From bf47a21a9befbd1325134b2e8fc2e0aa73fced89 Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Wed, 11 May 2022 19:56:40 -0400 Subject: [PATCH] Copy packages from snapshot to production (#4385) --- packages/windows/1.12.1/changelog.yml | 219 ++ .../forwarded/agent/stream/httpjson.yml.hbs | 101 + .../forwarded/agent/stream/winlog.yml.hbs | 27 + .../elasticsearch/ingest_pipeline/default.yml | 19 + .../ingest_pipeline/powershell.yml | 430 +++ .../powershell_operational.yml | 489 +++ .../ingest_pipeline/security.yml | 3189 +++++++++++++++++ .../ingest_pipeline/sysmon_operational.yml | 1254 +++++++ .../data_stream/forwarded/fields/agent.yml | 198 + .../forwarded/fields/base-fields.yml | 34 + .../data_stream/forwarded/fields/beats.yml | 3 + .../data_stream/forwarded/fields/ecs.yml | 588 +++ .../data_stream/forwarded/fields/fields.yml | 172 + .../data_stream/forwarded/fields/winlog.yml | 620 ++++ .../1.12.1/data_stream/forwarded/manifest.yml | 107 + .../data_stream/forwarded/sample_event.json | 77 + .../perfmon/agent/stream/stream.yml.hbs | 6 + .../data_stream/perfmon/fields/agent.yml | 198 + .../perfmon/fields/base-fields.yml | 20 + .../data_stream/perfmon/fields/fields.yml | 15 + .../1.12.1/data_stream/perfmon/manifest.yml | 45 + .../powershell/agent/stream/httpjson.yml.hbs | 101 + .../powershell/agent/stream/winlog.yml.hbs | 24 + .../elasticsearch/ingest_pipeline/default.yml | 430 +++ .../data_stream/powershell/fields/agent.yml | 198 + .../powershell/fields/base-fields.yml | 34 + .../data_stream/powershell/fields/beats.yml | 3 + .../data_stream/powershell/fields/ecs.yml | 201 ++ .../data_stream/powershell/fields/fields.yml | 133 + .../data_stream/powershell/fields/winlog.yml | 361 ++ .../data_stream/powershell/manifest.yml | 106 + .../data_stream/powershell/sample_event.json | 84 + .../agent/stream/httpjson.yml.hbs | 101 + .../agent/stream/winlog.yml.hbs | 24 + .../elasticsearch/ingest_pipeline/default.yml | 489 +++ .../powershell_operational/fields/agent.yml | 198 + .../fields/base-fields.yml | 34 + 
.../powershell_operational/fields/beats.yml | 3 + .../powershell_operational/fields/ecs.yml | 201 ++ .../powershell_operational/fields/fields.yml | 132 + .../powershell_operational/fields/winlog.yml | 361 ++ .../powershell_operational/manifest.yml | 106 + .../powershell_operational/sample_event.json | 77 + .../service/agent/stream/stream.yml.hbs | 3 + .../data_stream/service/fields/agent.yml | 198 + .../service/fields/base-fields.yml | 20 + .../data_stream/service/fields/fields.yml | 44 + .../1.12.1/data_stream/service/manifest.yml | 14 + .../agent/stream/httpjson.yml.hbs | 101 + .../agent/stream/winlog.yml.hbs | 24 + .../elasticsearch/ingest_pipeline/default.yml | 1241 +++++++ .../sysmon_operational/fields/agent.yml | 198 + .../sysmon_operational/fields/base-fields.yml | 34 + .../sysmon_operational/fields/beats.yml | 3 + .../sysmon_operational/fields/ecs.yml | 515 +++ .../sysmon_operational/fields/fields.yml | 9 + .../sysmon_operational/fields/winlog.yml | 371 ++ .../sysmon_operational/manifest.yml | 97 + .../sysmon_operational/sample_event.json | 126 + packages/windows/1.12.1/docs/README.md | 1268 +++++++ packages/windows/1.12.1/img/logo_windows.svg | 3 + .../1.12.1/img/metricbeat-windows-service.png | Bin 0 -> 159076 bytes ...-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json | 114 + ...-d9eba730-c991-11e7-9835-2f31fe08873b.json | 49 + ...-11a61760-9f27-11ea-bef1-95118e62a7c1.json | 40 + ...-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json | 48 + ...-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json | 27 + ...-23a5fff0-c98e-11e7-9835-2f31fe08873b.json | 25 + ...-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json | 27 + ...-35f5ad60-c996-11e7-9835-2f31fe08873b.json | 25 + ...-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json | 27 + ...-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json | 27 + ...-70751050-9f33-11ea-bef1-95118e62a7c1.json | 27 + ...-78874900-9f30-11ea-bef1-95118e62a7c1.json | 27 + ...-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json | 27 + ...-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json | 27 + 
...-830c45f0-c991-11e7-9835-2f31fe08873b.json | 25 + ...-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json | 27 + ...-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json | 27 + ...-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json | 32 + ...-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json | 27 + ...-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json | 40 + ...-d27dea70-9f32-11ea-bef1-95118e62a7c1.json | 27 + ...-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json | 27 + ...-e64ff750-9f28-11ea-bef1-95118e62a7c1.json | 27 + ...-eb8277d0-c98c-11e7-9835-2f31fe08873b.json | 24 + ...-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json | 27 + ...-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json | 27 + packages/windows/1.12.1/manifest.yml | 95 + 89 files changed, 16430 insertions(+) create mode 100755 packages/windows/1.12.1/changelog.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/agent/stream/httpjson.yml.hbs create mode 100755 packages/windows/1.12.1/data_stream/forwarded/agent/stream/winlog.yml.hbs create mode 100755 packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/fields/agent.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/fields/base-fields.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/fields/beats.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/fields/ecs.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/fields/fields.yml create mode 100755 
packages/windows/1.12.1/data_stream/forwarded/fields/winlog.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/manifest.yml create mode 100755 packages/windows/1.12.1/data_stream/forwarded/sample_event.json create mode 100755 packages/windows/1.12.1/data_stream/perfmon/agent/stream/stream.yml.hbs create mode 100755 packages/windows/1.12.1/data_stream/perfmon/fields/agent.yml create mode 100755 packages/windows/1.12.1/data_stream/perfmon/fields/base-fields.yml create mode 100755 packages/windows/1.12.1/data_stream/perfmon/fields/fields.yml create mode 100755 packages/windows/1.12.1/data_stream/perfmon/manifest.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell/agent/stream/httpjson.yml.hbs create mode 100755 packages/windows/1.12.1/data_stream/powershell/agent/stream/winlog.yml.hbs create mode 100755 packages/windows/1.12.1/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell/fields/agent.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell/fields/base-fields.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell/fields/beats.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell/fields/ecs.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell/fields/fields.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell/fields/winlog.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell/manifest.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell/sample_event.json create mode 100755 packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs create mode 100755 packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/winlog.yml.hbs create mode 100755 packages/windows/1.12.1/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml create mode 100755 
packages/windows/1.12.1/data_stream/powershell_operational/fields/agent.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell_operational/fields/base-fields.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell_operational/fields/beats.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell_operational/fields/ecs.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell_operational/fields/fields.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell_operational/fields/winlog.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell_operational/manifest.yml create mode 100755 packages/windows/1.12.1/data_stream/powershell_operational/sample_event.json create mode 100755 packages/windows/1.12.1/data_stream/service/agent/stream/stream.yml.hbs create mode 100755 packages/windows/1.12.1/data_stream/service/fields/agent.yml create mode 100755 packages/windows/1.12.1/data_stream/service/fields/base-fields.yml create mode 100755 packages/windows/1.12.1/data_stream/service/fields/fields.yml create mode 100755 packages/windows/1.12.1/data_stream/service/manifest.yml create mode 100755 packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs create mode 100755 packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs create mode 100755 packages/windows/1.12.1/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml create mode 100755 packages/windows/1.12.1/data_stream/sysmon_operational/fields/agent.yml create mode 100755 packages/windows/1.12.1/data_stream/sysmon_operational/fields/base-fields.yml create mode 100755 packages/windows/1.12.1/data_stream/sysmon_operational/fields/beats.yml create mode 100755 packages/windows/1.12.1/data_stream/sysmon_operational/fields/ecs.yml create mode 100755 packages/windows/1.12.1/data_stream/sysmon_operational/fields/fields.yml create mode 100755 
packages/windows/1.12.1/data_stream/sysmon_operational/fields/winlog.yml create mode 100755 packages/windows/1.12.1/data_stream/sysmon_operational/manifest.yml create mode 100755 packages/windows/1.12.1/data_stream/sysmon_operational/sample_event.json create mode 100755 packages/windows/1.12.1/docs/README.md create mode 100755 packages/windows/1.12.1/img/logo_windows.svg create mode 100755 packages/windows/1.12.1/img/metricbeat-windows-service.png create mode 100755 packages/windows/1.12.1/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json create mode 100755 packages/windows/1.12.1/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json create mode 100755 packages/windows/1.12.1/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json create mode 100755 packages/windows/1.12.1/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json create mode 100755 
packages/windows/1.12.1/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json create mode 100755 packages/windows/1.12.1/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json create mode 100755 packages/windows/1.12.1/manifest.yml diff --git a/packages/windows/1.12.1/changelog.yml b/packages/windows/1.12.1/changelog.yml new file mode 100755 index 0000000000..929b94b614 --- /dev/null +++ b/packages/windows/1.12.1/changelog.yml 
@@ -0,0 +1,219 @@
+# newer versions go on top
+- version: "1.12.1"
+ changes:
+ - description: Drop unset fields in sysmon_operational data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3283
+- version: "1.12.0"
+ changes:
+ - description: Support for Sysmon Registry non-QWORD/DWORD events
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2962
+- version: "1.11.0"
+ changes:
+ - description: Add parent process ID to security event for new process creation.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2966
+- version: "1.10.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.10.0"
+ changes:
+ - description: Add sysmon event 26 handling
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2566
+ - description: Normalise field order and remove event.ingested
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2566
+- version: "1.9.0"
+ changes:
+ - description: Expose winlog input ignore_older option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2542
+ - description: Fix preserve original event option
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2542
+ - description: Make order of options consistent with other winlog based integrations.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2542
+- version: "1.8.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2515
+- version: "1.7.0"
+ changes:
+ - description: Add provider name check to forwarded/security conditional.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2527
+- version: "1.6.0"
+ changes:
+ - description: Expose winlog input language option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2344
+- version: "1.5.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.5.0"
+ changes:
+ - description: Support Kibana 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2179
+- version: "1.4.0"
+ changes:
+ - description: Don't split hyphenated tokens for PowerShell scripts
+ type: enhancement
+ link: https://github.com/elastic/integrations/issues/1931
+- version: "1.3.3"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2080
+- version: "1.3.2"
+ changes:
+ - description: Fix processors configuration
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2113
+- version: "1.3.1"
+ changes:
+ - description: Update Splunk input description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2067
+- version: "1.3.0"
+ changes:
+ - description: Consistently map message field in Windows integrations.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2008
+- version: "1.2.3"
+ changes:
+ - description: Fix ingest pipeline templating for related.ip
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1920
+- version: "1.2.2"
+ changes:
+ - description: Prevent pipeline script error
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1872
+- version: "1.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1859
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1711
+- version: "1.1.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1511
+- version: '1.1.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1425
+- version: "1.1.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "1.1.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1214
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1214
+- version: "0.9.2"
+ changes:
+ - description: Add support for Splunk authorization tokens
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1147
+- version: "0.9.1"
+ changes:
+ - description: Use new `wildcard` type.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1161
+- version: "0.9.0"
+ changes:
+ - description: Make `event.original` optional and upgrade to ECS 1.10.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1122
+- version: "0.8.2"
+ changes:
+ - description: Add system tests for Splunk http inputs and improve README.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1044
+ - description: Fix sysmon pipeline when processing `dns.resolved_ip`.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1044
+- version: "0.8.1"
+ changes:
+ - description: Fix security pipeline to support string event.code.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1090
+- version: "0.8.0"
+ changes:
+ - description: Use ingest pipelines for forwarded dataset.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/973
+- version: "0.7.0"
+ changes:
+ - description: Move Sysmon edge processing to ingest pipeline.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/972
+- version: "0.6.0"
+ changes:
+ - description: Move PowerShell edge processing to ingest pipeline.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/941
+- version: "0.5.2"
+ changes:
+ - description: Change Splunk input to use the decode_xml_wineventlog processor.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/923
+- version: "0.5.1"
+ changes:
+ - description: Add support for Sysmon v13 events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/913
+- version: "0.5.0"
+ changes:
+ - description: Add Splunk input for Winlog data streams.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/821
+- version: "0.4.3"
+ changes:
+ - description: Updating package owner
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/766
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/877
+- version: "0.4.2"
+ changes:
+ - description: Move security data stream
+ type: bugfix # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/726
+- version: "0.4.1"
+ changes:
+ - description: Fix Guards
+ type: bugfix # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/724
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/91
diff --git a/packages/windows/1.12.1/data_stream/forwarded/agent/stream/httpjson.yml.hbs b/packages/windows/1.12.1/data_stream/forwarded/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..0a82aa6acc
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,101 @@
+config_version: "2"
+interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+- drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+- fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+- drop_fields:
+ fields: message
+- rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+- drop_fields:
+ fields: json
+- decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
+{{#if processors.length}}
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/forwarded/agent/stream/winlog.yml.hbs b/packages/windows/1.12.1/data_stream/forwarded/agent/stream/winlog.yml.hbs
new file mode 100755
index 0000000000..965be31d60
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/agent/stream/winlog.yml.hbs
@@ -0,0 +1,27 @@
+name: ForwardedEvents
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..6a274d1d5a
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
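Review bot: When `token`, `username` and `password` are all set, the rendered httpjson config carries no credentials at all: the `{{#unless token}}` guard suppresses `auth.basic.user`/`auth.basic.password`, and the `{{#unless username}}{{#unless password}}` guards around the `header.Authorization` transform suppress the token, so the Splunk `/services/search/jobs/export` request is sent unauthenticated and only fails at runtime. Give one credential type precedence instead, e.g. wrap the Authorization transform in a single `{{#if token}}` (dropping the two `unless` guards) so a configured token always wins while basic auth stays under `{{#unless token}}`. Separately, `auth.basic.password: {{password}}` and `value: {{token}}` are interpolated as plain YAML scalars, so a secret containing `: ` or ` #`, or starting with an indicator such as `*`, `&`, `[` or `{`, renders as invalid or misparsed YAML; quoting the interpolation (`'{{password}}'`) narrows the failure to the quote character itself, assuming the Fleet template engine does not already escape these values.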
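Review bot: `publisher_pipeline.disable_host: true` is emitted only when the `forwarded` tag is present, yet this input reads the `ForwardedEvents` channel, whose records originate on other machines; if an operator removes that tag from the policy, the collector's own `host.*` fields are attached to every forwarded event, and any detection or dashboard keyed on `host.name` attributes the activity to the wrong host. Nothing in the template says why the tag matters, so a one-line Handlebars comment above the guard would help: `{{! ForwardedEvents holds events from other hosts; keep the "forwarded" tag so the collector's host.* is not stamped on them }}`. Whether the manifest defaults the tag to `forwarded` is not visible in this hunk.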
@@ -0,0 +1,19 @@
+---
+description: Pipeline for Windows forwarded Event Logs
+processors:
+ - pipeline:
+ name: '{{ IngestPipeline "security" }}'
+ if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Security" && ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx?.winlog?.provider_name)
+ - pipeline:
+ name: '{{ IngestPipeline "powershell" }}'
+ if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Windows PowerShell"
+ - pipeline:
+ name: '{{ IngestPipeline "powershell_operational" }}'
+ if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-PowerShell/Operational"
+ - pipeline:
+ name: '{{ IngestPipeline "sysmon_operational" }}'
+ if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-Sysmon/Operational"
+on_failure:
+ - set:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
new file mode 100755
index 0000000000..7e9df152b0
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
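Review bot: The `on_failure` handler records only `error.message`, so a document that fails part-way through one of the routed sub-pipelines is still indexed with whatever `event.*` fields were set before the failure (the powershell pipeline, for example, sets `event.kind: event` early on) and nothing marks it as broken; a query or rule over `event.category` could then count half-parsed documents without noticing. Add a second processor next to the existing one, `- set: field: event.kind value: pipeline_error`, so failures are queryable in one place and excluded by `event.kind: event` filters. As a point of style, the `ctx?.winlog?.channel != null &&` prefix on each condition is redundant because `ctx?.winlog?.channel == "Security"` is already null-safe in Painless; dropping it would make the security-channel condition, which additionally checks `provider_name`, easier to read.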
@@ -0,0 +1,430 @@ +--- +description: Pipeline for Windows Powershell events +processors: + - kv: + description: Split Event 800 event data fields. + field: winlog.event_data.param2 + target_field: winlog.event_data + field_split: "\n\t" + trim_key: "\n\t" + trim_value: "\n\t" + value_split: "=" + if: ctx?.winlog?.event_id == "800" + - kv: + description: Split Events 4xx and 600 event data fields. + field: winlog.event_data.param3 + target_field: winlog.event_data + field_split: "\n\t" + trim_key: "\n\t" + trim_value: "\n\t" + value_split: "=" + if: ctx?.winlog?.event_id != "800" + + ## ECS and Event fields. + + - set: + field: ecs.version + value: '8.0.0' + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx?.winlog?.level != "" + - date: + field: winlog.time_created + formats: + - ISO8601 + ignore_failure: true + if: ctx?.winlog?.time_created != null + + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + - set: + field: event.category + value: process + - set: + field: event.type + value: start + if: ctx?.event.code == "400" + - set: + field: event.type + value: end + if: ctx?.event.code == "403" + - set: + field: event.type + value: info + if: ctx?.event?.type == null + - convert: + field: winlog.event_data.SequenceNumber + target_field: event.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + ## Process fields. 
+ + - rename: + field: winlog.event_data.HostId + target_field: process.entity_id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostId != "" + - rename: + field: winlog.event_data.HostApplication + target_field: process.command_line + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostApplication != "" + - rename: + field: winlog.event_data.HostName + target_field: process.title + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostName != "" + + ## User fields. + + - split: + field: winlog.event_data.UserId + target_field: "_temp.user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.UserId != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.user?.name != null + + ## PowerShell fields. 
+ + - rename: + field: winlog.event_data.NewEngineState + target_field: powershell.engine.new_state + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.NewEngineState != "" + - rename: + field: winlog.event_data.PreviousEngineState + target_field: powershell.engine.previous_state + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.PreviousEngineState != "" + - rename: + field: winlog.event_data.NewProviderState + target_field: powershell.provider.new_state + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.NewProviderState != "" + - rename: + field: winlog.event_data.ProviderName + target_field: powershell.provider.name + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ProviderName != "" + - convert: + field: winlog.event_data.DetailTotal + target_field: powershell.total + type: long + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.DetailTotal != "" + - convert: + field: winlog.event_data.DetailSequence + target_field: powershell.sequence + type: long + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.DetailSequence != "" + - rename: + field: winlog.event_data.EngineVersion + target_field: powershell.engine.version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.EngineVersion != "" + - rename: + field: winlog.event_data.PipelineId + target_field: powershell.pipeline_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.PipelineId != "" + - rename: + field: winlog.event_data.RunspaceId + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.RunspaceId != "" + - rename: + field: winlog.event_data.HostVersion + target_field: powershell.process.executable_version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.HostVersion != "" + - rename: + field: 
winlog.event_data.CommandLine + target_field: powershell.command.value + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandLine != "" + - rename: + field: winlog.event_data.CommandPath + target_field: powershell.command.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandPath != "" + - rename: + field: winlog.event_data.CommandName + target_field: powershell.command.name + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandName != "" + - rename: + field: winlog.event_data.CommandType + target_field: powershell.command.type + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandType != "" + + - split: + description: Split Event 800 command invocation details. + field: winlog.event_data.param3 + separator: "\n" + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "800" + - script: + description: |- + Parses all command invocation detail raw lines, and converts them to an object, based on their type. + - for unexpectedly formatted ones: {value: "the raw line as it is"} + - for all: + * related_command: describes to what command it is related to + * value: the value for that detail line + * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError + - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
+ lang: painless + if: ctx.event.code == "800" + params: + field: param3 + source: |- + def parseRawDetail(String raw) { + Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; + Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; + + def matcher = detailRegex.matcher(raw); + if (!matcher.matches()) { + return ["value": raw]; + } + def matches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + matches.add(matcher.group(i)); + } + + if (matches.length != 4) { + return ["value": raw]; + } + + if (matches[1] != "ParameterBinding") { + return [ + "type": matches[1], + "related_command": matches[2], + "value": matches[3] + ]; + } + + matcher = parameterBindingRegex.matcher(matches[3]); + if (!matcher.matches()) { + return ["value": matches[4]]; + } + def nameValMatches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + nameValMatches.add(matcher.group(i)); + } + if (nameValMatches.length !== 3) { + return ["value": matches[3]]; + } + + return [ + "type": matches[1], + "related_command": matches[2], + "name": nameValMatches[1], + "value": nameValMatches[2] + ]; + } + + if (ctx?._temp == null) { + ctx._temp = new HashMap(); + } + + if (ctx._temp.details == null) { + ctx._temp.details = new ArrayList(); + } + + def values = ctx?.winlog?.event_data[params["field"]]; + if (values != null && values.length > 0) { + for (v in values) { + ctx._temp.details.add(parseRawDetail(v)); + } + } + - rename: + field: _temp.details + target_field: powershell.command.invocation_details + if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0 + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: ctx?.process?.command_line != null && ctx.process.command_line != "" + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
+ def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + ctx.process.args = commandLineToArgv(ctx.process.command_line); + ctx.process.args_count = ctx.process.args.length; + + - script: + description: Adds file information. 
+ lang: painless + if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 + source: |- + def path = ctx.winlog.event_data.ScriptName; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx?.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + - rename: + field: winlog.event_data.ScriptName + target_field: file.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptName != "" + + ## Cleanup. + + - remove: + field: + - _temp + - winlog.event_data.param1 + - winlog.event_data.param2 + - winlog.event_data.param3 + - winlog.event_data.SequenceNumber + - winlog.event_data.DetailTotal + - winlog.event_data.DetailSequence + - winlog.event_data.UserId + - winlog.time_created + - winlog.level + ignore_missing: true + ignore_failure: true + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); + - remove: + description: Remove empty event data. + field: winlog.event_data + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 + +on_failure: + - set: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml new file mode 100755 index 0000000000..16d21d8fe8 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml 
@@ -0,0 +1,489 @@ +--- +description: Pipeline for Windows Powershell/Operational events +processors: + - kv: + description: Split Event 4103 event data fields. + field: winlog.event_data.ContextInfo + target_field: winlog.event_data + field_split: "\n" + trim_key: " \n\t" + trim_value: " \n\t" + value_split: "=" + if: ctx?.winlog?.event_id == "4103" + - script: + description: Remove spaces from all event_data keys. + lang: painless + if: ctx?.winlog?.event_data != null + source: |- + def newEventData = new HashMap(); + for (entry in ctx.winlog.event_data.entrySet()) { + def newKey = /\s/.matcher(entry.getKey().toString()).replaceAll(""); + newEventData.put(newKey, entry.getValue()); + } + ctx.winlog.event_data = newEventData; + + ## ECS and Event fields. + + - set: + field: ecs.version + value: '8.0.0' + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx?.winlog?.level != "" + - date: + field: winlog.time_created + formats: + - ISO8601 + ignore_failure: true + if: ctx?.winlog?.time_created != null + + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + - set: + field: event.category + value: process + - set: + field: event.type + value: start + if: ctx?.event.code == "4105" + - set: + field: event.type + value: end + if: ctx?.event.code == "4106" + - set: + field: event.type + value: info + if: ctx?.event?.type == null + - convert: + field: winlog.event_data.SequenceNumber + target_field: event.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + ## Process fields. 
+ + - rename: + field: winlog.event_data.HostID + target_field: process.entity_id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostID != "" + - rename: + field: winlog.event_data.HostApplication + target_field: process.command_line + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostApplication != "" + - rename: + field: winlog.event_data.HostName + target_field: process.title + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostName != "" + + ## User fields. + + - set: + field: user.id + copy_from: winlog.user.identifier + ignore_failure: true + ignore_empty_value: true + - split: + field: winlog.event_data.User + target_field: "_temp.user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.User != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.user?.name != null + - split: + field: winlog.event_data.ConnectedUser + target_field: "_temp.connected_user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.ConnectedUser != null + - set: + field: source.user.domain + value: "{{_temp.connected_user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 + - set: + field: source.user.name + value: "{{_temp.connected_user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 + - append: + field: related.user + value: "{{source.user.name}}" + 
ignore_failure: true + allow_duplicates: false + if: ctx?.source?.user?.name != null + - rename: + field: user.domain + target_field: destination.user.domain + ignore_failure: true + ignore_missing: true + if: ctx?.source?.user != null + - rename: + field: user.name + target_field: destination.user.name + ignore_failure: true + ignore_missing: true + if: ctx?.source?.user != null + - set: + field: user.domain + copy_from: source.user.domain + ignore_failure: true + ignore_empty_value: true + if: ctx?.source?.user != null + - set: + field: user.name + copy_from: source.user.name + ignore_failure: true + ignore_empty_value: true + if: ctx?.source?.user != null + + ## PowerShell fields. + + - convert: + field: winlog.event_data.MessageNumber + target_field: powershell.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.event_data.MessageTotal + target_field: powershell.total + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.ShellID + target_field: powershell.id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ShellID != "" + - rename: + field: winlog.event_data.EngineVersion + target_field: powershell.engine.version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.EngineVersion != "" + - rename: + field: winlog.event_data.PipelineID + target_field: powershell.pipeline_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.PipelineID != "" + - rename: + field: winlog.event_data.RunspaceID + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.RunspaceID != "" + - rename: + field: winlog.event_data.RunspaceId + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.RunspaceId != "" + - rename: + field: winlog.event_data.HostVersion + target_field: 
powershell.process.executable_version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.HostVersion != "" + - rename: + field: winlog.event_data.CommandLine + target_field: powershell.command.value + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandLine != "" + - rename: + field: winlog.event_data.CommandPath + target_field: powershell.command.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandPath != "" + - rename: + field: winlog.event_data.CommandName + target_field: powershell.command.name + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandName != "" + - rename: + field: winlog.event_data.CommandType + target_field: powershell.command.type + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandType != "" + - rename: + field: winlog.event_data.ScriptBlockId + target_field: powershell.file.script_block_id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptBlockId != "" + - rename: + field: winlog.event_data.ScriptBlockText + target_field: powershell.file.script_block_text + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptBlockText != "" + + - split: + description: Split Event 800 command invocation details. + field: winlog.event_data.Payload + separator: "\n" + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "4103" + - script: + description: |- + Parses all command invocation detail raw lines, and converts them to an object, based on their type. + - for unexpectedly formatted ones: {value: "the raw line as it is"} + - for all: + * related_command: describes to what command it is related to + * value: the value for that detail line + * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError + - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
+ lang: painless + if: ctx.event.code == "4103" + params: + field: Payload + source: |- + def parseRawDetail(String raw) { + Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; + Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; + + def matcher = detailRegex.matcher(raw); + if (!matcher.matches()) { + return ["value": raw]; + } + def matches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + matches.add(matcher.group(i)); + } + + if (matches.length != 4) { + return ["value": raw]; + } + + if (matches[1] != "ParameterBinding") { + return [ + "type": matches[1], + "related_command": matches[2], + "value": matches[3] + ]; + } + + matcher = parameterBindingRegex.matcher(matches[3]); + if (!matcher.matches()) { + return ["value": matches[4]]; + } + def nameValMatches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + nameValMatches.add(matcher.group(i)); + } + if (nameValMatches.length !== 3) { + return ["value": matches[3]]; + } + + return [ + "type": matches[1], + "related_command": matches[2], + "name": nameValMatches[1], + "value": nameValMatches[2] + ]; + } + + if (ctx?._temp == null) { + ctx._temp = new HashMap(); + } + + if (ctx._temp.details == null) { + ctx._temp.details = new ArrayList(); + } + + def values = ctx?.winlog?.event_data[params["field"]]; + if (values != null && values.length > 0) { + for (v in values) { + ctx._temp.details.add(parseRawDetail(v)); + } + } + - rename: + field: _temp.details + target_field: powershell.command.invocation_details + if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0 + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: ctx?.process?.command_line != null && ctx.process.command_line != "" + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
+ def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + ctx.process.args = commandLineToArgv(ctx.process.command_line); + ctx.process.args_count = ctx.process.args.length; + + - rename: + field: winlog.event_data.Path + target_field: 
winlog.event_data.ScriptName + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.Path != "" + - script: + description: Adds file information. + lang: painless + if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 + source: |- + def path = ctx.winlog.event_data.ScriptName; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx?.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + - rename: + field: winlog.event_data.ScriptName + target_field: file.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptName != "" + + ## Cleanup. + + - remove: + field: + - _temp + - winlog.event_data.SequenceNumber + - winlog.event_data.User + - winlog.event_data.ConnectedUser + - winlog.event_data.ContextInfo + - winlog.event_data.Severity + - winlog.event_data.MessageTotal + - winlog.event_data.MessageNumber + - winlog.event_data.Payload + - winlog.time_created + - winlog.level + ignore_missing: true + ignore_failure: true + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); + - remove: + description: Remove empty event data. + field: winlog.event_data + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 + +on_failure: + - set: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml new file mode 100755 index 0000000000..3f42b128e9 --- /dev/null 
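Review bot: In the `parseRawDetail` script of this hunk, the fallback taken when `parameterBindingRegex` does not match returns `["value": matches[4]]`, but `matches` was just checked to hold exactly four entries (indices 0–3), so any ParameterBinding line whose tail is not `name=…; value=…` raises an out-of-bounds error; since the script has no `ignore_failure`, that one line sends the whole 4103 event to `on_failure` with only `error.message` set and the parsed fields lost. The fix is `return ["value": matches[3]];`, mirroring the later `nameValMatches` fallback; the identical script in the powershell.yml hunk earlier in this diff carries the same line. Group 3 of `detailRegex` is optional, so `matches[3]` can presumably also be null for a ParameterBinding line with nothing after the colon, which would make `parameterBindingRegex.matcher(matches[3])` fail as well — a null check before that call would close it. Separately, the `split` processor on `winlog.event_data.Payload` keeps the copied description `Split Event 800 command invocation details.` while its condition is `ctx.event.code == "4103"`; `description: Split Event 4103 command invocation details.` would match the code.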
+++ b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml 
@@ -0,0 +1,3189 @@ +--- +description: Pipeline for Windows Security events +processors: + - convert: + field: event.code + type: string + ignore_missing: true + - script: + lang: painless + ignore_failure: false + tag: Set ECS categorization fields + description: Set ECS categorization fields + params: + "1100": + category: + - process + type: + - end + action: logging-service-shutdown + "1102": + category: + - iam + type: + - admin + - change + action: audit-log-cleared + "1104": + category: + - iam + type: + - admin + action: logging-full + "1105": + category: + - iam + type: + - admin + action: auditlog-archieved + "1108": + category: + - iam + type: + - admin + action: logging-processing-error + "4610": + category: + - configuration + type: + - access + action: authentication-package-loaded + "4611": + category: + - configuration + type: + - change + action: trusted-logon-process-registered + "4614": + category: + - configuration + type: + - access + action: notification-package-loaded + "4616": + category: + - configuration + type: + - change + action: system-time-changed + "4622": + category: + - configuration + type: + - access + action: security-package-loaded + "4624": + category: + - authentication + type: + - start + action: logged-in + "4625": + category: + - authentication + type: + - start + action: logon-failed + "4634": + category: + - authentication + type: + - end + action: logged-out + "4647": + category: + - authentication + type: + - end + action: logged-out + "4648": + category: + - authentication + type: + - start + action: logged-in-explicit + "4657": + category: + - registry + - configuration + type: + - change + action: registry-value-modified + "4670": + category: + - iam + - configuration + type: + - admin + - change + action: permissions-changed + "4672": + category: + - iam + type: + - admin + action: logged-in-special + "4673": + category: + - iam + type: + - admin + action: privileged-service-called + "4674": + category: + - iam + 
type: + - admin + action: privileged-operation + "4688": + category: + - process + type: + - start + action: created-process + "4689": + category: + - process + type: + - end + action: exited-process + "4697": + category: + - iam + - configuration + type: + - admin + - change + action: service-installed + "4698": + category: + - iam + - configuration + type: + - creation + - admin + action: scheduled-task-created + "4699": + category: + - iam + - configuration + type: + - deletion + - admin + action: scheduled-task-deleted + "4700": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-enabled + "4701": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-disabled + "4702": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-updated + "4706": + category: + - configuration + type: + - creation + action: domain-trust-added + "4707": + category: + - configuration + type: + - deletion + action: domain-trust-removed + "4713": + category: + - configuration + type: + - change + action: kerberos-policy-changed + "4714": + category: + - configuration + type: + - change + action: encrypted-data-recovery-policy-changed + "4715": + category: + - configuration + type: + - change + action: object-audit-policy-changed + "4716": + category: + - configuration + type: + - change + action: trusted-domain-information-changed + "4717": + category: + - iam + - configuration + type: + - admin + - change + action: system-security-access-granted + "4718": + category: + - iam + - configuration + type: + - admin + - deletion + action: system-security-access-removed + "4719": + category: + - iam + - configuration + type: + - admin + - change + action: changed-audit-config + "4720": + category: + - iam + type: + - user + - creation + action: added-user-account + "4722": + category: + - iam + type: + - user + - change + action: enabled-user-account + "4723": + category: + - iam + 
type: + - user + - change + action: changed-password + "4724": + category: + - iam + type: + - user + - change + action: reset-password + "4725": + category: + - iam + type: + - user + - deletion + action: disabled-user-account + "4726": + category: + - iam + type: + - user + - deletion + action: deleted-user-account + "4727": + category: + - iam + type: + - group + - creation + action: added-group-account + "4728": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4729": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4730": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4731": + category: + - iam + type: + - group + - creation + action: added-group-account + "4732": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4733": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4734": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4735": + category: + - iam + type: + - group + - change + action: modified-group-account + "4737": + category: + - iam + type: + - group + - change + action: modified-group-account + "4738": + category: + - iam + type: + - user + - change + action: modified-user-account + "4739": + category: + - configuration + type: + - change + action: domain-policy-changed + "4740": + category: + - iam + type: + - user + - change + action: locked-out-user-account + "4741": + category: + - iam + type: + - creation + - admin + action: added-computer-account + "4742": + category: + - iam + type: + - change + - admin + action: changed-computer-account + "4743": + category: + - iam + type: + - deletion + - admin + action: deleted-computer-account + "4744": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4745": + category: + - iam + type: + - group + - change + action: 
changed-distribution-group-account + "4746": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4747": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4748": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4749": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4750": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4751": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4752": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4753": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4754": + category: + - iam + type: + - group + - creation + action: added-group-account + "4755": + category: + - iam + type: + - group + - change + action: modified-group-account + "4756": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4757": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4758": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4759": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4760": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4761": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4762": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4763": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4764": + category: + - iam + type: + - group + - change + action: type-changed-group-account + "4767": + category: + - iam + 
type: + - user + - change + action: unlocked-user-account + "4768": + category: + - authentication + type: + - start + action: kerberos-authentication-ticket-requested + "4769": + category: + - authentication + type: + - start + action: kerberos-service-ticket-requested + "4770": + category: + - authentication + type: + - start + action: kerberos-service-ticket-renewed + "4771": + category: + - authentication + type: + - start + action: kerberos-preauth-failed + "4776": + category: + - authentication + type: + - start + action: credential-validated + "4778": + category: + - authentication + - session + type: + - start + action: session-reconnected + "4779": + category: + - authentication + - session + type: + - end + action: session-disconnected + "4781": + category: + - iam + type: + - user + - change + action: renamed-user-account + "4798": + category: + - iam + type: + - user + - info + action: group-membership-enumerated + "4799": + category: + - iam + type: + - group + - info + action: user-member-enumerated + "4817": + category: + - iam + - configuration + type: + - admin + - change + action: object-audit-changed + "4902": + category: + - iam + - configuration + type: + - admin + - creation + action: user-audit-policy-created + "4904": + category: + - iam + - configuration + type: + - admin + - change + action: security-event-source-added + "4905": + category: + - iam + - configuration + type: + - admin + - deletion + action: security-event-source-removed + "4906": + category: + - iam + - configuration + type: + - admin + - change + action: crash-on-audit-changed + "4907": + category: + - iam + - configuration + type: + - admin + - change + action: audit-setting-changed + "4908": + category: + - iam + - configuration + type: + - admin + - change + action: special-group-table-changed + "4912": + category: + - iam + - configuration + type: + - admin + - change + action: per-user-audit-policy-changed + "4950": + category: + - configuration + type: + - change + 
action: windows-firewall-setting-changed + "4954": + category: + - configuration + type: + - change + action: windows-firewall-group-policy-changed + "4964": + category: + - iam + type: + - admin + - group + action: logged-in-special + "5024": + category: + - process + type: + - start + action: windows-firewall-service-started + "5025": + category: + - process + type: + - end + action: windows-firewall-service-stopped + "5033": + category: + - driver + type: + - start + action: windows-firewall-driver-started + "5034": + category: + - driver + type: + - end + action: windows-firewall-driver-stopped + "5037": + category: + - driver + type: + - end + action: windows-firewall-driver-error + source: |- + if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + def hm = new HashMap(params.get(ctx.event.code)); + hm.forEach((k, v) -> ctx.event[k] = v); + - script: + lang: painless + ignore_failure: false + tag: Set Logon Type + description: Set Logon Type + params: + "2": Interactive + "3": Network + "4": Batch + "5": Service + "7": Unlock + "8": NetworkCleartext + "9": NewCredentials + "10": RemoteInteractive + "11": CachedInteractive + source: |- + if (ctx?.winlog?.event_data?.LogonType == null) { + return; + } + def t = params.get(ctx.winlog.event_data.LogonType); + if (t == null) { + return; + } + if (ctx?.winlog?.logon == null ) { + Map map = new HashMap(); + ctx.winlog.put("logon", map); + } + ctx.winlog.logon.put("type", t) + - script: + lang: painless + ignore_failure: false + tag: Set User Account Control + description: Set User Account Control + params: + "0x00000001": SCRIPT + "0x00000002": ACCOUNTDISABLE + "0x00000008": HOMEDIR_REQUIRED + "0x00000010": LOCKOUT + "0x00000020": PASSWD_NOTREQD + "0x00000040": PASSWD_CANT_CHANGE + "0x00000080": ENCRYPTED_TEXT_PWD_ALLOWED + "0x00000100": TEMP_DUPLICATE_ACCOUNT + "0x00000200": NORMAL_ACCOUNT + "0x00000800": INTERDOMAIN_TRUST_ACCOUNT + "0x00001000": WORKSTATION_TRUST_ACCOUNT + 
"0x00002000": SERVER_TRUST_ACCOUNT + "0x00010000": DONT_EXPIRE_PASSWORD + "0x00020000": MNS_LOGON_ACCOUNT + "0x00040000": SMARTCARD_REQUIRED + "0x00080000": TRUSTED_FOR_DELEGATION + "0x00100000": NOT_DELEGATED + "0x00200000": USE_DES_KEY_ONLY + "0x00400000": DONT_REQ_PREAUTH + "0x00800000": PASSWORD_EXPIRED + "0x01000000": TRUSTED_TO_AUTH_FOR_DELEGATION + "0x04000000": PARTIAL_SECRETS_ACCOUNT + source: |- + if (ctx?.winlog?.event_data?.NewUacValue == null) { + return; + } + Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue); + ArrayList uacResult = new ArrayList(); + for (entry in params.entrySet()) { + Long flag = Long.decode(entry.getKey()); + if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) { + uacResult.add(entry.getValue()); + } + } + if (uacResult.length == 0) { + return; + } + ctx.winlog.event_data.put("NewUACList", uacResult); + if (ctx?.winlog?.event_data?.UserAccountControl == null) { + return; + } + ArrayList uac_array = new ArrayList(); + for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken("%%")) { + if (elem.trim().length() > 0) { + uac_array.add(elem.trim()); + } + } + ctx.winlog.event_data.UserAccountControl = uac_array; + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Options + description: Set Kerberos Ticket Options + params: + "0x40000000": Forwardable + "0x20000000": Forwarded + "0x10000000": Proxiable + "0x08000000": Proxy + "0x04000000": Allow-postdate + "0x02000000": Postdated + "0x01000000": Invalid + "0x00800000": Renewable + "0x00400000": Initial + "0x00200000": Pre-authent + "0x00100000": Opt-hardware-auth + "0x00080000": Transited-policy-checked + "0x00040000": Ok-as-delegate + "0x00020000": Request-anonymous + "0x00010000": Name-canonicalize + "0x00000020": Disable-transited-check + "0x00000010": Renewable-ok + "0x00000008": Enc-tkt-in-skey + "0x00000002": Renew + "0x00000001": Validate + source: |- + if (ctx?.winlog?.event_data?.TicketOptions == null) { + 
return; + } + Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); + ArrayList tDescs = new ArrayList(); + for (entry in params.entrySet()) { + Long flag = Long.decode(entry.getKey()); + if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { + tDescs.add(entry.getValue()); + } + } + if (tDescs.length == 0) { + return; + } + ctx.winlog.event_data.put("TicketOptionsDescription", tDescs); + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Encryption Types + description: Set Kerberos Encryption Types + params: + "0x1": DES-CBC-CRC + "0x3": DES-CBC-MD5 + "0x11": AES128-CTS-HMAC-SHA1-96 + "0x12": AES256-CTS-HMAC-SHA1-96 + "0x17": RC4-HMAC + "0x18": RC4-HMAC-EXP + "0xffffffff": FAIL + source: |- + if (ctx?.winlog?.event_data?.TicketEncryptionType == null) { + return; + } + ctx.winlog.event_data.put("TicketEncryptionTypeDescription", + params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()]) + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Status Codes + description: Set Kerberos Ticket Status Codes + params: + "0x0": KDC_ERR_NONE + "0x1": KDC_ERR_NAME_EXP + "0x2": KDC_ERR_SERVICE_EXP + "0x3": KDC_ERR_BAD_PVNO + "0x4": KDC_ERR_C_OLD_MAST_KVNO + "0x5": KDC_ERR_S_OLD_MAST_KVNO + "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN + "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN + "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE + "0x9": KDC_ERR_NULL_KEY + "0xA": KDC_ERR_CANNOT_POSTDATE + "0xB": KDC_ERR_NEVER_VALID + "0xC": KDC_ERR_POLICY + "0xD": KDC_ERR_BADOPTION + "0xE": KDC_ERR_ETYPE_NOTSUPP + "0xF": KDC_ERR_SUMTYPE_NOSUPP + "0x10": KDC_ERR_PADATA_TYPE_NOSUPP + "0x11": KDC_ERR_TRTYPE_NO_SUPP + "0x12": KDC_ERR_CLIENT_REVOKED + "0x13": KDC_ERR_SERVICE_REVOKED + "0x14": KDC_ERR_TGT_REVOKED + "0x15": KDC_ERR_CLIENT_NOTYET + "0x16": KDC_ERR_SERVICE_NOTYET + "0x17": KDC_ERR_KEY_EXPIRED + "0x18": KDC_ERR_PREAUTH_FAILED + "0x19": KDC_ERR_PREAUTH_REQUIRED + "0x1A": KDC_ERR_SERVER_NOMATCH + "0x1B": KDC_ERR_MUST_USE_USER2USER + "0x1F": 
KRB_AP_ERR_BAD_INTEGRITY + "0x20": KRB_AP_ERR_TKT_EXPIRED + "0x21": KRB_AP_ERR_TKT_NYV + "0x22": KRB_AP_ERR_REPEAT + "0x23": KRB_AP_ERR_NOT_US + "0x24": KRB_AP_ERR_BADMATCH + "0x25": KRB_AP_ERR_SKEW + "0x26": KRB_AP_ERR_BADADDR + "0x27": KRB_AP_ERR_BADVERSION + "0x28": KRB_AP_ERR_MSG_TYPE + "0x29": KRB_AP_ERR_MODIFIED + "0x2A": KRB_AP_ERR_BADORDER + "0x2C": KRB_AP_ERR_BADKEYVER + "0x2D": KRB_AP_ERR_NOKEY + "0x2E": KRB_AP_ERR_MUT_FAIL + "0x2F": KRB_AP_ERR_BADDIRECTION + "0x30": KRB_AP_ERR_METHOD + "0x31": KRB_AP_ERR_BADSEQ + "0x32": KRB_AP_ERR_INAPP_CKSUM + "0x33": KRB_AP_PATH_NOT_ACCEPTED + "0x34": KRB_ERR_RESPONSE_TOO_BIG + "0x3C": KRB_ERR_GENERIC + "0x3D": KRB_ERR_FIELD_TOOLONG + "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED + "0x3F": KDC_ERR_KDC_NOT_TRUSTED + "0x40": KDC_ERR_INVALID_SIG + "0x41": KDC_ERR_KEY_TOO_WEAK + "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED + "0x43": KRB_AP_ERR_NO_TGT + "0x44": KDC_ERR_WRONG_REALM + source: |- + if (ctx?.winlog?.event_data?.Status == null || + ctx?.event?.code == null || + !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) { + return; + } + ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]); + - script: + lang: painless + ignore_failure: false + tag: Set Service Type and Name + description: Set Service Type and Name + params: + "0x1": Kernel Driver + "0x2": File System Driver + "0x8": Recognizer Driver + "0x10": Win32 Own Process + "0x20": Win32 Share Process + "0x110": Interactive Own Process + "0x120": Interactive Share Process + source: |- + if (ctx?.winlog?.event_data?.ServiceName != null) { + if (ctx?.service == null) { + HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("name", ctx.winlog.event_data.ServiceName); + } + if (ctx?.winlog.event_data?.ServiceType != null) { + if (ctx?.service == null) { + HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]); + } + - script: + lang: painless + 
ignore_failure: false + tag: Set Audit Information + description: Set Audit Information + params: + "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"] + "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"] + "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"] + "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"] + "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"] + "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"] + "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"] + "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"] + "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"] + "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"] + "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode","Logon/Logoff"] + "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"] + "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"] + "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"] + "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"] + "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"] + "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"] + "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"] + "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"] + "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"] + "0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"] + "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"] + "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"] + "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"] + "0CCE9226-69AE-11D9-BED3-505054503030": 
["Filtering Platform Connection ","Object Access"] + "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"] + "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"] + "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"] + "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"] + "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"] + "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"] + "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"] + "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"] + "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"] + "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity","Detailed Tracking"] + "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"] + "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"] + "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"] + "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"] + "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"] + "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"] + "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"] + "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"] + "0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"] + "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"] + "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"] + "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"] + 
"0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"] + "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"] + "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"] + "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"] + "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"] + "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"] + "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"] + "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"] + "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"] + "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"] + source: |- + if (ctx?.winlog?.event_data?.SubcategoryGuid == null) { + return; + } + def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase(); + if (!params.containsKey(subCatGuid)) { + return; + } + ctx.winlog.event_data.put("Category", params[subCatGuid][1]); + ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]); + - script: + lang: painless + ignore_failure: false + tag: Decode message table + description: Decode message table + params: + "279": "Undefined Access (no effect) Bit 7" + "1536": "Unused message ID" + "1537": "DELETE" + "1538": "READ_CONTROL" + "1539": "WRITE_DAC" + "1540": "WRITE_OWNER" + "1541": "SYNCHRONIZE" + "1542": "ACCESS_SYS_SEC" + "1543": "MAX_ALLOWED" + "1552": "Unknown specific access (bit 0)" + "1553": "Unknown specific access (bit 1)" + "1554": "Unknown specific access (bit 2)" + "1555": "Unknown specific access (bit 3)" + "1556": "Unknown specific access (bit 4)" + "1557": "Unknown specific access (bit 5)" + "1558": "Unknown specific access (bit 6)" + 
"1559": "Unknown specific access (bit 7)" + "1560": "Unknown specific access (bit 8)" + "1561": "Unknown specific access (bit 9)" + "1562": "Unknown specific access (bit 10)" + "1563": "Unknown specific access (bit 11)" + "1564": "Unknown specific access (bit 12)" + "1565": "Unknown specific access (bit 13)" + "1566": "Unknown specific access (bit 14)" + "1567": "Unknown specific access (bit 15)" + "1601": "Not used" + "1603": "Assign Primary Token Privilege" + "1604": "Lock Memory Privilege" + "1605": "Increase Memory Quota Privilege" + "1606": "Unsolicited Input Privilege" + "1607": "Trusted Computer Base Privilege" + "1608": "Security Privilege" + "1609": "Take Ownership Privilege" + "1610": "Load/Unload Driver Privilege" + "1611": "Profile System Privilege" + "1612": "Set System Time Privilege" + "1613": "Profile Single Process Privilege" + "1614": "Increment Base Priority Privilege" + "1615": "Create Pagefile Privilege" + "1616": "Create Permanent Object Privilege" + "1617": "Backup Privilege" + "1618": "Restore From Backup Privilege" + "1619": "Shutdown System Privilege" + "1620": "Debug Privilege" + "1621": "View or Change Audit Log Privilege" + "1622": "Change Hardware Environment Privilege" + "1623": "Change Notify (and Traverse) Privilege" + "1624": "Remotely Shut System Down Privilege" + "1792": "" + "1794": "" + "1795": "Enabled" + "1796": "Disabled" + "1797": "All" + "1798": "None" + "1799": "Audit Policy query/set API Operation" + "1800": "" + "1801": "Granted by" + "1802": "Denied by" + "1803": "Denied by Integrity Policy check" + "1804": "Granted by Ownership" + "1805": "Not granted" + "1806": "Granted by NULL DACL" + "1807": "Denied by Empty DACL" + "1808": "Granted by NULL Security Descriptor" + "1809": "Unknown or unchecked" + "1810": "Not granted due to missing" + "1811": "Granted by ACE on parent folder" + "1812": "Denied by ACE on parent folder" + "1813": "Granted by Central Access Rule" + "1814": "NOT Granted by Central Access Rule" + "1815": 
"Granted by parent folder's Central Access Rule" + "1816": "NOT Granted by parent folder's Central Access Rule" + "1817": "Unknown Type" + "1818": "String" + "1819": "Unsigned 64-bit Integer" + "1820": "64-bit Integer" + "1821": "FQBN" + "1822": "Blob" + "1823": "Sid" + "1824": "Boolean" + "1825": "TRUE" + "1826": "FALSE" + "1827": "Invalid" + "1828": "an ACE too long to display" + "1829": "a Security Descriptor too long to display" + "1830": "Not granted to AppContainers" + "1831": "..." + "1832": "Identification" + "1833": "Impersonation" + "1840": "Delegation" + "1841": "Denied by Process Trust Label ACE" + "1842": "Yes" + "1843": "No" + "1844": "System" + "1845": "Not Available" + "1846": "Default" + "1847": "DisallowMmConfig" + "1848": "Off" + "1849": "Auto" + "1872": "REG_NONE" + "1873": "REG_SZ" + "1874": "REG_EXPAND_SZ" + "1875": "REG_BINARY" + "1876": "REG_DWORD" + "1877": "REG_DWORD_BIG_ENDIAN" + "1878": "REG_LINK" + "1879": "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" + "1880": "REG_RESOURCE_LIST" + "1881": "REG_FULL_RESOURCE_DESCRIPTOR" + "1882": "REG_RESOURCE_REQUIREMENTS_LIST" + "1883": "REG_QWORD" + "1904": "New registry value created" + "1905": "Existing registry value modified" + "1906": "Registry value deleted" + "1920": "Sunday" + "1921": "Monday" + "1922": "Tuesday" + "1923": "Wednesday" + "1924": "Thursday" + "1925": "Friday" + "1926": "Saturday" + "1936": "TokenElevationTypeDefault (1)" + "1937": "TokenElevationTypeFull (2)" + "1938": "TokenElevationTypeLimited (3)" + "2048": "Account Enabled" + "2049": "Home Directory Required' - Disabled" + "2050": "Password Not Required' - Disabled" + "2051": "Temp Duplicate Account' - Disabled" + "2052": "Normal Account' - Disabled" + "2053": "MNS Logon Account' - Disabled" + "2054": "Interdomain Trust Account' - Disabled" + "2055": "Workstation Trust Account' - Disabled" + "2056": "Server Trust Account' - Disabled" + "2057": "Don't Expire Password' - Disabled" + "2058": "Account 
Unlocked" + "2059": "Encrypted Text Password Allowed' - Disabled" + "2060": "Smartcard Required' - Disabled" + "2061": "Trusted For Delegation' - Disabled" + "2062": "Not Delegated' - Disabled" + "2063": "Use DES Key Only' - Disabled" + "2064": "Don't Require Preauth' - Disabled" + "2065": "Password Expired' - Disabled" + "2066": "Trusted To Authenticate For Delegation' - Disabled" + "2067": "Exclude Authorization Information' - Disabled" + "2068": "Undefined UserAccountControl Bit 20' - Disabled" + "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled" + "2070": "Undefined UserAccountControl Bit 22' - Disabled" + "2071": "Undefined UserAccountControl Bit 23' - Disabled" + "2072": "Undefined UserAccountControl Bit 24' - Disabled" + "2073": "Undefined UserAccountControl Bit 25' - Disabled" + "2074": "Undefined UserAccountControl Bit 26' - Disabled" + "2075": "Undefined UserAccountControl Bit 27' - Disabled" + "2076": "Undefined UserAccountControl Bit 28' - Disabled" + "2077": "Undefined UserAccountControl Bit 29' - Disabled" + "2078": "Undefined UserAccountControl Bit 30' - Disabled" + "2079": "Undefined UserAccountControl Bit 31' - Disabled" + "2080": "Account Disabled" + "2081": "Home Directory Required' - Enabled" + "2082": "Password Not Required' - Enabled" + "2083": "Temp Duplicate Account' - Enabled" + "2084": "Normal Account' - Enabled" + "2085": "MNS Logon Account' - Enabled" + "2086": "Interdomain Trust Account' - Enabled" + "2087": "Workstation Trust Account' - Enabled" + "2088": "Server Trust Account' - Enabled" + "2089": "Don't Expire Password' - Enabled" + "2090": "Account Locked" + "2091": "Encrypted Text Password Allowed' - Enabled" + "2092": "Smartcard Required' - Enabled" + "2093": "Trusted For Delegation' - Enabled" + "2094": "Not Delegated' - Enabled" + "2095": "Use DES Key Only' - Enabled" + "2096": "Don't Require Preauth' - Enabled" + "2097": "Password Expired' - Enabled" + "2098": "Trusted To Authenticate For Delegation' - 
Enabled" + "2099": "Exclude Authorization Information' - Enabled" + "2100": "Undefined UserAccountControl Bit 20' - Enabled" + "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled" + "2102": "Undefined UserAccountControl Bit 22' - Enabled" + "2103": "Undefined UserAccountControl Bit 23' - Enabled" + "2104": "Undefined UserAccountControl Bit 24' - Enabled" + "2105": "Undefined UserAccountControl Bit 25' - Enabled" + "2106": "Undefined UserAccountControl Bit 26' - Enabled" + "2107": "Undefined UserAccountControl Bit 27' - Enabled" + "2108": "Undefined UserAccountControl Bit 28' - Enabled" + "2109": "Undefined UserAccountControl Bit 29' - Enabled" + "2110": "Undefined UserAccountControl Bit 30' - Enabled" + "2111": "Undefined UserAccountControl Bit 31' - Enabled" + "2304": "An Error occured during Logon." + "2305": "The specified user account has expired." + "2306": "The NetLogon component is not active." + "2307": "Account locked out." + "2308": "The user has not been granted the requested logon type at this machine." + "2309": "The specified account's password has expired." + "2310": "Account currently disabled." + "2311": "Account logon time restriction violation." + "2312": "User not allowed to logon at this computer." + "2313": "Unknown user name or bad password." + "2314": "Domain sid inconsistent." + "2315": "Smartcard logon is required and was not used." + "2432": "Not Available." + "2436": "Random number generator failure." + "2437": "Random number generation failed FIPS-140 pre-hash check." + "2438": "Failed to zero secret data." + "2439": "Key failed pair wise consistency check." + "2448": "Failed to unprotect persistent cryptographic key." + "2449": "Key export checks failed." + "2450": "Validation of public key failed." + "2451": "Signature verification failed." + "2456": "Open key file." + "2457": "Delete key file." + "2458": "Read persisted key from file." + "2459": "Write persisted key to file." 
+ "2464": "Export of persistent cryptographic key." + "2465": "Import of persistent cryptographic key." + "2480": "Open Key." + "2481": "Create Key." + "2482": "Delete Key." + "2483": "Encrypt." + "2484": "Decrypt." + "2485": "Sign hash." + "2486": "Secret agreement." + "2487": "Domain settings" + "2488": "Local settings" + "2489": "Add provider." + "2490": "Remove provider." + "2491": "Add context." + "2492": "Remove context." + "2493": "Add function." + "2494": "Remove function." + "2495": "Add function provider." + "2496": "Remove function provider." + "2497": "Add function property." + "2498": "Remove function property." + "2499": "Machine key." + "2500": "User key." + "2501": "Key Derivation." + "4352": "Device Access Bit 0" + "4353": "Device Access Bit 1" + "4354": "Device Access Bit 2" + "4355": "Device Access Bit 3" + "4356": "Device Access Bit 4" + "4357": "Device Access Bit 5" + "4358": "Device Access Bit 6" + "4359": "Device Access Bit 7" + "4360": "Device Access Bit 8" + "4361": "Undefined Access (no effect) Bit 9" + "4362": "Undefined Access (no effect) Bit 10" + "4363": "Undefined Access (no effect) Bit 11" + "4364": "Undefined Access (no effect) Bit 12" + "4365": "Undefined Access (no effect) Bit 13" + "4366": "Undefined Access (no effect) Bit 14" + "4367": "Undefined Access (no effect) Bit 15" + "4368": "Query directory" + "4369": "Traverse" + "4370": "Create object in directory" + "4371": "Create sub-directory" + "4372": "Undefined Access (no effect) Bit 4" + "4373": "Undefined Access (no effect) Bit 5" + "4374": "Undefined Access (no effect) Bit 6" + "4375": "Undefined Access (no effect) Bit 7" + "4376": "Undefined Access (no effect) Bit 8" + "4377": "Undefined Access (no effect) Bit 9" + "4378": "Undefined Access (no effect) Bit 10" + "4379": "Undefined Access (no effect) Bit 11" + "4380": "Undefined Access (no effect) Bit 12" + "4381": "Undefined Access (no effect) Bit 13" + "4382": "Undefined Access (no effect) Bit 14" + "4383": "Undefined 
Access (no effect) Bit 15" + "4384": "Query event state" + "4385": "Modify event state" + "4386": "Undefined Access (no effect) Bit 2" + "4387": "Undefined Access (no effect) Bit 3" + "4388": "Undefined Access (no effect) Bit 4" + "4389": "Undefined Access (no effect) Bit 5" + "4390": "Undefined Access (no effect) Bit 6" + "4391": "Undefined Access (no effect) Bit 7" + "4392": "Undefined Access (no effect) Bit 8" + "4393": "Undefined Access (no effect) Bit 9" + "4394": "Undefined Access (no effect) Bit 10" + "4395": "Undefined Access (no effect) Bit 11" + "4396": "Undefined Access (no effect) Bit 12" + "4397": "Undefined Access (no effect) Bit 13" + "4398": "Undefined Access (no effect) Bit 14" + "4399": "Undefined Access (no effect) Bit 15" + "4416": "ReadData (or ListDirectory)" + "4417": "WriteData (or AddFile)" + "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)" + "4419": "ReadEA" + "4420": "WriteEA" + "4421": "Execute/Traverse" + "4422": "DeleteChild" + "4423": "ReadAttributes" + "4424": "WriteAttributes" + "4425": "Undefined Access (no effect) Bit 9" + "4426": "Undefined Access (no effect) Bit 10" + "4427": "Undefined Access (no effect) Bit 11" + "4428": "Undefined Access (no effect) Bit 12" + "4429": "Undefined Access (no effect) Bit 13" + "4430": "Undefined Access (no effect) Bit 14" + "4431": "Undefined Access (no effect) Bit 15" + "4432": "Query key value" + "4433": "Set key value" + "4434": "Create sub-key" + "4435": "Enumerate sub-keys" + "4436": "Notify about changes to keys" + "4437": "Create Link" + "4438": "Undefined Access (no effect) Bit 6" + "4439": "Undefined Access (no effect) Bit 7" + "4440": "Enable 64(or 32) bit application to open 64 bit key" + "4441": "Enable 64(or 32) bit application to open 32 bit key" + "4442": "Undefined Access (no effect) Bit 10" + "4443": "Undefined Access (no effect) Bit 11" + "4444": "Undefined Access (no effect) Bit 12" + "4445": "Undefined Access (no effect) Bit 13" + "4446": "Undefined Access (no 
effect) Bit 14" + "4447": "Undefined Access (no effect) Bit 15" + "4448": "Query mutant state" + "4449": "Undefined Access (no effect) Bit 1" + "4450": "Undefined Access (no effect) Bit 2" + "4451": "Undefined Access (no effect) Bit 3" + "4452": "Undefined Access (no effect) Bit 4" + "4453": "Undefined Access (no effect) Bit 5" + "4454": "Undefined Access (no effect) Bit 6" + "4455": "Undefined Access (no effect) Bit 7" + "4456": "Undefined Access (no effect) Bit 8" + "4457": "Undefined Access (no effect) Bit 9" + "4458": "Undefined Access (no effect) Bit 10" + "4459": "Undefined Access (no effect) Bit 11" + "4460": "Undefined Access (no effect) Bit 12" + "4461": "Undefined Access (no effect) Bit 13" + "4462": "Undefined Access (no effect) Bit 14" + "4463": "Undefined Access (no effect) Bit 15" + "4464": "Communicate using port" + "4465": "Undefined Access (no effect) Bit 1" + "4466": "Undefined Access (no effect) Bit 2" + "4467": "Undefined Access (no effect) Bit 3" + "4468": "Undefined Access (no effect) Bit 4" + "4469": "Undefined Access (no effect) Bit 5" + "4470": "Undefined Access (no effect) Bit 6" + "4471": "Undefined Access (no effect) Bit 7" + "4472": "Undefined Access (no effect) Bit 8" + "4473": "Undefined Access (no effect) Bit 9" + "4474": "Undefined Access (no effect) Bit 10" + "4475": "Undefined Access (no effect) Bit 11" + "4476": "Undefined Access (no effect) Bit 12" + "4477": "Undefined Access (no effect) Bit 13" + "4478": "Undefined Access (no effect) Bit 14" + "4479": "Undefined Access (no effect) Bit 15" + "4480": "Force process termination" + "4481": "Create new thread in process" + "4482": "Set process session ID" + "4483": "Perform virtual memory operation" + "4484": "Read from process memory" + "4485": "Write to process memory" + "4486": "Duplicate handle into or out of process" + "4487": "Create a subprocess of process" + "4488": "Set process quotas" + "4489": "Set process information" + "4490": "Query process information" + "4491": "Set 
process termination port" + "4492": "Undefined Access (no effect) Bit 12" + "4493": "Undefined Access (no effect) Bit 13" + "4494": "Undefined Access (no effect) Bit 14" + "4495": "Undefined Access (no effect) Bit 15" + "4496": "Control profile" + "4497": "Undefined Access (no effect) Bit 1" + "4498": "Undefined Access (no effect) Bit 2" + "4499": "Undefined Access (no effect) Bit 3" + "4500": "Undefined Access (no effect) Bit 4" + "4501": "Undefined Access (no effect) Bit 5" + "4502": "Undefined Access (no effect) Bit 6" + "4503": "Undefined Access (no effect) Bit 7" + "4504": "Undefined Access (no effect) Bit 8" + "4505": "Undefined Access (no effect) Bit 9" + "4506": "Undefined Access (no effect) Bit 10" + "4507": "Undefined Access (no effect) Bit 11" + "4508": "Undefined Access (no effect) Bit 12" + "4509": "Undefined Access (no effect) Bit 13" + "4510": "Undefined Access (no effect) Bit 14" + "4511": "Undefined Access (no effect) Bit 15" + "4512": "Query section state" + "4513": "Map section for write" + "4514": "Map section for read" + "4515": "Map section for execute" + "4516": "Extend size" + "4517": "Undefined Access (no effect) Bit 5" + "4518": "Undefined Access (no effect) Bit 6" + "4519": "Undefined Access (no effect) Bit 7" + "4520": "Undefined Access (no effect) Bit 8" + "4521": "Undefined Access (no effect) Bit 9" + "4522": "Undefined Access (no effect) Bit 10" + "4523": "Undefined Access (no effect) Bit 11" + "4524": "Undefined Access (no effect) Bit 12" + "4525": "Undefined Access (no effect) Bit 13" + "4526": "Undefined Access (no effect) Bit 14" + "4527": "Undefined Access (no effect) Bit 15" + "4528": "Query semaphore state" + "4529": "Modify semaphore state" + "4530": "Undefined Access (no effect) Bit 2" + "4531": "Undefined Access (no effect) Bit 3" + "4532": "Undefined Access (no effect) Bit 4" + "4533": "Undefined Access (no effect) Bit 5" + "4534": "Undefined Access (no effect) Bit 6" + "4535": "Undefined Access (no effect) Bit 7" + "4536": 
"Undefined Access (no effect) Bit 8" + "4537": "Undefined Access (no effect) Bit 9" + "4538": "Undefined Access (no effect) Bit 10" + "4539": "Undefined Access (no effect) Bit 11" + "4540": "Undefined Access (no effect) Bit 12" + "4541": "Undefined Access (no effect) Bit 13" + "4542": "Undefined Access (no effect) Bit 14" + "4543": "Undefined Access (no effect) Bit 15" + "4544": "Use symbolic link" + "4545": "Undefined Access (no effect) Bit 1" + "4546": "Undefined Access (no effect) Bit 2" + "4547": "Undefined Access (no effect) Bit 3" + "4548": "Undefined Access (no effect) Bit 4" + "4549": "Undefined Access (no effect) Bit 5" + "4550": "Undefined Access (no effect) Bit 6" + "4551": "Undefined Access (no effect) Bit 7" + "4552": "Undefined Access (no effect) Bit 8" + "4553": "Undefined Access (no effect) Bit 9" + "4554": "Undefined Access (no effect) Bit 10" + "4555": "Undefined Access (no effect) Bit 11" + "4556": "Undefined Access (no effect) Bit 12" + "4557": "Undefined Access (no effect) Bit 13" + "4558": "Undefined Access (no effect) Bit 14" + "4559": "Undefined Access (no effect) Bit 15" + "4560": "Force thread termination" + "4561": "Suspend or resume thread" + "4562": "Send an alert to thread" + "4563": "Get thread context" + "4564": "Set thread context" + "4565": "Set thread information" + "4566": "Query thread information" + "4567": "Assign a token to the thread" + "4568": "Cause thread to directly impersonate another thread" + "4569": "Directly impersonate this thread" + "4570": "Undefined Access (no effect) Bit 10" + "4571": "Undefined Access (no effect) Bit 11" + "4572": "Undefined Access (no effect) Bit 12" + "4573": "Undefined Access (no effect) Bit 13" + "4574": "Undefined Access (no effect) Bit 14" + "4575": "Undefined Access (no effect) Bit 15" + "4576": "Query timer state" + "4577": "Modify timer state" + "4578": "Undefined Access (no effect) Bit 2" + "4579": "Undefined Access (no effect) Bit 3" + "4580": "Undefined Access (no effect) Bit 4" + 
"4581": "Undefined Access (no effect) Bit 5" + "4582": "Undefined Access (no effect) Bit 6" + "4584": "Undefined Access (no effect) Bit 8" + "4585": "Undefined Access (no effect) Bit 9" + "4586": "Undefined Access (no effect) Bit 10" + "4587": "Undefined Access (no effect) Bit 11" + "4588": "Undefined Access (no effect) Bit 12" + "4589": "Undefined Access (no effect) Bit 13" + "4590": "Undefined Access (no effect) Bit 14" + "4591": "Undefined Access (no effect) Bit 15" + "4592": "AssignAsPrimary" + "4593": "Duplicate" + "4594": "Impersonate" + "4595": "Query" + "4596": "QuerySource" + "4597": "AdjustPrivileges" + "4598": "AdjustGroups" + "4599": "AdjustDefaultDacl" + "4600": "AdjustSessionID" + "4601": "Undefined Access (no effect) Bit 9" + "4602": "Undefined Access (no effect) Bit 10" + "4603": "Undefined Access (no effect) Bit 11" + "4604": "Undefined Access (no effect) Bit 12" + "4605": "Undefined Access (no effect) Bit 13" + "4606": "Undefined Access (no effect) Bit 14" + "4607": "Undefined Access (no effect) Bit 15" + "4608": "Create instance of object type" + "4609": "Undefined Access (no effect) Bit 1" + "4610": "Undefined Access (no effect) Bit 2" + "4611": "Undefined Access (no effect) Bit 3" + "4612": "Undefined Access (no effect) Bit 4" + "4613": "Undefined Access (no effect) Bit 5" + "4614": "Undefined Access (no effect) Bit 6" + "4615": "Undefined Access (no effect) Bit 7" + "4616": "Undefined Access (no effect) Bit 8" + "4617": "Undefined Access (no effect) Bit 9" + "4618": "Undefined Access (no effect) Bit 10" + "4619": "Undefined Access (no effect) Bit 11" + "4620": "Undefined Access (no effect) Bit 12" + "4621": "Undefined Access (no effect) Bit 13" + "4622": "Undefined Access (no effect) Bit 14" + "4623": "Undefined Access (no effect) Bit 15" + "4864": "Query State" + "4865": "Modify State" + "5120": "Channel read message" + "5121": "Channel write message" + "5122": "Channel query information" + "5123": "Channel set information" + "5124": 
"Undefined Access (no effect) Bit 4" + "5125": "Undefined Access (no effect) Bit 5" + "5126": "Undefined Access (no effect) Bit 6" + "5127": "Undefined Access (no effect) Bit 7" + "5128": "Undefined Access (no effect) Bit 8" + "5129": "Undefined Access (no effect) Bit 9" + "5130": "Undefined Access (no effect) Bit 10" + "5131": "Undefined Access (no effect) Bit 11" + "5132": "Undefined Access (no effect) Bit 12" + "5133": "Undefined Access (no effect) Bit 13" + "5134": "Undefined Access (no effect) Bit 14" + "5135": "Undefined Access (no effect) Bit 15" + "5136": "Assign process" + "5137": "Set Attributes" + "5138": "Query Attributes" + "5139": "Terminate Job" + "5140": "Set Security Attributes" + "5141": "Undefined Access (no effect) Bit 5" + "5142": "Undefined Access (no effect) Bit 6" + "5143": "Undefined Access (no effect) Bit 7" + "5144": "Undefined Access (no effect) Bit 8" + "5145": "Undefined Access (no effect) Bit 9" + "5146": "Undefined Access (no effect) Bit 10" + "5147": "Undefined Access (no effect) Bit 11" + "5148": "Undefined Access (no effect) Bit 12" + "5149": "Undefined Access (no effect) Bit 13" + "5150": "Undefined Access (no effect) Bit 14" + "5151": "Undefined Access (no effect) Bit 15" + "5376": "ConnectToServer" + "5377": "ShutdownServer" + "5378": "InitializeServer" + "5379": "CreateDomain" + "5380": "EnumerateDomains" + "5381": "LookupDomain" + "5382": "Undefined Access (no effect) Bit 6" + "5383": "Undefined Access (no effect) Bit 7" + "5384": "Undefined Access (no effect) Bit 8" + "5385": "Undefined Access (no effect) Bit 9" + "5386": "Undefined Access (no effect) Bit 10" + "5387": "Undefined Access (no effect) Bit 11" + "5388": "Undefined Access (no effect) Bit 12" + "5389": "Undefined Access (no effect) Bit 13" + "5390": "Undefined Access (no effect) Bit 14" + "5391": "Undefined Access (no effect) Bit 15" + "5392": "ReadPasswordParameters" + "5393": "WritePasswordParameters" + "5394": "ReadOtherParameters" + "5395": 
"WriteOtherParameters" + "5396": "CreateUser" + "5397": "CreateGlobalGroup" + "5398": "CreateLocalGroup" + "5399": "GetLocalGroupMembership" + "5400": "ListAccounts" + "5401": "LookupIDs" + "5402": "AdministerServer" + "5403": "Undefined Access (no effect) Bit 11" + "5404": "Undefined Access (no effect) Bit 12" + "5405": "Undefined Access (no effect) Bit 13" + "5406": "Undefined Access (no effect) Bit 14" + "5407": "Undefined Access (no effect) Bit 15" + "5408": "ReadInformation" + "5409": "WriteAccount" + "5410": "AddMember" + "5411": "RemoveMember" + "5412": "ListMembers" + "5413": "Undefined Access (no effect) Bit 5" + "5414": "Undefined Access (no effect) Bit 6" + "5415": "Undefined Access (no effect) Bit 7" + "5416": "Undefined Access (no effect) Bit 8" + "5417": "Undefined Access (no effect) Bit 9" + "5418": "Undefined Access (no effect) Bit 10" + "5419": "Undefined Access (no effect) Bit 11" + "5420": "Undefined Access (no effect) Bit 12" + "5421": "Undefined Access (no effect) Bit 13" + "5422": "Undefined Access (no effect) Bit 14" + "5423": "Undefined Access (no effect) Bit 15" + "5424": "AddMember" + "5425": "RemoveMember" + "5426": "ListMembers" + "5427": "ReadInformation" + "5428": "WriteAccount" + "5429": "Undefined Access (no effect) Bit 5" + "5430": "Undefined Access (no effect) Bit 6" + "5431": "Undefined Access (no effect) Bit 7" + "5432": "Undefined Access (no effect) Bit 8" + "5433": "Undefined Access (no effect) Bit 9" + "5434": "Undefined Access (no effect) Bit 10" + "5435": "Undefined Access (no effect) Bit 11" + "5436": "Undefined Access (no effect) Bit 12" + "5437": "Undefined Access (no effect) Bit 13" + "5438": "Undefined Access (no effect) Bit 14" + "5439": "Undefined Access (no effect) Bit 15" + "5440": "ReadGeneralInformation" + "5441": "ReadPreferences" + "5442": "WritePreferences" + "5443": "ReadLogon" + "5444": "ReadAccount" + "5445": "WriteAccount" + "5446": "ChangePassword (with knowledge of old password)" + "5447": "SetPassword 
(without knowledge of old password)" + "5448": "ListGroups" + "5449": "ReadGroupMembership" + "5450": "ChangeGroupMembership" + "5451": "Undefined Access (no effect) Bit 11" + "5452": "Undefined Access (no effect) Bit 12" + "5453": "Undefined Access (no effect) Bit 13" + "5454": "Undefined Access (no effect) Bit 14" + "5455": "Undefined Access (no effect) Bit 15" + "5632": "View non-sensitive policy information" + "5633": "View system audit requirements" + "5634": "Get sensitive policy information" + "5635": "Modify domain trust relationships" + "5636": "Create special accounts (for assignment of user rights)" + "5637": "Create a secret object" + "5638": "Create a privilege" + "5639": "Set default quota limits" + "5640": "Change system audit requirements" + "5641": "Administer audit log attributes" + "5642": "Enable/Disable LSA" + "5643": "Lookup Names/SIDs" + "5648": "Change secret value" + "5649": "Query secret value" + "5650": "Undefined Access (no effect) Bit 2" + "5651": "Undefined Access (no effect) Bit 3" + "5652": "Undefined Access (no effect) Bit 4" + "5653": "Undefined Access (no effect) Bit 5" + "5654": "Undefined Access (no effect) Bit 6" + "5655": "Undefined Access (no effect) Bit 7" + "5656": "Undefined Access (no effect) Bit 8" + "5657": "Undefined Access (no effect) Bit 9" + "5658": "Undefined Access (no effect) Bit 10" + "5659": "Undefined Access (no effect) Bit 11" + "5660": "Undefined Access (no effect) Bit 12" + "5661": "Undefined Access (no effect) Bit 13" + "5662": "Undefined Access (no effect) Bit 14" + "5663": "Undefined Access (no effect) Bit 15" + "5664": "Query trusted domain name/SID" + "5665": "Retrieve the controllers in the trusted domain" + "5666": "Change the controllers in the trusted domain" + "5667": "Query the Posix ID offset assigned to the trusted domain" + "5668": "Change the Posix ID offset assigned to the trusted domain" + "5669": "Undefined Access (no effect) Bit 5" + "5670": "Undefined Access (no effect) Bit 6" + "5671": 
"Undefined Access (no effect) Bit 7" + "5672": "Undefined Access (no effect) Bit 8" + "5673": "Undefined Access (no effect) Bit 9" + "5674": "Undefined Access (no effect) Bit 10" + "5675": "Undefined Access (no effect) Bit 11" + "5676": "Undefined Access (no effect) Bit 12" + "5677": "Undefined Access (no effect) Bit 13" + "5678": "Undefined Access (no effect) Bit 14" + "5679": "Undefined Access (no effect) Bit 15" + "5680": "Query account information" + "5681": "Change privileges assigned to account" + "5682": "Change quotas assigned to account" + "5683": "Change logon capabilities assigned to account" + "5684": "Change the Posix ID offset assigned to the accounted domain" + "5685": "Undefined Access (no effect) Bit 5" + "5686": "Undefined Access (no effect) Bit 6" + "5687": "Undefined Access (no effect) Bit 7" + "5688": "Undefined Access (no effect) Bit 8" + "5689": "Undefined Access (no effect) Bit 9" + "5690": "Undefined Access (no effect) Bit 10" + "5691": "Undefined Access (no effect) Bit 11" + "5692": "Undefined Access (no effect) Bit 12" + "5693": "Undefined Access (no effect) Bit 13" + "5694": "Undefined Access (no effect) Bit 14" + "5695": "Undefined Access (no effect) Bit 15" + "5696": "KeyedEvent Wait" + "5697": "KeyedEvent Wake" + "5698": "Undefined Access (no effect) Bit 2" + "5699": "Undefined Access (no effect) Bit 3" + "5700": "Undefined Access (no effect) Bit 4" + "5701": "Undefined Access (no effect) Bit 5" + "5702": "Undefined Access (no effect) Bit 6" + "5703": "Undefined Access (no effect) Bit 7" + "5704": "Undefined Access (no effect) Bit 8" + "5705": "Undefined Access (no effect) Bit 9" + "5706": "Undefined Access (no effect) Bit 10" + "5707": "Undefined Access (no effect) Bit 11" + "5708": "Undefined Access (no effect) Bit 12" + "5709": "Undefined Access (no effect) Bit 13" + "5710": "Undefined Access (no effect) Bit 14" + "5711": "Undefined Access (no effect) Bit 15" + "6656": "Enumerate desktops" + "6657": "Read attributes" + "6658": 
"Access Clipboard" + "6659": "Create desktop" + "6660": "Write attributes" + "6661": "Access global atoms" + "6662": "Exit windows" + "6663": "Unused Access Flag" + "6664": "Include this windowstation in enumerations" + "6665": "Read screen" + "6672": "Read Objects" + "6673": "Create window" + "6674": "Create menu" + "6675": "Hook control" + "6676": "Journal (record)" + "6677": "Journal (playback)" + "6678": "Include this desktop in enumerations" + "6679": "Write objects" + "6680": "Switch to this desktop" + "6912": "Administer print server" + "6913": "Enumerate printers" + "6930": "Full Control" + "6931": "Print" + "6948": "Administer Document" + "7168": "Connect to service controller" + "7169": "Create a new service" + "7170": "Enumerate services" + "7171": "Lock service database for exclusive access" + "7172": "Query service database lock state" + "7173": "Set last-known-good state of service database" + "7184": "Query service configuration information" + "7185": "Set service configuration information" + "7186": "Query status of service" + "7187": "Enumerate dependencies of service" + "7188": "Start the service" + "7189": "Stop the service" + "7190": "Pause or continue the service" + "7191": "Query information from service" + "7192": "Issue service-specific control commands" + "7424": "DDE Share Read" + "7425": "DDE Share Write" + "7426": "DDE Share Initiate Static" + "7427": "DDE Share Initiate Link" + "7428": "DDE Share Request" + "7429": "DDE Share Advise" + "7430": "DDE Share Poke" + "7431": "DDE Share Execute" + "7432": "DDE Share Add Items" + "7433": "DDE Share List Items" + "7680": "Create Child" + "7681": "Delete Child" + "7682": "List Contents" + "7683": "Write Self" + "7684": "Read Property" + "7685": "Write Property" + "7686": "Delete Tree" + "7687": "List Object" + "7688": "Control Access" + "7689": "Undefined Access (no effect) Bit 9" + "7690": "Undefined Access (no effect) Bit 10" + "7691": "Undefined Access (no effect) Bit 11" + "7692": "Undefined 
Access (no effect) Bit 12" + "7693": "Undefined Access (no effect) Bit 13" + "7694": "Undefined Access (no effect) Bit 14" + "7695": "Undefined Access (no effect) Bit 15" + "7936": "Audit Set System Policy" + "7937": "Audit Query System Policy" + "7938": "Audit Set Per User Policy" + "7939": "Audit Query Per User Policy" + "7940": "Audit Enumerate Users" + "7941": "Audit Set Options" + "7942": "Audit Query Options" + "8064": "Port sharing (read)" + "8065": "Port sharing (write)" + "8096": "Default credentials" + "8097": "Credentials manager" + "8098": "Fresh credentials" + "8192": "Kerberos" + "8193": "Preshared key" + "8194": "Unknown authentication" + "8195": "DES" + "8196": "3DES" + "8197": "MD5" + "8198": "SHA1" + "8199": "Local computer" + "8200": "Remote computer" + "8201": "No state" + "8202": "Sent first (SA) payload" + "8203": "Sent second (KE) payload" + "8204": "Sent third (ID) payload" + "8205": "Initiator" + "8206": "Responder" + "8207": "No state" + "8208": "Sent first (SA) payload" + "8209": "Sent final payload" + "8210": "Complete" + "8211": "Unknown" + "8212": "Transport" + "8213": "Tunnel" + "8214": "IKE/AuthIP DoS prevention mode started" + "8215": "IKE/AuthIP DoS prevention mode stopped" + "8216": "Enabled" + "8217": "Not enabled" + "8218": "No state" + "8219": "Sent first (EM attributes) payload" + "8220": "Sent second (SSPI) payload" + "8221": "Sent third (hash) payload" + "8222": "IKEv1" + "8223": "AuthIP" + "8224": "Anonymous" + "8225": "NTLM V2" + "8226": "CGA" + "8227": "Certificate" + "8228": "SSL" + "8229": "None" + "8230": "DH group 1" + "8231": "DH group 2" + "8232": "DH group 14" + "8233": "DH group ECP 256" + "8234": "DH group ECP 384" + "8235": "AES-128" + "8236": "AES-192" + "8237": "AES-256" + "8238": "Certificate ECDSA P256" + "8239": "Certificate ECDSA P384" + "8240": "SSL ECDSA P256" + "8241": "SSL ECDSA P384" + "8242": "SHA 256" + "8243": "SHA 384" + "8244": "IKEv2" + "8245": "EAP payload sent" + "8246": "Authentication 
payload sent" + "8247": "EAP" + "8248": "DH group 24" + "8272": "System" + "8273": "Logon/Logoff" + "8274": "Object Access" + "8275": "Privilege Use" + "8276": "Detailed Tracking" + "8277": "Policy Change" + "8278": "Account Management" + "8279": "DS Access" + "8280": "Account Logon" + "8448": "Success removed" + "8449": "Success Added" + "8450": "Failure removed" + "8451": "Failure Added" + "8452": "Success include removed" + "8453": "Success include added" + "8454": "Success exclude removed" + "8455": "Success exclude added" + "8456": "Failure include removed" + "8457": "Failure include added" + "8458": "Failure exclude removed" + "8459": "Failure exclude added" + "12288": "Security State Change" + "12289": "Security System Extension" + "12290": "System Integrity" + "12291": "IPsec Driver" + "12292": "Other System Events" + "12544": "Logon" + "12545": "Logoff" + "12546": "Account Lockout" + "12547": "IPsec Main Mode" + "12548": "Special Logon" + "12549": "IPsec Quick Mode" + "12550": "IPsec Extended Mode" + "12551": "Other Logon/Logoff Events" + "12552": "Network Policy Server" + "12553": "User / Device Claims" + "12554": "Group Membership" + "12800": "File System" + "12801": "Registry" + "12802": "Kernel Object" + "12803": "SAM" + "12804": "Other Object Access Events" + "12805": "Certification Services" + "12806": "Application Generated" + "12807": "Handle Manipulation" + "12808": "File Share" + "12809": "Filtering Platform Packet Drop" + "12810": "Filtering Platform Connection" + "12811": "Detailed File Share" + "12812": "Removable Storage" + "12813": "Central Policy Staging" + "13056": "Sensitive Privilege Use" + "13057": "Non Sensitive Privilege Use" + "13058": "Other Privilege Use Events" + "13312": "Process Creation" + "13313": "Process Termination" + "13314": "DPAPI Activity" + "13315": "RPC Events" + "13316": "Plug and Play Events" + "13317": "Token Right Adjusted Events" + "13568": "Audit Policy Change" + "13569": "Authentication Policy Change" + 
"13570": "Authorization Policy Change" + "13571": "MPSSVC Rule-Level Policy Change" + "13572": "Filtering Platform Policy Change" + "13573": "Other Policy Change Events" + "13824": "User Account Management" + "13825": "Computer Account Management" + "13826": "Security Group Management" + "13827": "Distribution Group Management" + "13828": "Application Group Management" + "13829": "Other Account Management Events" + "14080": "Directory Service Access" + "14081": "Directory Service Changes" + "14082": "Directory Service Replication" + "14083": "Detailed Directory Service Replication" + "14336": "Credential Validation" + "14337": "Kerberos Service Ticket Operations" + "14338": "Other Account Logon Events" + "14339": "Kerberos Authentication Service" + "14592": "Inbound" + "14593": "Outbound" + "14594": "Forward" + "14595": "Bidirectional" + "14596": "IP Packet" + "14597": "Transport" + "14598": "Forward" + "14599": "Stream" + "14600": "Datagram Data" + "14601": "ICMP Error" + "14602": "MAC 802.3" + "14603": "MAC Native" + "14604": "vSwitch" + "14608": "Resource Assignment" + "14609": "Listen" + "14610": "Receive/Accept" + "14611": "Connect" + "14612": "Flow Established" + "14614": "Resource Release" + "14615": "Endpoint Closure" + "14616": "Connect Redirect" + "14617": "Bind Redirect" + "14624": "Stream Packet" + "14640": "ICMP Echo-Request" + "14641": "vSwitch Ingress" + "14642": "vSwitch Egress" + "14672": "" + "14673": "[NULL]" + "14674": "Value Added" + "14675": "Value Deleted" + "14676": "Active Directory Domain Services" + "14677": "Active Directory Lightweight Directory Services" + "14678": "Yes" + "14679": "No" + "14680": "Value Added With Expiration Time" + "14681": "Value Deleted With Expiration Time" + "14688": "Value Auto Deleted With Expiration Time" + "16384": "Add" + "16385": "Delete" + "16386": "Boot-time" + "16387": "Persistent" + "16388": "Not persistent" + "16389": "Block" + "16390": "Permit" + "16391": "Callout" + "16392": "MD5" + "16393": "SHA-1" 
+ "16394": "SHA-256" + "16395": "AES-GCM 128" + "16396": "AES-GCM 192" + "16397": "AES-GCM 256" + "16398": "DES" + "16399": "3DES" + "16400": "AES-128" + "16401": "AES-192" + "16402": "AES-256" + "16403": "Transport" + "16404": "Tunnel" + "16405": "Responder" + "16406": "Initiator" + "16407": "AES-GMAC 128" + "16408": "AES-GMAC 192" + "16409": "AES-GMAC 256" + "16416": "AuthNoEncap Transport" + "16896": "Enable WMI Account" + "16897": "Execute Method" + "16898": "Full Write" + "16899": "Partial Write" + "16900": "Provider Write" + "16901": "Remote Access" + "16902": "Subscribe" + "16903": "Publish" + source: |- + if (ctx?.winlog?.event_data?.FailureReason != null) { + def code = ctx.winlog.event_data.FailureReason.replace("%%",""); + if (params.containsKey(code)) { + if (ctx?.winlog?.logon == null ) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + if (ctx?.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("reason", params[code]); + } + } + if (ctx?.winlog?.event_data?.AuditPolicyChanges != null) { + ArrayList results = new ArrayList(); + for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) { + def code = elem.replace("%%","").trim(); + if (params.containsKey(code)) { + results.add(params[code]); + } + } + if (results.length > 0) { + ctx.winlog.event_data.put("AuditPolicyChangesDescription", results); + } + } + if (ctx?.winlog?.event_data?.AccessMask != null) { + ArrayList results = new ArrayList(); + for (elem in ctx.winlog.event_data.AccessMask) { + def code = elem.replace("%%","").trim(); + if (params.containsKey(code)) { + results.add(params[code]); + } + } + if (results.length > 0) { + ctx.winlog.event_data.put("AccessMaskDescription", results); + } + } + - script: + lang: painless + ignore_failure: false + tag: 4625 and 4776 Set Status and SubStatus + description: 4625 and 4776 Set Status and SubStatus + params: + "0xc000005e": "There 
are currently no logon servers available to service the logon request." + "0xc0000064": "User logon with misspelled or bad user account" + "0xc000006a": "User logon with misspelled or bad password" + "0xc000006d": "This is either due to a bad username or authentication information" + "0xc000006e": "Unknown user name or bad password." + "0xc000006f": "User logon outside authorized hours" + "0xc0000070": "User logon from unauthorized workstation" + "0xc0000071": "User logon with expired password" + "0xc0000072": "User logon to account disabled by administrator" + "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation." + "0xc0000133": "Clocks between DC and other computer too far out of sync" + "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine" + "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed." + "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started." + "0xc0000193": "User logon with expired account" + "0xc0000224": "User is required to change password at next logon" + "0xc0000225": "Evidently a bug in Windows and not a risk" + "0xc0000234": "User logon with account locked" + "0xc00002ee": "Failure Reason: An Error occurred during Logon" + "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine." + "0xc0000371": "The local account store does not contain secret material for the specified account" + "0x0": "Status OK." 
+ source: |- + if (ctx?.winlog?.event_data?.Status == null || + ctx?.event?.code == null || + !["4625", "4776"].contains(ctx.event.code)) { + return; + } + if (params.containsKey(ctx.winlog.event_data.Status)) { + if (ctx?.winlog?.logon == null ) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + if (ctx?.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]); + } + if (ctx?.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) { + return; + } + if (ctx?.winlog?.logon == null ) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + if (ctx?.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]); + - script: + lang: painless + ignore_failure: false + tag: Set Trust Type + description: Set Trust Type + params: + "1": "TRUST_TYPE_DOWNLEVEL" + "2": "TRUST_TYPE_UPLEVEL" + "3": "TRUST_TYPE_MIT" + "4": "TRUST_TYPE_DCE" + source: |- + if (ctx?.winlog?.event_data?.TdoType == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoType)) { + return; + } + ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]); + - script: + lang: painless + ignore_failure: false + tag: Set Trust Direction + description: Set Trust Direction + params: + "0": "TRUST_DIRECTION_DISABLED" + "1": "TRUST_DIRECTION_INBOUND" + "2": "TRUST_DIRECTION_OUTBOUND" + "3": "TRUST_DIRECTION_BIDIRECTIONAL" + source: |- + if (ctx?.winlog?.event_data?.TdoDirection == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) { + return; + } + ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]); + - script: + lang: painless + ignore_failure: false + tag: Set Trust Attributes + description: Set Trust 
Attributes + params: + "0": "UNDEFINED" + "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE" + "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY" + "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN" + "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE" + "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION" + "32": "TRUST_ATTRIBUTE_WITHIN_FOREST" + "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" + "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION" + "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION" + "1024": "TRUST_ATTRIBUTE_PIM_TRUST" + source: |- + if (ctx?.winlog?.event_data?.TdoAttributes == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) { + return; + } + ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]); + - script: + lang: painless + ignore_failure: false + tag: Add Session Events + description: Add Session Events + source: |- + if (ctx?.event?.code == null || + !["4778", "4779"].contains(ctx.event.code)) { + return; + } + //AccountName to user.name and related.user + if (ctx?.winlog?.event_data?.AccountName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.event_data.AccountName); + if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) { + ctx.related.user.add(ctx.winlog.event_data.AccountName); + } + } + + //AccountDomain to user.domain + if (ctx?.winlog?.event_data?.AccountDomain != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.event_data.AccountDomain); + } + + //ClientAddress to source.ip and related.ip + if (ctx?.winlog?.event_data?.ClientAddress != null && + ctx.winlog.event_data.ClientAddress != "-") { + if (ctx?.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", 
hm); + } + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.ip == null) { + ArrayList al = new ArrayList(); + ctx.related.put("ip", al); + } + ctx.source.put("ip", ctx.winlog.event_data.ClientAddress); + if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) { + ctx.related.ip.add(ctx.winlog.event_data.ClientAddress); + } + } + + //ClientName to source.domain + if (ctx?.winlog?.event_data?.ClientName != null) { + if (ctx?.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("domain", ctx.winlog.event_data.ClientName); + } + + //LogonID to winlog.logon.id + if (ctx?.winlog?.event_data?.LogonID != null) { + if (ctx?.winlog?.logon == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID); + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User + description: Copy Target User + source: |- + if (ctx?.event?.code == null || + !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770", + "4771", "4776", "4964"].contains(ctx.event.code)) { + return; + } + + //TargetUserSid to user.id or user.target.id + if (ctx?.winlog?.event_data?.TargetUserSid != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.id == null) { + ctx.user.put("id", ctx.winlog.event_data.TargetUserSid); + } else { + if (ctx?.user?.target == null) { + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("id", ctx.winlog.event_data.TargetUserSid); + } + } + //TargetUserName to related.user and user.name or user.target.name + if (ctx?.winlog?.event_data?.TargetUserName != null) { + def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@"); + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.name == null) { + ctx.user.put("name", tun[0]); + } else { 
+ if (ctx?.user?.target == null) { + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("name", tun[0]); + } + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(tun[0])) { + ctx.related.user.add(tun[0]); + } + } + //TargetUserDomain to user.domain or user.target.domain + if (ctx?.winlog?.event_data?.TargetDomainName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.domain == null) { + ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName); + } else { + if (ctx?.user?.target == null){ + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName); + } + } + - script: + lang: painless + ignore_failure: false + tag: Copy MemberName to User and User to Group + description: Copy MemberName to User and User to Group + source: |- + if (ctx?.event?.code == null || + !["4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735", + "4737", "4744", "4745", "4746", "4747", "4748", "4749", "4750", "4751", + "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", "4760", + "4761", "4762", "4763", "4764", "4799"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.MemberName != null) { + def memberNameParts = ctx.winlog.event_data.MemberName.splitOnToken(","); + def memberName = memberNameParts[0].replace("CN=","").replace("cn=",""); + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.target == null){ + HashMap hm = new HashMap(); + ctx.user.put("target", 
hm); + } + ctx.user.target.put("name", memberName); + if (!ctx.related.user.contains(memberName)) { + ctx.related.user.add(memberName); + } + } + if (ctx?.winlog?.event_data?.TargetUserSid != null) { + if (ctx?.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("id", ctx.winlog.event_data.TargetUserSid); + } + if (ctx?.winlog?.event_data?.TargetSid != null) { + if (ctx?.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("id", ctx.winlog.event_data.TargetSid); + } + if (ctx?.winlog?.event_data?.TargetUserName != null) { + if (ctx?.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("name", ctx.winlog.event_data.TargetUserName); + } + if (ctx?.winlog?.event_data?.TargetDomainName != null) { + if (ctx?.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("domain", ctx.winlog.event_data.TargetDomainName); + } + if (ctx?.user?.target != null) { + if (ctx?.user?.target?.group == null) { + HashMap hm = new HashMap(); + ctx.user.target.put("group", hm); + } + if (ctx?.group?.id != null) { + ctx.user.target.group.put("id", ctx.group.id); + } + if (ctx?.group?.name != null) { + ctx.user.target.group.put("name", ctx.group.name); + } + if (ctx?.group?.domain != null) { + ctx.user.target.group.put("domain", ctx.group.domain); + } + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User to Computer Object + description: Copy Target User to Computer Object + source: |- + if (ctx?.event?.code == null || + !["4741", "4742", "4743"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.TargetSid != null) { + if (ctx?.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid); + } + if (ctx?.winlog?.event_data?.TargetUserName != null) { + if 
(ctx?.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName); + } + if (ctx?.winlog?.event_data?.TargetDomainName != null) { + if (ctx?.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName); + } + + - set: + field: winlog.logon.id + copy_from: winlog.event_data.TargetLogonId + ignore_failure: false + if: ctx?.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code) + + - script: + lang: painless + ignore_failure: false + tag: Copy Subject User from Event Data + description: Copy Subject User from Event Data + source: |- + if (ctx?.event?.code == null || + !["4657", "4670", "4672", "4673", "4674", "4688", "4689", "4697", + "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713", + "4716", "4717", "4718", "4719", "4720", "4722", "4723", "4724", + "4725", "4726", "4727", "4728", "4729", "4730", "4731", "4732", + "4733", "4734", "4735", "4737", "4738", "4739", "4740", "4741", + "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749", + "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", + "4758", "4759", "4760", "4761", "4762", "4763", "4764", "4767", + "4781", "4798", "4799", "4817", "4904", "4905", "4907", "4912"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.SubjectUserSid != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid); + } + if (ctx?.winlog?.event_data?.SubjectUserName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + 
ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.event_data.SubjectUserName); + if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) { + ctx.related.user.add(ctx.winlog.event_data.SubjectUserName); + } + } + if (ctx?.winlog?.event_data?.SubjectDomainName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName); + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Subject User from user_data + description: Copy Subject User from user_data + source: |- + if (ctx?.event?.code == null || + !["1102"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.user_data?.SubjectUserSid != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid); + } + if (ctx?.winlog?.user_data?.SubjectUserName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.user_data.SubjectUserName); + if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) { + ctx.related.user.add(ctx.winlog.user_data.SubjectUserName); + } + } + if (ctx?.winlog?.user_data?.SubjectDomainName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName); + } + + - set: + field: winlog.logon.id + copy_from: winlog.event_data.SubjectLogonId + ignore_failure: true + + - set: + field: winlog.logon.id + copy_from: winlog.user_data.SubjectLogonId + ignore_failure: true + if: |- + ctx?.event?.code != null && + ["1102"].contains(ctx.event.code) + + - script: + lang: painless + ignore_failure: false + 
tag: Rename Common Auth Fields + description: Rename Common Auth Fields + source: |- + if (ctx?.event?.code == null || + !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625", + "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722", + "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730", + "4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740", + "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", + "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756", + "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764", + "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817", + "4904", "4905", "4907", "4912"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.ProcessId != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.put("pid", pid.longValue()); + } else { + ctx.process.put("pid", ctx.winlog.event_data.ProcessId); + } + ctx.winlog.event_data.remove("ProcessId"); + } + if (ctx?.winlog?.event_data?.ProcessName != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("executable", ctx.winlog.event_data.ProcessName); + ctx.winlog.event_data.remove("ProcessName"); + } + if (ctx?.winlog?.event_data?.IpAddress != null && + ctx.winlog.event_data.IpAddress != "-") { + if (ctx?.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("ip", ctx.winlog.event_data.IpAddress); + ctx.winlog.event_data.remove("IpAddress"); + } + if (ctx?.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") { + if (ctx?.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort)); + ctx.winlog.event_data.remove("IpPort"); + } + if 
(ctx?.winlog?.event_data?.WorkstationName != null) { + if (ctx?.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("domain", ctx.winlog.event_data.WorkstationName); + ctx.winlog.event_data.remove("WorkstationName"); + } + if (ctx?.winlog?.event_data?.ClientAddress != null && + ctx.winlog.event_data.ClientAddress != "-") { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + ctx.related.put("ip", ctx.winlog.event_data.ClientAddress); + ctx.winlog.event_data.remove("ClientAddress"); + } + if (ctx?.process?.name == null && ctx?.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + + - script: + lang: painless + ignore_failure: false + tag: Process Event 4688 + description: Process Event 4688 + source: |- + if (ctx?.event?.code == null || + !["4688"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.NewProcessId != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.winlog.event_data.NewProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.NewProcessId); + ctx.process.put("pid", pid.longValue()); + } else { + ctx.process.put("pid", ctx.winlog.event_data.NewProcessId); + } + ctx.winlog.event_data.remove("NewProcessId"); + } + if (ctx?.winlog?.event_data?.NewProcessName != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("executable", ctx.winlog.event_data.NewProcessName); + ctx.winlog.event_data.remove("NewProcessName"); + } + if (ctx?.winlog?.event_data?.ParentProcessName != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx?.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + ctx.process.parent.put("executable", 
ctx.winlog.event_data.ParentProcessName); + ctx.winlog.event_data.remove("ParentProcessName"); + } + if (ctx?.process?.name == null && ctx?.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + if (ctx?.process?.parent?.name == null && ctx?.process?.parent?.executable != null) { + def parts = ctx.process.parent.executable.splitOnToken("\\"); + ctx.process.parent.put("name", parts[-1]); + } + if (ctx?.winlog?.event_data?.ProcessId != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx?.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.parent.put("pid", pid.longValue()); + } else { + ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId); + } + } + if (ctx?.winlog?.event_data?.CommandLine != null) { + int start = 0; + int end = 0; + boolean in_quote = false; + ArrayList al = new ArrayList(); + for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) { + end = i; + if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) { + if (in_quote) { + in_quote = false; + } else { + in_quote = true; + } + } + if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end)); + start = i + 1; + } + if (i == ctx.winlog.event_data.CommandLine.length() - 1) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1)); + } + } + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("args", al); + ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); + } + if ((ctx?.winlog?.event_data?.TargetUserName != null) && + (!ctx.winlog.event_data.TargetUserName.equals("-"))) 
{
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) {
+ ctx.related.user.add(ctx.winlog.event_data.TargetUserName);
+ }
+ }
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.SubjectUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.event?.code != null &&
+ ["4624", "4648"].contains(ctx.event.code) &&
+ ctx?.winlog?.event_data?.SubjectUserName != null &&
+ ctx.winlog.event_data.SubjectUserName != "-"
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.TargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.event?.code != null &&
+ ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738",
+ "4740", "4767", "4798"].contains(ctx.event.code) &&
+ ctx?.winlog?.event_data?.TargetUserName != null &&
+ ctx.winlog.event_data.TargetUserName != "-"
+
+ - split:
+ field: winlog.event_data.PrivilegeList
+ separator: "\\s+"
+ if: |-
+ ctx?.event?.code != null &&
+ ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) &&
+ ctx?.winlog?.event_data?.PrivilegeList != null
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.NewTargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.winlog?.event_data?.NewTargetUserName != null &&
+ ctx.winlog.event_data.NewTargetUserName != "-"
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.OldTargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.winlog?.event_data?.OldTargetUserName != null &&
+ ctx.winlog.event_data.OldTargetUserName != "-"
+
+ - gsub:
+ field: source.ip
+ pattern: "::ffff:"
+ replacement: ""
+ ignore_missing: true
+
+ - append:
+ field: related.ip
+ value: '{{source.ip}}'
+ allow_duplicates: false
+ if: |-
+ ctx?.source?.ip != null &&
+ ctx.source.ip != "-"
+
+ - script:
+ lang: painless
+ ignore_failure: false
+
tag: Object Policy Change and SidListDesc
+ description: Object Policy Change and SidListDesc
+ params:
+ AccountSIDDescription:
+ AO: Account operators
+ RU: Alias to allow previous Windows 2000
+ AN: Anonymous logon
+ AU: Authenticated users
+ BA: Built-in administrators
+ BG: Built-in guests
+ BO: Backup operators
+ BU: Built-in users
+ CA: Certificate server administrators
+ CG: Creator group
+ CO: Creator owner
+ DA: Domain administrators
+ DC: Domain computers
+ DD: Domain controllers
+ DG: Domain guests
+ DU: Domain users
+ EA: Enterprise administrators
+ ED: Enterprise domain controllers
+ WD: Everyone
+ PA: Group Policy administrators
+ IU: Interactively logged-on user
+ LA: Local administrator
+ LG: Local guest
+ LS: Local service account
+ SY: Local system
+ NU: Network logon user
+ NO: Network configuration operators
+ NS: Network service account
+ PO: Printer operators
+ PS: Personal self
+ PU: Power users
+ RS: RAS servers group
+ RD: Terminal server users
+ RE: Replicator
+ RC: Restricted code
+ SA: Schema administrators
+ SO: Server operators
+ SU: Service logon user
+ S-1-0: Null Authority
+ S-1-0-0: Nobody
+ S-1-1: World Authority
+ S-1-1-0: Everyone
+ S-1-16-0: Untrusted Mandatory Level
+ S-1-16-12288: High Mandatory Level
+ S-1-16-16384: System Mandatory Level
+ S-1-16-20480: Protected Process Mandatory Level
+ S-1-16-28672: Secure Process Mandatory Level
+ S-1-16-4096: Low Mandatory Level
+ S-1-16-8192: Medium Mandatory Level
+ S-1-16-8448: Medium Plus Mandatory Level
+ S-1-2: Local Authority
+ S-1-2-0: Local
+ S-1-2-1: Console Logon
+ S-1-3: Creator Authority
+ S-1-3-0: Creator Owner
+ S-1-3-1: Creator Group
+ S-1-3-2: Creator Owner Server
+ S-1-3-3: Creator Group Server
+ S-1-3-4: Owner Rights
+ S-1-4: Non-unique Authority
+ S-1-5: NT Authority
+ S-1-5-1: Dialup
+ S-1-5-10: Principal Self
+ S-1-5-11: Authenticated Users
+ S-1-5-12: Restricted Code
+ S-1-5-13: Terminal Server Users
+ S-1-5-14: Remote Interactive Logon
+ S-1-5-15: This
Organization
+ S-1-5-17: This Organization
+ S-1-5-18: Local System
+ S-1-5-19: NT Authority
+ S-1-5-2: Network
+ S-1-5-20: NT Authority
+ S-1-5-3: Batch
+ S-1-5-32-544: Administrators
+ S-1-5-32-545: Users
+ S-1-5-32-546: Guests
+ S-1-5-32-547: Power Users
+ S-1-5-32-548: Account Operators
+ S-1-5-32-549: Server Operators
+ S-1-5-32-550: Print Operators
+ S-1-5-32-551: Backup Operators
+ S-1-5-32-552: Replicators
+ S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access
+ S-1-5-32-555: Builtin\Remote Desktop Users
+ S-1-5-32-556: Builtin\Network Configuration Operators
+ S-1-5-32-557: Builtin\Incoming Forest Trust Builders
+ S-1-5-32-558: Builtin\Performance Monitor Users
+ S-1-5-32-559: Builtin\Performance Log Users
+ S-1-5-32-560: Builtin\Windows Authorization Access Group
+ S-1-5-32-561: Builtin\Terminal Server License Servers
+ S-1-5-32-562: Builtin\Distributed COM Users
+ S-1-5-32-569: Builtin\Cryptographic Operators
+ S-1-5-32-573: Builtin\Event Log Readers
+ S-1-5-32-574: Builtin\Certificate Service DCOM Access
+ S-1-5-32-575: Builtin\RDS Remote Access Servers
+ S-1-5-32-576: Builtin\RDS Endpoint Servers
+ S-1-5-32-577: Builtin\RDS Management Servers
+ S-1-5-32-578: Builtin\Hyper-V Administrators
+ S-1-5-32-579: Builtin\Access Control Assistance Operators
+ S-1-5-32-580: Builtin\Remote Management Users
+ S-1-5-32-582: Storage Replica Administrators
+ S-1-5-4: Interactive
+ S-1-5-5-X-Y: Logon Session
+ S-1-5-6: Service
+ S-1-5-64-10: NTLM Authentication
+ S-1-5-64-14: SChannel Authentication
+ S-1-5-64-21: Digest Authentication
+ S-1-5-7: Anonymous
+ S-1-5-8: Proxy
+ S-1-5-80: NT Service
+ S-1-5-80-0: All Services
+ S-1-5-83-0: NT Virtual Machine\Virtual Machines
+ S-1-5-9: Enterprise Domain Controllers
+ S-1-5-90-0: Windows Manager\Windows Manager Group
+ AceTypes:
+ A: Access Allowed
+ D: Access Denied
+ OA: Object Access Allowed
+ OD: Object Access Denied
+ AU: System Audit
+ AL: System Alarm
+ OU: System Object Audit
+ OL: System Object Alarm
+ ML:
System Mandatory Label
+ SP: Central Policy ID
+ DomainSpecificSID:
+ "498": Enterprise Read-only Domain Controllers
+ "500": Administrator
+ "501": Guest
+ "502": KRBTGT
+ "512": Domain Admins
+ "513": Domain Users
+ "514": Domain Guests
+ "515": Domain Computers
+ "516": Domain Controllers
+ "517": Cert Publishers
+ "518": Schema Admins
+ "519": Enterprise Admins
+ "520": Group Policy Creator Owners
+ "521": Read-only Domain Controllers
+ "522": Cloneable Domain Controllers
+ "526": Key Admins
+ "527": Enterprise Key Admins
+ "553": RAS and IAS Servers
+ "571": Allowed RODC Password Replication Group
+ "572": Denied RODC Password Replication Group
+ PermissionDescription:
+ GA: Generic All
+ GR: Generic Read
+ GW: Generic Write
+ GX: Generic Execute
+ RC: Read Permissions
+ SD: Delete
+ WD: Modify Permissions
+ WO: Modify Owner
+ RP: Read All Properties
+ WP: Write All Properties
+ CC: Create All Child Objects
+ DC: Delete All Child Objects
+ LC: List Contents
+ SW: All Validated
+ LO: List Object
+ DT: Delete Subtree
+ CR: All Extended Rights
+ FA: File All Access
+ FR: File Generic Read
+ FX: FILE GENERIC EXECUTE
+ FW: FILE GENERIC WRITE
+ KA: KEY ALL ACCESS
+ KR: KEY READ
+ KW: KEY WRITE
+ KX: KEY EXECUTE
+ PermsFlags:
+ "0x80000000": 'Generic Read'
+ "0x4000000": 'Generic Write'
+ "0x20000000": 'Generic Execute'
+ "0x10000000": 'Generic All'
+ "0x02000000": 'Maximum Allowed'
+ "0x01000000": 'Access System Security'
+ "0x00100000": 'Syncronize'
+ "0x00080000": 'Write Owner'
+ "0x00040000": 'Write DACL'
+ "0x00020000": 'Read Control'
+ "0x00010000": 'Delete'
+ source: |-
+ ArrayList translatePermissionMask(def mask, def params) {
+ ArrayList al = new ArrayList();
+ Long permCode = Long.decode(mask);
+ for (entry in params.PermsFlags.entrySet()) {
+ Long permFlag = Long.decode(entry.getKey());
+ if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) {
+ al.add(entry.getValue());
+ }
+ }
+ if (al.length == 0) {
+ al.add(mask);
+ }
+ return al;
+ } + + HashMap translateACL(def dacl, def params) { + def aceArray = dacl.splitOnToken(";"); + HashMap hm = new HashMap(); + + if (aceArray.length >= 6 ) { + hm.put("grantee", translateSID(aceArray[5], params)); + } + + if (aceArray.length >= 1) { + hm.put("type", params.AceTypes[aceArray[0]]); + } + + if (aceArray.length >= 3) { + if (aceArray[2].startsWith("0x")) { + hm.put("perms", translatePermissionMask(aceArray[2], params)); + } else { + ArrayList al = new ArrayList(); + Pattern permPattern = /.{1,2}/; + Matcher permMatcher = permPattern.matcher(aceArray[2]); + while (permMatcher.find()) { + al.add(params.PermissionDescription[permMatcher.group(0)]); + } + hm.put("perms", al); + } + } + return hm; + } + String translateSID(def sid, def params) { + if (!params.AccountSIDDescription.containsKey(sid)) { + if (sid.startsWith("S-1-5-21")) { + Pattern uidPattern = /[0-9]{1,5}$/; + Matcher uidMatcher = uidPattern.matcher(sid); + if (uidMatcher.find()) { + return params.DomainSpecificSID[uidMatcher.group(0)]; + } + return sid; + } + return sid; + } + return params.AccountSIDDescription[sid]; + } + + + void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { + Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; + Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); + if (sdOwnerMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); + } + + Pattern sdGroupPattern = /^G\:[A-Z]{2}/; + Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); + if (sdGroupMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); + } + + Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; + Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); + if (sdDaclMatcher.find()) { + Pattern dacListPattern = /\([^*\)]*\)/; + Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); + for (def i = 0; dacListMatcher.find(); i++) { + def newDacl = 
translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newDacl['grantee'])) { + ctx.related.user.add(newDacl['grantee']); + } + } + } + } + + Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; + Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); + if (sdSaclMatcher.find()) { + Pattern sacListPattern = /\([^*\)]*\)/; + Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); + for (def i = 0; sacListMatcher.find(); i++) { + def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + newSacl['type'] + " (" + newSacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newSacl['grantee'])) { + ctx.related.user.add(newSacl['grantee']); + } + } + } + } + } + + void splitSidList(def sids, def params, def ctx) { + ArrayList al = new ArrayList(); + def sidList = sids.splitOnToken(" "); + ctx.winlog.event_data.put("SidList", sidList); + for (def i = 0; i < sidList.length; i++ ) { + al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); + } + ctx.winlog.event_data.put("SidListDesc", al); + } + + if (ctx?.event?.code == null || + !["4670", "4817", "4907", 
"4908"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.OldSd != null) {
+ enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx);
+ }
+ if (ctx?.winlog?.event_data?.NewSd != null) {
+ enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx);
+ }
+ if (ctx?.winlog?.event_data?.SidList != null) {
+ splitSidList(ctx.winlog.event_data.SidList, params, ctx);
+ }
+
+ - convert:
+ field: winlog.record_id
+ type: string
+ ignore_missing: true
+
+ - convert:
+ field: winlog.event_id
+ type: string
+ ignore_missing: true
+
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+
+ - set:
+ field: log.level
+ copy_from: winlog.level
+ ignore_empty_value: true
+ ignore_failure: true
+ if: ctx?.winlog?.level != ""
+
+ - date:
+ field: winlog.time_created
+ formats:
+ - ISO8601
+ ignore_failure: true
+ if: ctx?.winlog?.time_created != null
+
+on_failure:
+ - set:
+ field: error.message
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml
new file mode 100755
index 0000000000..0a999ecaef
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml
@@ -0,0 +1,1254 @@
+---
+description: Pipeline for Windows Sysmon Event Logs
+processors:
+## ECS and Event fields.
+
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: winlog.level
+ target_field: log.level
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.level != ""
+ - date:
+ field: winlog.time_created
+ target_field: event.created
+ formats:
+ - ISO8601
+ ignore_failure: true
+ if: ctx?.winlog?.time_created != null
+ - date:
+ field: winlog.event_data.UtcTime
+ formats:
+ - yyyy-MM-dd HH:mm:ss.SSS
+ timezone: UTC
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.UtcTime != null
+
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.code
+ value: '{{winlog.event_id}}'
+
+ - script:
+ description: Set event category and type for all event types.
+ lang: painless
+ params:
+ "1":
+ category:
+ - process
+ type:
+ - start
+ "2":
+ category:
+ - file
+ type:
+ - change
+ "3":
+ category:
+ - network
+ type:
+ - start
+ - connection
+ - protocol
+ "4":
+ category:
+ - process
+ type:
+ - change
+ "5":
+ category:
+ - process
+ type:
+ - end
+ "6":
+ category:
+ - driver
+ type:
+ - start
+ "7":
+ category:
+ - process
+ type:
+ - change
+ "10":
+ category:
+ - process
+ type:
+ - access
+ "11":
+ category:
+ - file
+ type:
+ - creation
+ "12":
+ category:
+ - configuration
+ - registry
+ type:
+ - change
+ "13":
+ category:
+ - configuration
+ - registry
+ type:
+ - change
+ "14":
+ category:
+ - configuration
+ - registry
+ type:
+ - change
+ "15":
+ category:
+ - file
+ type:
+ - access
+ "16":
+ category:
+ - configuration
+ type:
+ - change
+ "17":
+ category:
+ - file
+ type:
+ - creation
+ "18":
+ category:
+ - file
+ type:
+ - access
+ "22":
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ - info
+ "23":
+ category:
+ - file
+ type:
+ - deletion
+ "24":
+ type:
+ - change
+ "25":
+ category:
+ - process
+ type:
+ - change
+ "26":
+ category:
+ - file
+ type:
+ - deletion
+ tag: Set ECS
categorization fields
+ source: |-
+ if (ctx?.event?.code == null || params.get(ctx.event.code) == null) {
+ return;
+ }
+ def hm = new HashMap(params[ctx.event.code]);
+ hm.forEach((k, v) -> ctx.event[k] = v);
+ - convert:
+ field: winlog.record_id
+ type: string
+ ignore_failure: true
+ ignore_missing: true
+
+ - rename:
+ field: winlog.event_data.ID
+ target_field: error.code
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx.event.code == "255" && ctx.winlog?.event_data?.ID != null && ctx.winlog?.event_data?.ID != ""
+
+ - rename:
+ field: winlog.event_data.RuleName
+ target_field: rule.name
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.RuleName != null && ctx?.winlog?.event_data?.RuleName != "" && ctx?.winlog?.event_data?.RuleName != "-"
+
+
+ - rename:
+ field: winlog.event_data.Type
+ target_field: message
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.event.code == "25" && ctx?.winlog?.event_data?.Type != null && ctx?.winlog?.event_data?.Type != ""
+
+ - rename:
+ field: winlog.event_data.Hash
+ target_field: winlog.event_data.Hashes
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.Hash != null && ctx?.winlog?.event_data?.Hash != ""
+ - kv:
+ field: winlog.event_data.Hashes
+ target_field: _temp.hashes
+ field_split: ","
+ value_split: "="
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.Hashes != null
+ - script:
+ lang: painless
+ if: ctx?._temp?.hashes != null
+ source: |-
+ def hashIsEmpty(String hash) {
+ if (hash == "") {
+ return true;
+ }
+
+ Pattern emptyHashRegex = /^0*$/;
+ def matcher = emptyHashRegex.matcher(hash);
+
+ return matcher.matches();
+ }
+
+ def hashes = new HashMap();
+ def related = [
+ "hash": new ArrayList()
+ ];
+ for (entry in ctx._temp.hashes.entrySet()) {
+ def key = entry.getKey().toString().toLowerCase();
+ def value = entry.getValue().toString().toLowerCase();
+
+ if (hashIsEmpty(value)) {
+ continue;
+ }
+
+ hashes[key] = value;
+
related.hash.add(value);
+ }
+
+ ctx._temp.hashes = hashes;
+ if (related.hash.length > 0) {
+ ctx.related = related;
+ }
+
+## Process fields
+
+ - rename:
+ field: _temp.hashes
+ target_field: process.hash
+ if: |-
+ ctx?._temp?.hashes != null &&
+ ["1", "23", "24", "25", "26"].contains(ctx.event.code)
+ - rename:
+ field: process.hash.imphash
+ target_field: process.pe.imphash
+ ignore_failure: true
+ ignore_missing: true
+ - rename:
+ field: winlog.event_data.ProcessGuid
+ target_field: process.entity_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.ProcessGuid != null && ctx?.winlog?.event_data?.ProcessGuid != ""
+ - convert:
+ field: winlog.event_data.ProcessId
+ target_field: process.pid
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.ProcessId != null && ctx?.winlog?.event_data?.ProcessId != ""
+ - rename:
+ field: winlog.event_data.Image
+ target_field: process.executable
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.Image != null && ctx?.winlog?.event_data?.Image != ""
+ - rename:
+ field: winlog.event_data.SourceProcessGuid
+ target_field: process.entity_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.SourceProcessGuid != null && ctx?.winlog?.event_data?.SourceProcessGuid != ""
+ - rename:
+ field: winlog.event_data.SourceProcessGUID
+ target_field: process.entity_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.SourceProcessGUID != null && ctx?.winlog?.event_data?.SourceProcessGUID != ""
+ - convert:
+ field: winlog.event_data.SourceProcessId
+ target_field: process.pid
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.SourceProcessId != null && ctx?.winlog?.event_data?.SourceProcessId != ""
+ - convert:
+ field: winlog.event_data.SourceThreadId
+ target_field: process.thread.id
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if:
ctx?.winlog?.event_data?.SourceThreadId != null && ctx?.winlog?.event_data?.SourceThreadId != ""
+ - rename:
+ field: winlog.event_data.SourceImage
+ target_field: process.executable
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.SourceImage != null && ctx?.winlog?.event_data?.SourceImage != ""
+ - rename:
+ field: winlog.event_data.Destination
+ target_field: process.executable
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.Destination != null && ctx?.winlog?.event_data?.Destination != ""
+ - rename:
+ field: winlog.event_data.CommandLine
+ target_field: process.command_line
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.CommandLine != null && ctx?.winlog?.event_data?.CommandLine != ""
+ - rename:
+ field: winlog.event_data.CurrentDirectory
+ target_field: process.working_directory
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.CurrentDirectory != null && ctx?.winlog?.event_data?.CurrentDirectory != ""
+ - rename:
+ field: winlog.event_data.ParentProcessGuid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.ParentProcessGuid != null && ctx?.winlog?.event_data?.ParentProcessGuid != ""
+ - convert:
+ field: winlog.event_data.ParentProcessId
+ target_field: process.parent.pid
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.ParentProcessId != null && ctx?.winlog?.event_data?.ParentProcessId != ""
+ - rename:
+ field: winlog.event_data.ParentImage
+ target_field: process.parent.executable
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.ParentImage != null && ctx?.winlog?.event_data?.ParentImage != ""
+ - rename:
+ field: winlog.event_data.ParentCommandLine
+ target_field: process.parent.command_line
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.ParentCommandLine != null &&
ctx?.winlog?.event_data?.ParentCommandLine != ""
+ - rename:
+ field: winlog.event_data.OriginalFileName
+ target_field: process.pe.original_file_name
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.event.code != "7" && ctx?.winlog?.event_data?.OriginalFileName != null && ctx?.winlog?.event_data?.OriginalFileName != ""
+ - set:
+ field: process.pe.company
+ copy_from: winlog.event_data.Company
+ ignore_empty_value: true
+ ignore_failure: true
+ if: ctx.event.code != "7"
+ - set:
+ field: process.pe.description
+ copy_from: winlog.event_data.Description
+ ignore_empty_value: true
+ ignore_failure: true
+ if: ctx.event.code != "7"
+ - set:
+ field: process.pe.file_version
+ copy_from: winlog.event_data.FileVersion
+ ignore_empty_value: true
+ ignore_failure: true
+ if: ctx.event.code != "7"
+ - set:
+ field: process.pe.product
+ copy_from: winlog.event_data.Product
+ ignore_empty_value: true
+ ignore_failure: true
+ if: ctx.event.code != "7"
+
+ - script:
+ description: Implements Windows-like SplitCommandLine
+ lang: painless
+ if: |-
+ (ctx?.process?.command_line != null && ctx.process.command_line != "") ||
+ (ctx?.process?.parent?.command_line != null && ctx.process.parent.command_line != "")
+ source: |-
+ // appendBSBytes appends n '\\' bytes to b and returns the resulting slice.
+ def appendBSBytes(StringBuilder b, int n) {
+ for (; n > 0; n--) {
+ b.append('\\');
+ }
+ return b;
+ }
+
+ // readNextArg splits command line string cmd into next
+ // argument and command line remainder.
+ def readNextArg(String cmd) {
+ def b = new StringBuilder();
+ boolean inquote;
+ int nslash;
+ for (; cmd.length() > 0; cmd = cmd.substring(1)) {
+ def c = cmd.charAt(0);
+ if (c == (char)' ' || c == (char)0x09) {
+ if (!inquote) {
+ return [
+ "arg": appendBSBytes(b, nslash).toString(),
+ "rest": cmd.substring(1)
+ ];
+ }
+ } else if (c == (char)'"') {
+ b = appendBSBytes(b, nslash/2);
+ if (nslash%2 == 0) {
+ // use "Prior to 2008" rule from
+ // http://daviddeley.com/autohotkey/parameters/parameters.htm
+ // section 5.2 to deal with double double quotes
+ if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') {
+ b.append(c);
+ cmd = cmd.substring(1);
+ }
+ inquote = !inquote;
+ } else {
+ b.append(c);
+ }
+ nslash = 0;
+ continue;
+ } else if (c == (char)'\\') {
+ nslash++;
+ continue;
+ }
+ b = appendBSBytes(b, nslash);
+ nslash = 0;
+ b.append(c);
+ }
+ return [
+ "arg": appendBSBytes(b, nslash).toString(),
+ "rest": ''
+ ];
+ }
+
+ // commandLineToArgv splits a command line into individual argument
+ // strings, following the Windows conventions documented
+ // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV
+ // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1
+ def commandLineToArgv(String cmd) {
+ def args = new ArrayList();
+ while (cmd.length() > 0) {
+ if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) {
+ cmd = cmd.substring(1);
+ continue;
+ }
+ def next = readNextArg(cmd);
+ cmd = next.rest;
+ args.add(next.arg);
+ }
+ return args;
+ }
+
+ def cmd = ctx?.process?.command_line;
+ if (cmd != null && cmd != "") {
+ ctx.process.args = commandLineToArgv(cmd);
+ ctx.process.args_count = ctx.process.args.length;
+ }
+
+ def parentCmd = ctx?.process?.parent?.command_line;
+ if (parentCmd != null && parentCmd != "") {
+ ctx.process.parent.args = commandLineToArgv(parentCmd);
+ ctx.process.parent.args_count = ctx.process.parent.args.length;
+ }
+
+ -
script:
+ description: Adds process name information.
+ lang: painless
+ if: |-
+ (ctx?.process?.executable != null && ctx.process.executable.length() > 1) ||
+ (ctx?.process?.parent?.executable != null && ctx.process.parent.executable.length() > 1)
+ source: |-
+ def getProcessName(def path) {
+ def idx = path.lastIndexOf("\\");
+ if (idx > -1) {
+ return path.substring(idx+1);
+ }
+ return "";
+ }
+
+ def cmd = ctx?.process?.executable;
+ if (cmd != null && cmd != "" && ctx?.process?.name == null) {
+ def name = getProcessName(cmd);
+ if (name != "") {
+ ctx.process.name = name;
+ }
+ }
+
+ def parentCmd = ctx?.process?.parent?.executable;
+ if (parentCmd != null && parentCmd != "" && ctx?.process?.parent?.name == null) {
+ def name = getProcessName(parentCmd);
+ if (name != "") {
+ ctx.process.parent.name = name;
+ }
+ }
+
+## File fields
+
+ - rename:
+ field: _temp.hashes
+ target_field: file.hash
+ if: |-
+ ctx?._temp?.hashes != null &&
+ ["6", "7", "15"].contains(ctx.event.code)
+ - rename:
+ field: file.hash.imphash
+ target_field: file.pe.imphash
+ ignore_failure: true
+ ignore_missing: true
+ - rename:
+ field: winlog.event_data.TargetFilename
+ target_field: file.path
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.TargetFilename != null && ctx?.winlog?.event_data?.TargetFilename != ""
+ - rename:
+ field: winlog.event_data.Device
+ target_field: file.path
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.Device != null && ctx?.winlog?.event_data?.Device != ""
+ - rename:
+ field: winlog.event_data.PipeName
+ target_field: file.name
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.PipeName != null && ctx?.winlog?.event_data?.PipeName != ""
+ - rename:
+ field: winlog.event_data.ImageLoaded
+ target_field: file.path
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.ImageLoaded != null && ctx?.winlog?.event_data?.ImageLoaded != ""
+ - set:
+
field: file.code_signature.subject_name
+ copy_from: winlog.event_data.Signature
+ ignore_failure: true
+ ignore_empty_value: true
+ - set:
+ field: file.code_signature.status
+ copy_from: winlog.event_data.SignatureStatus
+ ignore_failure: true
+ ignore_empty_value: true
+ - rename:
+ field: winlog.event_data.OriginalFileName
+ target_field: file.pe.original_file_name
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.event.code == "7" && ctx?.winlog?.event_data?.OriginalFileName != null && ctx?.winlog?.event_data?.OriginalFileName != ""
+ - set:
+ field: file.pe.company
+ copy_from: winlog.event_data.Company
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx.event.code == "7"
+ - set:
+ field: file.pe.description
+ copy_from: winlog.event_data.Description
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx.event.code == "7"
+ - set:
+ field: file.pe.file_version
+ copy_from: winlog.event_data.FileVersion
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx.event.code == "7"
+ - set:
+ field: file.pe.product
+ copy_from: winlog.event_data.Product
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx.event.code == "7"
+ - set:
+ field: file.code_signature.signed
+ value: true
+ if: ctx?.winlog?.event_data?.Signed != null && ctx.winlog.event_data.Signed == true
+ - set:
+ field: file.code_signature.valid
+ value: true
+ if: ctx?.winlog?.event_data?.SignatureStatus != null && ctx?.winlog?.event_data?.SignatureStatus == "Valid"
+
+ - script:
+ description: Adds file information.
+ lang: painless
+ if: ctx?.file?.path != null && ctx.file.path.length() > 1
+ source: |-
+ def path = ctx.file.path;
+ def idx = path.lastIndexOf("\\");
+ if (idx > -1) {
+ if (ctx?.file == null) {
+ ctx.file = new HashMap();
+ }
+ ctx.file.name = path.substring(idx+1);
+ ctx.file.directory = path.substring(0, idx);
+
+ def extIdx = path.lastIndexOf(".");
+ if (extIdx > -1) {
+ ctx.file.extension = path.substring(extIdx+1);
+ }
+ }
+
+## Network, Destination, and Source fields
+
+ - rename:
+ field: winlog.event_data.Protocol
+ target_field: network.transport
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.Protocol != null && ctx?.winlog?.event_data?.Protocol != ""
+ - rename:
+ field: winlog.event_data.DestinationPortName
+ target_field: network.protocol
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.event.code != "22" && ctx?.winlog?.event_data?.DestinationPortName != null && ctx?.winlog?.event_data?.DestinationPortName != ""
+ - rename:
+ field: winlog.event_data.SourcePortName
+ target_field: network.protocol
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.event.code != "22" && ctx?.winlog?.event_data?.SourcePortName != null && ctx?.winlog?.event_data?.SourcePortName != ""
+ - set:
+ field: network.protocol
+ value: dns
+ if: ctx.event.code == "22"
+ - convert:
+ field: winlog.event_data.SourceIp
+ target_field: source.ip
+ type: ip
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.SourceIp != null && ctx?.winlog?.event_data?.SourceIp != ""
+ - rename:
+ field: winlog.event_data.SourceHostname
+ target_field: source.domain
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.SourceHostname != null && ctx?.winlog?.event_data?.SourceHostname != ""
+ - convert:
+ field: winlog.event_data.SourcePort
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.SourcePort != null &&
ctx?.winlog?.event_data?.SourcePort != ""
+ - convert:
+ field: winlog.event_data.DestinationIp
+ target_field: destination.ip
+ type: ip
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.DestinationIp != null && ctx?.winlog?.event_data?.DestinationIp != ""
+ - rename:
+ field: winlog.event_data.DestinationHostname
+ target_field: destination.domain
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.DestinationHostname != null && ctx?.winlog?.event_data?.DestinationHostname != ""
+ - convert:
+ field: winlog.event_data.DestinationPort
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.DestinationPort != null && ctx?.winlog?.event_data?.DestinationPort != ""
+ - rename:
+ field: winlog.event_data.QueryName
+ target_field: dns.question.name
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.QueryName != null && ctx?.winlog?.event_data?.QueryName != ""
+ - set:
+ field: network.direction
+ value: egress
+ if: ctx?.winlog?.event_data?.Initiated != null && ctx?.winlog?.event_data?.Initiated == "true"
+ - set:
+ field: network.direction
+ value: ingress
+ if: ctx?.winlog?.event_data?.Initiated != null && ctx?.winlog?.event_data?.Initiated == "false"
+ - set:
+ field: network.type
+ value: ipv4
+ if: ctx?.winlog?.event_data?.SourceIsIpv6 != null && ctx?.winlog?.event_data?.SourceIsIpv6 == "false"
+ - set:
+ field: network.type
+ value: ipv6
+ if: ctx?.winlog?.event_data?.SourceIsIpv6 != null && ctx?.winlog?.event_data?.SourceIsIpv6 == "true"
+ - script:
+ description: |
+ Splits the QueryResults field that contains the DNS responses.
+ Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;"
+ lang: painless
+ if: ctx?.winlog?.event_data?.QueryResults != null && ctx?.winlog?.event_data?.QueryResults != ""
+ params:
+ "1": "A"
+ "2": "NS"
+ "3": "MD"
+ "4": "MF"
+ "5": "CNAME"
+ "6": "SOA"
+ "7": "MB"
+ "8": "MG"
+ "9": "MR"
+ "10": "NULL"
+ "11": "WKS"
+ "12": "PTR"
+ "13": "HINFO"
+ "14": "MINFO"
+ "15": "MX"
+ "16": "TXT"
+ "17": "RP"
+ "18": "AFSDB"
+ "19": "X25"
+ "20": "ISDN"
+ "21": "RT"
+ "22": "NSAP"
+ "23": "NSAPPTR"
+ "24": "SIG"
+ "25": "KEY"
+ "26": "PX"
+ "27": "GPOS"
+ "28": "AAAA"
+ "29": "LOC"
+ "30": "NXT"
+ "31": "EID"
+ "32": "NIMLOC"
+ "33": "SRV"
+ "34": "ATMA"
+ "35": "NAPTR"
+ "36": "KX"
+ "37": "CERT"
+ "38": "A6"
+ "39": "DNAME"
+ "40": "SINK"
+ "41": "OPT"
+ "43": "DS"
+ "46": "RRSIG"
+ "47": "NSEC"
+ "48": "DNSKEY"
+ "49": "DHCID"
+ "100": "UINFO"
+ "101": "UID"
+ "102": "GID"
+ "103": "UNSPEC"
+ "248": "ADDRS"
+ "249": "TKEY"
+ "250": "TSIG"
+ "251": "IXFR"
+ "252": "AXFR"
+ "253": "MAILB"
+ "254": "MAILA"
+ "255": "ANY"
+ "65281": "WINS"
+ "65282": "WINSR"
+ source: |-
+ def results = /;/.split(ctx.winlog.event_data.QueryResults);
+ def answers = new ArrayList();
+ def ips = new ArrayList();
+ def relatedHosts = new ArrayList();
+ for (def i = 0; i < results.length; i++) {
+ def answer = results[i];
+ if (answer == "") {
+ continue;
+ }
+
+ if (answer.startsWith("type:")) {
+ def parts = /\s+/.split(answer);
+ if (parts.length != 3) {
+ throw new Exception("unexpected QueryResult format");
+ }
+
+ answers.add([
+ "type": params[parts[1]],
+ "data": parts[2]
+ ]);
+ relatedHosts.add(parts[2]);
+ } else {
+ answer = answer.replace("::ffff:", "");
+ ips.add(answer);
+ }
+ }
+
+ if (answers.length > 0) {
+ ctx.dns.answers = answers;
+ }
+ if (ips.length > 0) {
+ ctx.dns.resolved_ip = ips;
+ }
+ if (relatedHosts.length > 0) {
+ if (ctx?.related == null) {
+ ctx.related = new HashMap();
+ }
+
ctx.related.hosts = relatedHosts;
+ }
+ - foreach:
+ field: dns.resolved_ip
+ ignore_missing: true
+ processor:
+ convert:
+ field: _ingest._value
+ type: ip
+ on_failure:
+ - remove:
+ field: _ingest._value
+ - script:
+ description: Convert V4MAPPED addresses.
+ lang: painless
+ if: ctx?.dns?.resolved_ip != null
+ source: |-
+ if (ctx.dns.answers == null) {
+ ctx.dns.answers = new ArrayList();
+ }
+ for (def i = 0; i < ctx.dns.resolved_ip.length; i++) {
+ def ip = ctx.dns.resolved_ip[i];
+ if (ip == null) {
+ ctx.dns.resolved_ip.remove(i);
+ continue;
+ }
+
+ // Synthesize record type based on IP address type.
+ def type = "A";
+ if (ip.indexOf(":") != -1) {
+ type = "AAAA";
+ }
+ ctx.dns.answers.add([
+ "type": type,
+ "data": ip
+ ]);
+ }
+ - registered_domain:
+ field: dns.question.name
+ target_field: dns.question
+ ignore_failure: true
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: "{{dns.question.name}}"
+ allow_duplicates: false
+ if: ctx?.dns?.question?.name != null && ctx?.dns?.question?.name != ""
+ - remove:
+ description: Remove dns.question.domain because it is not part of ECS and is redundant with dns.question.name.
+ field: dns.question.domain
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: dns.resolved_ip
+ ignore_missing: true
+ processor:
+ append:
+ field: related.ip
+ value: "{{_ingest._value}}"
+ allow_duplicates: false
+ - community_id:
+ ignore_failure: true
+ ignore_missing: false
+
+## User fields
+
+ - set:
+ field: user.id
+ copy_from: winlog.user.identifier
+ ignore_empty_value: true
+ ignore_failure: true
+ - split:
+ field: winlog.event_data.User
+ target_field: "_temp.user_parts"
+ separator: '\\'
+ if: ctx?.winlog?.event_data?.User != null
+ - set:
+ field: user.domain
+ value: "{{_temp.user_parts.0}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+ - set:
+ field: user.name
+ value: "{{_temp.user_parts.1}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+
+## Sysmon fields
+
+ - rename:
+ field: winlog.event_data.QueryStatus
+ target_field: sysmon.dns.status
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.QueryStatus != null && ctx?.winlog?.event_data?.QueryStatus != ""
+ - script:
+ description: Translate DNS Query status.
+ lang: painless
+ params:
+ "5": "ERROR_ACCESS_DENIED"
+ "0": "SUCCESS"
+ "8": "ERROR_NOT_ENOUGH_MEMORY"
+ "13": "ERROR_INVALID_DATA"
+ "14": "ERROR_OUTOFMEMORY"
+ "123": "ERROR_INVALID_NAME"
+ "1214": "ERROR_INVALID_NETNAME"
+ "1223": "ERROR_CANCELLED"
+ "1460": "ERROR_TIMEOUT"
+ "4312": "ERROR_OBJECT_NOT_FOUND"
+ "9001": "DNS_ERROR_RCODE_FORMAT_ERROR"
+ "9002": "DNS_ERROR_RCODE_SERVER_FAILURE"
+ "9003": "DNS_ERROR_RCODE_NAME_ERROR"
+ "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED"
+ "9005": "DNS_ERROR_RCODE_REFUSED"
+ "9006": "DNS_ERROR_RCODE_YXDOMAIN"
+ "9007": "DNS_ERROR_RCODE_YXRRSET"
+ "9008": "DNS_ERROR_RCODE_NXRRSET"
+ "9009": "DNS_ERROR_RCODE_NOTAUTH"
+ "9010": "DNS_ERROR_RCODE_NOTZONE"
+ "9016": "DNS_ERROR_RCODE_BADSIG"
+ "9017": "DNS_ERROR_RCODE_BADKEY"
+ "9018": "DNS_ERROR_RCODE_BADTIME"
+ "9101": "DNS_ERROR_KEYMASTER_REQUIRED"
+ "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE"
+ "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1"
+ "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS"
+ "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM"
+ "9106": "DNS_ERROR_INVALID_KEY_SIZE"
+ "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE"
+ "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION"
+ "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR"
+ "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR"
+ "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION"
+ "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE"
+ "9113": "DNS_ERROR_TOO_MANY_SKDS"
+ "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD"
+ "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET"
+ "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS"
+ "9117": "DNS_ERROR_STANDBY_KEY_NOT_PRESENT"
+ "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK"
+ "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD"
+ "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED"
+ "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE"
+ "9122": "DNS_ERROR_BAD_KEYMASTER"
+ "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD"
+ "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT"
+ "9125": "DNS_ERROR_DNSSEC_IS_DISABLED"
+ "9126":
"DNS_ERROR_INVALID_XML" + "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS" + "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE" + "9129": "DNS_ERROR_NSEC3_NAME_COLLISION" + "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1" + "9501": "DNS_INFO_NO_RECORDS" + "9502": "DNS_ERROR_BAD_PACKET" + "9503": "DNS_ERROR_NO_PACKET" + "9504": "DNS_ERROR_RCODE" + "9505": "DNS_ERROR_UNSECURE_PACKET" + "9506": "DNS_REQUEST_PENDING" + "9551": "DNS_ERROR_INVALID_TYPE" + "9552": "DNS_ERROR_INVALID_IP_ADDRESS" + "9553": "DNS_ERROR_INVALID_PROPERTY" + "9554": "DNS_ERROR_TRY_AGAIN_LATER" + "9555": "DNS_ERROR_NOT_UNIQUE" + "9556": "DNS_ERROR_NON_RFC_NAME" + "9557": "DNS_STATUS_FQDN" + "9558": "DNS_STATUS_DOTTED_NAME" + "9559": "DNS_STATUS_SINGLE_PART_NAME" + "9560": "DNS_ERROR_INVALID_NAME_CHAR" + "9561": "DNS_ERROR_NUMERIC_NAME" + "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER" + "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION" + "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS" + "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS" + "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL" + "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE" + "9568": "DNS_ERROR_BACKGROUND_LOADING" + "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC" + "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME" + "9571": "DNS_ERROR_DELEGATION_REQUIRED" + "9572": "DNS_ERROR_INVALID_POLICY_TABLE" + "9573": "DNS_ERROR_ADDRESS_REQUIRED" + "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST" + "9602": "DNS_ERROR_NO_ZONE_INFO" + "9603": "DNS_ERROR_INVALID_ZONE_OPERATION" + "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR" + "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD" + "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS" + "9607": "DNS_ERROR_ZONE_LOCKED" + "9608": "DNS_ERROR_ZONE_CREATION_FAILED" + "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS" + "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS" + "9611": "DNS_ERROR_INVALID_ZONE_TYPE" + "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP" + "9613": "DNS_ERROR_ZONE_NOT_SECONDARY" + "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES" + "9615": "DNS_ERROR_WINS_INIT_FAILED" + "9616": 
"DNS_ERROR_NEED_WINS_SERVERS" + "9617": "DNS_ERROR_NBSTAT_INIT_FAILED" + "9618": "DNS_ERROR_SOA_DELETE_INVALID" + "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS" + "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP" + "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN" + "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING" + "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE" + "9652": "DNS_ERROR_INVALID_DATAFILE_NAME" + "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE" + "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED" + "9655": "DNS_ERROR_DATAFILE_PARSING" + "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST" + "9702": "DNS_ERROR_RECORD_FORMAT" + "9703": "DNS_ERROR_NODE_CREATION_FAILED" + "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE" + "9705": "DNS_ERROR_RECORD_TIMED_OUT" + "9706": "DNS_ERROR_NAME_NOT_IN_ZONE" + "9707": "DNS_ERROR_CNAME_LOOP" + "9708": "DNS_ERROR_NODE_IS_CNAME" + "9709": "DNS_ERROR_CNAME_COLLISION" + "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT" + "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS" + "9712": "DNS_ERROR_SECONDARY_DATA" + "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA" + "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST" + "9715": "DNS_WARNING_PTR_CREATE_FAILED" + "9716": "DNS_WARNING_DOMAIN_UNDELETED" + "9717": "DNS_ERROR_DS_UNAVAILABLE" + "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS" + "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE" + "9720": "DNS_ERROR_NODE_IS_DNAME" + "9721": "DNS_ERROR_DNAME_COLLISION" + "9722": "DNS_ERROR_ALIAS_LOOP" + "9751": "DNS_INFO_AXFR_COMPLETE" + "9752": "DNS_ERROR_AXFR" + "9753": "DNS_INFO_ADDED_LOCAL_WINS" + "9801": "DNS_STATUS_CONTINUE_NEEDED" + "9851": "DNS_ERROR_NO_TCPIP" + "9852": "DNS_ERROR_NO_DNS_SERVERS" + "9901": "DNS_ERROR_DP_DOES_NOT_EXIST" + "9902": "DNS_ERROR_DP_ALREADY_EXISTS" + "9903": "DNS_ERROR_DP_NOT_ENLISTED" + "9904": "DNS_ERROR_DP_ALREADY_ENLISTED" + "9905": "DNS_ERROR_DP_NOT_AVAILABLE" + "9906": "DNS_ERROR_DP_FSMO_ERROR" + "9911": "DNS_ERROR_RRL_NOT_ENABLED" + "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE" + "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX" + "9914": 
"DNS_ERROR_RRL_INVALID_IPV6_PREFIX" + "9915": "DNS_ERROR_RRL_INVALID_TC_RATE" + "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE" + "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE" + "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS" + "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST" + "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED" + "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME" + "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE" + "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS" + "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST" + "9953": "DNS_ERROR_DEFAULT_ZONESCOPE" + "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME" + "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES" + "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED" + "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED" + "9958": "DNS_ERROR_INVALID_SCOPE_NAME" + "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST" + "9960": "DNS_ERROR_DEFAULT_SCOPE" + "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION" + "9962": "DNS_ERROR_SCOPE_LOCKED" + "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS" + "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS" + "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST" + "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA" + "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS" + "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED" + "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST" + "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS" + "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST" + "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS" + "9980": "DNS_ERROR_POLICY_LOCKED" + "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT" + "9982": "DNS_ERROR_POLICY_INVALID_NAME" + "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA" + "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME" + "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID" + "9986": "DNS_ERROR_POLICY_SCOPE_MISSING" + "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED" + "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED" + "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED" + "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET" + "9991": 
"DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL" + "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL" + "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE" + "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN" + "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE" + "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY" + "10054": "WSAECONNRESET" + "10055": "WSAENOBUFS" + "10060": "WSAETIMEDOUT" + if: ctx?.sysmon?.dns?.status != null && ctx?.sysmon?.dns?.status != "" + source: |- + def status = params[ctx.sysmon.dns.status]; + if (status != null) { + ctx.sysmon.dns.status = status; + } + - convert: + field: winlog.event_data.Archived + target_field: sysmon.file.archived + type: boolean + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.Archived != null && ctx?.winlog?.event_data?.Archived != "" + - convert: + field: winlog.event_data.IsExecutable + target_field: sysmon.file.is_executable + type: boolean + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.IsExecutable != null && ctx?.winlog?.event_data?.IsExecutable != "" + +## Related fields + + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.user?.name != null && ctx.user.name != "" + - append: + field: related.ip + value: "{{source.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.source?.ip != null && ctx.source.ip != "" + - append: + field: related.ip + value: "{{destination.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.destination?.ip != null && ctx.destination.ip != "" + +## Registry fields + + - script: + description: Set registry fields. 
+ lang: painless
+ if: |-
+ ctx?.winlog?.event_data?.TargetObject != null && ctx?.winlog?.event_data?.TargetObject != "" &&
+ ["12", "13", "14"].contains(ctx.event.code)
+ params:
+ HKEY_CLASSES_ROOT: "HKCR"
+ HKCR: "HKCR"
+ HKEY_CURRENT_CONFIG: "HKCC"
+ HKCC: "HKCC"
+ HKEY_CURRENT_USER: "HKCU"
+ HKCU: "HKCU"
+ HKEY_DYN_DATA: "HKDD"
+ HKDD: "HKDD"
+ HKEY_LOCAL_MACHINE: "HKLM"
+ HKLM: "HKLM"
+ HKEY_PERFORMANCE_DATA: "HKPD"
+ HKPD: "HKPD"
+ HKEY_USERS: "HKU"
+ HKU: "HKU"
+ source: |-
+ ctx.registry = new HashMap();
+ Pattern qwordRegex = /(?i)QWORD \(((0x\d{8})-(0x\d{8}))\)/;
+ Pattern dwordRegex = /(?i)DWORD \((0x\d{8})\)/;
+
+ def path = ctx.winlog.event_data.TargetObject;
+ ctx.registry.path = path;
+
+ def pathTokens = Arrays.asList(/\\/.split(path));
+ def hive = params[pathTokens[0]];
+ if (hive != null) {
+ ctx.registry.hive = hive;
+ if (pathTokens.length > 1) {
+ ctx.registry.key = pathTokens.subList(1, pathTokens.length).join("\\");
+ }
+ }
+
+ def value = pathTokens[pathTokens.length - 1];
+ ctx.registry.value = value;
+
+ def data = ctx?.winlog?.event_data?.Details;
+ if (data != null && data != "") {
+ def prefixLen = 2; // to remove 0x prefix
+ def dataValue = "";
+ def dataType = "";
+ def matcher = qwordRegex.matcher(data);
+ if (matcher.matches()) {
+ def parsedHighByte = Long.parseLong(matcher.group(2).substring(prefixLen), 16);
+ def parsedLowByte = Long.parseLong(matcher.group(3).substring(prefixLen), 16);
+ if (!Double.isNaN(parsedHighByte) && !Double.isNaN(parsedLowByte)) {
+ dataType = "SZ_QWORD";
+ dataValue = Long.toString(((parsedHighByte << 8) + parsedLowByte));
+ }
+ } else {
+ matcher = dwordRegex.matcher(data);
+ if (matcher.matches()) {
+ def parsedValue = Long.parseLong(matcher.group(1).substring(prefixLen), 16);
+ if (!Double.isNaN(parsedValue)) {
+ dataType = "SZ_DWORD";
+ dataValue = matcher.group(1);
+ }
+ }
+ }
+
+ if (dataType != "") {
+ ctx.registry.data = [
+ "strings": [dataValue],
+ "type": dataType
+ ];
+ }
+ }
+
+## Cleanup
+
+ - remove:
+ field:
+ - _temp
+ - winlog.event_data.ProcessId
+ - winlog.event_data.ParentProcessId
+ - winlog.event_data.SourceProcessId
+ - winlog.event_data.SourceThreadId
+ - winlog.event_data.SourceIp
+ - winlog.event_data.SourcePort
+ - winlog.event_data.SourcePortName
+ - winlog.event_data.DestinationIp
+ - winlog.event_data.DestinationPort
+ - winlog.event_data.DestinationPortName
+ - winlog.event_data.RuleName
+ - winlog.event_data.User
+ - winlog.event_data.Initiated
+ - winlog.event_data.SourceIsIpv6
+ - winlog.event_data.DestinationIsIpv6
+ - winlog.event_data.QueryStatus
+ - winlog.event_data.Archived
+ - winlog.event_data.IsExecutable
+ - winlog.event_data.QueryResults
+ - winlog.event_data.UtcTime
+ - winlog.event_data.Hash
+ - winlog.event_data.Hashes
+ - winlog.event_data.TargetObject
+ - winlog.event_data.Details
+ - winlog.time_created
+ - winlog.level
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ description: Remove all empty values from event_data.
+ lang: painless
+ source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || entry.getValue().equals("-"));
+ - remove:
+ description: Remove empty event data.
+ field: winlog.event_data
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0
+
+on_failure:
+ - set:
+ field: "error.message"
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/agent.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/fields/agent.yml
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/base-fields.yml
new file mode 100755
index 0000000000..a04d6e06c9
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/fields/base-fields.yml
@@ -0,0 +1,34 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: windows
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: windows.forwarded
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/beats.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/beats.yml
new file mode 100755
index 0000000000..3c48f1f224
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/ecs.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/ecs.yml
new file mode 100755
index 0000000000..ebb7c8a3ff
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/fields/ecs.yml
@@ -0,0 +1,588 @@ +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + An array containing an object for each answer section returned by the server. + The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + name: dns.answers + type: object +- description: The class of DNS data contained in this resource record. + name: dns.answers.class + type: keyword +- description: |- + The data describing the resource. + The meaning of this data depends on the type and class of the resource record. + name: dns.answers.data + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. 
+ name: dns.answers.name + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + Array of 2 letter DNS header flags. + Expected values are: AA, TC, RD, RA, AD, CD, DO. + name: dns.header_flags + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + name: dns.op_code + type: keyword +- description: The class of records being queried. + name: dns.question.class + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + name: dns.resolved_ip + type: ip +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
+ name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. 
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Boolean to capture if a signature is present. + name: file.code_signature.exists + type: boolean +- description: |- + Additional information about the certificate status. + This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + name: file.code_signature.status + type: keyword +- description: Subject name of the code signer + name: file.code_signature.subject_name + type: keyword +- description: |- + Stores the trust status of the certificate chain. + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + name: file.code_signature.trusted + type: boolean +- description: |- + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. 
+ name: file.code_signature.valid + type: boolean +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: SHA512 hash. + name: file.hash.sha512 + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: CPU architecture target for the file. + name: file.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: file.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: file.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: file.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: file.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. 
+ name: file.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: file.pe.product + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. 
+ name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: SHA512 hash. + name: process.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.parent.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
+ name: process.parent.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.parent.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.parent.hash.sha256 + type: keyword +- description: SHA512 hash. + name: process.parent.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: CPU architecture target for the file. + name: process.parent.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: process.parent.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: process.parent.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. 
+ name: process.parent.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: process.parent.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: process.parent.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: process.parent.pe.product + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: The time the process started. + name: process.parent.start + type: date +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: CPU architecture target for the file. + name: process.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: process.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: process.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: process.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
+ name: process.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: process.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: process.pe.product + type: keyword +- description: Process id. + name: process.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + Content when writing string types. + Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + name: registry.data.strings + type: wildcard +- description: Standard registry type for encoding contents + name: registry.data.type + type: keyword +- description: Abbreviated name for the hive. + name: registry.hive + type: keyword +- description: Hive-relative path of keys. + name: registry.key + type: keyword +- description: Full path, including hive, key and value + name: registry.path + type: keyword +- description: Name of the value written. + name: registry.value + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
+ name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: Unique identifier of the user. 
+ name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/fields.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/fields.yml new file mode 100755 index 0000000000..08a58df583 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/forwarded/fields/fields.yml 
@@ -0,0 +1,172 @@
+- name: sysmon.dns.status
+ type: keyword
+ description: Windows status code returned for the DNS query.
+- name: sysmon.file.archived
+ type: boolean
+ description: Indicates if the deleted file was archived.
+- name: sysmon.file.is_executable
+ type: boolean
+ description: Indicates if the deleted file was an executable.
+- name: winlog.logon
+ type: group
+ description: Data related to a Windows logon.
+ fields:
+ - name: type
+ type: keyword
+ description: >
+ Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
+
+ example: RemoteInteractive
+ - name: id
+ type: keyword
+ description: >
+ Logon ID that can be used to associate this logon with other events related to the same logon session.
+
+ - name: failure.reason
+ type: keyword
+ description: >
+ The reason the logon failed.
+
+ - name: failure.status
+ type: keyword
+ description: >
+ The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
+
+ - name: failure.sub_status
+ type: keyword
+ description: >
+ Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
+
+- name: powershell.id
+ type: keyword
+ description: Shell Id.
+ example: Microsoft Powershell
+- name: powershell.pipeline_id
+ type: keyword
+ description: Pipeline id.
+ example: "1"
+- name: powershell.runspace_id
+ type: keyword
+ description: Runspace id.
+ example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb"
+- name: powershell.sequence
+ type: long
+ description: Sequence number of the powershell execution.
+ example: 1
+- name: powershell.total
+ type: long
+ description: Total number of messages in the sequence.
+ example: 10
+- name: powershell.command
+ type: group
+ description: Data related to the executed command.
+ fields:
+ - name: path
+ type: keyword
+ description: Path of the executed command.
+ example: "C:\\Windows\\system32\\cmd.exe"
+ - name: name
+ type: keyword
+ description: Name of the executed command.
+ example: "cmd.exe"
+ - name: type
+ type: keyword
+ description: Type of the executed command.
+ example: Application
+ - name: value
+ type: text
+ description: The invoked command.
+ example: Import-LocalizedData LocalizedData -filename ArchiveResources
+ - name: invocation_details
+ type: array
+ description: >
+ An array of objects containing detailed information of the executed command.
+
+ - name: invocation_details.type
+ type: keyword
+ description: The type of detail.
+ example: CommandInvocation
+ - name: invocation_details.related_command
+ type: keyword
+ description: The command to which the detail is related to.
+ example: Add-Type
+ - name: invocation_details.name
+ type: keyword
+ description: >
+ Only used for ParameterBinding detail type. Indicates the parameter name.
+
+ example: AssemblyName
+ - name: invocation_details.value
+ type: text
+ description: >
+ The value of the detail. The meaning of it will depend on the detail type.
+
+ example: System.IO.Compression.FileSystem
+- name: powershell.connected_user
+ type: group
+ description: Data related to the connected user executing the command.
+ fields:
+ - name: domain
+ type: keyword
+ description: User domain.
+ example: VAGRANT
+ - name: name
+ type: keyword
+ description: User name.
+ example: vagrant
+- name: powershell.engine
+ type: group
+ description: Data related to the PowerShell engine.
+ fields:
+ - name: version
+ type: keyword
+ description: Version of the PowerShell engine version used to execute the command.
+ example: "5.1.17763.1007"
+ - name: previous_state
+ type: keyword
+ description: >
+ Previous state of the PowerShell engine.
+
+ example: Available
+ - name: new_state
+ type: keyword
+ description: >
+ New state of the PowerShell engine.
+
+ example: Stopped
+- name: powershell.file
+ type: group
+ description: Data related to the executed script file.
+ fields:
+ - name: script_block_id
+ type: keyword
+ description: Id of the executed script block.
+ example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa"
+ - name: script_block_text
+ type: text
+ analyzer: powershell_script_analyzer
+ search_analyzer: powershell_script_analyzer
+ description: >
+ Text of the executed script block.
+
+ example: ".\\a_script.ps1"
+- name: powershell.process.executable_version
+ type: keyword
+ description: Version of the engine hosting process executable.
+ example: "5.1.17763.1007"
+- name: powershell.provider
+ type: group
+ description: Data related to the PowerShell engine host.
+ fields:
+ - name: new_state
+ type: keyword
+ description: >
+ New state of the PowerShell provider.
+
+ example: Active
+ - name: name
+ type: keyword
+ description: >
+ Provider name.
+
+ example: Variable
diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/winlog.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/winlog.yml
new file mode 100755
index 0000000000..031494e84e
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/fields/winlog.yml
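Review bot: `winlog.logon.failure.reason` and `winlog.logon.failure.status` carry the same description sentence, "The reason the logon failed.", so the generated field reference cannot tell an analyst how the two differ; since `failure.status` already says it is decoded from the hexadecimal `Status` field, `failure.reason` should say what it holds instead, for example `description: Human-readable reason for the logon failure, independent of the Status and SubStatus codes.` (confirm against the pipeline that populates it). The `failure.sub_status` description also misspells "hexidecimal", which should read `hexadecimal`. Separately, `script_block_text` references `analyzer: powershell_script_analyzer` and `search_analyzer: powershell_script_analyzer`; index template installation fails if that analyzer is not declared in the data stream's index settings, which this hunk cannot show, so it is worth confirming the manifest defines it. The examples for `powershell.pipeline_id` and `powershell.engine.version` are already quoted, which is the right choice for number-looking keyword values.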
@@ -0,0 +1,620 @@ +- name: winlog + type: group + description: > + All fields specific to the Windows Event Log are defined here. + + fields: + - name: api + required: true + type: keyword + description: > + The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. + + The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. + + - name: activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. + + - name: computer_name + type: keyword + required: true + description: > + The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. + + - name: level + type: keyword + required: false + description: > + The event severity. Levels are Critical, Error, Warning and Information, Verbose + + - name: outcome + type: keyword + required: false + description: > + Success or Failure of the event. + + - name: time_created + type: keyword + required: false + description: > + Time event was created + + - name: trustAttribute + type: keyword + required: false + - name: trustDirection + type: keyword + required: false + - name: trustType + type: keyword + required: false + - name: computerObject + type: group + description: > + computer Object data + + fields: + - name: domain + type: keyword + - name: id + type: keyword + - name: name + type: keyword + - name: event_data + type: object + object_type: keyword + required: false + description: > + The event-specific data. 
This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. + + - name: event_data + type: group + description: > + This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. + + fields: + - name: AccessGranted + type: keyword + - name: AccessRemoved + type: keyword + - name: AccountDomain + type: keyword + - name: AccountExpires + type: keyword + - name: AccountName + type: keyword + - name: AllowedToDelegateTo + type: keyword + - name: AuditPolicyChanges + type: keyword + - name: AuditPolicyChangesDescription + type: keyword + - name: AuditSourceName + type: keyword + - name: AuthenticationPackageName + type: keyword + - name: Binary + type: keyword + - name: BitlockerUserInputTime + type: keyword + - name: BootMode + type: keyword + - name: BootType + type: keyword + - name: BuildVersion + type: keyword + - name: CallerProcessId + type: keyword + - name: CallerProcessName + type: keyword + - name: Category + type: keyword + - name: CategoryId + type: keyword + - name: ClientAddress + type: keyword + - name: ClientInfo + type: keyword + - name: ClientName + type: keyword + - name: CommandLine + type: keyword + - name: Company + type: keyword + - name: Configuration + type: keyword + - name: CorruptionActionState + type: keyword + - name: CrashOnAuditFailValue + type: keyword + - name: CreationUtcTime + type: keyword + - name: Description + type: keyword + - name: Detail + type: keyword + - name: DeviceName + type: keyword + - name: DeviceNameLength + type: keyword + - name: DeviceTime + type: keyword + - name: DeviceVersionMajor + type: keyword + - name: DeviceVersionMinor + type: keyword + - name: DisplayName + type: keyword + - name: 
DomainBehaviorVersion + type: keyword + - name: DomainName + type: keyword + - name: DomainPolicyChanged + type: keyword + - name: DomainSid + type: keyword + - name: DriveName + type: keyword + - name: DriverName + type: keyword + - name: DriverNameLength + type: keyword + - name: Dummy + type: keyword + - name: DwordVal + type: keyword + - name: EntryCount + type: keyword + - name: EventSourceId + type: keyword + - name: EventType + type: keyword + - name: ExtraInfo + type: keyword + - name: FailureName + type: keyword + - name: FailureNameLength + type: keyword + - name: FailureReason + type: keyword + - name: FileVersion + type: keyword + - name: FinalStatus + type: keyword + - name: Group + type: keyword + - name: GroupTypeChange + type: keyword + - name: HandleId + type: keyword + - name: HomeDirectory + type: keyword + - name: HomePath + type: keyword + - name: IdleImplementation + type: keyword + - name: IdleStateCount + type: keyword + - name: ImpersonationLevel + type: keyword + - name: IntegrityLevel + type: keyword + - name: IpAddress + type: keyword + - name: IpPort + type: keyword + - name: KerberosPolicyChange + type: keyword + - name: KeyLength + type: keyword + - name: LastBootGood + type: keyword + - name: LastShutdownGood + type: keyword + - name: LmPackageName + type: keyword + - name: LogonGuid + type: keyword + - name: LogonHours + type: keyword + - name: LogonId + type: keyword + - name: LogonID + type: keyword + - name: LogonProcessName + type: keyword + - name: LogonType + type: keyword + - name: MachineAccountQuota + type: keyword + - name: MajorVersion + type: keyword + - name: MandatoryLabel + type: keyword + - name: MaximumPerformancePercent + type: keyword + - name: MemberName + type: keyword + - name: MemberSid + type: keyword + - name: MinimumPerformancePercent + type: keyword + - name: MinimumThrottlePercent + type: keyword + - name: MinorVersion + type: keyword + - name: MixedDomainMode + type: keyword + - name: NewProcessId + 
type: keyword + - name: NewProcessName + type: keyword + - name: NewSchemeGuid + type: keyword + - name: NewSd + type: keyword + - name: NewSdDacl0 + type: keyword + - name: NewSdDacl1 + type: keyword + - name: NewSdDacl2 + type: keyword + - name: NewSdSacl0 + type: keyword + - name: NewSdSacl1 + type: keyword + - name: NewSdSacl2 + type: keyword + - name: NewTargetUserName + type: keyword + - name: NewTime + type: keyword + - name: NewUACList + type: keyword + - name: NewUacValue + type: keyword + - name: NominalFrequency + type: keyword + - name: Number + type: keyword + - name: ObjectName + type: keyword + - name: ObjectServer + type: keyword + - name: ObjectType + type: keyword + - name: OemInformation + type: keyword + - name: OldSchemeGuid + type: keyword + - name: OldSd + type: keyword + - name: OldSdDacl0 + type: keyword + - name: OldSdDacl1 + type: keyword + - name: OldSdDacl2 + type: keyword + - name: OldSdSacl0 + type: keyword + - name: OldSdSacl1 + type: keyword + - name: OldSdSacl2 + type: keyword + - name: OldTargetUserName + type: keyword + - name: OldTime + type: keyword + - name: OldUacValue + type: keyword + - name: OriginalFileName + type: keyword + - name: PackageName + type: keyword + - name: PasswordLastSet + type: keyword + - name: PasswordHistoryLength + type: keyword + - name: Path + type: keyword + - name: ParentProcessName + type: keyword + - name: PerformanceImplementation + type: keyword + - name: PreviousCreationUtcTime + type: keyword + - name: PreAuthType + type: keyword + - name: PreviousTime + type: keyword + - name: PrimaryGroupId + type: keyword + - name: PrivilegeList + type: keyword + - name: ProcessId + type: keyword + - name: ProcessName + type: keyword + - name: ProcessPath + type: keyword + - name: ProcessPid + type: keyword + - name: Product + type: keyword + - name: ProfilePath + type: keyword + - name: PuaCount + type: keyword + - name: PuaPolicyId + type: keyword + - name: QfeVersion + type: keyword + - name: Reason + 
type: keyword + - name: SamAccountName + type: keyword + - name: SchemaVersion + type: keyword + - name: ScriptPath + type: keyword + - name: Session + type: keyword + - name: SidHistory + type: keyword + - name: ScriptBlockText + type: keyword + - name: Service + type: keyword + - name: ServiceAccount + type: keyword + - name: ServiceFileName + type: keyword + - name: ServiceName + type: keyword + - name: ServiceSid + type: keyword + - name: ServiceStartType + type: keyword + - name: ServiceType + type: keyword + - name: ServiceVersion + type: keyword + - name: SessionName + type: keyword + - name: ShutdownActionType + type: keyword + - name: ShutdownEventCode + type: keyword + - name: ShutdownReason + type: keyword + - name: SidFilteringEnabled + type: keyword + - name: Signature + type: keyword + - name: SignatureStatus + type: keyword + - name: Signed + type: keyword + - name: StartTime + type: keyword + - name: State + type: keyword + - name: Status + type: keyword + - name: StatusDescription + type: keyword + - name: StopTime + type: keyword + - name: SubCategory + type: keyword + - name: SubCategoryGuid + type: keyword + - name: SubcategoryGuid + type: keyword + - name: SubCategoryId + type: keyword + - name: SubcategoryId + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: SubStatus + type: keyword + - name: TSId + type: keyword + - name: TargetDomainName + type: keyword + - name: TargetInfo + type: keyword + - name: TargetLogonGuid + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetServerName + type: keyword + - name: TargetSid + type: keyword + - name: TargetUserName + type: keyword + - name: TargetUserSid + type: keyword + - name: TdoAttributes + type: keyword + - name: TdoDirection + type: keyword + - name: TdoType + type: keyword + - name: TerminalSessionId + type: keyword + - name: 
TicketEncryptionType + type: keyword + - name: TicketEncryptionTypeDescription + type: keyword + - name: TicketOptions + type: keyword + - name: TicketOptionsDescription + type: keyword + - name: TokenElevationType + type: keyword + - name: TransmittedServices + type: keyword + - name: UserAccountControl + type: keyword + - name: UserParameters + type: keyword + - name: UserPrincipalName + type: keyword + - name: UserSid + type: keyword + - name: UserWorkstations + type: keyword + - name: Version + type: keyword + - name: Workstation + type: keyword + - name: WorkstationName + type: keyword + - name: param1 + type: keyword + - name: param2 + type: keyword + - name: param3 + type: keyword + - name: param4 + type: keyword + - name: param5 + type: keyword + - name: param6 + type: keyword + - name: param7 + type: keyword + - name: param8 + type: keyword + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: channel + type: keyword + required: true + description: > + The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. + + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. 
+ + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. + + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged the event. + + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. + + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. + + - name: process.thread.id + type: long + required: + - name: user_data + type: object + object_type: keyword + required: false + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + - name: user_data + type: group + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + fields: + - name: BackupPath + type: keyword + - name: Channel + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: xml_name + type: keyword + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with this event. + + If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. 
If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. + + - name: user.name + type: keyword + description: > + Name of the user associated with this event. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. diff --git a/packages/windows/1.12.1/data_stream/forwarded/manifest.yml b/packages/windows/1.12.1/data_stream/forwarded/manifest.yml new file mode 100755 index 0000000000..b5ebb051ea --- /dev/null +++ b/packages/windows/1.12.1/data_stream/forwarded/manifest.yml 
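Review bot: The `process.thread.id` entry declares a bare `required:` with no value, which YAML reads as null rather than a boolean and which the package field validator may reject; its sibling `process.pid` spells it out, so this line should read `required: false` (or be dropped, since most fields in this file omit `required`). Separately, `trustAttribute`, `trustDirection`, `trustType` and `computerObject` are the only top-level `winlog.*` fields here without a `description`, and their camelCase names break the snake_case convention of every neighbouring field. Presumably they are populated from domain-trust events by the security pipeline elsewhere in this commit; confirm that and add a one-line description to each, e.g. `description: Attributes of the trust relationship reported by the event.`, or rename them to snake_case if the pipeline can be adjusted.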
@@ -0,0 +1,107 @@
+type: logs
+title: Windows forwarded events
+elasticsearch:
+ index_template:
+ settings:
+ analysis:
+ analyzer:
+ powershell_script_analyzer:
+ type: pattern
+ pattern: '[\W&&[^-]]+'
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: Forwarded
+ description: 'Collect ForwardedEvents channel logs'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
+ required: false
+ show_user: false
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language.
E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: httpjson
+ title: Windows ForwardedEvents via Splunk Enterprise REST API
+ description: Collect ForwardedEvents via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:ForwardedEvents\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
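Review bot: The `language` var's description uses an AsciiDoc-style link (`https://docs.microsoft.com/...ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]`) while the `processors` description in the same stream uses a Markdown link (`[Processors](https://www.elastic.co/...)`); the Fleet UI is unlikely to render both forms as links, so pick the Markdown form, e.g. `A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c).` The two `preserve_original_event` vars also describe the same option differently (a `>-` block saying "original XML event" versus a plain scalar saying "original event"); since both inputs place raw XML in `event.original`, the wording and scalar style can be aligned.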
diff --git a/packages/windows/1.12.1/data_stream/forwarded/sample_event.json b/packages/windows/1.12.1/data_stream/forwarded/sample_event.json
new file mode 100755
index 0000000000..2b6f02eb4a
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/sample_event.json
@@ -0,0 +1,77 @@ +{ + "@timestamp": "2020-05-13T09:04:04.755Z", + "agent": { + "ephemeral_id": "17601e61-e945-4f5c-aec5-4a2d491f3b00", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "windows.forwarded", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "process", + "code": "4105", + "created": "2022-03-31T08:40:37.999Z", + "dataset": "windows.forwarded", + "ingested": "2022-03-31T08:40:39Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": 
"start" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4105", + "process": { + "pid": 4204, + "thread": { + "id": 1476 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "790", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } +} \ No newline at end of file diff --git a/packages/windows/1.12.1/data_stream/perfmon/agent/stream/stream.yml.hbs b/packages/windows/1.12.1/data_stream/perfmon/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..142d2d803e --- /dev/null +++ b/packages/windows/1.12.1/data_stream/perfmon/agent/stream/stream.yml.hbs @@ -0,0 +1,6 @@ +metricsets: ["perfmon"] +condition: ${host.platform} == 'windows' +perfmon.group_measurements_by_instance: {{perfmon.group_measurements_by_instance}} +perfmon.ignore_non_existent_counters: {{perfmon.ignore_non_existent_counters}} +perfmon.queries: {{perfmon.queries}} +period: {{period}} diff --git a/packages/windows/1.12.1/data_stream/perfmon/fields/agent.yml b/packages/windows/1.12.1/data_stream/perfmon/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/perfmon/fields/agent.yml 
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/windows/1.12.1/data_stream/perfmon/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/perfmon/fields/base-fields.yml
new file mode 100755
index 0000000000..2dfe4fa4af
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/perfmon/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: windows
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: windows.perfmon
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/windows/1.12.1/data_stream/perfmon/fields/fields.yml b/packages/windows/1.12.1/data_stream/perfmon/fields/fields.yml
new file mode 100755
index 0000000000..c5cca6fc04
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/perfmon/fields/fields.yml
@@ -0,0 +1,15 @@
+- name: windows.perfmon
+ type: group
+ fields:
+ - name: object
+ type: keyword
+ description: |
+ Object value.
+ - name: instance
+ type: keyword
+ description: |
+ Instance value.
+ - name: metrics.*.*
+ type: object
+ description: |
+ Metric values returned.
diff --git a/packages/windows/1.12.1/data_stream/perfmon/manifest.yml b/packages/windows/1.12.1/data_stream/perfmon/manifest.yml
new file mode 100755
index 0000000000..23ec03a7e4
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/perfmon/manifest.yml
@@ -0,0 +1,45 @@
+title: Windows perfmon metrics
+type: metrics
+streams:
+ - input: windows/metrics
+ vars:
+ - name: perfmon.group_measurements_by_instance
+ type: bool
+ title: Perfmon Group Measurements By Instance
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: Enabling this option will send all measurements with a matching perfmon instance as part of a single event
+ - name: perfmon.ignore_non_existent_counters
+ type: bool
+ title: Perfmon Ignore Non Existent Counters
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: Enabling this option will make sure to ignore any errors caused by counters that do not exist
+ - name: perfmon.queries
+ type: yaml
+ title: Perfmon Queries
+ multi: false
+ required: true
+ show_user: true
+ default: |
+ - object: 'Process'
+ instance: ["*"]
+ counters:
+ - name: '% Processor Time'
+ field: cpu_perc
+ format: "float"
+ - name: "Working Set"
+ description: Will list the perfmon queries to execute, each query will have an `object` option, an optional `instance` contiguration and the actual counters
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 10s
+ title: Windows perfmon metrics
+ description: Collect Windows perfmon metrics
diff --git a/packages/windows/1.12.1/data_stream/powershell/agent/stream/httpjson.yml.hbs b/packages/windows/1.12.1/data_stream/powershell/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..0a82aa6acc
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/powershell/agent/stream/httpjson.yml.hbs
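Review bot: The `perfmon.queries` description contains the typo `contiguration` and reads as one run-on clause; suggest `description: List of perfmon queries to execute. Each query has an `object` option, an optional `instance` configuration and the counters to collect.` The default query also mixes three quoting styles across consecutive lines (`'Process'`, `["*"]`, `"float"`, `"Working Set"`); because the default is a `|` block scalar the quotes are handed to the agent verbatim and are harmless, but one consistent style would make the example easier to copy. Note that `perfmon.group_measurements_by_instance` and `perfmon.ignore_non_existent_counters` are `required: false` yet carry `default: false`, so the stream template can rely on them always having a value.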
@@ -0,0 +1,101 @@ +config_version: "2" +interval: {{interval}} +{{#unless token}} +{{#if username}} +{{#if password}} +auth.basic.user: {{username}} +auth.basic.password: {{password}} +{{/if}} +{{/if}} +{{/unless}} +cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' +request.url: {{url}}/services/search/jobs/export +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.method: POST +request.transforms: + - set: + target: url.params.search + value: |- + {{search}} | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: "json" + - set: + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + default: '[[(now (parseDuration "-{{interval}}")).Unix]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded +{{#unless username}} +{{#unless password}} +{{#if token}} + - set: + target: header.Authorization + value: {{token}} +{{/if}} +{{/unless}} +{{/unless}} +response.decode_as: application/x-ndjson +{{#if tags.length}} +tags: +{{else if preserve_original_event}} +tags: +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- decode_json_fields: + fields: message + target: json + add_error_key: true +- drop_event: + when: + not: + has_fields: ['json.result'] +- fingerprint: + fields: + - json.result._cd + - json.result._indextime + - json.result._raw + - json.result._time + - json.result.host + - json.result.source + target_field: "@metadata._id" +- drop_fields: + fields: message +- rename: + fields: + - from: json.result._raw + to: event.original + - from: json.result.host + to: host.name + - from: json.result.source + to: event.provider + ignore_missing: true + fail_on_error: false +- drop_fields: + fields: json +- 
decode_xml_wineventlog: + field: event.original + target_field: winlog + ignore_missing: true + ignore_failure: true + map_ecs_fields: true +{{#if processors.length}} +{{processors}} +{{/if}} diff --git a/packages/windows/1.12.1/data_stream/powershell/agent/stream/winlog.yml.hbs b/packages/windows/1.12.1/data_stream/powershell/agent/stream/winlog.yml.hbs new file mode 100755 index 0000000000..8695fa2300 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/agent/stream/winlog.yml.hbs @@ -0,0 +1,24 @@ +name: Windows PowerShell +condition: ${host.platform} == 'windows' +{{#if event_id}} +event_id: {{event_id}} +{{/if}} +{{#if ignore_older}} +ignore_older: {{ignore_older}} +{{/if}} +{{#if language}} +language: {{language}} +{{/if}} +{{#if tags.length}} +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if preserve_original_event}} +include_xml: true +{{/if}} +{{#if processors.length}} +processors: +{{processors}} +{{/if}} diff --git a/packages/windows/1.12.1/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml b/packages/windows/1.12.1/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..7e9df152b0 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml 
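Review bot: The two auth blocks exclude each other, so a policy that sets `token` together with `username`/`password` renders neither `auth.basic.*` nor the `Authorization` header and the Splunk export request goes out with no credentials at all. The basic-auth block already defers to the token via `{{#unless token}}`, so the header block does not need its `{{#unless username}}{{#unless password}}` wrapper; dropping those two lines and their matching `{{/unless}}` pair makes token precedence explicit instead of silently producing an unauthenticated config. Separately, `auth.basic.password: {{password}}` and `value: {{token}}` are unquoted templated scalars, so a secret that starts with a YAML indicator (`#`, `@`, `*`, `[`) or contains `: ` or ` #` breaks or retypes the rendered input; wrap them, e.g. `auth.basic.password: '{{password}}'`, or use the Fleet `escape_string` helper if it is available in the Kibana versions this package supports. `ignore_failure: true` on `decode_xml_wineventlog` also means a malformed `event.original` is indexed with no `winlog.*` fields and no error marker, which deserves a comment if that is the intended behaviour.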
@@ -0,0 +1,430 @@ +--- +description: Pipeline for Windows Powershell events +processors: + - kv: + description: Split Event 800 event data fields. + field: winlog.event_data.param2 + target_field: winlog.event_data + field_split: "\n\t" + trim_key: "\n\t" + trim_value: "\n\t" + value_split: "=" + if: ctx?.winlog?.event_id == "800" + - kv: + description: Split Events 4xx and 600 event data fields. + field: winlog.event_data.param3 + target_field: winlog.event_data + field_split: "\n\t" + trim_key: "\n\t" + trim_value: "\n\t" + value_split: "=" + if: ctx?.winlog?.event_id != "800" + + ## ECS and Event fields. + + - set: + field: ecs.version + value: '8.0.0' + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx?.winlog?.level != "" + - date: + field: winlog.time_created + formats: + - ISO8601 + ignore_failure: true + if: ctx?.winlog?.time_created != null + + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + - set: + field: event.category + value: process + - set: + field: event.type + value: start + if: ctx?.event.code == "400" + - set: + field: event.type + value: end + if: ctx?.event.code == "403" + - set: + field: event.type + value: info + if: ctx?.event?.type == null + - convert: + field: winlog.event_data.SequenceNumber + target_field: event.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + ## Process fields. 
+ + - rename: + field: winlog.event_data.HostId + target_field: process.entity_id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostId != "" + - rename: + field: winlog.event_data.HostApplication + target_field: process.command_line + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostApplication != "" + - rename: + field: winlog.event_data.HostName + target_field: process.title + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostName != "" + + ## User fields. + + - split: + field: winlog.event_data.UserId + target_field: "_temp.user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.UserId != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.user?.name != null + + ## PowerShell fields. 
+ + - rename: + field: winlog.event_data.NewEngineState + target_field: powershell.engine.new_state + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.NewEngineState != "" + - rename: + field: winlog.event_data.PreviousEngineState + target_field: powershell.engine.previous_state + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.PreviousEngineState != "" + - rename: + field: winlog.event_data.NewProviderState + target_field: powershell.provider.new_state + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.NewProviderState != "" + - rename: + field: winlog.event_data.ProviderName + target_field: powershell.provider.name + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ProviderName != "" + - convert: + field: winlog.event_data.DetailTotal + target_field: powershell.total + type: long + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.DetailTotal != "" + - convert: + field: winlog.event_data.DetailSequence + target_field: powershell.sequence + type: long + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.DetailSequence != "" + - rename: + field: winlog.event_data.EngineVersion + target_field: powershell.engine.version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.EngineVersion != "" + - rename: + field: winlog.event_data.PipelineId + target_field: powershell.pipeline_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.PipelineId != "" + - rename: + field: winlog.event_data.RunspaceId + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.RunspaceId != "" + - rename: + field: winlog.event_data.HostVersion + target_field: powershell.process.executable_version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.HostVersion != "" + - rename: + field: 
winlog.event_data.CommandLine + target_field: powershell.command.value + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandLine != "" + - rename: + field: winlog.event_data.CommandPath + target_field: powershell.command.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandPath != "" + - rename: + field: winlog.event_data.CommandName + target_field: powershell.command.name + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandName != "" + - rename: + field: winlog.event_data.CommandType + target_field: powershell.command.type + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandType != "" + + - split: + description: Split Event 800 command invocation details. + field: winlog.event_data.param3 + separator: "\n" + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "800" + - script: + description: |- + Parses all command invocation detail raw lines, and converts them to an object, based on their type. + - for unexpectedly formatted ones: {value: "the raw line as it is"} + - for all: + * related_command: describes to what command it is related to + * value: the value for that detail line + * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError + - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
+ lang: painless + if: ctx.event.code == "800" + params: + field: param3 + source: |- + def parseRawDetail(String raw) { + Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; + Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; + + def matcher = detailRegex.matcher(raw); + if (!matcher.matches()) { + return ["value": raw]; + } + def matches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + matches.add(matcher.group(i)); + } + + if (matches.length != 4) { + return ["value": raw]; + } + + if (matches[1] != "ParameterBinding") { + return [ + "type": matches[1], + "related_command": matches[2], + "value": matches[3] + ]; + } + + matcher = parameterBindingRegex.matcher(matches[3]); + if (!matcher.matches()) { + return ["value": matches[4]]; + } + def nameValMatches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + nameValMatches.add(matcher.group(i)); + } + if (nameValMatches.length !== 3) { + return ["value": matches[3]]; + } + + return [ + "type": matches[1], + "related_command": matches[2], + "name": nameValMatches[1], + "value": nameValMatches[2] + ]; + } + + if (ctx?._temp == null) { + ctx._temp = new HashMap(); + } + + if (ctx._temp.details == null) { + ctx._temp.details = new ArrayList(); + } + + def values = ctx?.winlog?.event_data[params["field"]]; + if (values != null && values.length > 0) { + for (v in values) { + ctx._temp.details.add(parseRawDetail(v)); + } + } + - rename: + field: _temp.details + target_field: powershell.command.invocation_details + if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0 + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: ctx?.process?.command_line != null && ctx.process.command_line != "" + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
+ def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + ctx.process.args = commandLineToArgv(ctx.process.command_line); + ctx.process.args_count = ctx.process.args.length; + + - script: + description: Adds file information. 
+ lang: painless + if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 + source: |- + def path = ctx.winlog.event_data.ScriptName; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx?.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + - rename: + field: winlog.event_data.ScriptName + target_field: file.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptName != "" + + ## Cleanup. + + - remove: + field: + - _temp + - winlog.event_data.param1 + - winlog.event_data.param2 + - winlog.event_data.param3 + - winlog.event_data.SequenceNumber + - winlog.event_data.DetailTotal + - winlog.event_data.DetailSequence + - winlog.event_data.UserId + - winlog.time_created + - winlog.level + ignore_missing: true + ignore_failure: true + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); + - remove: + description: Remove empty event data. + field: winlog.event_data + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 + +on_failure: + - set: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/agent.yml b/packages/windows/1.12.1/data_stream/powershell/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/agent.yml 
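Review bot: In the Event 800 invocation-details script, the fallback taken when the ParameterBinding regex does not match returns `["value": matches[4]]`, but `matches` holds exactly four entries (groups 0–3, enforced by the `matches.length != 4` check a few lines earlier), so that branch throws an out-of-bounds error and the whole event lands in `on_failure` with only `error.message` set; it should read `return ["value": matches[3]];`, consistent with the `nameValMatches.length !== 3` fallback just below it. In the `Adds file information` script, the extension is taken from `path.lastIndexOf(".")` without checking that the dot lies after the last backslash, so a directory containing a dot plus an extensionless script (a constructed example: `C:\tools.v2\run`) yields `file.extension: v2\run`; guarding with `if (extIdx > idx)` instead of `extIdx > -1` fixes this. The second `kv` processor (`if: ctx?.winlog?.event_id != "800"`) has no `ignore_missing`, so any non-800 event without `param3` is routed to `on_failure` before any ECS fields are set; a one-line comment saying whether that is intended, or `ignore_missing: true` if it is not, would help the next maintainer.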
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/powershell/fields/base-fields.yml new file mode 100755 index 0000000000..baeabae2d0 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/base-fields.yml @@ -0,0 +1,34 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: dataset.type + type: constant_keyword + description: Dataset type. +- name: dataset.name + type: constant_keyword + description: Dataset name. +- name: dataset.namespace + type: constant_keyword + description: Dataset namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: windows +- name: event.dataset + type: constant_keyword + description: Event dataset + value: windows.powershell +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/beats.yml b/packages/windows/1.12.1/data_stream/powershell/fields/beats.yml new file mode 100755 index 0000000000..3c48f1f224 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/beats.yml @@ -0,0 +1,3 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/ecs.yml b/packages/windows/1.12.1/data_stream/powershell/fields/ecs.yml new file mode 100755 index 0000000000..b38edb214f --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/ecs.yml 
@@ -0,0 +1,201 @@ +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. 
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
+ name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
+ name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/fields.yml b/packages/windows/1.12.1/data_stream/powershell/fields/fields.yml new file mode 100755 index 0000000000..1c154bd041 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/fields.yml 
@@ -0,0 +1,133 @@
+- name: powershell.id
+ type: keyword
+ description: Shell Id.
+ example: Microsoft Powershell
+- name: powershell.pipeline_id
+ type: keyword
+ description: Pipeline id.
+ example: "1"
+- name: powershell.runspace_id
+ type: keyword
+ description: Runspace id.
+ example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb"
+- name: powershell.sequence
+ type: long
+ description: Sequence number of the powershell execution.
+ example: 1
+- name: powershell.total
+ type: long
+ description: Total number of messages in the sequence.
+ example: 10
+- name: powershell.command
+ type: group
+ description: Data related to the executed command.
+ fields:
+ - name: path
+ type: keyword
+ description: Path of the executed command.
+ example: "C:\\Windows\\system32\\cmd.exe"
+ - name: name
+ type: keyword
+ description: Name of the executed command.
+ example: "cmd.exe"
+ - name: type
+ type: keyword
+ description: Type of the executed command.
+ example: Application
+ - name: value
+ type: text
+ description: The invoked command.
+ example: Import-LocalizedData LocalizedData -filename ArchiveResources
+ - name: invocation_details
+ type: array
+ description: >
+ An array of objects containing detailed information of the executed command.
+
+ - name: invocation_details.type
+ type: keyword
+ description: The type of detail.
+ example: CommandInvocation
+ - name: invocation_details.related_command
+ type: keyword
+ description: The command to which the detail is related to.
+ example: Add-Type
+ - name: invocation_details.name
+ type: keyword
+ description: >
+ Only used for ParameterBinding detail type. Indicates the parameter name.
+
+ example: AssemblyName
+ - name: invocation_details.value
+ type: text
+ description: >
+ The value of the detail. The meaning of it will depend on the detail type.
+
+ example: System.IO.Compression.FileSystem
+- name: powershell.connected_user
+ type: group
+ description: Data related to the connected user executing the command.
+ fields:
+ - name: domain
+ type: keyword
+ description: User domain.
+ example: VAGRANT
+ - name: name
+ type: keyword
+ description: User name.
+ example: vagrant
+- name: powershell.engine
+ type: group
+ description: Data related to the PowerShell engine.
+ fields:
+ - name: version
+ type: keyword
+ description: Version of the PowerShell engine version used to execute the command.
+ example: "5.1.17763.1007"
+ - name: previous_state
+ type: keyword
+ description: >
+ Previous state of the PowerShell engine.
+
+ example: Available
+ - name: new_state
+ type: keyword
+ description: >
+ New state of the PowerShell engine.
+
+ example: Stopped
+- name: powershell.file
+ type: group
+ description: Data related to the executed script file.
+ fields:
+ - name: script_block_id
+ type: keyword
+ description: Id of the executed script block.
+ example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa"
+ - name: script_block_text
+ analyzer: powershell_script_analyzer
+ search_analyzer: powershell_script_analyzer
+ type: text
+ description: >
+ Text of the executed script block.
+
+ example: ".\\a_script.ps1"
+- name: powershell.process.executable_version
+ type: keyword
+ description: Version of the engine hosting process executable.
+ example: "5.1.17763.1007"
+- name: powershell.provider
+ type: group
+ description: Data related to the PowerShell engine host.
+ fields:
+ - name: new_state
+ type: keyword
+ description: >
+ New state of the PowerShell provider.
+
+ example: Active
+ - name: name
+ type: keyword
+ description: >
+ Provider name.
+
+ example: Variable
diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/winlog.yml b/packages/windows/1.12.1/data_stream/powershell/fields/winlog.yml
new file mode 100755
index 0000000000..4ac76fdcdc
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/powershell/fields/winlog.yml
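Review bot: The `powershell.provider` group is described as `Data related to the PowerShell engine host.`, which repeats the `powershell.engine` wording while the group's own fields (`new_state`, `name`) describe a PowerShell provider; the line should read `description: Data related to the PowerShell provider.`. The `powershell.engine.version` description doubles the word "version" (`Version of the PowerShell engine version used ...`) and reads better as `Version of the PowerShell engine used to execute the command.`. `script_block_text` names `powershell_script_analyzer` as both `analyzer` and `search_analyzer`; that analyzer is only defined in this stream's `manifest.yml` under `elasticsearch.index_template.settings`, so a short comment above the field pointing there would make the cross-file dependency explicit to whoever next edits either file.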
@@ -0,0 +1,361 @@ +- name: winlog + type: group + description: > + All fields specific to the Windows Event Log are defined here. + + fields: + - name: api + required: true + type: keyword + description: > + The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. + + The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. + + - name: activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. + + - name: computer_name + type: keyword + required: true + description: > + The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. + + - name: event_data + type: object + object_type: keyword + required: false + description: > + The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. + + - name: event_data + type: group + description: > + This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
+ + fields: + - name: AuthenticationPackageName + type: keyword + - name: Binary + type: keyword + - name: BitlockerUserInputTime + type: keyword + - name: BootMode + type: keyword + - name: BootType + type: keyword + - name: BuildVersion + type: keyword + - name: Company + type: keyword + - name: CorruptionActionState + type: keyword + - name: CreationUtcTime + type: keyword + - name: Description + type: keyword + - name: Detail + type: keyword + - name: DeviceName + type: keyword + - name: DeviceNameLength + type: keyword + - name: DeviceTime + type: keyword + - name: DeviceVersionMajor + type: keyword + - name: DeviceVersionMinor + type: keyword + - name: DriveName + type: keyword + - name: DriverName + type: keyword + - name: DriverNameLength + type: keyword + - name: DwordVal + type: keyword + - name: EntryCount + type: keyword + - name: ExtraInfo + type: keyword + - name: FailureName + type: keyword + - name: FailureNameLength + type: keyword + - name: FileVersion + type: keyword + - name: FinalStatus + type: keyword + - name: Group + type: keyword + - name: IdleImplementation + type: keyword + - name: IdleStateCount + type: keyword + - name: ImpersonationLevel + type: keyword + - name: IntegrityLevel + type: keyword + - name: IpAddress + type: keyword + - name: IpPort + type: keyword + - name: KeyLength + type: keyword + - name: LastBootGood + type: keyword + - name: LastShutdownGood + type: keyword + - name: LmPackageName + type: keyword + - name: LogonGuid + type: keyword + - name: LogonId + type: keyword + - name: LogonProcessName + type: keyword + - name: LogonType + type: keyword + - name: MajorVersion + type: keyword + - name: MaximumPerformancePercent + type: keyword + - name: MemberName + type: keyword + - name: MemberSid + type: keyword + - name: MinimumPerformancePercent + type: keyword + - name: MinimumThrottlePercent + type: keyword + - name: MinorVersion + type: keyword + - name: NewProcessId + type: keyword + - name: NewProcessName + type: 
keyword + - name: NewSchemeGuid + type: keyword + - name: NewTime + type: keyword + - name: NominalFrequency + type: keyword + - name: Number + type: keyword + - name: OldSchemeGuid + type: keyword + - name: OldTime + type: keyword + - name: OriginalFileName + type: keyword + - name: Path + type: keyword + - name: PerformanceImplementation + type: keyword + - name: PreviousCreationUtcTime + type: keyword + - name: PreviousTime + type: keyword + - name: PrivilegeList + type: keyword + - name: ProcessId + type: keyword + - name: ProcessName + type: keyword + - name: ProcessPath + type: keyword + - name: ProcessPid + type: keyword + - name: Product + type: keyword + - name: PuaCount + type: keyword + - name: PuaPolicyId + type: keyword + - name: QfeVersion + type: keyword + - name: Reason + type: keyword + - name: SchemaVersion + type: keyword + - name: ScriptBlockText + type: keyword + - name: ServiceName + type: keyword + - name: ServiceVersion + type: keyword + - name: ShutdownActionType + type: keyword + - name: ShutdownEventCode + type: keyword + - name: ShutdownReason + type: keyword + - name: Signature + type: keyword + - name: SignatureStatus + type: keyword + - name: Signed + type: keyword + - name: StartTime + type: keyword + - name: State + type: keyword + - name: Status + type: keyword + - name: StopTime + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: TSId + type: keyword + - name: TargetDomainName + type: keyword + - name: TargetInfo + type: keyword + - name: TargetLogonGuid + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetServerName + type: keyword + - name: TargetUserName + type: keyword + - name: TargetUserSid + type: keyword + - name: TerminalSessionId + type: keyword + - name: TokenElevationType + type: keyword + - name: TransmittedServices + type: keyword + - name: UserSid + type: 
keyword + - name: Version + type: keyword + - name: Workstation + type: keyword + - name: param1 + type: keyword + - name: param2 + type: keyword + - name: param3 + type: keyword + - name: param4 + type: keyword + - name: param5 + type: keyword + - name: param6 + type: keyword + - name: param7 + type: keyword + - name: param8 + type: keyword + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: channel + type: keyword + required: true + description: > + The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. + + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. + + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. + + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged the event. + + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. 
+ + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. + + - name: process.thread.id + type: long + required: false + - name: user_data + type: object + object_type: keyword + required: false + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with this event. + + If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. + + - name: user.name + type: keyword + description: > + Name of the user associated with this event. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. diff --git a/packages/windows/1.12.1/data_stream/powershell/manifest.yml b/packages/windows/1.12.1/data_stream/powershell/manifest.yml new file mode 100755 index 0000000000..7b712964ee --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/manifest.yml 
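Review bot: `process.thread.id` is the only field in this file without a `description` (its sibling `process.pid` carries one), so it will appear undocumented in the generated field reference; add a `description` in the same style as the `process.pid` entry. `user.name` also omits the `required: false` that every other optional field in the `winlog` group states explicitly, which reads as an oversight rather than a choice. Separately, `event_data.ScriptBlockText` is typed `keyword`; if the package's default `ignore_above` limit applies to it, script blocks longer than that limit are silently not indexed in this field, so searches over script content should target the analyzed `powershell.file.script_block_text` field from the stream's fields.yml, and a one-line comment above `ScriptBlockText` saying so would save the next reader a round trip.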
@@ -0,0 +1,106 @@
+type: logs
+title: Windows Powershell logs
+elasticsearch:
+ index_template:
+ settings:
+ analysis:
+ analyzer:
+ powershell_script_analyzer:
+ type: pattern
+ pattern: '[\W&&[^-]]+'
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: Powershell
+ description: 'Windows Powershell channel'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
+ required: true
+ show_user: false
+ default: 400, 403, 600, 800
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: httpjson
+ title: Windows Powershell Events via Splunk Enterprise REST API
+ description: Collect Powershell Events via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:Windows PowerShell\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
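Review bot: The `language` var's description uses asciidoc link syntax (`...a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]`) while the `processors` description in the same file uses markdown (`[Processors](https://...)`); the two cannot both render as links, and the markdown form is the one the rest of the file relies on, so change it to `[here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c)`. The `text`-typed defaults `default: 0` and `default: 400, 403, 600, 800` are unquoted plain scalars — a YAML reader turns `0` into an integer — and quoting them (`default: "0"`, `default: "400, 403, 600, 800"`) matches the already-quoted `search` default further down. The `httpjson` stream's template reads `url`, `username`, `password`, `token` and `ssl`, none of which are declared in this stream's `vars`; presumably they are package-level vars, which are outside this hunk, but the stream description could say so since an operator reading only this manifest cannot tell where the Splunk endpoint and credentials are configured.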
diff --git a/packages/windows/1.12.1/data_stream/powershell/sample_event.json b/packages/windows/1.12.1/data_stream/powershell/sample_event.json new file mode 100755 index 0000000000..45e597cfcc --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/sample_event.json 
@@ -0,0 +1,84 @@ +{ + "@timestamp": "2020-05-13T13:21:43.183Z", + "agent": { + "ephemeral_id": "9c05a45c-02bf-4437-9447-8591244dbdca", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "windows.powershell", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "process", + "code": "600", + "created": "2022-03-31T08:41:12.816Z", + "dataset": "windows.powershell", + "ingested": "2022-03-31T08:41:16Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe 
C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 35, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "C:\\Users\\vagrant\\Desktop\\lateral.ps1" + ], + "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", + "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", + "title": "Windows PowerShell ISE Host" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "winlog": { + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "600", + "keywords": [ + "Classic" + ], + "provider_name": "PowerShell", + "record_id": "1089" + } +} \ No newline at end of file diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs b/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..0a82aa6acc --- /dev/null 
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,101 @@
+config_version: "2"
+interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+- drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+- fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+- drop_fields:
+ fields: message
+- rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+- drop_fields:
+ fields: json
+- decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
+{{#if processors.length}}
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/winlog.yml.hbs b/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/winlog.yml.hbs
new file mode 100755
index 0000000000..55799473ec
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/winlog.yml.hbs
@@ -0,0 +1,24 @@
+name: Microsoft-Windows-PowerShell/Operational
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/1.12.1/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..16d21d8fe8
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
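Review bot: `auth.basic.password: {{password}}` and the Authorization header's `value: {{token}}` render secrets as unquoted plain scalars, so a credential containing ` #`, `: `, or a leading YAML indicator changes the parsed config or makes it fail to load, unless the agent's template renderer escapes these values (not visible here); quoting them — `auth.basic.password: "{{password}}"`, `value: "{{token}}"` — is the usual guard, and `auth.basic.user: {{username}}` benefits the same way. `request.ssl` is only emitted when `ssl` is set, so with a plain `http://` value for `url` the basic credentials are sent in clear; that is a configuration concern, but the `url` var's description (in the package manifest, outside this hunk) is the place to say so. On the processor side, `decode_xml_wineventlog` runs with `ignore_failure: true`, so a Splunk record whose `_raw` is not parseable XML is shipped with `event.original` but no `winlog.*` fields and nothing marking the failure; detection content keyed on `winlog.event_id` would silently miss such records, which is worth a comment above the processor if the silence is intended.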
@@ -0,0 +1,489 @@ +--- +description: Pipeline for Windows Powershell/Operational events +processors: + - kv: + description: Split Event 4103 event data fields. + field: winlog.event_data.ContextInfo + target_field: winlog.event_data + field_split: "\n" + trim_key: " \n\t" + trim_value: " \n\t" + value_split: "=" + if: ctx?.winlog?.event_id == "4103" + - script: + description: Remove spaces from all event_data keys. + lang: painless + if: ctx?.winlog?.event_data != null + source: |- + def newEventData = new HashMap(); + for (entry in ctx.winlog.event_data.entrySet()) { + def newKey = /\s/.matcher(entry.getKey().toString()).replaceAll(""); + newEventData.put(newKey, entry.getValue()); + } + ctx.winlog.event_data = newEventData; + + ## ECS and Event fields. + + - set: + field: ecs.version + value: '8.0.0' + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx?.winlog?.level != "" + - date: + field: winlog.time_created + formats: + - ISO8601 + ignore_failure: true + if: ctx?.winlog?.time_created != null + + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + - set: + field: event.category + value: process + - set: + field: event.type + value: start + if: ctx?.event.code == "4105" + - set: + field: event.type + value: end + if: ctx?.event.code == "4106" + - set: + field: event.type + value: info + if: ctx?.event?.type == null + - convert: + field: winlog.event_data.SequenceNumber + target_field: event.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + ## Process fields. 
+ + - rename: + field: winlog.event_data.HostID + target_field: process.entity_id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostID != "" + - rename: + field: winlog.event_data.HostApplication + target_field: process.command_line + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostApplication != "" + - rename: + field: winlog.event_data.HostName + target_field: process.title + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostName != "" + + ## User fields. + + - set: + field: user.id + copy_from: winlog.user.identifier + ignore_failure: true + ignore_empty_value: true + - split: + field: winlog.event_data.User + target_field: "_temp.user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.User != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.user?.name != null + - split: + field: winlog.event_data.ConnectedUser + target_field: "_temp.connected_user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.ConnectedUser != null + - set: + field: source.user.domain + value: "{{_temp.connected_user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 + - set: + field: source.user.name + value: "{{_temp.connected_user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 + - append: + field: related.user + value: "{{source.user.name}}" + 
ignore_failure: true + allow_duplicates: false + if: ctx?.source?.user?.name != null + - rename: + field: user.domain + target_field: destination.user.domain + ignore_failure: true + ignore_missing: true + if: ctx?.source?.user != null + - rename: + field: user.name + target_field: destination.user.name + ignore_failure: true + ignore_missing: true + if: ctx?.source?.user != null + - set: + field: user.domain + copy_from: source.user.domain + ignore_failure: true + ignore_empty_value: true + if: ctx?.source?.user != null + - set: + field: user.name + copy_from: source.user.name + ignore_failure: true + ignore_empty_value: true + if: ctx?.source?.user != null + + ## PowerShell fields. + + - convert: + field: winlog.event_data.MessageNumber + target_field: powershell.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.event_data.MessageTotal + target_field: powershell.total + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.ShellID + target_field: powershell.id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ShellID != "" + - rename: + field: winlog.event_data.EngineVersion + target_field: powershell.engine.version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.EngineVersion != "" + - rename: + field: winlog.event_data.PipelineID + target_field: powershell.pipeline_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.PipelineID != "" + - rename: + field: winlog.event_data.RunspaceID + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.RunspaceID != "" + - rename: + field: winlog.event_data.RunspaceId + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.RunspaceId != "" + - rename: + field: winlog.event_data.HostVersion + target_field: 
powershell.process.executable_version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.HostVersion != "" + - rename: + field: winlog.event_data.CommandLine + target_field: powershell.command.value + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandLine != "" + - rename: + field: winlog.event_data.CommandPath + target_field: powershell.command.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandPath != "" + - rename: + field: winlog.event_data.CommandName + target_field: powershell.command.name + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandName != "" + - rename: + field: winlog.event_data.CommandType + target_field: powershell.command.type + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandType != "" + - rename: + field: winlog.event_data.ScriptBlockId + target_field: powershell.file.script_block_id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptBlockId != "" + - rename: + field: winlog.event_data.ScriptBlockText + target_field: powershell.file.script_block_text + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptBlockText != "" + + - split: + description: Split Event 800 command invocation details. + field: winlog.event_data.Payload + separator: "\n" + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "4103" + - script: + description: |- + Parses all command invocation detail raw lines, and converts them to an object, based on their type. + - for unexpectedly formatted ones: {value: "the raw line as it is"} + - for all: + * related_command: describes to what command it is related to + * value: the value for that detail line + * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError + - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
+ lang: painless + if: ctx.event.code == "4103" + params: + field: Payload + source: |- + def parseRawDetail(String raw) { + Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; + Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; + + def matcher = detailRegex.matcher(raw); + if (!matcher.matches()) { + return ["value": raw]; + } + def matches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + matches.add(matcher.group(i)); + } + + if (matches.length != 4) { + return ["value": raw]; + } + + if (matches[1] != "ParameterBinding") { + return [ + "type": matches[1], + "related_command": matches[2], + "value": matches[3] + ]; + } + + matcher = parameterBindingRegex.matcher(matches[3]); + if (!matcher.matches()) { + return ["value": matches[4]]; + } + def nameValMatches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + nameValMatches.add(matcher.group(i)); + } + if (nameValMatches.length !== 3) { + return ["value": matches[3]]; + } + + return [ + "type": matches[1], + "related_command": matches[2], + "name": nameValMatches[1], + "value": nameValMatches[2] + ]; + } + + if (ctx?._temp == null) { + ctx._temp = new HashMap(); + } + + if (ctx._temp.details == null) { + ctx._temp.details = new ArrayList(); + } + + def values = ctx?.winlog?.event_data[params["field"]]; + if (values != null && values.length > 0) { + for (v in values) { + ctx._temp.details.add(parseRawDetail(v)); + } + } + - rename: + field: _temp.details + target_field: powershell.command.invocation_details + if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0 + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: ctx?.process?.command_line != null && ctx.process.command_line != "" + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
+ def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + ctx.process.args = commandLineToArgv(ctx.process.command_line); + ctx.process.args_count = ctx.process.args.length; + + - rename: + field: winlog.event_data.Path + target_field: 
winlog.event_data.ScriptName + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.Path != "" + - script: + description: Adds file information. + lang: painless + if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 + source: |- + def path = ctx.winlog.event_data.ScriptName; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx?.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + - rename: + field: winlog.event_data.ScriptName + target_field: file.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptName != "" + + ## Cleanup. + + - remove: + field: + - _temp + - winlog.event_data.SequenceNumber + - winlog.event_data.User + - winlog.event_data.ConnectedUser + - winlog.event_data.ContextInfo + - winlog.event_data.Severity + - winlog.event_data.MessageTotal + - winlog.event_data.MessageNumber + - winlog.event_data.Payload + - winlog.time_created + - winlog.level + ignore_missing: true + ignore_failure: true + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); + - remove: + description: Remove empty event data. + field: winlog.event_data + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 + +on_failure: + - set: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/agent.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null 
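Review bot: In the 4103 invocation-detail script the fall-through branch `return ["value": matches[4]];` indexes past the end of `matches` (it holds groups 0–3, so the valid index is `3`), so any `ParameterBinding(...)` line whose payload does not fit `name=...; value=...` throws, lands in `on_failure`, and skips every later processor (args splitting, `file.*`, cleanup) for that event. The same helper's `detailRegex` `/^(.+)\((.+)\)\:\s*(.+)?$/` uses greedy groups, so a parameter value containing `):` — trivially produced from script content an attacker controls — is matched against the last such sequence and the line is silently re-typed with garbage `related_command`/`value`; anchoring the groups, e.g. `^([^(]+)\(([^)]+)\):\s*(.+)?$`, keeps the classification tied to the prefix and is worth a comment explaining why. The split processor's description says "Split Event 800 command invocation details" while its condition is `ctx.event.code == "4103"`; the description should name 4103. Finally, the cleanup script `ctx?.winlog?.event_data?.entrySet().removeIf(...)` has no `if:` guard and the null-safe chain ends before `.removeIf`, so an event without `winlog.event_data` would presumably raise here — `if: ctx?.winlog?.event_data != null` mirrors the guard already used on the first script.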
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/agent.yml 
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/base-fields.yml
new file mode 100755
index 0000000000..e5b4a9801c
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/base-fields.yml
@@ -0,0 +1,34 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: windows
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: windows.powershell_operational
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/beats.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/beats.yml
new file mode 100755
index 0000000000..3c48f1f224
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/ecs.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/ecs.yml
new file mode 100755
index 0000000000..b38edb214f
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/ecs.yml
@@ -0,0 +1,201 @@ +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. 
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
+ name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
+ name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/fields.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/fields.yml new file mode 100755 index 0000000000..ae35dff329 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/fields.yml 
@@ -0,0 +1,132 @@ +- name: powershell.id + type: keyword + description: Shell Id. + example: Microsoft Powershell +- name: powershell.pipeline_id + type: keyword + description: Pipeline id. + example: "1" +- name: powershell.runspace_id + type: keyword + description: Runspace id. + example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb" +- name: powershell.sequence + type: long + description: Sequence number of the powershell execution. + example: 1 +- name: powershell.total + type: long + description: Total number of messages in the sequence. + example: 10 +- name: powershell.command + type: group + description: Data related to the executed command. + fields: + - name: path + type: keyword + description: Path of the executed command. + example: "C:\\Windows\\system32\\cmd.exe" + - name: name + type: keyword + description: Name of the executed command. + example: "cmd.exe" + - name: type + type: keyword + description: Type of the executed command. + example: Application + - name: value + type: text + description: The invoked command. + example: Import-LocalizedData LocalizedData -filename ArchiveResources + - name: invocation_details + type: array + description: > + An array of objects containing detailed information of the executed command. + + - name: invocation_details.type + type: keyword + description: The type of detail. + example: CommandInvocation + - name: invocation_details.related_command + type: keyword + description: The command to which the detail is related to. + example: Add-Type + - name: invocation_details.name + type: keyword + description: > + Only used for ParameterBinding detail type. Indicates the parameter name. + + example: AssemblyName + - name: invocation_details.value + type: text + description: > + The value of the detail. The meaning of it will depend on the detail type. + + example: System.IO.Compression.FileSystem +- name: powershell.connected_user + type: group + description: Data related to the connected user executing the command. 
+ fields: + - name: domain + type: keyword + description: User domain. + example: VAGRANT + - name: name + type: keyword + description: User name. + example: vagrant +- name: powershell.engine + type: group + description: Data related to the PowerShell engine. + fields: + - name: version + type: keyword + description: Version of the PowerShell engine version used to execute the command. + example: "5.1.17763.1007" + - name: previous_state + type: keyword + description: > + Previous state of the PowerShell engine. + + example: Available + - name: new_state + type: keyword + description: > + New state of the PowerShell engine. + + example: Stopped +- name: powershell.file + type: group + description: Data related to the executed script file. + fields: + - name: script_block_id + type: keyword + description: Id of the executed script block. + example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa" + - name: script_block_text + type: text + analyzer: powershell_script_analyzer + description: > + Text of the executed script block. + + example: ".\\a_script.ps1" +- name: powershell.process.executable_version + type: keyword + description: Version of the engine hosting process executable. + example: "5.1.17763.1007" +- name: powershell.provider + type: group + description: Data related to the PowerShell engine host. + fields: + - name: new_state + type: keyword + description: > + New state of the PowerShell provider. + + example: Active + - name: name + type: keyword + description: > + Provider name. + + example: Variable diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/winlog.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/winlog.yml new file mode 100755 index 0000000000..4ac76fdcdc --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/winlog.yml 
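Review bot: The descriptions of `powershell.sequence` ("Sequence number of the powershell execution") and `powershell.total` do not say what the sequence is, and for this channel the distinction matters: in 4104 events these look like the "n of m" counters Windows emits when a long script block is split across several events, so a single document's `powershell.file.script_block_text` holds only one fragment. I would make that explicit, e.g. for `sequence`: `Index of this fragment when a script block is split across several events ("n" of "n of m"); group by powershell.file.script_block_id to reassemble it.` and for `total`: `Number of fragments the script block was split into ("m" of "n of m").` That reading is inferred from the field pairing rather than from this hunk, so verify it against the pipeline that fills the two fields. Separately, `powershell.command.value` is `text` only; detection rules that need exact match or aggregation on the invoked command would want a keyword multi-field (`multi_fields: - name: keyword / type: keyword / ignore_above: 1024`).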
@@ -0,0 +1,361 @@ +- name: winlog + type: group + description: > + All fields specific to the Windows Event Log are defined here. + + fields: + - name: api + required: true + type: keyword + description: > + The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. + + The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. + + - name: activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. + + - name: computer_name + type: keyword + required: true + description: > + The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. + + - name: event_data + type: object + object_type: keyword + required: false + description: > + The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. + + - name: event_data + type: group + description: > + This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
+ + fields: + - name: AuthenticationPackageName + type: keyword + - name: Binary + type: keyword + - name: BitlockerUserInputTime + type: keyword + - name: BootMode + type: keyword + - name: BootType + type: keyword + - name: BuildVersion + type: keyword + - name: Company + type: keyword + - name: CorruptionActionState + type: keyword + - name: CreationUtcTime + type: keyword + - name: Description + type: keyword + - name: Detail + type: keyword + - name: DeviceName + type: keyword + - name: DeviceNameLength + type: keyword + - name: DeviceTime + type: keyword + - name: DeviceVersionMajor + type: keyword + - name: DeviceVersionMinor + type: keyword + - name: DriveName + type: keyword + - name: DriverName + type: keyword + - name: DriverNameLength + type: keyword + - name: DwordVal + type: keyword + - name: EntryCount + type: keyword + - name: ExtraInfo + type: keyword + - name: FailureName + type: keyword + - name: FailureNameLength + type: keyword + - name: FileVersion + type: keyword + - name: FinalStatus + type: keyword + - name: Group + type: keyword + - name: IdleImplementation + type: keyword + - name: IdleStateCount + type: keyword + - name: ImpersonationLevel + type: keyword + - name: IntegrityLevel + type: keyword + - name: IpAddress + type: keyword + - name: IpPort + type: keyword + - name: KeyLength + type: keyword + - name: LastBootGood + type: keyword + - name: LastShutdownGood + type: keyword + - name: LmPackageName + type: keyword + - name: LogonGuid + type: keyword + - name: LogonId + type: keyword + - name: LogonProcessName + type: keyword + - name: LogonType + type: keyword + - name: MajorVersion + type: keyword + - name: MaximumPerformancePercent + type: keyword + - name: MemberName + type: keyword + - name: MemberSid + type: keyword + - name: MinimumPerformancePercent + type: keyword + - name: MinimumThrottlePercent + type: keyword + - name: MinorVersion + type: keyword + - name: NewProcessId + type: keyword + - name: NewProcessName + type: 
keyword + - name: NewSchemeGuid + type: keyword + - name: NewTime + type: keyword + - name: NominalFrequency + type: keyword + - name: Number + type: keyword + - name: OldSchemeGuid + type: keyword + - name: OldTime + type: keyword + - name: OriginalFileName + type: keyword + - name: Path + type: keyword + - name: PerformanceImplementation + type: keyword + - name: PreviousCreationUtcTime + type: keyword + - name: PreviousTime + type: keyword + - name: PrivilegeList + type: keyword + - name: ProcessId + type: keyword + - name: ProcessName + type: keyword + - name: ProcessPath + type: keyword + - name: ProcessPid + type: keyword + - name: Product + type: keyword + - name: PuaCount + type: keyword + - name: PuaPolicyId + type: keyword + - name: QfeVersion + type: keyword + - name: Reason + type: keyword + - name: SchemaVersion + type: keyword + - name: ScriptBlockText + type: keyword + - name: ServiceName + type: keyword + - name: ServiceVersion + type: keyword + - name: ShutdownActionType + type: keyword + - name: ShutdownEventCode + type: keyword + - name: ShutdownReason + type: keyword + - name: Signature + type: keyword + - name: SignatureStatus + type: keyword + - name: Signed + type: keyword + - name: StartTime + type: keyword + - name: State + type: keyword + - name: Status + type: keyword + - name: StopTime + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: TSId + type: keyword + - name: TargetDomainName + type: keyword + - name: TargetInfo + type: keyword + - name: TargetLogonGuid + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetServerName + type: keyword + - name: TargetUserName + type: keyword + - name: TargetUserSid + type: keyword + - name: TerminalSessionId + type: keyword + - name: TokenElevationType + type: keyword + - name: TransmittedServices + type: keyword + - name: UserSid + type: 
keyword + - name: Version + type: keyword + - name: Workstation + type: keyword + - name: param1 + type: keyword + - name: param2 + type: keyword + - name: param3 + type: keyword + - name: param4 + type: keyword + - name: param5 + type: keyword + - name: param6 + type: keyword + - name: param7 + type: keyword + - name: param8 + type: keyword + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: channel + type: keyword + required: true + description: > + The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. + + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. + + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. + + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged the event. + + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. 
+ + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. + + - name: process.thread.id + type: long + required: false + - name: user_data + type: object + object_type: keyword + required: false + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with this event. + + If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. + + - name: user.name + type: keyword + description: > + Name of the user associated with this event. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/manifest.yml b/packages/windows/1.12.1/data_stream/powershell_operational/manifest.yml new file mode 100755 index 0000000000..5b3a0c3ad6 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/manifest.yml 
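Review bot: The description of `winlog.process.pid` ("The process_id of the Client Server Runtime Process") is misleading for this channel: the sample event in this patch maps `Execution ProcessID='4204'` straight to `winlog.process.pid`, i.e. the process that emitted the event (here the PowerShell host), which is exactly the value an analyst pivots on, and `winlog.process.thread.id` has no description at all. I would change the former to `The ID of the process that logged the event (the Execution/ProcessID attribute); for this channel that is the PowerShell host process.` and give the latter `The ID of the thread that logged the event (the Execution/ThreadID attribute).` Also, `winlog.event_data.ScriptBlockText` is a plain keyword; if the package build applies its usual `ignore_above: 1024` default, script blocks longer than that are not indexed under this field, so a one-line note pointing rules at `powershell.file.script_block_text` would save someone a false negative.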
@@ -0,0 +1,106 @@
+type: logs
+title: Windows Powershell/Operational logs
+elasticsearch:
+ index_template:
+ settings:
+ analysis:
+ analyzer:
+ powershell_script_analyzer:
+ type: pattern
+ pattern: '[\W&&[^-]]+'
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: Powershell Operational
+ description: 'Microsoft-Windows-Powershell/Operational channel'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
+ required: true
+ show_user: false
+ default: 4103, 4104, 4105, 4106
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: httpjson
+ title: Windows Powershell Operational Events via Splunk Enterprise REST API
+ description: Collect Powershell Operational Events via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Powershell/Operational\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
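Review bot: The httpjson stream's default `search` filters on sourcetype only, while the winlog stream defaults `event_id` to `4103, 4104, 4105, 4106`, so every other event ID in Microsoft-Windows-PowerShell/Operational reaches the shared ingest pipeline only via the Splunk path and nothing in this hunk shows the pipeline copes with them. Either confirm the pipeline (outside this hunk) tolerates the extra IDs or narrow the default, e.g. `default: "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Powershell/Operational\" EventCode IN (4103, 4104, 4105, 4106)"`, checking the field name against the Splunk add-on in use. `ignore_older` also defaults to `72h` with `show_user: false`: on first enrolment of a host with a backlog, or after an outage longer than three days, older script-block events are skipped silently, which is a logging gap a security user should see, so consider `show_user: true` or saying so in the description. Finally, the `language` description uses asciidoc link syntax (`https://…[here]`) where the `processors` description uses Markdown, so one of the two renders as raw text in the integration UI.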
diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/sample_event.json b/packages/windows/1.12.1/data_stream/powershell_operational/sample_event.json new file mode 100755 index 0000000000..51586bda91 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/sample_event.json 
@@ -0,0 +1,77 @@ +{ + "@timestamp": "2020-05-13T09:04:04.755Z", + "agent": { + "ephemeral_id": "d531ecae-45f4-4f96-a334-2c851a45469a", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "windows.powershell_operational", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "process", + "code": "4105", + "created": "2022-03-31T08:41:48.560Z", + "dataset": "windows.powershell_operational", + "ingested": "2022-03-31T08:41:49Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-PowerShell", + "type": "start" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4105", + "process": { + "pid": 4204, + "thread": { + "id": 1476 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "790", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } +} \ No newline at end of file diff --git a/packages/windows/1.12.1/data_stream/service/agent/stream/stream.yml.hbs b/packages/windows/1.12.1/data_stream/service/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..d01c1b05cd --- /dev/null +++ b/packages/windows/1.12.1/data_stream/service/agent/stream/stream.yml.hbs @@ -0,0 +1,3 @@ +metricsets: ["service"] +condition: ${host.platform} == 'windows' +period: {{period}} diff --git a/packages/windows/1.12.1/data_stream/service/fields/agent.yml b/packages/windows/1.12.1/data_stream/service/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/service/fields/agent.yml 
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/windows/1.12.1/data_stream/service/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/service/fields/base-fields.yml
new file mode 100755
index 0000000000..5ec8437476
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/service/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: windows
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: windows.service
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/windows/1.12.1/data_stream/service/fields/fields.yml b/packages/windows/1.12.1/data_stream/service/fields/fields.yml
new file mode 100755
index 0000000000..7618a693c4
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/service/fields/fields.yml
@@ -0,0 +1,44 @@
+- name: windows.service
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ A unique ID for the service. It is a hash of the machine's GUID and the service name.
+ - name: name
+ type: keyword
+ description: |
+ The service name.
+ - name: display_name
+ type: keyword
+ description: |
+ The display name of the service.
+ - name: start_type
+ type: keyword
+ description: |
+ The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`.
+ - name: start_name
+ type: keyword
+ description: |
+ Account name under which a service runs.
+ - name: path_name
+ type: keyword
+ description: |
+ Fully qualified path to the file that implements the service, including arguments.
+ - name: state
+ type: keyword
+ description: |
+ The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`.
+ - name: exit_code
+ type: keyword
+ description: |
+ For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code.
+ - name: pid
+ type: long
+ description: |
+ For `Running` services this is the associated process PID.
+ - name: uptime.ms
+ type: long
+ format: duration
+ description: |
+ The service's uptime specified in milliseconds.
diff --git a/packages/windows/1.12.1/data_stream/service/manifest.yml b/packages/windows/1.12.1/data_stream/service/manifest.yml
new file mode 100755
index 0000000000..8810c1a5fa
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/service/manifest.yml
@@ -0,0 +1,14 @@
+title: Windows service metrics
+type: metrics
+streams:
+ - input: windows/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 60s
+ title: Windows service metrics
+ description: Collect Windows service metrics
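Review bot: `windows.service.path_name` is documented as "including arguments" but, unlike the ECS `process.command_line` definition earlier in this patch, carries no warning that arguments can hold sensitive material; services are sometimes started with credentials or tokens on the command line, and this field would index them verbatim. I would extend the description with `Arguments are captured verbatim and are not filtered; use an agent processor to drop or redact this field for services that receive secrets on their command line.` The `exit_code` description also has a typo, "when starting to stopping", which should read "when starting or stopping".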
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs b/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..0a82aa6acc --- /dev/null +++ b/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,101 @@
+config_version: "2"
+interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+- drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+- fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+- drop_fields:
+ fields: message
+- rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+- drop_fields:
+ fields: json
+- decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
+{{#if processors.length}}
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs b/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
new file mode 100755
index 0000000000..7795afb123
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
@@ -0,0 +1,24 @@
+name: Microsoft-Windows-Sysmon/Operational
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..843d73b827
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
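Review bot: The two authentication guards in the Splunk template are mutually exclusive, so a policy that sets `token` together with `username`/`password` renders neither the `auth.basic.*` keys (guarded by `{{#unless token}}`) nor the `header.Authorization` transform (guarded by `{{#unless username}}{{#unless password}}`), and the input silently polls Splunk unauthenticated, surfacing only as 401s at runtime. Give one method precedence instead: replace the outer `{{#unless username}}{{#unless password}}` pair around the Authorization transform with a bare `{{#if token}}` and keep `{{#unless token}}` on the basic-auth block, so a token always wins and the failure mode disappears. Separately, `auth.basic.password: {{password}}` and `value: {{token}}` are emitted as unquoted plain scalars, so a secret that starts with `*`, `&`, `[` or `{`, or contains `: ` or ` #`, will either break the rendered YAML or be re-typed; quoting them (`"{{password}}"`, `"{{token}}"`) is the safer template. Because the token is written into the header verbatim, the variable must already carry its scheme prefix (`Bearer …` or Splunk's own scheme); if the input's variable description does not say so, it should.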
@@ -0,0 +1,1241 @@ +--- +description: Pipeline for Windows Sysmon Event Logs +processors: +## ECS and Event fields. + + - set: + field: ecs.version + value: '8.0.0' + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx.winlog?.event_data?.entrySet().removeIf(entry -> [null, "", "-", "{00000000-0000-0000-0000-000000000000}"].contains(entry.getValue())) + - rename: + field: winlog.level + target_field: log.level + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.level != "" + - date: + field: winlog.time_created + target_field: event.created + formats: + - ISO8601 + ignore_failure: true + if: ctx?.winlog?.time_created != null + - date: + field: winlog.event_data.UtcTime + formats: + - yyyy-MM-dd HH:mm:ss.SSS + timezone: UTC + ignore_failure: true + if: ctx?.winlog?.event_data?.UtcTime != null + + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + + - script: + description: Set event category and type for all event types. 
+ lang: painless + params: + "1": + category: + - process + type: + - start + "2": + category: + - file + type: + - change + "3": + category: + - network + type: + - start + - connection + - protocol + "4": + category: + - process + type: + - change + "5": + category: + - process + type: + - end + "6": + category: + - driver + type: + - start + "7": + category: + - process + type: + - change + "10": + category: + - process + type: + - access + "11": + category: + - file + type: + - creation + "12": + category: + - configuration + - registry + type: + - change + "13": + category: + - configuration + - registry + type: + - change + "14": + category: + - configuration + - registry + type: + - change + "15": + category: + - file + type: + - access + "16": + category: + - configuration + type: + - change + "17": + category: + - file + type: + - creation + "18": + category: + - file + type: + - access + "22": + category: + - network + type: + - connection + - protocol + - info + "23": + category: + - file + type: + - deletion + "24": + type: + - change + "25": + category: + - process + type: + - change + "26": + category: + - file + type: + - deletion + tag: Add ECS categorization fields + source: |- + if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + def hm = new HashMap(params[ctx.event.code]); + hm.forEach((k, v) -> ctx.event[k] = v); + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + - rename: + field: winlog.event_data.ID + target_field: error.code + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "255" + + - rename: + field: winlog.event_data.RuleName + target_field: rule.name + ignore_missing: true + ignore_failure: true + + - rename: + field: winlog.event_data.Type + target_field: message + ignore_missing: true + ignore_failure: true + if: ctx.event.code == "25" + + - rename: + field: winlog.event_data.Hash + target_field: winlog.event_data.Hashes + 
ignore_missing: true + ignore_failure: true + - kv: + field: winlog.event_data.Hashes + target_field: _temp.hashes + field_split: "," + value_split: "=" + ignore_failure: true + if: ctx?.winlog?.event_data?.Hashes != null + - script: + lang: painless + if: ctx?._temp?.hashes != null + source: |- + def hashIsEmpty(String hash) { + if (hash == "") { + return true; + } + + Pattern emptyHashRegex = /^0*$/; + def matcher = emptyHashRegex.matcher(hash); + + return matcher.matches(); + } + + def hashes = new HashMap(); + def related = [ + "hash": new ArrayList() + ]; + for (entry in ctx._temp.hashes.entrySet()) { + def key = entry.getKey().toString().toLowerCase(); + def value = entry.getValue().toString().toLowerCase(); + + if (hashIsEmpty(value)) { + continue; + } + + hashes[key] = value; + related.hash.add(value); + } + + ctx._temp.hashes = hashes; + if (related.hash.length > 0) { + ctx.related = related; + } + +## Process fields + + - rename: + field: _temp.hashes + target_field: process.hash + if: |- + ctx?._temp?.hashes != null && + ["1", "23", "24", "25", "26"].contains(ctx.event.code) + - rename: + field: process.hash.imphash + target_field: process.pe.imphash + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.ProcessGuid + target_field: process.entity_id + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.ProcessId + target_field: process.pid + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.Image + target_field: process.executable + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.SourceProcessGuid + target_field: process.entity_id + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.SourceProcessGUID + target_field: process.entity_id + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.SourceProcessId + target_field: process.pid + type: long + 
ignore_failure: true + ignore_missing: true + - convert: + field: winlog.event_data.SourceThreadId + target_field: process.thread.id + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.SourceImage + target_field: process.executable + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.Destination + target_field: process.executable + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.CommandLine + target_field: process.command_line + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.CurrentDirectory + target_field: process.working_directory + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.ParentProcessGuid + target_field: process.parent.entity_id + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.ParentProcessId + target_field: process.parent.pid + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.ParentImage + target_field: process.parent.executable + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.ParentCommandLine + target_field: process.parent.command_line + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.OriginalFileName + target_field: process.pe.original_file_name + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.company + copy_from: winlog.event_data.Company + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.description + copy_from: winlog.event_data.Description + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.file_version + copy_from: winlog.event_data.FileVersion + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: 
process.pe.product + copy_from: winlog.event_data.Product + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: |- + (ctx?.process?.command_line != null && ctx.process.command_line != "") || + (ctx?.process?.parent?.command_line != null && ctx.process.parent.command_line != "") + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. + def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def 
commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + def cmd = ctx?.process?.command_line; + if (cmd != null && cmd != "") { + ctx.process.args = commandLineToArgv(cmd); + ctx.process.args_count = ctx.process.args.length; + } + + def parentCmd = ctx?.process?.parent?.command_line; + if (parentCmd != null && parentCmd != "") { + ctx.process.parent.args = commandLineToArgv(parentCmd); + ctx.process.parent.args_count = ctx.process.parent.args.length; + } + + - script: + description: Adds process name information. + lang: painless + if: |- + (ctx?.process?.executable != null && ctx.process.executable.length() > 1) || + (ctx?.process?.parent?.executable != null && ctx.process.parent.executable.length() > 1) + source: |- + def getProcessName(def path) { + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + return path.substring(idx+1); + } + return ""; + } + + def cmd = ctx?.process?.executable; + if (cmd != null && cmd != "" && ctx?.process?.name == null) { + def name = getProcessName(cmd); + if (name != "") { + ctx.process.name = name; + } + } + + def parentCmd = ctx?.process?.parent?.executable; + if (parentCmd != null && parentCmd != "" && ctx?.process?.parent?.name == null) { + def name = getProcessName(parentCmd); + if (name != "") { + ctx.process.parent.name = name; + } + } + +## File fields + + - rename: + field: _temp.hashes + target_field: file.hash + if: |- + ctx?._temp?.hashes != null && + ["6", "7", "15"].contains(ctx.event.code) + - rename: + field: file.hash.imphash + target_field: file.pe.imphash + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.TargetFilename + target_field: file.path + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.Device + 
target_field: file.path + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.PipeName + target_field: file.name + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.ImageLoaded + target_field: file.path + ignore_missing: true + ignore_failure: true + - set: + field: file.code_signature.subject_name + copy_from: winlog.event_data.Signature + ignore_failure: true + ignore_empty_value: true + - set: + field: file.code_signature.status + copy_from: winlog.event_data.SignatureStatus + ignore_failure: true + ignore_empty_value: true + - rename: + field: winlog.event_data.OriginalFileName + target_field: file.pe.original_file_name + ignore_missing: true + ignore_failure: true + if: ctx.event.code == "7" + - set: + field: file.pe.company + copy_from: winlog.event_data.Company + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.description + copy_from: winlog.event_data.Description + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.file_version + copy_from: winlog.event_data.FileVersion + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.product + copy_from: winlog.event_data.Product + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.code_signature.signed + value: true + if: ctx?.winlog?.event_data?.Signed == true + - set: + field: file.code_signature.valid + value: true + if: ctx?.winlog?.event_data?.SignatureStatus == "Valid" + + - script: + description: Adds file information. 
+ lang: painless + if: ctx?.file?.path != null && ctx.file.path.length() > 1 + source: |- + def path = ctx.file.path; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx?.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + +## Network, Destination, and Source fields + + - rename: + field: winlog.event_data.Protocol + target_field: network.transport + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.DestinationPortName + target_field: network.protocol + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "22" + - rename: + field: winlog.event_data.SourcePortName + target_field: network.protocol + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "22" + - set: + field: network.protocol + value: dns + if: ctx.event.code == "22" + - convert: + field: winlog.event_data.SourceIp + target_field: source.ip + type: ip + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.SourceHostname + target_field: source.domain + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.SourcePort + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.event_data.DestinationIp + target_field: destination.ip + type: ip + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.DestinationHostname + target_field: destination.domain + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.DestinationPort + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.QueryName + target_field: dns.question.name + ignore_missing: true + ignore_failure: true + - set: + field: 
network.direction + value: egress + if: ctx?.winlog?.event_data?.Initiated == "true" + - set: + field: network.direction + value: ingress + if: ctx?.winlog?.event_data?.Initiated == "false" + - set: + field: network.type + value: ipv4 + if: ctx?.winlog?.event_data?.SourceIsIpv6 == "false" + - set: + field: network.type + value: ipv6 + if: ctx?.winlog?.event_data?.SourceIsIpv6 == "true" + - script: + description: | + Splits the QueryResults field that contains the DNS responses. + Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" + lang: painless + if: ctx?.winlog?.event_data?.QueryResults != null + params: + "1": "A" + "2": "NS" + "3": "MD" + "4": "MF" + "5": "CNAME" + "6": "SOA" + "7": "MB" + "8": "MG" + "9": "MR" + "10": "NULL" + "11": "WKS" + "12": "PTR" + "13": "HINFO" + "14": "MINFO" + "15": "MX" + "16": "TXT" + "17": "RP" + "18": "AFSDB" + "19": "X25" + "20": "ISDN" + "21": "RT" + "22": "NSAP" + "23": "NSAPPTR" + "24": "SIG" + "25": "KEY" + "26": "PX" + "27": "GPOS" + "28": "AAAA" + "29": "LOC" + "30": "NXT" + "31": "EID" + "32": "NIMLOC" + "33": "SRV" + "34": "ATMA" + "35": "NAPTR" + "36": "KX" + "37": "CERT" + "38": "A6" + "39": "DNAME" + "40": "SINK" + "41": "OPT" + "43": "DS" + "46": "RRSIG" + "47": "NSEC" + "48": "DNSKEY" + "49": "DHCID" + "100": "UINFO" + "101": "UID" + "102": "GID" + "103": "UNSPEC" + "248": "ADDRS" + "249": "TKEY" + "250": "TSIG" + "251": "IXFR" + "252": "AXFR" + "253": "MAILB" + "254": "MAILA" + "255": "ANY" + "65281": "WINS" + "65282": "WINSR" + source: |- + def results = /;/.split(ctx.winlog.event_data.QueryResults); + def answers = new ArrayList(); + def ips = new ArrayList(); + def relatedHosts = new ArrayList(); + for (def i = 0; i < results.length; i++) { + def answer = results[i]; + if (answer == "") { + continue; + } + + if (answer.startsWith("type:")) { + def parts = /\s+/.split(answer); + if (parts.length != 3) { + throw new Exception("unexpected 
QueryResult format"); + } + + answers.add([ + "type": params[parts[1]], + "data": parts[2] + ]); + relatedHosts.add(parts[2]); + } else { + answer = answer.replace("::ffff:", ""); + ips.add(answer); + } + } + + if (answers.length > 0) { + ctx.dns.answers = answers; + } + if (ips.length > 0) { + ctx.dns.resolved_ip = ips; + } + if (relatedHosts.length > 0) { + if (ctx?.related == null) { + ctx.related = new HashMap(); + } + ctx.related.hosts = relatedHosts; + } + - foreach: + field: dns.resolved_ip + ignore_missing: true + processor: + convert: + field: _ingest._value + type: ip + on_failure: + - remove: + field: _ingest._value + - script: + description: Convert V4MAPPED addresses. + lang: painless + if: ctx?.dns?.resolved_ip != null + source: |- + if (ctx.dns.answers == null) { + ctx.dns.answers = new ArrayList(); + } + for (def i = 0; i < ctx.dns.resolved_ip.length; i++) { + def ip = ctx.dns.resolved_ip[i]; + if (ip == null) { + ctx.dns.resolved_ip.remove(i); + continue; + } + + // Synthesize record type based on IP address type. + def type = "A"; + if (ip.indexOf(":") != -1) { + type = "AAAA"; + } + ctx.dns.answers.add([ + "type": type, + "data": ip + ]); + } + - registered_domain: + field: dns.question.name + target_field: dns.question + ignore_failure: true + ignore_missing: true + - append: + field: related.hosts + value: "{{dns.question.name}}" + allow_duplicates: false + if: ctx?.dns?.question?.name != null && ctx?.dns?.question?.name != "" + - remove: + description: Remove dns.question.domain because it is not part of ECS and is redundant with dns.question.name. 
+ field: dns.question.domain + ignore_missing: true + ignore_failure: true + - foreach: + field: dns.resolved_ip + ignore_missing: true + processor: + append: + field: related.ip + value: "{{_ingest._value}}" + allow_duplicates: false + ignore_failure: true + - community_id: + ignore_failure: true + ignore_missing: false + +## User fields + + - set: + field: user.id + copy_from: winlog.user.identifier + ignore_empty_value: true + ignore_failure: true + - split: + field: winlog.event_data.User + target_field: "_temp.user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.User != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + +## Sysmon fields + + - rename: + field: winlog.event_data.QueryStatus + target_field: sysmon.dns.status + ignore_missing: true + ignore_failure: true + - script: + description: Translate DNS Query status. 
+ lang: painless + params: + "5": "ERROR_ACCESS_DENIED" + "0": "SUCCESS" + "8": "ERROR_NOT_ENOUGH_MEMORY" + "13": "ERROR_INVALID_DATA" + "14": "ERROR_OUTOFMEMORY" + "123": "ERROR_INVALID_NAME" + "1214": "ERROR_INVALID_NETNAME" + "1223": "ERROR_CANCELLED" + "1460": "ERROR_TIMEOUT" + "4312": "ERROR_OBJECT_NOT_FOUND" + "9001": "DNS_ERROR_RCODE_FORMAT_ERROR" + "9002": "DNS_ERROR_RCODE_SERVER_FAILURE" + "9003": "DNS_ERROR_RCODE_NAME_ERROR" + "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED" + "9005": "DNS_ERROR_RCODE_REFUSED" + "9006": "DNS_ERROR_RCODE_YXDOMAIN" + "9007": "DNS_ERROR_RCODE_YXRRSET" + "9008": "DNS_ERROR_RCODE_NXRRSET" + "9009": "DNS_ERROR_RCODE_NOTAUTH" + "9010": "DNS_ERROR_RCODE_NOTZONE" + "9016": "DNS_ERROR_RCODE_BADSIG" + "9017": "DNS_ERROR_RCODE_BADKEY" + "9018": "DNS_ERROR_RCODE_BADTIME" + "9101": "DNS_ERROR_KEYMASTER_REQUIRED" + "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE" + "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1" + "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS" + "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM" + "9106": "DNS_ERROR_INVALID_KEY_SIZE" + "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE" + "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION" + "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR" + "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR" + "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION" + "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE" + "9113": "DNS_ERROR_TOO_MANY_SKDS" + "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD" + "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET" + "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS" + "9117": "DNS_ERROR_STANDBY_KEY_NOT_PRESENT" + "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK" + "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD" + "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED" + "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE" + "9122": "DNS_ERROR_BAD_KEYMASTER" + "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD" + "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT" + "9125": "DNS_ERROR_DNSSEC_IS_DISABLED" + "9126": 
"DNS_ERROR_INVALID_XML" + "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS" + "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE" + "9129": "DNS_ERROR_NSEC3_NAME_COLLISION" + "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1" + "9501": "DNS_INFO_NO_RECORDS" + "9502": "DNS_ERROR_BAD_PACKET" + "9503": "DNS_ERROR_NO_PACKET" + "9504": "DNS_ERROR_RCODE" + "9505": "DNS_ERROR_UNSECURE_PACKET" + "9506": "DNS_REQUEST_PENDING" + "9551": "DNS_ERROR_INVALID_TYPE" + "9552": "DNS_ERROR_INVALID_IP_ADDRESS" + "9553": "DNS_ERROR_INVALID_PROPERTY" + "9554": "DNS_ERROR_TRY_AGAIN_LATER" + "9555": "DNS_ERROR_NOT_UNIQUE" + "9556": "DNS_ERROR_NON_RFC_NAME" + "9557": "DNS_STATUS_FQDN" + "9558": "DNS_STATUS_DOTTED_NAME" + "9559": "DNS_STATUS_SINGLE_PART_NAME" + "9560": "DNS_ERROR_INVALID_NAME_CHAR" + "9561": "DNS_ERROR_NUMERIC_NAME" + "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER" + "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION" + "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS" + "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS" + "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL" + "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE" + "9568": "DNS_ERROR_BACKGROUND_LOADING" + "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC" + "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME" + "9571": "DNS_ERROR_DELEGATION_REQUIRED" + "9572": "DNS_ERROR_INVALID_POLICY_TABLE" + "9573": "DNS_ERROR_ADDRESS_REQUIRED" + "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST" + "9602": "DNS_ERROR_NO_ZONE_INFO" + "9603": "DNS_ERROR_INVALID_ZONE_OPERATION" + "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR" + "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD" + "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS" + "9607": "DNS_ERROR_ZONE_LOCKED" + "9608": "DNS_ERROR_ZONE_CREATION_FAILED" + "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS" + "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS" + "9611": "DNS_ERROR_INVALID_ZONE_TYPE" + "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP" + "9613": "DNS_ERROR_ZONE_NOT_SECONDARY" + "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES" + "9615": "DNS_ERROR_WINS_INIT_FAILED" + "9616": 
"DNS_ERROR_NEED_WINS_SERVERS" + "9617": "DNS_ERROR_NBSTAT_INIT_FAILED" + "9618": "DNS_ERROR_SOA_DELETE_INVALID" + "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS" + "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP" + "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN" + "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING" + "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE" + "9652": "DNS_ERROR_INVALID_DATAFILE_NAME" + "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE" + "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED" + "9655": "DNS_ERROR_DATAFILE_PARSING" + "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST" + "9702": "DNS_ERROR_RECORD_FORMAT" + "9703": "DNS_ERROR_NODE_CREATION_FAILED" + "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE" + "9705": "DNS_ERROR_RECORD_TIMED_OUT" + "9706": "DNS_ERROR_NAME_NOT_IN_ZONE" + "9707": "DNS_ERROR_CNAME_LOOP" + "9708": "DNS_ERROR_NODE_IS_CNAME" + "9709": "DNS_ERROR_CNAME_COLLISION" + "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT" + "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS" + "9712": "DNS_ERROR_SECONDARY_DATA" + "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA" + "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST" + "9715": "DNS_WARNING_PTR_CREATE_FAILED" + "9716": "DNS_WARNING_DOMAIN_UNDELETED" + "9717": "DNS_ERROR_DS_UNAVAILABLE" + "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS" + "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE" + "9720": "DNS_ERROR_NODE_IS_DNAME" + "9721": "DNS_ERROR_DNAME_COLLISION" + "9722": "DNS_ERROR_ALIAS_LOOP" + "9751": "DNS_INFO_AXFR_COMPLETE" + "9752": "DNS_ERROR_AXFR" + "9753": "DNS_INFO_ADDED_LOCAL_WINS" + "9801": "DNS_STATUS_CONTINUE_NEEDED" + "9851": "DNS_ERROR_NO_TCPIP" + "9852": "DNS_ERROR_NO_DNS_SERVERS" + "9901": "DNS_ERROR_DP_DOES_NOT_EXIST" + "9902": "DNS_ERROR_DP_ALREADY_EXISTS" + "9903": "DNS_ERROR_DP_NOT_ENLISTED" + "9904": "DNS_ERROR_DP_ALREADY_ENLISTED" + "9905": "DNS_ERROR_DP_NOT_AVAILABLE" + "9906": "DNS_ERROR_DP_FSMO_ERROR" + "9911": "DNS_ERROR_RRL_NOT_ENABLED" + "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE" + "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX" + "9914": 
"DNS_ERROR_RRL_INVALID_IPV6_PREFIX" + "9915": "DNS_ERROR_RRL_INVALID_TC_RATE" + "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE" + "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE" + "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS" + "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST" + "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED" + "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME" + "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE" + "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS" + "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST" + "9953": "DNS_ERROR_DEFAULT_ZONESCOPE" + "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME" + "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES" + "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED" + "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED" + "9958": "DNS_ERROR_INVALID_SCOPE_NAME" + "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST" + "9960": "DNS_ERROR_DEFAULT_SCOPE" + "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION" + "9962": "DNS_ERROR_SCOPE_LOCKED" + "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS" + "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS" + "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST" + "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA" + "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS" + "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED" + "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST" + "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS" + "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST" + "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS" + "9980": "DNS_ERROR_POLICY_LOCKED" + "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT" + "9982": "DNS_ERROR_POLICY_INVALID_NAME" + "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA" + "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME" + "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID" + "9986": "DNS_ERROR_POLICY_SCOPE_MISSING" + "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED" + "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED" + "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED" + "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET" + "9991": 
"DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL" + "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL" + "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE" + "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN" + "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE" + "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY" + "10054": "WSAECONNRESET" + "10055": "WSAENOBUFS" + "10060": "WSAETIMEDOUT" + if: ctx?.sysmon?.dns?.status != null && ctx?.sysmon?.dns?.status != "" + source: |- + def status = params[ctx.sysmon.dns.status]; + if (status != null) { + ctx.sysmon.dns.status = status; + } + - convert: + field: winlog.event_data.Archived + target_field: sysmon.file.archived + type: boolean + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.IsExecutable + target_field: sysmon.file.is_executable + type: boolean + ignore_missing: true + ignore_failure: true + +## Related fields + + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.user?.name != null && ctx.user.name != "" + - append: + field: related.ip + value: "{{source.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.source?.ip != null && ctx.source.ip != "" + - append: + field: related.ip + value: "{{destination.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.destination?.ip != null && ctx.destination.ip != "" + +## Registry fields + + - script: + description: Set registry fields. 
+ lang: painless + if: |- + ctx?.winlog?.event_data?.TargetObject != null && ["12", "13", "14"].contains(ctx.event.code) + params: + HKEY_CLASSES_ROOT: "HKCR" + HKCR: "HKCR" + HKEY_CURRENT_CONFIG: "HKCC" + HKCC: "HKCC" + HKEY_CURRENT_USER: "HKCU" + HKCU: "HKCU" + HKEY_DYN_DATA: "HKDD" + HKDD: "HKDD" + HKEY_LOCAL_MACHINE: "HKLM" + HKLM: "HKLM" + HKEY_PERFORMANCE_DATA: "HKPD" + HKPD: "HKPD" + HKEY_USERS: "HKU" + HKU: "HKU" + source: |- + ctx.registry = new HashMap(); + Pattern qwordRegex = /(?i)QWORD \(((0x[0-9A-F]{8})-(0x[0-9A-F]{8}))\)/; + Pattern dwordRegex = /(?i)DWORD \((0x[0-9A-F]{8})\)/; + Pattern binDataRegex = /Binary Data/; + + def path = ctx.winlog.event_data.TargetObject; + ctx.registry.path = path; + + def pathTokens = Arrays.asList(/\\/.split(path)); + def hive = params[pathTokens[0]]; + if (hive != null) { + ctx.registry.hive = hive; + if (pathTokens.length > 1) { + ctx.registry.key = pathTokens.subList(1, pathTokens.length).join("\\"); + } + } + + def value = pathTokens[pathTokens.length - 1]; + ctx.registry.value = value; + + def data = ctx?.winlog?.event_data?.Details; + if (data != null && data != "") { + def prefixLen = 2; // to remove 0x prefix + def dataValue = ""; + def dataType = ""; + def matcher = qwordRegex.matcher(data); + if (matcher.matches()) { + def parsedHighByte = Long.parseLong(matcher.group(2).substring(prefixLen), 16); + def parsedLowByte = Long.parseLong(matcher.group(3).substring(prefixLen), 16); + if (!Double.isNaN(parsedHighByte) && !Double.isNaN(parsedLowByte)) { + dataType = "SZ_QWORD"; + dataValue = Long.toString(((parsedHighByte << 8) + parsedLowByte)); + ctx.registry.data = [ + "strings": [dataValue], + "type": dataType + ]; + } + return; + } + + matcher = dwordRegex.matcher(data); + if (matcher.matches()) { + def parsedValue = Long.parseLong(matcher.group(1).substring(prefixLen), 16); + if (!Double.isNaN(parsedValue)) { + dataType = "SZ_DWORD"; + dataValue = Long.toString(parsedValue); + ctx.registry.data = [ + 
"strings": [dataValue],
+ "type": dataType
+ ];
+ }
+ return;
+ }
+
+ matcher = binDataRegex.matcher(data);
+ if (matcher.matches()) {
+ // Data type could be REG_BINARY or REG_MULTI_SZ
+ ctx.registry.data = [
+ "strings": [data],
+ "type": "REG_BINARY"
+ ];
+ return;
+ }
+
+ // REG_SZ or REG_EXPAND_SZ
+ ctx.registry.data = [
+ "strings": [data],
+ "type": "REG_SZ"
+ ];
+ }
+
+## Cleanup
+
+ - remove:
+ field:
+ - _temp
+ - winlog.event_data.ProcessId
+ - winlog.event_data.ParentProcessId
+ - winlog.event_data.SourceProcessId
+ - winlog.event_data.SourceThreadId
+ - winlog.event_data.SourceIp
+ - winlog.event_data.SourcePort
+ - winlog.event_data.SourcePortName
+ - winlog.event_data.DestinationIp
+ - winlog.event_data.DestinationPort
+ - winlog.event_data.DestinationPortName
+ - winlog.event_data.RuleName
+ - winlog.event_data.User
+ - winlog.event_data.Initiated
+ - winlog.event_data.SourceIsIpv6
+ - winlog.event_data.DestinationIsIpv6
+ - winlog.event_data.QueryStatus
+ - winlog.event_data.Archived
+ - winlog.event_data.IsExecutable
+ - winlog.event_data.QueryResults
+ - winlog.event_data.UtcTime
+ - winlog.event_data.Hash
+ - winlog.event_data.Hashes
+ - winlog.event_data.TargetObject
+ - winlog.event_data.Details
+ - winlog.time_created
+ - winlog.level
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ description: Remove empty event data.
+ field: winlog.event_data
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0
+
+on_failure:
+ - set:
+ field: "error.message"
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/agent.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
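Review bot: `example: 666777888999` under the cloud `account.id` entry is an unquoted all-digit scalar, so a YAML loader reads it as an integer even though the field is declared `type: keyword`; quoting it as `example: '666777888999'` keeps it a string and matches the already-quoted `"18D109"` and `"stretch"` examples at the end of the file. The three `description: >` folded scalars for `containerized`, `os.build` and `os.codename` are each followed by a blank line, and the clip chomping of `>` keeps one trailing newline in the value; `description: >-` would strip it and make these descriptions consistent with the single-line ones above. The `example: 10.14.1` and `example: 4.4.0-112-generic` values are not valid numbers and so stay strings, but quoting them too would make the intent explicit.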
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/base-fields.yml
new file mode 100755
index 0000000000..2d622167df
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/base-fields.yml
@@ -0,0 +1,34 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: windows
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: windows.sysmon_operational
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/beats.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/beats.yml
new file mode 100755
index 0000000000..3c48f1f224
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/ecs.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/ecs.yml
new file mode 100755
index 0000000000..9f34a703c2
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/ecs.yml
@@ -0,0 +1,515 @@ +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + An array containing an object for each answer section returned by the server. + The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + name: dns.answers + type: object +- description: The class of DNS data contained in this resource record. + name: dns.answers.class + type: keyword +- description: |- + The data describing the resource. + The meaning of this data depends on the type and class of the resource record. + name: dns.answers.data + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + Array of 2 letter DNS header flags. 
+ Expected values are: AA, TC, RD, RA, AD, CD, DO. + name: dns.header_flags + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + name: dns.op_code + type: keyword +- description: The class of records being queried. + name: dns.question.class + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + name: dns.resolved_ip + type: ip +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error code describing the error. + name: error.code + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
+ name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
+ name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). 
+ name: event.provider + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Boolean to capture if a signature is present. + name: file.code_signature.exists + type: boolean +- description: |- + Additional information about the certificate status. + This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + name: file.code_signature.status + type: keyword +- description: Subject name of the code signer + name: file.code_signature.subject_name + type: keyword +- description: |- + Stores the trust status of the certificate chain. + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + name: file.code_signature.trusted + type: boolean +- description: |- + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. + name: file.code_signature.valid + type: boolean +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. 
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: SHA512 hash. + name: file.hash.sha512 + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: CPU architecture target for the file. + name: file.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: file.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: file.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: file.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: file.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: file.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: file.pe.product + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. 
+ name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. 
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: SHA512 hash. + name: process.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.parent.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.parent.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. 
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: CPU architecture target for the file. + name: process.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: process.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: process.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: process.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: process.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: process.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: process.pe.product + type: keyword +- description: Process id. 
+ name: process.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + Content when writing string types. + Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + name: registry.data.strings + type: wildcard +- description: Standard registry type for encoding contents + name: registry.data.type + type: keyword +- description: Abbreviated name for the hive. + name: registry.hive + type: keyword +- description: Hive-relative path of keys. + name: registry.key + type: keyword +- description: Full path, including hive, key and value + name: registry.path + type: keyword +- description: Name of the value written. + name: registry.value + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. 
+ name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. 
+ name: user.target.group.id
+ type: keyword
+- description: Name of the group.
+ name: user.target.group.name
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.target.name
+ type: keyword
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/fields.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/fields.yml
new file mode 100755
index 0000000000..fe766a8460
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/fields.yml
@@ -0,0 +1,9 @@
+- name: sysmon.dns.status
+ type: keyword
+ description: Windows status code returned for the DNS query.
+- name: sysmon.file.archived
+ type: boolean
+ description: Indicates if the deleted file was archived.
+- name: sysmon.file.is_executable
+ type: boolean
+ description: Indicates if the deleted file was an executable.
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/winlog.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/winlog.yml
new file mode 100755
index 0000000000..85152cf774
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/winlog.yml
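Review bot: The description of `sysmon.dns.status` ("Windows status code returned for the DNS query") does not match what the field actually holds: sample_event.json in this same patch indexes `sysmon.dns.status: SUCCESS` for a raw event whose `QueryStatus` is `0`, so the pipeline stores a translated name, not the numeric code. A detection rule written from this description (`sysmon.dns.status: 0`) would never match. Suggest `description: Name of the Windows status code (QueryStatus) returned for the DNS query, e.g. SUCCESS. The numeric code is not kept in this field.` — the last sentence assuming the pipeline (not in view) does not copy the raw value elsewhere.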
@@ -0,0 +1,371 @@
+- name: winlog
+ type: group
+ description: >
+ All fields specific to the Windows Event Log are defined here.
+
+ fields:
+ - name: api
+ required: true
+ type: keyword
+ description: >
+ The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
+
+ The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
+
+ - name: activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
+
+ - name: computer_name
+ type: keyword
+ required: true
+ description: >
+ The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
+
+ - name: event_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
+
+ - name: event_data
+ type: group
+ description: >
+ This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
+
+ fields:
+ - name: AuthenticationPackageName
+ type: keyword
+ - name: Binary
+ type: keyword
+ - name: BitlockerUserInputTime
+ type: keyword
+ - name: BootMode
+ type: keyword
+ - name: BootType
+ type: keyword
+ - name: BuildVersion
+ type: keyword
+ - name: ClientInfo
+ type: keyword
+ - name: Company
+ type: keyword
+ - name: Configuration
+ type: keyword
+ - name: CorruptionActionState
+ type: keyword
+ - name: CreationUtcTime
+ type: keyword
+ - name: Description
+ type: keyword
+ - name: Detail
+ type: keyword
+ - name: DeviceName
+ type: keyword
+ - name: DeviceNameLength
+ type: keyword
+ - name: DeviceTime
+ type: keyword
+ - name: DeviceVersionMajor
+ type: keyword
+ - name: DeviceVersionMinor
+ type: keyword
+ - name: DriveName
+ type: keyword
+ - name: DriverName
+ type: keyword
+ - name: DriverNameLength
+ type: keyword
+ - name: DwordVal
+ type: keyword
+ - name: EntryCount
+ type: keyword
+ - name: EventType
+ type: keyword
+ - name: ExtraInfo
+ type: keyword
+ - name: FailureName
+ type: keyword
+ - name: FailureNameLength
+ type: keyword
+ - name: FileVersion
+ type: keyword
+ - name: FinalStatus
+ type: keyword
+ - name: Group
+ type: keyword
+ - name: IdleImplementation
+ type: keyword
+ - name: IdleStateCount
+ type: keyword
+ - name: ImpersonationLevel
+ type: keyword
+ - name: IntegrityLevel
+ type: keyword
+ - name: IpAddress
+ type: keyword
+ - name: IpPort
+ type: keyword
+ - name: KeyLength
+ type: keyword
+ - name: LastBootGood
+ type: keyword
+ - name: LastShutdownGood
+ type: keyword
+ - name: LmPackageName
+ type: keyword
+ - name: LogonGuid
+ type: keyword
+ - name: LogonId
+ type: keyword
+ - name: LogonProcessName
+ type: keyword
+ - name: LogonType
+ type: keyword
+ - name: MajorVersion
+ type: keyword
+ - name: MaximumPerformancePercent
+ type: keyword
+ - name: MemberName
+ type: keyword
+ - name: MemberSid
+ type: keyword
+ - name: MinimumPerformancePercent
+ type: keyword
+ - name: MinimumThrottlePercent
+ type: keyword
+ - name: MinorVersion
+ type: keyword
+ - name: NewProcessId
+ type: keyword
+ - name: NewProcessName
+ type: keyword
+ - name: NewSchemeGuid
+ type: keyword
+ - name: NewTime
+ type: keyword
+ - name: NominalFrequency
+ type: keyword
+ - name: Number
+ type: keyword
+ - name: OldSchemeGuid
+ type: keyword
+ - name: OldTime
+ type: keyword
+ - name: OriginalFileName
+ type: keyword
+ - name: Path
+ type: keyword
+ - name: PerformanceImplementation
+ type: keyword
+ - name: PreviousCreationUtcTime
+ type: keyword
+ - name: PreviousTime
+ type: keyword
+ - name: PrivilegeList
+ type: keyword
+ - name: ProcessId
+ type: keyword
+ - name: ProcessName
+ type: keyword
+ - name: ProcessPath
+ type: keyword
+ - name: ProcessPid
+ type: keyword
+ - name: Product
+ type: keyword
+ - name: PuaCount
+ type: keyword
+ - name: PuaPolicyId
+ type: keyword
+ - name: QfeVersion
+ type: keyword
+ - name: Reason
+ type: keyword
+ - name: SchemaVersion
+ type: keyword
+ - name: ScriptBlockText
+ type: keyword
+ - name: ServiceName
+ type: keyword
+ - name: ServiceVersion
+ type: keyword
+ - name: Session
+ type: keyword
+ - name: ShutdownActionType
+ type: keyword
+ - name: ShutdownEventCode
+ type: keyword
+ - name: ShutdownReason
+ type: keyword
+ - name: Signature
+ type: keyword
+ - name: SignatureStatus
+ type: keyword
+ - name: Signed
+ type: keyword
+ - name: StartTime
+ type: keyword
+ - name: State
+ type: keyword
+ - name: Status
+ type: keyword
+ - name: StopTime
+ type: keyword
+ - name: SubjectDomainName
+ type: keyword
+ - name: SubjectLogonId
+ type: keyword
+ - name: SubjectUserName
+ type: keyword
+ - name: SubjectUserSid
+ type: keyword
+ - name: TSId
+ type: keyword
+ - name: TargetDomainName
+ type: keyword
+ - name: TargetInfo
+ type: keyword
+ - name: TargetLogonGuid
+ type: keyword
+ - name: TargetLogonId
+ type: keyword
+ - name: TargetServerName
+ type: keyword
+ - name: TargetUserName
+ type: keyword
+ - name: TargetUserSid
+ type: keyword
+ - name: TerminalSessionId
+ type: keyword
+ - name: TokenElevationType
+ type: keyword
+ - name: TransmittedServices
+ type: keyword
+ - name: Type
+ type: keyword
+ - name: UserSid
+ type: keyword
+ - name: Version
+ type: keyword
+ - name: Workstation
+ type: keyword
+ - name: param1
+ type: keyword
+ - name: param2
+ type: keyword
+ - name: param3
+ type: keyword
+ - name: param4
+ type: keyword
+ - name: param5
+ type: keyword
+ - name: param6
+ type: keyword
+ - name: param7
+ type: keyword
+ - name: param8
+ type: keyword
+ - name: event_id
+ type: keyword
+ required: true
+ description: >
+ The event identifier. The value is specific to the source of the event.
+
+ - name: keywords
+ type: keyword
+ required: false
+ description: >
+ The keywords are used to classify an event.
+
+ - name: channel
+ type: keyword
+ required: true
+ description: >
+ The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
+
+ - name: record_id
+ type: keyword
+ required: true
+ description: >
+ The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
+
+ - name: related_activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
+
+ - name: opcode
+ type: keyword
+ required: false
+ description: >
+ The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+ - name: provider_guid
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the provider that logged the event.
+
+ - name: process.pid
+ type: long
+ required: false
+ description: >
+ The process_id of the Client Server Runtime Process.
+
+ - name: provider_name
+ type: keyword
+ required: true
+ description: >
+ The source of the event log record (the application or service that logged the record).
+
+ - name: task
+ type: keyword
+ required: false
+ description: >
+ The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
+
+ - name: process.thread.id
+ type: long
+ required: false
+ - name: user_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event specific data. This field is mutually exclusive with `event_data`.
+
+ - name: user.identifier
+ type: keyword
+ required: false
+ example: S-1-5-21-3541430928-2051711210-1391384369-1001
+ description: >
+ The Windows security identifier (SID) of the account associated with this event.
+
+ If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
+
+ - name: user.name
+ type: keyword
+ description: >
+ Name of the user associated with this event.
+
+ - name: user.domain
+ type: keyword
+ required: false
+ description: >
+ The domain that the account associated with this event is a member of.
+
+ - name: user.type
+ type: keyword
+ required: false
+ description: >
+ The type of account associated with this event.
+
+ - name: version
+ type: long
+ required: false
+ description: The version number of the event's definition.
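Review bot: The description of `winlog.process.pid` ("The process_id of the Client Server Runtime Process") is misleading for this data stream: in sample_event.json the value (2828) is the `Execution ProcessID` of whatever wrote the record, while the process the event is actually about (iexplore.exe, 2736) lands in `process.pid` — an analyst pivoting on the wrong one during an investigation gets the event writer, not the actor. Suggest `description: > The ID of the process that wrote the event record (Execution/ProcessID in the event XML). This is not the process the event describes; see process.pid for that.` Also, the SID-resolution paragraph under `user.identifier` only holds for the local `winlog` input; on the `httpjson`/Splunk path the agent never sees the Windows host, and the sample (input.type httpjson) accordingly carries `S-1-5-18` with no `user.name`, so detection content keyed on `winlog.user.name` should not assume it is populated for forwarded events. Declaring `ScriptBlockText` as a plain `keyword` also deserves a note that very long values may exceed the template's keyword length limit and become unsearchable, if this list is reused for the PowerShell channels.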
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/manifest.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/manifest.yml
new file mode 100755
index 0000000000..24eb2f3039
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/manifest.yml
@@ -0,0 +1,97 @@
+type: logs
+title: Windows Sysmon/Operational events
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: Sysmon Operational
+ description: 'Collect Microsoft-Windows-Sysmon/Operational channel logs'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
+ required: false
+ show_user: false
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: httpjson
+ title: Windows Sysmon Operational Events via Splunk Enterprise REST API
+ description: Collect Sysmon Operational Events via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/sample_event.json b/packages/windows/1.12.1/data_stream/sysmon_operational/sample_event.json
new file mode 100755
index 0000000000..0e68166259
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/sample_event.json
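Review bot: The `event_id` var description on the `winlog` stream reuses Security-channel examples (4624, 4700-4800, -4735), but this stream reads `Microsoft-Windows-Sysmon/Operational`, whose event IDs are small numbers such as the `22` in sample_event.json; a user who copies the example gets a filter that matches nothing and silently drops the whole channel from collection. Suggest Sysmon-appropriate examples, e.g. `single event IDs to include (e.g. 22), a range of event IDs to include (e.g. 1-10), and single event IDs to exclude (e.g. -22)`. On the `httpjson` stream, the default `search` filters only on sourcetype and nothing here bounds the time window, so unless `httpjson.yml.hbs` (not in view) adds `earliest`/`latest` derived from `interval`, every 10 s poll re-reads the entire index and re-emits duplicates; that assumption is worth a sentence in the `search` description. The `forwarded` default tag on that stream is correct and should stay, since it keeps the agent's own `host.*` from being attributed to these events.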
@@ -0,0 +1,126 @@
+{
+ "@timestamp": "2019-07-18T03:34:01.261Z",
+ "agent": {
+ "ephemeral_id": "0670a96e-1852-42bc-b667-66e022ab1c89",
+ "hostname": "docker-fleet-agent",
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "data_stream": {
+ "dataset": "windows.sysmon_operational",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "www-msn-com.a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "204.79.197.203",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "name": "www.msn.com",
+ "registered_domain": "msn.com",
+ "subdomain": "www",
+ "top_level_domain": "com"
+ },
+ "resolved_ip": [
+ "204.79.197.203"
+ ]
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:02.025Z",
+ "dataset": "windows.sysmon_operational",
+ "ingested": "2022-03-31T08:42:26Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
+ "protocol",
+ "info"
+ ]
+ },
+ "host": {
+ "name": "vagrant-2016"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "name": "iexplore.exe",
+ "pid": 2736
+ },
+ "related": {
+ "hosts": [
+ "www-msn-com.a-0003.a-msedge.net",
+ "a-0003.a-msedge.net",
+ "www.msn.com"
+ ],
+ "ip": [
+ "204.79.197.203"
+ ]
+ },
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "user": {
+ "id": "S-1-5-18"
+ },
+ "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "vagrant-2016",
+ "event_id": "22",
+ "opcode": "Info",
+ "process": {
+ "pid": 2828,
+ "thread": {
+ "id": 1684
+ }
+ },
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": "67",
+ "user": {
+ "identifier": "S-1-5-18"
+ },
+ "version": 5
+ }
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/docs/README.md b/packages/windows/1.12.1/docs/README.md
new file mode 100755
index 0000000000..2f9e3154f8
--- /dev/null
+++ b/packages/windows/1.12.1/docs/README.md
@@ -0,0 +1,1268 @@ +# Windows Integration + +The Windows package allows you to monitor the Windows os, services, applications etc. Because the Windows integration +always applies to the local server, the `hosts` config option is not needed. Note that for 7.11, `security`, `application` and `system` logs have been moved to the system package. + +## Compatibility + +The Windows datasets collect different kinds of metric data, which may require dedicated permissions +to be fetched and which may vary across operating systems. + +## Configuration + +### Ingesting Windows Events via Splunk + +This integration offers the ability to seamlessly ingest data from a Splunk Enterprise instance. +These integrations work by using the [httpjson input](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html) in Elastic Agent to run a Splunk search via the Splunk REST API and then extract the raw event from the results. +The raw event is then processed via the Elastic Agent. +The Splunk search is customizable and the interval between searches is customizable. +For more information on the Splunk API integration please see [here](https://www.elastic.co/guide/en/observability/current/ingest-splunk.html). + +This integration requires Windows Events from Splunk to be in XML format. +To achieve this, `renderXml` needs to be set to `1` in your [inputs.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf) file. + +## Metrics + +### Service + +The Windows `service` dataset provides service details. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| windows.service.display_name | The display name of the service. | keyword | +| windows.service.exit_code | For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code. | keyword | +| windows.service.id | A unique ID for the service. It is a hash of the machine's GUID and the service name. | keyword | +| windows.service.name | The service name. | keyword | +| windows.service.path_name | Fully qualified path to the file that implements the service, including arguments. | keyword | +| windows.service.pid | For `Running` services this is the associated process PID. | long | +| windows.service.start_name | Account name under which a service runs. | keyword | +| windows.service.start_type | The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`. | keyword | +| windows.service.state | The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`. 
| keyword | +| windows.service.uptime.ms | The service's uptime specified in milliseconds. | long | + + + +### Perfmon + +The Windows `perfmon` dataset provides performance counter values. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| windows.perfmon.instance | Instance value. | keyword | +| windows.perfmon.metrics.\*.\* | Metric values returned. | object | +| windows.perfmon.object | Object value. | keyword | + + + +Both datasets are available on Windows only. + +## Logs + +### Forwarded + +The Windows `forwarded` dataset provides events from the Windows +`ForwardedEvents` event log. The fields will be the same as the +channel specific datasets. + +### Powershell + +The Windows `powershell` dataset provides events from the Windows +`Windows PowerShell` event log. 
+ +An example event for `powershell` looks as following: + +```json +{ + "@timestamp": "2020-05-13T13:21:43.183Z", + "agent": { + "ephemeral_id": "9c05a45c-02bf-4437-9447-8591244dbdca", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "windows.powershell", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "process", + "code": "600", + "created": "2022-03-31T08:41:12.816Z", + "dataset": "windows.powershell", + "ingested": "2022-03-31T08:41:16Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe 
C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 35, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "C:\\Users\\vagrant\\Desktop\\lateral.ps1" + ], + "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", + "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", + "title": "Windows PowerShell ISE Host" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "winlog": { + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "600", + "keywords": [ + "Classic" + ], + "provider_name": "PowerShell", + "record_id": "1089" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | +| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | +| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword | +| powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | +| powershell.command.invocation_details.type | The type of detail. | keyword | +| powershell.command.invocation_details.value | The value of the detail. The meaning of it will depend on the detail type. | text | +| powershell.command.name | Name of the executed command. | keyword | +| powershell.command.path | Path of the executed command. | keyword | +| powershell.command.type | Type of the executed command. | keyword | +| powershell.command.value | The invoked command. | text | +| powershell.connected_user.domain | User domain. | keyword | +| powershell.connected_user.name | User name. | keyword | +| powershell.engine.new_state | New state of the PowerShell engine. | keyword | +| powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword | +| powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword | +| powershell.file.script_block_id | Id of the executed script block. | keyword | +| powershell.file.script_block_text | Text of the executed script block. | text | +| powershell.id | Shell Id. | keyword | +| powershell.pipeline_id | Pipeline id. | keyword | +| powershell.process.executable_version | Version of the engine hosting process executable. | keyword | +| powershell.provider.name | Provider name. | keyword | +| powershell.provider.new_state | New state of the PowerShell provider. | keyword | +| powershell.runspace_id | Runspace id. | keyword | +| powershell.sequence | Sequence number of the powershell execution. | long | +| powershell.total | Total number of messages in the sequence. 
| long | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | +| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | +| winlog.channel | The name of the channel from which this record was read. 
This value is one of the names from the `event_logs` collection in the configuration. | keyword | +| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | +| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | +| winlog.event_data.AuthenticationPackageName | | keyword | +| winlog.event_data.Binary | | keyword | +| winlog.event_data.BitlockerUserInputTime | | keyword | +| winlog.event_data.BootMode | | keyword | +| winlog.event_data.BootType | | keyword | +| winlog.event_data.BuildVersion | | keyword | +| winlog.event_data.Company | | keyword | +| winlog.event_data.CorruptionActionState | | keyword | +| winlog.event_data.CreationUtcTime | | keyword | +| winlog.event_data.Description | | keyword | +| winlog.event_data.Detail | | keyword | +| winlog.event_data.DeviceName | | keyword | +| winlog.event_data.DeviceNameLength | | keyword | +| winlog.event_data.DeviceTime | | keyword | +| winlog.event_data.DeviceVersionMajor | | keyword | +| winlog.event_data.DeviceVersionMinor | | keyword | +| winlog.event_data.DriveName | | keyword | +| winlog.event_data.DriverName | | keyword | +| winlog.event_data.DriverNameLength | | keyword | +| winlog.event_data.DwordVal | | keyword | +| winlog.event_data.EntryCount | | keyword | +| winlog.event_data.ExtraInfo | | keyword | +| winlog.event_data.FailureName | | keyword | +| winlog.event_data.FailureNameLength | | keyword | +| winlog.event_data.FileVersion | | keyword | +| winlog.event_data.FinalStatus | | keyword | +| winlog.event_data.Group | | keyword | +| winlog.event_data.IdleImplementation | | keyword | +| winlog.event_data.IdleStateCount | | keyword | 
+| winlog.event_data.ImpersonationLevel | | keyword | +| winlog.event_data.IntegrityLevel | | keyword | +| winlog.event_data.IpAddress | | keyword | +| winlog.event_data.IpPort | | keyword | +| winlog.event_data.KeyLength | | keyword | +| winlog.event_data.LastBootGood | | keyword | +| winlog.event_data.LastShutdownGood | | keyword | +| winlog.event_data.LmPackageName | | keyword | +| winlog.event_data.LogonGuid | | keyword | +| winlog.event_data.LogonId | | keyword | +| winlog.event_data.LogonProcessName | | keyword | +| winlog.event_data.LogonType | | keyword | +| winlog.event_data.MajorVersion | | keyword | +| winlog.event_data.MaximumPerformancePercent | | keyword | +| winlog.event_data.MemberName | | keyword | +| winlog.event_data.MemberSid | | keyword | +| winlog.event_data.MinimumPerformancePercent | | keyword | +| winlog.event_data.MinimumThrottlePercent | | keyword | +| winlog.event_data.MinorVersion | | keyword | +| winlog.event_data.NewProcessId | | keyword | +| winlog.event_data.NewProcessName | | keyword | +| winlog.event_data.NewSchemeGuid | | keyword | +| winlog.event_data.NewTime | | keyword | +| winlog.event_data.NominalFrequency | | keyword | +| winlog.event_data.Number | | keyword | +| winlog.event_data.OldSchemeGuid | | keyword | +| winlog.event_data.OldTime | | keyword | +| winlog.event_data.OriginalFileName | | keyword | +| winlog.event_data.Path | | keyword | +| winlog.event_data.PerformanceImplementation | | keyword | +| winlog.event_data.PreviousCreationUtcTime | | keyword | +| winlog.event_data.PreviousTime | | keyword | +| winlog.event_data.PrivilegeList | | keyword | +| winlog.event_data.ProcessId | | keyword | +| winlog.event_data.ProcessName | | keyword | +| winlog.event_data.ProcessPath | | keyword | +| winlog.event_data.ProcessPid | | keyword | +| winlog.event_data.Product | | keyword | +| winlog.event_data.PuaCount | | keyword | +| winlog.event_data.PuaPolicyId | | keyword | +| winlog.event_data.QfeVersion | | keyword | +| 
winlog.event_data.Reason | | keyword | +| winlog.event_data.SchemaVersion | | keyword | +| winlog.event_data.ScriptBlockText | | keyword | +| winlog.event_data.ServiceName | | keyword | +| winlog.event_data.ServiceVersion | | keyword | +| winlog.event_data.ShutdownActionType | | keyword | +| winlog.event_data.ShutdownEventCode | | keyword | +| winlog.event_data.ShutdownReason | | keyword | +| winlog.event_data.Signature | | keyword | +| winlog.event_data.SignatureStatus | | keyword | +| winlog.event_data.Signed | | keyword | +| winlog.event_data.StartTime | | keyword | +| winlog.event_data.State | | keyword | +| winlog.event_data.Status | | keyword | +| winlog.event_data.StopTime | | keyword | +| winlog.event_data.SubjectDomainName | | keyword | +| winlog.event_data.SubjectLogonId | | keyword | +| winlog.event_data.SubjectUserName | | keyword | +| winlog.event_data.SubjectUserSid | | keyword | +| winlog.event_data.TSId | | keyword | +| winlog.event_data.TargetDomainName | | keyword | +| winlog.event_data.TargetInfo | | keyword | +| winlog.event_data.TargetLogonGuid | | keyword | +| winlog.event_data.TargetLogonId | | keyword | +| winlog.event_data.TargetServerName | | keyword | +| winlog.event_data.TargetUserName | | keyword | +| winlog.event_data.TargetUserSid | | keyword | +| winlog.event_data.TerminalSessionId | | keyword | +| winlog.event_data.TokenElevationType | | keyword | +| winlog.event_data.TransmittedServices | | keyword | +| winlog.event_data.UserSid | | keyword | +| winlog.event_data.Version | | keyword | +| winlog.event_data.Workstation | | keyword | +| winlog.event_data.param1 | | keyword | +| winlog.event_data.param2 | | keyword | +| winlog.event_data.param3 | | keyword | +| winlog.event_data.param4 | | keyword | +| winlog.event_data.param5 | | keyword | +| winlog.event_data.param6 | | keyword | +| winlog.event_data.param7 | | keyword | +| winlog.event_data.param8 | | keyword | +| winlog.event_id | The event identifier. 
The value is specific to the source of the event. | keyword | +| winlog.keywords | The keywords are used to classify an event. | keyword | +| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | +| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | +| winlog.process.thread.id | | long | +| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | +| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | +| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | +| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | +| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | +| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | +| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. 
| keyword | +| winlog.user.name | Name of the user associated with this event. | keyword | +| winlog.user.type | The type of account associated with this event. | keyword | +| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | +| winlog.version | The version number of the event's definition. | long | + + +### Powershell/Operational + +The Windows `powershell_operational` dataset provides events from the Windows +`Microsoft-Windows-PowerShell/Operational` event log. + +An example event for `powershell_operational` looks as following: + +```json +{ + "@timestamp": "2020-05-13T09:04:04.755Z", + "agent": { + "ephemeral_id": "d531ecae-45f4-4f96-a334-2c851a45469a", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "windows.powershell_operational", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "process", + "code": "4105", + "created": "2022-03-31T08:41:48.560Z", + "dataset": "windows.powershell_operational", + "ingested": "2022-03-31T08:41:49Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation 
ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": "start" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4105", + "process": { + "pid": 4204, + "thread": { + "id": 1476 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "790", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| destination.user.id | Unique identifier of the user. | keyword |
+| destination.user.name | Short name or login of the user. | keyword |
+| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`.
Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`.
| date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.sequence | Sequence number of the event.
The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses.
| keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array |
+| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name.
| keyword |
+| powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword |
+| powershell.command.invocation_details.type | The type of detail. | keyword |
+| powershell.command.invocation_details.value | The value of the detail. The meaning of it will depend on the detail type. | text |
+| powershell.command.name | Name of the executed command. | keyword |
+| powershell.command.path | Path of the executed command. | keyword |
+| powershell.command.type | Type of the executed command. | keyword |
+| powershell.command.value | The invoked command. | text |
+| powershell.connected_user.domain | User domain. | keyword |
+| powershell.connected_user.name | User name. | keyword |
+| powershell.engine.new_state | New state of the PowerShell engine. | keyword |
+| powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword |
+| powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword |
+| powershell.file.script_block_id | Id of the executed script block. | keyword |
+| powershell.file.script_block_text | Text of the executed script block. | text |
+| powershell.id | Shell Id. | keyword |
+| powershell.pipeline_id | Pipeline id. | keyword |
+| powershell.process.executable_version | Version of the engine hosting process executable. | keyword |
+| powershell.provider.name | Provider name. | keyword |
+| powershell.provider.new_state | New state of the PowerShell provider. | keyword |
+| powershell.runspace_id | Runspace id. | keyword |
+| powershell.sequence | Sequence number of the powershell execution. | long |
+| powershell.total | Total number of messages in the sequence. | long |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array.
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
| keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.id | Unique identifier of the user. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
+| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
+| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
+| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
+| winlog.event_data | The event-specific data.
This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
+| winlog.event_data.AuthenticationPackageName | | keyword |
+| winlog.event_data.Binary | | keyword |
+| winlog.event_data.BitlockerUserInputTime | | keyword |
+| winlog.event_data.BootMode | | keyword |
+| winlog.event_data.BootType | | keyword |
+| winlog.event_data.BuildVersion | | keyword |
+| winlog.event_data.Company | | keyword |
+| winlog.event_data.CorruptionActionState | | keyword |
+| winlog.event_data.CreationUtcTime | | keyword |
+| winlog.event_data.Description | | keyword |
+| winlog.event_data.Detail | | keyword |
+| winlog.event_data.DeviceName | | keyword |
+| winlog.event_data.DeviceNameLength | | keyword |
+| winlog.event_data.DeviceTime | | keyword |
+| winlog.event_data.DeviceVersionMajor | | keyword |
+| winlog.event_data.DeviceVersionMinor | | keyword |
+| winlog.event_data.DriveName | | keyword |
+| winlog.event_data.DriverName | | keyword |
+| winlog.event_data.DriverNameLength | | keyword |
+| winlog.event_data.DwordVal | | keyword |
+| winlog.event_data.EntryCount | | keyword |
+| winlog.event_data.ExtraInfo | | keyword |
+| winlog.event_data.FailureName | | keyword |
+| winlog.event_data.FailureNameLength | | keyword |
+| winlog.event_data.FileVersion | | keyword |
+| winlog.event_data.FinalStatus | | keyword |
+| winlog.event_data.Group | | keyword |
+| winlog.event_data.IdleImplementation | | keyword |
+| winlog.event_data.IdleStateCount | | keyword |
+| winlog.event_data.ImpersonationLevel | | keyword |
+| winlog.event_data.IntegrityLevel | | keyword |
+| winlog.event_data.IpAddress | | keyword |
+| winlog.event_data.IpPort | | keyword |
+| winlog.event_data.KeyLength | | keyword |
+| winlog.event_data.LastBootGood | | keyword |
+| 
winlog.event_data.LastShutdownGood | | keyword |
+| winlog.event_data.LmPackageName | | keyword |
+| winlog.event_data.LogonGuid | | keyword |
+| winlog.event_data.LogonId | | keyword |
+| winlog.event_data.LogonProcessName | | keyword |
+| winlog.event_data.LogonType | | keyword |
+| winlog.event_data.MajorVersion | | keyword |
+| winlog.event_data.MaximumPerformancePercent | | keyword |
+| winlog.event_data.MemberName | | keyword |
+| winlog.event_data.MemberSid | | keyword |
+| winlog.event_data.MinimumPerformancePercent | | keyword |
+| winlog.event_data.MinimumThrottlePercent | | keyword |
+| winlog.event_data.MinorVersion | | keyword |
+| winlog.event_data.NewProcessId | | keyword |
+| winlog.event_data.NewProcessName | | keyword |
+| winlog.event_data.NewSchemeGuid | | keyword |
+| winlog.event_data.NewTime | | keyword |
+| winlog.event_data.NominalFrequency | | keyword |
+| winlog.event_data.Number | | keyword |
+| winlog.event_data.OldSchemeGuid | | keyword |
+| winlog.event_data.OldTime | | keyword |
+| winlog.event_data.OriginalFileName | | keyword |
+| winlog.event_data.Path | | keyword |
+| winlog.event_data.PerformanceImplementation | | keyword |
+| winlog.event_data.PreviousCreationUtcTime | | keyword |
+| winlog.event_data.PreviousTime | | keyword |
+| winlog.event_data.PrivilegeList | | keyword |
+| winlog.event_data.ProcessId | | keyword |
+| winlog.event_data.ProcessName | | keyword |
+| winlog.event_data.ProcessPath | | keyword |
+| winlog.event_data.ProcessPid | | keyword |
+| winlog.event_data.Product | | keyword |
+| winlog.event_data.PuaCount | | keyword |
+| winlog.event_data.PuaPolicyId | | keyword |
+| winlog.event_data.QfeVersion | | keyword |
+| winlog.event_data.Reason | | keyword |
+| winlog.event_data.SchemaVersion | | keyword |
+| winlog.event_data.ScriptBlockText | | keyword |
+| winlog.event_data.ServiceName | | keyword |
+| winlog.event_data.ServiceVersion | | keyword |
+| winlog.event_data.ShutdownActionType | | keyword |
+| 
winlog.event_data.ShutdownEventCode | | keyword |
+| winlog.event_data.ShutdownReason | | keyword |
+| winlog.event_data.Signature | | keyword |
+| winlog.event_data.SignatureStatus | | keyword |
+| winlog.event_data.Signed | | keyword |
+| winlog.event_data.StartTime | | keyword |
+| winlog.event_data.State | | keyword |
+| winlog.event_data.Status | | keyword |
+| winlog.event_data.StopTime | | keyword |
+| winlog.event_data.SubjectDomainName | | keyword |
+| winlog.event_data.SubjectLogonId | | keyword |
+| winlog.event_data.SubjectUserName | | keyword |
+| winlog.event_data.SubjectUserSid | | keyword |
+| winlog.event_data.TSId | | keyword |
+| winlog.event_data.TargetDomainName | | keyword |
+| winlog.event_data.TargetInfo | | keyword |
+| winlog.event_data.TargetLogonGuid | | keyword |
+| winlog.event_data.TargetLogonId | | keyword |
+| winlog.event_data.TargetServerName | | keyword |
+| winlog.event_data.TargetUserName | | keyword |
+| winlog.event_data.TargetUserSid | | keyword |
+| winlog.event_data.TerminalSessionId | | keyword |
+| winlog.event_data.TokenElevationType | | keyword |
+| winlog.event_data.TransmittedServices | | keyword |
+| winlog.event_data.UserSid | | keyword |
+| winlog.event_data.Version | | keyword |
+| winlog.event_data.Workstation | | keyword |
+| winlog.event_data.param1 | | keyword |
+| winlog.event_data.param2 | | keyword |
+| winlog.event_data.param3 | | keyword |
+| winlog.event_data.param4 | | keyword |
+| winlog.event_data.param5 | | keyword |
+| winlog.event_data.param6 | | keyword |
+| winlog.event_data.param7 | | keyword |
+| winlog.event_data.param8 | | keyword |
+| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
+| winlog.keywords | The keywords are used to classify an event. | keyword |
+| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
| keyword |
+| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
+| winlog.process.thread.id | | long |
+| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
+| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
+| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
+| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
+| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
+| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
+| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
+| winlog.user.name | Name of the user associated with this event. | keyword |
+| winlog.user.type | The type of account associated with this event. | keyword |
+| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`.
| object |
+| winlog.version | The version number of the event's definition. | long |
+
+
+### Sysmon/Operational
+
+The Windows `sysmon_operational` dataset provides events from the Windows
+`Microsoft-Windows-Sysmon/Operational` event log.
+
+An example event for `sysmon_operational` looks as following:
+
+```json
+{
+ "@timestamp": "2019-07-18T03:34:01.261Z",
+ "agent": {
+ "ephemeral_id": "0670a96e-1852-42bc-b667-66e022ab1c89",
+ "hostname": "docker-fleet-agent",
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "data_stream": {
+ "dataset": "windows.sysmon_operational",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "www-msn-com.a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "204.79.197.203",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "name": "www.msn.com",
+ "registered_domain": "msn.com",
+ "subdomain": "www",
+ "top_level_domain": "com"
+ },
+ "resolved_ip": [
+ "204.79.197.203"
+ ]
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:02.025Z",
+ "dataset": "windows.sysmon_operational",
+ "ingested": "2022-03-31T08:42:26Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated
SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
+ "protocol",
+ "info"
+ ]
+ },
+ "host": {
+ "name": "vagrant-2016"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "name": "iexplore.exe",
+ "pid": 2736
+ },
+ "related": {
+ "hosts": [
+ "www-msn-com.a-0003.a-msedge.net",
+ "a-0003.a-msedge.net",
+ "www.msn.com"
+ ],
+ "ip": [
+ "204.79.197.203"
+ ]
+ },
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "user": {
+ "id": "S-1-5-18"
+ },
+ "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "vagrant-2016",
+ "event_id": "22",
+ "opcode": "Info",
+ "process": {
+ "pid": 2828,
+ "thread": {
+ "id": 1684
+ }
+ },
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": "67",
+ "user": {
+ "identifier": "S-1-5-18"
+ },
+ "version": 5
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format.
The value may derive from the original event or be added from enrichment. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
+| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
+| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
| keyword |
+| dns.question.class | The class of records being queried. | keyword |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
+| dns.response_code | The DNS response code.
| keyword | +| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | +| file.code_signature.subject_name | Subject name of the code signer | keyword | +| file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.hash.sha512 | SHA512 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.pe.architecture | CPU architecture target for the file. | keyword | +| file.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| file.pe.description | Internal description of the file, provided at compile-time. | keyword | +| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| file.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. 
| text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.hash.sha512 | SHA512 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. 
| keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pe.architecture | CPU architecture target for the file. | keyword | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | +| registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. 
For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | +| registry.data.type | Standard registry type for encoding contents | keyword | +| registry.hive | Abbreviated name for the hive. | keyword | +| registry.key | Hive-relative path of keys. | keyword | +| registry.path | Full path, including hive, key and value | keyword | +| registry.value | Name of the value written. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| sysmon.dns.status | Windows status code returned for the DNS query. | keyword | +| sysmon.file.archived | Indicates if the deleted file was archived. | boolean | +| sysmon.file.is_executable | Indicates if the deleted file was an executable. | boolean | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | +| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. 
Winlogbeat automatically detects which API to use for reading event logs. | keyword | +| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | +| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | +| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | +| winlog.event_data.AuthenticationPackageName | | keyword | +| winlog.event_data.Binary | | keyword | +| winlog.event_data.BitlockerUserInputTime | | keyword | +| winlog.event_data.BootMode | | keyword | +| winlog.event_data.BootType | | keyword | +| winlog.event_data.BuildVersion | | keyword | +| winlog.event_data.ClientInfo | | keyword | +| winlog.event_data.Company | | keyword | +| winlog.event_data.Configuration | | keyword | +| winlog.event_data.CorruptionActionState | | keyword | +| winlog.event_data.CreationUtcTime | | keyword | +| winlog.event_data.Description | | keyword | +| winlog.event_data.Detail | | keyword | +| winlog.event_data.DeviceName | | keyword | +| winlog.event_data.DeviceNameLength | | keyword | +| winlog.event_data.DeviceTime | | keyword | +| winlog.event_data.DeviceVersionMajor | | keyword | +| winlog.event_data.DeviceVersionMinor | | keyword | +| winlog.event_data.DriveName | | keyword | +| winlog.event_data.DriverName | | keyword | +| winlog.event_data.DriverNameLength | | keyword | +| winlog.event_data.DwordVal | | keyword | +| winlog.event_data.EntryCount | | keyword | +| winlog.event_data.EventType | | keyword | +| winlog.event_data.ExtraInfo | | keyword | +| winlog.event_data.FailureName | | 
keyword | +| winlog.event_data.FailureNameLength | | keyword | +| winlog.event_data.FileVersion | | keyword | +| winlog.event_data.FinalStatus | | keyword | +| winlog.event_data.Group | | keyword | +| winlog.event_data.IdleImplementation | | keyword | +| winlog.event_data.IdleStateCount | | keyword | +| winlog.event_data.ImpersonationLevel | | keyword | +| winlog.event_data.IntegrityLevel | | keyword | +| winlog.event_data.IpAddress | | keyword | +| winlog.event_data.IpPort | | keyword | +| winlog.event_data.KeyLength | | keyword | +| winlog.event_data.LastBootGood | | keyword | +| winlog.event_data.LastShutdownGood | | keyword | +| winlog.event_data.LmPackageName | | keyword | +| winlog.event_data.LogonGuid | | keyword | +| winlog.event_data.LogonId | | keyword | +| winlog.event_data.LogonProcessName | | keyword | +| winlog.event_data.LogonType | | keyword | +| winlog.event_data.MajorVersion | | keyword | +| winlog.event_data.MaximumPerformancePercent | | keyword | +| winlog.event_data.MemberName | | keyword | +| winlog.event_data.MemberSid | | keyword | +| winlog.event_data.MinimumPerformancePercent | | keyword | +| winlog.event_data.MinimumThrottlePercent | | keyword | +| winlog.event_data.MinorVersion | | keyword | +| winlog.event_data.NewProcessId | | keyword | +| winlog.event_data.NewProcessName | | keyword | +| winlog.event_data.NewSchemeGuid | | keyword | +| winlog.event_data.NewTime | | keyword | +| winlog.event_data.NominalFrequency | | keyword | +| winlog.event_data.Number | | keyword | +| winlog.event_data.OldSchemeGuid | | keyword | +| winlog.event_data.OldTime | | keyword | +| winlog.event_data.OriginalFileName | | keyword | +| winlog.event_data.Path | | keyword | +| winlog.event_data.PerformanceImplementation | | keyword | +| winlog.event_data.PreviousCreationUtcTime | | keyword | +| winlog.event_data.PreviousTime | | keyword | +| winlog.event_data.PrivilegeList | | keyword | +| winlog.event_data.ProcessId | | keyword | +| 
winlog.event_data.ProcessName | | keyword | +| winlog.event_data.ProcessPath | | keyword | +| winlog.event_data.ProcessPid | | keyword | +| winlog.event_data.Product | | keyword | +| winlog.event_data.PuaCount | | keyword | +| winlog.event_data.PuaPolicyId | | keyword | +| winlog.event_data.QfeVersion | | keyword | +| winlog.event_data.Reason | | keyword | +| winlog.event_data.SchemaVersion | | keyword | +| winlog.event_data.ScriptBlockText | | keyword | +| winlog.event_data.ServiceName | | keyword | +| winlog.event_data.ServiceVersion | | keyword | +| winlog.event_data.Session | | keyword | +| winlog.event_data.ShutdownActionType | | keyword | +| winlog.event_data.ShutdownEventCode | | keyword | +| winlog.event_data.ShutdownReason | | keyword | +| winlog.event_data.Signature | | keyword | +| winlog.event_data.SignatureStatus | | keyword | +| winlog.event_data.Signed | | keyword | +| winlog.event_data.StartTime | | keyword | +| winlog.event_data.State | | keyword | +| winlog.event_data.Status | | keyword | +| winlog.event_data.StopTime | | keyword | +| winlog.event_data.SubjectDomainName | | keyword | +| winlog.event_data.SubjectLogonId | | keyword | +| winlog.event_data.SubjectUserName | | keyword | +| winlog.event_data.SubjectUserSid | | keyword | +| winlog.event_data.TSId | | keyword | +| winlog.event_data.TargetDomainName | | keyword | +| winlog.event_data.TargetInfo | | keyword | +| winlog.event_data.TargetLogonGuid | | keyword | +| winlog.event_data.TargetLogonId | | keyword | +| winlog.event_data.TargetServerName | | keyword | +| winlog.event_data.TargetUserName | | keyword | +| winlog.event_data.TargetUserSid | | keyword | +| winlog.event_data.TerminalSessionId | | keyword | +| winlog.event_data.TokenElevationType | | keyword | +| winlog.event_data.TransmittedServices | | keyword | +| winlog.event_data.Type | | keyword | +| winlog.event_data.UserSid | | keyword | +| winlog.event_data.Version | | keyword | +| winlog.event_data.Workstation | | keyword | +| 
winlog.event_data.param1 | | keyword | +| winlog.event_data.param2 | | keyword | +| winlog.event_data.param3 | | keyword | +| winlog.event_data.param4 | | keyword | +| winlog.event_data.param5 | | keyword | +| winlog.event_data.param6 | | keyword | +| winlog.event_data.param7 | | keyword | +| winlog.event_data.param8 | | keyword | +| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | +| winlog.keywords | The keywords are used to classify an event. | keyword | +| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | +| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | +| winlog.process.thread.id | | long | +| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | +| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | +| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | +| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | +| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | +| winlog.user.domain | The domain that the account associated with this event is a member of. 
| keyword | +| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | +| winlog.user.name | Name of the user associated with this event. | keyword | +| winlog.user.type | The type of account associated with this event. | keyword | +| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | +| winlog.version | The version number of the event's definition. | long | + diff --git a/packages/windows/1.12.1/img/logo_windows.svg b/packages/windows/1.12.1/img/logo_windows.svg new file mode 100755 index 0000000000..953b33d8f5 --- /dev/null +++ b/packages/windows/1.12.1/img/logo_windows.svg @@ -0,0 +1,3 @@ + + + 
diff --git a/packages/windows/1.12.1/img/metricbeat-windows-service.png b/packages/windows/1.12.1/img/metricbeat-windows-service.png new file mode 100755 index 0000000000000000000000000000000000000000..b9437930a983f57de821e09bc3be6c68264b7300 GIT binary patch literal 159076 zcmd43Wmua_7dFbSP+BN7P)bvzG@(F&Ai=#wfQ1gLun}l2=4Ay+#QO$d$Ho~ zt~p`9yZe2w^L^L(ee&yhp0PD+X4b4(_dW6bC@u2z$*U(A7#L5*M1|xqFmPZP7>{VM z?xVk)x>(I&VEiRvte|46A|=VCXK7Ba1Gm)Gr*|~}j84bE;Nf@ttfObDZ%eMLZ)j}6 z3)-t~1d$uVc|ppoQjAic1@(=LMV+nn<(;J!^qfugIN>0Ez9&46T<8kS^=);?9nH-w zY`7eGL4ViFg?_&K%m5<)JBzI;FX+QvgXAhwAISwRt@X)S>DeH9Oe~D#?40yWY>X_d zOmyT>MkaO!Mpgz!HV7jV7b6E3l!^SGABgV>Igd5mfJ;sY_D^HzH(rpDt?g$n1_lQQ z2YLr)dP{3V1}08UP6kFO0~88D=YZHaS=j10LM&{+cUAnS4k3LTJ!|97w#JqgXI3 zg*rf8&X(6Tq0WX-H_L-3D0L0>g1mgxUgz!Y&GOP(&aZO_U zG$0UvKfl?P&D^1b%Zp1C>cklWnJNsgtf+7cE;<@YshB@+XsD0wJwPqjl!y5u@N_1NI^0>iJ^HZXkxlDoQkTuk(a28Y6b zRPP<0FK-?~Af5|HsMLg*4>V04*zn8gqe=Y^}))zK(%k*zSgYV z#`+;LwINC2-&}*z&yRL4u2AixbGysG>?9zgiE4W@-70<+^TS;b?ZTbqWv7zq^P>w_ zH`n&XQ$$$g*B{+I6@@+!2H#+vDaJd$ltfrULoiw9%Fnl;NT?y?qW(Y=x>j56`WvpinKp_GU8F8fO_9ZQHZ40d`=(~r z3^29qmg)W<>29C+CUU30rT+Y&3Wu2GmbrW|ggf>}kJL1El_FD?4_70<*sb(#G=Kk4 zlk75Aw|I1MRyE(4FIm z)}AW67#QRjVnQDj9Di-syM0zvj78OENE4<@<0FMh7=p1VIRPIeG44NZ$1!fDFp}_z zmL_>XG59_Whh_Ky!BZS*$BoGc_fy_%7(6KZpcU@@!suS)Q$bmM2_jzR4E`Va7kbXr zx$8f;D>L(5>@t7sInSHs*AH|#NnmxIjWCCn4$PSrmiIe5HEgY@_9NU|{<<@IXd8)3 z4*t&*Mlj%?hfb`29^eoDd4S%7-uusEC)WQh^`C6Oe=7Zg{DS;HN@Dys^`Er&X#4#4 z?|(%2M~L6jjCO7KZ~^Og3_kx<^-W!P8|Q&Em^f6-octpJ~&eJye}Ku=m<0K6;{sqZpjMp*EC{y)^s{-3W^h z<&OE_;5RH|{Q{;RDU=Ud90OdGI;=iO?CFZJ5_cj<8KkdeNQ-&}qGI1vVc8^*9YRPe4%g*0GY~b#@Ue4P! z+pLT?-jHn^&Zxd5qL{_=V*a+M0PuY8z8ypl2*OXyJ$d5G${U5>lm21?H+KqLx~OE! 
zCM`@}v@cCKY@J9YyN=+7fax&_JLdf5V90GS@Ble~QWqZ&wtpjzdebwPMP}X3D{y=B z{i?63qjQZaRcXod=e+Zi^&8JC7-ewaw#$8)KDnmcDmN0Wy5A^1W_^@$oh8Gnu(XWJ z*?{7XD|6(V(4ebQMf5K5nMjW0vr}^=`&Asv$pA*`stC=md8sXB;Ly#0MIi5t4Cj&e zRd*KIVF;i;?k!U`f&(t(@}7!n-gJjIqVs3LQHm1R8h@(Rv9$so|G?3@bT@+9wiP23 z(Db{B`iZT5jX%OJ8$F>2hpbt-UOIfnr-3-?(e0SdygyoTj-Oogz0ocm0A{7;HNmm-s zs<2dwWC0lzd;IAV0lvgyrEiJ*IqB7StjCyy;b}b$gBDT=R`>F(mLP*ojg$!k-fDHJ zu9T=HWZOzxzlCs*1hAqU`Wpj|nJcRKNbMMyLaBPKJ-Qw*z*|x0zTJ@nQQVJv5NmzD zVsg8Q_Qbi3OILK_ub*Du7@^MIiorM%SA&I?b2N{Gx_d-c+wmpGHYksS(Mu5Iz#+pe z4=m(#2ttzATO}h;r-&!6r}J*Z0Zz7bu2&YZtZ}FfsVo${m7t+9G#D^U=frnQsC1Bv zWyt167bf9TzoRh4t4vxc6@HdoPkBAFsUPa-u-)}#i6~`W^4SP>5PRjHd{@}`m zYyk0tm6y3db1VGY@T|+LLXGP2!Lqm>gs&nuSD|KHNC@Q)%E#26Ma#4p{RZlOGUPo`(nXuGccw4iKsSY0{tvIkLVW8E$k2~ggBdi`7TpiSmJfwe-2aqYF7 zbpPgn3SAuP-7^lBde?zR#?oVnhY|h1;_?|1Bzt~^Ttzxs@ASpTCuk}}5CEBqH@jry z_&Jx991l6E){wurhwBVyCAigzqrD0*4~Krb@vf|x9Le>awXPx--~XNndUCQa@`Cn& z?{MI;;gL704>*1ih*Poyb!yqv3{=-wlO9S?d0n*bupD{xdm?h}P(@)!=RiU4e*@f|cz|ijaD^7HP~$UPj1FMK0kE=P0@z8*ep6oFCUn zV{fGCM{P{_!1@><>Y=|PH%QqXb~WlfDv?XEg!$b3JI)gJ{#PTz4s~S~lLC#7!hJv9 ze`?MRY(yqwib_Y}gc}Gk?@YH)@P7a{X`SwLi(RiR8TfVtZx9gzQb+Jcrjp)yO1^qA z23P^;3$5&&#BeJ+G%y^kJb(8vpVwz3J}ilcu#p9)7)Z3`DSL;UJ%|&cCbFOXvly+ zZ=qX?vo?BIvqW*vx~KmE>-PisV$QEdv5oFQ67dH?rC9!FAs!VdC7y~|CXmaDT}TOC z_2caUs`E(e@oV^v&~Al_@KS7ny`NRn@0b9_*~u;izP48)`2IdqN};c>HF#m{2|NpR zZz@=FIIbs*X!%bh9Wm?Qp`8UQpln`6erUt@{?4l&1ebXb(~dHkyi1uF|Jfo%O+*lI z+Msaj6s8~O@%j}nf2nI=Fr0;_;4EOnvWNN>yHsTk>sspcY`uf1?!eD;Z`u@Jp`ZFb zoXmz>47xZOb?B#kNDvBuW?!-GCk4g4<@1*0&&FZ{76+oLIT(?*VKQFA(htyz=U=h3 z33gL(hu`XK;<;5^DbulRrz(0rc5iU=zfaKpUHHg4l3Mw?U6(92t4{Sh@2q2`v9Yl% zQd2~T{WViC+^dxBC0tdo@79!8Q#VBZ;mP9Yh`YB(*BM-U%Q*c9c|Z@Ab4qEL-(O0P z*Y7u3x^&)eiW;d~@Fic>#Fn$th^Pi3o2}V zC0qN!+&wcSVeout%Y^88!Y$5q#!aS?T++(Zm+ED0X9w5eeARx!W-WXAn9*`^LRT_1 z3^NyJ!?xzh#t_+JES#&pdA>rE2V%eQl)7i%(BU?!pFP%QF<8zD6Mi-JSd;dY_lLP8 z+HGPK()YUZJ%)J1y@0`%dBwRy)rQ}c0@zl!Hzx8MQ`~S#+d$U~1iv~|>*<+y`^Rs! 
zsz{GdQ<&agmSlUoc3J+5Uoi8vg4fYIr-EO>0O`M~!|}CX zA4irP!j!LJ*Sq}s7uI2}*TR?6xn2B?{k_+f_%cipz=2fl)v zKKTX%j@GRnuDy8ptqfu4A-LRPam#}@gC*067?>p9Xt7QGe5;IJ+BZqo)>=DKF!VCp zHXx5`WR@KT>b5?@&9u@K-O@R&x3+vh%QQn35e|4AHvX;uqauW?FAk|k+mml(y=19)I)uoQPeNAz6dWrqU_*i30Th0NTzz)AT)H2{Z68(6)~%gbQY!NgYEn z^=9hM_t0BsenVL=7@YmEeZpaICZz{L#-{HjJIC`~(*V9GgmQ2ZZZC1 zd>H$6Q=bTrzAkeLP;U8{*|ZKAtz?MXm073!=t5AXFD4H}VzO{2W+E$W>H=P&cw@aOFLrmYA19FV+Sk!iGMTx90=OvX^5#$NvN z#3#B4|CXk~0{QsEv-1IndVTx*OzwWb#`p%;ytI{UUV?6ou;?=y@w%}krzAme9TX&U z4y#GJH4=ci(yigO)u-744_@!Rf;QWx**3x`OZ(vxY&sYaN7J^c+Y)v0y z*>0?1yc;odPbrkLTb`fVKx$*9i{|ixtFoOE!{u>Gv1}XB;_ zug-Gy8+GzM*R6XV{Fg(5|`5|=w@!CGwn9d0d&0f-KB1pz4NI}gW5 zB!JWNXI6a=7U)3qR$ijMHy8j0cOgD%lJEPBe~r2~9?N3g!E^x);nqb}(}H^sS82g8 zF22Y}!nRsrSUhP+r`dx_lIhK;_{57(5az2XrAI4v8>#VPgYZ^n=TEBI)l?GMaVPs_ z4uSFv$9CtjD-K3p$}mJ<>+%}No*@b#r242KL9CiI7*<}#)giIh7cHuZ_#-a z%d6fvx+0%y%yV$*=0?r%WA?enRN(lJm#ZF1J}O}f{d%0xBP;t4k?tLK^e31MsIzIS z{Z*CsYzM!*y#%1hC*nlf&YHW3` zMQ=jyRR7`wY%($u*mkZcg!GTamj?tK>;-fZxPbf1Y3C(b^u~+$gLXpk!qJBaZAZ8l zVIpxWhXY|m5^^7Hh-ksBnX9^|akGWXbyhz!-+<>>^jmM*X+-2<$Z++L?>6_jmK<-` z57Rt$;yf&W^RGS;i#?;3{Yx&f2D(^VfpnaV1TfTCQLIEkbV1s;v#oNmN}QC<30l|s z$}fQ*B7~+_M4SSuwFg2T9jk~=5K<@%8L3(AcggHB=rmXM3`L<8I~Wc?)klAjp$m|P zc~ylq&L_M!S20hGx@Zz2{5rI?xu!o7<1F*~759dz7LkOPX4w1K$7{D;9A_8qten4# zF?GrJ04}%9BPf5ZsFUMJBxC67T;$+3@dUYaAW~FRq*GW*1BTGVuctFnyK;#EUed7rkC!8sld&GQhXj>tXRG?TH z<3FJs$$j~5ya4Ig6bT@h#eO@tKSPc{I&yyfTbUv-c&V`9yrJM`0Wx|&ZjHnCBH#^} z?6ebsU+*dw^{D`Po`AE-Pgyei#PesNd}TeEG%T2wz~CmtB|ptHj?!Jb%HLkU)nAEO zw;{Cs0LUI_YrK9Y`b3QR_(}N*%G6>bO*gcB2YNJenzf>ni(P!~(K`+wZcYG)9;{dPnfQ4zXsTC060CkqBa{63T_1h0Y6f1tzyPaCbV{yVf!Qb89961SiE-= zm&qH+5vc$S2@V{rQ1K`IU2k4&z;^L^Te4t8u0}S+DvCz z--$K*kA63xi*ol8V@uAx*LYHaxWlZHZydCAei>|v`${XGcOgXmW7{2DnBhWRQ;6*- z>)R6OD_~Qg$;&e=b4a%m`WA^RLCAVprorhwe-GLg-qtf2X{V+hs;%$UvX=M6uey={ocnV<1m%zcmB!Xk> z>v*VMiQR`Nt=0rh7z4O<-wcGFTifk(2qM?KqErso6Ic!?6asFL{yl@`{LG8vQ(z%M zk9v9!R#ssC$HOqdkz-poH>kfF*N@}5%yWLvF73yJTC~ohCev->fSuN 
z5tphnW94S>4g<8ob{e!R-ZXdRtnvvw=VxNR@D2r3ba-!fi~$qOk{X^C(@3r&i~Q&s!{2T00#YuL7!-w^UQinme%$Tk$5#_C5NZQh_@m9_m!eatD|1 z6JWgQYko-+(9|+5PjsOA%Nu$yWzNF5;r;qjoZs1;HTbu3=!>GYtHZRm+ z+42S7mxTJb%9jWUGXCmO&qcW8K;N5GG1~_ri^7t=AUiLsW3SE|AmCfJIV4hD#0z1B zB{?D3U95?JApGXA#d77z@#2?*T8|_rIX^8}9uy~bQr|19sCEwxPci$srGP@|zzuoYAq8a$s-l2h8nmfQPfUDbh!3XFnYJis5|%pY#&Ukp&y4nL*%f&E)sc$3F;T?YX@=ZK zPc#7^*I+a3J=0t{`oW{}#rtnwNW(r(HJ!d3ETvKHcBdJz%_bnO9-b20ZhY1(K)oP- z&{OwD*GwVmIDA$vuvoreL-lzxui2%XI_$GYcWMUy$$}pKBSqr8Yf0@@nuDQr>Ax^O z8TBA!gM1Si_vWymspdJa(p|o&kITE>ska1Id>g}dm4XHwn_<(!#dnI%tE;0soYqbU zT<}$vbd@CPEIjVSauymXgtJRt$=|8^Zll5L1{>@pDfwytqrj9nz{JdVkwI<%5D8^KweQ?Vy*0@fQYaf5bH^B*u1r=O^u# z86tHa!e|S}%*_*M@(Kf#J;0Qv&ow9jt8^RLuBdB;M`(vPD_Z{m-}n%`ii_MauO?^p ze*nv31srcq#393jr6bB_vp{ow!S!d#B-ra za^911Ss%fz6?DT$a(5(=f(-^9HVho*GSD(`-F6IUUL=3EWS&)42GMPqzEhU5OwOV+ zW{<6>pD$!gNojEJ5-H?A`KXINRl9id+q%1#yLarhZKLDHMuwu0$cg(}K%EX+%4nC! z$Mb9ut-7_NL!W!0R_loC zm#^ddTv;GG9((3lVFUw;)8ksdx6RrwkBnP!V~akkvQ9^e9U6^-8%?XYvO+DM-Oy{3 z+0PeThdZE8#8yE(W6`oG4>oPA=-gtxC_rL!LH%@DSsr!!d#5rQP!2TJMo0rHP@F(q zYwLeMOEz8?;^b-i#m5Y2B|P_Y_7t9jv1)$eo%N_mS0c@G3DE9Cj&|La!u*h=&D_Z~G;oiB!v=igBA~nO`@wFmzDrB`DHZml^30zr4*k@UKiF2v&)V{DTXfjyjd$a+WV;gwIe*GWCA=h z92@(t6uX?;x7^XnFzZlaNF+MFi1$|uSYjI1 zv*O?S7_4QOr9w;VlfTv9Fj0Pft?%_@6Q#c4;NueP`xeZz(nr62S^HF?$4_?~n(9Cp zA_*K~1Ob3neY~&1rjOXS4Od80j_^$T_qo|fSMiKW0rHdlg~(l%R-qP`5;#J{V*3E<}iQy>jvh~+iPn- z8D3Jgp93zpM@p}Lj;Lyv_}L4Q`2}lrZ0+w!57VxxR1x%Zdo0WNjPtEpeE&V_I*{-> z{gGWD(_EI8#3KwZN_t&O9@|tEdhZ`KKV_2LC2--_La`St?;GY#0``+#?Q@qR0IE^n zU&S&CW~Qk-w%nf3gI~}A25NhX5+l?-TW@4Y&z21d`Rl0mN1f=5@1ggeP6|_KtV4jO zDee3xL9J958y8M{Jcs9G9LF(LA3OT;z_j`3fm0>{!UD8^t(~8w$c`L{{aoijJLM1J z`a1|46BRG1x1J}lN>>&w62=Y99EOs7ca;co!5)YJQ*E>4C=+)DJyuRb6xCb+=k$eS z>T^`@p`*0hTp)WxsTBL0`0wun^96@dV>hA8;)Lwt1$}ObPR&G0fsEDyv;4{u4YNd5 zjh2@u6T%zQ`b5h<`u*6dk?o>|F9g)t7wmS<%bRZheU` zK;Ln|m`#O{pApvvXN$vz{XJc#*o2D9=5AL@s+o$6O2)7#*GuM$DGgsBR6(TGhK0O{ z?++Isyu1{iHT-yBOnT?!l&!RCFiDQt8X;W9QquJt6*Qr)Gcjkba;K4Dz)&_~xeI|+ 
zpp_O15ThK8@+1HrjQZxtYuBnTPBR2ws}LgGswvUy7UR7DWvAa;D>d!^g4u-CMjy4v z#>~aS0NOz>KSEPwQsOM`9XKwKwjvedxbI3~>|zRZe)STKL~?NJQgj%IW~9(>jQ|LuQN%v~cTybZy&2y6U5hK7kN-~XL@ZZ1le+#(6F>;*3$^^q6(9$P zZl*u}HxcXGK$;xj58vQDOlWVD@ZUtlOU-(LKg=H?ckxY*dxl}*-AB$nb*2j<_IK4ElYbsxWkdtL49>wou&!?!`XCXwG}~pNf2kA3;I!fr#ecNi~)Gp9KoEz@3QA@Jp9{mpf`2I=uc~zqM%7QU8IS zWeO+l!3hH1iExpVO9uU?{L3n6D$g7AalCbbL$lr+ubeC6RU_Mf((Wt6o}--}62l+y zp;b^2Cp48T>>nBj4jdQ~Q-vfa32YfNJ^v^#S5*7z??PYxq62%s6^3#2mrN$G2nPes zi~qyhczF-n9P{g6o(5b<5}KOBm`FPQXQXg6fmT()pEsWUSM9Rh2!Z|u+CMqaWBC@m z`dnN$A@~mkryaD$SCK`<3E%TxDXr&P*XD6M5w%A`|!`; zGd|b%$^bpVGu%eK`tR)6hw2uhzcOPPKB_`eo0~&E_`Xu{iUi^P-M8Ivq*0$#P9hf% z>UcZhh63z;m4jHf6GHC|S4vGab~)u&*aTfY#W6ARy3Wa~_Pe)f_w(K>XlgZD%+`3H zjeUM`fC#6Tm;-o$+M)JN`H4z*qTtZHpyT>#wdknd+CP(XxO-`L0|M_BD+&=r0f5Sv zFxV(h%)9EyFK)!8NJnnwBjx+K9HXx9m=`ez5XOhi_8n)X?b&W>mmMMM{m959zFv)+ z;3{fP{u=&a`5zr1n%RZ+B2QkGJQQrX}V!k}eifUYOr)KbA z-~$410zYWAQ-R0FOelf z%m&}{j_}lNw^3+;X0go51J>wT>xnQF{qap+v7d&5AZqD!qf!)DEHeVg)%(%ic5nk_ z@z=xmc78sPx6E%6vqp6LQKG}@wi?I$&OR{y%*Miey^q2G4lzJeKmEA)8Oj$0ND&w~ zHHj*9BL|DG{624IeOP)a1N(Sl&BNKKYiz&)Jg}EM-6_M4G0e7mO#?Exr3+zIz#091 zkryJ|7VU@0+%X0zKz^#p$zOTS`ctnfuX3quM4eBYY~%*yXCB86KQu;shJLM}iii>p z?UG+`zZ({enRf^b$9B|xxL0mLqVLtz9K5yP#97(SqA4rCJWKF+@02eRkfIMz5VGY0 z!GIxo#mg`Cg$^mf2*pO{)IFjl%l62!?MH3+$=E!Q*CwU-`g}8P7n^!|{Am4-t2>Ip*5rPp5DBiZpGw&%8$Jb*C?31~r8V^%j~R zAf(5Xu+^3kuFiz%)4f2@*1Ubd?ru=$mdTDHA1n8Gp?YP0R$ZOzfcjjA`Z{x|3+`*X z68mR*6`nKp&4H#z??8%~QF|A^vqwVJ>GMu6bVv5fSZUWQ4j*k)9Of}FD_f2UGU$3+ zk3Zz>PV7*6G?kRUe0`FM4{IfvuaN1hK-;WoG1(VvBegbXuH;^QiM&@LrW-{zxo^+z zH$YscAAyW`HJ2;#RinzknUfOnzq@+MK61vo-!}xkKSMn}0}lzL1Fu{7mMn`4+zrlq z*fG)6{BZ)3I+@_v%BJ3`*5QFkQa7T$J{y6&@wt2ti^jewU5?y3+Fq)5yX11L!9H8y zs{?5W~yPyQ#5lJtE3YCy5~9|y}cc0B7fef9qbWUyvU`L zfA|_QvA|(6QsiO?OyW6@h@g_MlI_c)s`^sIzXeFm^_)}sikwkZ%6h?h(TPkaEtdnu8n2-=B; zzE9&rWvmGl=@PDVPS-n!1Sx$x6h*|{c-dCp4DjbD9WaAI{ z^ioa!Hd4NPO>M3GQQI@9|L`#myHEtem~;hCeCv>8R(DR|USW+CxX(vBZu(o36P|QZ zKc8Kag=L-nj{0g~X{~Dw$xs5H8*04@-fCJ9Hfh_&8x 
zQ)D;F@thiSmoFGfVKX?8fDATggDk+SI|CTT^NN>MQBtxT#1+ z7ky%EO0`FZs8=vHxB7{ z!*Xu1X1@KQ#=BdRD8M@uUS7HGKo#_3KG^ViDGH5(Ll;ww;17C2xbjTy*5WQEFyuz@ z11C1R35agR z&kWJP%-5f4LZo?+A(Teo#v6$Rt89}l4SMk8w^?>K65tedOPB@CIWjU;Qcox@`Ug7+ z8Frzkc*kwb?RH{AXxxUir5A8Q_G-DM0!jV?g+nQ$zApa8WMpf)egl-?5OborYBVsN zq?rwmeoJ)kF|bL_o+loe?8M&oIBvs|IfhZ1BgAe*XKmc)up?PKrBymA7{KDhY=0!_ z;34=*vhQKRDjc&)mVzNQhD&Kexs42Xka3=&DSJmEy>m4R2)HlQWFW<%9v_~1GE8>R zAI`J$YNI1_(8(tzHriV}`0?za(a#j*dX2JB8CjA=K}}9icSe63Dt)v2_QIL*-24J) z&y6RdvLkeV5Zj)lw2F(<-e3+TIM@61XKZ2F`x7Ar>Zk9U-?D4N2eh_~m&G?Uz&Cm@ zy`=yaL!QTaT80B4!2A<3($hU5Dl}nFOt>@aGGb%7dxI|wAdd~UC=9fZvqM6^4!nc2 zu~~5kt3|#YhK)iTi*XZUlP9VqdzndI1Slr?rM--ESC36K32LR8eg3pdQE=+YHIT0; zQ1NPTiMlhu^d(T%Y}30UTtAYU+6I~8czQiq1WgSec$j^nbKNFKaNdmtejt+>WGJ`& zHG1yz-zqgxzK1s;8RcjZ@vBR=Lm3tzf5mp#D)%nruVw68;`rJe9#)_zu<5~k8HjJA z$+kbn*Qfx!!GHOS9t=x(+`n|iI3>ERrb{uR(~E1sqON@k0+%$t$>bpIHq!!O?nE8M z+(!o%hu(|Ob$B!}OtNETQzu6WlIrMt0Y&J+t4ss2CIxSTu%1*qc8NX+0JBSTPmVr} z0CX6|Z@6NX*TEois%57X<=;yz9(PntsPY(dH9J4^qXUnJaQ_IPwN)GmZ3qRVtSbn? 
z+EXZ!ba_$FwKY&NMF_+Fo-j$);I(e76w*y3=|jD-9~2XtPkUJ25g_U%AKiX`_rs4+ zbNT4UAi-Q3UUrBZUnsJ3O9~ba`}OmU`BAaOC11Kh!_AcAVwFL-KasrEXJ|aqQ9TMU zCz%D%c*FWt+=r@iCII5v77{~$OJbML4bzX`A9OazxF$W`&L~i4e!(zjBTuh`O$D}~ zQ{}Pw?lRn2hW+{C?s^E0D>|OG7{&TcJYey4@_elJDJ7WZtMx?)d7Ukv8uY%~0P=M)jG|KP->6)99h=A9_U6J{kYg{MHz$!l{-rXQOmR%&iD!55?m z`>0rwRKE+>lW2?5HPH*7H+!JoQ>w=41x2HM6O7PQ?;YXEmD+Ks#8-eDGp`wj#J5z0 zt^N|#3#1lo%_lCu!!}%LPjU^sovnLBC!TX_UUSa2uMs?Me}N?d6QxXgmLg3*Kxnp4 z#_uq97okQQy;r~w0eTanw7ejxUAfEr3w;KtZfxz|Pn~Z!mNYGHPqYQgyL&jm;{(upaK6`b@RJVuIqnPDnS=nSm3 z>c&C|OO0HK!q9|jXYM{OT;Kw3O6bxGIQq1P6z;dDGabX)L-yU ztwUI9UGO!(l&t}BcD`yX6fjri9RiSMJ5w0_&6}7nP5P9m97#PsT%Yd?87 z@g*SoY+M%?PuPkqU8nrf!FC#sy*HY;b=I*DPo9ood%sHdm}0LQ@cn4)=nicTOw-t+ zNOW%>GI;wE2Fjj{Y2I@k31)PMrdl6uj4)>o#P3#|;cVg_YK;?O&vz zQ45RMLb5KpUrI0o+LJBj#0#Ya4T*%mVlu1COAPZCc3EBki)$2<^9u(uCtR%0^u3E^ zYA>$40$4O*UO~Ac=mXlXlXhRL8b6MLUIRfkNi=>VKxDh*o_f0Ys-o?u3@qCh`z`ob zGRxC_1J)W0fLT;O5l^_y%IJvzfCG|x`-lpW9HrLh`wPykuDqC}95f4G1%XgvzN;Y@uxDE!t99f{XnTv9PK%nt?F zQVKe#66PZJx!o!VR9vINbXKH2R`u+Cp{ea*Z)-QeudD%qpm+Znqtebm;H~ z91miG>Y%BsU+Z~q(qq_a@>747w*3lIZ-5G9NOWO234QN8ZPoW$DI>@J`-J?`=w)pH zQB@d*xoP(6j7P2IXW0%(i5JY9>1dvURO{;KM5YoPMpC@<4WbM;g`8jcKnHo82kvHmHlG2uAz3YF$MXP>yGB#c=iP&&u9c>Oq=052U zQ`doeiAFgVh>AtZH862+Ky_#M&en17CNj=*;KHTc=Ag)U*3PHhz!wj0G?;xETF^}V zYIcEX_Rm9Vw@Xyu>+wgL3dM^fn6b$03vu*D9O#XFDMJM+h@+BK@lB4)?dZAi+lLCY z$#fxx(R9DG-2fT`U~w4Dqb#n<-y`F{MkKkU%y;es0e*_YLg-))+Mlmm`ZZ{q9XHu+ zDD(n7`OjlK)fc8JdL@@j_MwY2eM+01RJPUSTV7W~Za|N4vN}rl>wshBEh8y6e;+2n z=|%8;fEg!Ex%Z^uwb%K&Z!U+TP9Di5!>YCv!J3dQv&cv2F&8^MQcM6NxHj6oh@V?a zs_7vzQcTYd*fb#|rPou8lc8_GbtS2wkjMe=m-0zauRt=6yiEefQwPY+Va|zy00!ARsl@f03{ffPmvlj`znh) z%MDP*%h^T__9m1pe?1j{fb48{AE{3s( zaY@g$2@RziY#sYwm<&Ya3~s=@$98Br%BdVFM8Ays5;8CC3|vptCYwHSwrv#$hs}+{ zTQ?JD4tY!Mlyi3V)H3Duo5x*;zAaI1ZWLMffWdjTzD6I{il2U`n}bqjB7>)h(fGaJ z;?ECvv+|h1Ruz|Dn&yg@uYl~=BJK%)>wwCV1(Bc)k9I6n*OMeVtH&d8!JvUwGJD7^ znD|K525oEIzI_^v`Sdv@oM+p%y3k7_geZ?g4GIcM49$0PKNNewZKiJYfFIZ-|29jw 
zW&jJ=6qJ;<(BX7V!p)t^XMcyHsJs|C-PFng>xKbTW8+eQy=+=VG7j(5e&FIyu7v=0 zAK$yfODC%tOTFU$-KK zGgq<4?S{mag?$HUkzwQQ>sF;pKN98=qH^|>v5NIYoGJB9+iP8DT3p5lKEZ3a^kcp4 z53>_-nJdw4CDH=}jA@va8#mFob4>lxwmerVS~#NcDEd1^;XKcNM>Z2K+vqd^&=Cvb zhVJ2$`rh~v_w+vD*G?*N8i@HVcp8<7>{J&jU|V4?-RV&P4XXP7ZVJ!Mn$9uSYMRN* zOpo8?6xgvwL%Np1gZUHehm}S3IC88HDz}Jw(fa!;+#H?1Pw}#2Rf1c@)}>)1M2+x>Er&%RGvU`9~ExHwh)GA4I`0F4$X zz74Iq9M%vKwhDa%R?%%gy5d@S^5KfvNw}C3e}KKfm3U)NGc#}UbRgP$_7bmE|H156P-)b)>8>b~G_>$pj2ztGTh7h? z?;!SluM6$!e!2NYSjA;;``Q3RF6s55tMSVj@1AkPaM6?^SrluHvXUmu^=+@y5vD%M zbpd_4zLxbb!^U%3T=&k>C35BL3kKMO=rPOF_Lf=vBYyZqPk!3t5nRfWUdZf;)spsC zhv5*9$HvL=+DUi!PU#NV6>@>l#QsqwfHHIHqSHXi5({fe%Q*swM zP>-IHB0S|)H1>nO5qyMiP_6{w%<~wP9Eh+WkAMc}h36Ve!aEiDUzdb90TJl|LQXNY zB#qXpCvx*u6)Vch{?jzrxhI99saq?C+_t>5qL*6!`<$v?d6Jcb!zpW#c+NG)Js0Yr zR&D`Ip{D7%CHA{1`FZVeK7j4q-ok5a`&p8V9~j=Tw~!Q+@OtM)?$yj9oaT1tG`283 zY!ug`#8MYi(}CN=afIF{;8493F#gm6$BDe-Ht6`8C8^eQwya#B|NgpFnE^O{o4Gv& z!1oTGTWIhO$TTcTIP2HSJdpvpaWHS`>h6UaEht7mfC~=+0~P zU9fH7YF|Y$(#JXisy1*fWrm}eJ^vEb%5-TUy^|O7dBn-sNe@eli=K_0O~WZ?E@vaB zhhsE@l$2bIwsD|>ckB`E(Mn0eM|C$lo0Czj*mjh6o&gsIjdXG5;B=%~rI8iO%SzFC z+}$|D!-X}1^J$vgsR>02h;i|<**5g+7GeX98_6#z0)RlDT??RWY>X4-jBe?+TLF^# zki;Gn^M$tVeaZRYgE_jKNx#N z)#575uIADHRyU+L35dg^q_1{Wa_6pLTnfSlAx{fo4R7}l4h@U_T?n1(F^SOf?03(j z!ZNj78|ENTP??jJeAV7&^xoLv%!#cYqj$|CmRWxy29dvwN^+xq>$$qO{5$?t4?Qlg z`VlC|cMV373W7o#8fx{0C<0$pH^@4qnEc(~d)T_I#zuN=DOeKi6F209SR}hUeC$SW zT5%cUv*2n07dXsKe<_dlTX+;bBgDRw@l$XQqA;3&;^prKwJf2kH1F#4gb8K;rM)5~ z!o$TbT~X?r;D1nzFK+~lMAo{ZaZ|WzlIu&4nZ>iTv`7> z9)nRhbU;9^AC}EM(mxoBAPm-;2ZD0_flpozLsQ?`1FinRX6ONI&326R4iWF z#CP&xd}$&FpL!JBRyHz|^}}evoASF&g-`!Z`uQ^g5F^`zXlUBo8GAQ&UjDZdFz!$$ zG@OM7o)}60^W`T-Bw*$KM;OQ0yOY5`ppptumiL*y5HiaD z;Q(8{za!ij7{SjkC4^_3fD1G7nnCmb$mB^0hGKWOa0%5M{lRk>F?`ETF#fzf1OLI1 zF#bPp8UG6#{fqzoTgAWV)gSl?9aH}Io-y#RKPCSs^>3x1@!0>%HRwM=kc0n^)GxI% zu=Ib5Vm|yM_7_iDu=jsJJ&gZ;{r`Pu{uS`&EC`ItYQREjAKxMc4Dk8WZ8T&TQ3?!% zwX6PDB_MwUWk>1;-Jf|H3|OdMKL7k@T4Hn}KF5JZoij6$-rhK@Od(cSe}=geOPkP2 
zCEJ@;fQ_UEWZSkN_(y;5VdudMr9=YT5uNK2z@b^bCEgnwk)_l6dfw9N)9whz?euT?P=H~KhS9P6P-g>290|~h_oeI4hVgo8 zM>NIx$TS(<~LL%l!m>9r*6|xC=o!UyUf_K0CTVWTtl_ zc9}o0c?KsV$(t9Xtg^U?hw9fOGX8Y*I1O2~m`2z@LhuOj;-WO_Yb5K!v`iXeOP>ET zC|}U@R>4fU;8)F7xU>OQ)K);NUD5p*f1!JbAc$c$6aU`-!`xSfMb$-Zn}~wKpeT(n z2uR1!B{&R7N_R@9NSB1f05c%nAe}=u3?SXzDJdOFN%@`8=Xu^g?~m`-cYX6`xR`U+ z-h1t}_PX~v_g<$0Xyvp7IXYXs&0)Bb0CRFo+3w5xB=i(l`1Puv=2*o#cGDS0ZJN9I z+ubh-pGq+1;FKpkhSaZ`p%rbX!qsb<%x5PN*;w`NC!NXAn75c!#91bOlZY z4$wxw}#J7LL#SORwjBFyCl;x0625BMt zIJJ;BsRVK6Yi+!t+qTx~NJW}E@AX;ZYKMdC(o>Mj6Erqg3yT6-{JiTv56hGL*Iy;e z5MLtFzUquRs25qEC+JxWO$xR%f;Wy{9mianP(QBXsC@2s^K@)AMcmreB7aU0-H_Ay z{@}?Q*xUI7YrHk=tC&XE&)e>Ug2jlMfPYNnl`qF~;YtrS-|g@x#CF4#bBkm})2G1E z+HvMzGPoRKOW~l_-*rJ>$J*FWzJH~S`X^*8hl6I)v!z4pbMx$>Kb~@_c&;Rz{)_<# z{8O(vDFi*w6V*+@Bpbh*R>DEIcs(%nV*m>`AWqv&TmP7F_H?^gg2pz4YyOr(s#tCl zA+B7|2L&YwHW$SFu{hA`toXl+`m5A#>{IXB@`UQi*6YC0b~+ec^-_o6>8s zNYG^a>v_}kXwXsk%m4fkjd&lHTEChPH{KGgqXAMmHVOxXlNEI9B5HWLfyFq!!W_$n z5O;7cCH;xQ&w~g51dvyH-Pq2JqA5bvJ0lwJx*w+&!1Z9-${{gRidj5?gE^gpgpX{8 z!%{D{7o>ik@i9<72;^A|wg_=N(05$psNyqR&?~66YV#w2qsHdnKp$SbBxbtt2H}WeE?fQIgkjoeXF@ki< z1IM!dV;5R-}(OE5X=9x``?}a z8=m>wT>!EC>+b)T^;U3S5QqPR&xoG<2a2$Y5PvIR0R-LK|F63FU+e!4;eV|@^RKQx z|3}>V52^gGdL+Ktj8EmI!)UC-Rd&n!Yya3S)oHER=ZrUqR+-kLJ)P*;iADD<545d6 zi$Y$(X#A1It}Muzw8X2Zx4t+KE+Q)Oz|PY$$F`e!kp=eH>LNjxX)jBh<;s- zxb{eWqqDV&qF-qK3_>-ORpZS(p)DpilNM8QqT71j2WsZ)XS^s`x~&6q*pEkB&sLq> z!?~ylv#D)g`1z}h28-WIp3h*=J#lQj z9sNS}b7Su2<1Q`pwThEW^I)hXT8QqadR^Tq1h^X@%_beH_Y2Oawr{nhCl9)`J} z*d+8rX%c_bi@^}T=~X^(pz!Qh=CF=aXo9yMP%JyC{!}FWPQu0R*s)<2DDvnGLbyUu zSS`+^i@0qwC)J(0f8NOY=9qi?NpD2%=p(G#qX3r?7DiO$-lv<&?`lMC_ogW~-%X9_ zW^{*^MaWriHt(p}bd$lj|L!o>O5(vCW9WJ0*000u`I_^TMMK`bEGCqSdlLWfzWX9>)B4x_{nOWsLj zUqQa{?B4H2nsKceT0dz4qQZdoobE`_%HwE|V`086BfRoS4A6Uj1ifAM@Ptf=N1nxm z)sF`a#U!auhz%-P9rI7K!#6eaW)fG1jU0fK(-TYE$DD%A%|^Bk<)A{2q=ru%=^`^e z8%BPU*^C<>&uMBMdQG15)u7<^#9zj0q$5ltwB zy|s(41d11kqyZ=G#qZM*5c6+c?|%3pF}qIK`Od9u?dRIzqY7C&=A5yW>_+;ZwqYI} 
zotFd@<-d$8S#9=p+Ok6X(lvmgC{TCkrLV;5f6IsW(Hr~a<6g0X&$Gy%ch68H^c;5k za)n4-%siN=+|eD_}}{Nh>YPXw$inT@kT@}nkP&ve&lJ!J1JtLJ44EC%UcsbFSX^yesiSj z&G_Wjy(yLz?LQ|qXRl(xnEBj&!crTTUpmjh6=gAvPOmL2z8`IlPEQo>%`#e4kDnZX z$`i=f_65G%j88bpjoASFn=k4{lPy)e5njUI+^Yl<3w<*~_PFcVN)65(s@B-XKDf8< zSXahQVMBjPXX@B0f{Y z>AEa|US!`hE%>QF|4G9dWPezTpAP+L?|LqE{aU|JhhSKbu{tt^F?HY_mv!gSmBg;< z4GzPheC*D=l=<1Xn|Zi8dro9(u#KxA`C~N`(|dW(lkgfmQ&p|!&SzGS-U)m=ji_Xx z(dDeu5Q11g7zVpL+x_Ir(_H#fK^}Lu{V03kNv}Tx7q1T(`d(qC88Ji zjVq~_)JI;{^UT0$!_JP|d$JDCCM7c%S*5HSm>Va?g~^HSu4v^1vY1T;bE^1vM`HLn zN|~z7JQ*(*lxwkPiWi)$S>Co%(s1JyJu~Ln2J?`gCw4Cy<4i3Uk6gI&j}?`KL)sUA z5Ju%i`d7#P`jE<7Ah^juw^4RiXdk*l<-`&0B|j15@w9-e{X#O+*v8SW^%X3JTTIXx z$LKmqq-VrkQBzWo)IvQ(f9>Jc?%VX_0=W9UiMD%+eXK%xlfd-4a7Db>?=V)??9AKB z%17%~9w~H1u1hxI=GxJC?c)l|4(&Y}l1*3fZ}6T>-g~I2!m+qC!Dp>577L=Aw~pSF zFWXXC&#PN`fY4-_sf=b=+KNVIm?P^ebUhL_V#zX+A)4F+48zo)y`E8gBakQ*f4UF; z?cuIrbF%7r=<%zAkmCzKD%^q8nm}$6TAf#_d9w>H+GSWoolbgNxb{^vKq*FCx8bwGNL@Ws|_7L}`mdO#lc{CpU0>JTB@?<~TkvaE)L*>E5lqo7Xd=FOdDf#0)rT ziYo;x2{5>e*0O~LD{_4g*qpTNKAp9&tVVZ6xouUQ5YDmDC(H5}OioO2XC9WE@jx;K z-6Y&EthO|p^{&G_6dyq&R5MF8y1c65EwnD&s*c}yai$(&f=)xVWacOFCMRyoNta+! 
zjXN$iKR2UKPHt%knW0hrI)jr88?N6&UHg_D9Stbt{pR{;7CP+5_B5m1i$x{y0@@kK!{XZNbIN8he6b>6dWArzAW;^ z^%cW;=KOiX@SH#1&EcmM7 z$z%n|W18Fcs6S@Jat%g<@IgfOFKxrhyp>4e7@4d>jPQgwVPEM7Nlx#>Nb+?8vpxLtR%Wd6Rw z$m?ZtoM{y&C4XzBnuh_EoAq+r+Zv{OTK6tS$c7&l=JtUEL<~Z4ITR&>76d9!FR;83 z_?E%^iJ|=Kb98wfRD20A=@-oHbP`%Tzk0BjBF?;PFFz03b2R`b-+M(x*;#Yp9{X-K)3E1SQ{g6OdH$(5|v^fcviAiM^`0 z6-zYQ0WrqoaJLEH~eTvfeA;fmCZ6!O3Cpq9(YwN5Rj1JzW4>;S*lDZz#xH>W3 zAZDLZhHei;ZS1eNOS4!KBuCDtx)e0sCl@>|c%@m{t@Kbl&wTmRKtNwvzBYT0cw|0 zrSjop=_}IpV7Vygq|M7xYOcoT&N4xYEcqXk7hE;>zxd2gk!!#t7bOc9g0NbO>TK=~ z&v2=Um_JnWC&}nH9DR_os=k|9ZM=f!@vBo_`OTWD z_=1zA+|;!|zxvi^&?i}OT+)-xv0Pi{ZFU{a76Br8uVvJAO8z+SWX>(~@eWk+$*<7&^2X~O&pT+-5MohzCI90L< zly3aO@?dV)6E{OpC1v?P@Fm+}WyiX`}&=;UL2oX| z`>bk?=cB@^z8PL&sqF6^yXDitS#hMm&>)4W-WJh~fH;GQI)3f+oP zsuUqC_$(s1FQpEJ_C%*5K0C(#(oC8t)pd4WSF-&zr}a_^`tkTAfQ!_i+Y3!gnyO8l zMiS}Yk{;jpfnEmvLhYjpgNeF1k%d%w*VIhri8!bh5yeqe!}FY|mo#3|>v>jUa+@_^O`7Df?*^J<9wcE2eaL{&<;xQm`CqdLSJmasS3PlXZfm1LD2srdmurr(w z_n`sD;jFyWoX+t7AmW%7rGuY=h$DCd8+z|@cSVoG85gJlYk~U00v0r89lHcMr;`;e zjQDg7=X)N7GV`Om;kqW^Beyp>dyQGWjAHTu1=SAO`(;x;qKQ5sd*9@0+-4Im>1>6% z`>{@0vPO|ul>a4$;i(~PGu3oH0Isd zGu75~yTs(?_Qq{b^d9%>!JsKfwupDtk-{9lMX#?VkBVt(ej4sQ2M%D?=XUqIZB^I_ zNN=|&Iuq6|V8A0Srm6S6gtL?aFE6e96t3!XMjbguIiUuXbTvBiccfYHJs1W_-tU zO$xox!~eAtFGP@~K%S)b8>$+@e|OpQXn*=c5{(QxdB0I{T#HYXv7uq;)bL6+L~h#hyl@4h^@@NtYhq>g0-5@^wQJmGlnnH$IW z2Q`I!GTG5By_Tj~lg6?!ZI+u@^$7S#?57D&xsCbqrVT>;+$EA5mw_r#hA&PFY;GH<%)>c+2V#XYtJzv!OY8cq z>338oABBT<@aYbpHeziBJbnYC|DI5$GESB`mRBxBYyV83&Ro9|6Ys6K)46HMmtq)o zH`GBtj_8(*p_0ziHfqmNR?+$A7JOp+VNT64psdx#2)n!4t!nb(`Vu-xB~gvoDFS@Q zV_$`N0ClE6vv2E>j{|>_hIx=w+J3+J9IUxuCmnZyQ$0_lzM;F%2(Bt9>%D%UzcUKl}AiNG+l1>^Rr#KCbY%RReE_A z-L@%C(A+A&w%3QVW-I6HX*7;mRqFHpgnR}L>HtxkVb2F@9^Y4Mm6wd}kcSurz8;7F zK=F?pmNn0+gp4u|252-3GzwNfDEVL!hgYZw-+S9eG|>X*e^JQ5$mb-msc}u^Ze^f{ijbpi>4iHue)e-f=`qb_+25TB zue+q3g!~Qsv|z(TkFg#?0pA2dGI=kcY$y?<*Up2?Xl4tmlvq?q)mVxAtPkd>MNYnY zQs%c5QucR6)p`qA>rc)~C(DXYi$8fg6L#(p&ka45s0osegFC5 
zW%U}>&m;Y@pU21h<+3~~3D&n$#e`sqax>V{eS?Ir90Dsm@#+8*@d5aU1dO|%3eq#XzYCMZ6{p11; zA9Z047E_U_2K2(mf?@R@R`IbV4*+0P>Pw;rIJtG@5wc>)1oiv zTOCv?N@-MimC$>aDQmp1o6vox|EYM@I=Am5YDpZhHact9Q!O%voJojUr2Vqr?H6J1 zb2|@2JWp=*r<6QK6D5m+cW%Mt0KtLRn3GxGqlP&N@$ChxSBO^QroZ&@%-wp6yt4W0 zZxK;kjB_Jz_!AIO1=VVCDI@dYZsp*t0K4x5GwL#>i=s0HDTqrclB=SiCF45<7C6UP zEroSEl}OoN(oPp$*b|ga#-CO7J>xfM1rn>+0y&F;B8OAEnX`>?=xQrmjRFqFbi_B* z))I4~e0PJv?90>dw$o`?kDujQy(6YccuJA1y|qF$Oz7_k+TC5(?buvyM=alYgfH?wQBWdYPE-k)OwT(qh$>kE;AXh2Ii}!1H251W< z=rH2w*3j&EDtXl}%psPv**}`yslm&XJL*|^*smQmeQD04)wi_htYg{ffWMEb4xqco zg>A7)XZc=w>{Yi|=i&OpE#?D>0$f8)>Ow>pzrGu96jvu&UyWI%@5LM{P|I(6Ber%c zXDV4Umi@lYgw~T4a!vQjp+lfBVkNsc$|sj|UR*AM^#C|0vm-mv{Ggw_$261&<7QQ? zELQYtmI9^-;I!@>Q`9G~jEMq0WG~3%L`E5D7o>;TPG;K4TRcndc+!MX_mF#fc*+B# zDCX0GL9!gZnVXC1a&}=!lWfb&z5?;W!wBPAm>gXI1E5g9 ziN2>IE;(@}q`$+7)C$felU`{^guP269JS^dlO3qoZjjlf&PwWq7m4X!2*hrGSSu^M z^UyGEZw^ZVGI&Vwp~>F6>G@SUhtkMeIKdIsCSmRN?L|IWjk{$jPf(zsgEzWPogwRH zq^Iwg7I)~tW9aW;BR41rBy0;NO0}Sdq{;Y%fezd$^n|;aiOg;|^*W?cN$mVUu%=;7 zvsqA2ro$Q)JA8b|3)z{VO>|W%c{TR!b28v7&vCiZz2&c89euQEuj-!}64!0SSxYw_ zrh(X?K7agOnBSga5x&=3otIGOgr4Y%TYp{kLAJOZI=5Ik{xg(oyMMhW3be_wHKvkQ zNNp^vqLu(sI&$ilb>Z3fq4R<jVe%esxcw*a86y3rapoH+oOe0=161!_Opp!RLp1H%x_}t;8HDbI zW8J@culkWU@!;w95mGBZ@n_}zsQgQd#`6;9CXU~gZ1Q=DNk`1TwAOiHcO@4Ub(+RL zrlTUXb+Y}dUo=H5D#te&$J?2DI#$-OLT!3t({ccoujbOpmc3%s%6bd)FKM*xNmDGe z6S>}T$^1*Azsou=rk2ZE+VNWPw^dMT&w0=Jdt{GiHq@ zyonyaDjgnaf+&tJS2}^sANM6_YUm}4d^eMcZhkoKB0+jz;P)aj(X$GCW}vJ?hpw$V zUj)x5?yoE4mesjxOs%@ibi;S09sCl0CL)~z+rBoAXaOdE(<3NdBq;q>yqQ25$Pm zp`mrFw$UGM1o2Iwf5>=7ZQc?8@PE7oSivOe|Ir<~;F+Hq{y!y1T>jocKU63C?ztg= zOBu0INC0t7@}#XSBDineCr~`y=nA)`zW*XL|4Umw zVY3vpa1|Pyl`BD0WjvZtb2gktSH|`}J>n!-FfO6ko`fRmHvfj|+{F>a#e%D;iO95u z$wIu2lap6do9}!w@zk_y>}mD>@7u_~6c5O)zkj>}5B+^5&nxhahUX=0d|X^ywfHhi zgEf1oUHK2$7``s@#z7GH&TVNcHg+{LHXaa|AS^oe_g+|Qbtv%tqvEpI&K~V1!irJ- z7toD(`I4$4!>jXSLY?mdOx2rl3IXg~yaxDt-K#6r9=f@mQaL(s1K31-Gkjrv$ zv2KPH?$%AWF1UX*0=e~kC68;~KqX2}nTetONllp~c>NX#dA4>q 
z^q_5aE2jE*U+pv(OJsachbMy~Z_-xhiE-SX$~{~5(XU2Mi zxh)U;U=6wRwM7!-9`D0p^a64W=Rf>wp8Y$#*8Acd#E!Al6bhhN6QNo^7=6NRkGGTl zJg;r^-|L|BK(ogK1Uwt6pkff#X*x#B-movAZ?|uyQOi2|@P^Tc%(H~UWW+7o&~=o8 z&##d+qAHHlkExI@;!T~O{n|-NHD`|~AQ(E(5H{qN$15o5vQRpUQ|k*g@I+&p4Ij$0 z`l^$P$7PGrB=mTMq;!RkvyP_id-r@H^6YyDN zCxM0E`D?rFo8x0}JPRHQ*S~&;@j6QUa*|==qoN|Y3X)RZZZ`(}9MI%=K>(f~#IW~S zRKG2qOzFfmda8(Cek_rM%1!EW=b>WZA3uBrZpIta(1dE+_@&=@*P2j-V6-Ela%jHH zul+hhtWsGxM#IfD%#B8IIsDh2cb{oNmUtmvhb<{WH!KcO25%;w2i?NU-SX^^Rmj^M zwcX50&~;Ho>rTSM{2^lXd4`jr%aY6Pg40-){rihE%Bod?YM47P7I69MxxO)I+w!rE z2nXf`g6xCwn4bV;c$2Mr$k0ODsF&*oF(do}0$P9*W^+ZgYqT-QJp}%BgXE^ZD7`>B ze+TuJ`X7EQ;0uM=ek}<-)SDCAj6ZnUF<0$DmX~r8l#R+pTq|oMQnBXE=<@VV(qADk#9oC_1%)i$oQ5A+i)FY4c^yv-=z~{)OD9NYn9h^=O;Tnf{++Q4lgwt>`Jq>Ld4?Q zh}sjAO23co9336)c z+hOk4RntMU^Vp2_(Qu9HN%95u*1bYIgD-@gt^Gh!Ci@v zl2YU9^f{VF)CiMw*aodAp}H1C=9xsC4cxs#LPaFfrK#Uh?=w*LyI2R@s2zw2g5DyK zWt(bUFb?bbOV%l5wKpBHP@A8llg z3nW-D==~1A{)W`)@4@@1qhzl->-5vvlA#){PiB7HxX;a1xjFqNaZz==+;PUKr%{hs zK*+wNEPHoxp}zoQNyPb}r7zi^C9ri7-OaSQ-4UgCbk+rfEu_+5@G6H)Ev+&$b}_I8 z-!hg8`U>H8D71W$sMSxO?LPihYl2+uA%${O>Nx4*$G*Azj+$Siz$-`^%g1X<*Fp?& zR%W@jO%QYNPJ{rKMmk1&xa05*vaJ#cgh);~l zQz0Hk?z08QhKZH3gXUUe$~FS1+AhXyaS!$SQR;h`l~RA2i#q%3+-RCmYPFeMAPh=l zIA!6xC#$TK&y}8=>l{TD0Y3r49_hy;69uWwj+Kr(A~5g~hxBA(ej1&W*EydKkss_* zx&BvS?W4mQgJ;_x!7Z^Bo^5G1Z;^A@ufY=*?jF$kW0~8mm?I}fxiIL=pg#xIo#J@s zp^pQlP#41SC^sbj8-gd^I(=4(NEcTwGD{mIuw8WW7=A6o69*QuQ zt@FYn&}oNR8#?BNF=nPXpkTuZQeE8LUmnUbN-n5dNVfa9G+`P)X!2i@lPD;UNmL!D ztMLG+B9Ov!wWdz|ezkMS5O)79L_Ja^gudS8Mfw9@Q|?_#R{v*H24wloyNi^X zargx|e<&lLHJEH$o^}krE3*Elf4Gy_8Q~M7Pp2oVo`OG!gY&KGM5C95^Is;Dh+1wF zJv~LnJ-Yi*C_lfNba8VN#{gMF2Ln@J8%q|W!nBZZvo`+nDW#St+nlP_e@;YlNPs_X zKRfT(J#;2bcK15eGV^=WTQdLV*Jq4SG%zy|?RIZ=zDh~(qxdj*lsTvQlAMCyOXW}I zyQBc%Yi}?wq!rA*@Qa3R)Gtg}Sokf`1;EVic|}hCnRXp8g2{5tsIRW|r(0np>T-*0 z7(2woKIYNTHY<{Ti!{5uvb#_vnbz9vH=3P33=D07`$gZqe52OghWcWTtB7 zb|(IsI;x%$2FC3;PnPKxf?G({!_27Jp``bdg-Q)%N7MH9ddf{U!oMkm8(r0ORoW2# z-oO(q_^zv0T)20C{tDDC21e+#MkhcRhw%(m?dq8G;h13fD%+yXR%niFX3glQWieMO 
z?z}~nIY^@zbo){4Q$e_eCKhrC>YFa>+nlm-44*z==m*BvK1qL#O)DN*4OGf`_HD}nERPIpyo0u-*|?PV=!))5fU4C z2izgfY`rNO)+PC>_%{S_{n#$rWTmvbL7Pg_R<(JBR`RP8du3ZfOBYR%9)sf-y(IDy zl(`IBuX;F*Rfg|jHfUXvfFLob-H%_3Vqh^`fh1&on1v=SW;Wh^+kj9cBqs}vbz`>U zH-ObW+$?mV`j;!+g~{QYIcL|V6I*G$x{QPvX>f3`Ti!J0C9d8u-f#Z{y}Zs1Ox;a( zU(TVaM1Gf2=%eiHnE_`OTBlgXH_Eo3bMUcXu z?--xqv;|0^+))G-#?&!eB<^Xumm(CU>TKUMfG+G0`^rN<6GWO};z#Is%k730@<> z|J<$~;TikmajBNNXlg-j_H`Q;$ZCTu+4Jo-J1n&$9RGINpkPRIzC7;rnl)|7Mh8BhfnP6QyO`yF<=3$A= zf5$G_kv?bfOk*NkQ`WOJ!>+c6`F6SLbx8%x&&tqHc;N+Bhhl__&=Y+&OiKWK_al6I zQb6$}SB^Of!A87~WiU&34#+nm&@{I@E3`*}e{u~h4Z>%t)+?QQ^ zbFv}yf;A;{PV>sC`+H%PHaczfU4tn`B*_x%t#HZ$JB=)yH5004BkIG{?&BYPQB42^$+*96IG3gtJh0~TQN%QzDmIk%8`~xdZval z{Dh->f+5yhgFcT4e9rD>I{OZ5e)-OS`K>1Zk#NmX>7UHS0TttDK(YMjlE=Lr!qB1A z8iBq~*8P1Q*z7nf=DqWP-E^96kZaYE7 z#~Kz2MXKBuof8vg5?W_UGuDq2V&yt>Th>$6RIA7z+;98ZlaO#SZica~FQAXhzK=t? znykW&=Sfp^sw1q~&dRFq?nuf4t$tNsm53VK?rHvY8 z?ke@)3EL&RDGEWgPg>YykV7ZRO)vJ`m1ZwZtb6y6#SbEZtuF9E9^C&L?~$|m@=#;K z0I(rW!un8)A8!+b0coMY3G8JWZyfJ@=#Lg57hS=BW&Q+>K`RJUI9_~9HpT{J? zHeODdDjx$8Tm2%bk-M}=LdABH(p6#h+oncC~qlpU`R^v-O^Gcfu1 zY90(el|3}(Rgvl|`^I$=NCRlI_C3!8h0OE_k&eLW+EEe<_&g7hHEO4L;_QwF zHor>EU;Hx>jm;m^Ce2PP-K&n6BjD4^P)R^Xg`o6Xg?y){>ETfBXI4@bE=O|INHeaa zSEE4AOT|&mbQOQlYDVNoRUSx7*kCW$+SJT1`zhtLo~r7JGTLc--EEX&V&LCy`=Vow zm|D8ZC^$_ zBtin^WsupR^N~Au^)L>M?6L{z8eF70*&ELuc`g0MFCaG(l1N1Y0tJ297ADZx2HmW$ z1u49o2rknY3~zKv4d*~T+G7eEg_9aW4BzHd9`}#VtWReA&6llui?4nUsXco&TtYlG z8Udw70E--A7!H@Lz^&E!+@%^uBzs_iV4i@JhHabUWy9!uw#Z?8*%T_C3ajc~9ID^} zD6n~uT(Oh|e}rT9fxrqwYO%%)43+x@b(}KwYDR)$76=rcyJajyO%zr zYpD))PSTOa5? 
zE|m(a+>$2bnZ!ZzW_)a`xk@lJ^K0}g-HWq}TD(ekS~(IrZxj*wC;1(YemY#<%`0hI zsLF)-_^~KT{YVoy$PaoUEny)(Wk_oo{2WwrX~w7 zm5q+Nva+(#hCjwj0tmBnO|`>yKa{ZngcXCryJ&gxCN#8)^XyONofnhI*Q_y%BY*|o zM&Wk-%LNcCnUu|%6uiQBHwj684s7xsA+aU6?*<;i@7!_0!?*l@xT$@cyJBdXc`-FZVBVi;Pqo-hJr3L<3RjR5tsG10XP*ci>A04a7d++WO_8r@qf3dOsi zTv;0679ZKG2nzN#mp|9ZB5T}MHSIe)GV0}wQek9KyIR(ekPW673F`cp^CX}LRuMK- zq8XTq`QF+i@B)cYZp);3Cy2>nK!(IX@I@F!ZNdu@s@aC~IEpw$w2?Myjs~0#=jCjz`zNy!ZP+x&7fZ-itH-GpAPHpkaPl& zIUUe>q#L$ch<3W8$iK~7jbPVO%d&2dE(?wBF}JuXk8+qpm!htdKB1#L|H5l4v$kO{ zU51mjAVH85|CSeWiYitcwLklI=Wghq%>eLzv2A&Gc-dc&?e}6f-H57#Y#_jv><|sx zi7tbG3V2KC{%JHf+jtcIc5RZqrx640zJOF60;_E%>R}Kbo)DEF%M9P-qH`UvlU@w# zutN_xWGEv6=9vcc+J*r2@&Z#}^)n6$D3Q#dja3Kv$hIt!Bz&3#6c=6!N1r$D>T39b z##bLB>9vPaJ)&jO9lh8Du;hV!Yju;e3zLxicc1UVmlO*nfS6`Al2T^3F#G%Y&3ixU zVcMTx9@V{BbgY^ZAcJu+7r^3@H#Ch1P=V!Q)B$4B?4GYnsY`#26R42SUAyJvi0tbg zFEck701o0^452pRT3!umXWkq**9IHasp%~+pB!aEm1LAhw^CPCmel|sF<4xBplf{dQ)k&&R0^@3bFjkiWa^qx`jo5?0#3*rq>xny}9N2VC zV3!{hASBMvIP>Y>$+}NnlvPBsy~=+{%!ru&^H8Zw8O&mY5a&f$XgVR;aGH8t{08eK za5Y5IOfzyWM)ihBH3Rx&nD)JV`@ES?awFUc;;)@gElr&j*s)Bc2Vl_zI| zo|5d^G;0FS$L!s+^Jg}Ha7*(($*>1UBE%4gxqispZ0CjeaUxQ3^4+n=xU?-Ya=IE= z;h#^i^>QTcJbjkCg~Ke7q;QWCLGS+Mn+EO@RP(*<(bPAg4RXs-TFJ8TmbwgEK(LJkB4w^MK3B( z445sVuk+U*X$hy9`yKf0T63Xh`nh2I{^v{C#b&>Q@pC0AB&xTo_c)oCyPQ);uf;Jd zVzVAeX&JjkUjv;QEu&Fqh#(K9j zMBbu$PZa#T{Jv^5YDRNXMPYb+T*bMuihpqBPOiR$qlUG$BkDv?;`8Xkk_P4R2^6dK z=u6a;W=9+pymO3%W48v;*B;m{!aof#qO*sngH78@=ZT6dro^_RSsM5^f;Jwf^y`aY(RPL<=p<&Lct zvpYug_PWb z`GjRO#EozHz_UF(<8h+Z71WdrT{k9vJW&2WOnrAeT;KCIK|+FL31XvfB7_jht{Mbu z5xsX}^+ohv!-iE>ji}LkiQb|mvTCAtBGEh1Yw)||`*~i^{<-&@x#ygjIWuR@d*)ta zDkfZe{6uR0?S4EVI4V*!DDHwKi>;dh(Ot(K(>3lcSeY_fe_qClaU2Hehr3w`hk`0=w^yf z^4JGEYNaJ>k+Lc?l6S=Nhm&3NtepBnaW7nC*je!-xw=pv?nN#v3CLK$uk{30i&AK3 z5Fb|msv4*P&+uoh44e84gB~C6;qqj@z*-p|?PwF;~8{G-Hmi1O$$R?~k zT2SFGI0^>=_inC^@H@=cBvj*lhCeMGK6Y56|>FYk=8g3m)3s_fzd z2|5L?okTi1;4=x_k6(spE5C6qf*e@D{TD$T6pYg*hp#SB=()%8r#OQ-cD>MLxs_dd 
znejwi@~_^{1>Bk~i4=QS%tg`uXODejBg0zu_weGqc<}b(O5d3Wj5Tw6|6>MX(0Rs& z46Bqn)LeH1ix;t6{&&~bF~@K?t84nT11QhVZ5@2G6_0c9v<>-+AekGAR8HBiCS>Wa zUBdxy$BE=pmr1NwJyItJzE`T)mFi%}EJ-`6=@fC#?lT?F`k?)DvvFRQA9ES2(bDN7 z-ZQc}WG~WgO5GtcOoje@S)^hCHoE&}wO?0qFK=-cJ$*eh4sG$`Ey9n6FdBDrd;mk` zK#{I^V57iQAe+osA09`|dp@9J_{oZowUj1&TKDkRz!&1r;G;78G4QP;E z2V)^UIGBr7RgEl<&ZZ7czMGc;w9pR2heMuWb(NV;bj z*xqG^&LZo}C#^>K57rn(jXR zh3~4m{RJ^h6i`k5U?g`)8Sl&BAr>w1F;U(EoKvnW+}Gvh!~} zf7pfTbF&#eyd$`U{w0SzWp3@m7&a9oeU-W^0qJSVu1S1)pqw&bn?JcP<(u>8Xz`Z^ z^qQXP%$x93&HT?fNcPY%_U4hVH`4If(~Omn{MFCs`Y|{?s@TL&g1?^3<-CnE1tWgs zFeT>OYp3|!gdw)AvUet3qeK;E>~fp-lUX>!MFUD7)9U9lDB`%;z$RL7lJ(Lb#O*ys>TP> za3FLCryH>xAMO8n-^GHElc1{j4JD0#K#B#t92S7(iqP*|Bb|PdJ@Bmz8xw>uDMS#O zC2Qk&yeB@YQ$zv0h+#jSi1SQk%m79DJbuyPEApq?0baLoTPt=pk{!?PP%_L+c<~1$@Df9ya@HAKT<}NM60I_am9nnl_xknvRh%H+ z7xqshOzfj*gh@Wa+QAGIr>c~-q7+C-c73tLEyb*uU#{X)SCvtX$G5k=l2Z*U#RQ5w z288Tq4POj~4GD~wPLTj3NZ->j%5%~qx-hZDZl?EEm2R)})8BU?LOr-CPcLWhD z0JP}WzsGV~;fX3)Rp17q!87VwsLKv_O*U@$iN}x3J`L^HK7{azuvoc>>13I+~{zb-WRhW=TZ%EoK}8vX{&y#*@y=m zIcnt<4dprI4e*^u4{xPf6k|RFOrMyvbInQK*b00o62NAw+uXE)_Z?&be`5*XiiTjv z9vvif&t?npG62?`uFPa`iSjr*xOMW;O5a zM9bNZ>=qEX?J~p5?e$b>h%LR#yYEFk zhgZ07q1N3IwL0hR8{uz1iv?}u5D3xlH~vD^?c--8;=M>8GTU)t>I@9vyyR9k$UU4I zVuoXU&`SZCcz)cgI}Pr=mb6!EZoUEnXu65!(Jx9(3}9+YbE3IIwZ)k%cPCr--xsYx zAD&mO##iHI9gyKpD*U3uP5#`Zu;l>aVUmz=fmdN;4-nCs^bo=4XAWDB2Xz!9i1&p0 zF-F%Re(h?pdHH>q<cX&`|#&?)^B#QNyLSPTSTo|*bZ(a9=XQGUn_@iZ-dLbb9B zOg#0A=Ga)z=fJfQ$;nR+k%k}jUaYzuN)E?G{X8#5tp={_OS_NQF+$+LXKd#zFZE(r*pN}%a` zl@``L84;2+XJ9pj!8~(t$iZWVchK$=Ye`$LuENrsv>47cgH*DV=^3);apt^qd!Ihf zKaaobCcaaNQ86{2fM)#g30ZvHjt|lR+oy2geSr-tSmhFtD;1JpI~=fMOSRiSt$F!A zRi`j1dQgqb=aEeLmGtzNDG@}=wj<%QWe#Gdy1SOSK@FG4j>89b-4vFfY`_rwvO*8b zH9MC*OLe6iGO^#%aH9Jn>`dMTr7d#Ru_5atPPIhGv|_#+yn{NQY<(t{1E@ojv%iCq zGD@<)pJp<+^X~PyZ;J%AH;`lT6!WCbKx?sbeHcOqrQuaINP%wt5Mkuw#Ge@_zdTT>mI3=V9oic$hjgmyPBjUg>vbY97Ol0s0ZIm=hE+-5Zz{UUsoccvJXx_z#P@4X~1>0XN)WE_~!q>#7& z;dystKFb~6Z2QY_ZnTQ)MkW*)N^Jgl+a|V(sH2j^Pnn6G0Gi=tUs^eAt8VPR_3B#L 
zB{|P_Y>(&{{x87sqFfA;%!ybYY(X4S^KAYO?)aO`XC!~7T}x-rT;>u8MPiRoXf^;7 zqS2iFH!VZ^)YVZkxBPGv1}nLr{>IaHpTRWMWp|xsFX_~0A9D5^#FDyaiV(lahy_x!6(0FR;RO8Y^;DF$X|wy1_FK zfL--SckLI8&R;M4T3e>{AQ+j6p$pvKxmfnA8&=C(&&#ny&`ow|>abw48QDL8e68iZ zVCn*%pM23y_VDANKSKUGJ&(XMzF50~FCK{XzRd|1FNTb@rmZzJ{|}{+{cvfu?KQgw z#Jxh$Vc@d|;^6e{GnI6TLk=^+gPK>V&v)2H=tp6*wNEkChNFe)!dwhfhvhE6tF7F> zU7LJxq*eOtu2v)hn`al9WqEA%5J>x}5|qay!kes=*~_XXMX%0!Wq{5{F=XVsg#mTL zPFyesX8+I0(1Opn9Zyun6QNTm;UR)swvluU|^ zSeYO%9=``c6wkHqM%oJDFz}2gw)XXJ7OoAApG%sjLfkBSDSbRkVjrBpe09LZGb(%! zQ>ROwxy9;xCid_x0{4@Y=;b>imcJ!!-TVFE^bF8+SUhwsdfDyko+UgfQ$X@{-vC6= zT9?onFgi?%k45s;SSW4+pUt*_Pe*@4mJD*iGMI%vMMeqSE-z{?FIrrqCs35fTv2}CMVuUGOHM3YhP~v~@+|=X_RkTN2|v1VCM*lV7IELUr8#SYgFolV zc6*TJ0H%SWef$>Hh)-H|URO`)P%|)6uWEa0l3{a_Uk<#z>v-WR%)Vnsrg$Hm9!Tz6YI~1p&~cr zA`nI8C+yj>e_KX4$YvAfs~%2f`P0yUxiw!-H=rd4?!#1;f7M>96W-*URddmQ$R#X} z!(h!cyGOr;eoDOcDj88!ta&4KNcQ=e($7=B$N8X%=9*muQM3~&YY0=pt8b|%#W%8A z!a03m6_onpZCMeTJJAGgJ0N)WdxVp;mm8i1`ZkoM*Jw$=wbkIZ>EvlA`g8&FYrWuj zg3@=Ga26&`2(b}(!a0qs&v>EyM;vn9Dlsw9K(up`ia*!I+h6F(twN7%kZJaa4Ee*( z8*U$0{Rtib)^OL{H}^e4Yg6MJyClS`7(|oooML5X3aS`){V4a@ApBm(r^J#c05m1e zl_L}Y_C?i;7MvGaD-Ft7T<~><{*{t%uw^0YnB3!?f$)|7_pd?|{qWR_L5j+AjHi!}u2?O{4awUxpfu z(oZ&;vPBBXf93k_u6Q^`U1I`p{0)N%=L+}Nh~5%JgXD`O@!Z~-ZZClA6!8IvzhxB6 z6Vuj;XBCqLVaR$s5I>>~J}z^gs-2WW0`Da-_gvm17HXU=K7qYY zCYx5oS~%WuQd@)@3C{8#9%pM_G9vII_SVS5za9y`~acF zGgI!0Q_^rQzy1=k9&26@6JnlMroHG)#mxpFs(mi+D)v7{oEXDcEb1+B54YPlBSRx| zI1RO3V;IVq41(8D^!R=V&W}}n59uiz3x)$FNp}o@e}H)RtX_a)s1^b{X70%|8z29e za=-)|x`z?iZujB;t|J9R^=12YRO*^E%sw&ZSyX9el0*S`hA*PvGTEq7jOh^ZDUUoy zWwBzXE-rn&*+4H#>Ia7cs_EbvFMhc=={rpRB4p*Q0d|RPb!sRr`shqYzH_ zJq_04?ymW5#OIJ99ch^5>+HVDy|ThlmDQgCdPAz?MNW!$z{GbAxR-t8opZ&EwYux#i5~=0RX?Gc!a>7?k>9}S)hUKMdAjPfui|rn zwTfH;+pBLUAjTprDJp(y7eJr1V(Jr1yx}nX`BDUD;~S-dR|BmaxBL(<&8*&RTn? 
zHN3dt3*ILf@@n@F1nA^QCd)a!Ukuy0&l3}#0~)MzosyGA;n49MW5XDqwnu)pF!3a1 zYdPM@68%c=Xw$&2W5paJh^dk*N#JXWwa z!I2gung*?3NvCWkYA>i%H8?JQ1J5lJBt)Q6Pk#xOlMPjJF}0>y`{n|hEoEUGgnkUA z=|P9)HNUwA&A-v%tAkgOkow; zU4GAqaeM(o(kfQW`l{*LkuD_q9b@Z)xMq!D!RlRUB%9FjH076vYmLLiuNZ;5KI;Cl z#%GSOmN#{yw2~q@mV$gG$-&Se6pO&MFH7L4EDqTSa-G=kuJT%z#_qtMCvb2Eh=cu{}L z1%|9)p$8VEFs{c0oRQdeFCFiE1moxIJW{^A(WCoLiLf~0BOe=V5Z~`%8L8r{&m)@c zk#LB$4%+y`-1t5}#xiqYy>>cud*x7fF)z1OT&r3G4BQ!f|4jm7_i$fXUV>B^&({i`@C3`xeN4OPo}k5srxlH*xOM9T36*?uZ}JE+ zHz!g6+VW-;V?0q!=0M$_@|`Baqu9_fpN?N7CU( z_S6KM$a;TR`1qMWRiGGTpoMd=z?mk2%QPns-X|lV^E<82xpG0bCO#3kWF~466K&NX z#%`fd(fVo@ndV$TNI05pSWS$B2FijzdDm3;kT;IHj1(MYKFGoqjLpqISdI77>mFq< zvt{fA;R&RJ3fC>rlG4s=1I5NY09uFr_?E4DVO@(yDmd2UAr#4j?c&||U9riDq=h0= z<+01kS-M(`T^of`&pLIAo|47@W2OX`4SztazkkAOC~I`j@4eC-fBVG13-YH7jyjOL zl1>S0F6N-`X`ptx_nxtG*n7R(-=(-ZJ>X@(I}&?9mm2Uf11p9v@i@|_+pJN%?5 z*HM2Mlgv~IV`%`-w6S~;gP2*P&_@yvm%D>dNu>jsL|y}S z2hLm;9#MIbJWDDd(v;Y|^^iOXr|VJ#fw8p1T8a)Qmb+L6N`R1&6E;!~I~KD$+Do-E zk1=p4!gqKHnb5Pu4K(+802yg20mIWazy)e=`A?2~kiaJpha#PRdJ(?|GP@Z%Yu8ne znD>&4p@@%E2rr!!K!%Ck1RS5zO)yB6VBi(xL-kt+AlI_n_HM8hjHpXJ=sQg$2Y80W z(ii2D)VrZ-q6!hL^FgTm67Z+9@+0lXyv(2b)i*+UOPxOKT)LurygkK85U@LbLwD#Z zpSye;nmEP*@Rr{e=qb{*7m~a%e^bHEJk}^W(1UjH7jv-v%O?O7rh3%W2843oOXvKo zRk#*+gs*XGGp~N#P8J)pK=l0w@vSugJMsT2}mCveNOmV+2Jp802%JMQ|hw z!9mljD!&CVR(9Mea!PZS9AH$M>S|BL%WwHiZ^~CIHXSV8=`xd5{4tN#OpD z1<3v32aC)u_xsfCqwxXAJ?>eHMv{YJ)DITqBbFtbVr{K6gu(^^p7otlAbF)vC`036 z4iK7pj4hq~c2Zhx1DFlFed4T)#KkIlDH{}yZRs9UCRE(3q1Jij>AP|QnI|mO53CFd z-1Y4bi7A+Ocu4mteY4D-CfW>qCHgpb_<@*Ya_L8nzV=J|sUy0gL%awwtdu^|j| z56{aSOSBeip7g{}dbOUsf@QREI|8mHFMcid!)YWKe;S{D#Nnx%hzIAJ%KJ^g`4sS; z%+hmYk-8qeozJ;5L5@g8ApN2-+1QVCh!`ZO*5spZ;7_)z5&MCY8HBRZt3^gzO8@YB zxT^g=Pk{w6VLb9OZCgF+IWsrvug8!%vyk=^8v-trxV-R0j%OAWnOrFKlq;5w`GbTF ztJI!-IQ}zLNSI7ZPa;-d*XnygVL?HGRgFev?Ck>Hyf7iRghZ#N@?}?c+3E=~IZD4r zYL70Sra8>D?Ptq!zNogR{*O9MrTl$UPGn+e`|DTL_*3!Sc{$X;>=#k!2iw3IWIo|; zvApvzGas?qDD0tTte}B05R$VO8qj5r@kbn~KzIc@N<}2=G~MUH+Cr8urNUt^M=Wu( 
z6p{L}f7Be(8oZX?X442suMlowRyE=zKDGibQ7YJ|MrqJM^4YgU>Jir6a)A;2Brs2# z!1a!2Sm`@l^laPf%gzlrJcjaF_9gQ&QtcS`wm65ym9S_bt%AfNwELY#$qAv=J?nkjGkP%y_nh=O7E2 z_>j017fpjdoq9;hc@5j4faQ;$^(ZmXlH!S)4Jm;Fg$Ky7_lopS;wC2&yD|y<2;b`D z&P5+Qu|Su=X5-I1N<2-V8E<7D`K#sU*tfd0jv4`r$ZCPZkE2#bSs|k|Q!?I><3;97 zXs0-{o0DRkX$8`&I`7d?R$ybxD6xAQ3;Yy`<@graP z$C7JY*R*fyBlfkz$)VO7Rr1&a1v*1YjQ3IrwxSRgp0DCm9=i?%Jyx1|>W?f9)udu- z9jYpSMr?u0@F>Y;8=C)+KcwN6eL?p!&;m#eu6Y#?x6-ZpX2_#7^LimOD^&Z|%hj@_ z!`R_uc4*5X*nZrnaa5ZG%a4nt#LDI8$k;SfpY-AbP#Tq2JW z5s9BuFnmg(MD!W3HB!Q6qk+{Jyo+);Z7OF<2WjF`yn#_lUto%zb3y)8OOxw)a2Zp{ zsw6`vc0+-_>JUX*yaAbg#P^@sBRRWaQcxBSC`%-;_*gxG{*L#kL`tE9L0|GO&4McW znmTV_nHE#yYGsdm0~l3ChFxAiO;0Z>>7J9slNMEXhJ{}DkvTqjMhCEv8awtLiM5#N z3O0MuiiIqT-iWModS6^nIHol*GBl)CP*#>P_;Q~EP3{46`s{{V&zdk*C9M%oiT1u&1d zV8~Q&?3hHO=Am46^#$D(4%`os6+nNGq!p0~`ko1*zd|J8fupp+_I*tVXdiD2>}}^z zbs59#-Ag=S8pv|mUl_X_HH2~DO4hmpVF8PJ3pyJwj2%m}nUFrL1DtDjn`WM?^mzc3 zOp8rB)uW@#AI2EQ%o8H>Or4?w3h z3jwv8!9DZ;9~~fs%;0%>;Hjj)d~N*DL1B3==q%ajk`$E15%83%SBlVxFvl6(0CPU* z$$twW0Om1PgrFY6khf_RIK@b?@#2>lsmo)==UyA3QF`zCQ*;UM{- z5MYJo2rt*`NDYW>z$mVP!wsnT6s?8w330`ndPBq-klBQoK@8Is3nGWX_PnUn3J%RT zp$};JF0ncXj~&G1v$Q<3K!h*=qlafwh0wcSq3Y3Zo&iCQ zS&ISVv0aSZ5V3N8{>KByO%j!@e~3$r`6$H=%NH|)TqEV+{?2!lvQj8mM%<-T;7vtLhbY06`11#>4vqV-YjMb=G?Jn#LpO zDoQ{fDZut2w;p|P{~xcl1anq8x?-pLYif>FA>^-6IA%ads2@O)Vw1K*DF{->z{|<} z%>|LTtQojFFLdTjcGKp7XfE%^FW>M?4g%IR5C+FQn^DEqGNpu~5tRT#o-wC`b|-v{ zuXys3+!8k)D+N}7Khi!`gM`bVaGW&Zp4fY3B_N4^{JgM)tM#rfR-DAW*=W-5ml;X; zaNoW!1!3LCYx5HF^ErDyNa7!@5frX^YlK5#`FI4&p@>1sD+7%+@>fa$4)*ifMD<}T zx#$kTJfAlBtQ8?`{NFA|c|M3KoGGp;)^mr0c;s2QGlZf|8d(NU5bLG6pyz-K@Bo?- zf2+L_L0EO>0T?4T^GkvK;tK|a8|c{27Hr;~;wTwD$G$566>AArwo-&}StVUJfwFYO zQhs}nMi5q>odDhN{&foi+dE5kP=|*+#89#1$SAYOj6BjbOGH=$@*9V%eg-H9(2a@& zd*^h2d=T^aO3D0g!;lLC-ji*yn)_}!eb3-*ogS^hVSxD(#&+C(g@QlQRQR#-p%f!f zmMI*{hMKw3?jvQ0hRdx_s0pU>!rm1g`HZeLlHK#LLE?pIK)Xw91m)+5Yr>>0aPRwW zCxO4xUSgiNauM;*(lHH~OoUua2I1$A>&d^CoX1lT>w~->vu6u+O%k;fQK#zT6&R6! 
zLoy5SuJ=X3@H_I+N-<` z3n3v1tz~hk9QS?`rh27qR#?nF2Ey?i(C+bd(YRct?O|9<^u7TB?<9iMF62rxib4Gh z_D-hPt#GVKVCBLNb+0Fj1HpC=tM&~nuhete6N_;}OI!|wjrTJ8p}8GPw?_Q7WoX1R zJNPnj*Y5(xG7nOC!ZHOms<`;cV>5W27R%pSMTvwXAcA)%_YGD=E_0+KiNN-=S??vY zbRh=Sxgg;XlUB`WNDF6&1zf32|4&uizft>Qwdx!uL#QS-%swN=tm*8vt##!Xt@t`j zv}i);^AE2e&9Y!-sl?PVBfyO=2a7STJ$)t&#M{D$JpZAu0kuW}UO%hkr&$iNWpU|j zgq(%Y^?!YVT#IfU;i>Dqj+|78ra3__7X@>u>Nn@RR6y062TAWk{wzi9fX+IeIm0E9}5Aho)rdFcpcw2Ki4*3Dy*|GeZ&*crkYw6XnroyPh>SyP(L zq?X(b!6m{am0vLb|9Um90}iZki1iX?w&!P)$2>(5efIzNJ}N*aqn(y8bc*HVdQs&V z8Jp2G`B1i-&k&d5-G|w87|)SfAFLLB2z*{G@;gm$!%rlxp?WP(K6Kd}^AAyPX$F8w z_;YL~mE@wURObsCsl%=6$tQ;}MuGnupV|7NRxbv-0L^ey+%yn!7&f@IgljtE1>7Cx zOL+uXoS>5gj!Mn7dBKqj%5^xLh$=kL;ZNU~P=W6XTuu_oA_2JC1fTzYo2dTS`aoMq zynLe2VADBl=rUIscx()$UnGII%d0n1kb>Gm$gh%es@(aPxlw?V(T2i_)ju?p)b6+Z z07+)j-cXOQR5@AxpF;%%tF6nE=*lFb!ckqr3&fqM5)ZjSJpC)b0q}H&i6=ioc-eN8 zJdo-Ql+aQBWXLnD@v%T+Dia+oytQ&;mE|3d#P6g#+5&vdr)BcVS%__ z4zQR0)wZRW|0bFVo7ED`NOa&960eqv$^7LgX&k2bkD&J05>VcNsSs2*0z5QFR{#&6 z{P)nEwIMFqDJ=$zdMpyFtJy7{9vYuRT~FQLyLFkT^Ahr5g=FH%aiXu*WUZKo08)`l zA36{UdN&sm5T9cd_~`N#;4(SIK9|l>+OjI^HO%Z~q@LB}$!y5jq>J1j+qbK%Sgcmg zqkENwpyN|28kv#SxjM)0u-;A-u3?rbC!ek3zn87iHd$*z!r8fWq~=xnHCI|O0?O*H zn0VH!sj%z&H5W&JLFp4$kB|^@o&$mxGOr0o%jZU2%LsyuQFPXqKf@ z(7e2eKy?7jobev9p#wMc>%Xkq5-AT(Kh&|>!y?#(U0@kf*23~yst#Eai8mj$ZZ_he zmrR<^LL@(Td9idK%Wv%|fQ*@C?G)tm&~}y9MgRKxx!~W3{E`PSl#jwny4%9L%MQ&- z5%UW|GUXccFr?s(7CSvOR6h7DDA@8+Av)Nx{PrpW6UE+*;ECM=m(0^VhaGs175XfX zwJ~O&**&7;?IP&bPACWx5`!xFHwcpegaviFy@RH!qebsxVSU)Cg2`vVbT!i1i`lF0 z!fv!A3TEjd_=^s7pkJ;Mnzxz}_o$=pB{7tF_1a7NB%+$ke5+WGBXe4aYz|+hZp5<& zUM}TJY75-3NqcSL3>Y*vowsNe8oGetEE$<+$;wx{m$-o{k(404+ztIW`!KPiI*hXu za<@?`2je3c+Oj&J?fM&WJ{HCSlggAeAVvf%v7Lm%_lr0Yzq;9@xzRs8h_XV@s5nrk)oY&{T$odZuWCgXd}= z9?t+twbVlyS2jf`xW=;9citkbyIhC-KfO)MA*_`N>(lKWFFDXrYwft?J#cP*nxx6W z@#9|3CeB9{=gWuJp^U}@C81!C`DneKPk|&Bhq_z+!F#5*rewv<`yGl zg`_r_Q|^A^M2gcP;|VVffM4=3=1rjiMZzagS6IaYac*(ZeA5qarR?uI9ie(DU@kwSbulJ zDv?i&0y1*Op6hI2Y(;CTSjXy`ZP5LW_C_d3?aGk=I0g73nq&7UsJv``#cmTB!u$`c 
znil_13h@{3f-ji8KDfc{x;{$kfo{-N*@C>q5LZj{!2-QVnj;MbO2Q=2Cn>s|rky2! z5$hiPj(j|6!JWpgvIGmyFWSQR$%e8GW!9f;SmEvjT-I@7@`M6jv}4fqLGWk!P^F&Y zy4*U=-(XM5PI!X}Oc)_OuU%NCeem{pW`ZM~85l*g*!Sj;q zJD~`+`|DP??5U7q1}C$RnxX4&Ikh6}tU&K(?-HI^2w%BlnPB^YRpLk9nILkVz6IMm zLY0$6yC{L6lpW9H3$$)%{2eJ;hthjIU*fMsiUqq|ErK?5fY4Q?4OSEpgs(N2#YqwB z>Eft@J}%`QT=`}CVEdtyJ5v8>(n=cMryq6iW{t4>NTaMZ#vDGEHpWrB1dJH39JqsL z6>3v&wm@etU;>aq<19p^i(b_p1JCW{iv%UZZt&)oDWM%8k0(2@_=&?6RX)hmThL-ZnkSs zPaQ=Ip0N;^jn;ZQ4pCl$*@ye3#vguRS%gcgmPY)zH2QwYBbZtdr~2g0INILPeh2ig z7a6JQVyXJSfG?Y1J8ok0x?Sl;?gHCsaS&^# zi>twwSYJ3FzWg(0c}aq>t7FNf7t=ECfHo**e@d^vs*{$bG~1TH=p3M=>d8 z`9{+JwG0447?}&ijU@U3dLK1^J4b58?*dzlvmw}w=jv>Z?Eqty!Uc9Pw~%oP`GO_E z{@%}Ok*Yyb`10@GeSQK!joH9voc~-n+G3D<9GyGPpsaVjsHt#Ju!N+=`x$IdaC%$? zEr*0FQyE`*QrHd)K<@TA!fZ$&f zGtZJDeo^pFF!n7i1!am1d?uNpW`UC@qvT!s)jA^p6UV$g5`4Yz){=a^oDi*&WVaD;yKFGU{XQaxflkK3h}c9^?d=|Fydzv z|J*IW%E%v76mf6d+L&LlK7G{&=XH&ro8C4XVvS_xJ3Qrho99h32MC(oidKdUEzQ z)R?Jh<%vRqf_otXK_2bw?l0OU!*wo%7<~!u@i^6JpsKtxfc2@ z90W+b#O1W0EswzIdt=M@$_#(+l=@_9cnKNC3$yS%TiK7{`K(#PFI&R3YI^sY3FNDA zGJ#*RSq&Imd(dIj+{J6*&zr`5TbIVYck|%w1^>gT77i@JBn1&4N-8_-t`Abki0_{} zSABZQl}smd=$NY5Ie16PMJFrx15lK;8)EpFcst*UZvD_g?CV9_IDz!TLuxo##jvl& z7UM|PG0lrg{p6Wa70(@+TRhUzi9xUTa*G9SN13mxvCXpAkF~LV>q)lSTa0 z90KlrJd|Yp+3YQ!===6I+=S_?iQyn-vUSwVK>#g=Q0PhQ&V{(#F`J-4ya zBQIL=cEOr78iuLFStjHL{8f=T4}zmQ>ssDxqX$(=Bms35^OIY|-{}3@j+08Rch&Ri zi}GEscOlEY&9ndp>G*50VrvaaRv$$Qd>#7| z;*}5T5|a((&*=>g*j}UZsLOec%9#NYrgzydOhjs*#%37)vbe{i0hgwHsj)4LjKO=R z4LN^WDOW28wm%z4mE_d1yHlpbtC|bM<5&Qg!{efrXkf4Wih9Se0!?`w!Ims*V>j3V z@ABE@ct!>kP&)A^74r*QETImfd$B(PNQ9J+$xnVg59#s0tJ7~o@AJJOJuCbDcj`~I z)rB>b5BT@@RKc6yE?x0=*WETpbT7;%U4O8*gx6HIi~P0yvj`{Xu)xvZxOsEa?U?}t z7hk_`Yw$d1Ts51UJ<0bIS;Gc*E2<6KJZ_d;*^7>4{f1&m} zV6^dM;9_d(sawC@N<~mVAB|wX-REn1?RAK28?X(5B%h(nPlB7d*^U(N^Z6Vqxz$hl zO0JTr7p5R@`eGGo=gd^nehG&RrG7%dGBz>gz$VtcAtY^N_zW@b~*S!{-zi!t2PR@=&yCE8V~MLhCmiCoIa&%0GJF5oE*bn0794Lb^1V$oF%5rsSvT z{JURyHg4^QNhzmFU+HfH<(W;OvnOkt&qODHT7wl6M<*pPL(uLPW1^!s_K7@l=v=ar 
zsK~nzz7?qbXGNjxcTH2q+3E4^K-bff3t8f~Y$Vy(;S!Xgj{`Ov@$-lg+j4Vujd3{w zb$x3r?Z8o!fi3^G6i@JHGW$>vpO3cCPIG0W`W+ozQ1f^CdV@0*zq`=p$0d6sA(&zR zn{&@gKGPZ|F|M?uZ;ylX?_N}&{F#^?V>!{e=Z8ldo^tDW zmL@|~>TfL@(S^*$nx`E0Xq`_!y;j(Sp}CPY3v}BeLbMrSqUVaLInPg}9~p%r~ue|R{8hKh^&$eGMz zea-&1C|msDaP@+pem?%*_GxxwzS;Nd-?t}X$lvZz%KjS76oDi8t4Rmnw)&jKSEzBo zYH3qEY6oVQ6HujOc}*ldxz*sDql$RK`M+T zj`6nS6EEG1y#68Ljke}cx;0l|%u-AklJ6U{ls$|N{`f!v)g!wL#*$zQT+O$t56vb; z&%BuEB=$DowEak|(oav@JXjbj0W$d}_6S1({@Ls*zg+*@fHD)rd_FYv77(o6_(S15 zICM6!HuYqsey^8lR;2i;obd+Z%6(C#I}`IUfe2jVt_7dy1&M(#6nRXt9$LKnS-1I6 zygZyDPIGy8w*_iv>VU*aQaE(QF_Q{Dc!CU@xiL+^dr_fGWpJUj^Y%8C*WY9+ zQNb7aKQKC@4XOQzm)QIO7s#q(yVSQb(%+O7*Ee3@o@yt#ZU+=gYTLQ}4QxLs_01-g z@hOr-^bUh7--AA4Bj(Sm7v`X_yx+zqFkhzR9wuHM8v2oQQ#sWYHtf-E--nBp!t~-N z(Am$2fj%l2q3(rS4~J@YJZB;p-!#dJO8*s#V5Kz7&47ZVNUXKgmSBA`4UJX(J%Udd z(o0^+aq)M@5&F8ZdLtuZf?(hKOx`Byik7qP>4= zY19gPoDM$`^laHZxL_?$)bIsts^NbB@%_w)dJq1Hd9uCu(M(O5zK7pPtg2R=nY(Rl<c&OFG7@c2l0; zR1?P{xb`i->3FBlh5MdeGr#xJ00Q^l$^FCwV?q6}JoLI8Kexwe^Ua8tl7?MRqZ7Lw zNLWXu{+Ka5f?@#B@F%9q4($0~niv$iH0cm08llwdIX4e7= zq_a5WYQyGt!^DJ!N>4OsK5HC@YxyfJ1@~{0LM$%PumZnFxjCPHWS?n9R}oV{@cure z=v|GaYGvH@J(7qiSt|t13~)#MjUs-1vZs$|%_&8AJ=TD{fw`VXGMH`S?w^b;{AV9q;v<>_@d@Ku-MExQPmJU+QO^IP4{g%DM@RjVy}6Ug?61 zKgKrVy9bwxRJbm>zh0+}#e>!ZPh`$>c2{g8;#d*MO4tv!pZsINcRpr)4b+1rCgNxF zc-m@C&3Kf+-Kt)31J4}HOik5u=E&AMu|CbxMD;Ln7RC}HBq15=q**&Ba|?Skw|f;gtIhfpJhQ>jb$XerawFQO#M+43JGce-4{{M56G8()CG5!8It$ z1|hd0FCY)i?`>%^H`m-0N~Gk7OrH4Ti1C`4MZ_8ui@0!=A))=mHZg}!ewsdh%L9D% zH0d<+k?_THvDmgM#wSOI7KDBch~;jUn|ojHscWn#L-ad!An=8S)6DnNy_8mHt@WpI zx8Iy9$xSZ1VcqoZdNneu6~i(>HSG~c{=Q)b@H@lV45XeNjLYpjkP3#UH=Ej;ciCos zuLFq_>7egDKAAmhK(V@e44~vL{m}UL)mK8<@=NK-`}UiAz5LDeB#2KTqr{CB*2}8E z_gWKr120ZOSGUY!+lI*|e6ej)e7~twLm2RqQE27nmyBT(PyeppI(h$FkGgaOGgi&T zc(a6BWcQ;M_Rd4oeQFA;W;!apEY4SD)RR-67&YSjFbG`R)8LwS{uc-0>)c4UR^vAD zcWg&l=5oP{!zW_1zubAf+mFtzf(4C$5HKAf@BEU`A?Az8CmkG`#RddqnjE2rebu&Z zOZhlA9ZdhGxhE5eOtEXPo|q^u@!3z;1rk`e4=j8%EETkHOX02!8uhDuwiq`XK~kmFc9CSbR2cK3c7vVaK+=hX-;%51J>O+a9_k3w}m 
z)?*Vqz7Ct&ls08^%fbOTSvZ^9_U0=6pC_0nK@O)D`+_j9$ z?Q>D}^HuK!Sr66kR)@pI7hS*4-+_YFw?roj51Z&$jUN@rG>&N%$6*FUL%Vje>?TlCqE;+ z1au&K?j5P^3R-VGZPlU>6|XX1j$-a8A5-E1@RbvjDXro96>bTFwTt5np3&Q;EI3Qt z=*^7wOo6)Fn)W9z)vkS8y?DOYaoR+CcI&VDJn_WoTZ_12sV5>zY3<+ysXGR$cQ&(Z z>{t(^)`(I_Q$~L)0dD)3p!1QxFyt@yj9>90-%Nos_%+YnkH)--@x79v@o_a*GWBhy z`T2#GYmnLP-UgeW+qX-K`yUZ2kN3a5A#(TAyqh`O#0<#sRC8~`$L?qCKHo-2`M8CZ z=2o8-8j3G%XRaovJUxD`zg9jq;C_`7qepk`ap%^}mXBpT(y3uT7O-;YN9P93_U#{R z+tyk8Mu~3TH2ACVgZqv%I-+@L(3R@Np2?BV1|}U+G<^0TC;b1|d&{UenE=;MLyWe3vULCHMcc*E-RP?xt}_J$7h)%(Xv6V>N+uW;woq%HC{%4GTCaZ{XS3f;}`#rXTs4ihaDZyGbRm<<%#ZV0>NO$+=K8F zOzAukc*9gBCjPwhg}h8i0ew7K1xZlWccuUv*UR7}fife|bO@~b#WowM?P_>)B;xky zpwKcy-Bm~IsL3rCDmun{4;>hZAx|@;D6_n>t>djMQni}OnllAr29>f_l)IDzK~@sMnmQcK~@uBlKlECuhKZZtT-?W?-1{R^KMK< zPO4(8jt|$~0K>Jx>H3W^nu*wnT3wF=L4C%!?i(-?lk0`HA8hA>LgrrE46OyolIIfS zZIof)!0xk=bQHmIHmZsjp5pPiXF7_~u-ksP2YLPiQ+_uVTRsJmu$Sg?bA_f~X#`~E zP447Vo+(V<=Z67!7(s!l#l<1#K{KUv=;~T`2kP`D-}UmV1ONPbfc1>TnERk&N2xpc zppfemkqcizuZT!dz|Ho%v;dR`-(VP^mKlV%nA;q3-bV_D>JW#W*J}}mPhIiSKR|F{ z06NX{Nw*y+C{-N=@5augkJ@ut=O`^h;Q>wi0?YBcBr|0~e-o2u+7OFxD(O)s-jQXF z`>)!S6E3SWzFXpV$E;tkXE8np+hl01YAk1uwE%9_@+rJ=CNc^5S zwZvxTJo8_xVV+YO%{mkh)gy_uOrJYj1l{dya_S z4E?8iGE5S7ZQ+y(%5(LD@bSpE(xT9q z3L*dc^9-0-NywoIXC)(rftXlZj9SJ6ju!?fREDr`lJatte{!^yM%KGilxW)irI_=; zZy|`$p!dy1xBs)JjbiD31>uKc?Z^Is&rrTnlbck@6slg z6(g-gCwzb%VP=J3%He|x5DD{}7eI=mfjg6veVGNx_9nC-Xa(uv# zkUOvGlDQduwPad>nvI-JMF1($-xLc$B#G_5_yS=H_+DohdS~wBX65lu&~ugVi*#cc`3@vqGF9j$W8gqGMN@FKLat*%Zx@nwC>XKB zr)H65r_%q{4PRkU15M8tT6a{uFAdbBruc~ASKBM=8g@4bo2oYnlA2d+!t^2hoOUfZ9H>g z$gaOcND?$76eA@A=5KU!eO75%N^UW1e(w%W61&_MiD039WThPC`q65GP| zMZwGM&=y&ZL?Ka9IB(xSqS+0N^4PfOB!#`*d4ofW^=gK?LQIrM`ub+YW&x89+J5YV zPOL9V>Nxg@`oV4d8hLkIZ2#fRm{(DcXYJ#T#TzfElr-gg-} zlsP^D-UDWDmp@$YpQni0+WTBuU2G?Y3fyMyw*<%w+-@co8=i_PzsGPg`&(9CgGLOO zwt@v;E=dP?E$s_EKrE>1d!7tPkb9mUb&-1?BR@P(2e=kJ;N$KGRu>`fU|d zG->N-9pEqM&D#I@-QqS#lsDtP`732I#N6$SG5f{evmy-ei7k8ZQ9$#xdb*bnpd}jJ 
z{p{6@cJzdtWFLZzzv2K{AyHKDZQ8#CAqU+NN0Qz0EhRn88R?Ys<{!P-yu7tOzakC2 zO6P+XpYJ$(v(A5hrMxR9AD{cI@wfJV3=C%_F((f*i)w-Hu2p(=jJ>{R=Dn1D%)6bl z^Z{sgkyW|g8yO+UYtXg?6AB*Yd@5pnSK$fCzsCn|axq_M`*!)S|0H4maG6fkp8fDd z`riyf!{;jBaySyT#(|VnJa}vFr{9w%{N!nNaCn9ffU)pj0!18f*iX&#^2lvJ06K}I zc<-3KpIT7J$3cDVmJjU$F>3dLYJY*#S+@}N&8z1ho?Nlr^9`9Yd@(rh-LupJMPdAx z5>_rb+}C*pn`)zeu!dh?X7rGh{a&bX04WLVPv$>bk)5v3iJ#@RC#?lKiL0b~-`Zcm zVJwxk-(%A=gc6qm}N|P$3nFp61$=68Tvs)c)NoS>_z_E zP{7nPy&>KZyRY*Xc=_=2XWa7mhaX7lyTcmMwf<>MD4YE^~+I=_ICDq{d=QZ&^ zO)~|reYaA0{Pdw_H}r+fc-p&S4#Z$lztKYpBQfc0;09MMUV7k@2R<2zS^u^enrY^$g?otx>SxCb~|0?Zv+Wqi%nkV|%uIszTy(C{ZZig_{vHSclu)lha^BU1{ zpQ)DGEPh2PDw`_ry4m=0HQ6Nk9jCT=cfRkG>hFexbO|CKC`Q(Kc#tChK+C-%c}TdI z_rJ4%4|F5-@;~W+ry_OaL;4q(5aeGe58q)Ai;nxwJUsum;s4GGq@sD?(SPIgKk4^Y z^`YE<eeP_L{KZ3j+d268;;b{L znT(2w`z6==w)!=KmX?w-a=h;jqQ0T|%BoRzOvy$&uU>IjLx}0Ps^mQv1*GB=6$!kN zF?hy$vYg$}FE+ck!+#dM5WsIu0g+BMce~X|ua6M2TLM|54KI6s3jxFV=YuR`UA?Bv zkB?KJ-uj>(D1ch(hZHa-2DW+Zkg^mYbGbNg20fd+UjAN3!>{p+v7{`?*hV0cKPfVG5``j(St z*k_sJ-3?V}@yGc9YtM86u~fA@n0t&7i$m5sP6^-?mu1x$Hr zG?~w197P@{3@O1tr``7qegk@f6sG}&#gJTW2*#s}0$PG`dw=Yn)eD*d9>IB6t|jLh z@d6tyRCZlc?OrIVAiP78UY+-Bz?QW~1LB)f&|dT7hM&sOV_wg>cifvjUC#umFMh1K zb1@QHbu2Bcv6t-*MnYP~G_jg-9!&L}2i(sDC0mdonbU$urVJsbOz`1Is1+931KRpp;c-L$YEu0Eihfv-NWQ*PW5|2N*9^Q_bd|yP{mDEAQx(_C*wONN*)N6& zCyU&j{jv0i_EK@Rxh#{LRov?_TI(zt1)Jk|491@je%|Rxnarw_sfYJyk4yAdOUBWW zU3zwqa2Cok&Jeg5+4*QNxl1&qsz?hsH^&`jI(V$BsR=MQ&#ChKks>@AM`=G+ukChf z-M8SP1SJ$U)!xa`4r*XA15hoiXFmO6LbsUzR&KtY_lWxAd;#g(4~?`*b-XIg1$Las zn}LyV#*UiL016tGhPL}7-Eu8{wb)Cs*zvq6dE8zM8+OBFjp2-!)u3W^^5ShR!dAC( z@?!LlA1RI6+pIQEs*FL z)x334qm;kRm!`R0xeMu=o#vmIqaB#TveOLnsL zZ5e|v+(b}My`xhM>ZN=LuX>-BV|DoKbfty+({zT!<(xMW<2YWnh$h;N03sECeGPTu zX}m@e8!P5ZGOi}`8>MRg{D^lZiJ*sBt5!^HVeFd}TT+y7cGBUrzv9#_NKQxR6`x+ft%4w5u;3~M%PKD_dIJD^z3t@6lUbRvi5SfAD5VG6#rbk-z(putimv-?4t z?b7A1x<52aE%Wls#0pg<>PD~Z4JPZ1>}{oWT;pR(T2S4URtM7nLof_O1!HHxt6`?S zQ|x9zTHN@3W(+l6mRPwCo=y(jt*TA!s)7HO1jd$$dtllTC3 
ze#4)a0Wog{k(=&^Sb*2|$=A9#HdE^u_bZvg@%$b<;E_hDaCMjAWHe2CgAaBuTS}(; zdQfb`Rf&0}yE(dhV$xZu*{=cu@Unr8UB#6n0=%Y*L30}g%v0CrM(-INcw)OH-d&m7 zSx7W_hQ}6{$1;_3o#H(-;??nbt-QNwRO-FSo4^e@{77=SI&H_uOZf>5Tq7vf#W%(I zDCI1787tsXfs3v8yPDtn=pU5Gnef}|J6>FTbnX@>q$D)?G^q$52;|1Zm2_HGE7l8u znVE+$%e|>Ol|Im-Lu3sc-a3^lr_gIenyzLh9^sk`r(7b zEfF7kL5G=BBOb-add{g4!^^=9Hua?RgKe5joYrXFL}kVRmYylT(8#UW6Ru}OGfaPW z+eUAe{zoEx!gw7~G%Qbs2aPoO5vUZbfZvM|_Y)8U3qx_4U#I&?2|-3wrIRk;A7GHA z5IZK%oSRFEs859bJ^%Ah&CA3fQ{87SRU7!@FVVM4e=+5aJ2if}DaAcC7Q4l0F7|54 z0lbIQ+}0=DfON8j&$b5vx0IH96ZMm4ZgXB|k8QGl-aNH9lME&cp;fc*uFLJn8FtLL zF;;0R}2Zxe7(WcYc>|JbnsOQ;2WYL5nmH`>0<*rC|Ws zu3QN$2D!U!-Lez+lS*9oR;6Ij924d@+P`LJ;=q-Q*Wix6mioOm`BrhB+gDEO+4Mh9 z2KFI@$2T`9T_Wv0&?YDSn~yY~fPkXsAWLA{3Ly!8^Piv%ff!!%tZx#}Du}m~E8nZV zO?$S=zyxG%7jr79V!l|9URItuRLPOd>Cq3Rswl#U|9iH-FQ%3@7CVgML?j0O8M7HR zcaA4YF(Hcvm~>XCJO}X~7zBD2Hczf%c;kG(Eu;Qym@F77T4RurnVMc?Lq4}{Jjd@2 zrPv%e;5vxD$?61_8@0dYOE6v#kXt@)Xv(sfIp_6}b(n*u9G5kyUkZrm>@GrKW+|6W z?En;TjaPwI>hB$?y~>^FUgH$lZ@Ij<@ND!AF)0O}&D78^C|&Q-0kr4(^CJ#Jl?efa z)xHlAzg|7;tz(;KXBDRwM2ucc2*Uq@HmD^|16BXimng-=WDy8KZ@2&dof3?88C z*QAl>W|e+Vwj8_sDtj>YE`rXyq2Yji_3R{iMcy~BL1;9O!IYb==ia$*1Gi>rx@j7B z;gxDEHy63tUg7T{4li`GtUcO02ro~~d1!iK0o409!6)3@hfX_~2m|?53)7yPyFXxQ zweAbe+bk}mA^7v{W5}5^TlW{LRCkNbd5`I=XDeG^^1aq#(<=*v`r3!j79*b(L%b#4 zo_xg2`J9{GgYHSOvC~5(oJgLd3aLR@1|o;WbqpN`9+BGUbX zcC$qQ770Gh{ff4BKti?L2W_DM8Z?6i&0X-0S(P-Bt&KVgO8zrh90D9GI3~5hThj}A z`GwA)nQKWVu!yYVa~wol4D1j{8UauShXZcaxJ(2l<}S|G6%~OL8#lZT1-vffbtUXKIJ;Q@tQR#Q=~rUx zOH^DFC+2Y}IhLni)kdWJV@)!ZOcgMTMUYxl?S5w59))G>JEbT~jH{S@`K;p&wI1pK z;C{oY^;12v5p0+^o`74{kjf=mcy^YJQeWKJjluCLr;}0YEx6U*xitge2?84`{F(Nl z1h?{=3(IdE1z2Ua%W)imMV#Uj^ppT9C)2TjbsTw!Os+TtDn-(2Ph1VMX^~%x3(`T2 z2(ymGn*Ihv4sZTvi8(D6LJIc7zL8;^Zs-jzdY}vukF2RBImhUreN(Cn_iNB@I_Vvb z;ED1J1v=2>lzT%;g|KzV%udS~Sfqf%OT%nZ@e$BK6=`t~mkEjR6}L?NjD25mRQ7E@ zsdZFtfSDaokGY?y7zRjvPd+u3hMZ#eKvBy@z?4QVbpdaCnZ`4}<*?$HTiW{~x5!`A zw#F;shB4L%6TKw!$C=f#hy5m4o{$oie(jUu%M3-z$QKl)@30(CcFNcI?HFH@jDCie 
z2ZjTTi};Q!QV8~&_BG!*DI~%qd5DMg3L^>MXC%s?EFG$x=TZ!9jxf+6HJ$R(c0T3m zQ-F003?rEGNgymK+;mVtij{b{df)jxKDF%2jN_m}!{*knG#UVq0`ZE(EVCvC(DGQn z9tI^3HnXATm{!D(FmFLoOUgji;$K#2-20~RL=e}?i4+9dCJv@`!0wV?^X;}>$o_vw zuR0{IJR5EenTd4am9Ibhs>XNG$A1-60((x9K6te5ge512`&YgwE|mL4FL;i?$7D=N2gxoEw)p_OkhLr*CxidM8@=5>DtwuGF+3XSoV&KOyKk_`Z-j1 zgSL~4_612aAYEQpWc{*y*#NVW8IS!5h0(4KTqVZz@BGEOxQxUgF>y`+^ z=xop1GB1^`1e6~i~Jv-w$pe=#Ij1< z@59Za^<=Ba1UGC#RR9VYMF-4T!oJ#jhTZ~VFxczz0%C$`DO7up%fiZ%}n}8W3-|B;(bJJPHBV;p+b+fY!Rk6G#^85|* zZyn7Y!jNO9w&dmR&}gkTy2p!nYF$W73pTVpxaf2yH@NI7gkce_ojbe4>q|e{OC_py zFU$F&tkj25`&?V?DHBM9FkKA@fCbcyF2;ZQ{Kg#A?_aTA757+ooqUG5S{Y22C<2MQ zj6AIJ3MNhgCcIKaynb{FQ98f0V(CukTm zBLIYFz{*za=ZU}e)o1=>((gUSmZAXp9tcc%RqTM#qf zG5@QG_Yj#8nmZ|<4EcbkFUfe!GsdC(Bk~;_W+C^$%5VC{1j}f^h-%!KkFjAkkfYSJ z<*9@^6Mp{dtQ>uJ&tjvk#^kG0x217b&_@3dW+5+jFUGLvmKE|=&iD68qr&R-(@1`Zr$}U-0?X#46F}ydVM^$-y z7N)zn6W=pRcA13@%blSKbVGN4^~N=L_YEFPd9j9cW5i!vp$wJ?q|HRlD)^&1X~QzHgji{plI zoDs9rLS0C=FiKrNn=g zB|^o(nfPucl4MtCGfa*|6@=qop0ca#QO)7m(21#N4opiOwkRaQrHVb}te&0F4xKxA zr*Of^`{;yIFb?Si1$5Z^uc6vg4~sL5t1gH6hrx0VIm*L(V0i7*{F0vb zqht%hc-_m~*_4Xb{XVGFM8Y0LUD;Nnk`H04d-*G*;jd{%j4Q^QLd^G+reZp&c%@RMdDyZ!H_?`sfFC`_`aHNu!` zLAbO7Gd4KhO!ih!4Xh-$;MA@ z&d5;v_J$^@BFAX@)M7cvF3?#e7M7b={v{-dJ1g@&QN?O^L^!^W0rEg|LV69_y>!=o zT#lIz$LGq*`)Qq~|H4J7P+krnft{v-h9w{P67BEhOc-FA3bY-hA)c^1dGPt?CtFSv zhi0!yEHQ`>3TBSZ`fdyr-thZDubT*G&^tY3jr0GnHvIo}EIf4d-~Imo0k{95N5Cf%`p%y9S)|=iMIdINx5}bgyw!*V0)W8D${^SGnct@%L;Z>=#++>FX?KDkqID z3kKiKeb=1{o3eC8j4#I|k%075v{W40tDLhr0VMf8q0GgyPAz#{*$4d8QO*qU;CmgRg-Fs=0K8r}j_;SZh z_Qg)-=V&GkD-aH6eu|Xy?D=7x86Q}NB40goMIv4BCbys)+QtlOvf;@Am{xLDpHE%K zrAsf#GNCY1exkXe*CBDzNdTv(&v|QP1^!6O0EmcJ7`;0B8V$%cb}5bmh=NrBn;6_O zO)L|QxdjlbiMlg#loUJs%U+-#_phmi5PJ{Lz=RH4Y)lXQY*}77)lFTvHGP$h1=Vly zU^WRJPIcRkFaVPf#G!V&PzKdjJhnBl_k4_pm?Bd+0ZjR!oXyb>-#&Z6trv!t2aU-G z^%i7av5)eQjb|@j&ccED7!FS=UIV{6%D0)1nG{;wv2N0F#TO@OLQ!DO+Y}&?3_vXV zw?H$eSBljzXgo}SXvvgkXO|hIP@2a3zU5V7SFL8 zg^LeXY9|R|g(l@aqtqavL3LYrU3gs!OiG*%G}Cz1;Xwzwt_(>d2#}ipY^Ca2$xp3* 
zKhV43fF5kS;~SDI$7)CT_n{s-PeILQ*6_GDs*WE{UN>(lxmfIxC+yzTu3Ph{9^dk* zY(RpOvQ<=0=io)r?+0D=WwkHiAX{*Hf2wEQ%_I2uT(!|Hf7-FdHHr8gX~fi@_37-% zEr~kZMiCRu?CLoi>k9j6*L5kNzb+!jS)izL=md;q!&t*92obMPcolwK%5}rxdJ2J$ z9~e!0t!M&exm;7~SrnNf4ChI#-{%I$8>Q=}9%SXyo$_A2_qMe<1p)}ahJ0a+0B9im zwSvD?>Xp0YB^=%!02P(VI0pdowVyoJ`bBoDi3AyG8$@oG^<0ZA!77Y(*W)+KScuU~ zB0tXpK<7bf_)lZ)j>7ql>_O{#`(8SV28%F+Gnd?Ds-1`ZSOge9lzOePDcb?~S^Qo{s@kHa)x8gdFq?Nbh+M6u%8y z7M{E?HTyAT(Hz2Hb0pyYZHBpyV1d8^s~?!WT3AiY+s;Al^^IKn`Ado>)@WGC_u%MZ zJS=?+x0I}IkIP*nmekdmZFz|Ro<#bWvp2ENBF|I~lQTZ9%TCj$8*gKbH_Y^rbf$bv zzxXL>5Y8XV5*=TzZTh{>GJ5$oL=)7oYca`o49f`=lK8cB&#TTVVqpuWE`NCMwD1x+ zD2r#Cjw_%zNea4mwmhZVSO~{1lh)M|nl^_TyQCA6@Ge@@GOj*{?tUXG_pZp+S#sHv z+oEsGIT*fvIXbKJDY6QNQQekSrzq_+UFh6T51<3BYILfxBwstN4u2D~-1fJ~uUW;K zCab)n*BHyW*DVw+J}sCRU!#qdJt|g_bGcA>F%|jd8mnWtrQMAv2 zq90pb^v;2i8ZP;AAI5m~aVP6q*`g>1dovGQbiS(lHsmh<`dZv#4#WuZ`u*76pz3|> z&cGv&vI5+9OF=shccF_j*n+kVTlf+BUTS~Vday)aSY9! z5JSqozbc!zkJ6BWq^U&6o_V15YT`NiOpuiLaqrUN3&LdWAehS)56$xoC@k#fdnih- zl5G7-lX`UViCfm&#DQ?mPkqo2e53^=m7H;3Rj|4-SaUyF*OJjI?R5*vdDiL#`I_B} z5EY0Sca1)p5NOM7?CX~!mTcsg8X>uBp5Nb!JaI5-sbOQCXEj^?z2}}|yMAUHGr`28 z)fD*i+B~eLjgoqFkF2{x_sa}4uhq z?QQIA^e^uQetR+)j-^A^E(}kc;TsIf9XTD$Az^Gt zxnf@p(6+0&r_JW>dp!z_1cYuihu{;8fFI%368iAza47UohPRo9DTyADIMYsT_QE;PlCstl+mEq1zpjTL^rU4*BDxGoLu+V zeBP|R%{*_C6mw|Q{!7RvA_nfEeZzW{K z!({F1DZB(2)mBc!VXtgtDIax1kk;6yW*k~Mkvx#jw$qjKX|VVC?4BRkv}=+cWOQ`# zD_~dLs1F+ArZ%cpKOb%%+sWV_?`gs|?q96OXE`2RN8BGGw@1>HvVo07W`lQvxELM_ z9#hl*l-a9_+!Oi0HaD5_RnX@E zwK2F-HlOBnO>{PPm7<;YXkwf0 zbZR;97cN=N6UxEuPVV6$u&`Jh*je=~*l=!OB&?T5*6>-R$G0SMhOQ18)3j+=FI3?l zI(d!SP3>T2`EuXNhbDGND04}23%3)ccO@v1e*Nj!pauR*)!2;1;b^l8b%!;rg~c5p z(&2!EE$d_KTNw(Gm@l;=@!b~m3uy@9<2Bz;&H~b6UOwxZrKd{kirm2ROw;i_Zu>TUMrw#4=HOkTl3oS=H4XY( zejiV`Db4=g8kh)G98HR*z^Nem)D7KVaCH6|1#m-5KI^h}rgm>SpwcwsYy(q{;AlH$ z6rq*l0Bxf;(9W;l3MSMI&&&+(--;pwmC78mv%Y_OrXk}o?U-FTD^`(apeyeWUN*PE z{lN`9Vo07aoumfoPz-DD*#hPkgjaR`xJ^gRb1b}MIZ6Ni*vZ=RpqnDoen6ebm1fQ_ 
zMnm4RmbvAmE^$9isN#F-OK^W{U~JKKsnin?s0e3OVigz|z*y?vcJRVro@CK{O05-Z zJx*`y7m^ajPgTb4pZvLh>lwWPS<5hiR)4hFW(?qnQUGn$yq=ZEi%S=P_DWQ_w$0xv z_drj`HV-zVU*x^A-MzsB<&qQ@enposeuC6X;jg-euulm;Yg0w&#xyLC$C`<@F@KEj z!Qi1QOJ)I4qho#3v02+qOy}zpt)KNWw^uSVjS1x7{xUk9&t(_AdL+ZvlCMAR znbJ-j5|-sS6YeaysI^t$m3f<-Cz7Z-+e$*jWXm&wTpY3t?UlV4nj*Z2Dq~-rarG`F zve|tZym9KaO#fG`8^qC$zC8XNNfTt&z+FlC6}AaI&{njG*oS*kx|ojoDH&91-pr~{ z6r!LR4w$9@U5^f+&5)4W+(nYPMsm%6;9^g5jYxw{ZM$xmL`N@bt_*oG^3&)+R1%Zb z$RkeV8udE9@Px)Y*cVy3UXSZ2S?CmGm!QSF>wehTA?5b6PPgtg#&^r0Uo!Q#Y9unS znbO?5SZLWFhC3Yx@r$+{*@t<8AMY%D&NtBB>F69*ZafIMAHV{$%aslAGg}pi1|Nqf z{a|{^-V_q|$B#tb8eP_|rKh#cy*9%MiP6XgCu-VX>r}j|+J@*NUyP8PFxS;>6l>r8 z;yX)VrgcRX#8~V@HZ^kHM#*R7n{YNcNjih<)#a1g*OGz9Mpy8BZ;27MhI$SU1L`rIdY96RVer^>_N68M?T|2ddP=S*h2FDt}Ow&3CdCV4k# z>AjE_T?GC(6A)F@w9&cA#(u^+k%Q5V^S5R#DRe~Ndq!Q1A!E+l=gf(crJ3j-L46j* zhKXdz=4<^zXH;VMGW>-@N3s6a%^$F^pn^tKqJAlliU~$ zX$#LYz)*Z*bn%t9k#NYY=hZ6P{I#n1TN z?RkFtuUG(Upv$`7iMN-0PG9#VfJsSwvvYUPrf)!m%MoMIhWY$rqxi{L+jv~GgEOiw zYo*3M&B<`_oGHFzK!4gbFrAFO)di-@vV|>o>e1srZ|sKgPw^g~(L*eOXd^Ejb-$#`N^BITnYVriw@$+2hpc zAx6HuT(^*uG=~{fLGMeZTHZGabxSkEQ2-~!4CLys4C&*noz9bUMkNYNjwu<03JTDF zqpREM#;|ec?kcD}lhLThuYbb%RgwyXiJe#vo01_)?Z{`wB|qN~~qB2l407;d)M7CL#*k-6A@w)0poDwV%#q5h4EXoUKc z5x!GcNr;g6FN1qZv&x8@D&=l_Jv=%zaQdPoWXk2Glph9kN{@dv7R_6F#HLb$^s~c( z^cX#8OijWKPeBOM{Vit3lGEybER(cmmOjkqG`4uqK36SXQ_Wj`anc7R``Va?TwkeZ zi&|8pBVC>MbAYW6>Rb>|l5t}_*&3T#j$>S~kalagKWQ4C3wIg3VZcvol^&Lr)%;Mk z+BVL&DrvigZ*qmxs6RJkQj62X&WtD~Ow_#=5Da7c#zB&0-dDaTLzjFNBOtoHh@hsN zM3>Wz8Fg6QSl&bABsvM?*s0!WURrSJ$2JrX(YToy(~^luRHzV!)9M-Z9uHP#;f!tC zEO@2;k|XouuNpe7)7;`!=la@Q%XJA0yJyeRJ$tCj@7c4EwY$2~>W~EFTr(K8d{>eA z^c`}WOlrvzaWkHL2SQ`jiy8Pei5vKH#x#By%Jq}e9AR=^xUgT8a1`Q=5gG+BoyeIF zeYPxPWB*fj58m;51T=^9eH&7Uos}G@*5@AMxa}JzXCW|Fy{D5(>F86bS_`5UkPtk7qs`T`Ss;}TRL$N3sME}>RH#>U}fo!m*rW2J!KBF z2!?3A2nioetD~3fV^<>S)>FolV!rFrlCkfpr<%rJ7TQ_Xx}`rjIW<Q%4k(BBWSt(<;L~g4Q!WY9%+zMRgR&V!I3d-r4v#Q2|^FxosgL?yE-SiJ3 z)z6~G_%+5fp=p^!dk#v{9L4i;o|_h$i^ 
zX7Yt0$iq?hjcMf|{p9x#HOGCV2=e)#YyVC7efmT8e+@nVKLts5%L2n2!Xh5=$Q=i! z7n=s)_DNxy$)b|)q&(uVA;RvxRdBl8vFD0V*Nm~`u<@RcWQRa1lz^;Nh4!9-FU+>C ziGl)|-NB0}xmx`8_a`_GEEQ^y_9>O?`k&<<;bJ5Ks@#2RYw(dwC% zy($FCehmI$kGlcu^lt<#z4T-`kAbqvB$gf%N0S zDVZsUEwky^TGyB&OP9OwqN6U;WVCB>-fg5SJnD-tuIIa|??mm=1v$4<&t8Hlxs2MG z%NTe0Xd0Gp^77yT!7 z^-pha@J#|O2HUU9%69?@s31ffh(j(d()i) z*}yv_t*KFPhcJC^!2;RIKnF}kPyY0DOqkqpbx{}>Bq@W(uI64sc96h%BbH(ws2m1(!`9(TrzAY3Dt^A zrpB(unrX@pKaW%-OThnanh{tbHdqlv2##MCYjrh*RF{k zK6J!4?0uL+$k$ujp~027Ie0hARpD|fi@;G?w;*@bS{S6-&a_5@^bH!n^N5g*$Z`s30oq0UY8x|Ah*3D2ip@< z(aFkvu4dgM^t6`}UaSXk+AOmL?&=-#cEEm?)v~13xoXl4)9C2LYd?OHI<>qW7kh^K zyq|pIiF1k1)SY!nPX4O)y;M?hu|#=SyAwFsl-DgAF#6~6k`bh8rhBIZORu9gDf?7{ zJZ=yMMnk+Aw$2)hi8|1J4AwRoGv`)p>#6-`#wm<+*_q6%Ao+s};%u>Fj6)sue zs>vv%o%$PWD5_rj!b)nA27jDokxV0@YV{^P9mJVP)Qg%NYt^LYPs_96sfaCq{zwyj zE6BLOJ>y8>m(9}-@179KeCobBru555bY%}fC2)Phs%1UvyZ2wkXYyst+1Gvnz#o9ClU$borR;Z)g@ge61UkcTV^&e^N%B z2JPD>U7@R3+v%^NHD=Fd&be6xs`iV7lV*FkS8Aml%Bj}B;M+s1)sqy1c>F2umTU_h zhL;^a+vtnF#T-h=_gQG^FWt-EqrQ8o#G!OgMc- zksy6R%+*kK8Ia5wXMRF9*aG(cd;b|keICzcR61|9l7xV{UsmkVv_&eF@gr>L1D)`ps%(mS`hrNN}P?pf~uD z;!@XQer+8!i<1C{XZ@Jfntr@e)nz9M{G`ac%i7e? zdXL%d>ShfX&<>@0ls&ELvw=1PvZ<{kIW2Nyg~wVU!>?Ewi|Xl!7*ZP#Pk^?1?$yUr z<35gKeWi_!w|}W?V38YsyA6wf!as}8=Ehp_5}T(`*+w3sW4J)Z0CLzg<@@QAK73X1 z0|mVNS;qV_l&fQQU_pBP6kHi49^xP9`nkE*DMUm0WHFkp|1zao-@%)JZDV1R}a^l|&NF$kb4^JIUcyn1N?OMN{M8@01|FrWe}%(r|7@Re2I?0_8|%41{yArz-E$&6CRkS;BKSzbvA$w5nldkTy~`6& zMQnGoRb1b+JZ96OW*%F!fvBv(Z&dbnFD?WNr1h(=AJpToKAzZjA`0LlWOI|)4}nww znl4^zBjbLbp7z(NXTF6_zbDknH8u2=WKTh%r9`lHvfa@rTRNsn~Q z8U`W&D2`JE^;vR`izUl(A5*$RIq3{c`VuDBOl*#ag_>=H!U5G!5}WF-U+S`S%$VwO z3OwI3`nErjs>Ir@F(E4MnP2_Jy+HxzqoYz#!s{8qQZf4dJ!@97JcvRoX63v~Z6OG} zT+$5%E3f*JFdSc1nR1zjdnABw(--M4LdFx4vbzdQ`ks=v?!9Zfe)ByyWyIpBuXS{? z*MV!?Oyb}%b+6cvkSM;(mn9U<^!CmxtA>;h#iI0Ca~=xP7ek!D(p9pLitTb#qLVDO zql>vu5=tzNnD>w|Srqj??Yyi!x++l}iO1s+%*cTL35ZTQEW3ch@OPTKM`0L4pSht? 
zduTf@s8_ZAt=@qzmlm&qVU5_!`Syfy2ICG_l^6t-d>PSOqtz>ofr9{te!Lt`VboS+)SX_>- zQc|Yzzjqu_qb^z3)oipUT!2en{5H3Nvn+{cP%ex=g~1pcbOF#*rgqroT`z962`gBH zQEfZ^E9^I1seqS%U_?XjcL#WTu>ldaPt8D9JgVVfrNiFGqL_ZSOO9*#nV~bo)@t5m zzGoY9Mt)En=QfQw>XU~KwAC>3wRok9o82vIfno83(ZH}t`|G|TxUk1H&2l@dQ?^6C z_XDBcZsE75T4L3{0WEc{K?7zb7P9lbMjY%d=;vtK6@2>#qNC5k>^aK(fE)rJ7>|JRwd*i#J$OO9NZ8XuzrYFm)IG*IK_a!ne7djW- zmH{Y}zLwF4)Szm{$|54QokS~pZ<^`Dc}c|W$ZS;n)mxaKRu7ODehjpMM80RD-zt@DaGC0-J!UIKyi11ySux->D~Kzf6vUCnYCuEnfw8P zljQ6i*_VB;@9qGuT0FQ9gzy$u4qh6NJl4e!=*``7vn7sRsOzGRDoF$L$bhw6HS5-N z7dG%HJFhu_p($hUAtPnQ9flrEj$>q-p;xw~lucoP9wraaJvWE|kOe)RghAd`2!cMO zr6$$x-b`kD=XRAcc2fy+iJ5ARzxN?bYO~d^z~VC zKA4dpKs|6}yz6LN8Q|)_RVmyT+Q4@Q_Tl@s>9TMaaUYwOCKhgs$s(g_UxBhAq?tCL zKk<~{p$0AYVVpC3x!)kKpzsOt3M_0j*y1qERfAq~KT)Gw?C7|)sDo!+wjiVsv-f(V za!y7mb`N@)lQo|v^Bg{nd7QVZ94w-_IDjADu&pUl-`USehV-Lm!S4pYC*&0cwxW;` zM9K9F)f*kWOqMAQ&snbAIKU%e11->J6!%hF#I|YarQ63U3YFq6*9Hj8se{Y0F6s7D zrD`Dq&sE~mZ~+V8TUWig~}WZ55J3yep?=jAjXfwrcoPmO9HVMYRM zbOdjiN#z(&Tgn~8j@y|<8#uN~(Rh2&CO&N0i+r2xZc`vZ!fIH1-c3Z>tZAk{Ft0jd8Vq^%s~=GsAjEA3?o_1@ z{eCi*^Vny&iH>WkaL(G3QBlb{i+g(Uc;kJDdHCxlR)FR7276n)^ zPd<8l%91Bz5N)T-D~&&FnW{@0n%XNT+4|T{ZwJ5ND~&`N>V)QlTVT0!4RvRCUve3m z)Viqeg{Mta!na4JnX@ErRM&jt4QDvHZ4tyt9Zik8QT}3H8L%p~ z@qCPAUNF&WNp~SEQLXCkLVual%$5sBz4Tck=4B2;t*)7~Tuty~^Q1$6Ey>OqbzJ{G z8G&;JM$iwXEyr!7$SqK&YsaYIEdK0i_6ggZe1*PoV7$Xxjo(MGnO z7-HJD8|Aw!jRY_vX3syc48%8arTTTX@a=(pEG9c!PX#A_ZMGPEiqe%hBF$rCE3|~Q zFQsqVn70#2PRA))wh_>qo^EAg`bpLgnI%p%m)1;$(x$bltt4L-guKU!0<@l0Y;>q8 za~H_baSMn)g*N;ADaqTo^j&Pn`{?_qGM5Q1wvL-Mj`_DBtE2A$Lg|5BslX)MsWsm6 z{G+dkEK|gfqI5t~$MxEfx6y_cteAdoz%pBEm0~U*Dfi3h@qYM}GXM5?S$;_^IOMnm zlZ_hQyOZ10l;v++*>x!;0t$g}I=BmyF1V=bY@Q?%YIGM%Vr)dD@vraTzh>LiiE|22 z6uiQwbUrq!Kh@MB^j`HB`jp7=eS*a06>}D6Sh{=_JJ+@-{^@jUs&jFfJeh9T z1?-1{mxa#R<+BLLJk%XruH59;_5Mjla9q{dyj>bgFl+0=F121<_ymqh1lg!dix6kD zpUu#YlTPxwPBu3C!nxpxXfT^RcExSuz9vZ;K}c<=<5eTLqvAOpld2*r_`yf;xXad% zhVKBc5Sy^ceFxs5f@Po$YAQ{)t=;!mJ*zC?NT=Fiyo%jEta_$$wTbhtu8=pu9M3wB 
z0XQV444PKT&bB-u&;%iyI_7CT=$ffg+CBh-;g{()VFMjd2#Uv-<9_rW&swh@4)x3A zuvFb^aC7SEcjN-_0G_4`%mS#E>Y$g&F~5S2>vSab%sb5TCm%+3i{f=#M>K)rU2v|| zTHb8^+>J@Gu-w@F!9uP=$tbwqEXtIlE5?kKm%v0pS4K#Omn9qI3ppd(?7~&^y@X zOI_djpNUb*O=e_5y?TLG?S%vyS zyWBSLRM2yO0xn??&~658qR1-lRToklGwJkDPIHX~9!V{=5vH3u1kR}!1l+mZ=ybgj zxjPX32AZe=<(Ii|*48a3ZlUp445R}u!qQU=oC_QsLR(%#wv|&qC;L-P?4 ziEW*~S`b{A#Qdlp8t9V@NGJ$)4V57>)I z=~(EJ@!SU$%$~esM#U|Q^dqf%>Tx0Uv&Q)}j$1@CPA*!9BcmU}$so*rmuMwi^1|Y@ z*B@3lhH`Hr5#d3=c5JX0(50hSez+-*S{JOdMRhJqMw0bEJtt@=nfvbDErKkwmk z3a;PEkEWoT2^b-wfHGdICk z1$~MMw=dfo1Tn+g@aJWWq$N~K)ed`9@kl7nicREJ&|il`X808+Ca7iKJ+f14;$_Yy z3Rr%l=`6MH53qm^&Sv-8_XK1F9bXac8x+oDguDgcm$5!1OuHm%xOlC?^5rnzE6j3y%@+ul1SH~adETBdG&cHCKqG9UUFCr zPnMD_lXl2g+0@X$r|fH%Iu(Ce=E<#UcbbN{Am*Zi;55*E2`P+oh*c4uAbTwZBlzq9c;$*A-#w@S|i+G@luyr-$h6N*MEyYa|jlMSTW6b`)1wj&tYGNk4nS6$kyX(Fju*e?Qo7;+ zHb{~;h3-}X6Z#fHpidV`cO9S2Yvh*T@q$1q#3Q9l;7PAi4exugQm_3p7u&;iU;92} z*ieWPNB$q9tx`nr+WKeed$be6qdzw@vg?3g3d@3WB0>ua5?ILB9noSYSXg^lEKwrT z#cggzo1bXEYrD*awt6~kLU0kX*U5p1gutfSU)()m3nQV`JmkFNc-2SMxWq-DckE_P z>fpR* z+dxetDcz@@zONSFz-h^n^<>FG)#CO?Gg#D*Y(Na4rIH|NhN;R&Zc3afb*J8Fq%%_` zmqSv!dD}wsJudg+SEjhc2)!>;{8lSH=ujBd6oR7f+po=@c^-pQ+4FU1+Q(253_<9B zSb)GII_%eY30wVs<^GbOZx{vvk(oiMCebfOcXlN;q8G68emS?eU2)kD?Z6zkt+S|f zGD%f*!cZfFttP&eEn<+|KN}@`mvp#kUSX@9F<&tD-qu}7tq?ObD(%N>j8h3anu_MiM0(WO5~1mOnIOOZtJsRH|{(uQIE2Hw04X($VMAk}9pspp>x zU|uCjb;9ntgBdRSuqYcw#)_xTBGy$%xr>yYMA&!S8g(bN6(znaRWz`*kpFPsaiZ@d z<#ZL#@!~*YR~-&033#%#j>I-TY1ZM5l6N-E38X1KNoDLia~>&D+pE;+RA4UfQQJeY zipW5qPh2<8mm1(oad)1dRGZw*APNSc49okoCur z++lLQw=N12^*1fAG06wqS~S>E%MQ+~wJ&&?aXnc~nwn;AjjI=(OM>Ug=|AH5^2$XY z3OPGZ^lY$Tjv^J1*m$EXX^a-`HJ#*Lbd(yX8PCJ(XSixr-tfF>IjrSC?)C1y-}v*S z$>Pd>5C;?aeqR6!Mek4kd&zMQ+sSXSgm(x;;)zR=z^8a5Hlmj;y%;76FIEifa9FTA(n$Y>X;`f)mxb9p z-rFvXR?Sjqi7unD$v~07t*H6rXN(#pEt(F2U!hURq5{xllggI!wib_(%6AMmqf|te z(kj(M>C*XHD0tQu8Y6>=Y)@|EIiU*_o9wN(U(DSFM0Y%Fne$Yn-c4s~CKN4c=JPGJ z@Wp!jh8P*(0rXeSBgaeA)Xnj`p;)OVReAdQq6ZXv^t6RVCi7T!g7GYn7YrIoHM9{w 
z9^xd+X@oOh%K(ckMyY$RB(^GU0@?aOab^-*kC7I_^^D-sZ}iE{MlLQy>B&#ygWhmO zS_`PhN+lhc;yM=Vyoc_>UST&**y~wSn#bNqMY8cyqEYtKWK?-~czXUYz4^x2Wp`+v zjZCp0-d-hQ0mS!4HI*(aG99B^_X-(WR)R4q#J-&S$wsDL#5|Z3sn{>qoj3iMEk8Ga z_*BH;^s%OOdNqHg1C>3mmZm>18B5Ks6-pIFqTs0pp!*6^vD;fA4rs0ch^RlWlm<-` z32rkI{YXLBTND!7G^`7HJr|K2V~tPGoRvw|Q^FwGJdRJE3dfl7o|ks=|89g=bxibV zd~xwc8Lx`!RJ-NfeWB>Y@CtQ?aJ)+iH~hB)`Jh`gTrYw3N6z%)-J^Z7LEi@0yN4fM zz+Zo<;s`IDe*`8efIgv=AIEhkqfi=;b;W9Af#t9Hc!^^neQQHHQ!GpT}S6 zwm(vve+9_?)8zI4RWFt-1D-YO7pVw~L0~R?hZ(|f0W##j)%P!`v45-dzjMg{f7<*1 z`%bVQaZ+$K14lja*QPC|Jq$+3y{Mwz=Y`G?qqjI{?b_v8XZF%#@Bc{S8IhBtCy$Un z1Uq^*Pr5BG*6c+uV)zzA#3mKBlABw2YvJ|vs&2=-arxk&uxW>G4CY2tpEU{5r`_FQ zsD2RKjk*v6B>Q)x!O$Ttik#LGbCHYz&-&+Xj>)PxcypS) z`>!O`yyCBkE}v;ts+RNMD>${NOcf~QF80>u>>c9e;gl>cC|2=l*v+QC_qJ7Ma+Z_ftZOkAc-d|CxF z95(6cZ3hWwT^_jU_)SS9d@QS0&v0&M4;T1@pd@+yQ@o#59(G8{RI|gC~o$a`r%G@O#ex5jo&;DuqM0skqEnKT=>_N1n1 z8bA0-V9V9P2k*r%8KyYy1@D%#2bZ)~-n-^s)q90Wn%%P$#IHd!jvCA2_WGKX6`y*W zxJEo{c+W3XT2`PPLA&8_>-kb4$s_zOs4XkAxt3^KnT6R#E9o65yP-IwYhXeX#_w`Y6!WZC0L zyvg4$*|gF&{K2)de*FM9ScqUolhuP`UA`naQk`c*IX)x+7R~JMDCN}o(6TFZFga)c zoPF4F!8`bTKIEY7gt1I^{dV)v5m`Btb#^a^SsY`S?kX6h`UTYC%i-;! 
zDr@m`Q8cF69CNcjEb|y#<~vm$mFaGf$B5wY5as3K3Uhn1_Gstkq*R-&5nYF~Oh3$a z?E5lWiRP5lYlfhNbG!}&h*Z>Y*pcD^iQOH@qs8&QmW`OUS@rW42A=&aMZ5>Y!J&9v z=6eewK1QCAyK@N27h6Qwd-O+(YT=F@}$+VawbQv4R{t$K#~N3D~=ER6Eucn*hr z6%Jwx#2n?>_$F@Pq3IOUbc^iWr^*bs<;&3wZuJ=T|0WNj?cwCXjdhXhFdn_jTE`E6 z7{huk9X~`_oO))tacUt!p|#p|_z&>(!$9D20L;v(Q+vqpq&R|%f|p5L+2OuEQaxGE z23NgXlbO0#%EwD`H)Ry~6unfOf@o3v5teutvb5D-yQ3ZFR%n$XEpp>->S&DjnQWpy zwbM$7r4fc6W8P`2?1J$wtaW;EXauuHCVn9{%kZRmj;H*io4YM$nED* z6lPNN9k2~MfxgeS|I-6vi$eW{zD)tynFvtVeFOfTRjDU&LDMvi_el50 z9F5S{PwsX(HVvJ%!8D1bhZ3)JM*-vKZDr`1Q{-{`*R=)PF|H3Fr^=?IQ`uI()~aUR zX(jQH^^`gI%(?5YXj$}u3>WRljfH} z39C}Q%Xr?!>ga9MZvMi0gW0V2=oA6aBWw-r6yiJN(w9C=AUfECt7|q7(3WrDj{AMqElf?}^O;#a2y3BQ?l)3b}E{AClg&J|dl68!QZOc@0 znhsjAYN)?s$P-vxIY(pKS}Zx=Ntt@tY)^J$LL4+4?xdTD68`Tn2g8g0x~2c(9KZ>v zM+!Bj72_5%r+2b=CtjAV-jasq|0m4hyuw}%kYJa3#($#~GjzABk4+~{)bZ+D&Hn*& zfIC&JNM%gagv@XSQtm4&3l~wzYBLJnmG#b{Y+^)ZmxfZS9Yx)@dNObUvW8_^M;mUT}UX>VJK9&=nu{OAM{R2$Ul>y<~gW695QeJfPW(TDxY z(Vm8*9U*ceL{zJS=dP?Hyk<%s2Vd>|!A*iokDi-dg^@p6ynFSFc~X6Rn3N6rExje^ zMDKJizeIH;U$t|&NC?+bbj^L`!=0>`U6J4(LFbtC%z}zjRkCv)pN4K+p&#-024Zt? zogUJ#AzlHi{s{wdNNPc5xuwNVMas9H<;?Ck^@rXM=irCIi<=7V>x-S+pI>~NpJG9= zfGxU%6|y*W|HIF!s>L#!YMa9iqMn(i@yX^ky(ZgX8gT%@CCJSCuMA1#t|`QWL4}GW zt_ibNkYUIpAtW`hq2|u1TPrQ{TS&q?tE2^oo?ZSOBf2^V??pw1yvIsO6TFq%ErSW& ziqjcX{&c`r4Ft|yU3@3Jurae7R_a$RBj3g-l+`!JhHE1QX9{C17^k|pGOxZnyHvr; z6y%?yBE$+^G<-$)&&0U-yGE8{9pWG@9V?5P+mhx8fk#zbwVs!%Bs{0KyhxYC%05W? 
z2+Z&fyIqTlh^*=UH~Wj-5>M`O`O^WkX23(VIBd<@Eb2NItt+35Zh`0aH)61u)Ke^0GsA zPdUWm2tv;a+U^^8RkX{gpjRjtT81SHW#vCaB@s)x+h|mvir=^$*LHO8>^19DTA;Tc zJ~E9a*t4Si#7j&1igPpG`hz@}RE3di+BBcbH5u3w2p4*x}7MDR+O*GqES zf*Yu)E9$sJcyRG8;ktCce~d1$!ORu?%0F)=P@F1K*?N#J5vU9P#VyJqh8dQ^@cIUw zEJ1PsL81!Q;_6AFRFHuo9 zOYv6WTt19aIjzY5(x3eV7BX0AAX$M_5Q~UcIzI*L7S4Cit zyKPLZ*jXTSN+?c~l5hBFAnt51O1Yp}_$E5V=Qw7lqVkxhfteSXX?E0=CkUs-@C)cA z(f8{wx2RA2u1EM9ijjv;N0pPo6`T6eqB_45gg$y{eCsLT?|L1@B7m0k<;%MlF9Ti# zX^=X;WO)09iIQU@@2f9xxhKZSQRe$+wG0&n^e{4Jwp?uOooj;;zOJnb>d&jV3ZES{6 z&kReF;5AAbIb{$U>0Wz&S<#f6^c&XEtp+xgVz*1iS*x>yI|FJ@XI^f z+oDO{;6oQtj2EnU2rhRTGebVK_}?;NG}l&M@2F<-lxZn}lq$wXxbS>p{6tY`HEWy{ zm#=L4&A$DNEnCi4Nem(l33AQ&0)sv;TnC)9vYL}K8bja=<1|;0$)-itJr7Wtc$^!Vo2IG*IT}`{XS%-io{fk`%jf~zVi`c>2<0; zDB{sGB~#O;oAj>G5V~Ac6#~J)Mi84))>DB1a_BZvOt6F3jefH;vG>h+AqLUAVHO19 z0}aQKJ*lJYD4TL{EExD}P|LUd$tf`(Q_@G9n|}!ZGgBp?XK-XcwR%coHVA!P?_p_& zHz1~?4+~cgbIX!$I}a#R`_Nqe)?h+O{e?;lX3}6uU+fslxcdy3%0N&>^YjbCwe4HT zfM*1X^w0&MYL*snW$}0Ynw+YVgBU2r37UhmK&`*%8TDpfNAU-7f6fec(Ypl#hwsVM zJLpYC$w3N{W_Vv?t(ps>g|jtGbNS2k9@n3@gdl4~!u9*O`XrmlX?iNnDqB=$E@0Fx zydmuKTr+c-M$9{9|9!$oF;E;y?U4f6%k95if&qZj6xz6Fw|9a6mkKK(YI3gXrA zw+e0rknF}bTx7Ih7pp&Ep{hl6)Yak>3Y<)PjylvoL6#s&SyGCZdk6H}2Ooj(&~y8B zpRZzi4$o5ajtldybWyqz-QH{ouMxA82f+sW0KawgOa?@JE+)Q3#?^lP2sOGl-^WB% z@U^V>1}VCGEG~Vwl+Z9Hn>Y!^dxmKFJU8|y1+Ln-Ag=5)tzyO!CTaA*oB3ph%yK$l-YY3bd|p2D2+fSPzDmg!$&B6} zLZT1Hk{^LDE||AWD&&5O_Mu{!(6IdWtpuJ>`^+k$bf(?H!0f;8FlN1QfFF2z?+AOV~2LxT!uy635fY zv+hyh;8daKb++A;Fg?X4L~;HSEhXg>640sCB3rboKJ)4-fFNa6Y1#p&HgGdT!-#kk zc_M!1>Wp8D<~^)8x3*d7lsqCibEe;s`gV-gTk-7Cn#k<)H}}d&9)Bmyo-!1A3uHXN zm@oak%H%!uf)dnYQ<9^35d8AYK$xOIqpfp`h40s6X|lyU)X&ppkD?{SN#QsD9pdAX zzzSxKZJ}XM&JkjtDnPLh<-WR696`&AuSNM+QG~N+u?tJZopF-pTU({mx>Mo|#tFlM z7n*mk91%;^^~u#iJunpff=89fzQ=kgN}-&PW6j7h=AU^?OfA~YnIw>tmHwQY^ zD{s(V3Tfk00d<+0HHF*^3yD@3nX?$xKrua_%W9W5V6$@5%77R5Y8+SEV(dUP&-l zO_Wt^$DBRKc-v2nO&$Try5k+MLp7>pN`XtbGmd}ONBuH5M!E3Sk_%j8N|KIq`U9P? 
zA6ZS^Dm1||%6w_r;Baz}mndhB1V~t^__H*jWne^8%GO?LeV>j0>`f{B{s5OJpsmr@ zR$m_NqV{TT)%Ide_j-v+DzTuPQ>3>cJ*Qs3Z@AVDnVc%WG-GfKtMlwKhT)toC>qi^=WzDeErN>=7? zi%(BTcv;q|+Mel=cX(&{z0rT|Y&ETY6X*Q3D!rEgk@tHH-WcN-5IjhU&^Iw()10md zS-y;Ac%yLWto_I*2Z}&@PcrM*^!n$RaiG3W+B%*34@8q3eF8EZJb2?=GZGg3+XdVd z#x`Azb5mF{>S!imM$yf`nVdZKa;5`zL73Y-nhwLGhG{FR95rY^aR^q%cMtXUUuavc|o zn_uH@{&C?=%0!iwxm-E48>a-f&x-^}s8UgVj?qyTsO z0?;4-&Oyl!mO5WRKH9StArWnJaeyMkSJD*NI&nG&LS{m?tM*4+Me(e6cG~t|H5c9+ zv~nm6i)I&!O%+d0(He?Z2uP0`vm`7O&`jsLuy+)61pElp!JV5+Zhk zQimBOQ?bLBL?Y51Vk%(SYfF8uD1e*&lK{7H1&N^B)|oFi!8#lk8y$`WkfepFKJ#Hi zCl1)xBr~9TWyA8xRaNl!gt&UfiHWQfK4g#2Ffc}4Q2!-4+f8ro?=8_}U;oxqM!h@l z#+YO$$>xvQLj;C&R2_ALaHMVNcXnNjka=_uo8xZ%z^HOg zQOHNsGb@YltO9Y8`ARqZs_@yRnq@TJffi^~_>=E&oHpaL|IDO!d@{ycPWwPb>Q_s<;9 zOir5E$V~0eC2OdA;fiwoA@_jy;^Rh8=oYn@eK%Y^D`E%AVL(b>vL#vjRAXxD|(u7KSto2pWaI8MwSH-<2_TsnN-5x@{$m3)m-C^4_a*Cki#B%!D0~GK2c%{vkqetI71AITT}WpR zJ>Mt=@HXxy3yWJ0AkZlIXUZ6fu2u)d9YyHT-Ln{1*|^2JGLw+DxOJFCED`n@j4sp46_IoAcA+8a)^Y0j^o-}J_d~Y{gP*X zY+;@`V6c#UVVv_&Z|Uvc=F+Ncs)>o0kJ~f&{gS=EuzG(nHjJl0(R)6JF~lK*$wqtJ z_m#F_CMlU?@gNMfvpRr0iS2StAo%NjOkckZgBs{MKLVETx)o*{IMlRJ)!oS`4>xPh z!~^CK)zW9iF^z;G){zCsJ8nByTjK{QZ7GF!RQMCrF^A8eqEuWKq_xVTX@RBpzxudiFt4Zk(R6uC- z@)aVIggwa0!U>%xi0USju>ggxD|`Cnwmq=hgITM8c~wf%gN#yb6={0y2h$DXD#xrH z>9+r{0C6t-Zl7(-Y8JH{Sn$76>)vKW#2jPynHm(`@fMbi^Q(zg4}DF#(l66V9=X982N)!(uM6+yna5& zS6#_nJ9ojSwcONrJy;lS&sh71r!N+WZ+a@y-eVkSy$|NicSuW?Eja@1wZ?_jy$qTj zAGQ-mm;R+WwjuuJ=y+{NY)Gt-$TIp7fR3NzThxoA`fS&qA_DMe3|=?y+neQ8B!J)Z z&cv5$wCfEa(eQM$Jx!Rd<@78aum7KLZYgiRpipkpplFcT2z$U?2PtVVZW@EfXn1sP zg-jcCjLmwZJ?3%EZvig~fCt>o#;B~p=h%fbz>em<2Qapayt@gYR_~wlMGF+-mZzZ) zYi5-LmBc$FJN(M->iE1U%luQphj;VqorE^SfLCFg1?F#`XjQY!b^S%hGhh{!Ot_=O z^&xg0LAK1fN)LHpqFv+Vc5hXSEhg*}!S8s*IxKC|`l|DhAja08v632u-T+p%3 zIdHPR_%j#LqhEffnmNJN-H5TQonqr-fE+ks%GvE#an0JrfADFtjO z&Of9pd~sigbG`>1nwX_LT;i*hE}0AVbm`5K1%982!sH{kJnudM@$?BQ?Lra+%&F$k8pN`vn@g;oT0L3c9WGQ}ySfqm90AG6u{9BcVCpEXb5EIlsj)7sTq4d6ul3b6H16TpbN)xj zvNDg>Z@Ord@vwSQd+DM8k*ow 
zIR6X*kFMDgX+CIIGS)h|WWR^hWFuNFpgJncmw!00(WIw-Np`c$a|53Y!P13|Ps*X` zrTHOtC44w;z9G*tAeqnhu*0@&i>sckl^Qovh#kY+YKl^7lMQA_xnuU1gPGug*x*=o zyfV}~S)$?@^3m`3U_J}hNrgd68AH|5$VGjU<7Z^RJ_(3ngC3{Sr{wMXBw2&J(jd)p zI`yW(aoZYLDN=s&hR#Dc2d|3$RUK#h3K^?vZ+f!V{$Q;Gd7dwiUv0ut%Z?t@2kLpU z*WB=nt{JB5b?z6$%jR1u0Gxo3g7j; zRxuF~T0$>qpSyZ~@xlb@L;06$e3GpzN-t`CsHbS5lyg!Xz@hWahk%X48kR+ut2NOW zfWQ8xBIS|tEXEVu4FkF7&f6J&oqegCgYRD=m8AyFurD?Jz3?Ab%x2QqFpD8H3cyL8 zlwp&-?-_5PF@>!RsvjMy<2nc%-8z{<4h0}5$`$P^DkGTVXd{W-EQv8wPFP#WSsi-0~D%h5-&K z4nyDsNutBnbF#*82~8G#<3za08H#33JfehF3Ln06KUBeS3@o8fCBZf*<#pc^J-z1` ze-W-6HmSwsIHuJ-mH&3|Yx6vsetAuL-FuUzy36YGfj3D=XvS9gqiBUU(fNyCn_NaI zv5q1<&aXladHYbEM=MmgV=>j_Pqd>cq|-$7jQ5LYIx|3SX)JmK*PWBnH8$I3ABiz+ z8ed5I@Hiv*ACT^}cqKf`eY>OHXWBj!Ucy~lIELlm5&o_~VDhd%%E_wO2Ap^F^b>cP ze*m5T_o89Z@!?Q2b=Z8@60hFgkIMB@wUTD6V!7b%*~|7TxFa{JE!sR98M?8GAfy#( zGNE?&CW0!eyy247^NGLdozmYd+18tK{PjPM9TyrC4qvTZoS9XaXgUAToxDnsEuzAshRmi4%gsWAPD+g$DLn(9m@!_f=osniS8sItqFn@8Y+ChHPjXoM?qFQHfv zpDefD7;UrQ|j1TZ^{8nU}8}0lNscMW|!dJNxlCbEn_zTgy>kP`C&wY+#=YX1ed$Lt&2e7}F zPUbO7fzr&D@i2>QjO@J%NrxbZoGf$C6#>r7{O+U#&N6_L7v3^`9KmGH zdhQLtT_&bgAYQ-UV9b5b{NhL1m|q(z9O$W6&=)Foq>?_!dGBuw1p?u7h48$Rk#|Ioc-sk z6fUnAj?auw!b57l7r@1m;kS1Y^Ks~8yk_@RiyFVEn&Zv#MnCsj4ljr0%_&4ntaBfI z{hzmgh9z65HaFRyn%YKUi{><4gr8v&!`Y#KWt#seSN~;~;6wTM$)DNd@6&%$v45Zb z*Ve!P_>US0eECec)BN}GKkxjnt^aQOD>?%IBLWau|L#XjMimcKYY^w$D3P!H7#l_9F5{+rb10#n2BSIMW?+LjNhmQx!d z2qSb8`L27UyA!vH6lbS6(73!eW;3k84|j>QdnsfTi-SQtE&0xe=5ft5Y3`ei7H(Z6 z!w_=SD>YYAeosj1WBJ*cw)l_;-Pvuvfi>9KpptTnSlU9;M6-UxOg-6Cx2)(@vQz=P zE~I5!9}T6&t$%3v?DX{UIzll@Rq}RCsct9oNVAH2>G&de#c|&b8q)GGT~*%0AMchn zmBeA@y6r6QzmOkQV$>UZoiDRLKCjJ;tL%|G1>ofKueS~#6h=|P4cQ1z&P_fe-ZIz}m#K*y+CDiivHm?umnG@l*mX5X%9*R9dKhxkj9ww(1G5#_uOuN*YMk zHmZdVy1vsXlVgq3hDU+v zP0G^v!y9?Z=gRl4FYb=&>6<(m`T``xtTPvCet*)G!;;zUL+-0`-E&KsqI`Qj6w%j|1 zN)iih$%N|)PElTLT`{h|eF$s%g%o#hub{lxf(sUk+=@+Vp0z1w6&U*psvp~%3>F1_ zAUvEghy4y*T%lbQ;JN+Ce;nOtIAJ7Is(dl(Ek_d)!^i#Vc91d-;nfM@{p%v59>i@w 
z5nFN>9k~Y7izvl+vF8S|P(3!+Tr@|>Cl%2H27KxApr77Gzt?o+l@gI}+C8WWub0WW zEd@0`jhi?Jll)V?AaNSjz$K@k#2dxKZ|Xxuv)3CO7&N~Ay!gY9IYkmY}xfohLTnSykrI5jusRw!2 z|H&?&3cDnY^+t`E1s}jAfxE=2%qB5EI;@0Upi%v!>ARa9p9(AW#IbL=^PU^j?4*f8 ze@wk83wyWe@vDwanaT&Sry;{bxk&(95pp99XjfF47p*8)?S7-HPNUoZSY&FGM8Tj^7HrW zb=Ww>IWLB1i-a#)rbAvqO5dnwqL=au zCc-;}*&rgrhSDaf7bZ#0c5c0CO-;a4lty8*ha%4{&65d_hYw1Cm*LBD zIQ{zXEvV~F35D8`9KuUB%c@n@{g*Ul*>?dps%Mw!>Q7=1Ua+V7qaq3% z-U~US$WVrd>9a>hmvaluyapD}>I4(0o!w(_B~N9rO5_~A+NOU;wceN61`S68i?gOZ zVQeU{#9uLOY5arDJU#8=1}fEm6p0w_|1clM8JrT_JPU zsqIGWNtxPavFP2Z+x!nj#*^9#vK!|0g$B}C5g@aHvq@v|MN-^zj6y{Z;GBP3;F+JS z*E0CAj%zMSSN!tBjBN*s%$w=0Y)jf%+x)`-e2vXg@qYH)w)l(U^s6RsjdgmUX&wNeQz9s*<@i9jT3|>^7NXV^0?>KTKOiSm-_F3S&Yvvm0S5JePxCXy_*BHe#!H#39>C}trb=~gTi zcp7rn953(W^abqf1=}0ITozf{eceyo;iv06l7182of(fl%u$%SKcH`zz4+1QAt~%R z#zav@ zdlvYmY2QSFaPaYrZF3sIW(@{CdMMF;20RJ7^Z1OMwg^<1Q-xn8t@?_}K%bE{)GuU! zZk%~l>*8Dnk3@cHA3GGec~Mz4@!x9O0EjoGYkx6bPtmsZ`mmX|%~#IaZ0V^ncK+NL zzMNwhyCE63hr^BN%CXrviJ7E?JT2Fuvq)LvZaMIL24Va1h{rjpj^_4I@oHFo4Kd(` zf{m@8>h&NgHC==l-?IB9Q;^!4Y+;rpl}lE=D1T#`raY?|Hp{^x@*~E?9q5>bST}|tGjzxps0GmYi)=|}}X-u{9#$6bzY+n=ijjf>RHnOW<*fxKfE(Td?pvub%h_zAt07xE4v>s*D+*?n_Bpz?P~gehPa z9Av&N{FPs&t3d^lx%ZmghbH8Bhx~Ez@*8okL^(uykrxSttaaDMbH>k{l8|>uT{ofu z=r%FB{Vw=pM6{da60y;Ob4?+cVa6WPm-1zjxP)x?hi*bw_Kq_sCe2kEf2*z0=#iG3d2&$LabDh+l)ZarbWQ7PvIk$2V+Q*bc3(FG|JGFz$yOd2O3lZZP z$@(%gi1!Rw}E3m=i-X09m@&6`K`v9Cp{ROrucZ1=i?ls70| zy!P8G2AIDw? 
zcdM1}uq;2SVe9JOOr;e0B_pQ2LrgL}cTj!aEi!Egr8TV&`R*yD4Qn(U)wHSAv1kko zJ#L!YnVl0OEY!J~`DC!$Z>OzT`&u5k4;e)XfA$p~$sU<7Vc37;Bf@ZeWRuC>e4b?~ z<}W@{8D#xg0)_23`857vYpb*h2g=>82-gz(lZSjckP+oe8%Z9hZmDydAek*|V&fvT zms}N3^F|pYv!r1)Ny*)Jr)*b{%#(bBHb!OWIVwH5fcsg;dh%!a{QIbtCER4v;Ws&z z8m|JY?xGCi4t9*yc1JtMz}ei`w-#TU@$a<#RP#K&Ogv@KcWzl^2($PgC@4bNsXDbdLZ5?RcnR{Pxf8y zcYW#K-3Lt=L}F*o4$>uezdL*Vg_4k3-y(A_OCbV@f;(%miH-5t^?-Jo=L=l@3b-e;e4_7msD^XB2zd}fH@ zH|t(&-RpZ@*YDruAT>T`#8J4%>pJNq3^fhZWiQM11188pgOPfJ`;U*!g%@ATs>4#> z4yCNz$f?rOD9lEu<0Np`@`^^FmpWr-5M>D)d!P}!eK@wpKC=F!*vlaCZFpN*IAoLcctT?>I71Q2v-6i)A7YZR@0BA z&J$yc-rzdu6gOTu^`5Tj*GQ6;nWBo|st=pjnV`o?h)8{5%tkO&P5M&JbIs?ns4$tD zt#a+eW$b97q!9AFovGqbdLsWt{6e}228Zz7pf~U5_njYYklaG5_fTr0lvq7|WUiIx zAEYu+(3&SP{KlMFdYt86%n?0I#-~biy539OnJtv#ADrRVaC}DJ=pTGHF{NmG0J{S1 z#~`PY+XDtT_?diJ4d}_~#{A`xF4l&y;3w48*XH_zSqj{s_uyI9TD^%xsq$NHb!Dgs za{LaxeO-sQ>NlK1BRV^VH(=XOJgY$GPqh^l>h>R^N;=+=#uw1}gprS;F0**elmDdS z;L}cebuWnej)8u{AbRYQF$n~GY<5k}J1cSk{B$>Ka){|LAJ_ECp~|0WNyG?mbq2^F z&N<6rPPOStXFGd_nyq)0?O%9QM_@{HL%1UJm^Er5)pS*N=50niOIV_l{^IyNxSwM* zpY_-cpXZ`D?_9Q|%Ko}H&crdU2XUp(SIoTH!*4*>@zb^PhuJEJ0E)8)qTE?`{wFh} zQ%$$ZWR5A;1?E5#Y0ATqU5DHQ`2hbaW+CX>p@ZkBY52y=&(}9{`M44*PO&<)Q?aF? 
zjS;sGJd-(ij<=?0tLXG*iRdOFDZDbv@COG}$eO?bw=7}=Y6GQ|5>(>F^TW$!L-=P^ z%DLSBdA;=_hGRyJMXq1ggu&XpRPB|1-n&$z;MY(n2DHZ;t=iDz+MhQS^?Cov54c69gy$`b5UO{tOmduU3I@l(zZSm!q33FpXt3E zb2Upj`ZV>wqjVVcbo=LQoMC5h0-4VJ7pViR(jixnmS`J0Le>J7^hb~uY}}6Vqr?ms zD=GbLU5X5DptKMt+|by-xldDh+MM2V3ULH)aVa>#t+6{tvx_dwCZ^)7d>GNLl*isp z?Dh>m?!*=)KQDdr%wJqYW`_=tzTZbbe@i~OYy#sIh{@FdsENk!sI3e0U~a5D2rYu0}%+E^dEsV0=qmv`1`*?wX^3dj?Gk39|M8j>s#nK^5vBt zmvHwjN>f&Kn{jib>3(I433;i7Pw{VJ3(wXqZS$Bs1b+yvR~EvpGeENORLM9%?`RwUu{;s z>wy~R&qO+qScH;_n*Aj@EQ%ay@MA;vR>-ZbQNSL7UV5QBsU9JS21haG2Swyx(up&m ze6sKuxq`OL=rQWw-(LJnIq@~pPG~^>Fk)_D?fvmu-SZ`|JZThO;q zsoqRFpx~kiA(B|>x;)d!6UmyK%WsV(_%-rk^=fVy6?x=YOOu{Q{3BC}h%)dE+>QNQ zLRf4khf_>>z$NUU`X&gs2D-h6BX57R>6kTP)=1Pc z87_iTeb60>Y<&pk9I5)0@1qMeVG7i=1e7Po+Sc+3@(fw6y&){7$JW$lVu#RJzKQI0 z!-HJ!?oVay50q?k?&J>`1cF|`<}9j9Zdz-n9RmzPr)eJBT7|>hSpNJr$8yk#bXF3BJ zdicg{*xN5RzZZn*TMzYM=E|SHct_eZIgvYarZ5eNp*jg~8v7_($Fq+lAuV}NDgG2N z%q0`FjdeeS+ZoAu3}xhnQuUYkIUJ<}QZI5zRxr5NpCm=q>aeF;Q3FC$3#VR}YR~*_ zf)q#qnbl;FMt6dwn8wfw6@xJe(^&5p3c*@!*f|QbW2oy)njlpj|Dk8bI$is@yaA4c zPQGGxWo3FQZ~<~7;6&H*_aII`8v3zEFC-jxH7cr|L5oB~2A&8p?H~z7UABJ7JHkTv z6YVQAE5edVd9{6VG}a(*X}fd$W^|U=nsj$F*(o6EO5T+`UZ1O8RFS4LJ>U8)841?* z7`XgoGTmqJL?AVAo5|OYmrr0-xRKLAo?(=`APi6hf8jaLD0V55YcCiNai(y& zm%RgViL%>(??nW}VV%?A6FFC#Jx z-z_h@TjTD4*p2J}Ef`;#?7LG>JUvEbP0qbx{|D~4;x^DxvFw{c&;RN8=W)Xj9)47{zZ+4q4q;r?$hHG=Gx zy0=C2Pmh(gfH(A%v~+^ItE+BzgQX^nK%BI)dfVo`nWY z^hnnMai%b0nN}{t+UUQ81d*Qx*nS^zgmSyHD+pOTdMYq4$8B2$4D^_=&Us+qUFHQc z&Z@iu^4q6~H{#S8`kh@wUGOvQf7Y-xcpz8im(#=5|LnfLFk)GZq8-VdJAM=iGvV&(GW*Erw_IcMojPhP&|g(A%R6`H{qJsVYKLoM}(QwjxCLCp^Ot%euRtE6+$UQNCOHT!iZg+B?ZqX$%3=C-Tz1yp)h zDKZ60yy>R1RsjSVd|ilYT}e_5y162k#qSMI?Z^6G7Wmr^?5G%^#1Lbs((1EF-+mfe z+=}E28nClGcIj%FSg@1b>Ce5^-rUM}__ec)a`*EgXRNj30U>*Pm6aHBRUdwZ~g38 zN;=O?KjO_bboJImzBa3KYWiV;!s$o*o$+{c8i7aoTxUmV0x-|IVm!>VguWl(k#7`hT@0PH+w?8H8FZgTiOK{ zUbxE4fg-CclW5N}tGirf+KNKWxczM`=e|0M ziEKgd(Y3mn{=QfBFNBFp5zM*SN%^*r>9bm0BRmN#MCR&GBT?OoU98sUl|PwRFRKXU 
zxc&z2C*Wgrt~*?moM+?{q|lq;2-G>d)Y;wD5~dTkUUckE0(&6q=98l{3C* zhHDYPU?NGLk}s}}0I0lTz;7zQ-t@&r50=2a^8VJ8W@N`9>^X1{-WHe{})N;f5UUfc7LBlSVq|2vN-HN z!PeL{ast5~3lK5u)PE|!dMWUT`Ua#)9Swm8`V2pKBMUl%ZuS)TpB0XY57Au6JlZ?V znzQUVSk4bqkMqkDAX?6MiBCEM!0%sd`=9tR@DKd{`Yp}4fA}YP{zt(6Cqe$bzTJQS zpXB-P`2GGBpdWH;#DlcQ3Hf%NW_zWtBC5cOyKjt8Hl(Et1`zl(7Hu<0A@ytJ!0Cwo%O|=^MkH5S~OE(eb(5zT7GALS!1Ojp2GLR4aq) zoG?2(KQ&=#gbJhBwwr5_NUQ!(^j#gk#QD-Z_K<;BPK)ye!kb@v*9tI9D{ro6#?PHE z&4CT=%CUIgLia&0OtPOdaVB=8#w>ZVg7LOhMHZQH-(0}xv=S5K-av{s8Y;pjs8sk=N$Es;5DI@t`IMX`q&wa?2}yJ@K2=#Y5t@gZaPX@-kar z|De!B&}`&_X-CbiT6}oNsi?Rth|A70Ks(4(bfu4$ep*e}2Pga4)gx6DIAcDjUWdZf zhx7wC7a@W=xoc(Yz>E3|>*YkzwM(01HO93x0@bjeb!gXFv5mR>^BPHe@w;YD#bOKf zW4U6*X!q(f8%R}IXYJ~#Y9wkLSfpGFhArc3!D0pA}p=_}mQSI(``) zOD$jIZMEkErs{9N+y`5U=d(w#*w&4LtL(zl61P!HzvzFRd>{@-T~c!3^CNNTy&0z! ze(Jd^e&us*Q%Ch&SXgwB>@$p4!5$$0ltQvY7THJatag}}yGKnklw(ref3k98^*>lS z4SODhQQ_(RInlI3Ld_3jT5aB~>NvFx4{phmGCJMM*cfMQ5-^FV%<5>}aj?UKFDBoH zpBQb=uYASR32Y{%$o) zJ{0`%!+{0zL~uIpaX{z$EZReg>I-}ck{Zfv-Tfw%ZOpTQ-RB6>GHvk@*c`714{1K9 zALQ6_(!zLk)1oLQvEBW@IiHE!#Oiz*4I@z()`5b#z1A1vR&u`juwG2&Jc{tc3dZ&i z>PPT{dg3(fF_0TeK~ZU0TH2(_a4KuQX(Do`o^T!E5u z)1_tA!3&yOyPie$8%w=PRFDd+1%v+3<=GyudnH z=)xX3mN6X^d&{QZe>(f7;Ye%X^84CgZKV|bT&-3<94mj29QvoAl~wTB#R1xHEG{Yc zvNKNMPb%)T08nvm&OfNQrtE)HaW7&qYy-ui$iRN=wlbX$wcexo`N`VO0wS#N^a&~d zNx~fFccdX=LhjbR?NoAR8y zb_k}g>*LsciJkQNE*%nWiHLk-Fa%wGP5bG2#@DA z8DkLw)hWUfvsuQ?+mL$|7VBd&)b%fJQLqcsm$`U5@P^s0x+V#)4fBd$%LA%CKp!XG zN5D*Rc}(q?WuwyjrV5l>B;q*e#t8=Qb@^M*btt(Fl(`Z3=xxcdDW zt}6Z8hu1cZ?35zVEM$~Kxv_%}2Uk{#gddn-d~xLx{xQsE<@!h&uc98QU=^9?Tn$%Ov!MU2KmXg!fyn(!xf_l#pg-o{XE=hkMHZX`{@K!P~f;+5h~+cp?Dm%Id1vP_M6;#QZAtHx%@i~H?5>2jKY#K zZG1WaG;^x`{y8=Vr!3F50@I`~G?CUlyKx@Q$qbiwIQ6ai7|t_s>nIh=`|ud;mrx z-}QTUoS5Ypu>E&;rWd>P2Z#cNAt_!{L`+sq0SXBZGZnbsC z1rz7fq@B*X0a+Bp+5^8XHb~izv-IZPH|XZ$Ub|t{b{jEyY3WtwYok&#gY?IyoWO;2 z`uTe(IfCPeFnpoF?4UQt5gz{pq(!&sx;!WGT7}+7Hl|Jlwi;qbAndwF6@;y(QBKz* zENd&emOh8s;k0NR=}#7=kN!G=!H+%pI44(4G|ce9Oji=F5>Kq125yz2I0wZCJYhnJ 
zrm~w!=Gxylca(s!suY!4y{H%LL$G;Pl%l98fglZ12$BN}WqX9?6;Q za=?ej(<2Wk6it6)?kRB>Hc=1Dkb1xz2hS{2tj+#h{{@ybdPa9wvawpbL8-f^f4#P>Igy_3e>8FVXp~D`e(_s4Ja#V)WnDU=*>KAi{itaM7v#DLSsgh-0Wh& z&u$~wum-#ndgbUG>3alLMoShiRrwHz`SZwX|j}3$R1c z6SXQmOev^QSn2|dPw^1F&Q)I*;$*>3w>&~!1J5-c1?ml>z30|$YvP%cy^1B#9ZMIbk%ZwtY1&@{o4;k0tY{&Vw2JC!2bQe02wpU7J8Naz0vS?7*f z8m&;*QGzL2DnCz=h(uSw4z}P+(bQNgvzPe%5$QTg&S?e>)q(@+zkYxWJ?&jK{rsFd|*ZuJY1t>TIP zd?x%HyPn+7n0Ro2o7omP`Z<{A-*E*zBnSH^lqnt%c?8?U^+L_Lms`*sA z)!%Y=D@6l1p1VPIG6ub;Hmez4+ef9fb~QjOk=>Q?_U|11K9LZL>S`ZjQLaGVoTmNN z>@w5zNIsWjl>xqcFJ+rBDE%bZ#g|Z;eOG0(P-B@zT#mn?DO$O%!k=C#wb*g1m_6igz+1$qK9fq8r{1H`u zC(#^UEx%`p3nx?Ao1759huMYbQ+57F^(gAduzSNfcUOQfjzJ6agzoeGIU|69(@$utPdI*FFYjK*d z)h2QS6$K1NO4a7|nPF&ghNcX9w_1E+Er=>V_#%cZYJG*xN5Eo%CL0yw8~~z9n3vu| zoS$wXcAlf6aDW^5O0Dh<3TFd0bHA6(7w2+qI|13A*f-D zUhVR&EXuT$Y?FM+a%K^~JQ&KBqCf{QC^xCvY#9ulx(=Wk4 zg*|@ac0^dp!SOulri7=rs|Q2$^zXRYF!wiZp6lrFjZpjLN&E2+t3Gdd)kE$uy4@)9 z(RH2}UUdP!o#|rCbZb+6y_n1+M+Wuvgg`BD-k}2@6a#6IQ0JRhw>NjAzn-sW52CtG zu%JEZtsQMP?zE4?c<3!zih4NPp3_Vb>;lHScbAVKW10i)s@4aH;26cwBfBA{D6!H~ zIsgnl>-65c!>3ZV(-7{_Z-6?Is27r#;2ofMf>z))CRv}hoqH;aJu(`gk-zwLgIS+m zcHMsTB6iuR(r&K)pIrNvp2z8vkN)M_&*;eA{rX$+#+r;+eYyHsY|~Xkn+ML&&~Ld2 zUBrM0y&}+bnm(NeB&ms@^fnar`Wn(wyx)xbHW*d2-$>Y0lpLX6h~^20_!Je}voSqg zBNvG%bM(S$le|KO!55B_nSd3}r{vSao=HpaXJf3!Ya|Z4_KTi_csT9Ex*&oPHA62; zYVzV0ex~E^%#A?%PX_J?WPVZ^sLEm#>NPOcand;-pgoSfp^A#0%)GbUPoV+`OE`lP z43H1tR09s>#VR}$44bqxkj)s-w`oTJG#kc%#SXA7OISMp8+evb$k)ekgmA+zTZutE zMtUwFwYmMdI5L_m0tp``^{o{{9mb>iCiK4~cNG#*xWjG0>HW$!KV{6ue~bv+V$f<4 z5oS}SnrER~$>m~M$Vh+DW6lg7^#0yFP2Si-3pVKc$(@h%Q;ZDU9ndwKp$U!;_)l*C9NDgZ5UW@@;*|nS!c`_ps9gr5cim#@t1(;S-G{dL~ zsELRF!J8xfeA?m@FWydg8ehhULXlB^@y)VtC& zJ9s%`C{rRl1F(?DiX{}9WevqR{Y~Uca&ze*Exmd~Q?ef#>e{i(bUI?)*euU6Hw^*_dx z>uAT}e7$GQ9iB0@q~WOcppOj(Z4AxCmfQ(7E#7dB4V|1q4wMkgBbwex<~RRgbeFvf zH-Fb%uLt_2&RNAV%W4yExH0oySesxe;)>XSX!ZGWpKQqE3;%UG*FD z2~3h#eO?lI^BN>MhnM?4&Y`DDj+txt_A^`;jP~u{Sn?UnSyJ>7{7km&(PSguG|+Ei 
z8dTk@e}~?^o3$xUva;bozj6?n!96pCyif_y{CKqyQeo8oap@C+hJJH{6CTA$9q-~c zip}5l_Ipb^%~OTa4{Bk#L>XS5&l$p^b7Qi14(nEDi*GzJD%XLN(IXnTtpX>V*$Zu- z<(g{ddBQE0^X-&PcMx55h{v{QeP(}9OflS4t<5{FL5$(r#Et3 zEzb__AQg5DjBW3ehqR4h>%(P!|EA2w*Ij?2f@S8gQ;otlZcpcUs>2VuPi8T1&+CCfsYrY?PUu2?4T2C!8|_b1)4W&b zqDu`brUf(|0y-+~GaV!eX!20?kQxZL5yKoOmS$6eQrqH#F&{MC##$Z_;Z%Uq=g)Vm zqGtU}d>~*qx9<3FyLo~Cr$`O^qCd3&B#x)P(*crX_Ea#H z@BW(3+k;`cE~_Ltg59}MZBC@V<^4%XW+cK{-tJ>&_WdIIM1dDrvBtthy7<4f4}!_f z_*BHK4cvJiM|~$X?W@|Ac&6OGflhM#aV9kWPhgLYkx%;yadaCSGdP2!+09gELm6_4 z3(`SrPvn87@WY@+$K=41e5u+ez;JbBopI?#wsmhhJz}|MuS;tlyYNTe9mqK9NX&0C zEVO`&7_;G96Vq~bsZ_%S@-o37Bw)^CDCOyDD}GysLb0FkPPFu?b2c_Hcw1aRP2hR8@u4I_@Y-_y zQ$9ZQgPo~}Rt&#h!;s5|6qgIPRj#lDN_^TZ@9HMlulb_ zM_GGXX~vgROe8~J^oIqVZ!4UH=Ulpso=w_!3y@;GMsDB+;LfbXmt&-k!|G8*iQ_T) zS#;u`!V<0WIVLO`Mm>ELPOvv^kAEn(cy(ji)Q-m+M}DmVW0me`Zrk>uI>=05zm9s& zy`x6wLcaw+6Ki2Xz|>T$=V)QpybLFL5b2;Kn+37trQ-U2tgTl()Oe*C@am(m#Db3^FmPS}ZRVzOSILEW%mdp)p@Pv&Y9sd_)lw#d<4tvh(pWqh4xrbdMHGpIkqJaD&rZE`tHWiO)74{D@*`f4z#346Q% zyS)@OA%rN>5Uu}vu_1fry0odu5J?7HI3nnCXFyqz7OitMLF^y?vw_?ac@8`gtriie ze_S&*wD3aUxX-^3tCq_#l$cc&Uu^hRi;dJd-#+H+=kugn99c;Uw#?NNUvj*at@6xs zau-`-omr7G@e{~+?_(DV=PKjprp=WoWMQ-F``IZBOqUxoKX9Kd2}4R!UEx}SnlezM zDBoJh`f&c?$3AZ^%UEb65l>{>J(McWO(vHs#*u6o@HhU6O-k_@{(!M9+~5EnB^Sa@ zlh%t%pkm64tK5xzeQ(Cr3oJTxh*Y9WujR^91i2(!k$25i&ZCJ9{}?Vyx&++23DEmuL#>`Wz16hpD+-S?ySy7Kf^7@=r~KN>D>i zaCbai009%RSj;$R=o8S#p+aR>r2Z{%OGLG9Fc7=TDP?C7MEpPjo$6F2gf$$)DaE=y z%?wR9z#1a!q6og>sA4Aq8a>}l>Tfi8k6oEZpXg6no(TIH+ojdKvG;8TOxaJ&T{q6a zS~KXmt7qc{84gzZ%$o*bI96$Ieo^C-y`m#o_{hi@@SsGZH#-r0oA$Xn|6o9xE1}vG zvl0P)zDIo_G^9q@pzrhyEGW45Q)(A?{UM6jZb)(@KyT?xgSIw?FtbGw;NwdSd)*VL zmjbnSThilk+wbUcdv)`$R?UTeP6r#>H6zcK%aV05?^v%h;nXKKzz>e&3_%S;uNQbW2>-jnvxh2dWvVD#J-@5;5z5Og z3>WyFAO7YK|FoT%nnQ@uz$I7SqF~SJCwFW!)c0C*{GE>hc-f>)0bb|{ln_WPMPPhT zXY^wQ1tDpMefMnz=DO+`x4>@vMEyq9sz#;VZx3@6#_^5S$pW%envGoE3nsiCde`8V zVi8*BgMKKCpY|YLap1gH1%`0vGyWp%?P^-q0Q4=nHMoAuK*F$HXL?>*s1ZT(Qs_8C zIg-{i;R;7(d`{=sX6)0vbtdUy(e3iFDJ2@%)lYPY 
zOW*a?O{y-yP5RtaxG@NOvjLZY-sQ@h46$vuZJn zHh_1#9i!8v&&y}aP&A^NrGjC%RXZB%vbgv zLAY7l7aGYUu&<;qewJ^{*O-m$j#g5h8gb7z0`_Ar((AR@$Ey)*{G(T@>=!8fEte?c z*qd+X4C^;ADDNjuOHy}Xzd8r!d2LWJbBhcs)S4@uDO386q{e+`4`-y!ejY1EWN~nj zo=pFxpfultM@y2}zZSwzlB9EsspMb=vUr%N)HdVpur%Yp+PM!1vdx^uPgzBhAFJ%| zKHX|utl7J%Cj&!f_j_EwPjZ@y2^ov40_fX%;L60l54m6@TPCrPd| zNS#yX)^yJPjG4C)OuOYu?1DEMak|R~l3cP&&nT>zp%j(NrVLm|^{5M+MEcyp6&cpnR7FW}Vh)Fq9%X0+!wWo7+no?uE_bgobqJp$ztkZbBbj0S6WA7{?$!wzg2d^u(=eL7790> z*Hnb7zHO2xtMtceC*Oli#_io2wXFq?dlY}lUgO^54_C$9=d1M;%*d>|(l?a*#HR^B z_dFWVL^+*{q0u((ZGX?@wlhC;t5-e*W;oy3Q=4+EdUF^_e5jOkc38>=rP9@nS-obm zKU%v!nG_~(-&Vvdgxaj4YPmSRmx1Q>xlqd;-r(a^R%inm!ilx&$a8+7_^cQ0DeN{V z%TbcA)Zyq}vw+^Igt2o5f`nfJL`^AVR*q)*z;k#EEZp5uT#9 zeB^tmBj{j9C8RqQ6;#T`Fgt25+Ozg`BU@5~$k3O1 z(gHSsO8IfpCc9!~qcp;9bErf#dr$j%W0igPXF#65Kx*0x?fiChabDi{VMOb+jt;2# z!KLye1z5CNyb7F(wLYC@as9l<5Z##5KImc7zOeQXo$P>YfvqdZu*APG;7$#G)Fyf_t$|;ulbAie#U?rPasc(=+n-gAjMx%2(<>fL3e%!^)(c{rR|p#q%HiIV`mlJLL1WlRjA|pmbBkoOQDj?`InW4(IpBbv z|JZ*a>U?lKU-3s>9b?3gt;G~f6Cc1p$m4njrI4+weXmPrfq#~)bDKj5!amQtX*xw(`p%Ii#B5$CNVl`_hAw9()?SX_sMAC1_EGNPtoqViNo6 zX0?Xe<DCdD-Fftti4Jzv#nTvSwWIPj)iwx2bNbo9!I^{dT4oRlgQRLjp=lnbGe%T8LqX= z|7R&`9qXzS)xug}zX9f{BLlS=ZHVQr@8X9{pPn4v*Em5AacwuX!L`=tisoK@to@5) zTW@o|hOX3NvG<@`GKtQgV27R8BT0Uuk#v?a{=hJY+_t2Fn$@{l^FyBV@CVw(M&oOC zc|Oxb)-GpDA(5g^v1>ZYxJJEtgGfcObUABB`L!7O=`|(A7NVZIEWhFj2eo#x*<1UG zjn_NqayAYelrdpa+OM%MudCmm?Q{)9?7uuN(wi{1ANADNKoAJGMX*z$NK)up6zA;Z z+_s|D%+-pr{desA`xE`BrkwPHQp$!t<;D35*a-BCuI5HbHc3p~=AJvFn$&0aa`r5G z$}4R59!SZ`aMNOr&9nms5Qwo`YH4&pp~14Kd*LYJP_N-!Q=k2TWHl%kDFk(zO}XfC zDd4Y=+A5{O-3}M0SkJq`7<{88SZsUDh!;Bhu{&8!hhg+_s0s!V=82`8KV=)DFQ-IY zJ$9Jo{cV%X_yWiJ3Xn!u>rN(SiBdwRXUGNK#GGe7J?JGa;Ac?HqlU1_S%sr4fk zd`A4?uuE}YyChR!UW_pugTmZ4s_Kgk(y*~#RtL+fV`YKq)0*j1Oq3_bXOe~uixV`H zPgtbFc`n-b4{LK5tAsugs%=tcu}}V>`R_W`f-kgp#B4gemp1op(T}1J;AWC z!0{G-{mp1zIQ*CK@5KwU=YpH3{KE-_1r1XCvta0y8A-N-BCzDH*s)U`^l0V!~YeI zuEcrB8P_V}6qAS%ZQO$4261zX_-f4s?F5>%bO{J+t*1%9I*u7oivrW};K1;u$J^Nt 
zMSTo1UfXKu7Hn@d>C!N0#Te551M#T_XS)|y}W&Z#$Jkc@%( zcP4)irWYkR%an%6FdT3Bnv!KiG_lVS9<I(l3f%{1!%*Z&RwaQ>f@M%FI0Uf>l^0<=uRxUbsPS{!^so8JBO9y;s9> zuYQy1o&f@?64$P-UYBq8WST&ZJ0=&_<^3-*EjZy8!ruIeV|&-#YsfKi_HBJ)Uz5** z0!d$i#OUc<5#031vuyYsu~2tX6GRO2?gSw^?@)Y7j=nDcpYg`BqGSm{fbu4SlGjbgT7K!GVT zHLtM}7|8f9vwPa`+0DK>{c~Urt>s5j)xPWe8a0)on)kx7aOW!r`qImvE_PdF9tX_% zOQi7jw~S7!{+Pa(_@jp-=W+;MT*JPPz($f}IP=XLbwqGwRYu+=u_ zd5rfPQ&h`*`sVubukftD4-= z_(;u_r4c(AS4-P*$=;e+$1@f_q$lH|q*oyxldXv&2E(d)CX=r6O(sP)gd2zcVr+5v z3c~F?^HDn}5_QE_CK45P)OFJ{{_K@%r5wXr;dBO@=DF3hj8n=0)ksum6H!0&l9X{D zV72>4WUcSM^=Q;qJI*%gOU$b4^Mt7XBG$8l&qt2NXHnzti1kJ@XIpS~qD{f^c8hq5@#*EdeZW zR^C<4E4K0i?}l&I ze=zK|n*W_)!|OV%1;TiX)W*8uSg7eI_ti0+)_MhHkdzwRpGEfXlH2kYLO*#YeF(jV zPkgT2@RE+qivJI{`Y&b7xMO`RVO(n_9c4KknbAFuch?U=8vH)^PHMB%GSF9tG_a&p{~-o#XMyj#>{yI#Mcw;O#Ey9aS13tL0(Vm`Ar;>(^@22z&D+12~x z?K2lA5I3*p(9u|1OP*BtztY{iF0{5DQkQ_eDH z`)mzIDNf6*K41r8FDiI&SEXnpPbW40TaxH@dQq7c$>0S5t zSBTffzGvA|DR;doK%%_08!J&3r7gXV|4ZuocT!NNXl!eXLs>yDy;D2Wt&k{OcOC=f z@kxaxy$Doht?He{>3uPv&{py6l@vBdsjxsVbU$1aPk#Zt=u(T1J92Tk*uMIxqV$Ga z9o2z88y+W7(Gs9v^N~gO9NS=pI*FYogM_aeG3m5DOe{&lQnRGND_7Ed}w!I zPFA%1Wrdsg_*j2R^zst^9<5LM`1MlH$Xi8dt49!n=(J~3$8#C$NThWi**%|Fz<#I* zY9>AOGeCP+BbJ{My0<;i-;FrgzqCe}?|r8laqp4Yl9Wb(w8)~GLnEtsykjyU4TTny z7;3bOo4UvxjtR>nTV5q4eJ{2Aw3)}chjn(Tj-AiUR#ec6bWH0=sZGcgBKX_faCNz?Ju*K(S4PIKYOe!EE;$wtPEE9#u4ar%)w8mCxSkikfC=nvPQ;+!a<8m!#WsOEP)l=L zF9I7mbGh#2w|_>ecX@yGc^ZLw^QRTspmc)_#5LztkA-YUvk1eiW2Rgy0DK4fay^8& zNS;KO8gnjj=BXL>28*v04fX$)sZKVhI%DJ&SdKY*P6fO9N z-<&cEu~(X8G{$@Be!;Mm$(UnKXRkVqkVY2q&>I}uw%f@t*s-LH2FO;%@!9Q8Y)n#O z)9UOMXXK4qAbWqNsvBd6(MiX8r#1j5u4r2^2)~sUQhG%Q!d-!dFDWw}OX~~v?Iw*o z;(}AOl12wJ;*hl-g1BmVoep!`CwB|i2Nq>ssK|Fjnfbt?m zk4hdt^+W2$;l+A_jritOxYOvDpNLEgcq;r{9}BRm!ev_&h@_>Z&Z2ram8|O1BO|p& zuaAePr>|*9SAP;d_1ay1Auv}b+<0xxdF@zxxo)CRt(B8C&)zmxUm}+YB!VCYv*UHs z0BQS0B_DjE&{sZs>GP|ER71F_aNep9n_4C)5qmi}PmTWAyD%g^T`nU5^GezY)7}TK z{{({9T~rlE_UvLxMr1DJREGDs`uheb+Q z)~BtD%(@E(9V%mSzP~O`caiig_K6A5q@p8i|02g`Bi>hGUfpB$WSIKZG^a58%GY04 z 
z*nz8Z91NuQS&AX9Z zoY8MLdi42B%5Ro%PAlXzo6`{k=(E}LDUSI$-f|X_V;k&S?Mhz?0|y;Qx6P}cWH$P~ z@p`AnXQm2;{=waigibg*DA)4+G-}11`^(+9_->1jZ_>3%mKCAUiE?tYH<6Vc{kEI4 zLFtmv*Ag-E+4bt$*jEG}6ebT#5}xRztAyykE_!C35Qz%hkd0B4%O#PcsI9yLB|{Q# zm&1qqfzD0DVDoxCH;odq^0kN|xBRcp6>Zdk#ejmt$xb?Z>HjeI)=_b^{hDr!KuCb# z!2<-h&{*(<;O;KL9TMCL1b24{?hxD|XrOUv+}*u#Io0rHfBWqDX4dRAXVyCPCp6t% z)pV_@=Xc%LZ7`caj-}2+U8fmg@**6yl#5}J1iwCnT|(;@am2`D(fE+Pa#FgTiNI7t zU-F0GZs5AYq?q+t8lyHnsh~L4%M7LDF;^y1(-n)?sVljX*jp#kci-%KniU% z+4{)GhzuB?5wd5saXMdIEk$8#2B@$_?nXBDvaq$J8n6pN!rli%wvK0<55)u>`cgRj ziRAZ{DN0JB^KQO6G+zFYOt-InBcZ*sy4y6Z>JJx7^3K}UpO*yD@o;Fu@v;G!zlSdW z2~D*v7XNT_nsXW*7ei*MD3s&Yx+sNA3d zJY~oH+al}s^Vb#`cOJX8QC;tQCHClmT-iLg$c~cgmVZA;Wbs`;?yg?`EpZ}EmAe@K zgBacD^NQcr=MmF@vY^eK7)-V1{A?rV6@l%*{J_yCkV6H?oWVQLB6 z@O~v0(}K=8--X92PXm)o)R*H^1Esc!ViT(srse8L%8ffVWbG7qlgwa}bHrH0;sSc7 z{M@P97CA_sTSCH?!jR?2_$?U&XJt$Cl<|N7UQkX0mswmD_f&CVLb0{cW& zEQ~C$k;c(>euaSWC|)uZt-P1AFKEL9Uj+ScmO4J_@;_y%SGOLgH>5T`WU0fb=_nh3 zXMhEfud|xeg^b7OE3j2y!D~wL0ghmCSb`UrO)X$qP0eWEtr3*-9~`{ZLx4qz?*}6C zINN}goCm(K{Ow4$h7lI;P!Ea+^WaJ<@t7Bt?)~$EqOZpjv~2X-wGwz+jGlGbn2gOe z7|9%;D;bc`3=0b!?2^MhvO|}bxC6*s7;$Qv2|0K8{k+XdIZ(7VB z#`D181rG52_J1h_{?F??WI>SIv9Suf(uoMgHp~8mS$CE6G;YoO;1W)GVTkzL_F8`J zW}p;uu1G*TO`dd-#(M;q?12k3R-L21WzMXHmvjcRRyw6KkvoBtB3e;XlQu0=txCf; zDckD|@v72aJHA(^_L$W7YBbwXxEmZFj;6$0xp{;POqf-Xq)Qg5Tc!W}GDoALnYT!0 zJ6DXqopkYMzTcm#xoFZg&SZF`zPQ$J;KOg_P@7rPi^JAdI=jnedhtkC9JT&BLxXRt zj%)fddu)kpnU(bFMpbkSTs(5)o|V@HqE+XClIwG*YYx-3o}Qj;gr%aO5)n%?1al`7 zdkiO+8<%r}$l}<;wou-ih|6!cwVrF9kJb1F65lU8PEJ}ClkDaEW;AX$k0X|MO5min z+V&w5Tr#dq0pa<29NBg+PBwbF~Zc?$q67J#|6zVmXeYCTNf!c z&Wb)Ptzbv;=y#ZPYRSc*Zj-=*)$6Y!*WcX-tEq|z1I*C+)opb!;`ihI(GmsuX%v2K zzPURalGmhIy?(OWB{&8IONQuZ^26|P?|AN%O#bk!&cHcXy|70ypxmuZ#7EH}d9q$@ z+uXJr^_|8oD}kBB`^-`ZXDC{BW1c|TX{_M6zlyNmJS8#-l<2W;!& z)iz)RZ5LkDj5d_MI|u%y_G}~*bj2_|mFA-xY`HoR1lZd@HA5nbsjGJhI5MmP-S1NQ zPd=v@?ufY=>>AB7P_g_v1w`f5jDV<|U1&7Z9a&`cW?DuNgGrHfd`pf}*SL%!o{m)f zV(T?%sq3RbwZcWlWJ}Vv-ycFO_}ij=Sn&E!z9es9Me7&yR7b`*_4Mb6OKKhHHbXU% 
zhst|KSme=ixv>oq8<}k2ErNpC4859ZvKBED`$@u5YFw6_$0!9T0fAxIr_>^3&)F^< z3zk9gin@wV?l1T8h@IACr^MgjqwShT$i~-IkhKpS>Y?@O4_MQQDN*x?YvMck( zLs#rVMnG2n#f%+~{F!-))ue_9ci>eOZpm+VH?@(a?f9Fb{dp`9pE&W5W;DK}N02a| z(?&yM(0(3`w71z~ftC-htbnW>3dqVk zgqt*38LLFd8vQZnO9r+HF~|)?S7dIN`EOtobu&gMz6Sk)u&r25UxgdQ`+Z3KT?E-G zFBI)-?blE{mvy;)N`Y8hqXuVZPBZgb?RKgJ4vuZdRP3_w8=31pM zk;h53-EY-`#&9P#?X&M*<$&f#MhmHJ2bQ{ezc%;j9)olA|m_KE&u@*%L`7s+_-T# z@6U$yu_g1RZS4@cHyrZz9A~ctlRr=u&9+!pET|uk!oRfN_*FM!>2TzFQMqXh32jWe zv+9U+mNAhV3%`E4nOfbAq8CkhNQZpP$Gh->;qhnAZYve%^NcljS@$n}Y$)oL#&ePG zFX_q-;fR<{TL;rP8{YSsdw=#VNS8iuxE#DD(X3|min(ZFTz)fX6M#4pUmIR(s{i0L zPo5vc|N7uGKkyWf#cpaX4{zQ|9uUI+*?Td7Zg&%Ex$J(sK2#V}0rt~guTUbdGpQ}f z-U&SZ)_vWfNPhv52bt#iUU=tUaw_Q^8S$^@iA&j6YL0*wh%3QmNhD_+G9SLRJfeP` z-aG%L%v{v$w*NCHippbflbBWjfus3cKWFglo?O489`r=in_)Yar)T1J+c$!EO=Mr| zYOh}+kt97%B-|#psWC{gYnIeh34NQ3vM_b00Xuw=HQ9ele~<5U7kA%-6gxN59&)4L zcmzkzpzA&WDq-GqhX;>??%n35goi6B#89vCWK`Sxv0w$<%o|J;W9Ezk;QWkEvC7}m zPlC+O<4bTogS;s#7)%uFVN}a8cT|th4I9O`0i*bqxk=_Qni}(}yS-}Q@qVNRw*cP| zJamk{^`@SU96rncCRxu?s+x<@i)-jZ`1TuT@`E)Qf2gcVmL+1#VfdIvwX zbRCf02vv!ksPXBy!<$kU^x+x?K!uI~sL)mFv@kJBc6uS&`QiF0vVyZA8o>jy#QH|_ zcWyj@1)Zb0XpskO0$9+aq*+eJ+nXGe2*L~a;gQ>QoG?8xj}&bDfk&zWe$Qw!^70zU z1dFudhxtF1y+qD@1k#69*X90U3iFupw4^?+Rg!11i4W;-_87VA8*JN!z{x4iV#PDH zZ(|mQeDu3QjW?POg0yzq1R*26kOh8*TJEB+rYR?UnBq6)IYu}wi6Cy1p?9vQGbM&T zj=Qd4z6^M^yja~H3HL|XSPGwQhEX;;bBFwJFkeYz5dSy^2M5I!q!Ln-%5UNQpz%2v zzXIjZ+^=JsKdzPuHTYJ4*70>#{i~b9mmHfk8~kahyCL=TYb!d^sM0=--q2K48$J#$ zJPCwpj6K5vVCa}uP<*-m*4mDt?j|vD9(y;S)*14nJf`-s4zM~a$E~kC`AhO75LdM; znY55M*e=y6iEoTwI6toCx8%(hG+wdnm%&@=(h3j-4dJg$^^NCqPr71u2nb}rY zJ3X7RkWMJmut)lQ%HgCvXI9xJ&76FhWisJLHm3yhg+NP{*>JvfqjP?h#$Qh= zmqV-??#-MO9;b#y$$RRA;fju5kK8#80;7ElMf+(U8b{*dBiLx)oAF%xnBAO9Pl1;3 zm!BqduJG5>ccK$+sIk=f!G651B?qoCfHQrY{@Wd|i6gHC^VJ@czLpD-QbO~5F!tlZ zt?#%8#3e;?8<_EcIz2CEk7MXT#l5O5nVjrv;9B^sb%aFo+^ry4MLs)FbR%mgK)30T zRZLJmw<0ekJ5TNcJpr(%uhK%E%uuBOk#bytz8)<@av}wXWJw@WPFfBp_8w?;BvWx$ zVC|RV*~~n?loS6Eltp#~Q4<%oK2-kEXmh6s0pq@HsH?|NVSRh!G 
z7ROcfwRC5d49d{k-FZKB$V9NUW0nfpAkN)dAFcDEWtFSFEVW)c&&AhO88A+Xq8n01 z&gfh;X_;!_Yh^=;(`%ZJlJr6lPU ze!RAIvI$hZz72s%kL7L11A6?CH+0ZNmimhiG8*laY2*4vXT z!$0VP^&=#;M~U1{^S6+<)Jl%x>R1hWPen11+}-bHSTz}ueMHin*wLgI02*a2?|3d{ z?;k2)>WKx63ZRaBS9tb?`_adY(Up^~F*f^9Y5d}#pG~z3g)(mPCna&xY__atI8je~ z-P3th>{FM$It09wl@LtlN2Uhc+0SlPJ|)afUEkS>pWm$11Q;l2$AxycOys%p2N&@7qmHD{e-Ieafqzr z#)jwU8(7-0Znz-bfqb)I1FWTe@0mA=yG5g!LgQ>cSm{_9sF4vsy-^FBq%^}goA@|X zK*c#8i<_uQv{F_K&#J;>-!L}!g^A8sY8#9lcr~2Pe{_alAMJ6E2-D?;DY_( zcIV!W-BdW$No0I=SI3dTX$l?@G;R$dlQSH5&Umu!EkPD*A|1yb5{BAvxV2a7b?qJ? z>>xCtC{5?8WJp8^DHPTcC>~l$6kC!qYusEhC$86|a{1^smTB2e1^m{8s}vH+{hLV9M-fgmU=6O0cAs0 z;!c=?xRV3K0T}U~I5=LyaNBmJ5U`CP14rCbHpeYT`%d$eZr<^4u@4YWE_T09y(u_0 z9xtbXD(2?J*3LlW$x?96R-d6r>t7b^iLFg;&w3{1SAY@p2RGD0dyl5Eq2IWVb4PWtndDQPA(V&&s{b{Z_`#)X_M;(C(eavSn8GhZ16J89g(x zF5NsQKdB-6C%T3Sce?p1mf_oh+Q~W(S2#%3&e~e&u6xejFFwnS`BgX1S^>yY4!|6^ zwrP}Tx!))O%)xhnIqVH_vVcE^|hE+;&@!|$OSrFXdDEga4)YsMXy;>ukCVR^_3{P=E(Em0GVS(XC|4HoqeCc#hI3V zgKR58{_)=~6Nr)Ei$pe}J5d%K8UNj_>3SQ|*%FG%glahk#l|h=V~r*m{5?4|5J&kn zO?;zAl&b3&$1>+)&1~j4tufhmL6rk;k7HS>JF{eWWwvQ#s(Tp1nu9?7K{CeYkwz+5t%6;TTemC2j-G^8WH(nDKIh|b?#y}I+cXbwOC3}+@GCl z--J04hsp-Urn?G}#oc@x%QzO*>L9|oA@b7swBx2`?m(&n20KlHJjn+N$IyK|VG%;N zo=yFni@1~^htb1@3FY8+Y7ILGi-PZp1MpE@Dd+% zJGFULy7etYoVL;kZp%#{T|pQsc;xQo=^zwRb;S@%XYA@Q(fTYLIKWe!@Gm6VHG~^^ zV!$Pz0Kt3)Jz?b&Krm18$GHxiJ*|~)^rGnIk1;V0@u0(PBBo|LZnhy7lEZu#f>t=B zSd<~JyTEDW=XmC=y3Cwde~Wz^P0!BU@E}NP^TMiXjI-#Epz?ZkYS;w09U+O1RL}ux zuU7_IiYi9aI;q|jnbP;dZ;u*cm})xbvA{;p!lMEJKfS7;pH6ZtnPQH9LCU)&z`>sE zKz2Iq@pHbn%a7@Mp#gUJ!3Vp%CC=D89a3DCR_LH=K`h4m6LE>5I7UbVs^+ZmU>TW9z=MD!J6u3x{0qoRgU)g#+i#d+~O2EB3Kg$|$l9x77Q z#VNZMT2wsG`hNea^zf*!s!~VhY{?`CY16b?#Y##WkK&9y`I$Z4n1 z>4xksb2V&eM$}-yBHB1avT)vg(J%zRI>ZOPA=NWB@GaUDH?s|{IlAL};LryrDbEQp zEN-qUp=gznxn89oWCtkM#=19ZC%1}5g^XkLAWW`C+`h%K1^3v+P`(8F%~Xz~E3NxY z&oht@08sZoB6`Of(cJ1rwLAc)pn~*Y?B(YTpA}94<{edtS{g{poaI|%Mc8fU_A@!q)q_$%{l9tOPmG;5a2=#>NcJl4N zzA%jhVx{DNwY1jq2~~ypOZ(%BApA<5zit5)y*f-q@B7Bt-LlK5y=7syqIoA4)mBqW 
zH#sFN$}8w6&*dk@$PC57>*}4%A?|a)h~Y0(t{%P7PIyq1(Or_l*ew2Pk->mTF~(mF zjvo65mX%1#Ytasi*SEld#VpbPPV7sFr(CEA;CfzExW z(Qf)waIX>IWl)D{>y1bNZT&O4jnzJ{gLH|a%cUrjv+L6gft7Ru9oIoyP-F7R=qb(Z zQ{A3f0u5>|B2(Qd{b%g$ch!=<=Ny={qJj>lp43___lGq7&q}NZ2W212f@Be*a=#a7 zsR_TnMo4R_E=U@U1qWxb&xoXd+rq6e-`+21V={nYPPK7IVJQ+dX2Rk~7Mo}{5>*52 zDictYhd?#^utF==uO_It6GlpolPi(1((25NYM9Qh>*b!6t+_gu5N+VB#(_&tO5K;~ zw!b$7glo$}^T%^V@Z{(G8o8x$MDD=i#HISd2Gu&Gr0M8Acek@&&wM(X!3Noq*Q2C6 z8r=++Cy?9@>#g?9+bE7;eBRZN4ije0RWWaZXQ-8SFND$dc6Q|IA5P<;82dpL3(BhnE6N zb8E4XcVB=wJ?5{Z7y4c%hE{!HitSlNJ$^i^9H&O2G%#qxN#o^%)&4qu<=$$qBpK=Q z8_(Bugs^*a)7F?pB}TWF!+fd=bb1VL-}mnE_HHm+hXQJ(lW!(JEt;}(Y|}t_1GmbB zI-u19Mix`Cnt;{5+G5sf#cH-S$ub&dwV#B_w44Z{Rk1-sc;>f6GaD1V%(;IynwZA= zH*XgURwB4(1|5)RuF)$ZpA;E{li}de6F3G4$cY->oPNb2jyagG<~FeXC`1usP+lB{ z#pM=S_mPfYQ>C-PJao1P@?;Kx7we(@){(0|S+Gwb$tA0nhoaL2dVbR^f5oVfagZIN zo-Ou)#sf_tFef4NFAMPFIZ%J#nc%c27(@{FQSdxgoWxR2!+wtTJ%CAeUH#J4=(5I1 z%m0}}QuHB!Tidj{fJ&EMT z5;Z$k^eE=GS{hBA<(H6=h}pT2P5iaO%emEtpGR`47A(G}0p`a)q+_0r_$$I6=4*tB z@UPu!t-#f4oy=SXb-VoNvMwj(j1`+}jiuj%erlvQ-F$AVu#dIH-aBnF?ers4_cAZa zz}XN`+GBxf4csk)li}-B>0+0$jtc_ptu$xnTt?fk|PczfW zA#Aw(;WIuzu5=;0#cX9I73d}@CwTLHp4Vy>+(yQo*-zP2pQb&vsISl{<0L0UOZlE} zy;3f{oq|w7k!vexCS!so_BwruGdt9=ItVbiQ6oxWuw3`uQL>AV8#S4D1-+iXX-rhm z=FPXL(YYMF~Nk+;~<}N#)ghah7 zR1mvgs=Ka^a~LukKJo@6Mp>shY?Hm$lKJO?E-*Fjc4D|Ww{@ajIlBJX#2&&?jyW(Z zS6-yPXQe?*^Nh^#jusk+=X0DR&wcLeGoUCd$dR_7e1Hi|@B)$Gl;`&yc&b0Vd_Na~ zX&ozv3CI($w=Fn~&1f1FF1tR0U;LEILW!o>XC3F9R>R#2QSPk^tn{z2x$4GkK2d8@TN{)%M+JgMphLaD%8u_$o}XKix5beG`53F9M|3h@jjcatc<)1-ncQ z2}h+~zR;3n|3|wp9!UPCN)XyiGrdvyD8$<~Be~-U-!Qq%u&E(W-m2W9Cq?Roj2bF5 zLSD=-$Zys01@_{EZLjgKlSF6ZNB{!Sr}_H(LA#Jb@Q-$ZK1E6Y&(r@A0!gW~(^->z zYU`AH_o04Ot3WeK?4zvvRTvnw$-X;Bnq%W&$l$J(bkr)wxNT78S{7^Ehqo~aMlGE{ z4bNQ4C_S#T^jo8F$kr-a)pS`;_?^t`3W>Z>@twos?gy5q=llt#(tXWGEk6%OWeBf@uB4wngaD5{w#YPaDA$p36>>m6-eeNh4bbz^2(Bi;|91 ze{_M$B-vyH_`ucF;xEe#z&$i>mTDREkfs-XfbV{Z;jDwDFTWn&vsm zfSTe`<{5|U_U@rRVB`mwkxFg!wus`h!i&v{{zRPeEaDauT<&2}uaG|<&T 
z$B67JG?VGMiO&L3mw~&!~;3N1jDI%YSb`paT0{4>`5`M$R%5 zOn;`4e%sPm_dhTv-+RMQYhO<5D?0Fz$9nZ9!Nv0DF^tP3RKDC5P<#wbb*EbY5-93N zARWF>);Pzz@U#6ZcLNQf@s^hCU%OxDto}H&oMRMwhVuC(%rkLMR|v|bk@lAXigyO|cnTYiS5f*bDGt8nM@f9OwpG4Y-V5k5r81;v{jU2-s7(mD#& zBxz%uBU~9dHv?rk6X})JlpSW8bfynmmzfTWerNUk7e3|k_hqHr#eTh2q4gS(J151_ zb(O)Hc1jaX%A9SVfJ^7&PN&Rm&7M$fEQ`{SJ6r8Vn$3&c)k0?jETt4fO{`V7a>viA z+pPe8YgK~dSF)<5P}ZSk!*Pb(>~d3O4F?Bj$)yvmrx`gnvB1i`)oA*EnNfM8JD}Vg zdpr-ntm`2bE81xResR_2X-1Bdef@nH4SMx@d74(QFyDUk!o0V}Tb$`=i7LL>I0{vQ zD{mgj-o2TDg1~++A~_G_d6er582?4q?~VVJ2_EP8a<5$H%V@Uorx>yBo*I*vQtd+)YmGQ3-*{>+!19C(6CjG{O|B(#lGqdj0y z@(CBUt5m2~>s>NNoO6eoD3mgMip?+_=ht?u@M!#>ScmE!R*|HofSCUHc`kqs8fHYTPvRSX`L5kr3sdjUhk!g2LqR1aRi4oT!W>-)N=~!G z;d<@i9=#R?M?&R4*vC;rxoMHF)#hOihY*EiH)Uh*7O-K?$L4M_lb>&!6u3TN2XAA9 zu7((B%d&erb<_AuI%O2jl}>Ss`qXQnHDubw_Ps1fUwDgq@QY)#2EkFgBtl;2Yh-FQ z2YsY*r3Bf-+B9mqA-#9^3su2)pSkhuJkl(5m|M3s^7IJ4GB35xBkQ3>?^HuO&oq8@ z&iLW~C|xy+8_a10>)Vq-Y4@g08lK!;m`enf7@k%)xvO;{FnaSlD_DJi1ChMg%xX3h z3PT-5x!Ytdkw0((b&N+i0wxCnuER>E%1x{gHz^GdYQ2|~h@G3|fXN}xm%#<;;}NvX zzf^*HQ=;(P%~kX4=X-WJlF%a}imkIUA~(IjA@n6WXCL|I8TP_0rF#}{>X}86VyeDE z{xYw<`J&k21xgZS&5{M?L}k&}&t?~<%~%*Szs7<5GNSFf$)j;Z#A2iWUGT)wo#|M! 
zif!D4l!ktASIA{`aZMsILE(Dys8va)a(}Pl>GTeByB?QXi%_B?hh5iT?bIFDBDYl2 zoWG~LY(K!A6o5VgFb_xc{T(5rwNiW+8j)5AiJW%d$B|Q@pQt|f5Z-&8W@$4n$Z4r zQsnb((&k0h+jV!sJ`<6Gpf`4s&id&EF;^yFB^#dN<_NXJs?rN@@XCk3FiGNJSd?utsP z>Gz8M&c4c8H2KZ`#|u?KLVlZ>Z+)aGGfbH&2X##84_fo8?|2zY#K8tOl}az1mok%# zCRJ#w-=wx7yIJ_!P-S$6_I#{RC$PNG2q8qz*34K`d^YoC9}qiW&ah4cVh1aA97dgt z($E?D`6`7Q)=xs+-RC3Ztjij<3u>jvK9N3gui|wz(R53B^RyIKYFsQBIN=O_q@tE%XL3PMUXo@SY@UDY&+(j(_OsNGKTcjfN~ zh{vF|@u=lo_4Ju?Jm-=w=uItP&7HXtAUM~ls_H3#+$bhhPRECdUHN~n!I^V%t)5%_ z(5H?hc@i-_f>^yK!XV$*UY(q-|I8A6k}D8-GHKnMg0oh6M)fk7&@4+cgpTdzal_*R z-1JDdj|_yvM(sg}KG{QIEdX01*b9Nx1yDnS3mv2npiRA-544!tZ}ZU%m6<(PMs+sq zBqG8IDh*14Kc^$^%p-a|{xLz)ovikZyly5#FE$U%n2F8gYIu3~-{|@l*KMW#=$&lb zIJLBJ)2g6Z+fzX4S6zGV=RZen@oGQV*qO7YBT*%PX`6W z31~Pt1L0}Yl^WS-cD|SJfX_$H5a*@#X$7|)-DaTKGfUjm50ph;Sn(E@LQ8*0P24s1OHxh6>6YAC1R%3t`SFEBFOXbeXlF^=2Qy$_4Vxl5$*z zMb@D?anEtY#8wKbPyTtXRL+wUMFctC<6mFGcL z))hgoXFp+37+mjAl<5g$Ptv3Y%*6(qWLX)$&WWr(-R%I-L~h=PP_0`AEQ&87A73 z$@^QPVZ%K;x6Y0Fanvp8sGH0RUa$dI{+u{%mlB2RCvdz@9q6p^$f0-IBSb3C?xBoe zEMr;$d*h4BtBvW-0aaD)h=lM#%IxC~Y(dOPS)hzSmIXm32fiS;V}BpeK>>02PX1EH zK#RM2J%wiV_5@D;CZ@NqOiUyo6kWV zS0?Au_rj@$>Mk>?pCqF?7m>2ixGT#*W$Y_Xi+fT;vEvh1?l=s`0DvuYS%0H=SeWyiQ$m9I0>p3}v8kw-9_ySy9EDKNsA9Ep_G2%-` zMk?Bd6=e3(=#y&aob$V$^~qqS?a7r;*2-fsInH$-f&++<)xioK^#~nlO)M2fSJFCJ zOC)?hkgz;@{TJkjJ^u@G9J=fK%cq8ymHR5s}q>WO7-cTD5qA-i1$8s zCT8n2aHe6|9D)X?dFOT*wP)(_zZ5$NMj!2gB8}L(radL!bec1VR33R|A+dw;bJ>)n zMvm?8@UuyPwt_G$vWVuyUHXmPha0Gu)R_uIIoEDw+D@RYW?SAORVB~fQ#!Z*LUYh8 zCS$WktLJ~xUQ?csos*xo-j5`MH(Ia#V6vt(2)En9P~Oo>xL z|GfGwbqkF>OYHD0flX`JcX_7LD#mcj6#)N zXR$O=H<-krS!BP0tdVO+ffrU66z@04Swoso$v)HC(CP8>6a2*Hq%-xl`6HVqcOxK# z2zu>-)ZOFvv9b3iL!GKctVeJ2R7!QZK9VqZ)1r>_nHnFV8051{Koj~K&XH>(xjv^r zb*)$17!MT&<~6e~uM%>vc*}R(R12UhyO!1XsX-f?`?)IfU&pt{weA#Zf<7#Wn-MI| z0HOeCqOrG&mw~_7UCmuK!Q++2xbAytD|2KwZ1G)7~`IC+DAOXx4w_6kRS= zz9XP!jU8Bh1UvZKSQ@~;xM)@?8Lj7i+d=M1+CRKSLTCGp8#LiwJAb=Ao!J+4eAzg& zZPJ&pi^cl-wX1PvkY7i;9qOUEzJXU;B%5e6CxUS52grNSg39X%KFHd3lklDVqY%opkL`(zQg 
zn4K0;@VL&BbfobM;Y@Ja`1U^QyOf}VFr-akAi|HGB|-xstUPqbFR#vN)HoGfV_+qH z!qn@M21m5bq|kDPsiJXE7qu-*LC)xp-tmqKvbxvp7Y33V`M&Zl!_vi7?di)Cky)mfFjs}$} z?=hHx0n*miG<32@@|cku=P-A zpiU|0W3|OTFU=VI!D-Zcrs}9=w>3f8jjhAX$6}}rS_EJEhPyTJ(cJgTSfc0rzn zvj~_s>8l?5fYQWK8b(5z;e3K-n+V4Or{&Tqtpeef7`dS;tV8|%uW`OveiZb&A3(QG z$DlR|w&ajB=qpD8^$2<|#y^`DY0CZ{WMUD}?UX-`F}CeHp-srQDY9^FTs5Oo+@Rtx z2UX+g22^dQAhA<3QvM|2fL~LwO}lSL$Tql)W7NeeTS8(vyN_XgWd!OG;0<5Qu{~{@ zg4rcv{@NwHC#p726@hOCfe|V&nXE!yo0}9Kc^xiuD_ht;3VdY@b2<<*JvbuymDVdu zmA@9wh<)@6dT%+#X22#Jh8p|M5#zj9?8m`-hn6i`#cSE}IPr#TWx+1`*c15DTsh6E za()$Q!Ik31lo}49nOisZH}psNKWHTP$rO@Xg*cUH9M0#(x3y5EwQfLNEWO^|dH z!@-n%iO4lFVdb&AYeQUQLKmw`c)85E-WI?~0B7IFIH;}y*>q z1Ib!~qmHh@wjAF%(}HqW>|G$enp?yXc?OC6U49>N?NIdELfl=|>1f)5>&nBW`Eb6y zZ_xM=RKuL65UhaLPk>Nq7#V}wz~xq>dkk@YTI>~qYoY<@D7YGqTVXm1Z*rK9Vr9S7 zkk4T#ThaBKXri;*)ewo*5OOKc21opyq?4l+l===hV1)-Rg~0$b1#?kwaM#Mf!Fm;> zyBk?PMVH{-AGaZ<kJcGv_TP}qR}XDkE@8_+6uV%C9eS)_SNeb|j4X2#~27Z`fl z?MJ`bMABR9-s8v^ zFSRznY89;d#21aae1yG4z{$m}di-yZB>KV0w`30K`d;pNuYoflfu`MQ-mJ-SFCU}C zQTcJF8^2MhU+O5bAY33&mf{kMo7mTnkM0!X+yl@Jc_ILUx9AHEn3C}2C6b5=N1lSAihebS_5I4rQtDs{!}XhXXY$SSknRvX;1xU zzo4I>TXCy&N}D<`MVK@u^m%Egk2RYgHJ*DV@M zBEOxSmnFU_v}gW`?!*)6h0JB`AJgjE7rM~5nR5UO`MY8a^)z8>)fVhlwHDg_)uQ#1 zyA3;+3!UQT@3fue_BW1;iutGNMJC3c*6j}gtqc2g1u}H4snUX7ScUcDuMgk#q|I?) 
z(UV>q|C|VEEG~km9q^odCBgY5axH7_E>A#Bid-@6nYh5$g-PJns|=p7(f7HLIa939oCV$U@ovpFNDG&WRFQgHoO2?)@9h62tx#~4 zt#0Sje?~W?4OlCp&a_bzDe5HuA{UOf1RS+$Ux?k7XYllf zQ|mNWYWyFg3*Yjuig8F|zM@t|SJ_O<+N^3?vnC&2t#{Ji1;o#KqW2)sn)w;A zH}0q6l^@Xnfy36}-vL6Hp}4jiHZf)WJ8dYqihFVSti^s2sLU~1F7^Nx(bkji3x%Ndw2^Ij^^_zIi|b)We{W{JkYX5dy;MlqzM2iQge zpLaiS2i=P)sdg;P4Y#V@uIxqK2r}|>!#yd2nta* zdOz#V(B#R{sl&0pINJN;H7DzfK|5ybiSQC~Cb)a{-yz*FgldR72uD`sTn=e3eO zKrI~rhpSQyV8An22L(yv4BT0PVLpT42-I3l=9XV9`F9#PrtTRFEYw&!)tBXxlT2E3 z^3=5|)!BfsArv^|nW}&hmUcj_2H{V!uH;D0{ES#)60$V4e*0s#;ntAGb4NR)2XjG< zgJyIivpo?m`Wi^5U9a@L6U2Cyjj2pVBY{rUMmF=}-l$beMS-I#^}@%c9xq>HAL=aJ(8l)5mW8`X;>-5>JsH zD{*t1UY{QlC8iiT!rN`F#@js+wUvfrn>TT)QZ7r3vFA$A&FZQbY$m8-e(Rqnc8x02 z6&TvtKVq20g6Y2Etv6N+s-;O&qSvh~b8-LBps9{8t9RT%@>5djtz+WA#!}{!P=yyq z^B*O@4|ko=DU*wC7;lHr)yexL&u5!)rls6uPkE0!-Az@uYn@sS7WZa0TBXKf8~6|b z-;n;IrCCnP4Fy63_S!Eev0x2a4!e%(*X-+8HN?^CjYDZHm`6|fHN%Z3p2r*9W*HW!7?-m_9aNP^~X7NBWb=A?yRebxM#V1a595FyUz0y#<8e9`}^iJ(S) z!P}+oGQ4v&YMFB{lcl*OYCj>}7k$1Uw~k{sZ@Y$!=5{b{OTjKid7r2xkAC+# zij6CeZHv+Yrp&TgaNgLkJ_W~a1VrJ;mXt%dRpnGn{-{eUf-IH#K}|hOV1oQJj%%A4 z^ceOym2N*Us52myP}QM0)3sHmCF^4ntNlc?;~!d7E-nNdAT<3@$?#U8^KyJLaG*BR z+3;>#(GoJ2v7!HbafO~aFm+?q_am;+(ZFld)+omN@qWDMt!W=a9cYQ6FI9aw`TQ{2 zmq>Y(YvJ7bO~9j}(ZWW@q4c%Gl3sqr%pce#J?S; zKRm&IzeED<8`&eAPh~79>_8#Kqwiu<1s;IK+YV*ZjeB_Jnd*(D8vBmmhnYR@PEw31&+ghw-W)c#?aJTQ%XR+451jtO{akW4&Z2@% z%tWskP_5j&e_QwKAle3}U=L@S)j=ids&5U+xatr)#=Pfc=)h>@mmL7RA?4rGh(0k6fxeoVb$v;8h|&w>yOpU8O6`Qo2cw{E7*KDeh4*ZxKS%itA zgJvB&`x|9ma>S1`);EMNhkTC`%urQ4zJj3ySMieW$X9b1A*If}yVUrBM3=X~ z+}$bigtP}ONy&sz;VRnggy8f={R2#(x~q46IzJ(J?_>>orD4wLX#OV(m0LwVu$-~A z6u3#UMGY1;t*N&Brr-W+9%M4t8etJdv#FiKikW%Y_0rAs0Pm$}x)hG8s~3&6(e>3z zOrTFQic-iwU;(t-K5{v&*>K_dv;tR-UR}_p$7CAgtek~aiBaYMA?>Z=+HBgj@4HTs zQrw{s+@(PAVxbgwhvH6f8nneFKymlt?oNukyBCVPOMvhO`aIA2*6)4S+WE3EJ0v96 zoO4|>=Q+px4|8@^gxxCbu*pEnr&6%~C6P<4#+?7W%V3tq*nV21Jn)C*VDM(>ef&L5 zccUcj1J?q6_(_EjHySLSHBo-0zb%7shKSw%xv8-2=6Z_>KSZG4owWo$|GXH~FnVcq 
zLxJhEaZI(eU(rr)*c|hB?qD`i5+$W`!0?RcXHWO-O)t4^0=%oK-`sf7pJMMVO=k2D@ZBqPt|@Et zKyWIdO6MxoqzWx%w-?_}=X)*q->1>M+xAX2GSU8tjmM$7aXzV9R^gZ*kEl}RxH}=7 zri|WI8jHcroLK{`j-A3KEpI^{!-%8aysAzx{cN0<3~4ECo78c62(t*)OO*Iy z`FI@}KOlq#p}zkX8bCskoF$JU>2s%9yEX*ZS3G(2_+g6(W6=YQ)B1yP@4A$=9-qqWCKEW7v3Lf_7W`{^&0qzwUcScL=K z!f6%_S?}@f$sCDjz|fReqKo?$0{+0&VK9%(-SN1QKP#;m_UYcFDq$fMCHs4*&mKI9MwvX}(e6g9ByCh%N{#?w4sEIAv3PyaGL zUU2HdbH5%;bE#|dLclA4#m%5Rn-5oJal*a!04w*zweuhPeo?;c6KhfAzM8fS`!Ar@ zk+w~zjOCAdE}~{DTSOdTPh@iQSW^;+)}`B#6JL^ywHFM5BnmTjHry*$zZGnLpJV!b z(MJVMtiVekxFsz;W;uSRGF}^y%hcIEWL_%mm|&|XGmF3Z$Dc|mj_5RU2q%G`a1=~$ z$N}H+l3}NLAtywpPdDXiZtx7i$sI=v~U%;JDo z0h<1bPF(+ys=4q$tS^d%6-;pB77Nanyyuf|iH&%Lv8bku;gpR{wdr=zB@8f0q~1pA?64~P>sTLVl*Yoy9wDtY;^NYyN+JQSMnfK1e(hief@=r$?xOME&`A1PicJ6B&1~{Gzk^m{`+`O>;RRR%Yq_6^~2qM&ilcR zG3i`VG8Wg%FzNOB-ZwgryY;VWN;%$O_1=fL9%Qtr(Y-+1HmF>@uge zb;t1)>zL=ETk)UNnd?7+g5S3HTbH}(T?DoeD7RRD63$m5 zS&qrE0{ygXHrU2}Gq07Ak?W$qNuG0mo<7O5cZoc4y>G@z58<2Yy;e$h?vK1{Jf>i; zN>h^XNNBArxH>?mRSglSXP~jBBb~Yr|GY5z{`^o-36P3l2*ygQ;GIjoEbUns4U`p# z(PuB64PoCJ96UtPe_N!Iaj`d26dv>OtET$p&7d9v9iou%rqp~AJ8>#KfE)kI^{_;a z{jTOD<3NG-v){7E3nPSMw8&a;UXJU$Hlhb(3Zeuib?=7)BHcxOBf;R;F3M(Q^W8Db z>m4R)%Er{_cJ-J^>>wG{#Q#aC@aJt{*l<8ijHTA(*Jo&(-FSVe*qY;FjA6BB7}j6R zMb3uX4VPR+oyMNLC2ghT36^>@fn~3)me?atK<@8O_b&A5V1xW}Xal7pFtBx5Z4wzT z+eC2-obZVRf;dH-7vQg`qe)Hj>|{?*x%uV}5#H|*c|>@te+}+LFO#ORP}kIy4c!4S z4~oUj2>ENgd=^E@JTxkHZGtbRFV=h3`f#Hfs$Ao{jz|u=N1yx7HQI}DP)*?%RZ<7* zQD0RApy;qIhn?7!-F{KVUo~Ya{;^hzh8z8$UFe=544+uNbm2GMe3^Kf`KAjm=>i(U zx$t%sCt2?IVpS02of0eCXJB15pB9?*Mrurj06hmSzFDAS=9sz|-RXm1;htaVq%S7a z?!kP%v7VjctN2D=;L=a510tJdYHph4v5i;#m7TjcmMVb)SUzZ2XNdKPq5BmXzcI9=xq2Xium-1D4;9ZW!r;a47ylnbh4tna zDZ_*Z+lqj+<^o;^*i<1ut`4}e8B;vx{${i0_+tA(uYkvm^M3;>y2x3H$m{zM`mU;MVf zLtRr8AY16zod@2+BM0o984%OY5;=vtH=A{1E+9e|zs4~^KmC;35)%NoK_N-CWg9ZY zSf*8VZ+2_g=8TfUvd0mNi-dBCxXAXJ${U`k-A!Th99j#qN^lo!icTT*TDi{}{>YZY z(a-P#NgmI?L_xkJGouF{5DQEPc`?E#8HZ<^zvl{WMV&y=r9K0r{h9D*W7!R^)$E5P 
z^B}gC+%bEt&RjraU_QJ#jH({4Qo-)+mSFEafZ$QM7q)8TBU6sE0G_HD9hv!VVUn%P z3h4e&nOze)9$qh0(Z47PsM&r{G4wt2db&vQT4^f|BQ$3pb|=l5s;_D>*8j!^l}Vfl z2%x3{XsUaIlGAldKtEI)?5sjMGWFv$19bqd(;=Fw{<`K7*scnQW4_H_zEu z36|50OJ0Dwl&;p7zKml<+Dh2Wg!Z~|sDOUo)u^>&U3cmYG68At3md_^u5SCna3)}4 ztWBS>>crySaZ@WhECxmtP}nvi&=CMu%6}e>AcDW`RS!!7VmD$oTBz1Va)t!f*?)wF9`L;U^Z1r$I2i|MsN$x zPH?C@j&2pzTKNPl_&)#&`tc+^TMzP|e~pr@|GaH-5s;8RS7Dnh4^VCK{BzD18^Ma+CdBLgj z0{*xemQ`=i+JaRfUZ`8~1nmiGuCreA`I8%}t6q+^KeDbjOghYUv!WA4O}kyY=qLoO z;_Godec=7n)!K99K0{1}Db*0K8_Be-rng?YW`rj&%Cd6%V#?MLAA zUE>tqFJmH6Bwh=W=iRAM>IE;Y1}vpFwr_*HB^I_mB=l4+y?;_4F#5=x7$^ISMw zJTHq2L6xKOhl2%@bk49k5xcj?v$6%`ZEm`;8zBwrFI{pDVL3wZO zB)qLy;*y0K72gqL5E)H)eG;5~_%d_Tt}3--1sTC!UrAYJR{axj%&mlfa#xO^qR+7a zfWRIkZjO^z6$Z#JcA~7ijKM?Pw;<0sAa45-5raK(+NO!0n$ zY^?-6W#2QX@8k%1*;H!myD3XRGnLfP!7Frq&Q9&pkExUjIb>z;x2tJ45)(>;j7Z%e zK>hoQe!YR-3Xv5-7zhJ&rnBE~2ydHJ1$|R^bC_Y7UYYX}{YaI_fk~F++##K{OsA^c zRmQ$7D+&&wp8}*Y^wQOH6RD$T+|W6LU;Zq-6-piof; z75L}Xo0mLdC`KfvTw;Dr>#F zzYGejuVItY!TMQ+V3BuH`F8sj9_bxa|VY=IuoVAvS6w!guBDs6X%kgS{<{;NIl*Qz@?~sR5lL z7JDw_G-(yD`))L;90r7~M~^ar@EuF|#tR@odDhWFrAh!L0t40!G>%U?gCWMk914ubzT8{5uK*+jj&IWEEWSfTFO&wYisS=20|l-h&L=$r}2A!wOmL zc2<&B)iBz){Lc`5)eGDAzmxrN3x%nBptPFV)Yqv!V8{XE=B$I6CGPREt@UgJLo2X*7;m z{JQVU1n!vG9w`*V=8gpt(GawleT0kiUoF59uUPcIL>T3reJu8t#)Tg(y63rgABVCT zx*G1Kk&OP9SqIs(EDXe4kTfcmJiT~pVWS%V->4M23qMMjR`atw*fT?>kyYyoMa1%u z2%6tK3SQlMk;;*DZ+~*-TGaof=F^oP`j{^JY1C{j%p}dkk9T#dLh4*qJL@-sfFL|L zisT?!!Je5W_@{BDxG#{}^tIf*CjV=jQp`2Viyv_$Z}iPfO|LF(T>3=m zB7a}q36p;BU0~j%95YtY-Z9rJP-J!p_XR*iN)&UM>t{M-(8M$>s57_@BIqP7D-(Q{ z?C~D}MdoN&mYE)oe$h)62juABv`MMi5#P{dS^#}pfli{f!M35y`z5R2e_lo=2+6w{ z#8B)|wc-#k06L63HDu^Rc?fD{J!s~)#O5pC5@bBJoM6xGO>AQ&7|qr0CY3Q42iDPx z4ECHHyrlr-L4=~Tx%?0n>pt^Hblr6x&i#nwRNbgKqnPvcohtMBzL{aN1pGz^s?orFk zF5x2mSYuZ8-cc?6Q1T|Oqu6u4%v)qBr{REqeEc?x-}FRq?-S06 zb_e&oh2=+vFax=nIi~&5>yNSN0egP2JY_L=CIq7@HpgxX+6Lv`CY!RUkLnDgE|mcf zs|880@!5l>+elj5Ma2(ZA`^rAH8Hu^q;47yn$&AmJ{({e4a~fs>1B)r=bcR=7V4h!f81w0SCcD&!4yF`;%W&=b6I)4i9)XOj1Al+>fVgZsf@G 
zW5Z5%Ki8lBN8Ul_K0o5E*gbKv&%TwZ_mqIVVAPFUiuA*O@g$@ZUZ*bGuzP<7XrR$| zF_a{8$WO6CsNVoFZg}1Z!TRv&_rELmVRM!N5=g_+O88z+;GE`;R&V(A_Ybo z1(WMVwG1JIDWXK^J8x+FAMPkt0&@ebd-tlA@rUp~U>^ z9m8i};Ai;H5*{Muxo}mM<@TZ!@<)OM+W$h3NEYusONv_8JzfytobOv_p2n%LQHZ=8 zRt&G#|KRm`(#Ol}%8JVPCl+$p3%v)u-Lp69!1e-q*}c7 zGnD21D@2*A$Cun@r$)2Cy^A`|&B2icI%Z=mmpv39%HBVShZ^m#3bi&9&YwsU4tgua z^SzHLcH`yGG>@o+-69KP@Qdd2IP1;cVcm2rr_HbtAC|UzbOb-*E}3q2=N!Nez~wV2 zZs(`;po@L957FF39LuqL){6}?D@I8{h;l87nwWfc5GcT4>SB$ZQkBt*fgYro<6D;8 zvxHhBDr4lkhIfwui7pGnI^)y5LPN4eGt=@<*BXUmTF#4qH6Cbq9 z-w@k9-VH00(g%$P#FsXP>-HOwxqi3qEkED;zdq;MYjBOx+vV#(e#M)jt2+dL!F6!z z^_XlkYtk*%?6Pos5uk?<{@(NUO2dHG@W-W^`Pwp0oC=9b0F3!9N~)?r1fPWCVRYgW zqm8w(*Kl3!nkEmA%uwV?c7;$+gGY+yFpFN@#Ol_8X^dK3XJb}_2wdX8WpcdotE&)~ z&KQR9kui_cT!Udq*ai|Gbg_^-x^1M}Y4SN$rW+Cb?L9NPZ<`5{o`+=WOq#F9-G8Y-Sh!g0e8e1^DGAuv7`I)A6VqgOn-bXO2}0HPHDPjRL-E+M zil#z-(vw25`8CG>@f~>v--Ql@?}k_elRCrIu|A00&d*<474k7C>2Y~XIu4_6&Bra9 zxUMP}vA7n{X2+C}A&f=1rd3N3)QFP-V7*%E&I+{CwbCuJ!Nal$eGpJ+7woRg@H$)o zx9)^IRc2Bne=X9<=c-_vbNo;^C|uzEB6hc3)_STb8yifOld=<(q$n&Y=oB|0k!cX) z|NN59aG4&xOwKt8wYmy!m+x&Ow;eoSa#!FBtmJgtz&*(=R&xVzQyI*2>y$^nQ?XeelzE+oY0%)K1Z6(A_E$&RM!02k zRG`HP2hu*ME57wds||W%z{M$e-`zVE)=q6JIC4J=&;}7Ka!B^@{_gux_;{1lkT*3`R7RTl@}Z0A&Cg@)amMGjRqgDAn_!! z*|4HVCzk(NZSikK#pA^N_ig{H3gut=i-(Z?TZ!?%X)ywI{{O-z?xD?m=oOi~SNC2r zPB@yEeC>*XMn*vYC;s0FHiao)K9ze;{NqWq&Pxrkj~{)%@x3X0t1O27L|lwagMvRZ z2#E1M&`(PPhZSd?F4S+Gj67CFaxyB{z>~R`3|i@&b};W@nx^l6Sx6s|P+tpLJ{Zp( z&b>(<|K}frM-s+=Z`mHO6z_m<5ku~ufBs)>;G<54%^UxrcfS3PtuW-DM74u`aZ86p zxFPa=?Gl;N5fo%&_KQXio;h$T2)C9cT5vk0ZP|Oy1+3JtBWtYNrr#lyzPU>Bv@$e! 
z&i2&I)iUfn+TRP-dOMeVeR#p#YYB@N-HR;M6zG3@#r`Q%h6B^$d!``xmCk++kFw!^UZN z){G7AmV3K7I-YSlDV&$d>aMFtCHoO-MeaHiZvw)T_E~53`b!rm)WFl6au9Mv0KQSz z%$@GLwQS%Y|1mK)a5;GEE)6f%?O{2waJ8J)bl)UD_L^M=2KnFi9T>&EoZptfs_#!eIAU#;wHSG;$}H!o)I#g@8N!~VX}0DKK_!-)awEv z&q+PTTfdzMRdYG_Cokc=pm11IckYm@czBD(X>5;K zl}@Cn9f(4!Nf2%JwM8yzDy+pSwh+s!)PD5&*HzL{{<==1&c%uq{UjhkDX3R7s|D?J zgC(N5?{kxuXUx^+t(HU;s44QDfmoWVZo#^4i?PD9q`Oce0Cn0$vK7EVf2)eMC$`HM zpFC+ww|6Yx>ql+!sg?ZI#mr&Hy`CxZAA5rLB}2zrXW#42i`(sZss>72zc+2)olUqI zl)k_bv=aJUydU9LL1^0_shJ;6)r{c5c8jI+o_ZC;PbZkIrdKZ?>iLPi@$CJddZ(;f;#FeVL67x+5cX+#JL!4>M z=~dhjy;v6Dbsl}1K>t><+9a-^hBx4@)1hEBRoSv>s&iw7dHSBO9w?K946#8twDpy# zDCQTK^>fzVUD*(S(~5LTVY<1!(MYLXIS{?#zheyN}O44N7~w?5PcT&net3?AP4sB z9;I2KSb*%32OxVZziq_!>KR?epEg#ih(ePDzP;Rz%&_?(KcmICHeMvot5EG2^!Sh(!Y8Nj&UXUd zpO=J?>A*TrJYy&W+~Dw_ou+p{{_lUdkF~jx%^yTAE^wq_ifc(B`FX*w?%fjiN za?5~a*7o+PGh!QyqdpP=vXKz{DCqtvmUuw;4WP#vN)Z4Rke3%l9NoTzbx9x=)34GC zgu9{8OKy~f%JIZhKIe7cd)(`x>m=8fXib-4Xo%-o2kH4u%>6p}ri4(isad;LJbyh6 zlzeJgPsrf1z_vLW>M%%Q9~a~VA6<_-$J1L0VK0rkI_d7-@+0vu-d3u-$&Nj*vcz@Y z<}B^88|}WVJM5jIJP=uP6J$A=W|~1ARn=Pe>Ld3ao=0DZiE1<-A`wcQcL*TKiMv-j zmMY(p$aGWkASegF8D3nvKyh6OBY}S%wQisEM?X|k(e-kyXY9{>?%QvF75KwT(TDh4 zbyx@fYM3uC{GXdA0s*^3Zv6q5?n?(N5{k|=Vz}?-$mpQ@?;4d*PgqQBMg`Db_1cWE zsi_a{YL!iGMsA`06;p?bfG5=%RyRu3xxZJg&dI(!$saCL*n~7VFC?u-|YK;JM4k?U?vy*5-?B zrB^-i&)c)p*AgmupCy;vFvMZ}K^fg!W3?;n76jv3@-8m## z&FUz)EOfujmmrhD?_|W1oQ~#@X1*uza4f#yMGI?Gccymc*FozxhVL&elOhQoHLROV zHqQLgOo#r0sHCP4%e!Y2-GkEMnx6ch>Rf5q!(nT6QdWEdpuG=|1MUEyywn;S_N?w= zM`(bSTL}Glx6=D{>Sa*gT`Ag27jSJa28ct-I9$f5*f{apqc`NjVBjtEpjqZFcdg?4 z29=4tKgq$xm*pZhgG3VQ+*j$cr)n8;wk8p~Y+NU`JuU}J({4R)n!fhzoAHSiY2|u? 
z`n{MXv%_Ela+7$kJ&EUMJ#QjO?e#s@s_716#SJ)SGORD8`sc^`mKQILtT0WguXZ3UP)#-M8LT~ZLN9kP^DKzmSt zyKn5!F&7)KO0Qap>AZB$>aNHA2O4^qUKbAHzJ7DpH05H0f1Deze{K)$wb?}l-DbvT z(JN+Cf_TcCs&fZf?^^RmBJXNn#$?#-7mXyOtLZt^FX4)N)m5vXr>F2oto?2@fAdj3yWJ3@`+>pnd^VmQe`A_P{ACt*>CkJN-K$H1gIJ_O}T46J9?2(LCiyOmPUV|Q};RCJo&<{ zJc@bYYdJ^j^oMa0{XD&z+MdhAl(#w`^QtLA&gS8t?seCf$TwGQt5m+|E_+vZy@T@L zGM^AgxU88;QGrm)^FMERzU#IC%k5b-)zr?Zu3oV{`_*uLC)p7k=yP$LZE#Q8qE32O zz!>PGT{4@~51T!V3ibUTZ2@;f z5}xRpGa>g{{M=OykrS9|j*Dh`RS-;#UdVc@I{*Y@e# zbHEBnk^e~Z@wv>Z-djx<`n1>+!?mO#^0l8&PWmQ>? zdF;jVg!20*SdtP{KWC*xNe#*b+FhK~@c+3)sZJI}DI3Z&WWBV3{^R6q!`)GZJY;0P z_+AR~L#6fXCq9N?LzaZrSXbG2c91<^CYzQppNfx5$f8OHeuhO-iY`qv%bKwLr`S+) zlfzyowYY)Y*&9#4!}xXvZ9E>T*1h79jAfXC7`n#FtpNlJu!MV~B6#~n=9SZXvG9UV zF_BH{%HSD`Hy>4Qx|$}_VmaZ`@8IA+0z_$=yq7QTDMEy}+D^OrFLkwW-Gap46t^fX zGMAB4(W0}liM&zWQ47G=50ldP;s1f4U(bmL0&5p)wqnLOPc^71Z-}m?tvd#A>Xt)Ux~f`b#b-{2V*f{~L}(UM7L+4&oyoJ2mQHF2m~=(ZhO;JvQ2rrh%S zo{1WWY6mUwBKXAVovCEDRZWcDK=hVBOpbXks!7=j@!+;lKu)hw4_O04v8#v0LL?V3{|>C3B?uOdwwuLd*#*TCW39G#MKGyxCkaz8KtKJ_rF*d zcK6m6ThI~;swY?{whFm(P;(XTD~1}=y?05e>4?ot@r*83fy`_h6QHNA*DYvgYh5&- zDZhpnBweRBA&)1y7^|cfpWW1n3R=b0r*&r|fiF$U(5Q0IQ}63gJlG%7@oyUtjEL^x zAdd7rgY`*`+}DhyKSP#p>(h$Q58gvtH1(2dt*!Wi#6HW!c}U8-L+XZ-yH)h$Cz&Qd zvy;?7MpY;l+E%680zR9Pj?4gC=x(K3MF-OO{!}VAFCW|L@MuZdYSpZYM^bR>!9`sM zlt>>-3YcVJwzd7K)osKa-NK0+L7|!FjeqRBCg$cL2~C~E$$OAk%xDo zFRak-as&Hb^J3`q9WYNJAO}3hX$bAx4K*C_uPUB51)z*b_`=42%cD?K+NLV7V1z8) zgwY$hD)BLGwzA2*y{-x*haEcq{QfmS2$wob<%`}jMKw@TK_S9wEia3l3+NkmFp$M$ zZW!ou@2Pb}#0HEnf15d5$dEIGKe|-&HQ;Jiv_-SzrqqhSbxLUIgncIyg3ngfwP~EX z%O>K2+}QuEW}_300cZe+^2u1BbRf-!N><$r9`L>;Okm}5RTeLdUSo>01H8K~ z));zTKsvOjy0N^1gvj&P@D(gl2{H0*u?~UK#}xu{c^iN1ldt`t%oUY?gwi6r!{=$r zCl<<%pfSp-f{rX%VqW)(SCNsBw2R@tKU;h2T%m?jbfff7jzsw`C18-;c zGpt^wGQTcROU|5CHlQAO0T6-r z>Pm!m1P-lVm@5}xMY(3|P#PZ)zF^wyc{&l({kjHA;)6U*XW;L1CPhoq+hvr0YXRIj z&Ix%mVMEFWh-(PNn5OCoJnEt)-iqnTcXf3-I_!N9^mp8dR>DiK>_FOlw{2k9;S?b{ z)k3F;*Vz%6P<*wJ&K0=FU)k!6k3598(dZXmVD>QCb$A`1SO1P$PTcp7yyw#h6k#*4 
zUF{FJsJ;`UiJ7JbN_&3T#m43&jT04c2x=SpZSitI8Q$pt0tbI?gVJ-4YhV6&cBah# z0lRp>=8`?&jgx{}@+}cihtS0qgYD@@5ue{<@34DaZ@Sbl;`XIz|YTZmxb4KIL?e z2$4w+rlAYgS_n9iK|A+0#^S9}XzR4dDHQ`1B$WDL^v zM*!NKS3-g?7M-+Isyt6=0-Zz68ki$OeW2k4nj5-IgWBIT(ker&mh!Pbb_xc6X*7rr#_(bI& zZcwo~N#ah9Cx^qBQ$N`K%&X#tq^1EH>2>s_j9F8P^GZQ(iY-?DdEC^vpjtJqGo7GT z0=i5kpb$fOICF2*_v`PYr!=z3UmJV=WNl&q0x>>1bRzNaIi(WT{9`r(Kya*_3{n>2&W_P#Ch6NCli|P*R#!?$ThIY;+k2(_$*kGq$3= zjLykHsZjDZvHGJNn+vX0cwzthbS=OM1z-rBJ5IFh7VAUgowoPbK^WIbM)$u8nfsMO zpbo+GfL3U7>?zeKKDidz@~mkw$r5) zw1$csK3hXReYG596A2pvk-@8ECD}xB0-J?z%Yy8*SyRa|0Y*YoQkLZjkzxIk>o&eP zrkP{u;S<|m9A3&XvkkMnrlzT>jTWUd5Zf>dJvb@iqiu?x;(H%}|D>t`pG{dt%HZbB zJieWat+Ad;S*C|)mltY#b?W7CYBS_|tyy1skGN5f}WnHs|?2z);HW0DI<92|l{kVHug zcw@Y1mu)X3Lm$qM(<_j@F85YwCL$C*gJcRKH5-ikyem3%VLr5yaHCQM5L`H(F?M5r z=>8r|0P#sguc`9*XWgpiMY7R^5&IfBgJUhU@w=|UvpNqVPmhpELgzdSUe5RnCl2kmxyxg(%s20SeeBJV_0DF^Ry0s(Q@k5w5mpkoGw2eX>Dg_ zz$9h0pUtN1cSwu#cHVcQ9kYp~hIPRZb2SFsCwV>je2BmxF9p>!hcJgA(bUvz3tJ@) zU*WeLZ3VA#4BngQ%QYWT0vpH&>&^2YE~P9g`_V_NPN%65nN>zg^Hj_>l6yZioF@&rk(SqOaNL69qVU6PxJ+lvIs`z$1r(!cNStWBxssW5 z#9@Q2B{f(o8uasw!QKwm6z-$`5Z-g>R;aQHKC(mu$Fl@6oS+3^_#}RrE8~z=$w+;^ zv9L+7>1XIGM4>7Nnq!eNMEHU2;DT+$u0}w`Y$8q@(*eEmUO%Ud_@t^Fl#P|?Gz@(S z)D3fZWIPc=J2OrwykmgSK(+P!s zWl~l{&rsL-w1)k#5#2`f-Qm`&;jSbCSq$#3n1areCT(z(&X7YU!YLgZI=$V2^qV*k zBZo98M}oSPD<;SN!h7d#S19OR-WO{I9p(9en(i(njjYA1$o#bZ*Q#p4A9A@lAWvipAGNv!?yk}9OSG*62{z?-7_!)kc9%7#=8dXq9fSD%OlC=jWMV;?1f;K0q$*P0|R#eR(% z#J#~%vCck)o&M!(Ge_8JLS4O<=IW|X(QD>VL}&srbj|>tL`p7~B|6+r)71|3Jg9E7 za~t1Izo2;h=sCX7seG6RB9t(_&BFu<#w~`?YJP3A+35_DpJ{0cZ|n07Da0sb8--(} z%~;bcC*MwW;OmoZ)1-Z&DXdRlNx=pf1=}8idp4!@^bLOJA#%C5DkiL{MQ388+##6U zN?mrhSLe%3*e#Gz3B7Vw(|;5~`Y%ZZ>`pdUViL_)CqrE8u_oeZ-49^sr;Z5l6+bie zJ++cJaj5kBMvi`t)5mRrW5VaJ0#Gh{%q`(?29^A{fkYvNbGTZ}_WVgu5}wD=jzDHx zB~FofcK=40%iTHEbXxMA`%hSmSHVnnTo&(U{|CF826Z&$z;KLA50dMxnWzBb>AUbd ztm(VXfv}1>w?po`H0^7f1QIlJvKrU^%%0^PEWq03)%;Wt1C+H;pyy`e>ts|G_qOS2 zA2fAQ&wcb_L{e@^Rd?R21?pdL46hAS;f6LA6yE%ebB*!m4ONxJTNu5mcDKdhT63I- 
z{Q1s}Nti9?{ayf>a`8Nygoh$6FmDk{x)PxkhjLE_do~sp>`bb`YR=u3;eMv$AHxsS zR1n(y{?8@%>OvK~wEd$1ipmv+08=4l?Q@Z{tTVr@PPpzTGoHe`vn9?s9Z>v>k`(BP z^RPAE)eYC_ITJ3x$WU>LkU+fU2_mxrAHpIdcSAO~RG~R^2gc85b(@t)cv56>J6N!Me+pl{i6!I6g8(!{l$6bD#I!NPo z)vEXGJAbFsvqpcYWhS_hYuJ&iyf9zBBe%QekBauf6hQ}nK7#t@!y@hEBxu%9vfehP zW$yiT$`=uZ`_}^vG0eN7mZhG8m3pB#GwWZMnb@a+ZIvPZKt9LnIJcN62OcwOz>b3D$){nl!*Gc#bT_i{a-f=1N0RU-u=4!^SE@oG)`)o;i6sW;j*M zmet)6M!Ru*6?_P5+jZ3J0&l5b?TY*jD=lY-qDwkEA9=$+32A_ogl?XIm~r|o{SZqO z7f-?8&M+k~ujWGq8>cPM+kl6Ks0Ja#KolRV9*U2vEHwKJ66;1D zmSYL;gz#lpSD$PW19tk;Nl`lkkIYOtC9lnEVF=$tFZt~NC%*H;f%vKzTkXCHOe}!n zi`L-6m6<BhFgG_wX4P4(cMa(G8d}w^03DVos zwTZ3N0!;+tJ#1P;j)9)p5Q zvN!mpxv5=iIAo03p_EBu<&J(+`8JoaKP@gF2-S)ONcf)8G}fa`CYNPMeP?&yVxFwv zwC!1ZJ^JFgwe7ud6`c;dY{R;9F3BLqCCsFh6ZSkq_vMaR#PEj(j<6cv&nP}qj0gy z5s>w!e>!_avuD>F?!AhJ>oX65-?qT(NMwUGbaVklT z&6PVgDmGD>88iepK?UegyHo}GFqZq>vs6q1qWJ6QL2G{$y8^fE3T@IfPWR~=t!*?A z)jfR+>(gI}kwSAchJ7oP8TBE?D(9mGJv`(Me>c2Q;Wtp93(MoJ)f*8n;*?{eZM{~} zIa2h?zA8`>)YH=zcCe_$XySQMJ)?bVWXII7U77}60;`m0H~YF6-)LDE$CGL9PVGOsdS<`2BhiNoT)ZxNj~#znI4oJt0P;o51p)*?~X zcoXGfs!L5m^?N*~4FyTHG}8>NJdW#wZkSx6faLYZ*{yzE?g(zRJ27^;!q#I}>3WW4 zg0uuq6_EY2P%)DLz4t%OPifJT2=uxKh z7LkWOeD;5CAAi`lhfNd23vprpSNr$pJrwdD{`Nn&Y)?PXpw-F2y|#lgTdO^#4w|TS zvZ!_WKe8Da)~POZGY@6{_F7&Tag<8CIOe{a>3XaU{-5g3GoZ<3Yt(xm6|sS+^d=x6 zMG)yVN(m}WI?|$m^dcZNgs4a-Akw>Z2qn@Xl!($hLVy4P>7CF*3GD{dz4tk1-}9CG z>;AzPOs1?^vu4d&&&<0uz_7%1<#@|y?+PgBm6!6Oes==9H>PuwuVCdL94>1E0~4DY zqI)SjXf_zi{Ug^c>aU|NJBhcs^$7_K`@x+FvqZXSMjY|fb=lo`a>*cVfW{l0edrwj z%v30jc2L=F+%ToAFVFoWK84=gkwvK$VSrfRD##2e%#H&YFzKZ}5lVd%VjPY|cw z3Wu?64|Vlk8}t#sD~c~PW02`Wic!Z-;b^bm8hUeGDIf0`w@>gk%7D1eBWD8zPJ7&-1FnN~i#BO+ zduC+0FJ4xUp%LicEbPiVoO8j^dwtJo0!j7UxE4IIL6&tljL0!*Xnt0_yg4FLk!Q*? 
zfxn|;^GX6ePlUIokA^nQMFuTujr@mk3^JmIi&|Cbbj}k=lKuR^8eSdi0BlPIVP=hb zBCWr1=>|QGGgRZ>V5S!5M(<-H;i7q<4M1|YFFigCgC7JR&Ocqfj7>v;L=HU*7jZ1FW1t~4Qd|u-0|NV@O^F8>~s``M;drm$3!l!{i|ZqE;uTfqJM z0dDOMRy-*vGKtfB^FeZ{>b*IDL$_L`r!um4O_?h4U7K#+NCSJ8`kY3Hm_(2B&hv@0 zxF^XH7Y;PY<@aKY%)em+9E}@u_my>MOoo?j6wG3K2S;zWKnx*ouT;)52!4;*yKZ9o zoH0~MU1%B3Kj7~M-=OWLPoR~TM&#%5y*Kt{FuLvFE~YyvPbyy7EYIx%P^+<*D>PQg z7TRGy8D4V2B^QeJWYw>I}gt zv!=Lm#}TD{6#{8T)9ty5f&i(0+*)=$OV^fQTw?*=cZ{xe6*$WUTJ{X%ocS6^Js6K7 z?CPt444i^&V6jSi3NT+gw)FF=ExHG1PX6%$(kzGmw`^65G0qc4>2luxict#RH#Jxa zIa)HJ1|YWrsXLSgYBq4Es3d4Gzp6c%n_EK44IE9QUS+z=1ORGztIxVfh67$#8-dZE(}a| zQG3hA^N2%xZ&h>kd$}+o@iw8icEfHmB7&Ov7}7I)W0kb6yL{s73mcP}P{~;-q+?+% zhw&crwm?j9nuJ%S7+HDXHO)N&PV}hzdk8VE{pgBQ|2c8DJ!UD~$J>_mcRTI=WQ7>6 zPpV|m0I7enLR0HEk4=&e_21ku0V8*^F1}va*NE)5!kdtd`_> zriPS8X~In_dIMmU6Q#NW9XcB3-7S<9E5!$PGs!zXyB*R5Hxu6jec76{TDU)73_4gJ zlQKLk;D%kIXNJ5=ClKr(>Gky$?#Jskq=_(%_g(D1k~HgHP9NL14B|V_1vvEjqD~2a z5>Y{Xr*}txaW)yiWr+48gU6CmZaRV&VqMO>>KO&LaZY4$3%^~wA>KXW7A2-O-J*@- zR3#0QiN724l;cAo(hi}>GYv=&D?}S-*H0?PQm}QMWxMx9fqTR;4qClaasDlNjeXTq zJfFxXs(Jpqrcpa1497g!UFaG7;KtO0(TkZ{v+5}fqNI-5b1+85Qy+qnZMqC53;k`- z*d@)KqyMn<+kxKtL#Gg$j66f_YM1h_sK?XAP!n&xglzscLyeECTdEajb{n8fp3OD0 zERgzzxQ`Bt@4SIXf1plTBaU0*QFn)evn33 zX;%%TWmRkK1XEH4djTE-m?Y!)#JcPtr50RtS&6rJP!FgFn=bW;n8mC|jQ-9DtHXhcsw zJiW_oP=uyxe5(opdhGG?(i9AHVdil*WPxewy$wly_?i_%H>!@^IggSwWVJoEz>buhm0%< zb)b$sTdKqu>?mUgD~K2WwK#;9ksm&)SRms+7`1;BV#@DmDj$k%N-K}D9FP0`8TR1l z7W`f-#4C3Q<)ADL^mhY#IzYGu)IOp)<;D^sdtak-yrTuENybYzK8 z26C-RcC2sE1wEP4wvVf-$m8Kk;h(tmp){NUfcU{&?jNtlE=MK3eu-)yRy-dLLEpkHN%LvY449y=pTo(a14x< zKR2OH*@E-! 
zcFL`~Akbwz7Hx6hof_?I`TGE^%jMazm6T&i$qITC{c{$@rS`qZVmec*h=?(2r>l)DPerogYB>jujP9kFJ7iMTnL5=I z!J@J3JR!6J_w5Vj4k`kDPWHwXA1RaR<)?I}-+@9LO&UgK{c!PQie5XdL?qrEiT6BFQU2t}Wg#*}9 z|M+n6DqDvm*QIY)IZgNS_z<0t-Rzjoq_{E74iTN04XSgZ-e$nV<|8|ZN<1t+jS613 z43HTYvshT)o9LH2HJg1m*HU)x@^~p^B5dnl@w?5XQK9-enVw$Rxo~F&L&+AkPrQ#9 zTh3nExP3M@O^w0mt+;uT>(SM@z88|V0pgFUOlK1>fV5RGjVTM@U_y@uSkNQU*gvC@ z6T)07oyHEj*O8o;M0SzjiCpf?f85h^lV_Ah{6c~(+i`}H?oq)JP4mk+vtIA_MgkiS zWsoHKw^Zz7R^tBDS2M_;GBl1W_HzRxn^b5pi2^2_pjRmoLp0BUEb}V~9?R@@A@fBe z4;v`>4BlpDEl?8AnLn=zKD+>+2D@tG;VtFGAZ2@JY81QH+#XnItcC8IXZMv!o))D^ zQy*@vztS%!L-6nPOUZrxM%W|9w{h{yM%j0YGA*;2U)WHxxtb^FO0_#yRXwg)1~24Z zJJ1&0eBePjyH!!l-Ocd(Y(j!siP5Y#Qw-}gHlbc5GFHa@Xo_!ZFX|Lx69mdL0XVx} zrv*j15W2BT%zcMJWopYB$fi+PPgJp9q*Wc|{BX6>OK!5^y)4drk3sAGH5*kuJb(SM$<~(u>PW1{njlxwyGMz!-$tU)U1C8!z9DT~mH5 zQ~59~(4Hv260`)i(%vKd!u8 zBT#Mg_-@n!E#BxWF>WWTGUnvOTNL=&Q%t49K*=w&xG8{^u_i)^9}4e~fu@$wvt?P- zNNLgZGxD#KRD+Qi8$%)}cEvUa64D~Zw+YQh#GG5YCzn!V?{(8tuk$hlCM#HDY17f% z){**8fJ#ZwgvBowfMcUEV4LgIFcp&2gLN;!=XQ)Y+bNff4>8)3IvBs2ofSU8@ZR6M z>5m0pJbSX_XWC#FNaWMRM%c%}7;5A&?t{P_@TJRb%ekd$3Y(>2)>< zzU5DLN075Rsh5Vr*z4QQ1NvKZ_~Oo+s;F)C^XY@wt&%)rT>)7kn(o=SCY!;RU&TD- z-wk(6(5x$|M2%coJl>xd>7_;cvs#KPQaz*RLH0|W0bn28@6~y8Oo*=8{p9+9n+w>{ z;cdzJL(lC={VG%uEWopnwvNvu&w%GqX&1bssx_ivx|62zq6o+AM|N*$SgHk#R>=7! zf1xEj#0B98S`sM08l@2y-10AQ$%HqsyqZFjwIaE=IiTaObO|vWESC4eerOkD>ZjN3 zF!P-PZyWq+w68v+_&>uX@ZJmyIuG2NhlZp{%#Aoe%_9%IZv)MQjHiBC1oA9a$EUo> zCAGYXc)lmIwr*(7_~1IC8gQ?{^AmXBl+{>}@pS1KbcvuE&&=|VOj~)MJy`Fl>h_e> z3E-4vZ?c>|5EE36*5uPd{hFzqz}lnsf+5a9!B zpO!8`dRu=MiyMhY_7myc`l%ca;@KAmt67QAj*0x*Uzw0i7Zq-VN=WR%%Yh4G)>3@_ zp0n3{lj_lzV{;<~KcB0RQeaQTc?_{IIq^=6NimX>De#nx)OMuG8TGG_9{Z`sG%*^= zhy3=w=Vql)5-PFd;N{N&kDh(kSUn1X&*T-yC-kt0pbrhJKPMF0)SE=E% zZ_ArHo@f^`oqvT36|cV?)Kd0YE8~k0GdKSZ!@^!-(gC~G`lIplcD*Jp-YaQpSYK=S z#Mfh7y*BdjCbL}`E;jKYa0dO%AJzM9Nx>2{9s!^?~B8d*YWHjSS|FziHecNO6 zOZjl_Bct{z)XgdTcU%dnr?RvcueiuxCcrvzB1>@z6lAwgg1wP6j&+-4{VPY4W4*iI z!;tqrSNRGW%^yn;vHog`fxLNjx~*^tM%%9Mt?aXV?Df+P8yCkrEQ4sm#r4yx6Wy(! 
zxC<1xS&|V?Ho6Fy?^|Q@vcAsdO1=eT*k9Ch zsZ>xm{S$Qsg=@pJulh3`P)CS`t%@Ws*^T~RS0(Z2>#gzQGg*ed>sP@L}$fVO#a1j3#d z@%G{Ghyxj{@dC1V()|YjeGJ$8@`)7&ZCXm}0h;FqmB>m?RM{-i!?;dlP0vclX9#ZJ zLoFmw65lssn?CvbSaeO_7A@unL&Ft(}VKmU9|E)<0Q35^m8+ zo`4RQ4gyVdmNZL=w8Irq<>jlx^Ar^HY-xR7DvRGC2U*rgs>@rdb-BSdf8`y@73i51 zdyBcg0LETSDRrg9gNIdLuu0kq-34B@e*37eON=to^IEKPibWzdk=Y2)ldiQw@xmrF z1VuwVy@8edF~;!$x05_e2fni3eyMrDA}@FNz&c`u0dtaCPc?^8m_LKX%?j-i6)C`Y z#&x;(2mcVu^tAq(iODqMW`=8JioSInBWXq$eSWR8=TrgKHF@Iiyz{&(8UMlpG|Xj~kmv#oPS> z7+GTc-GPeTJ}YEucYO)v!R1Ap9#&`ayeoise&JtPg{=mbZlmMp$*L6liOr4E<7V)H z^zcA)H**hjrqjc##y;OaCW_&i#O*rAp_$zH4^KBa>kP8yG8aa7rbo$vp~gGZ5Ukz% z_@lDZbU)HfsicXtmqVf&wVSp=urg%!eo|)N%+NQ0*t35p1&A>OIUVBt)qGP-j5fY& z&BPZtT3iu-Hc(xcF-=IT8Y#IWGqL~CPUDPS^Kdj_yj<0A&)1H*)rzk64|2frv3zJi ztRI5cj+|1r_Uhqn2#aSCBRZkqNoSL^#tr5=NN@heW)4wIbp$Z%;3fr>J=It1*y;;pEQ%_}&BbQ!Oz9Y%o zK6#xO7UA$n!btU5=U{REE~#tnwQ*jD_9!k2an?~loKyBNdH6Mvw zGrCG?_hZ`^&oM6hI7}xVn4e>M=sSRQxZIvAyP3FXW%aUC9(TREf~0J0FN0i+vAAh( z{ATQ?wa%u>SA{*VIYGhoH>MpCN*WMyss-V+EKPe${{uzo#NX4@WJnR za_+-V_BJjZThCjYGnMZM2(W5j&99^jmF~I(pltQpe1_e67@)z(M)pooztWVy&frG% zkDPDApapsX>RNWBGUL2BN8YR)-udys4Zloa2MCM4cLP}HgABeZIU)rUz!kHA+_Cod z75vbs6_N>Xl43VHdWT5+!bpFhm=cETR^M^pNj4U9S?mY6uPUUzee*y;LZtN8Vd}=R zj6sdv1Oql!NzZF?=fTJ=#F^pN`7pTugUFh23ARhViJI#vX^D3ZYLtZuKL5BTO&kG? 
zlWxxJyDLT)BPZnCa-$30$k}s+@!hoa*(Xm^xdX}!jnM46<~H2R;D~V8*8j?c)7(mo zs^ZU^s6{?61}@^`2%6gE84S%orwybE;;K?c32eo@H@&)#ct8#$iX~jfn%@ch4HIU z`Gz}r?$a$mP_>S*A*UN8J^v*(6iZ@1Id9L%=;cc(yy|3nc!1w5jybDdf1@HdTsL9R zqTuV&lhhztB8}E_#Ev2{Y%yTjQ)BG9NK~7fmF0bM5VEvH?N4-6Y*O z_0JNMuTL|TuM*eHo}iZGCJ|s{H2TQCq4HUf%wD1fiS)-=V&2_gUbWBN?g2x!n8k_| zGs&InCk*q5r|q{M`Bfq!Cj-SonQGyrFiJrQkfpTySen)B4Q+vmBtWsc$AOMgh%ik`b{s5V0f ziIo6D^+|r3?kg0u)ZL@I4rJt`z>%3pAHMuOfkL3T=6K1he( zNjt6eCQt|%vRmZllzy)oR9mMx@fkGz!Uh*YdAv|NTUJU?WUN&m0iuVRhUNA^2|(=~ zOdKpLo=*F+m>s3S+h1+CEns5qQ`h$dx0o0|B3Wym9W!4(7!;-5xH%0F0o}cSn6`6{ zdY&5O@n(NuFIzQfn8$!?su2KR>d%4K~7fcmK5$XO|iZ~krfJE%~ z5Q@mxe>QUEl15b;ivR)f)n9j{NpTg)ILW!`u-@E>sPja>Z5ydA*?*B>y7Q$f_``_g zUP@+6z|0MMPZj*UarOP}R2qbYIES$I@`A4RnQGTM?y;8kSM)2uN0e@)*ogi?Fd((a|%63d@IqI^K%VyoatP2ZDU6j*2GB0I2HwEdTWF8rq zG8=C{Taj7rEfn;;+IlJX3*s9=f30lFty4F~uyN`9R(z88`eV%8^zhbhjK~tS zCAcyIpmF6v)rYARH6t$mL7-=lL#7Ja+T<*I@-_0)324$V%&pL+M!f%}@O@|Y$gAqy z2+QSZnL>RfUve;Iu~LIjcQt@`L;e7~a9k4Io!fr{VfIo3oV~Mwu@Zc*DOxnG<_pR* zZ!0UNWi{^KFWK7dc|SO2V1s!`!R$2hno=Va`GJsskXbVg_O;i_CA$Sz$EO`M8_epz zoY*PfL=uD`>v}cDh`Gysme(Bmj&~o595zT~`!4_#>9xy@jY{1^eoT4dA#!i;8dj*amcP7~%_1u@Mh?1k zfGn}Lf!wMNYHtd$?!NI(GDyk5X7Hi68wGi2}k({8}&v~^?6Baa%Rv;ozNLq*xzJY4DO?8cD! 
z*sa)_w^CnG4Gf}(Gdjas1-Jg3EKF>&j5W=HB2jfjQ(B(61*nlpTQM`QS{{AidIx7d zq9-f@Cp%oWfJ(|g%)M~1Rg$#?pJ=?9U2AEI_v)$L|wWs`<`^uX{ z;fs|>%XOLuf!V}m=YEJK@eJqPCqi)hrx_y}Y_{oe6TQXPZe{jbl&{_o+Aj^{EFQ!o z*M|2|%A9ssO+yjoBNXlh+rxvY<2unZa+~lg_Uz4 z=CL$ZQ;H~{$+)_9^fXbW65>qE=WWU+0RVs3rjn1gz6QaR$hjc- zXyy++LKrOI-fhx%5d9J`_!-aW1g#_Fp?Kg5qqyC4uy^|7E_p7f(M{$8p6n>D1L7N% z^F+TrpBfj7G~Ndm&}ln4wO`4)@*)dG94>s?UV)VsOc=&3T!ymET%gWa-f4+FDke7L zFKbH^*j^qD$u)-5mU!g0Uhki(n3mrIS7f^a(vg1IV>$qB8H?qETiGeEcIq7T{G6LexL45ZUl*k+8FN3qAhImi|66ulzEL{7#4=?iX%M_K zc=WZhSQPHpmTfbWKXl`=7~}E5IX1kP@TP7@ADik<7qhr0R@c92-rv!#6T{$1qsypE zeTV5!5dcD6~Rw^B*cQ)fhm(f2TY~x4Bi730s3RHex?sGl2BI+N6F_ zynugC;EFxE=VDj2i|^?FeZQ11#xg#3TNQ!X2(K0Ff45_^UmK<4yxrcL9Ne+=t^WF( zIfP0x4U~I==PYyDvbVAteY*aWBvb{Xko?jkas^7}#jZ5aZj|R<{%Q$6!W;Ds2Jg2= zjkNY6RJyNJHSmZo#4tQyerkVdd@`+0pkARTxO95ZQZwII z51*4YjJN_jioR8k7VCC8n?Urhe{3Fp`QQIfdxLUeVtK#(@BjVYphw^Ei9<~_SHHu; z8ImoI6FB+A`_HlYaN5O_XG5oVn}u0;MM&ijJi)DriZVH$n3k62v$=?-QKL6lT3>x}ex;f@ z*Ufal;Faei$bi?5?LLNISVs<(G(wcJx$QiE&JPt!G zKC3lpxP097fUPmWZefcTn%b_CFCif*9eu)}zb>a@tIIzCQLr#c^`;4!cp#H;R1S$U z>E3Q^(W0&)mKCNppL!~kIT4f~&O*l1$_hk)0cT&P%{M-}0;9l_{bTXNp$(q)DU0r* zaPLEqF^;B}-ykfD(AjTh+Mwu~DFasw(JNZ{>OsAHWJ`5g!kl%8rCWVGwOOR)lMuai z7ipi*LBa3=yi}}eH+=9_QA(>0SlYBfL_F+U{Z^_`vWM53-+nva{7C+R7D(hl$a_(i zSzmjl{^tuT<{5q98TW9WQ^gchG<{dg*87o|eyX8g#IM@mOLO=K^0-hcwMEGSlXoP? 
zmv*I9uCW0zVUHFiqaaw3mij63Q`PKoHEk&O?269dtKq>{(K~K^j8`f17D&Se=>lpk z58F^(UB!#A8*JPC9t%!yv#Dpy)WD~8TILajR<1y=CG=9lDT~>(QJ&4D z(54|o1V2IaHZV2{K8PhEWy?5>g1>c= zHs=r&V|`R8*bXj$0D1eOeO1;6$;2@q`>FWBCr7wr=)~--?-r>SjAKuJ|K$;tmjE+3KOMw&Z*)n*-ozCKc*w^Qo{l!N%WwF@6T#FAhjJq~O80%=LRePbRg z<(c@qYZ3ra6CcCvGg6`_5gfaFK(Fanyq>u-Fh^6|IbtqmS&{$g6OH=I8wg zb>Kz<91i!mvx!M>v{1{RtLAZ7MKl2oZ$b4uHV-;hhF0H3X=@)Q%qN^q{g-470hjc- zfu-Nv2E9-ptp;Hy1ri;;1TWE3{b(Q^Q~6;Cud|&`kLxTF=Gio8h=(GEztfiON@ZRAC}+n?z8(i z1hu-#&tJ+IsGqN}o*w6E z2nZ36FXo>nJ?;2S;4L>Ri7^3Z7WB_bDLfVvH~p%p>jwEuxp1fBM67ypcd?4vxRQU$ zPhRn~x%WdzRkq_VHV0f1ba=ST_M>Rh=2{}|Fy+_qV_AJoGcg}a%a$g3OXAw;u^$up zZ|QTh1f!(USAR4u^sq>P^_83n;8%Ojy{=jvS_*a1BO9UnF_J&OnO6i7fAj48>5eeW_r52l*vVAu$vC*@6Il zywwj;%xQLH1wH&JR}Aw5 zYMnnm*`Q270<13V@BEUQZRo>FW_6?X8$X;@iB*Zp$p=cZ@!b9k< zp%wXV{T!V9?$k@tLTOWA7Z3i^{)_ROHuzGnR#%wfkF>0zF3sQ_^h%QLN$0;y5m%q) z)1rQA_J2DX`d^1;e|R(ha;)p`!p1*Bv+*)Ot@93I|D;KdxAtX2e<^Q&p>4aE>d(Oo zFEh~85;pxgupyBBi0DsH=AQy@m<@QhPl4W#&AmYE1u~78BX6_-H5r=I)wRc1fjxaGeL;S!`+wsdAJ$0`B t<%rwQ7XRI`w!iED|IjtQvUYstO(53$iZmaA*q+}WDX7X9%07Ghe*hz;%(?&o literal 0 HcmV?d00001 diff --git a/packages/windows/1.12.1/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..a1564e6c0d --- /dev/null +++ b/packages/windows/1.12.1/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,114 @@
+{
+ "attributes": {
+ "description": "Overview dashboard for powershell integration.",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}"
+ },
+ "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"fa41e799-b6b3-49ec-a11c-3f20231a4a79\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"fa41e799-b6b3-49ec-a11c-3f20231a4a79\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"65ce6b63-6ce0-4094-ab23-189126fc169f\",\"w\":7,\"x\":13,\"y\":0},\"panelIndex\":\"65ce6b63-6ce0-4094-ab23-189126fc169f\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"314e6f55-a05a-4ae3-ab76-bcae7f2074ab\",\"w\":8,\"x\":20,\"y\":0},\"panelIndex\":\"314e6f55-a05a-4ae3-ab76-bcae7f2074ab\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"a1f161f6-1abe-4177-9ede-4d1984f5a963\",\"w\":7,\"x\":28,\"y\":0},\"panelIndex\":\"a1f161f6-1abe-4177-9ede-4d1984f5a963\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"6b7ed122-22f3-4e9d-89eb-8de92c0d2033\",\"w\":4,\"x\":35,\"y\":0},\"panelIndex\":\"6b7ed122-22f3-4e9d-89eb-8de92c0d2033\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"d536f6a7-ad28-4a32-9319-9e0b983828bf\",\"w\":4,\"x\":39,\"y\":0},\"panelIndex\":\"d536f6a7-ad28-4a32-9319-9e0b983828bf\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"eda6d08f-b45e-448a-bf9f-afa5516d4b4b\",\"w\":4,\"x\":43,\"y\":0},\"panelIndex\":\"eda6d08f-b45e-448a-bf9f-afa5516d4b4b\",\"panelRefName\":\"panel_6\",\"ve
rsion\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"56d2dd76-6fec-422b-96e9-22791b0c5f0c\",\"w\":10,\"x\":13,\"y\":6},\"panelIndex\":\"56d2dd76-6fec-422b-96e9-22791b0c5f0c\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"3e4a9683-fd6a-4ad7-b05f-c71bcb4d92d5\",\"w\":12,\"x\":23,\"y\":6},\"panelIndex\":\"3e4a9683-fd6a-4ad7-b05f-c71bcb4d92d5\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"a8c00572-667b-4e39-8b0c-10be56fbadd5\",\"w\":12,\"x\":35,\"y\":6},\"panelIndex\":\"a8c00572-667b-4e39-8b0c-10be56fbadd5\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"e8a57cba-14d2-4cd9-a727-f5e30165f6ba\",\"w\":13,\"x\":0,\"y\":8},\"panelIndex\":\"e8a57cba-14d2-4cd9-a727-f5e30165f6ba\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"8ae39cfa-cb06-45eb-880e-b749c3355d61\",\"w\":12,\"x\":23,\"y\":13},\"panelIndex\":\"8ae39cfa-cb06-45eb-880e-b749c3355d61\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"ef92d192-b56d-476c-b640-e226679ed178\",\"w\":12,\"x\":35,\"y\":13},\"panelIndex\":\"ef92d192-b56d-476c-b640-e226679ed178\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"b15dcac5-3616-4b41-8abb-cb28398b16f4\",\"w\":13,\"x\":0,\"y\":16},\"panelIndex\":\"b15dcac5-3616-4b41-8abb-cb28398b16f4\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"23af61c8-6a45-4d7d-9905-8ed265328130\",\"w\":10,\"x\":13,\"y\":16},\"panelIndex\":\"23af61c8-6a45-4d7d-9905-8ed265328130\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"390068ed-b7fb-4ec1-87d5-e89f7cc82e04\",\"w\":12,\"x\":23,\"y\":20},\"panelIndex\":\"
390068ed-b7fb-4ec1-87d5-e89f7cc82e04\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"45724dca-fea2-4f3b-af79-cf89bb12a31b\",\"w\":12,\"x\":35,\"y\":20},\"panelIndex\":\"45724dca-fea2-4f3b-af79-cf89bb12a31b\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":14,\"i\":\"7f0c4a51-d972-42a5-ba0a-d3de814c7440\",\"w\":47,\"x\":0,\"y\":27},\"panelIndex\":\"7f0c4a51-d972-42a5-ba0a-d3de814c7440\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"}]",
+ "timeRestore": false,
+ "title": "[Windows powershell] Overview",
+ "version": 1
+ },
+ "id": "windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8",
+ "migrationVersion": {
+ "dashboard": "7.3.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8",
+ "name": "panel_0",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8",
+ "name": "panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8",
+ "name": "panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-78874900-9f30-11ea-bef1-95118e62a7c1",
+ "name": "panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-e64ff750-9f28-11ea-bef1-95118e62a7c1",
+ "name": "panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1",
+ "name": "panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1",
+ "name": "panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8",
+ "name": "panel_7",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1",
+ "name": "panel_8",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1",
+ "name": "panel_9",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8",
+ "name": 
"panel_10",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-d27dea70-9f32-11ea-bef1-95118e62a7c1",
+ "name": "panel_11",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8",
+ "name": "panel_12",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8",
+ "name": "panel_13",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-70751050-9f33-11ea-bef1-95118e62a7c1",
+ "name": "panel_14",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8",
+ "name": "panel_15",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8",
+ "name": "panel_16",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-11a61760-9f27-11ea-bef1-95118e62a7c1",
+ "name": "panel_17",
+ "type": "search"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json
new file mode 100755
index 0000000000..2dc240f99d
--- /dev/null
+++ b/packages/windows/1.12.1/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json
@@ -0,0 +1,49 @@
+{
+ "attributes": {
+ "description": "Overview of the Windows Service States",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.service\"},\"version\":true}"
+ },
+ "optionsJSON": "{\"darkTheme\":false}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"}]",
+ "timeRestore": false,
+ "title": "[Metrics Windows] Services",
+ "version": 1
+ },
+ "id": "windows-d9eba730-c991-11e7-9835-2f31fe08873b",
+ "migrationVersion": {
+ "dashboard": "7.3.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "windows-eb8277d0-c98c-11e7-9835-2f31fe08873b",
+ "name": "panel_0",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-23a5fff0-c98e-11e7-9835-2f31fe08873b",
+ "name": "panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-830c45f0-c991-11e7-9835-2f31fe08873b",
+ "name": "panel_2",
+ "type": 
"visualization"
+ },
+ {
+ "id": "windows-35f5ad60-c996-11e7-9835-2f31fe08873b",
+ "name": "panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b",
+ "name": "panel_4",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json
new file mode 100755
index 0000000000..4eec362f7b
--- /dev/null
+++ b/packages/windows/1.12.1/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json
@@ -0,0 +1,40 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "powershell.engine.version",
+ "powershell.runspace_id",
+ "process.args",
+ "powershell.command.invocation_details",
+ "powershell.file.script_block_text"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"},\"version\":true}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Details [Windows powershell]",
+ "version": 1
+ },
+ "id": "windows-11a61760-9f27-11ea-bef1-95118e62a7c1",
+ "migrationVersion": {
+ "search": "7.4.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json
new file mode 100755
index 0000000000..ce978c720f
--- /dev/null
+++ b/packages/windows/1.12.1/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json 
@@ -0,0 +1,48 @@
+{
+ "attributes": {
+ "columns": [
+ "host.name",
+ "windows.service.display_name",
+ "windows.service.state",
+ "windows.service.start_type",
+ "windows.service.uptime.ms",
+ "windows.service.pid",
+ "windows.service.exit_code"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"windows.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"windows.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"service\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"service\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"service\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Services [Metrics Windows]",
+ "version": 1
+ },
+ "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b",
+ "migrationVersion": {
+ "search": "7.4.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json
new file mode 100755
index 0000000000..04e954c31c
--- /dev/null
+++ b/packages/windows/1.12.1/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json
@@ -0,0 +1,27 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}"
+ },
+ "title": "Engine versions [Windows powershell]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Engine version\",\"field\":\"powershell.engine.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Engine versions [Windows powershell]\",\"type\":\"pie\"}"
+ },
+ "id": "windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json
new file mode 100755
index 0000000000..a1d8795f59
--- /dev/null
+++ b/packages/windows/1.12.1/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Hosts [Metrics Windows]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Services\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Hosts [Metrics Windows]\",\"type\":\"table\"}"
+ },
+ "id": "windows-23a5fff0-c98e-11e7-9835-2f31fe08873b",
+ "migrationVersion": {
+ "visualization": "7.8.0"
+ },
+ "references": [
+ {
+ "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json
new file mode 100755
index 0000000000..c3010746e0
--- /dev/null
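Review bot: The table params in `visState` spell the option `showMeticsAtAllLevels`, while the other table visualization on this page (Users [Windows powershell], windows-3e55daa0) spells it `showMetricsAtAllLevels`; the two exports also carry different `migrationVersion` values (`7.8.0` here and in windows-35f5ad60, `7.10.0` elsewhere) and this one, like windows-35f5ad60, has no `namespaces` entry. Whichever spelling the target Kibana reads, the other key is presumably ignored — harmless while the value is `false`, but it is a sign the Metrics Windows objects were exported from an older Kibana than the powershell ones. Re-exporting all of the package's saved objects from one Kibana version would make the migrated parameter names and the object envelope consistent across the package.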
+++ b/packages/windows/1.12.1/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json
@@ -0,0 +1,27 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}"
+ },
+ "title": "Unique engine versions [Windows powershell]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique versions\",\"field\":\"powershell.engine.version\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique engine versions [Windows powershell]\",\"type\":\"metric\"}"
+ },
+ "id": "windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json
new file mode 100755
index 0000000000..a67dddfc97
--- /dev/null
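Review bot: The KQL in `searchSourceJSON` mis-joins its second clause — `data_stream.dataset.windows.powershell_operational` uses `.` where `:` is required, so that clause is no longer a field match on `data_stream.dataset` and the cardinality metric effectively counts only `windows.powershell` events; the same typo is in the Users table visualization (windows-3e55daa0) later on this page. The dashboard, the Details saved search and the Engine versions pie on this page all use the correct form, `(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)`, and both affected queries should match it. The effect for an analyst is silent under-coverage: anything that only appears in the operational channel (the saved search above lists `powershell.file.script_block_text` among its columns) is dropped from the engine-version and per-user counts without any visible error.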
+++ b/packages/windows/1.12.1/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Unique Services [Metrics Windows]",
+ "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Services\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Unique Services [Metrics Windows]\",\"type\":\"metric\"}"
+ },
+ "id": "windows-35f5ad60-c996-11e7-9835-2f31fe08873b",
+ "migrationVersion": {
+ "visualization": "7.8.0"
+ },
+ "references": [
+ {
+ "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json
new file mode 100755
index 0000000000..89fc1c53f5
--- /dev/null
+++ b/packages/windows/1.12.1/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" + }, + "title": "Users [Windows powershell]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Host count\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"User\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of host.name\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users [Windows powershell]\",\"type\":\"table\"}" + }, + "id": "windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + 
"visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..30859feacc --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json 
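Review bot: The dataset filter in searchSourceJSON is malformed: the second clause reads `data_stream.dataset.windows.powershell_operational` with a `.` where the `:` field separator belongs, so KQL treats it as a bare term searched across all fields rather than a match on `data_stream.dataset`; most likely it matches nothing and powershell_operational events are silently dropped from the "Users" table. The sibling objects in this commit use the correct form, so the query should be `(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)`. Separately, the `parsedUrl` object inside the visState dimensions carries `\"origin\":\"http://192.168.1.48:5601\"`, a private address from the exporting workstation; it is presumably render-time state that Kibana recomputes, but it leaks the author's environment into a published package and is meaningless on any other install, so the `parsedUrl` object should be stripped from the exported asset (the same value recurs in the other powershell table and pie objects in this commit).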
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" + }, + "title": "Total engine started [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: 400\"},\"label\":\"\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total engine started [Windows powershell]\",\"type\":\"metric\"}" + }, + "id": "windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
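Review bot: The KQL query in searchSourceJSON has the same typo as the "Users" object: `data_stream.dataset.windows.powershell_operational` is a bare term (dot instead of `:`), not a field match, so the "Total engine started" count most likely only covers the `windows.powershell` dataset and silently ignores engine-start events (`event.code: 400`) from the operational log. Change it to `(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)`, which is the form the other metric objects in this commit already use.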
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..05fb357273 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" + }, + "title": "Top active hosts [Windows powershell]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[],\"metrics\":[{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top active hosts [Windows powershell]\",\"type\":\"table\"}" + }, + "id": "windows-70751050-9f33-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..ea3f28e91a --- /dev/null 
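Review bot: The searchSourceJSON query again contains `data_stream.dataset.windows.powershell_operational` instead of `data_stream.dataset:windows.powershell_operational`, so the "Top active hosts" table is most likely restricted to the `windows.powershell` dataset and under-counts hosts that only emit operational-log events; fix the clause to `data_stream.dataset:windows.powershell_operational`. A smaller inconsistency: `dimensions.buckets` is saved as `[]` even though the object defines a terms agg on `host.name`; Kibana presumably rebuilds dimensions on render, but the stale export state suggests the aggs were edited after export and the object was not re-exported.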
+++ b/packages/windows/1.12.1/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Total remote commands [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"process.title:\\\"ServerRemoteHost\\\" \"},\"label\":\"Remote commands\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total remote commands [Windows powershell]\",\"type\":\"metric\"}" + }, + "id": "windows-78874900-9f30-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..20a555f9a3 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Engine and Command started[Windows powershell]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"*\":\"#EAB839\",\"Engine stopped\":\"#BF1B00\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"400\\\" \"},\"label\":\"Engine started\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4105\\\" \"},\"label\":\"Command started\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"label\":\"filters\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"label\":\"@timestamp per 30 
minutes\",\"params\":{\"bounds\":{\"max\":\"2020-05-26T09:14:29.996Z\",\"min\":\"2020-05-25T09:14:29.996Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT30M\",\"intervalESUnit\":\"m\",\"intervalESValue\":30}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"log\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Engine and Command started[Windows powershell]\",\"type\":\"line\"}" + }, + "id": "windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..7991892c14 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json 
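Review bot: uiStateJSON overrides the colour for a series named `"Engine stopped"`, but the filters agg defines only the labels "Engine started" (`event.code: "400"`) and "Command started" (`event.code: "4105"`), so the red override can never apply; either drop the `"Engine stopped":"#BF1B00"` entry or add the filter it was meant for (event.code 403 is the stop event, if that was the intent — to be confirmed). The saved `dimensions.x.params.bounds` also carries absolute export-time dates (`2020-05-25T09:14:29.996Z` to `2020-05-26T09:14:29.996Z`) and a fixed `PT30M` interval; Kibana presumably recomputes these on render, but they are stale state that should not be shipped in a package asset.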
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Total commands [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"powershell.command.name: * \"},\"label\":\"Commands\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total commands [Windows powershell]\",\"type\":\"metric\"}" + }, + "id": "windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json new file mode 100755 index 0000000000..1c3be90530 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Startup States [Metrics Windows]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Service Count\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Startup Type\",\"field\":\"windows.service.start_type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"State\",\"field\":\"windows.service.state\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Startup States [Metrics Windows]\",\"type\":\"pie\"}" + }, + "id": "windows-830c45f0-c991-11e7-9835-2f31fe08873b", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..41e0eb5de2 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Unique hosts [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique hosts [Windows powershell]\",\"type\":\"metric\"}" + }, + "id": "windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..f31c109dbd --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Connected users [Windows powershell]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"powershell.connected_user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"4\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Host count\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"User\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of host.name\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connected users [Windows powershell]\",\"type\":\"table\"}" + }, + "id": "windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8", 
+ "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..7c4f2295c8 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"powershell.command.invocation_details.type\",\"negate\":false,\"params\":{\"query\":\"CommandInvocation\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"powershell.command.invocation_details.type\":\"CommandInvocation\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Top Invoked Commands [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"powershell.command.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"powershell.command.invocation_details.related_command: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Top Invoked Commands [Windows 
powershell]\",\"type\":\"pie\"}" + }, + "id": "windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..2e83176ae0 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json 
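Review bot: The bucket dimension label is `powershell.command.invocation_details.related_command: Descending`, but the terms agg it describes aggregates on `powershell.command.name`, so the legend/tooltip header names a field the chart does not use; set it to `\"label\":\"powershell.command.name: Descending\"` or give the agg a `customLabel` such as `Command`. The `parsedUrl` object in the same dimensions block also embeds `http://192.168.1.48:5601`, an internal address from the exporting host that has no meaning on other installs and should be stripped before publishing.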
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Started providers [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"powershell.provider.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"powershell.provider.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Started providers [Windows powershell]\",\"type\":\"pie\"}" + }, + "id": "windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json new file mode 100755 index 0000000000..298c8a3225 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json 
@@ -0,0 +1,40 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"windows.service.exit_code\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":true,\"params\":{\"query\":\"0\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\"},\"query\":{\"match\":{\"windows.service.exit_code\":{\"query\":\"0\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":true,\"params\":{\"query\":\"ERROR_SERVICE_NEVER_STARTED\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR_SERVICE_NEVER_STARTED\"},\"query\":{\"match\":{\"windows.service.exit_code\":{\"query\":\"ERROR_SERVICE_NEVER_STARTED\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Non-zero Service Exit Codes [Metrics Windows]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Non-zero Exit Codes\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Non-zero Service Exit Codes [Metrics Windows]\",\"type\":\"metric\"}" + }, + "id": "windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..eb31ba6e7b --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Event type [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event type\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"event.code: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event type [Windows powershell]\",\"type\":\"pie\"}" + }, + "id": "windows-d27dea70-9f32-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..5bc8c71d54 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}"
+ },
+ "title": "Engine versions ran by host [Windows powershell]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Version count\",\"field\":\"powershell.engine.version\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Host\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Version count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Engine versions ran by host [Windows powershell]\",\"type\":\"table\"}"
+ },
+ "id": "windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json
new file mode 100755
index 0000000000..5fccc4cea5
--- /dev/null
+++ b/packages/windows/1.12.1/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json
@@ -0,0 +1,27 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}"
+ },
+ "title": "Unique users [Windows powershell]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique users\",\"field\":\"related.user\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique users [Windows powershell]\",\"type\":\"metric\"}"
+ },
+ "id": "windows-e64ff750-9f28-11ea-bef1-95118e62a7c1",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json
new file mode 100755
index 0000000000..76751cae17
--- /dev/null
+++ b/packages/windows/1.12.1/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Service States [Metrics Windows]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Latest Report\",\"field\":\"@timestamp\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Service\",\"field\":\"windows.service.display_name\",\"order\":\"asc\",\"orderBy\":\"_term\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"_term\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"State\",\"field\":\"windows.service.state\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"@timestamp\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"max\"},\"orderBy\":\"custom\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Startup Type\",\"field\":\"windows.service.start_type\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"4-orderAgg\",\"params\":{\"field\":\"@timestamp\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"max\"},\"orderBy\":\"custom\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Service States [Metrics Windows]\",\"type\":\"table\"}"
+ },
+ "id": "windows-eb8277d0-c98c-11e7-9835-2f31fe08873b",
+ "migrationVersion": {
+ "visualization": "7.8.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json
new file mode 100755
index 0000000000..87af19a431
--- /dev/null
+++ b/packages/windows/1.12.1/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json
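Review bot: The table params in `visState` spell the option `showMeticsAtAllLevels`, while the windows-e20b3940 table visualization in this same commit uses `showMetricsAtAllLevels`; a misspelled key is simply not read, so the value `false` here has no effect and the visualization runs on whatever the default is. I'd change it to `\"showMetricsAtAllLevels\":false` so the saved object states what it intends. This object also still carries `migrationVersion` 7.8.0 and has no `namespaces` entry, unlike its siblings, which suggests it was exported from an older Kibana and may be worth re-exporting alongside the others.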
@@ -0,0 +1,27 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}"
+ },
+ "title": "Host processes [Windows powershell]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"process.title\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"process.title: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Host processes [Windows powershell]\",\"type\":\"pie\"}"
+ },
+ "id": "windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json
new file mode 100755
index 0000000000..d81f48dce2
--- /dev/null
+++ b/packages/windows/1.12.1/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json
@@ -0,0 +1,27 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}"
+ },
+ "title": "Event Levels [Windows powershell]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"log.level: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event Levels [Windows powershell]\",\"type\":\"pie\"}"
+ },
+ "id": "windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/manifest.yml b/packages/windows/1.12.1/manifest.yml
new file mode 100755
index 0000000000..a3632b677b
--- /dev/null
+++ b/packages/windows/1.12.1/manifest.yml
@@ -0,0 +1,95 @@
+name: windows
+title: Windows
+version: 1.12.1
+description: Collect logs and metrics from Windows OS and services with Elastic Agent.
+type: integration
+categories:
+ - os_system
+ - security
+icons:
+ - src: /img/logo_windows.svg
+ title: logo windows
+ size: 32x32
+ type: image/svg+xml
+format_version: 1.0.0
+license: basic
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+screenshots:
+ - src: /img/metricbeat-windows-service.png
+ title: metricbeat windows service
+ size: 3142x1834
+ type: image/png
+policy_templates:
+ - name: windows
+ title: Windows logs and metrics
+ description: Collect logs and metrics from Windows instances
+ inputs:
+ - type: winlog
+ title: 'Collect events from the following Windows event log channels:'
+ description: 'Collecting events from Windows event log'
+ - type: windows/metrics
+ title: Collect Windows perfmon and service metrics
+ description: Collecting perfmon and service metrics from Windows instances
+ - type: httpjson
+ title: Collect logs from third-party REST API (experimental)
+ description: Collect logs from third-party REST API (experimental)
+ vars:
+ - name: url
+ type: text
+ title: URL of Splunk Enterprise Server
+ description: i.e. scheme://host:port, path is automatic
+ show_user: true
+ required: true
+ default: https://server.example.com:8089
+ - name: username
+ type: text
+ title: Splunk REST API Username
+ show_user: true
+ required: false
+ - name: password
+ type: password
+ title: Splunk REST API Password
+ show_user: true
+ required: false
+ - name: token
+ type: password
+ title: Splunk Authorization Token
+ description: |
+ Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..."
+ or "Splunk 192fd3e...". Cannot be used with username
+ and password.
+ show_user: true
+ required: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+owner:
+ github: elastic/integrations
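Review bot: The `description` text of the `url` and `ssl` vars in the httpjson input uses "i.e." where an example is meant, which reads as if `scheme://host:port` were the only accepted value; `description: e.g. scheme://host:port, path is automatic` and `description: e.g. certificate_authorities, supported_protocols, verification_mode etc.` say what is intended. The `token` description states it cannot be combined with `username` and `password`, yet all three are `required: false` and nothing in the manifest expresses that exclusivity, so the stream template presumably resolves the conflict; the description should say which credential is used when both are supplied so an operator does not learn it from a failed request. Since `ssl` is hidden by `show_user: false`, it would also help to mention in its description that TLS verification is left at the input's default unless `verification_mode` is set here.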